Good morning,
I use clamav with the additional signatures from securiteinfo.
ClamAV 0.103.10/27129/Wed Dec 20 10:38:37 2023
Some time ago clamav was due for an update - since then it has
recognized almost nothing.
I start the scan with:
clamscan -i --move=/home/virusverdacht/erkannt /home/virusverdacht
/etc/clamav/freshclam.conf:
[...]
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/sigwhitelist.ign2
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/sanesecurity.ftm
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/junk.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/jurlbl.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/phish.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/rogue.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/scam.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/spamimg.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/spamattach.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/blurl.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_generic.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_filename.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/malwarehash.hsb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/malware.expert.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/hackingteam.hsb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_malware.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_malware_links.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_extended_malware.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow.attachments.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_bad_cw.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_cracked_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_malware_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_phishing_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_malware_attach.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/crdfam.clamav.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/porcupine.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/porcupine.hsb
DatabaseCustomURL https://urlhaus.abuse.ch/downloads/urlhaus.ndb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxxx/securiteinfo.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/securiteinfo.ign2
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxx/javascript.ndb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/spam_marketing.ndb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/securiteinfohtml.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/securiteinfoascii.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/securiteinfoandroid.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/securiteinfoold.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/securiteinfopdf.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/securiteinfo0hour.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/securiteinfo.mdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/securiteinfo.yara
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxx/securiteinfo.pdb
[...]
/etc/clamav/clamav.conf
[...]
LogFile /var/log/clamav.log
LogTime yes
LogSyslog yes
LogFacility LOG_LOCAL2
PidFile /var/amavis/clamd.pid
DatabaseDirectory /var/clamav
OfficialDatabaseOnly no
LocalSocket /var/amavis/clamd
LocalSocketMode 660
FixStaleSocket yes
DetectPUA yes
IncludePUA Spy
IncludePUA Scanner
IncludePUA RAT
AlgorithmicDetection yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanPDF yes
ScanMail yes
ScanPartialMessages yes
PhishingSignatures yes
PhishingScanURLs yes
PhishingAlwaysBlockSSLMismatch no
PhishingAlwaysBlockCloak no
HeuristicScanPrecedence yes
StructuredDataDetection yes
StructuredMinCreditCardCount 5
StructuredMinSSNCount 5
StructuredSSNFormatNormal yes
StructuredSSNFormatStripped yes
Bytecode yes
[...]
I suspect it ignores the additional signatures.
But where is the mistake here?
Greetings,
Sebastian
_______________________________________________
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat
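
An added example, not part of the original post: a check that compares the `DatabaseDirectory` set on the freshclam side with the one set on the scanner side, and lists which `DatabaseCustomURL` files are absent from the directory the scanner loads. The function names and the temporary sample files are constructed for illustration; the directive values are excerpts from the two configs quoted above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# First value of a single-valued directive, e.g. DatabaseDirectory.
conf_value() {          # conf_value FILE KEY
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# File names that freshclam fetches through DatabaseCustomURL.
# NF >= 2 skips a key whose URL was wrapped onto the next line.
custom_db_names() {     # custom_db_names FRESHCLAM_CONF
    awk '$1 == "DatabaseCustomURL" && NF >= 2 { n = split($2, p, "/"); print p[n] }' "$1"
}

# Custom databases that are not present in the directory a scanner loads.
missing_dbs() {         # missing_dbs DB_DIR FRESHCLAM_CONF
    custom_db_names "$2" | while read -r name; do
        [ -f "$1/$name" ] || printf '%s\n' "$name"
    done
}

# Succeeds only when both configs name the same DatabaseDirectory.
same_db_dir() {         # same_db_dir FRESHCLAM_CONF CLAMD_CONF
    fresh_dir=$(conf_value "$1" DatabaseDirectory)
    clamd_dir=$(conf_value "$2" DatabaseDirectory)
    [ -n "$fresh_dir" ] && [ "$fresh_dir" = "$clamd_dir" ]
}

# Constructed sample: excerpts of the two configs quoted in the post.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/var/clamav"
cat > "$demo/freshclam.conf" <<'EOF'
DatabaseDirectory /var/lib/clamav
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/junk.ndb
DatabaseCustomURL https://urlhaus.abuse.ch/downloads/urlhaus.ndb
EOF
cat > "$demo/clamd.conf" <<'EOF'
DatabaseDirectory /var/clamav
OfficialDatabaseOnly no
EOF
: > "$demo/var/clamav/junk.ndb"   # constructed: only this file is in the scanner directory

if same_db_dir "$demo/freshclam.conf" "$demo/clamd.conf"; then
    echo "freshclam and clamd use the same DatabaseDirectory"
else
    echo "freshclam writes to $fresh_dir, clamd loads from $clamd_dir"
fi
echo "custom databases missing from the scanner directory:"
missing_dbs "$demo/var/clamav" "$demo/freshclam.conf"
```

To use it on a real host, pass the actual config paths and database directory instead of the constructed sample. `clamscan` does not read the clamd configuration; it loads from its built-in default directory unless `--database` is given, so the directory passed to `missing_dbs` should be the one the scanner in use actually loads.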