Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

2021-01-04 Thread Lilia Gonzalez Medina
Hi Orion!

Thank you for reporting this. URLhaus is a partner that generates a list of
ClamAV signatures to target malicious URLs. Signature
Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML
files, which is why it is alerting on the URLs you mentioned. We found
these FPs some weeks ago and added an extra check on new ClamAV signatures
to prevent them from alerting on legitimate URLhaus content. We are
currently updating older ClamAV signatures to ensure they don't FP on
non-malicious HTML files.

Best regards,

Lilia Gonzalez
Malware Research Team
Cisco Talos

On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski wrote:

> Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
> signature?  We're seeing the following URLs trigger it:
>
> https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
>
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
>
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
>
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
>
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
>
> Which seems to be the online update URLs for the urlhaus filter.  Does
> ClamAV deem urlhaus a bad actor?
>
> Thanks,
>   Orion
>
> --
> Orion Poplawski
> Manager of NWRA Technical Systems  720-772-5637
> NWRA, Boulder/CoRA Office FAX: 303-415-9702
> 3380 Mitchell Lane   or...@nwra.com
> Boulder, CO 80301 https://www.nwra.com/
>
> ___
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>



Re: [clamav-users] freshclam can't download updates due to SSL issue

2021-01-04 Thread Micah Snyder (micasnyd) via clamav-users
Chris,

Is the date/time correct on your machine?  You can get this error if the time 
is incorrect.

E.g., if I set my date back to 2012:

❯ sudo date 010417352012
[sudo] password for micasnyd:
Wed Jan  4 17:35:00 PST 2012

❯ ~/.clamav/bin/freshclam
ClamAV update process started at Wed Jan  4 17:35:09 2012
daily database available for update (local version: 25990, remote version: 26038)
Current database is 48 versions behind.
Downloading database patch # 25991...
WARNING: Download failed (60) WARNING:  Message: SSL peer certificate or SSH remote key was not OK
WARNING: getpatch: Can't download daily-25991.cdiff from https://database.clamav.net/daily-25991.cdiff
…

-Micah


From: clamav-users On Behalf Of Joel Esler (jesler) via clamav-users
Sent: Wednesday, December 23, 2020 4:11 PM
To: ClamAV users ML 
Cc: Joel Esler (jesler) 
Subject: Re: [clamav-users] freshclam can't download updates due to SSL issue

Nothing has changed on our end.
Sent from my  iPhone


On Dec 23, 2020, at 13:57, Chris via clamav-users <clamav-users@lists.clamav.net> wrote:

Hello

I'm using ClamAV version 0.103.0 and recently whenever I try to update ClamAV 
with freshclam, for some reason it spits out this error:

WARNING: Download failed (60) WARNING:  Message: SSL peer certificate or SSH remote key was not OK
WARNING: getpatch: Can't download daily-26002.cdiff from https://database.clamav.net/daily-26002.cdiff

I Googled for some answers on this and a few of the answers said to make sure 
my "ca-certificates" were updated.  For the record my OS is Linux Devuan 
Beowulf (Debian 10) and it has the latest version of ca-certificates available 
(20200601).  This also includes ca-certificates-java (20190405) and 
ca-certificates-mono (5.18.0.240+dfsg-3).  Running "update-ca-certificates" ran 
successfully, but I'm still getting that above error when updating ClamAV.

This never happened before, as running freshclam always updated the definitions 
without any issues.  Is it something on my end I need to do or is it an issue 
with ClamAV?

Thanks
--
Chris Garcia
https://supersamplestar.bandcamp.com/
https://www.bitchute.com/channel/supersamplestar/
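
The clock check suggested in this thread can be automated from the freshclam output itself, because the "update process started at" line records the host's own clock. The following is an added example, not part of any poster's message or of ClamAV; the function name `diagnose` is hypothetical and the certificate dates in `CERT` are constructed, not the real validity window of database.clamav.net.

```python
import re
import ssl
import time
from calendar import timegm

# freshclam output quoted earlier in this thread (clock deliberately set to 2012).
FRESHCLAM_LOG = """\
ClamAV update process started at Wed Jan  4 17:35:09 2012
daily database available for update (local version: 25990, remote version: 26038)
Current database is 48 versions behind.
Downloading database patch # 25991...
WARNING: Download failed (60) WARNING:  Message: SSL peer certificate or SSH remote key was not OK
WARNING: getpatch: Can't download daily-25991.cdiff from https://database.clamav.net/daily-25991.cdiff
"""

# Constructed validity window in the format ssl.SSLSocket.getpeercert() returns.
# Assumption for illustration only: these are not the server's real dates.
CERT = {"notBefore": "Jun  1 00:00:00 2020 GMT", "notAfter": "Jun  1 12:00:00 2021 GMT"}

STARTED = re.compile(r"^ClamAV update process started at (.+)$", re.M)
CURL_60 = re.compile(r"Download failed \(60\)")


def diagnose(log, cert):
    """Classify a freshclam TLS failure using the clock value the log records."""
    if not CURL_60.search(log):
        return "no-tls-error"
    m = STARTED.search(log)
    if not m:
        # e.g. only the WARNING lines were pasted; check `date` by hand.
        return "tls-error-clock-unknown"
    # freshclam prints local time without a zone; treating it as UTC is off by
    # less than a day, negligible against a validity window of months.
    clock = timegm(time.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y"))
    if clock < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "clock-before-notBefore"    # host thinks the cert is not yet valid
    if clock > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "clock-after-notAfter"      # host thinks the cert has expired
    return "clock-ok-check-trust-store"    # time is fine; look at CA bundle next
```
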


Re: [clamav-users] Terminate clamscan after specific time

2021-01-04 Thread Micah Snyder (micasnyd) via clamav-users
Zvi,

Yes, clamscan has a --max-scantime=#n option, which is measured in 
milliseconds.  Clamscan will check the time limit periodically and abort the 
scan if the time limit has been exceeded.  There is a similar config option for 
clamd in clamd.conf.

Disclaimer: the limit is not precise as clamscan may be busy decompressing or 
parsing a file in between checks.  It’s useful mostly when scanning large 
archives and such to abort partway through a long scan.   Ideally it would 
monitor the scan in a watchdog process or something so it could abort the scan 
more precisely but unfortunately it doesn’t work that way.

Regards,
Micah

From: clamav-users On Behalf Of Zvi Kave via clamav-users
Sent: Monday, December 28, 2020 8:04 AM
To: clamav-users@lists.clamav.net
Cc: Zvi Kave 
Subject: [clamav-users] Terminate clamscan after specific time


Hi,

Is there a way to terminate clamscan after a specific time, with a summary?

Regards,

Zvi
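
Because --max-scantime is only checked periodically, a hard deadline has to come from outside the scanner, as the reply above notes. The following is an added example, not part of the thread or of ClamAV: it passes --max-scantime as the soft limit and enforces a wall-clock kill from a parent process. The names `scan_with_deadline`, `grace_seconds` and `scanner` are hypothetical; `scanner` exists so a stand-in command can replace clamscan.

```python
import subprocess

# clamscan exit codes per its man page: 0 = no virus found, 1 = virus found, 2 = error.
VERDICTS = {0: "clean", 1: "infected", 2: "error"}


def scan_with_deadline(target, soft_seconds, grace_seconds=30.0, scanner=("clamscan",)):
    """Run clamscan with a soft limit (--max-scantime) and a hard watchdog kill.

    Returns (verdict, output). When clamscan exits on its own, `output` is
    everything it printed; when the watchdog fires, `output` is only the
    partial text captured before the kill.
    """
    soft_ms = int(soft_seconds * 1000)        # --max-scantime takes milliseconds
    hard = soft_seconds + grace_seconds       # wall-clock deadline for the watchdog
    argv = [*scanner, f"--max-scantime={soft_ms}", "--recursive", target]
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=hard)
    except subprocess.TimeoutExpired as exc:
        # subprocess.run() kills the child once the timeout expires.
        partial = exc.stdout or b""
        if isinstance(partial, bytes):
            partial = partial.decode(errors="replace")
        return "killed-by-watchdog", partial
    return VERDICTS.get(proc.returncode, f"exit-{proc.returncode}"), proc.stdout
```

The grace period gives clamscan room to finish the file it is decompressing or parsing and exit by itself before the watchdog kills it.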
