Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd
Hello,

did you really drop the signature?

During the weekend scan (clamscan), we got 45 false positives. According
to file names, they seem to be signed official PDF documents from government.

On 04/28/17 17:16, Christopher Marczewski wrote:
> Thanks for the reports. We'll be modifying the signature.
>
> In the interim, I've dropped the current signature.
>
> On Fri, Apr 28, 2017 at 11:01 AM, Vladislav Kurz wrote:
>
>> I have the same problem, and already submitted a false positive report.
>> In our case it was a signed pdf, so I suspect that the signature makes
>> it FP. But I have no idea how to work around it now. Maybe disable pdf
>> scanning?
>>
>> On 04/28/17 16:47, Giuseppe Ravasio wrote:
>>> Hi,
>>> since this morning daily signature update 23337
>>> and even with the latest one 23338
>>> my amavis flags some emails with PDF attachments as virus:
>>> Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
>>>
>>> Checking the PDF with other AVs and even with clamscan (on the same
>>> server) results in a clean file:
>>>
>>> beppe@thot:/tmp$ clamscan TCA.pdf
>>> TCA.pdf: OK
>>>
>>> --- SCAN SUMMARY ---
>>> Known viruses: 6272759
>>> Engine version: 0.99.2
>>> Scanned directories: 0
>>> Scanned files: 1
>>> Infected files: 0
>>> Data scanned: 0.22 MB
>>> Data read: 0.08 MB (ratio 2.71:1)
>>> Time: 17.277 sec (0 m 17 s)
>>>
>>> if I check the file with clamdscan I get the virus found:
>>> beppe@thot:/tmp$ clamdscan TCA.pdf
>>> /tmp/TCA.pdf: Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
>>>
>>> --- SCAN SUMMARY ---
>>> Infected files: 1
>>> Time: 0.032 sec (0 m 0 s)
>>>
>>> Any hints on how to solve the problem?
>>>
>>> Thanks
>>> Giuseppe

--
Best regards
Vladislav Kurz

Headquarters: Celní 17/5, 63900 Brno, CZ
Web: http://www.webstep.net
E-Mail: podp...@webstep.net
Tel: 840 840 700, +420 548 214 711
Terms and conditions: https://zkrat.to/op
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd
It never appeared on a daily as being dropped, but when I checked on Saturday and again just now, I can't find it:

> $ sigtool --find Pdf.Exploit.CVE_2017_3039-6300177-0
> $

I don't think it is related, but there was an issue with DNS that stopped all updates after 23343 late Saturday until mid morning Monday Pacific Time.

-Al-

On Tue, May 02, 2017 at 12:27 AM, Vladislav Kurz wrote:
>
> Hello,
>
> did you really drop the signature?
>
> During the weekend scan (clamscan), we got 45 false positives. According
> to file names, they seem to be signed official PDF documents from government.

--
Al Varnell
Mountain View, CA

Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd
I see there is a rewrite in daily 23349 that just posted:

> VIRUS NAME: Pdf.Exploit.CVE_2017_3039-6300177-2
> TDB: Engine:81-255,Target:10
> LOGICAL EXPRESSION: 0&1&2=0
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> /Adobe.PPKLite/Location{WILDCARD_ANY_STRING(LENGTH<=290)}/SubFilter
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> /Sig
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> +-> TRIGGER: 0&1
> +-> REGEX: \x2fSubFilter(.{0,50})\x2fadbe\x2e(.{1,20})\x2fType\s*\x2fSig
> +-> CFLAGS: sm

-Al-

On Tue, May 02, 2017 at 12:38 AM, Al Varnell wrote:
>
> It never appeared on a daily as being dropped, but when I checked on Saturday
> and again just now, I can't find it:
>
>> $ sigtool --find Pdf.Exploit.CVE_2017_3039-6300177-0
>> $
>
> I don't think it is related, but there was an issue with DNS that stopped all
> updates after 23343 late Saturday until mid morning Monday Pacific Time.

--
Al Varnell
Mountain View, CA

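The decode of Pdf.Exploit.CVE_2017_3039-6300177-2 posted above can be modelled in a few lines to see how an ordinary signed PDF ends up matching. This is an added example, not part of the thread and not ClamAV's matcher: Python's re module stands in for the engine, the three sample dictionaries are constructed, and `2=0` is read as "subsignature 2 matches zero times", per ClamAV's logical-signature syntax.

```python
import re

# Subsig 0: literal "/Adobe.PPKLite/Location", up to 290 arbitrary bytes, "/SubFilter".
SUBSIG0 = re.compile(rb"/Adobe\.PPKLite/Location.{0,290}?/SubFilter", re.DOTALL)
# Subsig 1: literal "/Sig".
SUBSIG1 = b"/Sig"
# Subsig 2: the PCRE from the decode, with the s and m compile flags (CFLAGS: sm).
SUBSIG2 = re.compile(
    rb"\x2fSubFilter(.{0,50})\x2fadbe\x2e(.{1,20})\x2fType\s*\x2fSig",
    re.DOTALL | re.MULTILINE,
)


def evaluate(data: bytes) -> dict:
    """Model of LOGICAL EXPRESSION 0&1&2=0 for one buffer (assumed semantics)."""
    s0 = SUBSIG0.search(data) is not None
    s1 = SUBSIG1 in data
    # TRIGGER 0&1: the regex is only consulted once subsigs 0 and 1 have hit.
    s2_hits = len(SUBSIG2.findall(data)) if (s0 and s1) else 0
    # "2=0" requires subsig 2 to match exactly zero times.
    return {"subsig0": s0, "subsig1": s1, "subsig2_hits": s2_hits,
            "alert": s0 and s1 and s2_hits == 0}


# Constructed signature dictionaries (not taken from any real file).
# A and B hold the same keys and values; only the position of /Type/Sig
# differs, which carries no meaning in a PDF dictionary.
SAMPLE_A = (b"<</Filter/Adobe.PPKLite/Location(Brno)"
            b"/SubFilter/adbe.pkcs7.detached/Type/Sig"
            b"/M(D:20170428110100)/ByteRange[0 0 0 0]>>")
SAMPLE_B = (b"<</Type/Sig/Filter/Adobe.PPKLite/Location(Brno)"
            b"/SubFilter/adbe.pkcs7.detached"
            b"/M(D:20170428110100)/ByteRange[0 0 0 0]>>")
# No /Location directly after the filter name, so subsig 0 cannot hit.
SAMPLE_C = (b"<</Type/Sig/Filter/Adobe.PPKLite"
            b"/SubFilter/adbe.pkcs7.detached/M(D:20170428110100)>>")

if __name__ == "__main__":
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(name, evaluate(sample))
```

Samples A and B differ only in key order, yet only B alerts, so the signature is sensitive to how a PDF writer lays out the signature dictionary. The model does not cover the clamd/clamscan difference reported in the thread.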
Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd
Hi,

I'm now getting some other signed pdf matched by
Pdf.Exploit.CVE_2017_3039-6300177-2

As with the Pdf.Exploit.CVE_2017_3039-6300177-0 it only happens using
the daemon and not clamscan.

Regards
Giuseppe

On 02/05/2017 09:46, Al Varnell wrote:
> I see there is a rewrite in daily 23349 that just posted:
>
>> VIRUS NAME: Pdf.Exploit.CVE_2017_3039-6300177-2

Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd
I do see a few alerts for Pdf.Exploit.CVE_2017_3039-6300177-2 on VirusTotal, too. We'll be dropping the signature again & examining further.

On Tue, May 2, 2017 at 8:24 AM, Giuseppe Ravasio <giuseppe_rava...@ch.modiano.com> wrote:

> Hi,
>
> I'm now getting some other signed pdf matched by
> Pdf.Exploit.CVE_2017_3039-6300177-2
>
> As with the Pdf.Exploit.CVE_2017_3039-6300177-0 it only happens using
> the daemon and not clamscan.
>
> Regards
> Giuseppe

[clamav-users] Different results: Clamscan vs ClamWin
Dear Clamav users,

I was scanning a ZIP file with both: clamscan (on Xubuntu), and clamwin
(on Win7).
Clamwin found a virus, where clamscan did not.

I'm surprised, since I thought these are just 2 frontends for the same
engine and virus database?

I updated the database on Linux using "$ sudo freshclam".
No change.

Grateful for any information why clamscan finds less than clamwin...? :)

Thank you in advance,
Peter B.

Software versions on my setups:

Xubuntu 12.04.1 (64bit):
    ClamAV 0.99.2/23350/Tue May 2 15:02:21 2017
    main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
    daily.cld is up to date (version: 23350, sigs: 2063182, f-level: 63, builder: neo)
    bytecode.cvd is up to date (version: 296, sigs: 58, f-level: 63, builder: anvilleg)

Win7 (64bit):
    ClamWin v0.99.1
    Virus DB Version: main 57 daily 23350
    Updated: 15:02 02 May 2017

Re: [clamav-users] Different results: Clamscan vs ClamWin
Can you tell us which virus you encountered? Also can you validate that the file has the same checksum in both Windows and Linux?

> On May 2, 2017, at 2:22 PM, Peter B. wrote:
>
> I was scanning a ZIP file with both: clamscan (on Xubuntu), and clamwin
> (on Win7).
> Clamwin found a virus, where clamscan did not.

Re: [clamav-users] Different results: Clamscan vs ClamWin
First thing I notice is that you are running two different versions of ClamAV.

> On May 2, 2017, at 20:08, Rafael Ferreira wrote:
>
> Can you tell us which virus you encountered? Also can you validate that the
> file has the same checksum in both Windows and Linux?

[clamav-users] LibClamAV Warning
Hi Folks,

I've been getting the following error for a week or so:

'LibClamAV Warning: Bytecode runtime error at line 1226, col 4'

I finally found the time to run ClamAV in verbose mode and believe this is the culprit:

'Scanning C:\Program Files (x86)\Applian Director\ClearRegCode.exe'

At least that was the last file being scanned right before the error. I can upload the file somewhere if you like...

Cheers,
Rudy