Need to write an anti virus that uses the NIST NSRL database and operate it
as a white list based AV. The db contains some 100 million hashes of known
good binary files. I tried to crowd fund to do this but no one was
interested.
Disclaimer:
use at own risk, sold (for free) as seen/0 day
Hello Steve,
In this way I can stop EXE/Executable into ZIP/Archive file and as
attachment (without change any other settings into mailserver config)
Shouldn't be an issue.
Cheers,
Steve
Sanesecurity
___
Help us build a comprehensive ClamAV
Which is the best solution/way to block all EXE/executable files?
You could use these...
http://sanesecurity.com/foxhole-databases/
Cheers,
Steve
Sanesecurity
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
The daily system scan is fussing about
/home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt:
MBL_400944.UNOFFICIAL FOUND
Hi,
Just seen your post on LKML, so before this gets any more out of hand
than it already has, here's why you'll find MBL_400944 detected in
gadget_multi.txt.
Hi Clamav Users,
I'm getting a FP-Alert from a customer regarding the following sig:
main.hdb:15c9c9ed5046a885d241afd2159c236a:43180:Junk.Corrupted-50
The scan is done on our inbound authenticated mail host, which rejects our
customer's mail with the following error-message:
Hi,
The
c) It's a false positive and should be reported to MBL as such
And their contact address is?
To report false positives or list problems: fp (_a_t_) malwarepatrol.net
Cheers,
Steve
Sanesecurity
Now, since the real thing is considered a high level threat to a win32
system, perhaps the thing to do is edit the .'s to DOT's, make a patch and
submit it to lkml? I might see if it's accepted.
Sorry, forgot to add this:
http://www DOT nirsoft DOT net/false_positive_report.html
fwiw, I
Greetings;
The daily system scan is fussing about
/home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt:
MBL_400944.UNOFFICIAL FOUND
Hi...
http://www.malwarepatrol.net/cgi/search.pl?id=400944
To report false positives: fp (_a_t_) malwarepatrol.net
*or*
printf MBL_400944
Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
And while it's marked up txt, it doesn't look like it should be a problem.
Can it be verified?
MBL#: 400944
PSWTool.Win32.PassViewer.av
Insertion date: 00:51:45 27/03/2013 UTC
URL http://www.nirsoft.net/utils/sanitized
Malware
Someone @ ClamAV needs to add this to daily.ftm filetypes...
Just to close this... daily.ftm has now been updated, so XZ files
should now be scanned correctly.
Cheers,
Steve
Sanesecurity
I have just compiled and installed version 0.98.1 of Clam on my
computer. According to the documentation, this version should support
decompression and scanning of files in the Xz compression format.
However, when I run clamscan to check an Xz file which I know contains a
virus (the EICAR
Thanks Steve for this reply; this is helpful.
Hi Bill,
Sorted I think.
Someone @ ClamAV needs to add this to daily.ftm filetypes...
0:0:FD377A585A00:XZ container file:CL_TYPE_ANY:CL_TYPE_XZ:75
It's in the source defaults (filetypes_int.h) but when daily.cvd gets
loaded, it uses the
Someone @ ClamAV needs to add this to daily.ftm filetypes...
These are missing too, unless it's still in devel...
1:EOF-512:6b6f6c79:DMG container file:CL_TYPE_ANY:CL_TYPE_DMG:75
0:0:78617221:XAR container file:CL_TYPE_ANY:CL_TYPE_XAR:75
4:1024:482B0004:HFS+
Looks like 0.98.1 is out...
Change log:
https://raw.github.com/vrtadmin/clamav-devel/0.98.1/ChangeLog
Sources:
http://www.clamav.net/lang/en/download/sources/
Windows binaries (.msi format):
http://sourceforge.net/projects/clamav/files/clamav/0.98.1/
Cheers,
Steve
Sanesecurity
Hello,
I found a problem with false positive malware
CRDF.Malware-Generic.3661413036.UNOFFICIAL. I wanted to decode and bypass
this signature but it looks like this can be an image signature or another
type of signature
Hi Pawel
CRDF.Malware-Generic.3661413036 was whitelisted/removed
Finally I found where this signature is located
sigwhitelist.ign2:CRDF.Malware-Generic.3661413036
Does someone know how can I bypass this signature? Which command?
Hi Pawel,
Just to add, that seeing the signature in sigwhitelist.ign2 means that
signature is in your whitelist already..
We added a file local.ign2 containing one line: Worm.Bagle.H-zippwd-1
clamscan called again and - nothing changed. Still marked as virus...
Any hints/ideas?
Hi Andreas,
Make sure you don't have a space at the end of the sig name in the .ign2
file:
Sanesecurity.Malware.22454.ZipHeur works
clamav@debian-vm-07:~/clamav-devel$ sigtool --find-sigs=Worm.Bagle.H-zip
[main.db] Worm.Bagle.H-zippwd-1
What makes this one a special case is the extra (Clam) at the end of
the signature name. This is an old sig.
Hi Dave,
Thanks for the detailed write-up, the issue was a bit confusing ;)
freebsd FreeBSD mx1.hctc.net 7.2-RELEASE
clamav-0.95.1 (yeah, I know)
Hi,
According to the changelog...
0.95.1 came out... Wed Apr 8 16:49:32 CEST 2009
.ign2 was added:
Mon Sep 28 19:29:32 CEST 2009 (tk)
--
* libclamav: new signature blacklisting
So, you'd need to upgrade ClamAV for the .ign2 format to work.
... But...just looking back in time...
local.ign...
FileName:Line#:SigName
so...try create a local.ign file with...
junk.ndb:50779:Sanesecurity.Junk.50779
scam.ndb:11957:Sanesecurity.Spam.11957.WCM
(if it doesn't work add
Hi,
This is nothing new but I've had a few off-list emails regarding this, so
thought I'd throw out to the list.
ArchiveBlockEncrypted (clamd.conf) or --block-encrypted=yes blocks
encrypted zip/rar etc. archives which is fine... but it also blocked
Encrypted PDF files..
Eg:
readme.zip:
Joel
thanks, is this list still correct..
https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md
Hi Martin,
I think it's slightly outdated... just looking at the daily ones
PUA.Crypt.ScriptCryptor
PUA.CVE_2007_0214
PUA.CVE_2007_0325
PUA.CVE_2007_1498
PUA.CVE_2011_3397
I have downloaded the prebuilt installation of ClamAV 0.98 for Win-32
from sourceforge. However, when I issue the command clamscan -V, I
get the response ClamAV devel-clamav-0.97-408-ge11f7cc
Is this what I should expect to get, or have I somehow got my hands on
an older version of ClamAV
On 17/09/2013 20:05, Alejandro Rodriguez wrote:
How I can ignore uppercase in a filename.
Right now I'm using foxhole_all.cdb to block .exe files inside .zip
archives
However if the zip contains archive.EXE (in uppercase) the scan misses.
Hi,
Sorry for the delay, been away for a few days.
Hi, have a look on the sanesecurity.com site for the foxhole signature
databases. cheers, Steve
Rajesh M 24x7ser...@24x7server.net wrote:
hi
i wish to know the steps to prepare signature so that clamav will
detect
all zipped files containing files with extensions pif, scr, exe, com,
bat,
cmd,
I'm running clamav 0.97.3 (I know it's old, working on that) on Linux. I
want to exclude files (via clamd) based on a regex and can't seem to
figure out how. I can ignore paths just fine (ExcludePath ^/tmp) but I
want to ignore all log files. I've tried many different variations of
the
Hi Andre,
NB: I'm copying this to the ClamAV users list, as a heads-up.
The ClamAV EXT list currently contains a number (eleven) of false positive
entries. They all match the string :// (without the quotes), which
clearly matches any email containing any URL.
This is a very serious
Finally I would like to know why these subscriptions were implemented? Who
can answer this question?
I had a report of this sig causing an issue, sigs were removed and domain
whitelisted.
Problem was a big spam run from those domain, but root was incorrectly
flagged
Cheers,
Steve
MBL sigs are now fixed, just had contact with them
We sincerely apologize for the trouble caused by these faulty
signatures. An update to our system was applied this morning and,
unfortunately, it had this unwanted side effect.
The update was reverted and signatures should be fixed now.
I've done some analysis of ClamAV with just this signature set, and the
loading is simply slowing down as it runs through the list. This is mainly
because of the significant amounts of overlap at the beginnings of these
strings and the length thereafter.
Hi David,
Thanks for the info.. and
I've done some analysis of ClamAV with just this signature set, and the
loading is simply slowing down as it runs through the list.
* Third Party dbs *
Hi,
While looking into the database loading time issue, thought it might be
an idea to quickly scan the same small file with each database,
OK...I'll do some testing tomorrow and see if we can't come up with some
information for you.
Matt
in the last few days a lot of spam is (ab)using t.co shortened URLs in
the payload, so these are ending up in bofhland_cracked_URL.ndb (~7K
distinct URLs atm)
Sorry for the cross post...
OK...I'll do some testing tomorrow and see if we can't come up with some
information for you.
Hi Matt
In additional testing:
a) Replacing (B)772E with (B)772E also brings the speed
down... (6.5 secs)
b) Replacing (B)772E with (B)77??772E also brings the speed
down...(10.2
OK, we've been able to reproduce the problem and it is, as you all
suspected revolving around the www. matching. I've asked one of the
developers to look at it, and we should be able to provide some
best-practice guidelines on how to construct rules to avoid this
situation.
Thanks Matt,
just in case anyone missed it...
The best news in all of this, especially for our partners, customers and
open source users, is that Cisco is committed to accelerate the
realization of our vision into the market. We'll be able to more quickly
innovate, develop and provide products and
Dear ClamAV users,
ClamAV 0.97.8 addresses several reported potential security bugs. Thanks
to Felix Groebert of the Google Security Team for finding and reporting
these issues.
Download: http://downloads.sourceforge.net/clamav/clamav-0.97.8.tar.gz
PGP sig:
Sorry about that, I had it right in my post, but when the email went out,
it didn't take.
No problem, just thought I'd point it out in case anyone thought there had
been a security issue with the file.
Cheers,
Steve
Sanesecurity
Given that a large proportion of the Sanesecurity sigs detect spam,
phishing, and other junk
mail (and folks use them as such), wouldn't it be useful to include a
standard spam test
signature by default?
It seems to be very controversial if ClamAV should include signatures
for other
On 4/8/13 1:40 PM, Andrew Beverley wrote:
Some time ago there was a discussion that resulted in the GTUBE test
spam message being added to the Clamav signatures[1].
...
[1] http://lurker.clamav.net/message/20090924.234610.57310ea1.en.html
According to the second message in your footnoted
Al,
Just now I restored and submitted autorun.inf as well to submit
malware in clamav.net
From sigtool I got this MD5 signature;
3b19da4562e3729854ae6b3fe127:1123:Autorun.inf
It's also worth submitting the malware to:
https://www.virustotal.com/en/
Currently the Autorun hash you
Hi all,
Bill Landry is the developer of clamav-unofficial-sigs and since I'm the
Debian maintainer of that, I need to discuss some things with him but
his domain inetmsg.com doesn't respond to HTTP or SMTP connections. Does
anyone know what happened to him or if he moved to a different
FYI, Win32 now available too...
http://sourceforge.net/projects/clamav/files/clamav/win32/0.97.7/
Cheers,
Steve
Sanesecurity
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
How could I block some files type that are inside a zip or rar files
attached into an e-mail received?
Here's an example: create a blockext.zmd:
Sanesecurity.Blocked.Zip.xxx.exe:0:\.(doc|xls|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr).exe$:*:*:*:*:*:*
(watch the wrap after the 0:\. bit)
This
These rules must have a common signature? Old downloads suddenly trigger
positives.
Hi Jari,
These sigs need to be reported as FP's to:
false_positive AT crdf.fr
In the mean time, I've whitelisted on the mirrors, until they can take a
look.
One thing to double check is to submit one of
Jari Fredriksson skrev den 25-11-2012 17:10:
These rules must have a common signature? Old downloads suddenly
trigger
positives.
unofficial sigs, what should clamav team do about them ?
Well, I've tried to explain what to do with FP's like this...
http://sanesecurity.co.uk/fps.htm
Are signatures for Belgian or Dutch bank-phishing mails (ING,
BNP-Paribas-Fortis, Belfius, etc) included in these databases?
I've replied off-list
Cheers,
Steve
Sanesecurity
OK, I'm stumped as to why clamav-milter did not catch this virus. It was
from this address, being masked as from UPS:
File: Invoices-14-2012.htm
Hi Jamen,
I've been seeing these java/htm combos over the last few days and been
adding detection to phish.ndb.
The other bad stuff coming in
Unless something has changed again that I missed, the INetMsg signatures
are no
longer maintained.
That's still correct... just in case anyone else missed the updates,
here's the last two announcements, as there were a few new databases too:
I will Alain,
But I want a quick way to whitelist as a shortcut, because our users
are complaining. :(
Put the problem signature name in a file called local.ign2 and restart clamd.
eg:
MBL_303159
MBL_312128
Worm.Mydoom-20009
etc. etc.
Cheers,
Steve
Sanesecurity
Hi, just was informed that some mails with
ZIP/Bredolab.A!Camelot
slipped through up2date clamav gateway , detected by
Microsoft Forefront
Hi,
Did they slip past the Sanesecurity phish.ndb/rogue.hdb ones too?
Cheers,
Steve
Sanesecurity
Thank you for your reply.
The suggested solution doesn't solve the problem as I am trying to
communicate with clamav-daemon which (as far as I can tell) checks for
the cvd databases and doesn't take a database argument. Any other
suggestions?
Create the test.ndb file as shown earlier...
Your best bet is to ask on the ClamWin forum. Here is the forum site
http://forums.clamwin.com/
I'm not sure if he's talking about the binaries here, auto-built by
ClamAV Team (not the version by the ClamWin team)
http://sourceforge.net/projects/clamav/files/clamav/win32/
The builds used to
On Mon, Jun 25, 2012 at 08:13:58AM +0100, Steve Basford wrote:
While I can see the MSI installer being useful to some people... I'd
prefer to have the .ZIPs back (or have both built), as I've got to run
the MSI installer, find where the files have been installed and then copy
them out, so
VisualStudio does not have a target to build a ZIP file, we could also
build a cab file if this would help.
Hi Tom,
Any use?
http://markkemper1.blogspot.co.uk/2010/10/zipping-build-outputs-using-build-file.html
I think I'm missing some context here: which DB files are slow to load?
The official ones? Just the sanesecurity ones? Any particular DB from the
sanesecurity ones?
Hi Edwin,
I've emailed you off-list... but think I've found the issue and work-around.
Sorry for the cross-post to
Hi,
Any eta on an update to v0.97.4 here...
http://sourceforge.net/projects/clamav/files/clamav/win32/
Cheers,
Steve
Sanesecurity
I started seeing a bunch of these this morning, essentially trashing
around... I don't know, 80 or 90% of our mail. The signature is
definitely in our database but I can't find anything about it via google
aside from pages that have apparently been updated to no longer mention
it. Any ideas
Oh, and I now realize that this is outside of freshclam's control, being
a sanesecurity signature. I removed the mbl.db and disabled that
cronjob until we sort this out...
Hi John,
Actually, just to clarify... it's not a Sanesecurity signature and it's
not distributed by Sanesecurity either,
Dear list,
We received a virus not detected by Clamav. VirusTotal shows a 23/43
detection ratio. Trend Micro recognises it as TROJ_GEN.R06C8AN.
Yesterday I submitted a sample to Clamav. But till now it's not detected.
Can someone help me understand what the issue with securesites.net is,
and why this email was blocked because of it?
Hi Alex,
The domain was blocked by a Third Party ClamAV database produced by InetMsg.
I've removed the signature for them and it will be removed from the
mirrors in the next 15
I have a large number of files (9TB) with over a million files and
thousands of directories. I would like to scan the group one time so I
have a good baseline. After that I would like to scan files that are less
than 365 days old. Can I use clamscan to scan files by date?
Along these lines,
On Wed, 14 Sep 2011, Dan wrote:
http://www.downforeveryoneorjustme.com/88.198.67.125
Says it's up.
Received responses: 53 Ok 5 Fail
http://host-tracker.com/check_res_ajx/8730391-0/
Cheers,
Steve
Sanesecurity
This is a message I hand created with a valid link to a dropbox file.
4e1653aa.432.e8be7950.c618...@mc3computerclub.org Message contains an
infected attachment (INetMsg.SpamDomain-2w.dl_dropbox_com.UNOFFICIAL)
Hi,
I've removed the signature from the mirrors and have also notified Bill
On Thu, 9 Jun 2011, Luca Gibelli wrote:
Dear ClamAV users,
This is a bugfix release recommended for all users. Please refer to the
ChangeLog file for details.
Download : http://downloads.sourceforge.net/clamav/clamav-0.97.1.tar.gz
Can't see the windows binaries for 0.97.1 yet?
I know that XF.SIC.L detected files are not viruses; I want clamav to ignore
this kind of viruses.
I also created file local.ign2 in the database dir with the following
content
# cat local.ign2
XF.Sic.E
XF.Sic.L
but got error after restarting the clamd service
How about?
printf
On 04/17/11 05:05, Dennis Peterson wrote:
Adding the hard-coded
UNOFFICIAL reduces some liability from the Clamav team.
That!
And lots of daily annoyances with FP reports too.
Which is why the suffix won't go away nor an option will be available to
get rid of it.
I receive .UNOFFICIAL
Thanks
I had put in
MBL_200562.UNOFFICIAL
instead of
MBL_200562
I reloaded clamav and now it works.
Glad you got it sorted.
Just to clarify, don't add the .UNOFFICIAL to *any* signature names that
you wish to whitelist (add to the .ign2 file)
It confused me at first too, why sigs
Hello,
I have a user that receives an email from a legitimate online newspaper
site and since Monday they click on links in that email address and DG
blocks the page with the following message
Virus MBL_200562.UNOFFICIAL found
Hi,
Although it's not a Sanesecurity signature but another
Disregard the message, found this was an OLD database file that was
causing problems.
Hi Ken,
Thanks for the report and glad you sorted out the problem.
For reference, here's the contact details for the
Sanesecurity/Sanesecurity Distributed signatures:
http://sanesecurity.co.uk/fps.htm
Hello again,
Probably expected, the above mentioned 3rd party database can't be
loaded with this version, 0.96 had no such problem.
I've just done a quick download of the current file and this item is causing
the problem for me:
LibClamAV Error: cli_loadhash: Invalid value for the size field
[NSFW]
http://git.clamav.net/gitweb?p=clamav-devel.git;a=commit;h=42ab31d897c0d67b89467cfe34532c8b421d2c95
Lol,
Steve
Sanesecurity
Alex wrote:
Hi,
We had a user report that their email was tagged with
winnow.botnets.zu.zeus.4637.UNOFFICIAL, according to the logs. How can
I track this, and determine which database it was that contains this
pattern, and why it considered this email to contain this virus?
Hi Alex,
As
the actual file name is Xerox_doc.exe
i have submitted this on the clam website several times but there seems to
be no update on this
Could somebody check this out and help please.
Just to add that Sanesecurity signatures from phish.ndb should be catching
that one already... add in
Can you run it with --debug to see where it hangs?
Then open a bugreport please (and attach junk.ndb).
Not that this really helps, but I've tried the official win32 windows port
from here: http://sourceforge.net/projects/clamav/files/clamav/win32/
And in doing a quick test - loading ALL
OK. Here's debug AND the fix at least from my solution:
Recompiled with
./configure --disable-llvm
make
make install
Thanks for reporting back.. it's odd though, as the test file you are
scanning is only a small ascii file out of interest does the same
thing happen with llvm enabled
Hi all,
I was thinking of implementing the MSRBL signatures, as they are
described on the sanesecurity site, but it appears they haven't been
updated in quite some time. I wouldn't have considered it, except that
they are listed on the sanesecurity site.
Are they still effective? Perhaps
I've discontinued using them because of the lack of activity. I've also
shut off
SecuriteInfo and because of false positives, InetMsg signatures.
Hi Dennis,
If any FP's are reported here:
false_positive AT sanesecurity DOT me DOT uk
I then remove and forward on to the right person to take
Eric Rostetter wrote:
I recently
had a false positive also (a base64 encoded pdf string that happened
to match on a certain drug name). But, the FP rate is probably about
1 per year, so all in all not bad at all if you either reject
them or quarantine them (as opposed to tossing them in the
Yep, please open a ticket in our bugzilla
Entry added:
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2063
BTW, might be an idea to add Sigtool to the component options page on
Bugzilla.
Cheers,
Steve
Sanesecurity
Ooops... forgot the sigtool un-pack bit (note: daily file only)
sigtool --unpack-current=daily
grep PUA.HTML.Infected.WebPage daily.* -h > sig.tmp
sigtool --decode-sigs < sig.tmp > decodedsig.tmp
cat decodedsig.tmp
Cheers,
Steve
Sanesecurity
You can use 'sigtool -fPUA.HTML.Infected.WebPage' to find and print the
sigs, no need to unpack.
Nice... thanks Edwin:
sigtool -fPUA.HTML.Infected.WebPage | sigtool --decode-sigs
:)
Cheers,
Steve
Sanesecurity
You can use 'sigtool -fPUA.HTML.Infected.WebPage' to find and print the
sigs, no need to unpack.
Also works for:
sigtool -fSanesecurity.Phishing.Fake.13780 | sigtool --decode-sigs
Could a --database type option be added to sigtool, for loading databases
outside the normal DatabaseDirectory
If someone can point me to the solution ?!
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.96 Recommended version: 0.96.1
# clamd -V
ClamAV 0.96/11056/Thu May 20 08:33:06 2010
You are using 0.96.. the latest being 0.96.1, released yesterday:
For some reason your program has my domain (mwrinc.com) listed as bad, and
as a result some of our clients cannot receive our emails. How can I
remove my domain from your list. It is not on google's safe browsing
list, nor is it blocked by any other spam/virus program that I am aware of
Hi,
Just had clamd 0.96 win32 port crash...
LibClamAV debug: 767942.cbc loaded
LibClamAV debug: Loading trusted bytecode
LibClamAV debug: bytecode using API 66, but highest API known to
libclamav is 45
, skipping
LibClamAV debug: 767944.cbc loaded
LibClamAV debug: Loading trusted bytecode
Török Edwin wrote:
Please update to latest from 0.96 branch/master, and it should work.
Just downloading and re-compiling now... I need a faster machine :(
Thanks for looking into it...
Cheers,
Steve
Sanesecurity
We've had a couple of legitimate messages hit on Sanesecurity.Junk.23771
within the last week or so.
Hi Adam,
Signature fixed.
Sanesecurity False Positives should be reported to: false_positive AT
sanesecurity DOT me DOT uk.
More information here:
http://sanesecurity.co.uk/fps.htm
Cheers,
I meant that the other day there was a URL in the body of an email
that passed through as ham when in fact it ended in 'ecard.exe' and,
should the recipient download it, would be shown to be a trojan.
Doesn't clamav block stuff like this, I thought?
Hi Alex,
If you still have a copy of the
If you still have a copy of the headers body, could you send me a
sample:
Attachment sent.
Thanks for the sample Alex.
It's already being detected as:
Sanesecurity.Malware.8830.UNOFFICIAL
So, you should already be covered :)
Cheers,
Steve
Sanesecurity
No, I can run rsync right afterwards and it succeeds, like this:
# rsync -v rsync://ns.km33603.keymachine.de/sanesecurity/
Here's the output from the clamav-unofficial-sigs.sh script immediately
after:
Hi Alex,
If you run rsync manually and then run the script after, you'll no doubt
get a
Noel Jones wrote:
Clam must scan the whole email message because (as you know) some
signatures only trigger on files that look like a mail message.
To have both attachment blocking and full email scanning, the mail
ends up being scanned twice. Maybe I'll put in a request for a don't
scan
+1
+0x1
but if you *really* must...
http://www.acepolls.com/polls/1116421-clamav-eol-what-do-you-think
Steve
Sanesecurity
I guess this is a false positive?
decodes to:
width=1 height=1 f*r*a*m*e*b*o*r*d*e*r=0/i*f*r*a*m*e
(remove *'s)
I guess this might hit on
If you are using 0.96 and want to whitelist it:
1. create a whitelist.ign2 file (for example)
2. insert the text: HTML.IFrame-39
3. restart clamd
4.
After the last signature update, clam av stopped working on our woody
installation.
Could be this...
This move is needed to push more people to upgrade to 0.95
See: http://www.clamav.net/lang/en/2009/10/05/eol-clamav-094/
Cheers,
Steve
Sanesecurity
We use clamav within a webscanner. The sample is the webpage itself:
- http://www.alice-dsl.de/
- http://www.lenovo.com/us/en/
- http://www.sky.de/web/cms/de/abonnieren-paket-info.jsp
- http://www.apple.com/
Yep, the signature will match those, as it's quite generic. So, it hits
those
Christopher X. Candreva wrote:
I disagree with that statement because it's incomplete.. The purpose of this
update was to make running software break WITH A DESCRIPTIVE ERROR .
Important difference.
The alternative being breaking with an incomprehensible hex dump
I think that's sums it
Does anyone know if there is still a Windows compilation which will run on
Windows Server 2003 SP2? ClamAV (clam-latest-32.exe) refuses to install on
this operating system and ClamWin seems to have mutated into a desktop
product which lacks clamd and clamdscan etc.
Hi Tim,
Have you tried
Does anyone know if there is still a Windows compilation which will run on
Windows Server 2003 SP2? ClamAV (clam-latest-32.exe) refuses to install on
this operating system and ClamWin seems to have mutated into a desktop
product which lacks clamd and clamdscan etc.
Speaking of the
Hi,
www.clamav.net seems to have been down for short periods of time today,
is there extra load due to the EOL announce on the site?
Example here:
http://host-tracker.com/check_res_ajx/4730986-0/
Cheers,
Steve
Sanesecurity
Hi,
Just for interest.. feedback on EOL...
http://search.twitter.com/search?q=clamav
Cheers,
Steve
Sanesecurity
301 - 400 of 523 matches