[clamav-users] Whitelist databases/File whitelist - format?

2020-05-07 Thread Pascal De Meerleer via clamav-users
Public

Hi,

whitelisting a file themedesigner.war

Creating an md5 signature and writing it to a file with extension .fp
# sigtool --md5 themedesigner.war
a264955211fd1fb5dc952430c4ee6674:14824637:themedesigner
(omitting the last extension, in this case .war)

Restarting the clamd scan service

Check if whitelisting found using clamd and clamscan
In both cases virus is still FOUND, not whitelisted

Any idea what's wrong in my thinking or something I'm missing?

Thx,


Pascal De Meerleer
Systems Engineer Mainframe Platform
Tel. +32 2 448 21 03
IMS Support: ims...@kbc.be or http://klein/ims_chatbox
KBC Groep NV, KBC H IOB - COMPUTE & STORAGE INFRASTRUCTURE
Egide Walschaertsstraat 3, 2800 Mechelen


___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Whitelist databases/File whitelist - format?

2020-05-07 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 7 May 2020, Pascal De Meerleer via clamav-users wrote:

> ...
> whitelisting a file themedesigner.war
>
> Creating an md5 signature and writing it to a file with extension .fp
> # sigtool --md5 themedesigner.war
> a264955211fd1fb5dc952430c4ee6674:14824637:themedesigner
> (omitting the last extension, in this case .war)

It is not clear to me from your post exactly what you have done, and I
specifically do not understand your comment

"(omitting the last extension, in this case .war)"

Why would you omit it?  Are you expecting to whitelist every file with
a name which begins with "themedesigner"?

Have you tried _not_ omitting the file extension?

> Restarting the clamd scan service

Not necessary, you can signal clamd to reload the databases or just
wait until something else does it (such as freshclam, or any scan).

> Check if whitelisting found using clamd and clamscan
> In both cases virus is still FOUND, not whitelisted
>
> Any idea what's wrong in my thinking or something I'm missing?

Please make your post much clearer.  What exactly is the name of the
database file which you created, where in the filesystem did you put
it, and what is the exact content of the database file?

--

73,
Ged.


Re: [clamav-users] Whitelist databases/File whitelist - format?

2020-05-07 Thread Pascal De Meerleer via clamav-users
Public

Hi, 

Hopefully this is clearer, it depicts the steps I took:

The file I try to whitelist is the following:
/usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war

The method I use is:
# sigtool --md5 
/usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war
 > /var/lib/clamav/whitelist.fp

The result is:
# cat /var/lib/clamav/whitelist.fp
a264955211fd1fb5dc952430c4ee6674:14824637:themedesigner.war

Scanning the file using clamscan is:
# clamscan -i 
/usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war
/usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war:
 Win.Exploit.CVE_2012_1889-16 FOUND

--- SCAN SUMMARY ---
Known viruses: 6921006
Engine version: 0.102.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 125.63 MB
Data read: 14.14 MB (ratio 8.89:1)
Time: 60.377 sec (1 m 0 s)

OR using clamdscan
# clamdscan 
/usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war
WARNING: Ignoring deprecated option ScanOnAccess at /etc/clamd.d/scan.conf:633
/usr/sap/XA1/DVEBMGS20/j2ee/cluster/apps/sap.com/theme~designer/servlet_jsp/themedesigner/themedesigner.war:
 Win.Exploit.CVE_2012_1889-16 FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 48.522 sec (0 m 48 s)

Grtz,

Pascal De Meerleer 
Systems Engineer Mainframe Platform
Tel. +32 2 448 21 03
IMS Support: ims...@kbc.be or http://klein/ims_chatbox 
KBC Groep NV, KBC H IOB - COMPUTE & STORAGE INFRASTRUCTURE
Egide Walschaertsstraat 3, 2800 Mechelen 

Re: [clamav-users] Clamd crashes frequently - macOS Catalina

2020-05-07 Thread Mark Allan via clamav-users
Hi Micah,

Curiously it only seems to affect clamd/clamdscan. The standalone clamscan 
doesn't appear to be affected, which means it took quite a while to track down 
the file which causes the crash.

The signature in question is Email.Exploit.Efail-6641027-1

The file triggering the crash for me is 'actionmailer-2.2.2.gem' a gem within 
the Ruby framework on Mac OS X 10.6.8


/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/gems/1.8/cache/actionmailer-2.2.2.gem

SHA-256 164de36ca0e858ccc9bd3e33ae1ee3d3bb9f964f7d941621b3bec725945af5fe

I've uploaded it to VirusTotal.

For what it's worth, I was wrong about the version of lib-pcre that we're 
using. Our current build runs with pcre2 (10.32) but our test machine in 
question was using an older version of ClamAV (0.100.1) which was compiled with 
pcre 8.41

Still quite surprising that a signature can bring down clamd though.

Hope the above is useful.

Best regards
Mark 

> On 5 May 2020, at 6:28 pm, Micah Snyder (micasnyd)  wrote:
> 
> Mark,
>  
> It probably won’t make much difference, though there is a possible slow scan 
> time issue in pcre2 10.32 for case-insensitive patterns.
>  
> If you have a sample and signature that cause the issue, I’d love a copy so I 
> can investigate further.
>  
> -Micah
>  
> From: Mark Allan 
> Date: Tuesday, May 5, 2020 at 5:20 AM
> To: ClamAV users ML , Micah Snyder (micasnyd) 
> 
> Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
> 
> Hi Micah, 
>  
> Al is correct, we're using 10.32. I see 10.34 is now available, so I'll 
> compile against that when I get a chance and see if it makes any difference.
>  
> Mark
> 
> 
> On 5 May 2020, at 6:25 am, Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:
>  
> Micah,
>  
> Looks to be 10.32, but Mark should be along shortly to confirm.
>  
> -Al-
> 
> 
> On May 4, 2020, at 13:23, Micah Snyder (micasnyd) via clamav-users <clamav-users@lists.clamav.net> wrote:
>  
> Hi Mark, 
>  
> Which pcre2 version are you using?
>  
> Regards,
> Micah
>  
> From: clamav-users
> Date: Saturday, May 2, 2020 at 5:50 PM
> To: ClamAV users ML
> Cc: Mark Allan <markjal...@gmail.com>
> Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
> 
> Hi James,
>  
> Glad that seems to have helped.
>  
> Al and others are correct that the distro should be updated to use pcre2, but 
> I'm not convinced that's the root of the problem. We're seeing the issue with 
> that signature despite already using pcre2 in our build.
>  
> Mark
> 
> 
> 
> On 2 May 2020, at 3:45 am, Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:
>  
> Although I completely support what Mark has recommended, I would caution that 
> there could easily be a future signature that will cause this same issue if 
> the root cause of not upgrading to pcre2 is not accomplished, and figuring 
> out what signature that is won't be easy.
> 
> Sent from my iPad
>  
> -Al-
> 
> 
> 
> On May 1, 2020, at 18:38, James Brown via clamav-users <clamav-users@lists.clamav.net> wrote:
> 
> On 1 May 2020, at 8:31 pm, Mark Allan via clamav-users <clamav-users@lists.clamav.net> wrote:
>  
> Try excluding Email.Exploit.Efail-6641027-1 from the main ClamAV set.
>  
> Thanks Mark. After over 12 hours clamd is still up and running. Looks like 
> that sig was causing the problem.
>  
> James.

Re: [clamav-users] Whitelist databases/File whitelist - format?

2020-05-07 Thread Andy Ragusa (aragusa) via clamav-users
Hi,

It looks like this issue might be related to 
https://bugzilla.clamav.net/show_bug.cgi?id=12217.  The problem is a bug in the 
clamav reporting code where the archive itself is whitelisted, but the contents 
are not.  This causes the archive to be reported, even though it has been 
whitelisted.

The clamav team is working on a fix for this, but you could temporarily try 
unpacking the archive and whitelisting the individual file that is being 
flagged, however if the file being flagged is html or javascript it is possible 
that it will still not work until 0.103, when the bug is fixed.

Thanks,
Andy
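The .fp hash-signature format Pascal's post shows (md5:size:name, exactly what sigtool --md5 prints) together with Andy's workaround of whitelisting the archive members individually, as an added Python example that is not ClamAV's or sigtool's code. It generates one entry for the archive and one per member, and checks whether a given entry matches a file the way ClamAV does (hash and size must both agree; the name is only a label). The sample archive, its member names and the whitelist path are constructed here; Andy's caveat that HTML/JavaScript members may still be reported before 0.103 applies unchanged.

```python
import hashlib
import io
import zipfile


def fp_entry(data: bytes, name: str) -> str:
    """One .fp line for these bytes: <md5>:<size>:<name>, as sigtool --md5 prints."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def fp_matches(entry: str, data: bytes) -> bool:
    """A .fp entry matches only if both md5 and size agree; the name is descriptive."""
    md5, size, _name = entry.split(":", 2)
    return md5 == hashlib.md5(data).hexdigest() and int(size) == len(data)


def fp_entries_for_archive(archive: bytes, archive_name: str) -> list:
    """Entries for the archive itself and for every regular member inside it, so a
    detection on a member (the case bugzilla 12217 describes) is covered as well."""
    entries = [fp_entry(archive, archive_name)]
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # sigtool names the entry after the file's basename, so do the same
            entries.append(fp_entry(zf.read(info), info.filename.rsplit("/", 1)[-1]))
    return entries


def build_sample_war() -> bytes:
    """Constructed stand-in for themedesigner.war (a .war is a zip archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>\n")
        zf.writestr("js/editor.js", "function init() {}\n")
    return buf.getvalue()


if __name__ == "__main__":
    war = build_sample_war()
    for line in fp_entries_for_archive(war, "themedesigner.war"):
        print(line)  # append these to e.g. /var/lib/clamav/whitelist.fp (hypothetical path)
```

After adding entries, a reload of clamd's databases (or, as Ged notes, waiting for freshclam or a scan to trigger one) is enough; a restart is not required.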



