Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-06-03 Thread Tsutomu Oyamada
There are still false positives for "Zip.Suspect.MacroDoubleExtension-zippwd"
(see attached file).
When will this false positive be resolved?


On Wed, 17 Feb 2016 20:16:02 -0800
Dennis Peterson  wrote:

> My experience with these kinds of failures is that the pattern is not properly 
> anchored, or the writer doesn't understand greedy grep patterns, or both. 
> Fallout from the new pcregrep, perhaps? I've not analyzed it so am 
> speculating here, but the lesson learned after decades of doing this is: if regex 
> results amaze you, then you have probably screwed up somewhere when writing 
> the pattern. Or as one of my staff liked to say, something we're sure of is 
> wrong.
> 
> dp
> 
> On 2/16/16 7:02 PM, Al Varnell wrote:
> > > Resubmitted.
> >
> > 87084602bb62d9213e10a1741150093a37481cd005b62008e7187f2086b8922a:319649:pg3726-images.epub
> >
> > -Al-
> >
> > On Feb 14, 2016, at 4:34 PM, Al Varnell  wrote:
> >
> >> I attempted to submit the sample I have to 
> >> http://www.clamav.net/reports/fp and it was similarly rejected as "empty." 
> >>  Scanned the file on my computer after updating definitions still shows it 
> >> as infected.  Uploading it to VirusTotal results in only a ClamAV 
> >> detection:
> >> .
> >>
> >>
> 

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
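The failure mode Dennis Peterson describes above (an unanchored, greedy pattern firing where its author never intended) is easy to reproduce on a zip archive, because a byte-level pattern is free to match across entry boundaries. What follows is an added example and not ClamAV's code; it is also not the Zip.Suspect.MacroDoubleExtension-zippwd signature itself, whose pattern the thread does not show. It uses a hypothetical "macro document with a double extension" heuristic, written once loosely over the raw archive bytes and once anchored per entry name, and runs both over small archives constructed in memory.

```python
import io
import re
import zipfile

# Hypothetical heuristic for this example only (not the ClamAV signature, whose
# pattern the thread does not show): an archive entry named
# "<name>.<macro-capable document ext>.<executable or script ext>".
MACRO_EXTS = r"(?:docm?|dotm?|xlsm?|xltm?|pptm?|potm?)"
EXEC_EXTS = r"(?:exe|scr|js|vbs|wsf|bat|cmd)"

# Loose form: unanchored and greedy, run over the raw archive bytes the way a
# byte-level signature would be. ".*" happily spans from one entry's name into
# the next entry's header, so two harmless names can together look like one
# double-extension name.
LOOSE = re.compile(
    rb"\." + MACRO_EXTS.encode() + rb".*\." + EXEC_EXTS.encode(),
    re.IGNORECASE | re.DOTALL,
)

# Anchored form: applied to each entry name on its own, pinned to the start of
# the last path component and to the end of the string.
STRICT = re.compile(
    r"^(?:.*/)?[^/]*\." + MACRO_EXTS + r"\." + EXEC_EXTS + r"$",
    re.IGNORECASE,
)


def build_zip(names):
    """Build a small stored (uncompressed) archive in memory with the given
    entry names; the contents are filler, only the names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"example content\n")
    return buf.getvalue()


def loose_scan(zip_bytes):
    """True if the unanchored pattern fires anywhere in the raw bytes."""
    return LOOSE.search(zip_bytes) is not None


def strict_scan(zip_bytes):
    """Entry names that match the anchored per-entry pattern."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if STRICT.match(n)]


# Constructed archives. BENIGN holds a macro-enabled template and, later in the
# archive, a JavaScript file: nothing suspicious, but the two names in sequence
# are exactly what the loose pattern keys on.
BENIGN = build_zip(["README.md", "templates/letter.dotm", "src/app.js"])
MALICIOUS = build_zip(["invoice.docm.js"])
CLEAN = build_zip(["report.pdf", "main.c"])


def compare():
    """Run both scanners over the three archives: {name: (loose, strict)}."""
    return {
        "benign": (loose_scan(BENIGN), strict_scan(BENIGN)),
        "malicious": (loose_scan(MALICIOUS), strict_scan(MALICIOUS)),
        "clean": (loose_scan(CLEAN), strict_scan(CLEAN)),
    }


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:10s} loose={loose!s:5s} strict={strict}")
```

The loose scanner flags the benign archive because ".dotm" in one entry and ".js" in a later one are joined by ".*"; the anchored scanner sees each name whole and only flags the real double extension. Anchoring to a record boundary (here the entry name) is the fix Dennis is pointing at.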


Re: [clamav-users] ClamAV-users Digest

2016-06-03 Thread Paul Kosinski
Hi,

I haven't received any Digest email since Feb 3; is the list still in
operation?

Paul Kosinski


Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-06-03 Thread Jason J. W. Williams
That's unfortunate. Given the magnitude of the change I would've expected
them to be very attentive to the list, post deployment.

-J

On Thu, Mar 17, 2016 at 1:23 PM, Al Varnell  wrote:

> No. I'm sure they are trying to recover from this week's activities and
> rarely have time to follow this list anyway. It would likely be Alain
> Zidouemba the sig team lead.
>
> To get feedback on FP's you would need to subscribe to the clamav-virusdb
> list and it often takes weeks under normal circumstances.
>
> The main contributor here is Joel Esler, Manager, Talos Group.
>
> Sent from Janet's iPad
>
> -Al-
>
> On Mar 17, 2016, at 1:09 PM, "Jason J. W. Williams" <
> jasonjwwilli...@gmail.com> wrote:
> > Does anyone that's chimed in work on the signatures team?
> >
> > -J
> >
> > On Thu, Mar 17, 2016 at 10:31 AM, Al Varnell  wrote:
> >
> >> There have not been any additional updates released yet, so nothing
> could
> >> have changed.
> >>
> >> -Al-
> >>
> >> On Thu, Mar 17, 2016 at 10:25 AM, Jason Williams wrote:
> >>>
> >>> Is anyone still seeing this or have they fixed it?
> >>>
> >>> -J
> >>>
> >>> Sent via iPhone
> >>>
>  On Mar 17, 2016, at 02:44, Mark Allan  wrote:
> 
>  Just to confirm, I'm also seeing everything being flagged as
> >> Win.Trojan.Trojan-476 with the new main/daily.cvd files.
> 
>  Mark
> 
> > On 17 Mar 2016, at 6:49 am, Al Varnell  wrote:
> >
> > I just ran a scan against the ClamAV test files contained in the
> >> 0.99.1 source file and I’m getting all Win.Trojan.Trojan-476:
> >
> > > File Name    Infection Name    Status
> > >
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/unit_tests/clam-phish-exe    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.cab    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.zip    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.arj    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.rtf    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.szdd    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tar.gz    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.chm    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.sis    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-aspack.exe    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-pespin.exe    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upx.exe    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-fsg.exe    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-mew.exe    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-nsis.exe    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-petite.exe    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upack.exe    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-wwpack.exe    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.pdf    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.mail    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ppt    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tnef    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea05.exe    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea06.exe    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.d64.zip    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.base64    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.uu    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.binhex    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ole.doc    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.impl.zip    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.html    Win.Trojan.Trojan-476
> > > /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-be.cpio    Win.Trojan.Trojan-476
> > /Users/avarnell/Desktop/•Downloa

Re: [clamav-users] Remove clamav-unofficial-sigs

2016-06-03 Thread Joel Esler (jesler)

> On Apr 10, 2016, at 12:10 AM, Paul Wise  wrote:
> 
>> On Wed, Apr 6, 2016 at 3:47 PM, Mathieu Parent wrote:
>> 2016-04-06 6:55 GMT+02:00 Paul Wise:
>>> Personally I am still waiting for clamav freshclam to properly support
>>> third-party signatures, so clamav-unofficial-sigs can be a config file.
>> 
>> Is there a tracking bug for this? How can we help?
> 
> This was an upstream initiative that now appears to be completely
> removed from their website. Some references still exist on archive.org
> though:
> 
> https://wayback.archive.org/web/http://www.clamav.net/lang/en/2011/07/25/clamav-0-97-2-is-now-available/
> https://wayback.archive.org/web/http://www.clamav.net/lang/en/download/cvd/3rdparty/
> 
> CCing Luca from the clamav project, perhaps he has some news about this.


Luca is no longer with the ClamAV project.   The way that we support these 
right now is through our community signature program:
http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html

This way we can send all sigs distributed through the same QA and FP regression 
test that we do our signatures. We even have a monthly contest that we award 
people for submissions:
http://blog.clamav.net/2016/03/clamav-monthly-community-signature.html




Re: [clamav-users] Remove clamav-unofficial-sigs

2016-06-03 Thread Paul Wise
On Sun, Apr 10, 2016 at 8:10 PM, Joel Esler (jesler) wrote:

> Luca is no longer with the ClamAV project.

Removed from CC.

> our community signature program:

Unfortunately this isn't suitable for the distribution of the
3rd-party rules that we are talking about, there is a list of the
current ones here:

https://github.com/extremeshok/clamav-unofficial-sigs

To replace that code with freshclam, there would probably need to be:

A directory where configuration files can be dropped in.

A way to specify where to get files from.

A way to specify the OpenPGP key or similar for each provider.

A way to specify per-downloader secrets for the paid providers.

> the same QA and FP regression test that we do our signatures.

Are these regression tests published?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise


[clamav-users] clamd OnAccessScan issues

2016-06-03 Thread tasc
Hi

I am using CentOS 7.2, i.e. /proc/version =>
Linux version 3.10.0-327.18.2.el7.x86_64 (buil...@kbuilder.dev.centos.org) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Thu May 12 11:03:55 UTC 2016

SELinux is running.

Using Epel packages for clamav including unofficial signatures.

Using the latest clamtk as well.

Installed per
https://www.adminsys.ch/2015/08/21/installing-clamav-epel-centosred-hat-7-nightmare/.

freshclam functional
clamscan functional
clamtk functional in the KDE environment.

clamd service can be started using your sample clamd.conf.

1/ $> clamd zPING
   $> clamd PING
gives a new line and then nothing. Need to terminate with Control-C.

Doesn't match the manual?

2/ Enabled per clamd.conf-2016-06-01-OnAccessScan (attached), as used for
/etc/clamd.d/scan.conf.

Results in the attached /var/log/clamd.scan log (see the end).

$ systemctl status clamd@scan
● clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2016-06-02 09:11:03 AEST; 2s ago
 Main PID: 29639 (clamd)
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
           └─29639 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --nofork=yes

Jun 02 09:11:03 earth systemd[1]: Started Generic clamav scanner daemon.
Jun 02 09:11:03 earth systemd[1]: Starting Generic clamav scanner daemon...
Jun 02 09:11:03 earth clamd[29639]: clamd daemon 0.99.1 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jun 02 09:11:03 earth clamd[29639]: Running as user clamscan (UID 981, GID 972)
Jun 02 09:11:03 earth clamd[29639]: Log file size limited to 10485760 bytes.
Jun 02 09:11:03 earth clamd[29639]: Reading databases from /var/lib/clamav
Jun 02 09:11:03 earth clamd[29639]: Bytecode: Security mode set to "TrustSigned".

I get the following in the clamd.scan log:

Thu Jun  2 09:11:12 2016 -> ERROR: ScanOnAccess: fanotify_init failed:
Operation not permitted
Thu Jun  2 09:11:12 2016 -> ScanOnAccess: clamd must be started by root

Yet I note that running as root is not a good idea.

I note some websites re Debian/openSUSE refer to AppArmor settings being
an issue. There appears to be no documentation re SELinux settings.
Further, clamd is running as the clamscan user (UID 981):

$ ps -alx | grep clam
1   982   2959      1  20   0   73808   3168 pause  Ss   ?      0:04 /usr/bin/freshclam -d -c 4
0  1000   5587   5094  20   0  516868  39848 poll_s Sl   ?      0:00 /usr/bin/perl /usr/bin/clamtk
0  1000   8876   5094  20   0 1241756 162936 poll_s Sl   ?      0:03 /usr/bin/okular /home/robertk/Documents/PC/Intel-P4304CR2JNF/Applications/ClamAV/clamdoc.pdf --icon okular -caption Okular
4   981  29639      1  20   0  774572 551400 poll_s Ssl  ?      0:18 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --nofork=yes
4     0  39355  16994  20   0  215476   4132 signal T    pts/2  0:00 sudo clamd zPING
4   981  39387  39355  20   0  373808 307192 signal T    pts/2  0:04 clamd zPING
0  1000 172437  16994  20   0  112660    984 pipe_w S+   pts/2  0:00 grep --color=auto clam

Consequently, your documentation is inadequate to cover the OnAccessScan
case with SELinux and clamd running as a service.

Could you please assist before I tinker further with the system?

Regards
RobK

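Two points in RobK's report are worth separating. The "fanotify_init failed: Operation not permitted" line is the kernel refusing fanotify_init(2), which needs CAP_SYS_ADMIN; the EPEL unit drops to the clamscan user (the "Running as user clamscan" log line), so clamd 0.99 cannot set up on-access scanning from that identity, and no SELinux policy change alters that. Separately, clamd does not read commands from its command line: PING, VERSION, INSTREAM and the rest are sent to the daemon over its socket, which is what the manual describes. The client below is an added example, not ClamAV's own code. It speaks the NUL-terminated "z" command form of that protocol, and because a real clamd serves one command per connection unless IDSESSION is used, it opens a fresh connection per command. The socket path is an assumption for the EPEL clamd@scan layout; the fake in-process daemon and its test marker are constructed so the example runs offline.

```python
import socket
import struct
import threading

# Assumed socket path for the EPEL clamd@scan unit (LocalSocket in
# /etc/clamd.d/scan.conf); adjust to whatever that file actually sets.
CLAMD_SOCKET = "/var/run/clamd.scan/clamd.sock"

# Constructed stand-in for malicious content, known only to the fake daemon
# below. A real clamd would answer the EICAR string with
# "stream: Eicar-Test-Signature FOUND".
TEST_MARKER = b"CLAMAV-EXAMPLE-MARKER"


def _recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return bytes(buf)


def _recv_until_nul(sock):
    """Read one NUL-terminated message, one byte at a time so that whatever
    follows it on the stream (e.g. INSTREAM chunks) is not swallowed."""
    buf = bytearray()
    while True:
        b = sock.recv(1)
        if not b:
            raise ConnectionError("peer closed the connection")
        if b == b"\0":
            return bytes(buf).decode()
        buf += b


def clamd_command(sock, name):
    """Send one 'z'-prefixed, NUL-terminated command; return the reply text."""
    sock.sendall(b"z" + name.encode() + b"\0")
    return _recv_until_nul(sock)


def clamd_ping(sock):
    return clamd_command(sock, "PING") == "PONG"


def parse_scan_reply(reply):
    """Map 'stream: OK' / 'stream: <sig> FOUND' / 'stream: <msg> ERROR'
    to a (status, detail) tuple."""
    _, _, verdict = reply.partition(": ")
    if verdict == "OK":
        return ("OK", None)
    detail, _, status = verdict.rpartition(" ")
    if status in ("FOUND", "ERROR"):
        return (status, detail)
    raise ValueError("unexpected clamd reply: %r" % reply)


def clamd_instream(sock, data, chunk_size=8192):
    """Scan an in-memory buffer with INSTREAM: big-endian uint32
    length-prefixed chunks, terminated by a zero-length chunk."""
    sock.sendall(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        part = data[i:i + chunk_size]
        sock.sendall(struct.pack(">I", len(part)) + part)
    sock.sendall(struct.pack(">I", 0))
    return parse_scan_reply(_recv_until_nul(sock))


def connect(path=CLAMD_SOCKET):
    """Fresh connection to a real clamd unix socket."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.connect(path)
    return sock


def _fake_clamd(sock):
    """Constructed stand-in for clamd: answers one command, then closes."""
    try:
        cmd = _recv_until_nul(sock)
        if cmd == "zPING":
            sock.sendall(b"PONG\0")
        elif cmd == "zVERSION":
            sock.sendall(b"ClamAV 0.99.1/fake\0")
        elif cmd == "zINSTREAM":
            data = bytearray()
            while True:
                (size,) = struct.unpack(">I", _recv_exact(sock, 4))
                if size == 0:
                    break
                data += _recv_exact(sock, size)
            verdict = b"Example.Test.Marker FOUND" if TEST_MARKER in data else b"OK"
            sock.sendall(b"stream: " + verdict + b"\0")
        else:
            sock.sendall(b"UNKNOWN COMMAND\0")
    except ConnectionError:
        pass
    finally:
        sock.close()


def fake_connect():
    """Client socket whose peer is the in-process fake daemon."""
    client, server = socket.socketpair()
    threading.Thread(target=_fake_clamd, args=(server,), daemon=True).start()
    return client


def run_demo(connect_fn=fake_connect):
    """One connection per command, as a real clamd requires outside IDSESSION."""
    results = {}
    with connect_fn() as s:
        results["ping"] = clamd_ping(s)
    with connect_fn() as s:
        results["version"] = clamd_command(s, "VERSION")
    with connect_fn() as s:
        results["clean"] = clamd_instream(s, b"plain text " * 2000)
    with connect_fn() as s:
        results["flagged"] = clamd_instream(s, b"x" * 10000 + TEST_MARKER)
    return results


if __name__ == "__main__":
    # Offline run against the fake; pass connect_fn=connect for a real daemon.
    print(run_demo())
```

Against the real daemon, `run_demo(connect)` is the socket-level equivalent of what `clamd zPING` was expected to do; a PONG answers the first question in the report, and an INSTREAM scan confirms the daemon is loading signatures without touching the on-access path at all, which isolates the fanotify failure to the privilege question.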


Re: [clamav-users] ClamAV-users Digest

2016-06-03 Thread Joel Esler (jesler)
This should be fixed now.

--
Joel Esler
Manager, Talos Group




> On Mar 3, 2016, at 6:17 PM, Paul Kosinski  wrote:
> 
> Hi,
> 
> I haven't received any Digest email since Feb 3; is the list still in
> operation?
> 
> Paul Kosinski




Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-06-03 Thread Al Varnell
Attachments are not allowed here. Be sure you submit it to the False Positive 
Report site and post the hash value back here.


Sent from Janet's iPad

-Al-

On Feb 23, 2016, at 5:55 AM, Tsutomu Oyamada wrote:
> There are still false positives for "Zip.Suspect.MacroDoubleExtension-zippwd"
> (see attached file).
> When will this false positive be resolved?
> 
> On Wed, 17 Feb 2016 20:16:02 -0800 Dennis Peterson wrote:
>> My experience with these kinds of failures is that the pattern is not 
>> properly anchored, or the writer doesn't understand greedy grep patterns, or 
>> both. Fallout from the new pcregrep, perhaps? I've not analyzed it so am 
>> speculating here, but the lesson learned after decades of doing this is: if 
>> regex results amaze you, then you have probably screwed up somewhere when 
>> writing the pattern. Or as one of my staff liked to say, something we're 
>> sure of is wrong.
>> 
>> dp
>> 
>> On 2/16/16 7:02 PM, Al Varnell wrote:
>>> Resubmitted.
>>> 
>>> 87084602bb62d9213e10a1741150093a37481cd005b62008e7187f2086b8922a:319649:pg3726-images.epub
>>> 
>>> -Al-
>>> 
>>> On Feb 14, 2016, at 4:34 PM, Al Varnell wrote:
>>>> I attempted to submit the sample I have to 
>>>> http://www.clamav.net/reports/fp and it was similarly rejected as "empty." 
>>>> Scanned the file on my computer after updating definitions still shows it 
>>>> as infected.  Uploading it to VirusTotal results in only a ClamAV 
>>>> detection:
>>>> .


Re: [clamav-users] Issue with ClamAV on Red Hat Enterprise Linux

2016-06-03 Thread Nathan Parker
Thanks everyone for chiming into this. Sorry it's taken me so long to respond 
(again).


So basically, I just need to open those two files mentioned above and edit them 
to get everything running?


Thanks!


Nathan Parker

President/CEO
Mallard Computer, Inc.