[clamav-users] scan on access block when found.

2016-02-25 Thread kamil kapturkiewicz
Hi,
I've just installed ClamAV 0.99, configured scan-on-access as follows:

OnAccessIncludePath /home
OnAccessIncludePath /var/ftp
OnAccessDisableDDD yes
OnAccessPrevention yes
OnAccessExtraScanning yes

then uploaded (via scp) Eicar to test, which was found by ScanOnAccess:

Thu Feb 25 12:00:55 2016 -> ScanOnAccess: /home/username/eicar.txt: 
Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND

but not blocked. Checked clamd.log, and found this:
...
Thu Feb 25 12:39:05 2016 -> ScanOnAccess: 
/usr/lib/x86_64-linux-gnu/libfontconfig.so.1.8.0: 
YARA.MD5_Constants.UNOFFICIAL(0ef17ff4124d38b50ec503513ddfff01:248816) FOUND
Thu Feb 25 12:39:05 2016 -> ScanOnAccess: 
/usr/lib/x86_64-linux-gnu/librtmp.so.1: 
YARA.BLOWFISH_Constants.UNOFFICIAL(3b067506f0b185622631c6e43fff2403:122168) 
FOUND
Thu Feb 25 12:39:05 2016 -> ScanOnAccess: 
/usr/lib/x86_64-linux-gnu/libgnutls-deb0.so.28.41.0: 
YARA.RIPEMD160_Constants.UNOFFICIAL(082e1c093f4a321564793324d8a53148:1173320) 
FOUND
Thu Feb 25 12:39:05 2016 -> ScanOnAccess: 
/usr/lib/x86_64-linux-gnu/libnettle.so.4.7: 
YARA.BLOWFISH_Constants.UNOFFICIAL(4cce9eb53d3af2c9bcf34ef8e5990284:203520) 
FOUND
Thu Feb 25 12:39:05 2016 -> ScanOnAccess: 
/lib/x86_64-linux-gnu/libgcrypt.so.20.0.3: 
YARA.BLOWFISH_Constants.UNOFFICIAL(59235bed62b29d88a20f55b675f097c9:924096) 
FOUND
Thu Feb 25 12:39:05 2016 -> ScanOnAccess: 
/usr/lib/x86_64-linux-gnu/libsasl2.so.2.0.25: 
YARA.MD5_Constants.UNOFFICIAL(064ea4ea5acf2bc1dfa79cecef1efec2:113520) FOUND
Thu Feb 25 12:39:06 2016 -> ScanOnAccess: /usr/bin/php5: 
YARA.BLOWFISH_Constants.UNOFFICIAL(595910cd8a190ed3ea92b214f1dd4509:9024168) 
FOUND
Thu Feb 25 12:39:06 2016 -> ScanOnAccess: 
/lib/x86_64-linux-gnu/libcrypt-2.19.so: 
YARA.MD5_Constants.UNOFFICIAL(6db5503fe7f59072efc8dc3566cbc28d:35176) FOUND
Thu Feb 25 12:39:07 2016 -> ScanOnAccess: 
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0: 
YARA.BLOWFISH_Constants.UNOFFICIAL(8f88442f21ad73a51c3413ce7dfc82e0:2062720) 
FOUND
Thu Feb 25 12:39:07 2016 -> ScanOnAccess: 
/usr/lib/x86_64-linux-gnu/libdb-5.3.so: 
YARA.RIPEMD160_Constants.UNOFFICIAL(db727251f8d41832c6dbb87d75be7e73:1840496) 
FOUND
Thu Feb 25 12:39:07 2016 -> ScanOnAccess: 
/usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1: 
YARA.MD5_Constants.UNOFFICIAL(94039c03eeecb23ee62acdecab4c9306:195400) FOUND
Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /usr/bin/sort: 
YARA.MD5_Constants.UNOFFICIAL(c530fd8e6ed446fd4979e1fa4193:105832) FOUND
Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /usr/bin/sort: 
YARA.MD5_Constants.UNOFFICIAL(c530fd8e6ed446fd4979e1fa4193:105832) FOUND
Thu Feb 25 12:39:07 2016 -> ScanOnAccess: 
/lib/x86_64-linux-gnu/security/pam_unix.so: 
YARA.MD5_Constants.UNOFFICIAL(23e650547c395da69a953f0b896fe0a8:60160) FOUND
Thu Feb 25 12:39:07 2016 -> ScanOnAccess: 
/lib/x86_64-linux-gnu/libcrypt-2.19.so: 
YARA.MD5_Constants.UNOFFICIAL(6db5503fe7f59072efc8dc3566cbc28d:35176) FOUND
Thu Feb 25 12:40:01 2016 -> ScanOnAccess: 
/lib/x86_64-linux-gnu/security/pam_unix.so: 
YARA.MD5_Constants.UNOFFICIAL(23e650547c395da69a953f0b896fe0a8:60160) FOUND
Thu Feb 25 12:40:01 2016 -> ScanOnAccess: 
/lib/x86_64-linux-gnu/libcrypt-2.19.so: 
YARA.MD5_Constants.UNOFFICIAL(6db5503fe7f59072efc8dc3566cbc28d:35176) FOUND
Thu Feb 25 12:40:03 2016 -> ScanOnAccess: 
/lib/x86_64-linux-gnu/security/pam_unix.so: 
YARA.MD5_Constants.UNOFFICIAL(23e650547c395da69a953f0b896fe0a8:60160) FOUND
Thu Feb 25 12:40:03 2016 -> ScanOnAccess: 
/lib/x86_64-linux-gnu/libcrypt-2.19.so: 
YARA.MD5_Constants.UNOFFICIAL(6db5503fe7f59072efc8dc3566cbc28d:35176) FOUND
...

(it seems the whole system is infected)

Why does Scan On Access scan files outside /home and /var/ftp?
Why was Eicar not blocked?

Does Scan On Access work at last in 0.99, or is it still a TO DO?



___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
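The configuration and log excerpt above, worked into a small triage script (an added example, not ClamAV's own code). It parses the OnAccess* lines from clamd.conf, warns about combinations that cannot do what the admin expects (OnAccessExtraScanning with DDD disabled; OnAccessPrevention when the kernel may lack fanotify permission support), and splits ScanOnAccess hits into those under the configured include paths and those outside them. It also counts hits per signature whose name ends in `.UNOFFICIAL`, the suffix ClamAV appends to signatures loaded from non-official databases: the MD5_Constants, BLOWFISH_Constants and RIPEMD160_Constants names are YARA rules that look for cryptographic constants, so hits on crypto and PAM libraries are the expected footprint of those rules, and belong in a separate bucket from an Eicar hit. The log format assumed is the one shown in the thread, `<ctime> -> ScanOnAccess: <path>: <signature> FOUND`; the sample data is constructed from the lines quoted above.

```python
"""Triage ClamAV ScanOnAccess hits against the OnAccess* settings in clamd.conf.

Added example, not ClamAV's own code. It assumes the clamd.log line shape
shown in the thread ('<ctime> -> ScanOnAccess: <path>: <signature> FOUND')
and the clamd.conf 'Key value' syntax; the sample data below is constructed
from the lines quoted in the thread.
"""
import re
from collections import Counter

ONACCESS_RE = re.compile(
    r"^(?P<ts>.+?) -> ScanOnAccess: (?P<path>.+): (?P<sig>\S+) FOUND$"
)


def parse_onaccess_config(text):
    """Collect OnAccessIncludePath entries and OnAccess* yes/no switches."""
    cfg = {"include_paths": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "OnAccessIncludePath":
            cfg["include_paths"].append(value.rstrip("/") or "/")
        elif key.startswith("OnAccess"):
            cfg[key] = value.lower() in ("yes", "true", "1")
    return cfg


def config_warnings(cfg):
    """Flag setting combinations that cannot do what the admin expects."""
    warnings = []
    if cfg.get("OnAccessExtraScanning") and cfg.get("OnAccessDisableDDD"):
        warnings.append(
            "OnAccessExtraScanning needs DDD: it is driven by the inotify "
            "events DDD collects, so OnAccessDisableDDD yes disables it")
    if cfg.get("OnAccessPrevention"):
        warnings.append(
            "OnAccessPrevention only blocks if the kernel has "
            "CONFIG_FANOTIFY_ACCESS_PERMISSIONS; otherwise clamd only alerts")
    if not cfg["include_paths"]:
        warnings.append("no OnAccessIncludePath configured")
    return warnings


def in_scope(path, include_paths):
    """True if path lies under one of the configured include paths."""
    return any(p == "/" or path == p or path.startswith(p + "/")
               for p in include_paths)


def parse_scanonaccess(lines):
    """Extract timestamp, path and signature from ScanOnAccess FOUND lines."""
    hits = []
    for line in lines:
        m = ONACCESS_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def signature_name(sig):
    """'YARA.MD5_Constants.UNOFFICIAL(md5:size)' -> 'YARA.MD5_Constants.UNOFFICIAL'."""
    return sig.split("(", 1)[0]


def triage(hits, include_paths):
    """Split hits by include-path scope; count hits from UNOFFICIAL databases."""
    report = {"in_scope": [], "out_of_scope": [], "unofficial": Counter()}
    for h in hits:
        name = signature_name(h["sig"])
        if name.endswith(".UNOFFICIAL"):
            report["unofficial"][name] += 1
        bucket = "in_scope" if in_scope(h["path"], include_paths) else "out_of_scope"
        report[bucket].append((h["path"], name))
    return report


# Constructed sample: the settings from the thread plus a few of the quoted
# log lines, with one unrelated clamd line mixed in to show it is ignored.
SAMPLE_CONF = """\
OnAccessIncludePath /home
OnAccessIncludePath /var/ftp
OnAccessDisableDDD yes
OnAccessPrevention yes
OnAccessExtraScanning yes
"""

SAMPLE_LOG = """\
Thu Feb 25 12:00:55 2016 -> ScanOnAccess: /home/username/eicar.txt: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Thu Feb 25 12:39:05 2016 -> ScanOnAccess: /usr/lib/x86_64-linux-gnu/libfontconfig.so.1.8.0: YARA.MD5_Constants.UNOFFICIAL(0ef17ff4124d38b50ec503513ddfff01:248816) FOUND
Thu Feb 25 12:39:06 2016 -> ScanOnAccess: /usr/bin/php5: YARA.BLOWFISH_Constants.UNOFFICIAL(595910cd8a190ed3ea92b214f1dd4509:9024168) FOUND
Thu Feb 25 12:39:07 2016 -> ScanOnAccess: /lib/x86_64-linux-gnu/security/pam_unix.so: YARA.MD5_Constants.UNOFFICIAL(23e650547c395da69a953f0b896fe0a8:60160) FOUND
Thu Feb 25 12:40:03 2016 -> SelfCheck: Database status OK.
"""

if __name__ == "__main__":
    cfg = parse_onaccess_config(SAMPLE_CONF)
    for w in config_warnings(cfg):
        print("WARNING:", w)
    report = triage(parse_scanonaccess(SAMPLE_LOG.splitlines()),
                    cfg["include_paths"])
    print("in scope:", report["in_scope"])
    print("outside include paths:", report["out_of_scope"])
    print("hits from UNOFFICIAL databases:", dict(report["unofficial"]))
```

Run against a real clamd.log by replacing `SAMPLE_LOG.splitlines()` with the file's lines; a non-empty `out_of_scope` list is the symptom the thread is about, and a large UNOFFICIAL count concentrated on `*_Constants` rules points at the third-party YARA set rather than at the scanned files.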


Re: [clamav-users] ClamAV FP/Malware Submissions

2016-02-25 Thread domimdm
Dear sir,

I receive many, many messages about ClamAV.

I do not see any info on how to stop this or remove my mail address.

Clamwin does not work on my PC and I do not use this program.

Please help me remove my mail address from this list.

Thank you


Original message
From: Mark Allan
To: ClamAV users ML
Subject: Re: [clamav-users] ClamAV FP/Malware Submissions
Date: 17/02/2016 09:48:59 CET

Thanks Joel.

Do we need to resubmit the FPs we submitted over the last week-or-so, or did 
you actually receive them OK?

Mark

> On 16 Feb 2016, at 11:48 pm, Joel Esler (jesler)  wrote:
> 
> It appears that we have resolved the issue with FP/Malware submissions on 
> ClamAV.net. We apologize for any error and inconvenience.
> 
> Please let me know if you encounter any other errors.
> 
> --
> Joel Esler
> Manager, Talos Group



Re: [clamav-users] scan on access block when found.

2016-02-25 Thread Mickey Sola
Hi Kamil,

A few things: what OS and kernel version are you using? What are the
results of opening the eicar file with vi (or your editor of choice)? Are
/home/ and/or /var/ftp/ mount points? If so, are there symlinks within
those directory hierarchies? Is your kernel configured with
CONFIG_FANOTIFY_ACCESS_PERMISSIONS?

Also, extra scanning won't work without DDD since it piggybacks off the
inotify events caught by that system (events which otherwise aren't
caught by fanotify).

- Mickey



[clamav-users] Odp: Re: scan on access block when found.

2016-02-25 Thread kamil kapturkiewicz

1. Debian Jessie 3.16.7-ckt20-1+deb8u3 (2016-01-17) x86_64 GNU/Linux
2. I can open the eicar file without any problems.
3. The system is installed on a single / partition.
4. cat /boot/config-3.16.0-4-amd64 | grep FANOTIFY
CONFIG_FANOTIFY=y
# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set

so I presume SoA will not work with this kernel.




Re: [clamav-users] Odp: Re: scan on access block when found.

2016-02-25 Thread Mickey Sola
While you can still use OnAccessScanning to alert on detection, prevention
isn't possible with your kernel configuration.

I'm still curious about how/why you're seeing scans outside of the
specified directories. I'll look into that a bit more.

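The kernel-side check behind this exchange, as an added example (not ClamAV's own code): it reads the running kernel's config the way Kamil did (/boot/config-<release>, falling back to /proc/config.gz) and reports the two capabilities the reply distinguishes. Scanning and alerting need CONFIG_FANOTIFY, since 0.99's on-access scanner is built on fanotify; blocking via OnAccessPrevention additionally needs CONFIG_FANOTIFY_ACCESS_PERMISSIONS. The embedded config snippet is constructed from the Jessie grep output quoted above, and is used when no kernel config is found on the machine running the script.

```python
"""Report whether the running kernel can support ClamAV on-access scanning
and on-access prevention.

Added example, not ClamAV's own code. It relies on the two kernel options the
thread names: CONFIG_FANOTIFY (needed for 0.99's fanotify-based on-access
scanning at all) and CONFIG_FANOTIFY_ACCESS_PERMISSIONS (needed before
OnAccessPrevention can deny an open rather than just log it).
"""
import gzip
import os
import platform
import re

CONFIG_SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
CONFIG_UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kernel_config(text):
    """Map CONFIG_* names to 'y', 'm', 'n' (not set) or a literal value."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = CONFIG_SET_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = CONFIG_UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def onaccess_capabilities(opts):
    """Which of the two on-access features the kernel options allow."""
    fanotify = opts.get("CONFIG_FANOTIFY", "n") == "y"
    perms = opts.get("CONFIG_FANOTIFY_ACCESS_PERMISSIONS", "n") == "y"
    return {
        "scan": fanotify,               # ScanOnAccess can alert on detections
        "prevent": fanotify and perms,  # OnAccessPrevention can deny the open
    }


def describe(caps):
    """One-line verdict for an admin reading clamd.log."""
    if caps["prevent"]:
        return "on-access scanning and prevention both possible"
    if caps["scan"]:
        return ("on-access scanning can alert, but OnAccessPrevention cannot "
                "block (CONFIG_FANOTIFY_ACCESS_PERMISSIONS unset)")
    return "fanotify unavailable: on-access scanning not possible"


def load_running_kernel_config():
    """Try the usual places a distro kernel config lives; None if not found."""
    release = platform.release()
    for path in (f"/boot/config-{release}", "/proc/config.gz"):
        if not os.path.exists(path):
            continue
        if path.endswith(".gz"):
            with gzip.open(path, "rt") as fh:
                return fh.read()
        with open(path) as fh:
            return fh.read()
    return None


# Constructed sample matching the Debian Jessie grep output quoted above.
JESSIE_CONFIG = """\
CONFIG_FANOTIFY=y
# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
"""

if __name__ == "__main__":
    text = load_running_kernel_config()
    if text is None:
        print("no kernel config found; using the Jessie sample")
        text = JESSIE_CONFIG
    print(describe(onaccess_capabilities(parse_kernel_config(text))))
```

On the Jessie kernel in the thread the verdict is the second branch: detections are logged, but an open of the detected file is not denied, which is exactly the "found but not blocked" behaviour Kamil reported.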

[clamav-users] Odp: Re: Odp: Re: scan on access block when found.

2016-02-25 Thread kamil kapturkiewicz

1. The default kernel configuration must be the reason why ClamAV 0.99 is not
available on Jessie as a package.
2. Does it matter that clamav is running as root? If yes, it should respect its own
configuration file and not look outside the defined folders.

However, thanks for your help.





[clamav-users] Fw: important message

2016-02-25 Thread lists
Hello!

 

New message, please read 

 

li...@kratzt.net
