Re: [clamav-users] ClamAV virus database not downloaded: No permission ?!

2016-05-17 Thread Al Varnell
Your main.cvd file should start with:

ClamAV-VDB:16 Mar 2016 23-17 +:57:4218790:60:06386

If it doesn’t then your original download is corrupt and will need to be 
re-downloaded.

-Al-

On Mon, May 16, 2016 at 02:33 AM, Zvi Kave wrote:
> 
> Yes. Usually I got a lot of messages like this:
> ClamAV update process started at Sat Apr 30 03:00:50 2016
> Reading CVD header (main.cvd): Trying again in 5 secs...
> ClamAV update process started at Sat Apr 30 03:00:57 2016
> Reading CVD header (main.cvd): Trying again in 5 secs...
> ClamAV update process started at Sat Apr 30 03:01:02 2016
> ClamAV update process started at Sat Apr 30 03:01:19 2016
> Reading CVD header (main.cvd): Trying again in 5 secs...
> ClamAV update process started at Sat Apr 30 03:01:25 2016
> 
> Zvi
> 
> On 16/05/2016 11:30, Al Varnell wrote:
>> Is there some reason you are not using freshclam to do this initially and 
>> thereafter to download incremental updates?
>> 
>> Sent from Janet's iPad
>> 
>> -Al-
>> 
>> On May 16, 2016, at 1:29 AM, Zvi Kave  wrote:
>>> Hi,
>>> 
>>> I am trying to download daily.cvd and main.cvd by curl command as follows:
>>> 
>>> curl --data-binary -k"http://database.clamav.net/daily.cvd" -G -o daily.cvd
>>> 
>>> Most of the time, I get this text instead of the real *.cvd file:
>>> 
>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>> 
>>> 403 Forbidden
>>> 
>>> Forbidden
>>> You don't have permission to access /daily.cvd
>>> on this server.
>>> 
>>> Apache/2.4.20 (Unix) OpenSSL/1.0.2g Server at database.clamav.net Port 80
>>> 
>>> 
>>> But randomly I get the real cvd file!?
>>> 
>>> Can someone help me in this weird issue?
>>> 
>>> Regards,
>>> 
>>> Zvi

-Al-
-- 
Al Varnell
Mountain View, CA
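The check Al describes (a real main.cvd or daily.cvd starts with `ClamAV-VDB:`) is easy to automate, and it is exactly what catches the failure Zvi reports, where curl saves the server's 403 HTML page under the database's name. The script below is an added example for this thread, not ClamAV project code. It assumes the documented CVD layout: a 512-byte text header of colon-separated fields beginning with `ClamAV-VDB:` (build date, version, signature count, functionality level, MD5, digital signature, builder, build time), followed by the payload. It decodes only the first four fields and does not verify the signature; that remains the job of `sigtool --info` or freshclam. The sample inputs are constructed (the header values are modelled on the one quoted above, with placeholder digest and signature fields).

```python
"""Validate a downloaded ClamAV database file before putting it in place.

Added example, not ClamAV project code. Assumes the CVD layout described in
the lead-in; only the first four header fields are decoded, and the digital
signature is NOT verified here.
"""
import sys

CVD_MAGIC = b"ClamAV-VDB:"
HEADER_LEN = 512  # fixed-size text header, padded to 512 bytes


class CvdError(ValueError):
    """Raised when the data is not a plausible CVD/CLD file."""


def parse_cvd_header(data: bytes) -> dict:
    """Decode the leading header fields of a CVD/CLD image or raise CvdError.

    A 403 page saved by curl begins with '<!DOCTYPE', so it fails the magic
    check; the caller must not install such a file as daily.cvd.
    """
    if not data.startswith(CVD_MAGIC):
        snippet = data[:40].decode("ascii", "replace").strip()
        if snippet.lower().startswith(("<!doctype", "<html")):
            raise CvdError("not a CVD: the file is an HTML document (probably an HTTP error page)")
        raise CvdError(f"not a CVD: file starts with {snippet[:20]!r}")
    if len(data) < HEADER_LEN:
        raise CvdError("not a CVD: shorter than the 512-byte header")
    header = data[:HEADER_LEN].decode("ascii", "replace")
    # Header padding may be spaces or NULs; strip both before splitting.
    fields = header[len(CVD_MAGIC):].rstrip(" \x00").split(":")
    if len(fields) < 4:
        raise CvdError("CVD header has too few fields")
    try:
        version, sig_count, flevel = int(fields[1]), int(fields[2]), int(fields[3])
    except ValueError:
        raise CvdError(f"CVD header has a non-numeric field: {fields[1:4]!r}") from None
    return {"build_date": fields[0], "version": version,
            "signatures": sig_count, "flevel": flevel}


def describe_download(data: bytes) -> tuple:
    """Non-raising wrapper: ('ok', header_dict) or ('reject', reason)."""
    try:
        return ("ok", parse_cvd_header(data))
    except CvdError as exc:
        return ("reject", str(exc))


# --- constructed sample inputs (not real database content) ---
_HEADER = (b"ClamAV-VDB:01 Jan 2016 00-00 +0000:57:4218790:60:"
           + b"0" * 32 + b":PLACEHOLDER_DSIG:builder:1451606400")
SAMPLE_CVD = _HEADER.ljust(HEADER_LEN, b"\x00") + b"<compressed payload would follow>"

# The kind of body curl wrote to daily.cvd in the thread above.
SAMPLE_403 = (b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
              b"<html><head><title>403 Forbidden</title></head><body>\n"
              b"<h1>Forbidden</h1><p>You don't have permission to access /daily.cvd\n"
              b"on this server.</p></body></html>\n")


if __name__ == "__main__":
    # Usage: python check_cvd.py /path/to/daily.cvd   (no argument: checks SAMPLE_403)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_403
    status, detail = describe_download(blob)
    print(status, detail)
    sys.exit(0 if status == "ok" else 1)
```

Run it against the file curl produced before copying anything into the database directory; a non-zero exit means the download is not a database at all, which is the case for every 403 page in this thread.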






___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] ClamAV virus database not downloaded: No permission ?!

2016-05-17 Thread Zvi Kave

Al,

But the problem is that in 90% of the cases, instead of getting the real
main.cvd or daily.cvd, I get a file with the following text:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

403 Forbidden

Forbidden
You don't have permission to access /daily.cvd
on this server.

Apache/2.4.20 (Unix) OpenSSL/1.0.2g Server at database.clamav.net Port 80


Regards,

Zvi


Re: [clamav-users] ClamAV virus database not downloaded: No permission ?!

2016-05-17 Thread Al Varnell
I don’t see how that can possibly happen if you use freshclam instead of curl.
You only need to download main.cvd once every few years, so once you have a
clean copy you should be set.

-Al-

-- 
Al Varnell
Mountain View, CA







[clamav-users] Signature update schedule, and requirements for adding Signatures

2016-05-17 Thread Michael D. L.

Hi,

Hope it's the right list I'm posting to :)

Why is the Signature Database only updated every 4 hours? Every 15
minutes would make more sense, since Spammers move very fast pushing out
new versions of Trojans and the like.


I've reported several Signatures/Files (via the website), but they
never make it to the database. When reporting, I also included the
result from www.virustotal.com.


Best Regards
 Michael



Re: [clamav-users] Signature update schedule, and requirements for adding Signatures

2016-05-17 Thread C.D. Cochrane
My 2 cents would be that rapid traditional signature updates are not a viable 
solution to this long term problem.  I'm pretty sure the current generation of 
Locky, Dridex, Nemucod, etc. ransomware is generated using millions of tiny 
mutations so that almost every email attachment has a unique signature.  There 
is no way to keep up with that.  ClamAV got more than a million virus samples 
per day, last time I inquired.
...Chris 
 

Re: [clamav-users] Signature update schedule, and requirements for adding Signatures

2016-05-17 Thread Charles Swiger

Over the long term, ClamAV has averaged about two virus definition updates per
day.  If they start averaging more than 6 updates per day, then supporting more
frequent signature changes might make sense.

Regards,
-- 
-Chuck



Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Jason J. W. Williams
No, ClamAV 0.98.7.

-J

On Mon, May 16, 2016 at 11:25 PM, Al Varnell  wrote:

> I’m unable to replicate your findings:
>
> ~/Downloads/2016-05-16/eicar.txt: Eicar-Test-Signature FOUND
>
> Taking a look at the current daily.cld I see entries in both ignore
> sections:
>
> daily.ign
> 1374
> 002516
>
> fake:1:Dont_remove_this_line
> ...
> main:42:Win.Trojan.Trojan-605
>
> daily.ign2
> 1072002573
>
> fake_dont_remove_this_line
> ...
> Win.Trojan.Trojan-605
>
> I wonder if it’s engine specific?  Are you using 0.99.x
>
> -Al-
>
> On Mon, May 16, 2016 at 01:45 PM, Jason J. W. Williams wrote:
> >
> > Looks like EICAR is getting classified as Win.Trojan.Trojan-605 again
> > (daily 21557).
> >
> > https://gist.github.com/williamsjj/b8104402e80f44475df5
> >
> > -J
> >
> > On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell  wrote:
> >
> >> The new database was just made available, so I recommend you hold off
> >> until you have the new mail.cvd v57 and daily.cvd v21466 before getting
> too
> >> excited about this.
> >>
> >> -Al-
> >>
> >> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> >>>
> >>> As of the latest daily update, running ClamAV against the EICAR test
> >>> string
> >>> reports  Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
> >>>
> >>> -J

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Alain Zidouemba
Jason:

Do you have both main.cvd and daily.cvd? Win.Trojan.Trojan-605 was
dropped several weeks ago, but would only be reflected in your installation
if you have both main.cvd and daily.cvd. Please confirm.

Thanks,

- Alain




Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Jason J. W. Williams
We do.

-J


Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Alain Zidouemba
$ sigtool -u /usr/local/share/clamav/daily.cld

$ grep -i 'Win.Trojan.Trojan-605' daily.ign
main:42:Win.Trojan.Trojan-605


Same on your end?

- Alain


Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Jason J. W. Williams
Yessir:

# sigtool -u /var/lib/clamav/daily.cld

# grep -i 'Win.Trojan.Trojan-605' daily.ign
main:42:Win.Trojan.Trojan-605


Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread David Raynor
If you run clamscan with "--debug" it will tell you which files it is
loading, even the files inside a cvd or cld file. It will also remark about
which signatures it skips when loading.

You should see these lines within your debug output:

...
LibClamAV debug: daily.ign2 loaded
...
LibClamAV debug: /var/lib/clamav/daily.cld loaded
...
LibClamAV debug: Ignoring signature Win.Trojan.Trojan-605
...
LibClamAV debug: main.ndb loaded
...

Which of these rows you see is going to be affected by the contents of your
database, but this is what I see with an up-to-date daily and main.cvd. The
signature is in the latest main. The ignore is set in the latest daily
(21562) and has been for weeks. Once you get to a fresh enough daily it
will have the ignore set. If there is something else going on that is
preventing clamscan from loading that daily.cld (e.g. file permissions,
path difference) that would be the culprit.

Hope this helps,

Dave R.
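Alain's procedure (`sigtool -u daily.cld`, then grep `daily.ign`) and Dave's `clamscan --debug` lines are two halves of the same diagnosis: is the ignore entry present in the daily database, and did the engine actually load that database and apply the entry? The script below is an added example for this thread, not ClamAV project code. It assumes only the line shapes quoted above: `LibClamAV debug: <file> loaded`, `LibClamAV debug: Ignoring signature <name>`, `daily.ign` entries of the form `<dbname>:<line>:<signame>`, and `daily.ign2` entries that are a bare `<signame>`. All sample log lines and list contents are constructed; the diagnosis goes slightly beyond the thread by naming which of the three conditions failed.

```python
"""Decide from clamscan --debug output and the daily ignore lists whether a
signature ignore (here Win.Trojan.Trojan-605) is present and took effect.

Added example, not ClamAV project code. Assumes only the line formats quoted
in the thread; sample inputs are constructed.
"""
import os
import re
import sys

LOADED_RE = re.compile(r"^LibClamAV debug: (?P<file>\S+) loaded$")
IGNORED_RE = re.compile(r"^LibClamAV debug: Ignoring signature (?P<sig>\S+)$")


def parse_debug_log(lines):
    """Return (files the engine reported loading, set of signatures it ignored)."""
    loaded, ignored = [], set()
    for line in lines:
        line = line.strip()
        m = LOADED_RE.match(line)
        if m:
            loaded.append(m.group("file"))
            continue
        m = IGNORED_RE.match(line)
        if m:
            ignored.add(m.group("sig"))
    return loaded, ignored


def parse_ign(text):
    """daily.ign: one 'dbname:line:signame' per line; return the signature names."""
    names = set()
    for raw in text.splitlines():
        parts = raw.strip().split(":")
        if len(parts) == 3:
            names.add(parts[2])
    return names


def parse_ign2(text):
    """daily.ign2: one bare signature name per line."""
    return {l.strip() for l in text.splitlines() if l.strip()}


def diagnose(sig, debug_lines, ign_text, ign2_text):
    """Return findings; an empty list means the ignore is listed, loaded and applied."""
    loaded, ignored = parse_debug_log(debug_lines)
    findings = []
    daily_loaded = any(f.rsplit("/", 1)[-1] in ("daily.cld", "daily.cvd") for f in loaded)
    if not daily_loaded:
        findings.append("daily.cld/daily.cvd never loaded: check the database path and file permissions")
    listed = sig in parse_ign(ign_text) or sig in parse_ign2(ign2_text)
    if not listed:
        findings.append(f"{sig} is not in daily.ign/daily.ign2: the daily database is too old")
    if listed and daily_loaded and sig not in ignored:
        findings.append(f"{sig} is listed but the engine never reported ignoring it")
    return findings


# --- constructed samples, shaped like the listings quoted in the thread ---
SAMPLE_IGN = "fake:1:Dont_remove_this_line\nmain:42:Win.Trojan.Trojan-605\n"
SAMPLE_IGN2 = "fake_dont_remove_this_line\nWin.Trojan.Trojan-605\n"

HEALTHY_LOG = [
    "LibClamAV debug: daily.ign2 loaded",
    "LibClamAV debug: /var/lib/clamav/daily.cld loaded",
    "LibClamAV debug: Ignoring signature Win.Trojan.Trojan-605",
    "LibClamAV debug: main.ndb loaded",
]
# A run in which clamscan never found the daily database (wrong path or unreadable file).
NO_DAILY_LOG = [
    "LibClamAV debug: /var/lib/clamav/main.cvd loaded",
    "LibClamAV debug: main.ndb loaded",
]

if __name__ == "__main__":
    # Usage, in the directory where `sigtool -u daily.cld` unpacked daily.ign/daily.ign2:
    #   clamscan --debug eicar.txt 2>&1 | python check_ignore.py Win.Trojan.Trojan-605
    sig = sys.argv[1] if len(sys.argv) > 1 else "Win.Trojan.Trojan-605"
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else HEALTHY_LOG
    ign = open("daily.ign").read() if os.path.exists("daily.ign") else SAMPLE_IGN
    ign2 = open("daily.ign2").read() if os.path.exists("daily.ign2") else SAMPLE_IGN2
    for finding in diagnose(sig, lines, ign, ign2) or ["ignore is listed, loaded and applied"]:
        print(finding)
```

An empty result means the problem is not the ignore list; a "never loaded" finding points at the path or permission problem Dave mentions, and a "too old" finding means freshclam has not yet fetched a daily that carries the entry.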



Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Jason J. W. Williams
Hi Dave,

Thanks. I don't see any issues with it loading the daily.cld. I'm going to
wipe it out and let Freshclam reload it and the ign.

-J

On Tue, May 17, 2016 at 2:02 PM, David Raynor 
wrote:

> If you run clamscan with "--debug" it will tell you which files it is
> loading, even the files inside a cvd or cld file. It will also remark about
> which signatures is skips when loading.
>
> You should see these lines within your debug output:
>
> ...
> LibClamAV debug: daily.ign2 loaded
> ...
> LibClamAV debug: /var/lib/clamav/daily.cld loaded
> ...
> LibClamAV debug: Ignoring signature Win.Trojan.Trojan-605
> ...
> LibClamAV debug: main.ndb loaded
> ...
>
> Which of these rows you see is going to be affected by the contents of your
> database, but this is what I see with an up-to-date daily and main.cvd. The
> signature is in the latest main. The ignore is set in the latest daily
> (21562) and has been for weeks. Once you get to a fresh enough daily it
> will have the ignore set. If there is something else going on that is
> preventing clamscan from loading that daily.cld (e.g. file permissions,
> path difference) that would be the culprit.
>
> Hope this helps,
>
> Dave R.
>
>
> On Tue, May 17, 2016 at 4:33 PM, Jason J. W. Williams <
> jasonjwwilli...@gmail.com> wrote:
>
> > Yessir:
> >
> > # sigtool -u /var/lib/clamav/daily.cld
> >
> > # grep -i 'Win.Trojan.Trojan-605' daily.ign
> > main:42:Win.Trojan.Trojan-605
> >
> > On Tue, May 17, 2016 at 1:25 PM, Alain Zidouemba <
> > azidoue...@sourcefire.com>
> > wrote:
> >
> > > $ sigtool -u /usr/local/share/clamav/daily.cld
> > >
> > > $ grep -i 'Win.Trojan.Trojan-605' daily.ign
> > > main:42:Win.Trojan.Trojan-605
> > >
> > >
> > > Same on your end?
> > >
> > > - Alain
> > >
> > > On Tue, May 17, 2016 at 4:22 PM, Jason J. W. Williams <
> > > jasonjwwilli...@gmail.com> wrote:
> > >
> > > > We do.
> > > >
> > > > -J
> > > >
> > > > On Tue, May 17, 2016 at 1:13 PM, Alain Zidouemba <
> > > > azidoue...@sourcefire.com>
> > > > wrote:
> > > >
> > > > > Jason:
> > > > >
> > > > > Do you have both main.cvd and daily.cvd? Win.Trojan.Trojan-605 was
> > > > > dropped several weeks ago, but would only be reflected in your
> > > > > installation if you have both main.cvd and daily.cvd. Please confirm.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > - Alain
> > > > >
> > > > >
> > > > >
> > > > > On Tue, May 17, 2016 at 4:11 PM, Jason J. W. Williams <
> > > > > jasonjwwilli...@gmail.com> wrote:
> > > > >
> > > > > > No ClamAV 0.98.7.
> > > > > >
> > > > > > -J
> > > > > >
> > > > > > On Mon, May 16, 2016 at 11:25 PM, Al Varnell wrote:
> > > > > >
> > > > > > > I’m unable to replicate your findings:
> > > > > > >
> > > > > > > ~/Downloads/2016-05-16/eicar.txt: Eicar-Test-Signature FOUND
> > > > > > >
> > > > > > > Taking a look at the current daily.cld I see entries in both
> > > > > > > ignore sections:
> > > > > > >
> > > > > > > daily.ign
> > > > > > >  1374
> > > > > > > 002516
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > fake:1:Dont_remove_this_line
> > > > > > > ...
> > > > > > > main:42:Win.Trojan.Trojan-605
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >   daily.ign2
> > > > > > >
> > > > > > >   1072002573
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >   fake_dont_remove_this_line
> > > > > > > ...
> > > > > > > Win.Trojan.Trojan-605
> > > > > > >
> > > > > > > I wonder if it’s engine specific?  Are you using 0.99.x
> > > > > > >
> > > > > > > -Al-
> > > > > > >
> > > > > > > On Mon, May 16, 2016 at 01:45 PM, Jason J. W. Williams wrote:
> > > > > > > >
> > > > > > > > Looks like EICAR is getting classified as Win.Trojan.Trojan-605
> > > > > > > > again (daily 21557).
> > > > > > > >
> > > > > > > > https://gist.github.com/williamsjj/b8104402e80f44475df5
> > > > > > > >
> > > > > > > > -J
> > > > > > > >
> > > > > > > > On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarn...@mac.com>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > >> The new database was just made available, so I recommend you
> > > > > > > >> hold off until you have the new main.cvd v57 and daily.cvd
> > > > > > > >> v21466 before getting too excited about this.
> > > > > > > >>
> > > > > > > >> -Al-
> > > > > > > >>
> > > > > > > >> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> > > > > > > >>>
> > > > > > > >>> As of the latest daily update, running ClamAV against the EICAR
> > > > > > > >>> test string reports Win.Trojan.Trojan-605 instead of
> > > > > > > >>> Eicar-Test-Signature.
> > > > > > > >>>
> > > > > > > >>> -J
> > > > > > >
> > > > > > > ___
> > > > > > > Help us build a comprehensive ClamAV guide:
> > > > > > > https://github.com/vrta

Re: [clamav-users] Signature update schedule, and requirements for adding Signatures

2016-05-17 Thread Joel Esler (jesler)
Correct.  Now that we are back to pushing updates every 4 hours, whereas most 
AV companies only push once or twice a day.


--
Joel Esler
Manager, Talos Group




On May 17, 2016, at 10:20 AM, C.D. Cochrane <c...@post.com> wrote:

My 2 cents would be that rapid traditional signature updates are not a viable 
solution to this long term problem.  I'm pretty sure the current generation of 
Locky, Dridex, Nemucod, etc. ransomware is generated using millions of tiny 
mutations so that almost every email attachment has a unique signature.  There 
is no way to keep up with that.  ClamAV got more than a million virus samples 
per day, last time I inquired.
...Chris


Sent: Tuesday, May 17, 2016 at 8:02 AM
From: "Michael D. L." <cla...@cosis.dk>
To: clamav-users@lists.clamav.net
Subject: [clamav-users] Signature update schedule, and requirements for adding 
Signatures
Hi,

Hope it's the right list I'm posting to :)

Why is the Signature Database only updated every 4 hours? Every 15
minutes would make more sense, since spammers move very fast pushing out
new versions of Trojans and the like.

I've reported several Signatures/Files (via the website), but they
never make it to the database. When reporting, I also included the
result from www.virustotal.com

Best Regards
Michael

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Helmut Hullen
Hello, Jason,

You wrote on 17.05.16:


>> You should see these lines within your debug output:
>>
>> ...
>> LibClamAV debug: daily.ign2 loaded
>> ...
>> LibClamAV debug: /var/lib/clamav/daily.cld loaded
>> ...
>> LibClamAV debug: Ignoring signature Win.Trojan.Trojan-605
>> ...
>> LibClamAV debug: main.ndb loaded
>> ...

[...]

> Thanks. I don't see any issues with it loading the daily.cld. I'm
> going to wipe it out and let Freshclam reload it and the ign.

That changes the warnings ...

cd 
rm -f *.cvd *.cld
freshclam
clamscan /tmp

now reports

LibClamAV Warning: cli_loadldb: logical signature for Win.Trojan.ssid18332-1 
uses PCREs but support is disabled, skipping
LibClamAV Warning: cli_loadldb: logical signature for Win.Ransomware.Locky-4 
uses PCREs but support is disabled, skipping
LibClamAV Warning: cli_loadldb: logical signature for 
Html.Exploit.CVE_2016_0184-1 uses PCREs but support is disabled, skipping

Best regards!
Helmut

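The checks discussed in this thread, pulled together as one POSIX shell script: David's advice to read the `clamscan --debug` output for the `daily.cld loaded` and `Ignoring signature` lines, Alain's `sigtool -u` / `grep daily.ign` confirmation that the `main:42:Win.Trojan.Trojan-605` ignore entry is present, and Helmut's `cli_loadldb ... uses PCREs but support is disabled, skipping` warnings, which mean those logical signatures are not loaded at all on an engine built without PCRE support. This is an added example, not code from the thread or from the ClamAV project. The sample debug lines and `.ign` contents are constructed inline from the lines quoted above, the function names are my own, and `check_live` is only useful on a host where `sigtool` is installed (it repeats the unpack-and-grep sequence shown in the thread).

```shell
#!/bin/sh
# Added example: sanity checks over clamscan debug/warning output and an
# unpacked daily.ign. Not part of ClamAV; function names are hypothetical.

# Constructed sample of `clamscan --debug` stderr, one message per line,
# mirroring the lines quoted in the thread.
SAMPLE_DEBUG='LibClamAV debug: daily.ign2 loaded
LibClamAV debug: /var/lib/clamav/daily.cld loaded
LibClamAV debug: Ignoring signature Win.Trojan.Trojan-605
LibClamAV debug: main.ndb loaded
LibClamAV Warning: cli_loadldb: logical signature for Win.Ransomware.Locky-4 uses PCREs but support is disabled, skipping
LibClamAV Warning: cli_loadldb: logical signature for Html.Exploit.CVE_2016_0184-1 uses PCREs but support is disabled, skipping'

# Constructed daily.ign contents. Format per line: dbname:line:signame
SAMPLE_IGN='fake:1:Dont_remove_this_line
main:42:Win.Trojan.Trojan-605'

# db_loaded <debug-output> <dbfile>: succeeds if the engine reported loading <dbfile>.
db_loaded() {
  printf '%s\n' "$1" | grep -q "LibClamAV debug: .*$2 loaded"
}

# sig_ignored_in_log <debug-output> <signame>: succeeds if the engine reported
# skipping <signame> because of an ignore entry.
sig_ignored_in_log() {
  printf '%s\n' "$1" | grep -qF "Ignoring signature $2"
}

# sig_in_ign <ign-contents> <signame>: exact match on the third colon field,
# so a prefix such as Win.Trojan.Trojan-6 does not match Win.Trojan.Trojan-605.
sig_in_ign() {
  printf '%s\n' "$1" | awk -F: -v s="$2" '$3 == s { found = 1 } END { exit !found }'
}

# pcre_skipped <debug-output>: prints the names of logical signatures the engine
# skipped because it was built without PCRE support (one per line).
pcre_skipped() {
  printf '%s\n' "$1" |
    sed -n 's/.*logical signature for \(.*\) uses PCREs but support is disabled, skipping/\1/p'
}

# pcre_skipped_count <debug-output>: number of such signatures.
pcre_skipped_count() {
  pcre_skipped "$1" | wc -l | tr -d ' '
}

# check_live [daily.cld path] <signame>: the sequence from the thread, run
# against the real database. Unpacks into a scratch directory and greps the
# extracted daily.ign. Returns 2 if sigtool is not installed.
check_live() {
  command -v sigtool >/dev/null 2>&1 || { echo "sigtool not installed" >&2; return 2; }
  dir=$(mktemp -d) || return 2
  ( cd "$dir" && sigtool -u "${1:-/var/lib/clamav/daily.cld}" >/dev/null &&
    sig_in_ign "$(cat daily.ign)" "$2" )
}

# Usage on the constructed sample:
if db_loaded "$SAMPLE_DEBUG" daily.cld; then echo "daily.cld loaded"; fi
if sig_ignored_in_log "$SAMPLE_DEBUG" Win.Trojan.Trojan-605; then echo "Win.Trojan.Trojan-605 ignored at load"; fi
if sig_in_ign "$SAMPLE_IGN" Win.Trojan.Trojan-605; then echo "ignore entry present in daily.ign"; fi
echo "logical signatures skipped for lack of PCRE support: $(pcre_skipped_count "$SAMPLE_DEBUG")"
pcre_skipped "$SAMPLE_DEBUG"
```

A non-zero `pcre_skipped_count` after an update is worth alerting on: every signature it lists is a detection the engine silently does not have, and the fix is an engine built with PCRE support rather than a database change.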