Re: [clamav-users] Malwarepatrol false positives

2018-04-28 Thread Vincent Fox
I've had to exempt 4 MBL sigs in 24 hours. Where's the QC? I'm on a knife edge about just dropping MBL. From: clamav-users on behalf of Alex Sent: Friday, April 27, 2018 8:22:05 PM To: ClamAV

[clamav-users] FP Ppt.Exploit.CVE_2017_0199-6336815-1

2017-10-05 Thread Vincent Fox
Hi, Getting hits today on this entry in daily.cld.

[root@smtp1 clamav]# sigtool --find-sigs Ppt.Exploit.CVE_2017_0199-6336815-1|sigtool --decode-sigs
VIRUS NAME: Ppt.Exploit.CVE_2017_0199-6336815-1
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:

Re: [clamav-users] CryLocker and Cryptolocker

2016-09-14 Thread Vincent Fox
> Does anyone think it's reasonable/acceptable to block all macros in
> any sizable organization?

Yes. We are 2-4 million messages/day, dunno if that is "sizable" to you.

Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Vincent Fox
On 10/06/2014 08:32 AM, Webmaster wrote: On Monday, 6 October 2014, 10:05:11, Alain Zidouemba wrote: If you think it needs to be quicker, then maybe you could volunteer your time to help with the analysis (I'm not sure how you'd go about this) Or use this :

[clamav-users] signature that penalizes for line length?

2014-06-14 Thread Vincent Fox
Hi, We use ClamAV, and I have noticed a certain class of spam hitting us lately that has VERY long final lines of garbage text. The reason I noticed it was the length exceeds 2048 characters, which trips a problem in POP3 client downloads. Anyhow is there any signature that can be used to

Re: [clamav-users] signature that penalizes for line length?

2014-06-14 Thread Vincent Fox
suggest taking a look at Sanesecurity http://sanesecurity.com to see if they have what you need. Steve runs things there and subscribes to this list so will probably have some more specific knowledge. -Al- On Sat, Jun 14, 2014 at 12:56 AM, Vincent Fox wrote: Hi, We use ClamAV, and I have

Re: [clamav-users] Block all EXE/SRC or MS-EXE/DLL file

2014-04-08 Thread Vincent Fox
On 4/8/2014 8:12 PM, Carl Brewer wrote: On 13/02/2014 8:48 PM, Sim wrote: Hello! In the last weeks/months the unrecognized viruses are increasing exponentially (not only for Clamav but for all antivirus). My idea is block all EXE/SRC (also into ZIP/RAR). Executing clamscan --debug filename I

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive

2014-03-02 Thread Vincent Fox
Comment about this feature, which I've never turned on before. I flipped it on, for a single mail router in a pool of 9. Over the course of a day and MANY messages, it tripped for only 4 messages, all of which seem legit. So I'm turning it back off.

Re: [clamav-users] clamd taking too long to restart?

2013-08-14 Thread Vincent Fox
On 8/13/2013 9:46 PM, Matt Olney wrote: OK...I'll do some testing tomorrow and see if we can't come up with some information for you. Mainly I want MX pool heavy on signatures. I tested shorter list on SMTP pool: ss_dbs= blurl.ndb bofhland_malware_URL.ndb bofhland_phishing_URL.ndb

Re: [clamav-users] clamd taking too long to restart?

2013-08-14 Thread Vincent Fox
On 8/14/2013 7:58 AM, G.W. Haywood wrote: Hi there, On Wed, 14 Aug 2013, Vincent Fox wrote: Re: clamd taking too long to restart? Previously I was using a short list of signatures and startup time of 30 seconds which was acceptable. Well it didn't get noticed much. However recently I added

[clamav-users] clamd taking too long to restart?

2013-08-13 Thread Vincent Fox
Hi, Previously I was using a short list of signatures and startup time of 30 seconds which was acceptable. Well it didn't get noticed much. However recently I added a kitchen sink of extra databases like winnow etc. Now startup time is 2.5 minutes, which becomes noticeable. Any way to

Re: [clamav-users] clamd taking too long to restart?

2013-08-13 Thread Vincent Fox
On 8/13/2013 8:49 PM, Matt Olney wrote: So what qualifies as a kitchen sink-load? Most everything that SaneSecurity hosts that is low or medium risk: ss_dbs= blurl.ndb bofhland_cracked_URL.ndb bofhland_malware_URL.ndb bofhland_phishing_URL.ndb bofhland_malware_attach.hdb

[clamav-users] n00b question: signatures enabled?

2013-07-26 Thread Vincent Fox
Hi, I've been puzzling over a ClamAV installation I was handed. Is there an easy way to verify which signatures are being loaded/used? It's not clear to me, where you go to enable/disable signatures. I see quite a lot of signatures being downloaded by freshclam and/or the unofficial-sigs.sh

Re: [clamav-users] n00b question: signatures enabled?

2013-07-26 Thread Vincent Fox
Found the answer to part of my question with: clamconf -n I still have a problem that previous admin was downloading lots of unofficial signatures, to a place that clamd isn't paying any attention to. Working on that part. Thanks! On 07/26/2013 12:44 PM, Vincent Fox wrote: Hi, I've been

Re: [clamav-users] What happened to 12663 ?

2011-02-11 Thread Vincent Fox
On 2/11/2011 8:31 AM, Jan-Pieter Cornet wrote: On the other hand, since you haven't updated ClamAV in over a year, leading to (significantly) decreased detection, maybe the scanning of email isn't top priority, and your mail scanning engine needs to fall back to letting mail through on scan