Re: [clamav-users] Clamav fails to detect exe within rar

2015-11-20 Thread Steve basford
Hi Alex... do you have libunrar  ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml

Re: [clamav-users] old stuff from Windows95

2015-11-17 Thread Steve Basford
On Tue, November 17, 2015 11:56 am, ellanios82 wrote: > On 11/17/2015 12:46 AM, Joel Esler (jesler) wrote: > >> Please submit false positive reports on the website. > - thanks : did try but failed , due to my PC running Linux : ClamAV > webpage RadioButtons stuck : cannot change from Windows to Linux

Re: [clamav-users] False positive on go source code using PUA

2015-11-04 Thread Steve Basford
On Wed, November 4, 2015 6:03 am, P K wrote: > Hi, > > > I tried clamdscan with PUA enabled on go source code and saw an error. > issue6550.gz: PUA.File.Exploit.CVE_2012_1461 https://www.virustotal.com/en/file/c809983cf1b4f11552a1880272e3002a963a39c453b4883bf47e5c2cfc8f2a47/analysis/1446632226/

Re: [clamav-users] negate part of signature

2015-10-30 Thread Steve Basford
On Fri, October 30, 2015 8:07 am, Deyan Chepishev wrote: > Hello, > > > Thank you for the answer. > > > There is probably something missing in the doc, because the signature is > not properly working with the current clamav release 0.98.7 > I confirm the same here... I think it was a bug that's

Re: [clamav-users] ERROR: clamfi_eom: FD send failed: Broken pipe

2015-10-28 Thread Steve Basford
On Wed, October 28, 2015 1:25 pm, Urban Loesch wrote: > Hi, > > > today I moved my clamav-milter and clamd installation (linux container) > to a brand new hardware. Now I get these strange errors in the log every 3-5 > minutes. > Did a quick google...

Re: [clamav-users] Interesting report from clamscan after adding new database

2015-10-15 Thread Steve Basford
On Thu, October 15, 2015 4:03 pm, Gene Heskett wrote: > Greetings everybody; > > > I added a new, not quite official database to my clamav checker, and this > morning it's fussing about several files I have on my web page: > /var/www/html/gene/Genes-os9-stf/dw4_beta_1.4.tar.gz: >

Re: [clamav-users] Trouble with foxhole

2015-10-14 Thread Steve Basford
On Wed, October 14, 2015 7:23 am, Hartmann, Jan wrote: > > > Hi, > Today we had a lot of problems with exe files hidden in zip archives > > > I tried to add the foxholedb to our clamav, but sadly it didn’t > recognize the exe in the zip. > > > clamscan

Re: [clamav-users] Trouble with foxhole

2015-10-14 Thread Steve Basford
On Wed, October 14, 2015 7:37 am, Rajesh M wrote: > > Sanesecurity.Foxhole.7z:CL_TYPE_7Z > Sanesecurity.Foxhole.Rar:CL_TYPE_RAR etc.. Hi Rajesh, Yep, the above will work... but could cause high FPs for some people which they might find unacceptable, depending on their setup. If anyone has a

Re: [clamav-users] Match alternate bytes?

2015-10-08 Thread Steve basford
Hi Kris, I added a sig to detect some of these in phish.ndb. If you send me some samples I'll have a look to see if it matches. On 8 October 2015 17:14:58 Kris Deugau wrote: I've been seeing Javascript malware on and off where (one layer of) the Javascript obfuscation is

Re: [clamav-users] DB update and clamav-milter delay

2015-09-29 Thread Steve Basford
On Tue, September 29, 2015 9:15 am, Marco wrote: > I tried to relax the upgrades, but I see the problem is the time spent > to reload the db: > > 2015-09-29T01:03:15.710526+02:00 av2 clamd[15201]: Reading databases > from /var/lib/clamav 2015-09-29T01:03:53.151179+02:00 av2 clamd[15201]: >

[clamav-users] Fp report

2015-09-10 Thread Steve basford
Just spotted this go report https://twitter.com/hanno/status/642067768616046592 Anyone else seeing issues: https://www.reddit.com/r/sysadmin/comments/3kg08m/gmail_flagging_company_docs_as_viruses_when/

Re: [clamav-users] Freshclam problem

2015-08-14 Thread Steve Basford
On Thu, August 13, 2015 9:11 pm, Paul wrote: Hi A patch for current 0.98.7 would be much appreciated. As a simple network outage at the wrong time causes havoc with several systems. Paul Hi Paul, Just in case this helps...

Re: [clamav-users] ClamAV Update Authenticity?

2015-08-12 Thread Steve Basford
On Tue, August 11, 2015 9:31 pm, Benny Pedersen wrote: http://sanesecurity.com/ is a wordpress site that is infected with malware popups :( Ok, sweetcaptcha plugin removed. For the technically interested...

Re: [clamav-users] ClamAV Update Authenticity?

2015-08-11 Thread Steve Basford
On 11 August 2015 21:31:40 Benny Pedersen m...@junc.eu wrote: there is download scripts that automate this, ironical http://sanesecurity.com/ is a wordpress site that is infected with malware popups :( Everything is kept up-to-date wordpress and plugins wise but think I've identified the

Re: [clamav-users] block access to file using scan on access option

2015-08-10 Thread Steve Basford
On Mon, August 10, 2015 10:58 am, kamil kapturkiewicz wrote: Hi, I am trying to configure Scan On Access with ProFTPD server to block access to file (not only mark as FOUND): Not my area but Found this from an archive... -- You could write a virusevent script, put VirusEvent

Re: [clamav-users] virus samples

2015-08-08 Thread Steve Basford
Could you resend to: samp...@sanesecurity.me.uk On 8 August 2015 10:08:47 sebast...@debianfan.de sebast...@debianfan.de wrote: Hi @all, i have 37 Files - which are not detected by clamav.

[clamav-users] [Fwd: [sanesecurity] Hacking Team detection]

2015-08-07 Thread Steve Basford
Just in case it's useful... Original Message Subject: [sanesecurity] Hacking Team detection From:Steve Basford steveb_cla...@sanesecurity.com Date:Fri, August 7, 2015 9:43 am To: sanesecurity_annou...@freelists.org Cc

Re: [clamav-users] Fwd: Unable to detect pdf virus

2015-07-28 Thread Steve Basford
On Tue, July 28, 2015 3:27 pm, P K wrote: a3e8a7602797c69f6320225e8137d063 exploit.pdf ClamAV isn't showing detection here: https://www.virustotal.com/en/file/61c9333604404addf7e3aaf97f89d4ed3bf6fe4d12bd3e98bc7232ebfd9f0c5b/analysis/ But does detect using PUA: ClamAV: Possibly Unwanted

Re: [clamav-users] Fwd: Unable to detect pdf virus

2015-07-28 Thread Steve Basford
On Tue, July 28, 2015 3:41 pm, P K wrote: So how to detect same in my clamAv? Until a proper sig is added, you could try clamscan --detect-pua=yes Cheers, Steve Web : sanesecurity.com Blog: sanesecurity.blogspot.com

Re: [clamav-users] HackingTeam hashes

2015-07-21 Thread Steve Basford
On Tue, July 21, 2015 3:55 pm, Jörg Stephan wrote: Hi there, I guess you know that a team has released a tool to check for HackingTeam files. They provided a test tool including the file hashes of the files. As I seem to be under-skilled to create a database for this, I will hand this

Re: [clamav-users] problem reading socket while updating database

2015-07-09 Thread Steve Basford
On Wed, July 8, 2015 9:30 pm, Jingo Administrator wrote: I am planning to drop the SecuriteInfo.com signature libraries first, because these were the last I added and after that the issue began to pop up. I am planning to drop the SecuriteInfo.com signature libraries first, because these

Re: [clamav-users] problem reading socket while updating database

2015-07-09 Thread Steve Basford
On Thu, July 9, 2015 11:11 am, Arnaud Jacques / SecuriteInfo.com wrote: Thank you for the benchmarks Steve. We are aware of this problem. With more than 1 million signatures, it takes too much ram/cpu on lower hardware systems. ATM, we mainly focus on javascript.ndb and securiteinfohtml.hdb

Re: [clamav-users] clamav 0.99 beta yara

2015-06-26 Thread Steve Basford
On Thu, June 25, 2015 10:50 pm, Steven Morgan wrote: Steve, One more question: is Sanesecurity planning to distribute yara signatures when 0.99 final is released? This will help with appropriate scheduling of any parameter implementations. Well, there's a new download script with Yara

[clamav-users] clamav 0.99 beta yara

2015-06-25 Thread Steve Basford
Couple of pre-coffee questions... 1) From what I can tell Yara signature names will be generated based on the yara rule name provided... eg: testname.yara: rule Sanesecurity.test { strings: $match1 = "test" $ignore1 = "this1" $ignore2 = "this2" condition: $match1 and not ($ignore1 or $ignore2) }

[clamav-users] daily.ftm

2015-06-19 Thread Steve Basford
Hi, Wasn't sure if this should be a bugzilla or not but... daily.ftm seems to be out-of-sync with the latest filetypes_int.h Eg, 4546492050415254 is missed and a few of the newer ones. Cheers, Steve Web : sanesecurity.com Blog: sanesecurity.blogspot.com

Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99b Meets YARA!

2015-06-11 Thread Steve Basford
On Thu, June 11, 2015 3:51 pm, Steven Morgan wrote: We've borrowed the yacc/lex code from yara project. Hi, Does that mean ClamAV will support this condition in the current beta: $match1 and not ($ignore1 or $ignore2) I'll wait to test once windows binary beta arrives... or find a bit of

Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99b Meets YARA!

2015-06-11 Thread Steve Basford
On 11 June 2015 20:41:13 Alain Zidouemba azidoue...@sourcefire.com wrote: This has been supported since the introduction of logical signatures (ldb) in ClamAV 0.94. Yep, I'm already using the ldb feature but a yara rule using the feature would make things easier to auto generate mostly,

Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99b Meets YARA!

2015-06-11 Thread Steve Basford
On 11 June 2015 16:37:09 Steven Morgan smor...@sourcefire.com wrote: Steve Here is a quick demo for your question. The file names in this test are the same as the file content: rule basford { strings: $match1 = "bbb" $ignore1 = "n" $ignore2 = "zbcz" condition: $match1 and not

Re: [clamav-users] ClamAV® blog: ClamAV 0.99b Meets YARA!

2015-06-05 Thread Steve Basford
Hi Tom, I certainly don't see why Yara rules aren't going to be rsynced, I'll chat with you off list. On 5 June 2015 16:33:16 TR Shaw ts...@oitc.com wrote: Steve I have my own yara rules. Are you going to accept them for rsync? Tom On Jun 5, 2015, at 11:02 AM, Steve Basford steveb_cla

Re: [clamav-users] ClamAV® blog: ClamAV 0.99b Meets YARA!

2015-06-05 Thread Steve Basford
On Wed, June 3, 2015 8:02 pm, Joel Esler (jesler) wrote: ClamAV 0.99b Meets YARA! The first beta release of ClamAV 0.99 is now on SourceForge! ClamAV 0.99 Since this is such a large feature, please help us by downloading, using, and testing this feature and reporting bugs via our usual

Re: [clamav-users] Submission status

2015-05-22 Thread Steve Basford
On Fri, May 22, 2015 4:32 pm, sebast...@debianfan.de wrote: Are there any special requirements for sending samples - e.g. zipping with password ? You can zip with password infected if you need to...but not 100% needed. or maybe use http://free.mailbigfile.com/ Cheers, Steve Web : sanesecurity.com

[clamav-users] [Fwd: [sanesecurity] extremeshok/clamav-unofficial-sigs :: version 4.3 (updated 2015-05-13)]

2015-05-14 Thread Steve Basford
Hi All, Just in case this is useful to anyone: Adrian of extremeshok-dot-com has forked Bill Landry's clamav-unofficial-sigs script and made quite a few new changes to the script: Original Message Subject: [sanesecurity]

Re: [clamav-users] virus detection status

2015-05-13 Thread Steve Basford
On Wed, May 13, 2015 5:49 am, Dmitry Melekhov wrote: Hello! We are using clamav for years for e-mail virus filtering, and it worked OK for us, but last several weeks we found that clamav doesn't recognize many viruses like js, or xls macros. I submitted one of viruses several weeks ago, but

Re: [clamav-users] Sanesecurity .hdb databases integrity tested BAD

2015-04-24 Thread Steve Basford
On Fri, April 24, 2015 8:38 am, Alessandro Vesely wrote: Hi, I've been getting these log it's for a couple of days now: Clamscan reports Sanesecurity honeynet.hdb database integrity tested BAD - SKIPPING See this post: http://lurker.clamav.net/message/20150423.072453.3394b584.en.html

[clamav-users] [Fwd: securiteinfo problems]

2015-04-23 Thread Steve Basford
Just a heads up for Bill Landry's ClamAV Unofficial Signatures Updater script users Original Message Subject: securiteinfo problems From:Steve Basford steveb_cla...@sanesecurity.com Date:Thu, April 23, 2015 8:24 am

Re: [clamav-users] concerning foxhole databases

2015-04-23 Thread Steve Basford
On Thu, April 23, 2015 12:03 pm, Rajesh M wrote: I am using foxhole_all.cdb foxhole_filename.cdb foxhole_generic.cdb but does not work how do I block .cab extension even if they are within zip or rar or 7z files. Hi Rajesh In your sample...a-to-z_moving_and_delivery.zip Using database

Re: [clamav-users] concerning foxhole databases

2015-04-23 Thread Steve Basford
On Thu, April 23, 2015 12:03 pm, Rajesh M wrote: how do I block .cab extension even if they are within zip or rar or 7z files. thanks Hi Rajesh Can you zip all the zips up, with password infected and email to: samp...@sanesecurity.me.uk Cheers, Steve Web : sanesecurity.com Blog:

Re: [clamav-users] clamscan --exclude=REGEX

2015-04-16 Thread Steve Basford
On Thu, April 16, 2015 2:50 pm, sanes wrote: The following exclude does not work (the scan will check the file) clamscan -r --exclude=c:\Windows\System32\mobsync.exe c:\ Please advise why exclude not working This works... don't think you can use a path... C:\clamavclamscan

Re: [clamav-users] Exclude multiple files with Windows version of clamscan

2015-04-14 Thread Steve Basford
On Tue, April 14, 2015 6:34 pm, sanes wrote: Please advise how to use a Text File with a list of Files to Exclude from clamscan (Windows Version). Have only found postings with Unix-type solutions clamscan --exclude='text file containing list of files' Not ideal but this sort of thing

Re: [clamav-users] basic malware missed???

2015-03-25 Thread Steve Basford
On Tue, March 24, 2015 9:40 pm, Steve Holdoway wrote: Hi folks, I'm in the process of cleaning up an infected wordpress website and am finding a number of files that contain Shouldn't this be in there already? If there is a process to add this can someone please point me to the docs? Hi

[clamav-users] [Fwd: remittance-advice xml malware]

2015-03-04 Thread Steve Basford
Sorry for the post but being hit hard with these atm... Original Message Subject: remittance-advice xml malware From:Steve Basford steveb_cla...@sanesecurity.com Date:Wed, March 4, 2015 11:17 am To: sanesecurity_annou

[clamav-users] EquationAPT sigs

2015-02-19 Thread Steve Basford
Hi All, EquationAPT is in the news... so in case this is useful... copy the following to EquationAPT.hdb: 03718676311de33dd0b8f4f18cffd488:376320:Sanesecurity.Rogue.EquationAPT.1 0a209ac0de4ac033f31d6ba9191a8f7a:184320:Sanesecurity.Rogue.EquationAPT.2

[clamav-users] certificates

2015-02-09 Thread Steve Basford
Hi, Can anyone confirm... In one of the latest source files: + \end{itemize} + \item For more information and examples please see \url{https://wwws.clamav.net/bugzilla/show_bug.cgi?id=164}.; The urls: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=164 and https://www.clamav.net/ for

Re: [clamav-users] certificates

2015-02-09 Thread Steve Basford
On Mon, February 9, 2015 11:03 am, Al Varnell wrote: Yes, I’m seeing the same thing with Safari for OS X. I also get an expired 22 Oct 2014 certificate for the wwws.clamav.net/bugzilla site. Hi Al, Thanks for the confirmation. Cheers, Steve Web : sanesecurity.com Blog:

Re: [clamav-users] Custom clamav rule to block exe and scr files in archive.

2015-02-05 Thread Steve Basford
On Thu, February 5, 2015 8:46 am, Virgo Pärna wrote: Recently I have received some viruses that have scr inside zip archive inside zip archive. And also there have been some cab's containing exe files. Might be worth having a look here too... http://sanesecurity.com/foxhole-databases/

Re: [clamav-users] Custom clamav rule to block exe and scr files in archive.

2015-02-05 Thread Steve Basford
On Thu, February 5, 2015 9:30 am, Virgo Pärna wrote: On Thu, 5 Feb 2015 09:11:16 -, Steve Basford It does not match urls inside the mail content. Also, since regexes are actually case sensitive, it does not match *.EXE. So there's that. Hi Virgo, (?i) will sort that case bit out... eg

Re: [clamav-users] Custom clamav rule to block exe and scr files in archive.

2015-02-05 Thread Steve Basford
I created exe_in_archive.cdb file in clamav database directory, that contains: Archived_EXE:*:*:.*\.exe:*:*:*:*:*:* Forgot to add that the above sig, as you are using a *wildcard* ContainerType, means that any exe in the following types will be blocked: ContainerType: one of CL_TYPE_ZIP,

Re: [clamav-users] Protection from cryptowall/cryptolocker

2014-12-23 Thread Steve Basford
On Tue, December 23, 2014 6:35 pm, Alex Regan wrote: I'd appreciate any further documents or other methods of protection that people are using to block these? ClamAV and Sanesecurity signatures will help block malware which is emailed in, which can then download exploit packs, some of which

Re: [clamav-users] url scanner

2014-12-18 Thread Steve Basford
On Thu, December 18, 2014 2:29 pm, polloxx wrote: Since more and more malware is not attached to a mail but only an url to it, detecting it is a challenge. Is there any good url scanner available for Clamav? Millions of years ago...there used to be a clamd.conf MailFollowURLs Yes option, which

Re: [clamav-users] sigwhitelist.ign2 whitelist not working

2014-12-09 Thread Steve Basford
On Tue, December 9, 2014 1:23 pm, polloxx wrote: We have the same problem with signatures we want to whitelist. Was this problem ever solved? Hi, What sig name are you whitelisting? Cheers, Steve Sanesecurity.com

Re: [clamav-users] sigwhitelist.ign2 whitelist not working

2014-12-09 Thread Steve Basford
On Tue, December 9, 2014 1:33 pm, polloxx wrote: % cat local.ign2 SecuriteInfo.com.Spammer.ec-messenger.com.UNOFFICIAL SecuriteInfo.com.Spammer.addemar.com.UNOFFICIAL Ah, ok...remove the .UNOFFICIAL off the end and restart clamd. Cheers, Steve Sanesecurity.com

Re: [clamav-users] Clamd: WARNING: lstat() failed on

2014-11-24 Thread Steve Basford
On Mon, November 24, 2014 11:21 am, stephen.b...@tanint.com wrote: I'm hoping someone can shed some light on an issue I'm experiencing... Seem to remember a post a while ago... to do with AllowSupplementaryGroups ? clamd.conf... AllowSupplementaryGroups true Cheers, Steve

Re: [clamav-users] Fwd: What is the signature count?

2014-10-10 Thread Steve Basford
On Fri, October 10, 2014 7:05 am, Prasanna Lotke wrote: Can anyone tell me how many signatures does Clam virus database have? Or how many malwares can it detect? Not had coffee yet but here's a quick summary of counts Current Official: main.cld is up to date (version: 55, sigs:

Re: [clamav-users] False positives phishing sites

2014-09-23 Thread Steve Basford
On Tue, September 23, 2014 12:44 pm, Thorvald Hallvardsson wrote: Anyone would like to point me into the right direction and help me out with the problems I'm having ? Report FPs here: http://cgi.clamav.net/sendvirus.cgi ClamAV team will need to add hosts to the daily.wdb database to

Re: [clamav-users] Daily.cvd file

2014-09-18 Thread Steve Basford
On Thu, September 18, 2014 5:59 am, Paul Kosinski wrote: When ClamAV was independent, every new release had an updated main.cvd, and the daily.cvd files were of modest size. Now the whole 0.98.x series has the same main.cvd, and the daily.cvds keep getting bigger. The immediately previous

Re: [clamav-users] Joomla Templates - False Positive

2014-09-17 Thread Steve Basford
On Wed, September 17, 2014 1:53 pm, James Meason wrote: Uploaded! (Zip.Suspect.MiscDoubleExtension-zippwd-4 FOUND) Hi James, ClamAV team have created a signature which helps block double attachments, in much the same way that the Sanesecurity foxhole sigs have been doing for a while now.

Re: [clamav-users] Problem with missing information

2014-09-09 Thread Steve Basford
On Tue, September 9, 2014 9:48 am, Denny Bortfeldt wrote: I've got a little problem and don't know what happened to my system. Every time I start clamscan or freshclam I get the following error: Hi Denny, There's a few posts with that sort of no version information available error... Google:

Re: [clamav-users] Hint for creating signatures

2014-09-08 Thread Steve Basford
On Mon, September 8, 2014 3:04 pm, Hajo Locke wrote: What should I do now? Is there a trick to find a signature which fits for all samples or do I have to create a different signature for every sample? Hi, Tricky :( Copy this into not_tested.ndb

[clamav-users] Sanesecurity:foxhole-databases

2014-09-05 Thread Steve Basford
Hi All, For those using Sanesecurity foxhole databases, I've finally updated their usage information: http://sanesecurity.com/foxhole-databases/ Cheers, Steve Sanesecurity.com

Re: [clamav-users] Sanesecurity:foxhole-databases

2014-09-05 Thread Steve Basford
On Fri, September 5, 2014 8:21 pm, Dennis Peterson wrote: Steve - thanks for your contribution to the success of the ClamAV products. One question for you - how does one determine the current version of the files you distribute? One of the foxhole signature files I have is from May, for example.

Re: [clamav-users] False positive for sure

2014-09-03 Thread Steve Basford
On Wed, September 3, 2014 11:56 am, Gene Heskett wrote: Ok, I'll byte, what's a PUA? Here's a good description... Q. What is a Potentially Unwanted Application (PUA)? A. The Sophos definition of a PUA is (quote) a term used to describe an application that is not inherently malicious, but is

Re: [clamav-users] False positive for sure

2014-09-03 Thread Steve Basford
On Wed, September 3, 2014 12:38 pm, Gene Heskett wrote: So as its been yonks since I setup the daily machine scan, where do I turn off this particular PUA feature? "--detect-pua" switch for clamscan or disable it in the clamd.conf file. Cheers, Steve Sanesecurity

Re: [clamav-users] False positive for sure

2014-09-03 Thread Steve Basford
On Wed, September 3, 2014 12:54 pm, Gene Heskett wrote: "--detect-pua" switch for clamscan or disable it in the clamd.conf file. Which one?, I have 3 of them. This is an old ubuntu 10.04 LTS install. Also its reported as version 98.1. If you are using clamscan then I guess you've got a

Re: [clamav-users] sanesecurity file size limit

2014-08-27 Thread Steve Basford
On Wed, August 27, 2014 12:25 pm, Rajesh M. wrote: in my clamd.conf file the size up to which the files will be scanned is 30 mb i.e. max email size in my smtp session. how do we solve this issue. Sorry for this being brief/incorrect as I'm on holiday-ish ;) Qmail...

Re: [clamav-users] Priority problem

2014-07-23 Thread Steve Basford
On Wed, July 23, 2014 10:41 am, Bernard Thédié wrote: I'm using clamav under Linux. I've scheduled a daily scan of my home dir. I would like to know if there's a way of telling clamscan to run more nicely ; actually when clamscan runs, it takes between 75 and 90% of my CPU ! I would rather

Re: [clamav-users] ClamAV®: Compiling OpenSSL For Windows

2014-07-13 Thread Steve Basford
Just a thought.. Will ClamAV use LibreSSL too, as it's supposed to be drop in On 9 July 2014 20:14:01 GMT+01:00, Joel Esler (jesler) jes...@cisco.com wrote: Compiling OpenSSL For Windows In order to support more advanced features planned in future releases, ClamAV has switched to using OpenSSL

Re: [clamav-users] Custom signature question

2014-07-08 Thread Steve Basford
On Tue, July 8, 2014 3:41 pm, a...@alb.de wrote: alex:~$ dd if=mp3file.mp3 count=1 | sigtool --hex-dump alex:~$ clamscan mp3file.exe Hi Alex, In the daily.ftm file, mp3 filetypes are ignored. 0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED Cheers, Steve Sanesecurity

Re: [clamav-users] Custom signature question

2014-07-08 Thread Steve Basford
I guess, if you *really* wanted to block mp3's being emailed you could create a type4 ndb signature to match the mp3 base64 in the email ? eg... email format... == Content-Type: audio/mpeg; name=test.mp3 Content-Transfer-Encoding: base64 Content-Disposition: attachment;

Re: [clamav-users] [Heuristics.Structured.SSN]

2014-07-03 Thread Steve Basford
On Thu, July 3, 2014 2:08 pm, Chris wrote: Below are the headers of the most recent mail that was hit the email itself was all html. Since this is just a home system with mine and my wife's email what's the best way to keep this from happening? Hi Chris, According to clamd.conf the default

Re: [clamav-users] Malformed database?

2014-06-25 Thread Steve Basford
On Wed, June 25, 2014 9:57 am, Paul Smith wrote: Using ClamAV 0.97.2, since yesterday's update Freshclam gives this when trying to download a fresh database: Hi Paul, Much newer binaries here (0.98.4), does it work ok with this version...

Re: [clamav-users] Malformed database?

2014-06-25 Thread Steve Basford
On Wed, June 25, 2014 11:00 am, Paul Smith wrote: It looks like my version is from the ClamWin ClamAV Unofficial Win32 port. It's slightly customised which is why it's still an old version. Ah ok. There is also... Native 0.98 here... http://oss.netfarm.it/clamav/ Native 0.98.4-rc1:

Re: [clamav-users] FN with unknown virus attachment

2014-06-23 Thread Steve Basford
Okay, great, thanks. Can you describe the risk for me? What does it do, and what's necessary for the user to do to become infected? It appears to be a rogue link phishing attack? So it requires the user to open the Word doc then click the link, correct? Hi Alex, 1. I used strings on the

Re: [clamav-users] Bad detection rate

2014-06-23 Thread Steve Basford
On Mon, June 23, 2014 4:47 pm, Walter Bürger wrote: This morning I submitted the file Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe (MD5 ad690be247dda635781e20887fcac0e7) on virustotal.com. 4 out of 54 scanners detected a virus (NOD32 named it Win32/Kryptik.CFAE) but

Re: [clamav-users] Bad detection rate

2014-06-23 Thread Steve Basford
On Mon, June 23, 2014 4:47 pm, Walter Bürger wrote: About 4 hours later I checked again and 12 out of 54 scanners detected a virus in this file but ClamAV did not detect it. I know 4 hours sounds a long time but when you consider the current amount of malware that is submitted /

Re: [clamav-users] FN with unknown virus attachment

2014-06-21 Thread Steve Basford
On Sat, June 21, 2014 2:00 pm, Alex wrote: Hi, I'm using clamav-0.98.4 on fedora20 with the sanesecurity and safebrowsing sigs and still seeing an unknown virus pass through our systems. I've submitted it to the clamav false-negative upload, but haven't received a response, and 24hrs later

[clamav-users] building a cud file

2014-06-20 Thread Steve Basford
Hi All, I'm playing with .cud file creation from a couple of files... testdb folder COPYING testdb.hdb testdb.ndb set SIGNDUSER=me sigtool --datadir=testdb --build=testdb.cud --unsigned --cvd-version 1 WARNING: build: Signatures in testdb db files: 2674, loaded by libclamav: 5348 Total sigs:

[clamav-users] DatabaseCustomURL question

2014-06-20 Thread Steve Basford
Hi, Does anyone have DatabaseCustomURL in their freshclam.conf: I've just tried this format... DatabaseCustomURL http://blahblahblah.com:/test.cud And I get an Unknown error :) ClamAV update process started at Thu Jun 19 14:14:24 2014 WARNING: Can't get information about

[clamav-users] DatabaseCustomURL question

2014-06-19 Thread Steve Basford
Hi, Does anyone have DatabaseCustomURL in their freshclam.conf: I've just tried this format... DatabaseCustomURL http://blahblahblah.com:/test.cud And I get an Unknown error ? :) ie... ClamAV update process started at Thu Jun 19 14:14:24 2014 WARNING: Can't get information about

Re: [clamav-users] DatabaseCustomURL question

2014-06-19 Thread Steve Basford
As it stands right now, freshclam does not support custom ports. However, we can add that functionality for a future release. Thanks for the quick reply. I'll add a bugzilla... Cheers, Steve Sanesecurity

[clamav-users] building a cud file

2014-06-18 Thread Steve Basford
Hi All, I'm playing with .cud file creation from a couple of files... testdb folder COPYING testdb.hdb testdb.ndb set SIGNDUSER=me sigtool --datadir=testdb --build=testdb.cud --unsigned --cvd-version 1 WARNING: build: Signatures in testdb db files: 2674, loaded by libclamav: 5348 Total sigs:

Re: [clamav-users] Thank You

2014-06-17 Thread Steve Basford
On Tue, June 17, 2014 3:51 pm, Matt Olney wrote: Due to the success of this release candidate, we would like to use the beta/RC model going forward. Development is what it is, so we may not always be able to do this, but my strong preference would be to use this model. Provided nothing

Re: [clamav-users] Again: No database updates for 48 hours?

2014-06-02 Thread Steve Basford
On Mon, June 2, 2014 10:09 am, Julius Plenz wrote: Hi, Alain! * Alain Zidouemba azidoue...@sourcefire.com [2014-05-19 19:45]: Let us know if you have any issues. Again, the last update to daily.cvd is more than 48 hours old: released on 30 May 2014 16:25 :0400. Is this intended? Hi,

Re: [clamav-users] ClamAv updates not being published properly?

2014-05-28 Thread Steve Basford
On Wed, May 28, 2014 9:35 am, Randal, Phil wrote: Yet freshclam says (with and without --no-dns) Hi Phil, Same here... freshclam... ClamAV update process started at Wed May 28 10:13:11 2014 main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo) daily.cld is up to

Re: [clamav-users] Signature matching email Subject:

2014-05-23 Thread Steve Basford
On Fri, May 23, 2014 4:25 pm, Claudio Cuqui wrote: Hello there ! I would like to know if it is possible to create a virus signature that matches the subject of a mail message. I tried everything and the signature only matches when the pattern is located in the email body. Something like

Re: [clamav-users] clamav-0.98.3 does not pass vulnerability scan

2014-05-20 Thread Steve Basford
On Tue, May 20, 2014 4:22 am, anctop wrote: The file 42.zip was sent 2 times. If there is an antivirus in your MTA, it might have crashed. Please check its status right now, as it is not possible to do so remotely Just for info... Summary: This script sends the 42.zip recursive archive to

Re: [clamav-users] reported before, makes no sense

2014-05-16 Thread Steve Basford
UNOFFICIAL means it did not come from ClamAV®. You need to take it up with whomever maintains the MBL database. MalwarePatrol? http://malwarepatrol.com.br/ I don't recall ever subscribing to that service, and the clamav- unofficial sigs database is not installed, and never has been. Now

Re: [clamav-users] reported before, makes no sense

2014-05-16 Thread Steve Basford
-rw-r--r-- 1 clamav adm 5958972 2013-05-03 07:51 junk.ndb That's a bit out of date ;) -rw-r--r-- 1 clamav adm 567741 2013-05-04 01:48 mbl.ndb JUST NUKED I'll see if the one I just nuked comes back. Yep, that'll be the one to watch out for... Current download scripts are here, if

Re: [clamav-users] ClamAV®: ClamAV 0.98.4rc1 is now available!

2014-05-16 Thread Steve Basford
- Crashes of clamd on Windows and Mac OS X platforms when reloading the virus signature database. Just testing at the moment - reload issue seems to have gone and so far so good... great work guys! Cheers, Steve Sanesecurity

Re: [clamav-users] FP-Report: Email.Trojan-417

2014-05-13 Thread Steve Basford
On Tue, May 13, 2014 8:27 am, Julian Hansmann wrote: Regardless of its content (even if it's empty) a mail which has a file with the suffix .JPG.zip (case sensitive) attached will be detected as Email.Trojan-417. Hi Julian, I'm guessing the original official signature was to catch something

Re: [clamav-users] 0.98.3, new segfault probably related to email parser

2014-05-12 Thread Steve Basford
On Mon, May 12, 2014 2:12 pm, Stuart Henderson wrote: I'm running clamav on OpenBSD/amd64 5.5 (with various sanesecurity hdb's, if that matters). Built from ports (with LLVM 3.3). Hi, Is it random or only on a certain email? Do you have a full copy of the email shown in your log? If you do, does

Re: [clamav-users] 0.98.3, new segfault probably related to email parser

2014-05-12 Thread Steve Basford
On Mon, May 12, 2014 3:50 pm, Stuart Henderson wrote: It also happens for clamscan (I removed all standard db's and included only the single signature triggered by this mail so it would start quickly). I have only hit this crash if a signature is matched (i.e. I haven't hit it if I remove

[clamav-users] Crash on db reload: 0.98.3 (OS: win32, ARCH: i386

2014-05-08 Thread Steve Basford
Just a quick report... 0.98.3 crashes... 0.98.1 no issues... Thu May 08 15:29:06 2014 - +++ Started at Thu May 08 15:29:06 2014 Thu May 08 15:29:06 2014 - clamd daemon 0.98.3 (OS: win32, ARCH: i386, CPU: i386) Thu May 08 15:29:06 2014 - Log file size limited to 104857600 bytes. Thu May 08

Re: [clamav-users] Crash on db reload: 0.98.3 (OS: win32, ARCH: i386

2014-05-08 Thread Steve Basford
On Thu, May 8, 2014 5:46 pm, Shawn Webb wrote: Hey Steve Could you send me over a copy of your clamd.conf, please? Thanks, Shawn Here you go... http://pastebin.com/EzRLk9iW Cheers, Steve Sanesecurity

Re: [clamav-users] Crash on db reload: 0.98.3 (OS: win32, ARCH: i386

2014-05-08 Thread Steve Basford
Hey Steve, Could you send me over a copy of your clamd.conf, please? Hi Shawn, I can reproduce... Installed a clamav without 3rd party stuff, fresh onto a test XP box I had not doing anything gulp run freshclam run clamd run clamdscan to prove its all working 1) clamdscan --reload to force

Re: [clamav-users] Clamav is not finding any viruses

2014-05-08 Thread Steve Basford
On Thu, May 8, 2014 5:47 pm, Kris Deugau wrote: I have been adding MD5 signatures, and somewhat more recently, .zmd .zip-content-filename signatures (for doubled-extension files), but I do not have time to dig more deeply and create more general signatures. -kgd Hi, You could add

Re: [clamav-users] git repository

2014-04-11 Thread Steve Basford
Dear all, In the past - before the latest takeover - I used the git repository to keep track of updates and/or other changes. I notice that since the latest takeover the git repository only is used when a new version has been released, thus defeating the practical use of the git repository.

Re: [clamav-users] Low detection rate

2014-03-03 Thread Steve Basford
On 03.03.14 12:38, Dennis Peterson wrote: Did you just send a link to a known infected file to this list? Yes, I sent a link to something I felt people answering my question would need to be able to see, with some text next to it *specifically saying it was infected*. I think a h t t p

Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV

2014-02-27 Thread Steve Basford
OpenSSL will be required to both compile and run ClamAV. Out of interest what Cipher: http://zombe.es/post/4078724716/openssl-cipher-selection http://security.stackexchange.com/questions/35036/different-performance-of-openssl-speed-on-the-same-hardware-with-aes-256-evp-an Cheers, Steve

[clamav-users] TheMask aka Careto

2014-02-17 Thread Steve Basford
In case this is useful for system scanning for TheMask aka Careto... Original Message Subject: [sanesecurity] new database: malwarehash.hsb From:Steve Basford steveb_cla...@sanesecurity.com Date:Mon, February 17, 2014 4:00 pm

Re: [clamav-users] fireclam log

2014-02-14 Thread Steve Basford
does anyone please know where is any documentation on fireclam plugin that is supposed to scan all files downloaded through Firefox browser using clamav? specifically I am trying to find out if it can be configured to produce a log or summary report of scan results including positive
