> From: philip.andersson...@live.se
> To: clamav-users@lists.clamav.net
> Date: Tue, 24 May 2016 19:17:42 +0200
> Subject: Re: [clamav-users] Problem with setup
>
> The Eicar virus is stopped, a colleague of mine tested it, but this pdf virus
> is still slinking through CVE-2010-1240.
>
> I know that this virus is old but because of old systems on end users it is
> still a risk. It picks it up in clamdscan though as noted before. Can't see
> socket output right now but the regular output is dead silent. Only start up
> things and database updates. The last row is the clamdscan output. Runs the
> same output-file.
>
> Tue May 24 12:45:30 2016 -> +++ Started at Tue May 24 12:45:30 2016
> Tue May 24 12:45:30 2016 -> Received 0 file descriptor(s) from systemd.
> Tue May 24 12:45:30 2016 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64,
> CPU: x86_64)
> Tue May 24 12:45:30 2016 -> Log file size limited to 104857600 bytes.
> Tue May 24 12:45:30 2016 -> Reading databases from
> /program/clamav_new/database
> Tue May 24 12:45:30 2016 -> Not loading PUA signatures.
> Tue May 24 12:45:30 2016 -> Bytecode: Security mode set to "TrustSigned".
> Tue May 24 12:45:38 2016 -> Loaded 4383889 signatures.
> Tue May 24 12:45:39 2016 -> TCP: Bound to [0.0.0.0]:3310
> Tue May 24 12:45:39 2016 -> TCP: Setting connection queue length to 200
> Tue May 24 12:45:39 2016 -> LOCAL: Unix socket file /tmp/clamd.socket
> Tue May 24 12:45:39 2016 -> LOCAL: Setting connection queue length to 200
> Tue May 24 12:45:39 2016 -> Limits: Global size limit set to 104857600 bytes.
> Tue May 24 12:45:39 2016 -> Limits: File size limit set to 41943040 bytes.
> Tue May 24 12:45:39 2016 -> Limits: Recursion level limit set to 16.
> Tue May 24 12:45:39 2016 -> Limits: Files limit set to 10000.
> Tue May 24 12:45:39 2016 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
> Tue May 24 12:45:39 2016 -> Limits: MaxHTMLNormalize limit set to 10485760
> bytes.
> Tue May 24 12:45:39 2016 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
> Tue May 24 12:45:39 2016 -> Limits: MaxScriptNormalize limit set to 5242880
> bytes.
> Tue May 24 12:45:39 2016 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
> Tue May 24 12:45:39 2016 -> Limits: MaxPartitions limit set to 50.
> Tue May 24 12:45:39 2016 -> Limits: MaxIconsPE limit set to 100.
> Tue May 24 12:45:39 2016 -> Limits: MaxRecHWP3 limit set to 16.
> Tue May 24 12:45:39 2016 -> Limits: PCREMatchLimit limit set to 10000.
> Tue May 24 12:45:39 2016 -> Limits: PCRERecMatchLimit limit set to 5000.
> Tue May 24 12:45:39 2016 -> Limits: PCREMaxFileSize limit set to 26214400.
> Tue May 24 12:45:39 2016 -> Archive support enabled.
> Tue May 24 12:45:39 2016 -> Algorithmic detection enabled.
> Tue May 24 12:45:39 2016 -> Portable Executable support enabled.
> Tue May 24 12:45:39 2016 -> ELF support enabled.
> Tue May 24 12:45:39 2016 -> Mail files support enabled.
> Tue May 24 12:45:39 2016 -> OLE2 support enabled.
> Tue May 24 12:45:39 2016 -> PDF support enabled.
> Tue May 24 12:45:39 2016 -> SWF support enabled.
> Tue May 24 12:45:39 2016 -> HTML support enabled.
> Tue May 24 12:45:39 2016 -> XMLDOCS support enabled.
> Tue May 24 12:45:39 2016 -> HWP3 support enabled.
> Tue May 24 12:45:39 2016 -> Self checking every 600 seconds.
> Tue May 24 12:55:54 2016 -> SelfCheck: Database status OK.
> Tue May 24 13:13:18 2016 -> SelfCheck: Database status OK.
> Tue May 24 13:23:18 2016 -> SelfCheck: Database status OK.
> Tue May 24 13:33:18 2016 -> SelfCheck: Database status OK.
> Tue May 24 13:43:18 2016 -> SelfCheck: Database status OK.
> Tue May 24 13:53:18 2016 -> SelfCheck: Database status OK.
> Tue May 24 13:58:29 2016 -> /nfshome/66118710/clam/cybercom_pentest2.pdf:
> Win.Trojan.MSShellcode-7(0fefca28d5c5509397979d86c4e8d1cb:95307) FOUND
>
> Output from clamdscan:
> $/program/clamav_new/clamav/bin/clamdscan -c
> /program/clamav_new/clamav/etc/clamd-A1.conf
> /nfshome/66118710/clam/cybercom_pentest2.pdf
> /nfshome/66118710/clam/cybercom_pentest2.pdf: Win.Trojan.MSShellcode-7 FOUND
>
> ----------- SCAN SUMMARY -----------
> Infected files: 1
> Time: 0.047 sec (0 m 0 s)
>
>
> > To: clamav-users@lists.clamav.net
> > From: cla...@cosis.dk
> > Date: Tue, 24 May 2016 16:52:22 +0200
> > Subject: Re: [clamav-users] Problem with setup
> >
> > On 05/24/2016 04:29 PM, Philip Andersson wrote:
> > > I know that the setup has worked before, but the test virus is new and the
> > > clamav version is new. The plugins are written by me and used in small MTS
> > > application.
> > >
> > > I am not reading the log-file but the output stream from clamd, it's two
> > > different things.
> > >
> > > I just wonder how the clamd is missing a virus that clamdscan picks up
> > > when using the same settings and same database.
> > > Is there a difference in the way they work?
> > >
> > > _________
> > You could have saved us all a lot of time, if only you had given us that
> > information up-front.
> >
> > With the new ClamAV Version - does it detect the standard Eicar Test
> > Virus? (Sent in an attachment as e.g. Eicar.com)
> >
> > Could you provide the output from the ClamD when injecting the infected
> > PDF file. (All output please - log and socket)
> >
> > Also the output from Clamscan processing the same file would be useful.
> >
> > Best regards
> > Michael
> >
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
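To compare what a plugin receives on the clamd socket with what clamdscan prints, as discussed in this thread, the following added example (not code from the thread or from the ClamAV project) frames a buffer for clamd's `INSTREAM` command and parses the reply, treating anything other than `OK` or `FOUND` as an error rather than as clean. The socket path is the one shown in the log above; the function names are hypothetical.

```python
import re
import socket
import struct

# Reply forms: "<name>: OK", "<name>: <signature> FOUND", "<text> ERROR".
# The optional "(md5:size)" suffix is the form seen in the clamd log in this thread.
_FOUND = re.compile(
    r"^(?P<name>.*): (?P<sig>\S+?)(?:\((?P<md5>[0-9a-f]{32}):(?P<size>\d+)\))? FOUND$"
)


def frame_instream(data: bytes, chunk_size: int = 8192) -> bytes:
    """Build a full INSTREAM request: command, length-prefixed chunks, zero terminator."""
    out = [b"zINSTREAM\0"]  # 'z' prefix: command and reply are NUL-terminated
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out.append(struct.pack("!I", len(chunk)) + chunk)  # 4-byte big-endian length
    out.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return b"".join(out)


def parse_reply(raw: bytes) -> dict:
    """Classify one clamd reply; an empty or unrecognised reply is ERROR, never clean."""
    line = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    m = _FOUND.match(line)
    if m:
        return {"status": "FOUND", "signature": m["sig"], "name": m["name"]}
    if line.endswith(": OK"):
        return {"status": "OK", "signature": None, "name": line[:-4]}
    return {"status": "ERROR", "signature": None, "name": line}


def scan_bytes(data: bytes, socket_path: str = "/tmp/clamd.socket") -> dict:
    """Send data to clamd over its Unix socket and return the parsed verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(30)
        s.connect(socket_path)
        s.sendall(frame_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:  # daemon closed the connection without a full reply
                break
            reply += part
    return parse_reply(reply)
```

Calling `scan_bytes` on the contents of a file that clamdscan flags shows whether the daemon itself returns `FOUND` on the socket, independently of the log file.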