Re: [clamav-users] SOLVED: freshclam checks database every time

2013-11-05 Thread Matt Olney
To track this and your other feature request, please put a ticket in at
https://bugzilla.clamav.net.

Matt


On Tue, Nov 5, 2013 at 8:29 AM, Andreas Schulze wrote:

> On 21.06.2013 13:28, Andreas Schulze wrote:
> > On 10.04.2013 15:05, Andreas Schulze wrote:
> >
> > > symptom: freshclam needs 3..4 seconds to finish also in the case where
> > > *no* updates are available.
> > That's worse because freshclam still steals cputime here :-(
>
> I finally found the relevant piece of code. Using the attached patch
> freshclam checks the db only if there was really an update available.
> Maybe it could be an option in freshclam.conf
>
> Andreas
>
> --
> Andreas Schulze
> Internet Services | P252
>
> DATEV eG
> 90329 Nürnberg | Phone +49 911 319-0 | Fax +49 911 319-3196
> E-Mail info @datev.de | Internet www.datev.de
> Registered office: 90429 Nürnberg, Paumgartnerstr. 6-14 | Register court Nürnberg,
> GenReg Nr.70
> Executive Board
> Prof. Dieter Kempf (Chairman)
> Dipl.-Kfm. Wolfgang Stegmann (Deputy Chairman)
> Dipl.-Kfm. Michael Leistenschneider
> Dipl.-Kfm. Dr. Robert Mayr
> Jörg Rabe v. Pappenheim
> Dipl.-Vw. Eckhard Schwarzer
> Chairman of the Supervisory Board: Reinhard Verholen
>
> ___
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml
>


[clamav-users] Thank You

2014-06-17 Thread Matt Olney
Hello all,

My name is Matthew Olney and I’m the manager of the VRT Research
Development team.  Among other things, my group is responsible for ClamAV
engine development.  I just wanted to take a moment to express my
appreciation for those in the community who have worked with us to ensure
a quality release of ClamAV 0.98.4.  In particular those of you who have
submitted bugs and worked with us to test patches, and those of you who
downloaded and tested 0.98.4RC1.

Due to the success of this release candidate, we would like to use the
beta/RC model going forward.  Development is what it is, so we may not
always be able to do this, but my strong preference would be to use this
model.  Provided nothing serious comes up in the meantime, you should
expect a beta for 0.98.5 in the near future.

Thank you all again, it’s a pleasure working with you,

Matthew Olney
Manager, VRT Research Development

Re: [clamav-users] Identifying all infections in a file...

2012-06-08 Thread Matt Olney
Maarten,

There currently isn't a way to do this.  We could look at doing that
in a future release.  Feel free to put a bug in
https://bugzilla.clamav.net/ and we'll consider it.

Thanks,

Matthew Olney
Sourcefire VRT

On Thu, Jun 7, 2012 at 3:36 PM, Maarten Broekman  wrote:
> Is there any way to get a list of all the signatures that match a file
> with multiple infections?  For example, I have a file that's been
> infected with both PHP and JavaScript code (or even multiple, different,
> PHP code blocks), how would I be able to get all the signatures that
> match?  My primary interest in this is making sure I have signatures
> that cover all the infections since they can appear together as well as
> singularly.
>
> --Maarten
>
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml


Re: [clamav-users] Massive bugzilla notifications

2012-06-13 Thread Matt Olney
Nope, no problem.  We have some new developers on board and we're doing
some administrative stuff on the back end.

Matt

On Wed, Jun 13, 2012 at 11:55 AM, Gianluigi Tiesi wrote:

> Hi,
> I'm receiving a lot of bugzilla emails from clamav bugzilla, bugs are
> rather old, is there some problem?
>
> Regards
> --
> Gianluigi Tiesi 
> EDP Project Leader
> Netfarm S.r.l. - http://www.netfarm.it/
> Free Software: http://oss.netfarm.it/
>
> Q: Because it reverses the logical flow of conversation.
> A: Why is putting a reply at the top of the message frowned upon?
>


Re: [clamav-users] WARNING: Your ClamAV installation is OUTDATED!

2012-06-14 Thread Matt Olney
0.97.5 is now available on Sourceforge.  The outbound synchronization
process for the new build is ongoing and should be complete today.  Once it
is complete the standard notifications will go out.  Sorry for any
confusion.

Matthew Olney
Sourcefire VRT ClamAV Team

On Wed, Jun 13, 2012 at 7:38 PM, Bill Landry  wrote:

> I've been seeing these notifications for the past few hours:
>
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.97.4 Recommended version: 0.97.5
>
> but the download link at clamav.net still shows:
>
> Latest stable release: ClamAV 0.97.4 (signature – ChangeLog)
>
> When will the new release be available for download?
>
> Thanks,
>
> Bill


Re: [clamav-users] Deprecation of "Basic signature format"

2012-06-14 Thread Matt Olney
Nathan,

There are no current plans to remove support for that signature format.
 However, you should investigate the alternate formats in case that changes
in a future version of ClamAV.  In particular look at the .hdb format that
matches both size and MD5.

Matt

On Wed, Jun 13, 2012 at 12:29 PM, ng seclists  wrote:

> Folks,
>
> I see that in the signatures documentation that "Basic signature format" is
> now deprecated. Using Clam 0.97.4, this .db format is still working. Will
> support for this format ever be dropped or can I continue to create
> signatures using this format indefinitely without consequence?
>
> Thanks!
>
> Nathan G.


Re: [clamav-users] Help to download ClamAV 0.97.5

2012-06-15 Thread Matt Olney
We're having some trouble with our freshmeat account.  You can download the
latest here, until we get it fixed up:

https://sourceforge.net/projects/clamav/files/

On Thu, Jun 14, 2012 at 10:07 PM, Michael Wu  wrote:

> Hello,
>
> We try to download ClamAV 0.97.5 from
> "http://www.clamav.net/lang/en/download/sources/", but only get the
> download "clamav-0.97.4.tar.gz". Please help to check if the file is not
> updated. Thank you.
>
> Regards,
>
> Michael


Re: [clamav-users] ClamAV 0.97.5 download

2012-06-15 Thread Matt Olney
We're having some trouble with our freshmeat account.  You can download the
latest here, until we get it fixed up:

https://sourceforge.net/projects/clamav/files/

On Thu, Jun 14, 2012 at 4:04 PM, Bowie Bailey  wrote:

> I see that the text on the download page of the website has changed to
> 0.97.5, but the link still goes to an 0.97.4 download file.
>
> --
> Bowie


Re: [clamav-users] WARNING: Your ClamAV installation is OUTDATED!

2012-06-15 Thread Matt Olney
Bill,

Can you submit a sample or two here:

http://cgi.clamav.net/sendvirus.cgi

So we can look at it?

Thanks,
Matt

On Fri, Jun 15, 2012 at 1:40 AM, Bill Maidment  wrote:

> I've updated to clamav-0.97.5 and now I'm getting lots of rejections like
> Clamd returned error: CL_EFORMAT: Bad format or broken data
>
> I've had to revert to 0.97.4 for now.
> Did I miss some crucial upgrade info?
>
> Regards
> Bill Maidment
> Maidment Enterprises Pty Ltd
>
> -Original message-
> From: Bill Landry 
> Sent: Thursday 14th June 2012 9:47
> To: clamav-users@lists.clamav.net
> Subject: [clamav-users] WARNING: Your ClamAV installation is OUTDATED!
>
>
> I've been seeing these notifications for the past few hours:
>
>  WARNING: Your ClamAV installation is OUTDATED!
>  WARNING: Local version: 0.97.4 Recommended version: 0.97.5
>
> but the download link at clamav.net still shows:
>
>  Latest stable release: ClamAV 0.97.4 (signature – ChangeLog)
>
> When will the new release be available for download?
>
> Thanks,
>
> Bill


Re: [clamav-users] Help to download ClamAV 0.97.5

2012-06-15 Thread Matt Olney
On Fri, Jun 15, 2012 at 9:46 AM, Brian Morrison  wrote:

> On Fri, 15 Jun 2012 09:13:30 -0400
> Matt Olney  wrote:
>
> > We're having some trouble with our freshmeat account.  You can
> > download the latest here, until we get it fixed up:
> >
> > https://sourceforge.net/projects/clamav/files/
>
> The download is 14MB odd, previous versions have been 48MB and when I
> run my rpm build script it tells me that the main and daily cvd files
> are missing.
>
> --
>
> Brian Morrison

Brian,

It looks like our new build system doesn't bundle the .cvds.  More
accurately it ships 0-length main and daily cvds.  For now you can, of
course, run freshclam to pick up the signature files.  We'll revisit the
desired behavior (with or without cvds) and adjust our build process
accordingly.  Since you brought it up, do you have a preference or use-case
that supports one behavior or the other?

Matt


Re: [clamav-users] Latest Clam PGP key?

2012-06-15 Thread Matt Olney
A,


On this release, one of the changes you will notice is that the signing key
is now the Sourcefire VRT key which can be found here:



http://labs.snort.org/contact.html



This key can also be imported via the M.I.T. key server using the key id
15497F03. The key fingerprint is 9851 AE1B 3C52 0073 86DC  9F25 681A 2A64
1549 7F03.


Matt

On Fri, Jun 15, 2012 at 12:04 PM, A J Thew  wrote:

> Hi,
> what key is the 0.97.5 package signed with?
>
> I had the previous key on my gpg keyring.
>
> Thanks
>
> A Thew
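An added example (not part of the original message and not Sourcefire or ClamAV code): the 8-digit key id quoted above is not unique to one key, so after importing, compare the full fingerprint from the message against what gpg reports. The sample listing is constructed, and the function names are illustrative.

```python
import subprocess

# Values quoted in the message above.
PINNED_FINGERPRINT = "9851 AE1B 3C52 0073 86DC  9F25 681A 2A64 1549 7F03"
SHORT_KEY_ID = "15497F03"

# Constructed sample of `gpg --with-colons --fingerprint` output. Only the
# record type, key ID and fingerprint fields are filled in. The subkey and the
# second primary key are invented; the latter ends in the same 8 hex digits.
SAMPLE_LISTING = """\
pub::::681A2A6415497F03:
fpr:::::::::9851AE1B3C52007386DC9F25681A2A6415497F03:
sub::::AAAAAAAA00000001:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA00000001:
pub::::CCDDEEFF15497F03:
fpr:::::::::00112233445566778899AABBCCDDEEFF15497F03:
"""


def normalize(fingerprint):
    """Drop the grouping spaces and upper-case a printed fingerprint."""
    return "".join(fingerprint.split()).upper()


def primary_fingerprints(listing):
    """Return the fingerprint (field 10 of an fpr record) of each primary key.

    An fpr record belongs to the key record printed just before it, so only
    fpr records that directly follow a pub record are collected.
    """
    found, previous = [], None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and previous == "pub" and len(fields) > 9:
            found.append(fields[9].upper())
        previous = fields[0]
    return found


def check_imported_keys(listing, pinned=PINNED_FINGERPRINT, short_id=SHORT_KEY_ID):
    """Split keys that answer to short_id into trusted (full match) and rejected."""
    want = normalize(pinned)
    short_id = short_id.upper()
    if len(want) != 40 or not want.endswith(short_id):
        raise ValueError("pinned fingerprint and short key ID disagree")
    same_id = [f for f in primary_fingerprints(listing) if f.endswith(short_id)]
    return {
        "trusted": [f for f in same_id if f == want],
        "rejected": [f for f in same_id if f != want],
    }


def list_keys(short_id=SHORT_KEY_ID):
    """Ask the local gpg keyring for the machine-readable listing."""
    result = subprocess.run(
        ["gpg", "--with-colons", "--fingerprint", short_id],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed listing; use list_keys() for
    # a real keyring.
    print(check_imported_keys(SAMPLE_LISTING))
```

Only a key listed under "trusted" should be used to verify the release signature; anything under "rejected" shares the short id but is a different key.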


[clamav-users] Known issue -- LZX compression

2012-06-15 Thread Matt Olney
All,



We wanted to bring to your attention an issue that we have been made aware
of in ClamAV 0.97.5.  As part of this release, we tightened the malformed
compression checks in LZX compressed files.  CAB, CHM and Install Shield
file formats may use this compression.



In previous versions of ClamAV, these files would be passed as "OK" when
the decompression failed.  ClamAV 0.97.5 will respond with a CL_EFORMAT
error instead.  In some environments, this level of checking may be
inappropriate.  We are currently reviewing the situation and evaluating
what, if any, changes are appropriate.



A bug has been created so you can follow our work:

https://bugzilla.clamav.net/show_bug.cgi?id=5252



If you have any questions, please let us know.

Matthew Olney
Sourcefire VRT / ClamAV Team


Re: [clamav-users] current version

2012-06-20 Thread Matt Olney
Thanks Florian,

I'll kick this over to the ops team to make sure it gets updated.

On Wed, Jun 20, 2012 at 1:02 AM, sys...@ra-schaal.de
 wrote:
> could you please update your dns?
>
> sometimes "host -t txt current.cvd.clamav.net" reports 0.97.4
>
> regards
> florian


Re: [clamav-users] Clam virus database for test purposes

2012-07-03 Thread Matt Olney
You can create a file called test.ndb and add the following lines to it:

Eicar-Test-Signature:0:0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
Eicar-Test-Signature-1:0:*:574456504956416c51454651577a5263554670594e54516f554634704e304e444b5464394a45564a513046534c564e555155354551564a454c55464f56456c5753564a565579315552564e550a4c555a4a544555684a45677253436f3d0a

Then run clamscan against that database file:

kpyke@vrt-dev-01:~$ clamscan --database=./test.ndb eicar.com

eicar.com: Eicar-Test-Signature.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Known viruses: 2
Engine version: 0.97.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.007 sec (0 m 0 s)

Let me know if that doesn't answer your question.

Matt

On Mon, Jul 2, 2012 at 6:24 AM, Wojciech Michalak
 wrote:
> Hello,
>
>     I was wondering if you could release (or point me to if one exists)
> a set of cvd files which would contain only the eicar test samples? When
> developing software I was hoping to refrain from having to commit/host
> the whole current virus database. Checkout/download becomes cumbersome
> when running software deployment tests. I tried searching both the web
> and the mailing list, but didn't find anything useful. I was hoping to
> have a set of files that I could place in "/var/lib/clamav" which would
> be sufficient for starting "/etc/init.d/clamav-daemon" and running tests
> with the eicar sample.
>
> Kind regards,
> Wojciech Michalak
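An added example (not part of the original message and not ClamAV code): the two test.ndb lines above use the extended signature layout Name:TargetType:Offset:HexSignature, and this Python code parses such lines and applies them to a buffer to show what the Offset field changes. It handles only plain hex bodies and the "*" / absolute-offset forms; the class and function names are illustrative, and the second signature is rebuilt from the first rather than retyped, since its hex body is the base64 encoding (with line breaks) of the same test string.

```python
import base64
from dataclasses import dataclass

# First signature line from the message above (hex body split for readability).
PAGE_SIGNATURE = (
    "Eicar-Test-Signature:0:0:"
    "58354f2150254041505b345c505a5835"
    "3428505e2937434329377d2445494341"
    "522d5354414e444152442d414e544956"
    "495255532d544553542d46494c452124"
    "482b482a"
)


@dataclass(frozen=True)
class NdbSignature:
    name: str
    target_type: int  # 0 means "any file"
    offset: str       # "*" (anywhere) or an absolute decimal offset
    pattern: bytes


def parse_ndb_line(line):
    """Parse one .ndb line; trailing optional fields are ignored."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("expected Name:TargetType:Offset:HexSignature")
    name, target_type, offset, hex_body = fields[:4]
    if offset != "*" and not offset.isdigit():
        raise ValueError(f"offset form not handled here: {offset!r}")
    try:
        pattern = bytes.fromhex(hex_body)
    except ValueError:
        raise ValueError("wildcard or malformed hex body not handled here") from None
    if not pattern:
        raise ValueError("empty signature body")
    return NdbSignature(name, int(target_type), offset, pattern)


def matches(sig, data):
    """Offset '*' matches anywhere; a number must match exactly at that byte."""
    if sig.offset == "*":
        return sig.pattern in data
    start = int(sig.offset)
    return data[start:start + len(sig.pattern)] == sig.pattern


def scan(data, signatures):
    """Return the names of all signatures that match the buffer."""
    return [sig.name for sig in signatures if matches(sig, data)]


def load_test_db():
    """Build the two-entry database described in the message."""
    first = parse_ndb_line(PAGE_SIGNATURE)
    # Second entry: same test string, base64-encoded, matched at any offset.
    second = parse_ndb_line(
        "Eicar-Test-Signature-1:0:*:" + base64.encodebytes(first.pattern).hex()
    )
    return [first, second]


if __name__ == "__main__":
    db = load_test_db()
    test_file = db[0].pattern                     # constructed sample input
    mime_part = b"Content-Transfer-Encoding: base64\n\n" + base64.encodebytes(test_file)
    print(scan(test_file, db))                    # plain test file
    print(scan(b"\r\n" + test_file, db))          # shifted by two bytes
    print(scan(mime_part, db))                    # base64 body inside a message
```

The shifted buffer shows why the first line, pinned to offset 0, only fires on a file that starts with the test string, while the "*" line fires wherever its bytes occur.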


Re: [clamav-users] update clamav

2012-07-09 Thread Matt Olney
Bruno,

Nigel Houghton replied on Jun 27th:

"Here's the relevant information from the wiki:

Solution 1: Use an HTTP proxy

This solution is really easy to implement and is bandwidth efficient.

Install a proxy server (i.e. squid) and then tell your freshclam
clients to use it. This can be done by setting the HTTPProxyServer
parameter in freshclam.conf (see man 5 freshclam.conf for the
details).

Solution 2: Serve .cvd files from a local web server

This solution is really simple to implement but it's only effective if
your clients are all on the same local network and bandwidth is not an
issue for you.

Configure a local webserver on one of your machines (say
machine1.mylan) and let freshclam download the *.cvd files from
http://database.clamav.net to the webserver’s DocumentRoot.

Add this line to freshclam.conf on machine1.mylan:

  ScriptedUpdates off

First the database will be downloaded to the local webserver and then
the other clients on the network will update their copy of the
database from it. For this to work you have to change freshclam.conf
on your clients so that it reads:

  DatabaseMirror machine1.mylan

  ScriptedUpdates off"

Matt

On Mon, Jul 9, 2012 at 7:43 AM, Joel Esler  wrote:
> What issue?
>
> --
> Joel Esler
>
> On Jul 9, 2012, at 5:08 AM, Bruno Barosa  
> wrote:
>
>> Hello again,
>>
>> Good morning and a good week for all
>>
>> has anyone got news on this issue?
>>
>> Regards
>> Bruno
>>
>> On 27-06-2012 19:29, Nigel Houghton wrote:
>>> On Jun 27, 2012, at 8:12 AM, Matthew Olney wrote:
>>>
>>>> Apparently, the answer to this is on the wiki, but it is having issues.
>>>>
>>>>> Begin forwarded message:
>>>>>
>>>>>> From: Ilyas Doskhozhayev
>>>>>> Date: June 27, 2012, 5:45:28 AM EDT
>>>>>> To: jes...@sourcefire.com
>>>>>> Subject: update clamav
>>>>>>
>>>>>> Hi, thanks to all your team for this antivirus tool.
>>>>>>
>>>>>> My question is: on Debian I have servers that cannot update the virus
>>>>>> database directly from the internet, so they update from a local
>>>>>> repository on the network.
>>>>>> So can I make clamav update from my local repository on a server that
>>>>>> has internet?
>>>>>>
>>>>>>
>>>>>> I use this source list to update from the repository on the server:
>>>>>>
>>>>>> deb http://10.0.1.11/localrepository /
>>>>>>
>>>>>> Thanks in advance
>>> Here's the relevant information from the wiki:
>>>
>>> Solution 1: Use an HTTP proxy
>>>
>>> This solution is really easy to implement and is bandwidth efficient.
>>>
>>> Install a proxy server (i.e. squid) and then tell your freshclam clients to 
>>> use it. This can be done by setting the HTTPProxyServer parameter in 
>>> freshclam.conf (see man 5 freshclam.conf for the details).
>>>
>>> Solution 2: Serve .cvd files from a local web server
>>>
>>> This solution is really simple to implement but it's only effective if your 
>>> clients are all on the same local network and bandwidth is not an issue for 
>>> you.
>>>
>>> Configure a local webserver on one of your machines (say machine1.mylan) 
>>> and let freshclam download the *.cvd files from http://database.clamav.net 
>>> to the webserver's DocumentRoot.
>>>
>>> Add this line to freshclam.conf on machine1.mylan:
>>>
>>>   ScriptedUpdates off
>>>
>>> First the database will be downloaded to the local webserver and then the 
>>> other clients on the network will update their copy of the database from 
>>> it. For this to work you have to change freshclam.conf on your clients so 
>>> that it reads:
>>>
>>>   DatabaseMirror machine1.mylan
>>>
>>>   ScriptedUpdates off
>>>
>>> --
>>> Nigel Houghton
>>> Head Mentalist, Time Lord
>>> SF VRT Department of Intelligence Excellence
>>> http://vrt-blog.snort.org/ && http://labs.snort.org/
>>>
>>>
>>>


Re: [clamav-users] Many false positives: MBL_312128 / MBL_303159

2012-08-07 Thread Matt Olney
We've heard similar complaints on IRC.  It looks like downloads may be
broken from MBL.  You'll have to work with them to address the issue.

Matt

On Tue, Aug 7, 2012 at 2:38 PM, Laurent CARON wrote:

> Hi,
>
> I'm currently experiencing lots of FP.
>
> Those FP range from automatic apticron debian mails, mails with simple
> clean PDF files, CSV files, ...
>
> Do any of you experience the same ?
>
> Thanks
>
> Laurent


Re: [clamav-users] Communigate Pro parser fails

2012-09-06 Thread Matt Olney
I'll have someone contact you directly.

Matt

On Thu, Sep 6, 2012 at 6:15 AM, Victor Sudakov  wrote:

> Colleagues,
>
> AFAIK clamd can parse Communigate Pro message spool format, where the
> message itself is preceded by several extra lines like
>
> P I 06-09-2012 08:53:14    
> O LH
> A sibptus.tomsk.ru [212.73.124.5]
> S SMTP [212.73.125.240]
> R W 06-09-2012 08:53:14   _FY_ 
>
> However, I have found a condition when this parser fails on
> clamav-0.97.5 and clamd reports OK though there is a known virus in
> the message. I can provide samples and more details.
>
> Who do I contact about it? Thank you in advance.
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru


Re: [clamav-users] Communigate Pro parser fails

2012-09-07 Thread Matt Olney
Can you submit a bug through  https://bugzilla.clamav.net/  please?  Shawn
will keep working with you, but this will allow us to track this issue.

Matt

On Thu, Sep 6, 2012 at 10:28 PM, Victor Sudakov  wrote:

> Shawn Webb wrote:
>
> > >
> > > AFAIK clamd can parse Communigate Pro message spool format, where the
> > > message itself is preceded by several extra lines like
> > >
> > > P I 06-09-2012 08:53:14    
> > > O LH
> > > A sibptus.tomsk.ru [212.73.124.5]
> > > S SMTP [212.73.125.240]
> > > R W 06-09-2012 08:53:14   _FY_ 
> > >
> > > However, I have found a condition when this parser fails on
> > > clamav-0.97.5 and clamd reports OK though there is a known virus in
> > > the message. I can provide samples and more details.
>
> > Were you able to scan with versions of ClamAV prior to 0.97.5?
>
> clamav-0.97 has the same problem. Sorry, I don't have older ClamAV
> installations anywhere at the moment.
>
> > Can you send me some samples?
>
> Please take a sample at ftp://ftp.tomsk.ru/pub/m2.zip
> ClamAV says it's OK. But if you manually add some "Content-Type:"
> header to the message, it is reported as containing
> Trojan.Startpage-131 (which it does). If you remove the CommunigatePro
> extra lines without adding a "Content-Type:" header, it's again
> reported as containing Trojan.Startpage-131.
>
> I have come across this bug (?) when sending messages with the Unix
> mail program. It does not generate the "Content-Type:" header so any
> virus sent by the mail(1) program passes through ClamAV+Communigate.
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru


Re: [clamav-users] Deep scanning of image files

2012-10-23 Thread Matt Olney
Maarten, can you help us track this by adding a bug at
https://bugzilla.clamav.net/?

Thanks,

Matt

On Tue, Oct 23, 2012 at 2:18 PM, Maarten Broekman  wrote:
> One thing I'm seeing more and more of is malware code (be it PHP or ASP)
> embedded after GIF headers.  ClamAV sees the GIF header and treats it
> like an image (properly), but then ClamAV sees an HTML signature later
> in the file.  However, it doesn't do any normalization on that HTML
> data.  Would it be possible to add an option to clamscan that does
> normalize the HTML data and analyzes it as usual?
>
>
>
> Example:
>
> LibClamAV debug: Recognized GIF file
>
> LibClamAV debug: in cli_check_jpeg_exploit()
>
> LibClamAV debug: Matched signature for file type HTML data at 4197
>
>
>
> Problem:
>
>   I have signatures that would match the normalized HTML data, but
> because the GIF header is there, clamscan doesn't normalize the HTML
> data.  This means that I have to create unique signatures for each file
> with a GIF header that contains different non-normalized HTML data.
>
>
>
> Thanks,
>
> Maarten
>
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Problems with signature mirrors today?

2012-11-09 Thread Matt Olney
Hey guys, thanks for the heads up.  We're checking into it now.

Matt

On Fri, Nov 9, 2012 at 12:38 PM, José Celestino  wrote:

> On Fri, 2012-11-09 at 10:23 -0700, Chris Stone wrote:
> > Seeing a lot of:
> >
> > Current working dir is /usr/local/share/clamav
> > Max retries == 3
> > ClamAV update process started at Fri Nov  9 10:22:52 2012
> > Using IPv6 aware code
> > If-Modified-Since: Tue, 11 Oct 2011 14:34:20 GMT
> > Reading CVD header (main.cvd): Ignoring mirror 63.141.241.106 (due to
> > previous errors)
> > Ignoring mirror 69.163.100.14 (due to previous errors)
> ...
> >
> > Problems? Everyone else seeing this as well?
>
>
>
> Yes. daily-15558.cdiff is nowhere to be found.
>
>
>


Re: [clamav-users] Problems with signature mirrors today?

2012-11-09 Thread Matt Olney
Folks,

We seem to have resolved the issue.  Mirrors should be syncing now.  Let us
know if you see anything else.

Matt

On Fri, Nov 9, 2012 at 12:51 PM, Nigel Houghton wrote:

>
> On Nov 9, 2012, at 12:38 PM, José Celestino  wrote:
>
> > On Fri, 2012-11-09 at 10:23 -0700, Chris Stone wrote:
> >> Seeing a lot of:
> >>
> >> Current working dir is /usr/local/share/clamav
> >> Max retries == 3
> >> ClamAV update process started at Fri Nov  9 10:22:52 2012
> >> Using IPv6 aware code
> >> If-Modified-Since: Tue, 11 Oct 2011 14:34:20 GMT
> >> Reading CVD header (main.cvd): Ignoring mirror 63.141.241.106 (due to
> >> previous errors)
> >> Ignoring mirror 69.163.100.14 (due to previous errors)
> > ...
> >>
> >> Problems? Everyone else seeing this as well?
> >
> >
> >
> > Yes. daily-15558.cdiff is nowhere to be found.
> >
>
> We are working on the problem.
>
> --
> Nigel Houghton
> Head Mentalist, Time Lord
> SF VRT Department of Intelligence Excellence
> http://vrt-blog.snort.org/ && http://labs.snort.org/
>


Re: [clamav-users] LibClamAV Warnings

2012-11-16 Thread Matt Olney
We're looking into it, guys.  Don't have an answer right now, but
thanks for the info.  By chance, do you have a sample that triggers
this behavior?

Matt

On Fri, Nov 16, 2012 at 11:04 AM, Maarten Broekman
 wrote:
>> -Original Message-
>> LibClamAV Warning: Bytecode run timed out in interpreter after 765000
>> opcodes LibClamAV Warning: Bytcode 16 failed to run: Unknown error
> code
>> LibClamAV Warning: Bytecode runtime error at line 95, col 13 LibClamAV
>> Error: Opcode 45 of type 0 is not implemented yet!
>> LibClamAV Warning: Bytcode 16 failed to run: Invalid argument passed
> to
>> function
>>
>> LibClamAV Warning: Bytecode run timed out in interpreter after 68
>> opcodes LibClamAV Warning: Bytcode 20 failed to run: Unknown error
> code
>> LibClamAV Warning: Bytecode runtime error at line 95, col 13 LibClamAV
>> Error: Opcode 45 of type 0 is not implemented yet!
>> LibClamAV Warning: Bytcode 20 failed to run: Invalid argument passed
> to
>> function
>>
>>
>> LibClamAV Warning: Bytecode run timed out in interpreter after
> 19255000
>> opcodes
>>
>> LibClamAV Warning: Bytcode 1 failed to run: Unknown error code
>>
>> LibClamAV Warning: Bytecode run timed out in interpreter after 139
>> opcodes LibClamAV Warning: Bytcode 39 failed to run: Unknown error
> code
>
> I have been seeing the same behavior on my systems, though with Bytecode
> 37 and 38.
>
> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag
> set
> LibClamAV Warning: [Bytecode JIT]: recovered from error
> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> LibClamAV Warning: Bytcode 37 failed to run: Unknown error code
>
> I get the same error regardless of whether I have --bytecode-timeout=0
> set or not.
>
> Anyone know what's going on?
>
> --Maarten


Re: [clamav-users] LibClamAV Warnings

2012-11-16 Thread Matt Olney
Can you attach that sample to this bug:
https://bugzilla.clamav.net/show_bug.cgi?id=6139

Or if you don't have and don't want a bugzilla account, you can zip it
up, password protect it and then send it to me.

Matt

On Fri, Nov 16, 2012 at 11:30 AM, Maarten Broekman
 wrote:
> Yep.  I have a .js file that triggers the Bytecode 37 error.  I've filed
> a bug against the CVD with it.
> Bug 6140 - Bytecode 37 failed to run: Unknown error code
>
> --Maarten
>
>> -Original Message-
>> From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-
>> boun...@lists.clamav.net] On Behalf Of Matt Olney
>> Sent: Friday, November 16, 2012 11:15 AM
>> To: ClamAV users ML
>> Subject: Re: [clamav-users] LibClamAV Warnings
>>
>> We're looking into it, guys.  Don't have an answer right now, but
>> thanks for the info.  By chance, do you have a sample that triggers
>> this behavior?
>>
>> Matt
>>
>> On Fri, Nov 16, 2012 at 11:04 AM, Maarten Broekman
>>  wrote:
>> >> -Original Message-
>> >> LibClamAV Warning: Bytecode run timed out in interpreter after
>> 765000
>> >> opcodes LibClamAV Warning: Bytcode 16 failed to run: Unknown error
>> > code
>> >> LibClamAV Warning: Bytecode runtime error at line 95, col 13
>> >> LibClamAV
>> >> Error: Opcode 45 of type 0 is not implemented yet!
>> >> LibClamAV Warning: Bytcode 16 failed to run: Invalid argument
> passed
>> > to
>> >> function
>> >>
>> >> LibClamAV Warning: Bytecode run timed out in interpreter after
>> 68
>> >> opcodes LibClamAV Warning: Bytcode 20 failed to run: Unknown error
>> > code
>> >> LibClamAV Warning: Bytecode runtime error at line 95, col 13
>> >> LibClamAV
>> >> Error: Opcode 45 of type 0 is not implemented yet!
>> >> LibClamAV Warning: Bytcode 20 failed to run: Invalid argument
> passed
>> > to
>> >> function
>> >>
>> >>
>> >> LibClamAV Warning: Bytecode run timed out in interpreter after
>> > 19255000
>> >> opcodes
>> >>
>> >> LibClamAV Warning: Bytcode 1 failed to run: Unknown error code
>> >>
>> >> LibClamAV Warning: Bytecode run timed out in interpreter after
>> >> 139 opcodes LibClamAV Warning: Bytcode 39 failed to run:
> Unknown
>> >> error
>> > code
>> >
>> > I have been seeing the same behavior on my systems, though with
>> > Bytecode
>> > 37 and 38.
>> >
>> > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout
>> > flag set LibClamAV Warning: [Bytecode JIT]: recovered from error
>> > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
>> error!
>> > LibClamAV Warning: Bytcode 37 failed to run: Unknown error code
>> >
>> > I get the same error regardless of whether I have --bytecode-
>> timeout=0
>> > set or not.
>> >
>> > Anyone know what's going on?
>> >
>> > --Maarten


Re: [clamav-users] LibClamAV Warnings

2012-11-16 Thread Matt Olney
Try now?

On Fri, Nov 16, 2012 at 11:41 AM, Maarten Broekman
 wrote:
> I have a bugzilla account but I don't have the right permissions to see
> that bug.
> You are not authorized to access bug #6139.
>
> --Maarten
>
>> -Original Message-
>> From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-
>> boun...@lists.clamav.net] On Behalf Of Matt Olney
>> Sent: Friday, November 16, 2012 11:33 AM
>> To: ClamAV users ML
>> Subject: Re: [clamav-users] LibClamAV Warnings
>>
>> Can you attach that sample to this bug:
>> https://bugzilla.clamav.net/show_bug.cgi?id=6139
>>
>> Or if you don't have and don't want a bugzilla account, you can zip it
>> up, password protect it and then send it to me.
>>
>> Matt
>>
>> On Fri, Nov 16, 2012 at 11:30 AM, Maarten Broekman
>>  wrote:
>> > Yep.  I have a .js file that triggers the Bytecode 37 error.  I've
>> > filed a bug against the CVD with it.
>> > Bug 6140 - Bytecode 37 failed to run: Unknown error code
>> >
>> > --Maarten
>> >
>> >> -Original Message-
>> >> From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-
>> >> boun...@lists.clamav.net] On Behalf Of Matt Olney
>> >> Sent: Friday, November 16, 2012 11:15 AM
>> >> To: ClamAV users ML
>> >> Subject: Re: [clamav-users] LibClamAV Warnings
>> >>
>> >> We're looking into it, guys.  Don't have an answer right now, but
>> >> thanks for the info.  By chance, do you have a sample that triggers
>> >> this behavior?
>> >>
>> >> Matt
>> >>
>> >> On Fri, Nov 16, 2012 at 11:04 AM, Maarten Broekman
>> >>  wrote:
>> >> >> -Original Message-
>> >> >> LibClamAV Warning: Bytecode run timed out in interpreter after
>> >> 765000
>> >> >> opcodes LibClamAV Warning: Bytcode 16 failed to run: Unknown
>> error
>> >> > code
>> >> >> LibClamAV Warning: Bytecode runtime error at line 95, col 13
>> >> >> LibClamAV
>> >> >> Error: Opcode 45 of type 0 is not implemented yet!
>> >> >> LibClamAV Warning: Bytcode 16 failed to run: Invalid argument
>> > passed
>> >> > to
>> >> >> function
>> >> >>
>> >> >> LibClamAV Warning: Bytecode run timed out in interpreter after
>> >> 68
>> >> >> opcodes LibClamAV Warning: Bytcode 20 failed to run: Unknown
>> error
>> >> > code
>> >> >> LibClamAV Warning: Bytecode runtime error at line 95, col 13
>> >> >> LibClamAV
>> >> >> Error: Opcode 45 of type 0 is not implemented yet!
>> >> >> LibClamAV Warning: Bytcode 20 failed to run: Invalid argument
>> > passed
>> >> > to
>> >> >> function
>> >> >>
>> >> >>
>> >> >> LibClamAV Warning: Bytecode run timed out in interpreter after
>> >> > 19255000
>> >> >> opcodes
>> >> >>
>> >> >> LibClamAV Warning: Bytcode 1 failed to run: Unknown error code
>> >> >>
>> >> >> LibClamAV Warning: Bytecode run timed out in interpreter after
>> >> >> 139 opcodes LibClamAV Warning: Bytcode 39 failed to run:
>> > Unknown
>> >> >> error
>> >> > code
>> >> >
>> >> > I have been seeing the same behavior on my systems, though with
>> >> > Bytecode
>> >> > 37 and 38.
>> >> >
>> >> > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out,
> timeout
>> >> > flag set LibClamAV Warning: [Bytecode JIT]: recovered from error
>> >> > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
>> >> error!
>> >> > LibClamAV Warning: Bytcode 37 failed to run: Unknown error code
>> >> >
>> >> > I get the same error regardless of whether I have --bytecode-
>> >> timeout=0
>> >> > set or not.
>> >> >
>> >> > Anyone know what's going on?
>> >> >
>> >> > --Maarten


Re: [clamav-users] PHP.Exploit.CVE_2011_4153-3 false positive

2012-11-20 Thread Matt Olney
Can you zip these up, password protect the zip and email them to
v...@sourcefire.com?

Matt

On Tue, Nov 20, 2012 at 4:23 AM, Anssi Johansson  wrote:
> Hi,
>
> $ clamscan php*.bz2
> php-5.4.0.tar.bz2: PHP.Exploit.CVE_2011_4153-3 FOUND
> php-5.4.1.tar.bz2: PHP.Exploit.CVE_2011_4153-3 FOUND
> php-5.4.3.tar.bz2: PHP.Exploit.CVE_2011_4153-3 FOUND
>
> $ md5sum php*.bz2
> 04bb6f9d71ea86ba05685439d50db074  php-5.4.0.tar.bz2
> 5b9529ed89dbc48c498e9693d1af3caf  php-5.4.1.tar.bz2
> 51f9488bf8682399b802c48656315cac  php-5.4.3.tar.bz2
>
> $ clamscan --version
> ClamAV 0.97.6/15602/Mon Nov 19 23:29:58 2012
>
> I tried submitting these as false positives through the FP reporting page
> some days ago, but the FP submit page said that "This file is not detected
> by ClamAV."
>
> The md5sums of those files match the md5sums published on
> http://php.net/releases/index.php


Re: [clamav-users] SourceFire support - signature file updates

2012-11-27 Thread Matt Olney
OK, there is a bit of a translation error here.  We are no longer
selling commercial support for deployments of ClamAV.  We do of course
continue to produce signatures that are available to all users of
ClamAV.

Robin, can you email me privately the name of your sales manager so I
can get in touch with him to clear this up?

Matt

On Tue, Nov 27, 2012 at 4:32 AM,   wrote:
> Hi,
>
> Our regional SourceFire sales manager has made the following statement:
>
>  I can confirm as discussed that the product (ClamAV) is now
> officially no longer supported as a product and therefore you will no
> longer receive signatures. 
>
> Can anyone clarify what this means in terms of continuing to download
> new signature files via freshclam?  Or are signature file updates to
> cease?
>
> Regards,
> Robin
>


Re: [clamav-users] SourceFire support - signature file updates

2012-11-27 Thread Matt Olney
(Dennis Peterson)++

On Tue, Nov 27, 2012 at 8:29 PM, Dennis Peterson  wrote:
> On 11/27/12 2:19 PM, Nigel Houghton wrote:
>>
>>
>> On Nov 27, 2012, at 2:17 PM, Dennis Peterson  wrote:
>>
>>> I was hoping to hear from someone higher up than a mentalist time lord.
>>
>>
>> Well, if Rassilon wasn't in a time lock he might reply, but since he is,
>> I'm it.
>
>
> It would have helped quite a lot if you had mentioned you are a demi-god.
>
> dp
>
>


Re: [clamav-users] ClamAV 0.97.7 available?

2013-03-14 Thread Matt Olney
Yeah, we could have done better on this.  I'll review the release
procedures and see if we can't improve them.  More info tomorrow, this is
just an informal note :)

Matt


On Thu, Mar 14, 2013 at 6:03 PM, Lawrence K. Chen, P.Eng. wrote:

>
>
> - Original Message -
> > On Mar 14, 2013, at 12:42 PM, "Lawrence K. Chen, P.Eng."
> >  wrote:
> >
> > > This is annoying.
> > >
> > > There was no announcement on clamav-announce of 0.97.6
> >
> > .
> >
> >
> > Sent from Janet's iPad
> >
> > -Al-
> > --
> > Al Varnell
>
> I didn't get that email.


[clamav-users] New Version of ClamAV

2013-03-20 Thread Matt Olney
Hey all,



We're currently scoping out the next version of ClamAV.  We have a number
of ideas in house, but I wanted to solicit some feedback from our users
about what you might be interested in seeing.



Before you ask, we don't have a lot of information that we're ready to
share on our end about what we're planning, so I don't want to promise
anything yet.  In general we're looking to expand the detection capability,
the engine's stability and make the system a little more usable.  As we
firm things up, we'll let you guys know more about what we're working on.



We will also be interested, as we get further down the road, in beta
testers.  I think you'll see a lot of new functionality in ClamAV and we'd
appreciate as many eyes as possible on it once we're ready to show it off.



And no, we don't have an estimated release date :)



Thanks in advance for your ideas!  Please send your ideas to this list so
we can track them.



Matt


Re: [clamav-users] New Version of ClamAV

2013-03-22 Thread Matt Olney
Spiro, a messenger has just arrived by horse.  Apparently we have released
ClamAV 0.97.7 :)

We'll do better next time :)

Matt


On Wed, Mar 20, 2013 at 8:45 PM, Spiro Harvey  wrote:

> > We're currently scoping out the next version of ClamAV.  We have a
> > number of ideas in house, but I wanted to solicit some feedback from
> > our users about what you might be interested in seeing.
>
> Timely release announcement on the mailing list.
>
> /ducks ;)
>


Re: [clamav-users] New Version of ClamAV

2013-03-22 Thread Matt Olney
Ian, if you can put more detail about your zombie issue into a bug, it
would be easier for us to deal with it.

Thanks,

Matt


On Thu, Mar 21, 2013 at 7:57 AM, Ian Eiloart  wrote:

>
> On 20 Mar 2013, at 14:35, Matt Olney  wrote:
>
> > Before you ask, we don't have a lot of information that we're ready to
> > share on our end about what we're planning, so I don't want to promise
> > anything yet.  In general we're looking to expand the detection
> capability,
> > the engine's stability and make the system a little more usable.  As we
> > firm things up, we'll let you guys know more about what we're working on.
> > ….
> > Thanks in advance for your ideas!  Please send your ideas to this list so
> > we can track them.
>
> Focus on stability and usability. I use Exim, Clam, and Spamassassin (in
> order of descending importance). I regard Exim as essential for continuity
> of service.
>
> Clam, when available, is trusted absolutely to reject emails that are a
> security threat to my network - so it's important to me that it's as
> available as possible. Unfortunately, it occasionally hangs leaving zombie
> processes that require a reboot to fix. When it's available, I want it to
> block malware attachments, but I also want it to block emails with links to
> malware, and links to phishing sites. BTW, I use Clam to scan outbound
> email, as well as inbound, in order to improve herd immunity to infections.
>
> One thing that I'd like to do with outbound email is to prevent people
> from emailing their own passwords. Something along these lines:
> https://grepular.com/Defending_Against_Spear_Phishing_with_Exim That's a
> useful tool, but it's Exim specific, and it would be neat to have clam deal
> with this.
>
> --
> Ian Eiloart
> Postmaster, University of Sussex
> +44 (0) 1273 87-3148
>


Re: [clamav-users] Memory level

2013-03-22 Thread Matt Olney
Hi Christian,

Yep, we've heard that a couple of times.  We'll do our best to address it.

Matt


On Fri, Mar 22, 2013 at 12:40 PM, Christian Salway wrote:

> In your new version, can you please consider how to run it on low memory
> systems (<512MB) for spamassassin other than direct from the command line
> which takes time to load each time it's called.
>
> Our basic internet servers we roll out to dedicated clients run on the
> Amazon EC2 micro servers and consist of mysql, postfix, dovecot, apache,
> spamassassin and clamd (disabled).  Disabled because it consumes too much
> RAM and deemed the least required because antivirus is readily available on
> desktops, tablets and phones and most clients would prefer to deal with one
> or two virus' messages than 100's of spam messages.
>
> At the moment, on the Amazon EC2 micro servers, there is 512Mb RAM
> available, of which, clamd consumes 30% if enabled, taking the RAM load
> from
> 165/512MB to 337/512MB, and that's before the server has started processing
> anything.
>
> Kind regards,
> Christian
>


Re: [clamav-users] SubmitDetectionStats error message after update

2013-03-26 Thread Matt Olney
Jerry, is this still an issue for you?  Our systems team says there was an
issue with the box but that has been resolved.

Please let us know,

Matt


On Sun, Mar 24, 2013 at 7:15 AM, Jerry  wrote:

> Ever since I updated "clamav" the other day, the "freshclam.log" has
> been filling up with the following.
>
> Sun Mar 24 06:43:43 2013 -> Received signal: wake up
> Sun Mar 24 06:43:43 2013 -> ClamAV update process started at Sun Mar 24
> 06:43:43 2013
> Sun Mar 24 06:43:43 2013 -> main.cld is up to date (version: 54, sigs:
> 1044387, f-level: 60, builder: sven)
> Sun Mar 24 06:43:43 2013 -> daily.cld is up to date (version: 16892, sigs:
> 981794, f-level: 63, builder: neo)
> Sun Mar 24 06:43:43 2013 -> bytecode.cld is up to date (version: 214,
> sigs: 41, f-level: 63, builder: neo)
> Sun Mar 24 06:44:32 2013 -> nonblock_recv: recv timing out (30 secs)
> Sun Mar 24 06:44:32 2013 -> ERROR: SubmitDetectionStats: Can't read from
> socket
>
>
> The actual setting is:
>
> SubmitDetectionStats /usr/local/etc/clamd.conf
>
> Everything was working fine until the update. Nothing was modified and
> I have tried to do a hard reboot to see if it made any difference, but
> it didn't.
>
> I welcome any suggestions.
>
> --
> Jerry ♔
>
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the Reply-To header.

Re: [clamav-users] Memory level

2013-03-26 Thread Matt Olney
Not really sure what other people are thinking. ClamAV is built into
Sourcefire's advanced malware protection product (FireAMP).  So we use it,
at least.

Matt


On Sun, Mar 24, 2013 at 10:19 AM, Benny Pedersen  wrote:

> Matt Olney wrote on 2013-03-22 18:49:
>
>
>  Yep, we've heard that a couple of times.  We'll do our best to address it.
>>
>
> being on clouds with single user clamd is waste of ram :)
>
> i find this very funny that a cloud service can't provide cloud service
> with clamd
>
> are clamd not powerful enough yet ?
>


Re: [clamav-users] http://blog.clamav.net/2013/02/resolving-issues-with-freshclam.html

2013-03-26 Thread Matt Olney
Benny,

I don't completely understand what you're saying.  Do you have an issue and
you tried the fix?  I'm not sure which URL you're talking about that says
73, so I'm sort of at a loss as to how to help you.

Matt


On Sun, Mar 24, 2013 at 10:22 AM, Benny Pedersen  wrote:

> daily.cvd is still here on 63 after doing this "fix"
>
> note that the url says 73, so is it fixed now ?


Re: [clamav-users] Memory level

2013-03-26 Thread Matt Olney
All of that is being looked at in the freshclam rewrite portion of the next
version of ClamAV.


On Tue, Mar 26, 2013 at 11:33 AM, Benny Pedersen  wrote:

> Matt Olney wrote on 2013-03-26 14:10:
>
>  Not really sure what other people are thinking. ClamAV is built into
>> Sourcefire's advanced malware protection product (FireAMP).  So we use it,
>> at least.
>>
>
> will it be opensource, with license key ?, well for now i happy with
> clamav, its good to use for stopping phishing and paypal wannabees :)
>
> what i have thinked about is that main and daily is being big files, is
> there planned to get them smaller ?, maybe with some kind of expire
> signatures ?, take in to account on 3rd party signatures that hit just once
> :(
>
> i have yet to see freshclam report stats to webpage :(
>
> if something changes i like to have main daily and one more for hits
> widely now on all freshclam reporters, that could reduce mem footprint, but
> still keep signatures for virus hitting in wild, and who wants it all can
> tell freshclam to get it all
>
> will main eventually be optional, just like safebrowsing ?
>
> one more: will clamav-milter have selective pua so it can use diff pua
> then clamd ?
>
> this will hopefully make it more possible to make pua pr recipient in
> clamav-milter
>


Re: [clamav-users] looking for Bill Landry

2013-04-04 Thread Matt Olney
Hey Paul,

You asked about the status of ClamAV supporting third party signatures.  As
far as I know there is no barrier to entry, other than an understanding of the
signature format, to creating a third-party signature set.  We always
welcome people that enhance the value of the engine by contributing
additional content.

Is there more to the question that I need to answer?

Matt


On Sun, Nov 25, 2012 at 10:19 PM, Paul Wise  wrote:

> Hi all,
>
> Bill Landry is the developer of clamav-unofficial-sigs and since I'm the
> Debian maintainer of that, I need to discuss some things with him but
> his domain inetmsg.com doesn't respond to HTTP or SMTP connections. Does
> anyone know what happened to him or if he moved to a different domain?
>
> PS: whats the status of clamav support for third-party signatures?
>
> --
> bye,
> pabs
>
> http://wiki.debian.org/PaulWise
>


Re: [clamav-users] freshclam can't download daily.cvd

2013-05-17 Thread Matt Olney
Please review the information here and let us know if this addresses your
problem:

http://blog.clamav.net/2013/02/resolving-issues-with-freshclam.html

I'll get with the appropriate person and see if updating the mirror-problem
page is appropriate.

Matt


On Fri, May 17, 2013 at 10:32 AM, Cedric Knight  wrote:

> Hello
>
> Running clamav 0.97.6 and then 0.97.8 on a Debian squeeze server, since 14
> Feb this year freshclam has been consistently failing with
>
>  ERROR: getpatch: Can't download daily-16682.cdiff from
> database.clamav.net
>  WARNING: Incremental update failed, trying to download daily.cvd
>  ...
>  Ignoring mirror 217.135.32.99 (has connected too many times with an
> outdated version)
>  ERROR: Can't download daily.cvd from database.clamav.net
>  Giving up on database.clamav.net...
>  Update failed. Your network may be down or none of the mirrors listed in
> /etc/clamav/freshclam.conf is working. Check
> http://www.clamav.net/support/mirror-problem for
>  possible reasons.
>
> One solution (delete daily.cvd and run freshclam again) has been covered
> here on 15 Feb  com/lists/clamav/users/57663#**57663>.
> However, that solution is not necessarily obvious, and there is other
> advice out there such as reducing number of Checks per day to less than 6
> and waiting at least 24 hours  viewtopic.php?f=5&t=97058>,
> which didn't work for me.  (The upgrade to 0.97.8 also reduced Checks to 3.)
>
> Another solution that I found was setting a HTTPProxyServer and
> HTTPProxyPort in freshclam.conf.  So are the mirrors blocking the IPv4
> address used by my freshclam?  And if so, why, is there any way to remove
> the block, and why is the restriction only enforced when the old daily.cvd
> is present?
>
> I'm wondering how many ClamAV installations there might be out there which
> are "stuck on updates prior to daily.cvd version
> 16685" months later, without the owners even knowing.  The updates usually
> work very nicely thank you, and the errors may not get noticed.
>
> Could this be fixed by an update to the freshclam client, or perhaps to
> the mirrors?  At least could http://www.clamav.net/support/mirror-problem
> be updated to reflect this?
>
> Thanks
>
> CK
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
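
The failure described in the message above, where freshclam errors go unnoticed and daily.cvd stays stuck for months, can be caught by checking freshclam.log for databases that have not been confirmed current recently. The Python check below is an added example, not part of the thread or of ClamAV; the log lines are constructed in the format quoted in this archive, and the function names and the age threshold are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample in the "<timestamp> -> <message>" freshclam.log format
# quoted in this archive. Dates, versions and signature counts are made up.
SAMPLE_LOG = """\
Wed Feb 13 03:00:01 2013 -> ClamAV update process started at Wed Feb 13 03:00:01 2013
Wed Feb 13 03:00:01 2013 -> main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Wed Feb 13 03:00:02 2013 -> daily.cvd is up to date (version: 16681, sigs: 900000, f-level: 63, builder: neo)
Thu Feb 14 03:00:01 2013 -> ClamAV update process started at Thu Feb 14 03:00:01 2013
Thu Feb 14 03:00:01 2013 -> main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Thu Feb 14 03:00:05 2013 -> ERROR: getpatch: Can't download daily-16682.cdiff from database.clamav.net
Thu Feb 14 03:00:05 2013 -> WARNING: Incremental update failed, trying to download daily.cvd
Thu Feb 14 03:00:09 2013 -> ERROR: Can't download daily.cvd from database.clamav.net
Thu Feb 14 03:00:09 2013 -> Giving up on database.clamav.net...
Fri Feb 15 03:00:01 2013 -> ClamAV update process started at Fri Feb 15 03:00:01 2013
Fri Feb 15 03:00:01 2013 -> main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Fri Feb 15 03:00:05 2013 -> ERROR: getpatch: Can't download daily-16682.cdiff from database.clamav.net
Fri Feb 15 03:00:09 2013 -> ERROR: Can't download daily.cvd from database.clamav.net
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> (?P<msg>.*)$")
# "is up to date" appears in the thread; "updated" is what freshclam logs
# after a successful download.
OK_RE = re.compile(
    r"^(?P<db>\w+)\.c[vl]d (?:is up to date|updated) \(version: (?P<ver>\d+)")
# Matches both the cdiff and the full-database download errors.
ERR_RE = re.compile(
    r"^ERROR: (?:getpatch: )?Can't download (?P<db>[a-z]+)[-.]")


@dataclass
class DbState:
    last_ok: Optional[datetime] = None   # last time the db was confirmed current
    version: Optional[int] = None        # version reported at that time
    failed_runs: int = 0                 # update runs with errors since last_ok
    last_error: Optional[str] = None
    err_run: int = -1                    # run number of the last counted error


@dataclass
class Finding:
    db: str
    version: Optional[int]
    age: Optional[timedelta]
    failed_runs: int
    last_error: Optional[str]


def parse_freshclam_log(text: str) -> Dict[str, DbState]:
    """Track, per database, the last confirmed-current time and later failures."""
    states: Dict[str, DbState] = {}
    run = 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        msg = m["msg"]
        if msg.startswith("ClamAV update process started"):
            run += 1
            continue
        ok = OK_RE.match(msg)
        if ok:
            st = states.setdefault(ok["db"], DbState())
            st.last_ok, st.version = ts, int(ok["ver"])
            st.failed_runs, st.last_error = 0, None
            continue
        err = ERR_RE.match(msg)
        if err:
            st = states.setdefault(err["db"], DbState())
            if st.err_run != run:        # count each failing run once
                st.failed_runs += 1
                st.err_run = run
            st.last_error = msg
    return states


def stale_databases(states: Dict[str, DbState], now: datetime,
                    max_age: timedelta) -> List[Finding]:
    """Return databases never confirmed current, or not within max_age."""
    findings = []
    for db in sorted(states):
        st = states[db]
        age = None if st.last_ok is None else now - st.last_ok
        if age is None or age > max_age:
            findings.append(
                Finding(db, st.version, age, st.failed_runs, st.last_error))
    return findings


if __name__ == "__main__":
    now = datetime(2013, 2, 16, 12, 0)   # constructed "current time"
    for f in stale_databases(parse_freshclam_log(SAMPLE_LOG), now,
                             timedelta(days=2)):
        print(f"{f.db}: stuck at version {f.version}, last confirmed "
              f"{f.age} ago, {f.failed_runs} failed run(s): {f.last_error}")
```

On the sample, main is still reported as current while daily is flagged, which is the situation that lets the errors go unnoticed.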


Re: [clamav-users] news: Cisco Announces Agreement to Acquire Sourcefire

2013-07-25 Thread Matt Olney
What exactly did you need to know re: database types?  The format for the
signatures is detailed, per database type, in this document:

http://www.clamav.net/doc/latest/signatures.pdf

Matt


On Thu, Jul 25, 2013 at 2:11 PM, Benny Pedersen  wrote:

> Greg Folkert wrote on 2013-07-25 16:45:
>
>  > http://blog.clamav.net/2013/07/a-continued-commitment-to-open-source.html
>>>
>>> > Hopefully this will help out :)
>>> Time will tell.
>>> paul
>>>
>>
>> Wow, that was a *MUCH* better and much more simple response than I was
>> going to do... and passed on making.
>>
>> Time will tell and one can hope.
>>
>
> me to :)
>
> i cant find docs on database types or how to create pua category :(
>


Re: [clamav-users] clamd taking too long to restart?

2013-08-13 Thread Matt Olney
So what qualifies as a kitchen sink-load?

Matt


On Tue, Aug 13, 2013 at 11:25 PM, Vincent Fox  wrote:

> Hi,
>
> Previously I was using a short list of signatures and startup time of 30
> seconds
> which was acceptable.  Well it didn't get noticed much.
>
> However recently I added a kitchen sink of extra databases like winnow etc.
> Now startup time is 2.5 minutes, which becomes noticeable.
>
> Any way to ameliorate this?
>
>


Re: [clamav-users] clamd taking too long to restart?

2013-08-13 Thread Matt Olney
OK...I'll do some testing tomorrow and see if we can't come up with some
information for you.

Matt


On Wed, Aug 14, 2013 at 12:12 AM, Vincent Fox  wrote:

> On 8/13/2013 8:49 PM, Matt Olney wrote:
>
>> So what qualifies as a kitchen sink-load?
>>
>>
>>  Most everything that SaneSecurity hosts that is low or medium risk:
>
> ss_dbs="
>blurl.ndb
>bofhland_cracked_URL.ndb
>bofhland_malware_URL.ndb
>bofhland_phishing_URL.ndb
>bofhland_malware_attach.hdb
>crdfam.clamav.hdb
>junk.ndb
>jurlbl.ndb
>jurlbla.ndb
>lott.ndb
>phish.ndb
>phishtank.ndb
>porcupine.ndb
>rogue.hdb
>sanesecurity.ftm
>sigwhitelist.ign2
>scam.ndb
>scamnailer.ndb
>spam.ldb
>spamimg.hdb
>spamattach.hdb
>spear.ndb
>spearl.ndb
>winnow.attachments.hdb
>winnow_bad_cw.hdb
>winnow.complex.patterns.ldb
>winnow_extended_malware.hdb
>winnow_extended_malware_links.ndb
>winnow_malware.hdb
>winnow_malware_links.ndb
>winnow_phish_complete_url.ndb
>winnow_spam_complete.ndb
> "
> si_dbs="
>securiteinfoelf.hdb
>securiteinfosh.hdb
>securiteinfopdf.hdb
>securiteinfooffice.hdb
>securiteinfohtml.hdb
>securiteinfodos.hdb
>securiteinfobat.hdb
>securiteinfo.hdb
> "
> mbl_dbs="
>mbl.ndb
> "
>
> My mail routers are VM's and not the fastest things around but neither
> are they 486's pulled from a scrap heap:
>
> [root@msa3 etc]# grep name /proc/cpuinfo
> model name  : Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
> model name  : Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
> model name  : Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
> model name  : Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
> [root@msa3 etc]# grep MemTotal /proc/mem*
> MemTotal:8057768 kB
>
>
>


Re: [clamav-users] clamd taking too long to restart?

2013-08-14 Thread Matt Olney
OK, we've been able to reproduce the problem and it is, as you all
suspected, revolving around the www. matching.  I've asked one of the
developers to look at it, and we should be able to provide some
best-practice guidelines on how to construct rules to avoid this situation.
We'll also review if code changes are appropriate, but given how the tree
operates, I don't immediately expect that to be the case.

Matt


Re: [clamav-users] clamd taking too long to restart?

2013-08-14 Thread Matt Olney
Nope.  0.98 is getting patches applied to it and will then move to QA &
regression and finally to release engineering.  There is a lot going on in
0.98, and we'll have more information once we finalize a build.

Matt


On Wed, Aug 14, 2013 at 5:03 PM, A K Varnell  wrote:

> On Aug 14, 2013, at 1:54 PM, Joel Esler  wrote:
> > On Aug 14, 2013, at 2:34 PM, Steve Basford <
> steveb_cla...@sanesecurity.com> wrote:
> >
> >>> We'll also review if code changes are appropriate, but given how the
> tree
> >>> operates, I don't immediately expect that to be the case.
> >>
> >> Out of interest are there any "roadmaps"/future improvements for ClamAV
> >> that are being discussed, as the last changelog update was May (before
> the
> >> takeover)?
> >
> > Steve,
> >
> > Just to clarify, at this time we’ve just announced Cisco acquiring
> Sourcefire.  It takes time for the deal to be approved and go through.
> >
> > I’ll let Matt speak to the specifics of the roadmap.
>
> So I gather the 0.98 release that was announced back in February is in a
> holding pattern pending final approval once the Cisco acquisition has been
> approved and their processes put into place?
>
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
>
>
>


Re: [clamav-users] clamd taking too long to restart?

2013-08-15 Thread Matt Olney
This is actually really good data.  Thanks for taking the time out to
evaluate these files.

First, have you modified bofhland_cracked_URL.ndb at all?  I'm getting 20+
seconds to load that.

On the flip side, I'm getting sub-second loading times for
winnow_phish_complete.ndb, winnow_phish_complete_url.ndb and phish.ndb.
 I'm running this on a beefy macbook pro with 16Gb of RAM, so I'm not sure
if that helps or not in this particular case.

Scamnailer is a little longer at 1.5 seconds.

But, if I were guessing, the pattern for "http://";  for winnow_phish.  for
phish.ndb, it looks like a lot of sigs in the form
PK{WILDCARD_ANY_STRING(LENGTH==28)}  Which would demonstrate the same
behavior.

We'll have to do more checking on scamnailer.  There is a ton of alternating
patterns, and really no repeating static contents that I can see in a
cursory glance.  We'll check it out and get more information.

Again, thanks for the data, we'll keep it in mind as we work on coming
versions.

Matt




On Thu, Aug 15, 2013 at 7:45 AM, Steve Basford <
steveb_cla...@sanesecurity.com> wrote:

>
> >
> >> I've done some analysis of ClamAV with just this signature set, and the
> >> loading is simply slowing down as it runs through the list.
>
> * Third Party dbs *
>
> Hi,
>
> While looking into the database loading time issue, thought it might be
> an idea to quickly scan the same "small" file with each database, just to
> see what scanning time each database took and the amount of memory the
> *single* database used.
>
> When using multiple db's it's not the whole story... but just in case it's
> useful
>
> bofhland_cracked_URL.ndb: Time: 6.593 sec
> bofhland_cracked_URL.ndb: Memory: 29.777 MB
>
> bofhland_malware_attach.hdb: Time: 0.047 sec
> bofhland_malware_attach.hdb: Memory: 4.331 MB
>
> bofhland_malware_URL.ndb: Time: 0.125 sec
> bofhland_malware_URL.ndb: Memory: 7.816 MB
>
> bofhland_phishing_URL.ndb: Time: 0.047 sec
> bofhland_phishing_URL.ndb: Memory: 4.741 MB
>
> crdfam.clamav.hdb: Time: 0.062 sec
> crdfam.clamav.hdb: Memory: 5.046 MB
>
> foxhole_all.ccdb: Time: 0.046 sec
> foxhole_all.cdb: Memory: 4.308 MB
>
> foxhole_filename.ccdb: Time: 0.047 sec
> foxhole_filename.cdb: Memory: 4.308 MB
>
> foxhole_generic.ccdb: Time: 0.047 sec
> foxhole_generic.cdb: Memory: 4.312 MB
>
> junk.ndb: Time: 0.860 sec
> junk.ndb: Memory: 18.866 MB
>
> jurlbl.ndb: Time: 0.078 sec
> jurlbl.ndb: Memory: 5.281 MB
>
> jurlbla.ndb: Time: 0.125 sec
> jurlbla.ndb: Memory: 6.386 MB
>
> lott.ndb: Time: 0.078 sec
> lott.ndb: Memory: 5.206 MB
>
> phish.ndb: Time: 2.390 sec
> phish.ndb: Memory: 14.546 MB
>
> phishtank.ndb: Time: 0.157 sec
> phishtank.ndb: Memory: 5.699 MB
>
> porcupine.ndb: Time: 0.078 sec
> porcupine.ndb: Memory: 5.898 MB
>
> rogue.hdb: Time: 0.047 sec
> rogue.hdb: Memory: 4.652 MB
>
> scam.ndb: Time: 0.407 sec
> scam.ndb: Memory: 11.585 MB
>
> scamnailer.ndb: Time: 4.609 sec
> scamnailer.ndb: Memory: 22.085 MB
>
> spam.lcdb: Time: 0.047 sec
> spam.ldb: Memory: 4.515 MB
>
> spamattach.hdb: Time: 0.047 sec
> spamattach.hdb: Memory: 4.308 MB
>
> spamimg.hdb: Time: 0.047 sec
> spamimg.hdb: Memory: 4.398 MB
>
> spear.ndb: Time: 0.610 sec
> spear.ndb: Memory: 12.140 MB
>
> spearl.ndb: Time: 0.063 sec
> spearl.ndb: Memory: 5.089 MB
>
> winnow.attachments.hdb: Time: 0.047 sec
> winnow.attachments.hdb: Memory: 4.370 MB
>
> winnow.complex.patterns.lcdb: Time: 0.047 sec
> winnow.complex.patterns.ldb: Memory: 4.320 MB
>
> winnow_bad_cw.hdb: Time: 0.046 sec
> winnow_bad_cw.hdb: Memory: 4.308 MB
>
> winnow_extended_malware.hdb: Time: 0.109 sec
> winnow_extended_malware.hdb: Memory: 7.413 MB
>
> winnow_extended_malware_links.ndb: Time: 0.046 sec
> winnow_extended_malware_links.ndb: Memory: 4.308 MB
>
> winnow_malware.hdb: Time: 0.110 sec
> winnow_malware.hdb: Memory: 7.777 MB
>
> winnow_malware_links.ndb: Time: 0.125 sec
> winnow_malware_links.ndb: Memory: 7.128 MB
>
> winnow_phish_complete.ndb: Time: 4.907 sec
> winnow_phish_complete.ndb: Memory: 7.577 MB
>
> winnow_phish_complete_url.ndb: Time: 4.922 sec
> winnow_phish_complete_url.ndb: Memory: 7.577 MB
>
> winnow_spam_complete.ndb: Time: 0.125 sec
> winnow_spam_complete.ndb: Memory: 7.097 MB
>
>
> Cheers,
>
> Steve
> Sanesecurity
>


Re: [clamav-users] Compilation failed for ClamAV 0.98 on AIX 6.1

2013-09-25 Thread Matt Olney
Added information to bug
https://bugzilla.clamav.net/show_bug.cgi?id=8993 in case the failures
are related.  We'll provide info here when we resolve the issues.


On Wed, Sep 25, 2013 at 8:34 AM, ANANT S ATHAVALE  wrote:

> Dear List,
>
> Compilation of ClamAV 0.98 fails on AIX 6.1 with gcc 4.2.0.
>
> make  all-recursive
> Making all in libltdl
> cp ./argz_.h argz.h-t
> mv argz.h-t argz.h
> make  all-am
>   CC dlopen.lo
>   CCLD   dlopen.la
>   CC libltdlc_la-preopen.lo
>   CC libltdlc_la-lt__alloc.lo
>   CC libltdlc_la-lt_dlloader.lo
>   CC libltdlc_la-lt_error.lo
>   CC libltdlc_la-ltdl.lo
>   CC libltdlc_la-slist.lo
>   CC argz.lo
>   CC lt__strl.lo
>   CCLD   libltdlc.la
> Target "all-am" is up to date.
> Making all in libclamav
> make  all-recursive
>   CC libclamav_la-matcher-ac.lo
>   CC libclamav_la-matcher-bm.lo
>   CC libclamav_la-matcher-hash.lo
>   CC libclamav_la-matcher.lo
>   CC libclamav_la-others.lo
> In file included from others.c:60:
> clamav.h:32:1: warning: "STAT" redefined
> In file included from /usr/include/dirent.h:35,
>  from others.c:36:
> /usr/include/sys/dir.h:270:1: warning: this is the location of the previous
> definition
>   CC libclamav_la-readdb.lo
> In file included from readdb.c:42:
> clamav.h:32:1: warning: "STAT" redefined
> In file included from /usr/include/dirent.h:35,
>  from readdb.c:32:
> /usr/include/sys/dir.h:270:1: warning: this is the location of the previous
> definition
>   CC libclamav_la-cvd.lo
>   CC libclamav_la-dsig.lo
>   CC libclamav_la-scanners.lo
> In file included from scanners.c:51:
> clamav.h:32:1: warning: "STAT" redefined
> In file included from /usr/include/dirent.h:35,
>  from scanners.c:41:
> /usr/include/sys/dir.h:270:1: warning: this is the location of the previous
> definition
>   CC libclamav_la-textdet.lo
>   CC libclamav_la-filetypes.lo
>   CC libclamav_la-rtf.lo
>   CC libclamav_la-blob.lo
>   CC libclamav_la-mbox.lo
> mbox.c: In function 'rfc1341':
> mbox.c:2816: error: called object '1' is not a function
> make: 1254-004 The error code from the last command is 1.
>
> Stop.
> make: 1254-004 The error code from the last command is 1.
>
> Stop.
> make: 1254-004 The error code from the last command is 2.
>
> Stop.
> make: 1254-004 The error code from the last command is 1.
>
> Stop.
> make: 1254-004 The error code from the last command is 2.
>
> Stop.
>
> Any hints to resolve this issue?
>
> The same gcc was used to compile 0.97.8 and it had worked.
> --
>   Regards
>Anant