Re: [Clamav-users] VIRUS? PHISH? "Western Union Transfer MTCN: 0258258718"

2009-05-12 Thread Tom Shaw
At 10:04 AM -0400 5/12/09, Charles Gregory wrote:
>Greetings!
>
>Received the following e-mail that looks like a phishing attempt,
>with an attached zipped .exe file ...
>
>I've saved the file to:
>  http://www.hwcn.org/~cgregory/virus/MTCN_INVOICE.zip
>
>I don't have the facilities to test anything, but just the fact
>that it is an attached exe in an obvious phish makes me wonder
>if this is a brand new virus (or clever scheme that should still
>be trapped)?
>
>So if someone can test/analyse the above file (it tests clean
>with this morning's clamscan), I would be interested in how it
>does its 'thing'
>
>- Charles

Charles,

It's a Zbot Trojan. You can check by sending to s...@virustotal.com 
with the word SCAN as the subject and attach the suspected malware. 
virustotal will forward to AV vendors including ClamAV.

If you want, you can forward to virus-samp...@oitc.com and we'll make 
a temporary signature for it until ClamAV folks build an analyzed 
signature. These signatures are contained in winnow_malware.hdb 
distributed along with the sanesecurity sigs.

We have submitted this one to ClamAV and built a temporary signature for it.

Tom

Complete scanning result of "MTCN_INVOICE.exe", processed in 
VirusTotal at 05/12/2009 16:28:26 (CET).

[ file data ]
* name..: MTCN_INVOICE.exe
* size..: 91136
* md5...: e359b56297b6ab3fdde471a0eef79871
* sha1..: 05d3c96587011102685aaf4a6e5072f3bb539cdc
* peid..: -

[ scan result ]
a-squared          4.0.0.101/20090512        found [Trojan-Spy.Win32.Zbot!IK]
AhnLab-V3          5.0.0.2/20090512          found nothing
AntiVir            7.9.0.166/20090512        found [TR/Spy.ZBot.hab]
Antiy-AVL          2.0.3.1/20090512          found nothing
Authentium         5.1.2.4/20090512          found [W32/Zbot.YI]
Avast              4.8.1335.0/20090511       found nothing
AVG                8.5.0.327/20090512        found nothing
BitDefender        7.2/20090512              found [Trojan.Spy.Zbot.TP]
CAT-QuickHeal      10.00/20090512            found [(Suspicious) - DNAScan]
ClamAV             0.94.1/20090512           found nothing
Comodo             1157/20090508             found nothing
DrWeb              5.0.0.12182/20090512      found nothing
eSafe              7.0.17.0/20090512         found [Suspicious File]
eTrust-Vet         31.6.6501/20090512        found [Win32/Kollah.AIF]
F-Prot             4.4.4.56/20090512         found [W32/Zbot.YI]
F-Secure           8.0.14470.0/20090512      found [Trojan-Spy:W32/Zbot.OTC]
Fortinet           3.117.0.0/20090512        found nothing
GData              19/20090512               found [Trojan.Spy.Zbot.TP]
Ikarus             T3.1.1.49.0/20090512      found [Trojan-Spy.Win32.Zbot]
K7AntiVirus        7.10.732/20090511         found nothing
Kaspersky          7.0.0.125/20090512        found [Trojan-Spy.Win32.Zbot.tmu]
McAfee             5612/20090511             found nothing
McAfee+Artemis     5612/20090511             found [Artemis!E359B56297B6]
McAfee-GW-Edition  6.7.6/20090512            found [Trojan.Spy.ZBot.hab]
Microsoft          1.4602/20090512           found [PWS:Win32/Zbot.M]
NOD32              4068/20090512             found [Win32/Spy.Zbot.NJ]
Norman             6.01.05/20090512          found nothing
nProtect           2009.1.8.0/20090512       found nothing
Panda              10.0.0.14/20090511        found [Suspicious file]
PCTools            4.4.2.0/20090507          found nothing
Prevx              3.0/20090512              found nothing
Rising             21.29.14.00/20090512      found nothing
Sophos             4.41.0/20090512           found [Troj/Agent-JUZ]
Sunbelt            3.2.1858.2/20090512       found [BehavesLike.Win32.Malware (v)]
Symantec           1.4.4.12/20090512         found [Infostealer.Banker.C]
TheHacker          6.3.4.1.324/20090509      found nothing
TrendMicro         8.950.0.1092/20090512     found nothing
VBA32              3.12.10.4/20090512        found nothing
ViRobot            2009.5.12.1731/20090512   found nothing
VirusBuster        4.6.5.0/20090511          found nothing

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] freshclam permissions on database directory

2009-06-11 Thread Tom Shaw
At 10:07 AM +1000 6/11/09, Ian Cheong wrote:
>I've just done a clean (previous uninstall) default (configure;make;install
>with no options) install of clamAV0.95.2 on MacOS10.5.7. Running freshclam
>generates the following errors.
>
>ERROR: chdir_tmp: Can't create directory
>./clamav-f6cd08cec8c72896e10b38ef34215214
>WARNING: Incremental update failed, trying to download daily.cvd
>ERROR: getfile: Can't create new file
>/usr/local/share/clamav/clamav-6fbf53c3126704c0b95f1b04f7d580ea in
>/usr/local/share/clamav
>Hint: The database directory must be writable for UID 501 (me) or GID 501
>(admin users)
>
>Default permission on database:
>drwxrwxr-x   4 _clamav  _clamav   136 11 Jun 08:24 clamav
>
>Freshclam.conf:  DatabaseOwner _clamav
>
>I can easily make the error go away by giving me or everyone rw permissions
>on the clamav database directory. I note this error in various fora at least
>for MacOS and Windows.
>
>My question is:
>What is the ideal secure solution for freshclam and clamav database
>permissions?

What user/group is freshclam running as? Using 0.95.1 on 10.5.7, I 
use a periodic launchd which runs freshclam as _clamav:_clamav and it 
runs with no issues.

Tom


Re: [Clamav-users] freshclam permissions on database directory

2009-06-11 Thread Tom Shaw
At 7:03 AM -0700 6/11/09, Dennis Peterson wrote:
>Ian Cheong wrote:
>>  I've just done a clean (previous uninstall) default (configure;make;install
>>  with no options) install of clamAV0.95.2 on MacOS10.5.7. Running freshclam
>>  generates the following errors.
>>
>>  ERROR: chdir_tmp: Can't create directory
>>  ./clamav-f6cd08cec8c72896e10b38ef34215214
>>  WARNING: Incremental update failed, trying to download daily.cvd
>>  ERROR: getfile: Can't create new file
>>  /usr/local/share/clamav/clamav-6fbf53c3126704c0b95f1b04f7d580ea in
>>  /usr/local/share/clamav
>>  Hint: The database directory must be writable for UID 501 (me) or GID 501
>>  (admin users)
>>
>>  Default permission on database:
>>  drwxrwxr-x   4 _clamav  _clamav   136 11 Jun 08:24 clamav
>>
>>  Freshclam.conf:  DatabaseOwner _clamav
>>
>>  I can easily make the error go away by giving me or everyone rw permissions
>>  on the clamav database directory. I note this error in various fora at least
>>  for MacOS and Windows.
>>
>>  My question is:
>>  What is the ideal secure solution for freshclam and clamav database
>>  permissions?
>>
>
>This is a concepts issue. Maintaining the signatures is not a user space
>operation. Freshclam is designed to either run automatically (as daemon) as a
>designated unprivileged user, or as a cron process run as root or as the
>designated user. As a daemon it can be started by root or the designated user.
>That designated user is the only user that requires write access to the
>signature directory. For security the designated user is the only user that
>*should* have write access to the signature directory and files. Otherwise any
>clever malware would be able to delete those signatures. It can also be messy
>to manage permissions on files that all people have write access to given the
>wide range of umask possibilities each user can have.
>
>If it is expected that the ClamAV clamscan scanner be used by end users then
>the signature files need to be readable by all. This is because clamscan, run
>as an end user, needs to read the signatures. If it is expected that clamdscan
>is used by the end users then the signatures directory and files need be
>readable only by the clamd user, presumably _clamav:_clamav, and the users will
>need to be trained in how to submit files to clamd for testing. It is assumed
>that user _clamav will not necessarily have read access to all files on a
>system and so there are work-arounds.
>
>My solution is as follows:
>
>drwxr-xr-x   4 _clamav  _clamav   136 11 Jun 08:24 clamav
>-rw-r--r--   1 _clamav  _clamav  47079936  6 Jun 09:17 main.cld
>-rw-r--r--   1 _clamav  _clamav  1740800  10 Jun 12:14 daily.cld
>
>Freshclam is run as a cron process by user root, clamd is started by root in
>an init script on startup and maintained by a daemon watch tool I wrote.
>
>Any user has executable permissions on clamscan, clamdscan, and sigtool. The
>clamd socket is read/write by all users.

Under OSX you should not run freshclam as a daemon but as a periodic 
process run by launchd as _clamav:_clamav. Likewise for clamd. This 
allows for automatic process restart by launchd if there is a problem 
(for example the bug that caused 0.94.2 to randomly crash using 
unofficials on some systems). Using launchd rather than startup 
scripts or cron jobs is much cleaner under OSX.

As for DB I agree that the files should be _clamav:_clamav -rw-r--r--

Tom
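An added check, not code from the thread or from ClamAV, that audits a signature directory against the layout Dennis and Tom settle on above: everything owned by the freshclam user, writable by that owner only, and world-readable when end users run clamscan (the clamdscan-only case drops that last requirement). The directory path and owner are parameters; the defaults in the main block (/usr/local/share/clamav, _clamav) are the values quoted in the thread, and build_sample_db() constructs a throwaway fixture for trying it out.

```python
import os
import pwd
import stat
import tempfile

def _expected_uid(owner):
    """Accept a user name (looked up in the passwd database) or a numeric uid."""
    return owner if isinstance(owner, int) else pwd.getpwnam(owner).pw_uid

def _check_entry(what, path, st, uid, problems):
    """Ownership and write-bit rules shared by the directory and its files."""
    if st.st_uid != uid:
        problems.append("%s %s is owned by uid %d, expected uid %d"
                        % (what, path, st.st_uid, uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Dennis's point: any other account, or malware running as one,
        # could then delete or replace the signatures.
        problems.append("%s %s is writable by group or others (mode %o)"
                        % (what, path, stat.S_IMODE(st.st_mode)))

def audit_clamav_db(db_dir, owner, end_users_run_clamscan=True):
    """Return a list of problems; an empty list means the layout matches the
    thread's recommendation.  With end_users_run_clamscan=False the
    world-readable requirement is dropped (the clamdscan-only setup)."""
    uid = _expected_uid(owner)
    problems = []
    st = os.stat(db_dir)
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % db_dir]
    _check_entry("directory", db_dir, st, uid, problems)
    if end_users_run_clamscan and not (st.st_mode & stat.S_IROTH
                                       and st.st_mode & stat.S_IXOTH):
        problems.append("directory %s is not world-readable/searchable; "
                        "clamscan run by an end user cannot open it" % db_dir)
    for name in sorted(os.listdir(db_dir)):
        path = os.path.join(db_dir, name)
        fst = os.lstat(path)
        if not stat.S_ISREG(fst.st_mode):
            # Subdirectories (e.g. freshclam's clamav-<hash> temp dir) and
            # symlinks are not part of the layout being checked.
            continue
        _check_entry("file", path, fst, uid, problems)
        if end_users_run_clamscan and not fst.st_mode & stat.S_IROTH:
            problems.append("file %s is not world-readable; clamscan run by "
                            "an end user cannot load it" % path)
    return problems

def build_sample_db():
    """Constructed fixture, not a real ClamAV directory: a temporary directory
    laid out as Dennis shows (0755 directory, 0644 main.cld and daily.cld),
    owned by the current user."""
    d = tempfile.mkdtemp(prefix="clamav-db-")
    for name in ("main.cld", "daily.cld"):
        path = os.path.join(d, name)
        open(path, "w").close()
        os.chmod(path, 0o644)
    os.chmod(d, 0o755)
    return d

if __name__ == "__main__":
    import sys
    db_dir = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/share/clamav"
    owner = sys.argv[2] if len(sys.argv) > 2 else "_clamav"
    found = audit_clamav_db(db_dir, owner)
    for problem in found:
        print("WARN:", problem)
    sys.exit(1 if found else 0)
```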



Re: [Clamav-users] freshclam permissions on database directory

2009-06-11 Thread Tom Shaw
At 7:24 AM -0700 6/11/09, Dennis Peterson wrote:
>Tom Shaw wrote:
>
>>
>>  Under OSX you should not run freshclam as a daemon but as a periodic
>>  process run by launchd as _clamav:_clamav. Likewise for clamd. This
>>  allows for automatic process restart by launchd if there is a problem
>>  (for example the bug that caused 0.94.2 to randomly crash using
>>  unofficials on some systems). Using launchd rather than startup
>>  scripts or cron jobs is much cleaner under OSX.
>
>That is another option but certainly not a requirement of ClamAV, OS X, or
>launchd. Writing clean plist files is not necessarily a common skill. Some
>launchd info: http://www.afp548.com/article.php?story=20050620071558293,
>http://developer.apple.com/macosx/launchd.html
>
>There's more than one way to do it.

I agree. Did not mean to indicate that it was a requirement but, to 
me at least, it is a lot simpler to fill out two simple plists and 
let launchd do the heavy lifting than writing startup scripts and 
writing and maintaining a daemon monitor.

That said there are almost always multiple ways to get to the same result.

Tom



Re: [Clamav-users] ClamAV update auf 0.95.2

2009-06-18 Thread Tom Shaw
At 1:35 AM +0200 6/18/09, Udo Stifter wrote:
>Hello,
>
>At the moment I am using ClamAV 0.95.1 on my PowerMac G4 (933 MHz, 
>1.25 GB SDRAM, Mac OS X 10.4.11).
>For a few days now freshclam has been reporting the following errors:
>--
>ClamAV update process started at Wed Jun 17 21:45:00 2009
>WARNING: Your ClamAV installation is OUTDATED!
>WARNING: Local version: 0.95.1 Recommended version: 0.95.2
>DON'T PANIC! Read http://www.clamav.net/support/faq
>main.cld is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
>Downloading daily-9466.cdiff [100%]
>ERROR: chdir_tmp: Can't create directory ./clamav-f2e7533e176a61f5a916c398ddacf497
>WARNING: Incremental update failed, trying to download daily.cvd
>Downloading daily.cvd [100%]
>daily.cvd updated (version: 9478, sigs: 30118, f-level: 43, builder: ccordes)
>WARNING: Your ClamAV installation is OUTDATED!
>WARNING: Current functionality level = 42, recommended = 43
>DON'T PANIC! Read http://www.clamav.net/support/faq
>Database updated (575153 signatures) from database.clamav.net (IP: 130.59.10.36)
>Clamd successfully notified about the update.
>
>Unfortunately the website http://www.clamav.net/support/faq is not 
>really helpful for me.
>Who can help me carry out the update on my PowerMac?

Udo,

Where did you get the install for clamav on the Mac? If you created it 
yourself just rebuild using the newer revision. If you got it from 
somewhere else (fink, macports, etc) just go back to that repository. 
You can also get an OSX install using ClamAV default configuration at 
http://www.oitc.com/ctw/clamav This will take care of the warning 
"Your ClamAV installation is OUTDATED!"

However, the "ERROR: chdir_tmp: Can't create directory" indicates your 
install has permissions problems.

Tom


Re: [Clamav-users] ClamAV update auf 0.95.2

2009-06-20 Thread Tom Shaw
At 10:26 PM +0200 6/20/09, Udo Stifter wrote:
>On 2009-06-18 10:04, Tom Shaw wrote:
>
>  > At 1:35 AM +0200 6/18/09, Udo Stifter wrote:
>  > >Hello,
>  > >
>  > >At the moment I am using ClamAV 0.95.1 on my PowerMac G4 (933 MHz,
>  > >1.25 GB SDRAM, Mac OS X 10.4.11).
>  > >For a few days now freshclam has been reporting the following errors:
>  > >--
>  > >ClamAV update process started at Wed Jun 17 21:45:00 2009
>  > >WARNING: Your ClamAV installation is OUTDATED!
>  > >WARNING: Local version: 0.95.1 Recommended version: 0.95.2
>  > >DON'T PANIC! Read http://www.clamav.net/support/faq
>  > >main.cld is up to date (version: 51, sigs: 545035, f-level: 42,
>  > >builder: sven)
>  > >Downloading daily-9466.cdiff [100%]
>  > >ERROR: chdir_tmp: Can't create directory ./clamav-
>  > >f2e7533e176a61f5a916c398ddacf497
>  > >WARNING: Incremental update failed, trying to download daily.cvd
>  > >Downloading daily.cvd [100%]
>  > >daily.cvd updated (version: 9478, sigs: 30118, f-level: 43, builder:
>  > >ccordes)
>  > >WARNING: Your ClamAV installation is OUTDATED!
>  > >WARNING: Current functionality level = 42, recommended = 43
>  > >DON'T PANIC! Read http://www.clamav.net/support/faq
>  > >Database updated (575153 signatures) from database.clamav.net (IP:
>  > >130.59.10.36)
>  > >Clamd successfully notified about the update.
>  > >
>  > >Unfortunately the website http://www.clamav.net/support/faq is not
>  > >really helpful for me.
>  > >Who can help me carry out the update on my PowerMac?
>  >
>  > Udo
>  >
>  > Where did you get the install for clamav on the
>  > Mac?  If you created it yourself just rebuild
>  > using the newer revision. If you got it from
>  > somewhere else (fink, macports, etc) just go back
>  > to that repository. You can also get an OSX
>  > install using ClamAV default configuration at
>  > http://www.oitc.com/ctw/clamav This will take
>  > care of the warning "Your ClamAV installation is
>  > OUTDATED!"
>  >
>  > However, the "ERROR: chdir_tmp: Can't create
>  > directory" indicates your install has permissions
>  > problems.
>  >
>  > Tom
>
>I downloaded the install package ClamXav_1.1.1_Universal_e951.dmg from
>http://www.apple.com/downloads/macosx/networking_security/ for free.
>
>The ERROR: chdir_tmp: Can't create directory 
>./clamav-f2e7533e176a61f5a916c398ddacf497
>depends on a faulty installation routine I think.
>
>I'm just a simple Mac user not a developer. So I need someone who tells 
>me what to do step by step.
>
>I'm not familiar with Unix and cannot build any installation package by 
>myself. The web site http://www.oitc.com/ctw/clamav doesn't help. I'm 
>using OS X 10.4.11, not OS X 10.5!

Well ClamXav doesn't do a normal install as it installs clamav into 
/usr/local/clamXav and from the docs doesn't appear to run the daemon 
either. If you are just using it to do simple checks on your desktop 
or laptop you should be fine as 0.95.1 will still work for now.

Tom


Re: [Clamav-users] question about Clamav anti virus for old mac OS 9.2

2009-06-22 Thread Tom Shaw
At 2:41 PM +0100 6/22/09, off...@jimrailton.com wrote:
>Hi there.  I did read the archives and couldn't find anything about my
>query.
>
>We have two older macs, a G3 running OS 8.6 and a G4 running 9.2.  I believe
>we have a microsoft word virus that I would like to get rid of.  Is there a
>version of Clamav that will work on these old operating systems?  I've found
>the list of downloads of various versions from 0.70 to 0.95.2 and had a
>quick look at some of the info/notes for the versions, but it doesn't say
>what operating system they are suitable for.
>
>If someone could please advise me, I would be more grateful.
>

Julie,

I know of no version of ClamAV that ever worked with OS 8 or 9.

You could copy your MS Word files to an OSX machine and check them. 
You could search on eBay for an old AV program that worked on OS 8/9. 
You could email the suspect file(s) to virustotal to check them. Or 
you could turn off Macros in Word and copy the contents to new files.

Tom



Re: [Clamav-users] question about Clamav anti virus for old mac OS 9.2

2009-06-22 Thread Tom Shaw
At 8:04 PM -0400 6/22/09, John Jasen wrote:
>Tom Shaw wrote:
>
>>  You could copy your MS Word files to an OSX machine and check them.
>>  You could search on eBay for an old AV program that worked on OS 8/9.
>>  You could email the suspect file(s) to virustotal so check them. Or
>>  you could turn off Macros in Word and copy the contents to new files.
>
>Take the disks out, put them in a computer that can run from a linux
>live cd, hope it has HFS support, and go from there?

Well if the OS 8/9 machines have ethernet I'd just ftp to any 
machine that has an AV system. If the files are small, copy to 
floppy and then xfer them. If you have an OSX 10.2, I think, you can 
remotely mount an OS 8/9 machine but I believe that the capability was 
deprecated in later OSX versions.

Unfortunately there is not enough data on the person's config, amount 
of files, what made them all of a sudden think they have a macro 
virus in such an old version of word, etc.

Tom
-- 
Tom Shaw - Chief Engineer, OITC
, http://www.oitc.com/ local wx: http://www.oitc.com/weather
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trs...@mac.com

Fish more and Live longer


Re: [Clamav-users] question about Clamav anti virus for old mac OS 9.2

2009-06-23 Thread Tom Shaw
At 9:42 AM +0100 6/23/09, off...@jimrailton.com wrote:
>Hi there.  Thanks for all the info.
>
>The virus is : OF97/Tristate-C
>
>We are running a G4 on 9.2.2.  Theoretically we could upgrade to osX, but we
>will be getting new machines in the next couple of months, and our current
>main system (filemaker 4.1) obviously won't work on osX, as I think the
>current one is filemaker 9.  So we just need to make these machines limp
>along for a couple more months until our new database system for filemaker 9
>is written.  My main worry, as this is apparently a 'low threat virus' and
>isn't really affecting us, but when I send a word doc to someone it is
>either erased, or says it has a virus.
>
>As I was going to do some work from home and needed to take files from the
>affected machine, I didn't want to infect my brand new mac book pro!  So I
>was just trying to see whether I could kill the virus on these machines
>before moving any files.  I suppose once they are on my mac book pro they
>can be killed, but I hate the thought of deliberately introducing a virus to
>my lovely new machine.
>
>It sounds like it is not going to be possible in any easy sort of way.
>
>Thanks again, or for any further suggestions.

Julie,

I am assuming that since you know you have OF97/Tristate-C a customer 
must have told you.  OF97/Tristate-C is a MS Office virus. See

http://www.sophos.com/security/analyses/viruses-and-spyware/of97crownb.html
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=O97M_TRISTATE

This is a MS Office virus that spreads via Visual Basic.  Anyone who 
has opened those infected MS Office files will have all/most/many of 
the MS Office files on their machines have also been infected. The 
easiest way to deal with this is 1) turn off VB Macros in Word, 
Powerpoint and Excel.

This should not be an issue to you as MS Office 2008 doesn't even 
support Visual Basic. For 2004 and before, I can't remember what to 
do for these older versions of MS Office but you can set up these to 
warn you if a document contains VB Macros.

The good news is that VB macro viruses cannot propagate unless they 
are run inside of an open MS Office document.

The bad news is that you, by sending copies of these infected 
documents to others, are infecting others - especially since this 
virus disables MS Office virus protection on PCs allowing other 
viruses a way in.

Here are your options:

1) This is the cheapest dollar wise and most expensive labor wise. 
Since you say these machines have internet access and if the contents 
are not sensitive, you can just upload them to 
http://www.virustotal.com/ to have them checked.  For those that are 
infected, open them in MS Office 2008 on OSX; create a new untitled 
document; go back to the open infected document and copy the entire 
contents to the new document and save; delete the original infected 
document

2) Copy the MS Office files to an OSX machine; buy a commercial AV 
system; disinfect; destroy original infected files; copy back the 
cleaned ones.

TrendMicro: http://www.kqzyfj.com/nk105hz74z6MONUQTSSMONROQSWQ
Sophos: 
http://www.sophos.com/products/enterprise/endpoint/security-and-control/8.0/mac/
Norton: http://www.symantec.com/norton/macintosh/antivirus-dual-protection

There are free/shareware options but many of these cannot disinfect. 
They only detect. As I surmise you want to clean up your act a 
commercial version may be in order. A list of free/shareware:

http://www.geckoandfly.com/2009/03/19/download-the-best-mac-os-x-anti-spyware-and-anti-virus-software-for-free/

I have to say you might be better off just hiring a local Mac guy for 
a couple of hours to make this painless.

Tom


[Clamav-users] Zeus .bin files

2009-06-26 Thread Tom Shaw
Just a question on signatures...

Does the signature team not do Zeus/ZBot configuration files?  We 
have submitted a number (20+) of ".bin" files over the last 6-8 weeks 
but have yet to see these files detected using "Official" signatures. 
Should we not submit these files?

Tom


[Clamav-users] Signature dups

2009-06-30 Thread Tom Shaw

Does freshclam or clam on load/reload look for and remove dup signatures?

Tom


Re: [Clamav-users] Signature dups

2009-06-30 Thread Tom Shaw

At 11:05 PM +0200 6/30/09, Tomasz Kojm wrote:

On Tue, 30 Jun 2009 11:26:25 -0700
"Bill Landry"  wrote:


 So if I were to include a signature in my 3rd party database, and then a
 few days later ClamAV adds the same signature to the official signature
 database, that is not your problem, but rather my problem?  Seems like if
 you (ClamAV) is providing the means for including 3rd party databases,
 then wouldn't you agree that it really is ClamAV's responsibility to make
 sure that duplicate signatures do not get loaded and used?


Hi Bill,

taking care about duplicates in the engine doesn't make sense (see below).
Without a centralized system for signature maintenance we offered to 3rd
parties, it's not possible to avoid duplicates. Having said that, even if there
were a few thousands of duplicated sigs, it shouldn't cause any significant
slowdown to the engine.


 > We had an idea to allow 3rd party signature
 > creators to use our mechanisms for signature maintenance ([1], easy
 > checking for FPs, dups, name collisions) and also our network
 > infrastructure and freshclam to make everything more smooth but
 > unfortunately this idea didn't get much interest.

 Hmmm, first I've heard of this.  Why was there a lack of interest?


Well, I don't know why.. AFAIK, only Securiteinfo was interested in using
that solution. And in my opinion it would only have advantages - all the
mechanisms we developed for the last 7 years, including the mirror
infrastructure, could be used to maintain and distribute the 3rd party
sigs making all processes much more efficient!


 > It would be inefficient (and could be even unsafe in some cases) to do
 > such things in the engine.

 Why is that?  If ClamAV sorts all signatures when reloading, and ignores
 duplicate signatures, why would that be dangerous in the engine?


Because detecting duplicated signatures is not that easy and must be
done with a great care so that we don't incorrectly skip some unique sigs!

Eg. the following logical sigs are all duplicates:

Sig1;Target:0;0&1&(2|3);dead;beef;feed;face
Sig2;Target:0;0&((1&2)|(1&3));dead;beef;feed;face
Sig3;Target:0;0&1&(2|3);dead;beef;face;feed
Sig4;Target:0;(0|1)&2&3;feed;face;dead;beef

but this one is not (and still is very similar):

Sig5;Target:0;(0|1)&2&3;feed;dead;face;beef

Even for some very simple hex signatures there may be cases where
it's not easy to detect dups, eg. dead{3}beef is in practice a duplicate
of dead??beef but since the engine handles these signatures
differently, the situation complicates again. So in the engine we could
only implement some very limited checks, but then the other day
someone would open a bug report that this "feature" doesn't work
nicely for some sigs... (take the issue with local.ign for example)

The centralized system for signature development eliminates the
problem because one can easily see that a sample is already detected
(such samples automatically get "closed"). It could also provide some
detection of duplicates which could be later handled manually. It's
working really great for us that's why we made that offer to 3rd party
signature developers. Hopefully, we will close the bug #781 some day...


Tomasz,

I like having a central DB. In fact I think the central DB should be 
queryable (eg submit signatures and get feedback if they are already 
superseded by other detections).

On a similar line I suggested to Luca a while ago that it would be good 
if you maintained a DB of MD5 signatures of files that you have 
processed.  I have submitted over 1600 unique malware files since 23 
Mar and I am pretty sure that 99% are real malware because they show 
up in my honeypot.  Unfortunately, I have 1054 outstanding that I 
have in my winnow_malware.hdb sig file that still do not have an 
"official" signature for them.

As far as an MD5 DB, I would like it to include the following status: 
in queue, verified benign, and in work. This would allow me to know 
that you have it and know when something is benign. I know you must 
have something like this internally, if only to cull dups 
and to check out our signature creation, so adding some exposure of the 
DB shouldn't be an issue.

Unfortunately nothing has come from this.

Tom
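Tomasz's Sig1 to Sig5 make a good test case for the presence-only duplicate check he describes as the "easy" part. The following is an added example, not ClamAV code: it canonicalises a logical signature by substituting each subsignature's pattern into the expression and tabulating which combinations of present patterns make it fire, so Sig1 to Sig4 collapse to one key and Sig5 stays separate. It handles only the & | ( ) subset used in those examples, assumes & binds tighter than | (the samples are fully parenthesised, so this does not affect them), and deliberately does not try to equate wildcard variants such as dead{3}beef and dead??beef.

```python
import itertools
import re

# The five logical signatures Tomasz quotes above (Sig1-Sig4 duplicates,
# Sig5 not), kept here as the sample input.
SIGS = [
    "Sig1;Target:0;0&1&(2|3);dead;beef;feed;face",
    "Sig2;Target:0;0&((1&2)|(1&3));dead;beef;feed;face",
    "Sig3;Target:0;0&1&(2|3);dead;beef;face;feed",
    "Sig4;Target:0;(0|1)&2&3;feed;face;dead;beef",
    "Sig5;Target:0;(0|1)&2&3;feed;dead;face;beef",
]

def parse_logical_sig(line):
    """Split 'Name;Target:N;Expression;sub0;sub1;...' into its fields;
    hex patterns are lower-cased so case alone never separates two sigs."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("not a logical signature: %r" % line)
    return fields[0], fields[1], fields[2], [s.lower() for s in fields[3:]]

class _ExprParser:
    """Recursive-descent parser for the '&', '|' and parenthesis subset of
    the expression syntax used in the samples.  Assumption: '&' binds
    tighter than '|' (irrelevant for the fully parenthesised samples).
    Count modifiers such as '=2' or '>1' are rejected rather than guessed."""

    def __init__(self, text):
        self.toks = re.findall(r"\d+|[&|()]", text)
        if "".join(self.toks) != text.replace(" ", ""):
            raise ValueError("unsupported expression syntax: %r" % text)
        self.pos = 0

    def parse(self):
        node = self._or()
        if self.pos != len(self.toks):
            raise ValueError("trailing tokens %r" % self.toks[self.pos:])
        return node

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _or(self):                      # or := and ('|' and)*
        node = self._and()
        while self._peek() == "|":
            self.pos += 1
            node = ("or", node, self._and())
        return node

    def _and(self):                     # and := atom ('&' atom)*
        node = self._atom()
        while self._peek() == "&":
            self.pos += 1
            node = ("and", node, self._atom())
        return node

    def _atom(self):                    # atom := INDEX | '(' or ')'
        tok = self._peek()
        self.pos += 1
        if tok == "(":
            node = self._or()
            if self._peek() != ")":
                raise ValueError("missing ')' in expression")
            self.pos += 1
            return node
        if tok is None or not tok.isdigit():
            raise ValueError("unexpected token %r" % tok)
        return ("sub", int(tok))

def _evaluate(node, present):
    """present[i] is True when subsignature i's pattern occurs in the file."""
    if node[0] == "sub":
        return present[node[1]]
    left, right = _evaluate(node[1], present), _evaluate(node[2], present)
    return (left and right) if node[0] == "and" else (left or right)

def canonical_form(line):
    """Key that is equal for two signatures exactly when they fire for the
    same combinations of present patterns (reading '&'/'|' as plain
    presence tests).  Patterns are compared literally, so the wildcard
    variants dead{3}beef and dead??beef that Tomasz mentions stay distinct."""
    _, target, expr, subsigs = parse_logical_sig(line)
    ast = _ExprParser(expr).parse()
    patterns = sorted(set(subsigs))         # a repeated pattern collapses
    fires = set()
    for bits in itertools.product((False, True), repeat=len(patterns)):
        has = dict(zip(patterns, bits))
        present = {i: has[p] for i, p in enumerate(subsigs)}
        try:
            if _evaluate(ast, present):
                fires.add(bits)
        except KeyError:
            raise ValueError("expression references a missing subsignature")
    return target, tuple(patterns), frozenset(fires)

def find_duplicates(lines):
    """Group signature names by canonical form: {key: [names...]}."""
    groups = {}
    for line in lines:
        name = parse_logical_sig(line)[0]
        groups.setdefault(canonical_form(line), []).append(name)
    return groups
```

Running find_duplicates(SIGS) yields two groups, Sig1 to Sig4 and Sig5 alone, which is exactly the split Tomasz gives; a real deduplicator would still need the wildcard equivalences he mentions, which this literal comparison does not attempt.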


[Clamav-users] List bounces

2009-06-30 Thread Tom Shaw
I did my due diligence and emailed 
clamav-users-requ...@lists.clamav.net?subject=help and got the email 
contact of the owner of the list and emailed 
clamav-users-ow...@lists.clamav.net and have received no response.


Every time I post to this list I receive a "no such user here" 
response for cas...@snigelpost.org from mdae...@starmail.webnoice.se. 
The mail server for snigelpost.org is seriously misconfigured as it 
is bouncing mail to the RFC2822 FROM header instead of the required 
RFC2821 MAIL FROM handshake value.


I have wasted my time trying to contact snigelpost.org, webnoice.se, 
swebase.com, wekudata.se and utfors.se who all seem to be part of the 
problem and who do not return emails sent to postmaster, abuse, and 
their whois contacts.


So could someone at SourceFire, or ClamAV, unsubscribe 
cas...@snigelpost.org and could someone in Sweden contact the 
owner of snigelpost.org's mailserver and kindly request them to 
configure their mailserver to be compliant with RFC 2821.


TIA,

Tom
PS Sorry about the rant


Re: [Clamav-users] clamd 0.95.2 unrar

2009-07-09 Thread Tom Shaw

At 3:20 PM -0700 7/9/09, MrC wrote:

On 7/9/2009 3:14 PM, Tom Shaw wrote:

I searched the archive and could not find a solution. I have been
running without unrar support for a bit because I didn't have time to
run this down.

I compiled 0.95.2 from source and it has been running flawlessly yet I
get this warning:

LibClamAV Warning: Cannot dlopen libclamunrar_iface: file not found -
unrar support unavailable

Yet in /usr/local/lib I have:

-rwxr-xr-x 1 root wheel 60976 Feb 28 09:36 libclamunrar.6.dylib
-rw-r--r-- 1 root staff 61672 Jul 9 17:56 libclamunrar.a
lrwxrwxrwx 1 root wheel 20 Jun 16 19:32 libclamunrar.dylib ->
libclamunrar.6.dylib
-rwxr-xr-x 1 root staff 903 Jul 9 17:56 libclamunrar.la
-rwxr-xr-x 1 root wheel 18144 Feb 28 09:36 libclamunrar_iface.6.so
-rw-r--r-- 1 root staff 7080 Jul 9 17:56 libclamunrar_iface.a
-rwxr-xr-x 1 root staff 953 Jul 9 17:56 libclamunrar_iface.la
lrwxrwxrwx 1 root wheel 23 Jun 16 19:32 libclamunrar_iface.so ->
libclamunrar_iface.6.so

Help is appreciated.

Tom



32- vs. 64-bit?  The "file not found" error can come for the dynamic 
library loader when it fails.  Often this means you need the 32-bit 
compatibility libs.


mrc

I am on OSX; here are my command lines:

CFLAGS="-O0" ./configure CC=/usr/bin/gcc-4.2 --disable-shared 
--enable-bigstack --enable-static

make
sudo make install

Tom


Re: [Clamav-users] clamd 0.95.2 unrar

2009-07-09 Thread Tom Shaw

Steve

I don't have sudo ldconfig. I am on BSD unix (OSX).

Tom

At 10:23 AM +1200 7/10/09, steve wrote:


You might fix this with a quick

sudo ldconfig

( and some distros require that you explicitly include /usr/local/lib in
your /etc/ld.so.conf - or /etc/ld.so.cond.d/.conf  )

just to update the system catalogs...

hth,

Steve

On Thu, 2009-07-09 at 18:14 -0400, Tom Shaw wrote:

 I searched the archive and could not find a solution. I have been
 running without unrar support for a bit because I didn't have time to
 run this down.

 I compiled 0.95.2 from source and it has been running flawlessly yet
 I get this warning:

 LibClamAV Warning: Cannot dlopen libclamunrar_iface: file not found -
 unrar support unavailable

 Yet in /usr/local/lib I have:

 -rwxr-xr-x  1 root  wheel  60976 Feb 28 09:36 libclamunrar.6.dylib
 -rw-r--r--  1 root  staff  61672 Jul  9 17:56 libclamunrar.a
 lrwxrwxrwx  1 root  wheel     20 Jun 16 19:32 libclamunrar.dylib -> libclamunrar.6.dylib
 -rwxr-xr-x  1 root  staff    903 Jul  9 17:56 libclamunrar.la
 -rwxr-xr-x  1 root  wheel  18144 Feb 28 09:36 libclamunrar_iface.6.so
 -rw-r--r--  1 root  staff   7080 Jul  9 17:56 libclamunrar_iface.a
 -rwxr-xr-x  1 root  staff    953 Jul  9 17:56 libclamunrar_iface.la
 lrwxrwxrwx  1 root  wheel     23 Jun 16 19:32 libclamunrar_iface.so -> libclamunrar_iface.6.so

 Help is appreciated.

 Tom

--
Steve Holdoway 
http://www.greengecko.co.nz
MSN: st...@greengecko.co.nz
GPG Fingerprint = B337 828D 03E1 4F11 CB90  853C C8AB AF04 EF68 52E0






[Clamav-users] clamd 0.95.2 unrar

2009-07-09 Thread Tom Shaw
I searched the archive and could not find a solution. I have been 
running without unrar support for a bit because I didn't have time to 
run this down.


I compiled 0.95.2 from source and it has been running flawlessly yet 
I get this warning:


LibClamAV Warning: Cannot dlopen libclamunrar_iface: file not found - 
unrar support unavailable


Yet in /usr/local/lib I have:

-rwxr-xr-x1 root   wheel60976 Feb 28 09:36 libclamunrar.6.dylib
-rw-r--r--1 root   staff61672 Jul  9 17:56 libclamunrar.a
lrwxrwxrwx1 root   wheel   20 Jun 16 19:32 libclamunrar.dylib 
-> libclamunrar.6.dylib

-rwxr-xr-x1 root   staff  903 Jul  9 17:56 libclamunrar.la
-rwxr-xr-x1 root   wheel18144 Feb 28 09:36 libclamunrar_iface.6.so
-rw-r--r--1 root   staff 7080 Jul  9 17:56 libclamunrar_iface.a
-rwxr-xr-x1 root   staff  953 Jul  9 17:56 libclamunrar_iface.la
lrwxrwxrwx1 root   wheel   23 Jun 16 19:32 
libclamunrar_iface.so -> libclamunrar_iface.6.so


Help is appreciated.

Tom


Re: [Clamav-users] clamd 0.95.2 unrar

2009-07-09 Thread Tom Shaw
OK Got it fixed. Looks like incompatibilities of libraries. All is 
fine now. Thanks for your help pointing me in the right direction.


Tom



[Clamav-users] Signature/Weirdness

2009-09-14 Thread Tom Shaw
I am running ClamAV 0.95.2/9806/Mon Sep 14 14:37:58 2009. When I run 
clamscan on a file I get no detection, yet when I submit the same file 
to VirusTotal (0.94.1/20090912) I get Trojan.Zbot-4583 detected.


My clamav install has been operating fine for months on OSX 10.5.

Ideas?

Tom


Re: [Clamav-users] Signature/Weirdness

2009-09-14 Thread Tom Shaw

At 12:59 PM -0700 9/14/09, Bill Landry wrote:

Tom Shaw wrote:

 I am running ClamAV 0.95.2/9806/Mon Sep 14 14:37:58 2009. When I run
 clamscan on a file I get no detection, yet when I submit the same file to
 VirusTotal (0.94.1/20090912) I get Trojan.Zbot-4583 detected.

 My clamav install has been operating fine for months on OSX 10.5.

 Ideas?


Tom, what happens if you scan the file with clamdscan?

   clamdscan --fdpass file

The reason I ask is that maybe you have to set the appropriate flags when
using clamscan vs clamdscan, as clamdscan uses clamd.conf for its settings.

Just a thought...



Bill, I get detection from my signature but not clam's

Tom



Re: [Clamav-users] Signature/Weirdness

2009-09-14 Thread Tom Shaw

At 2:00 PM -0700 9/14/09, Bill Landry wrote:

 > At 12:59 PM -0700 9/14/09, Bill Landry wrote:

Tom Shaw wrote:

  I am running ClamAV 0.95.2/9806/Mon Sep 14 14:37:58 2009. When I run
  clamscan on a file I get no detection, yet when I submit the same file
  to VirusTotal (0.94.1/20090912) I get Trojan.Zbot-4583 detected.

  My clamav install has been operating fine for months on OSX 10.5.

  Ideas?


Tom, what happens if you scan the file with clamdscan?

clamdscan --fdpass file

The reason I ask is that maybe you have to set the appropriate flags when
using clamscan vs clamdscan, as clamdscan uses clamd.conf for its
settings.

Just a thought...



 Bill, I get detection from my signature but not clam's


Could it be that your signature is triggering before ClamAV's?  Have you
tried running the scan without your signature included to see if ClamD
will trigger?


Hasn't triggered earlier than clamav's before. However I will try now.

That's weird, it did detect it then. Wish I knew the sequence ClamAV 
checks through the DBs.


Is there a way to force clamscan to keep checking for all signatures? 
I tried clamdscan --help with no joy.


Tom
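A practical way to settle the question raised in this thread (which database a hit actually comes from, and how a custom hash database like winnow_malware.hdb is built) is shown below as an added example; it is not from the thread and is not ClamAV, OITC or Sanesecurity code. ClamAV's .hdb format is one line per sample, `MD5:size:SignatureName`, and `clamscan -d FILE` loads only that one database instead of the default directory, so a match under `-d` can only come from that file. The sample bytes and the signature name are constructed; only md5sum (or md5 on BSD/OS X), wc and mktemp are required, and clamscan is used if it is installed. Newer ClamAV releases (0.98 onwards) also have `clamscan --allmatch`, which reports every matching signature instead of stopping at the first hit; the 0.95 build discussed here does not.

```shell
#!/bin/sh
# Added example (not from the thread, not ClamAV or OITC code): build a
# ClamAV .hdb hash signature for a file and scan the file against only
# that database, to see which signature set a detection really comes from.
# Assumes md5sum or md5, wc and mktemp; clamscan is optional.

# Portable MD5 of a file: GNU md5sum on Linux, md5 -q on macOS/BSD.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Emit one .hdb line. The hash-database format is MD5:size:SignatureName,
# where size is the file length in bytes (ClamAV checks both).
make_hdb_sig() {
    size=$(wc -c < "$1" | tr -d ' ')
    printf '%s:%s:%s\n' "$(file_md5 "$1")" "$size" "$2"
}

# Scan a file against a single database file. -d replaces the default
# database directory, so a hit here can only come from this one file.
# Returns 0 if clamscan reported a match (its exit status 1), 1 if the
# file is clean, 2 if clamscan is not installed or failed.
scan_with_single_db() {
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not installed; database written to $2" >&2
        return 2
    fi
    clamscan --no-summary -d "$2" "$1"
    case $? in
        1) return 0 ;;
        0) return 1 ;;
        *) return 2 ;;
    esac
}

# Walkthrough on a constructed, harmless sample (the bytes "hello\n").
demo() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/sample.bin"
    make_hdb_sig "$dir/sample.bin" "Example.HashSig.Sample" > "$dir/example.hdb"
    cat "$dir/example.hdb"   # b1946ac92492d2347c6235b4d2611184:6:Example.HashSig.Sample
    if scan_with_single_db "$dir/sample.bin" "$dir/example.hdb"; then
        echo "sample detected by example.hdb alone"
    else
        echo "no match from example.hdb (status $?)"
    fi
    rm -rf "$dir"
}

# Run the walkthrough only when asked: sh hdb_check.sh demo
case "${1:-}" in demo) demo ;; esac
```

To repeat the experiment from the thread on a real sample, run `scan_with_single_db sample /var/lib/clamav/main.cvd` (or daily.cld) and then the same against winnow_malware.hdb: whichever run exits 0 is the database that owns the detection, with no dependence on the order in which clamd loaded them.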


Re: [Clamav-users] Submission policies

2009-09-15 Thread Tom Shaw

Giampaolo

If you want some extra coverage you might try the signatures at 
http://sanesecurity.com. Besides all the great rules there, our winnow 
signatures, which are included, detect malware not yet in ClamAV as well 
as URLs to malware. Current direct signatures are mapped to other AV 
systems at http://www.oitc.com/winnow/clamsigs/MalwareSignatures.html


Samples can be sent to virus-samples at oitc.com

Tom

At 10:55 PM +0200 9/15/09, Giampaolo Tomassoni wrote:

 > The answer is very simple: resources.
 >
 > The submission interface receives around 20,000 unique samples a day, which
 > exceeds the number of signatures that can be produced in a day by the
 > sigmakers. This forces us to prioritize by what we are seeing the most of
 > in a given time period, as those are most likely the prevalent threats.
 >
 > If you, or anyone else in the ClamAV community, is interested in writing
 > signatures to help improve some of the response times, feel free to
 > contact me off list.
 >
 > Cheers
 > -matt

Concise and clear.

Matt, thank you very much: this wipes away my doubts about submission policies
and the like.

Giampaolo

 > On Mon, Sep 14, 2009 at 12:51 PM, Giampaolo Tomassoni <giampa...@tomassoni.biz> wrote:
 >
 > > Hi,
 > >
 > > I occasionally submit virus samples to ClamAV through the official
 > > submission page.
 > >
 > > Before submission I also check these viruses with VirusTotal, where at
 > > least a bunch of AV products do often detect my samples as malware.
 > >
 > > If this happens, I also add a link to VirusTotal's analysis page
 > > regarding the sample I'm submitting in the "Enter a short description of
 > > the virus" field of the submission form.
 > >
 > > This used to work, and sooner or later I would be notified of the
 > > inclusion in the ClamAV database of a new detection pattern suitable for
 > > my sample.
 > >
 > > It has been months, however, since I last received notifications regarding
 > > my submissions. Also, it seems to me that recently submissions are quite
 > > ignored. For example, on September 9 I reported to ClamAV a malware which
 > > is still not recognized, while it is by 30 out of 41 AV products in
 > > VirusTotal...
 > >
 > > See:
 > >
 > > http://www.virustotal.com/analisis/716704eb975160cf84c110e6510bb45ce9837a774dcdee6136867b4c03f4981e-1252908923
 > >
 > > Anybody could explain what's going on with submissions? I can't find any
 > > reliable reference to changes in the submission policies or the like. I
 > > could only find this thread from this ML
 > >
 > > http://lurker.clamav.net/message/20081025.142726.40535408.en.html
 > >
 > > in which basically Bräckelmann is trying to figure out the same I am. But
 > > no reply to his question...
 > >
 > > Thank you,
 > >
 > > Giampaolo
 >
 > --
 > Matthew Watchinski
 > Sr. Director Vulnerability Research Team (VRT)
 > Sourcefire, Inc.
 > Office: 410-423-1928
 > http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/







Re: [Clamav-users] DHL invoices

2009-09-23 Thread Tom Shaw

At 3:09 PM +0100 9/23/09, Steve Basford wrote:

 >

 I get lots of 'invoices' from DHL containing a zipped trojan. F-Prot
 recognizes them as Win32/Bredolab!Generic but ClamAV does not.


Hi,

Just in case this helps block them... I've been detecting these for a
while, if it's the same sort of fake invoices I've been receiving here,
using the Sanesecurity signatures:



I also have malware detection for these in winnow_malware.hdb. See 
http://www.oitc.com/winnow/clamsigs/MalwareSignatures.html


Tom


Re: [Clamav-users] DHL invoices

2009-09-23 Thread Tom Shaw

At 8:11 PM +0300 9/23/09, Jari Fredriksson wrote:

 > On Wed, Sep 23, 2009 at 07:07:53PM +0300, Jari

 Fredriksson wrote:

 Jari Fredriksson wrote:



 Then I decided SaneSecurity is not worth it, as
 SpamAssassin catches those too, and has less false
 positives.

 SaneSecurity triggers way too often when some dumb user
 pastes a spam into his mail, or some robot sends a
 bounce with an attachment. I do not want to report
 those cases to SpamCop, Razor, DCC.. making me write
 tons of tests in my scripts. Too risky.



 If someone pastes a spam into their mail it is not a
 false positive. It is a post that is indistinguishable
 from spam. There are consequences for that.



 Debatable. Anyway, I do not want to punish from that
 kind of a mistake. I'm not an email nazi, while I indeed
 am a spam fighter.


 Ehm, were you scoring SaneSecurity hits like one is
 supposed to, or just plain rejecting with them? Sounds
 like the latter.



I don't run ClamAV via SpamAssassin. I have it called by 
amavisd-new, which does what it does: quarantine.


Sure hope you're not using heuristics, phishing and/or safebrowsing 
options in ClamAV if you feel that way.


Tom


Re: [Clamav-users] DHL invoices

2009-09-23 Thread Tom Shaw

At 10:39 PM +0300 9/23/09, Jari Fredriksson wrote:

 >>

 I don't run ClamAV via SpamAssassin. I have it called by
 amavisd-new, which does what it does: quarantine.


 Sure hope you're not using heuristics, phishing and/or
 safebrowsing options in ClamAV if you feel that way.



I use amavisd-new default options, have not touched those.


These are not amavis but clamav stock options. Please read your config files.




Re: [Clamav-users] DHL invoices

2009-09-23 Thread Tom Shaw

At 10:42 PM +0300 9/23/09, Jari Fredriksson wrote:

 > On Wed, Sep 23, 2009 at 08:11:41PM +0300, Jari

 Fredriksson wrote:


 Ehm, were you scoring SaneSecurity hits like one is
 supposed to, or just plain rejecting with them? Sounds
 like the latter.



 I don't run ClamAV via SpamAssassin. I have it called by
 amavisd-new, which does what it does: quarantine.


 May I suggest you google for amavisd-new feature called
 "virus_name_to_spam_score_maps". You will find many
 examples on how to do it properly.



Googled. Seemed to be SaneSecurity specific stuff. Is it?


No, it tells you how to score any ClamAV detection, which is recommended 
if you are using the default heuristics and phish detections, which do 
generate FPs.


I do not use Sanesecurity currently. The quarantine gets only virii 
by stock ClamAV rules.


So? ClamAV by default implements heuristics and tries to detect phish 
all of which can cause a certain percentage of FPs.


Tom
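The scoring the reply refers to, shown as an added example that is not from the thread and not the stock amavisd.conf-sample: in amavisd.conf, `@virus_name_to_spam_score_maps` turns selected ClamAV detection names into a SpamAssassin score addition instead of a virus verdict, so a heuristic, phishing or content-signature hit is weighed with the rest of the message rather than sending it straight to quarantine. The detection-name patterns, the scores and the winnow.spam/winnow.phish naming are assumptions to adapt to the signature sets you actually load; the first matching entry wins.

```perl
# Added example for amavisd.conf (not from the thread and not the stock
# amavisd.conf-sample): map low-confidence ClamAV detections to a spam
# score instead of a virus verdict. Patterns and scores are assumptions;
# adjust them to the signature sets you actually load. First match wins.
@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters!
    # ClamAV's built-in heuristic phishing and Safe Browsing checks
    # (PhishingSignatures/PhishingScanURLs in clamd.conf, SafeBrowsing in
    # freshclam.conf) do produce false positives: let them add to the
    # score only.
    [ qr'^(Heuristics\.)?Phishing\.'                    => 4.0 ],
    [ qr'^Heuristics\.Safebrowsing\.'                   => 5.0 ],
    # Potentially unwanted applications are not malware; a tiny score keeps
    # the detection name in the headers without affecting the verdict.
    [ qr'^PUA\.'                                        => 0.1 ],
    # Sanesecurity/winnow spam, scam and phish content signatures are
    # anti-spam rules, so they belong in the spam score with the rest.
    [ qr'^Sanesecurity\.(Junk|Jurlbl|Spam|SpamL|Scam|Lott)\.'i => 5.0 ],
    [ qr'^winnow\.(spam|phish)\.'i                      => 5.0 ],
    # Names that match nothing above (Trojan.*, Sanesecurity.Malware.*,
    # winnow.malware.*) are still treated as infected and quarantined.
  ));
```

The added score is compared with the usual `$sa_tag2_level_deflt` and `$sa_kill_level_deflt` thresholds, so a single phishing heuristic on an otherwise clean message gets tagged rather than quarantined, while a payload hash match from winnow_malware.hdb or an official Trojan.* signature keeps the virus handling. Run `amavisd reload` after editing the file.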



Re: [Clamav-users] DHL invoices

2009-09-23 Thread Tom Shaw

At 11:31 PM +0300 9/23/09, Jari Fredriksson wrote:

 > At 10:39 PM +0300 9/23/09, Jari Fredriksson wrote:

  >>

  I don't run ClamAV via SpamAssassin. I have it called
  by amavisd-new, which does what it does: quarantine.


  Sure hope you're not using heuristics, phishing and/or
  safebrowsing options in ClamAV if you feel that way.



 I use amavisd-new default options, have not touched
 those.


 These are not amavis but clamav stock options. Please
 read your config files.



Default Debian settings.

PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false

This is what I found about Phishing and Heuristics. Dangerous? When 
I review the quarantine anyway.


No more than sanesecurity rules and a lot more than my 
winnow_malware.hdb which would have caught your virus.


Point being you might just want to consider what you have running...

Tom


Re: [Clamav-users] DHL invoices

2009-09-23 Thread Tom Shaw

At 12:20 AM +0300 9/24/09, Jari Fredriksson wrote:

 >>

 This is what I found about Phishing and Heuristics.
 Dangerous? When I review the quarantine anyway.


 No more than sanesecurity rules and a lot more than my
 winnow_malware.hdb which would have caught your virus.

 Point being you might just want to consider what you have
 running...

 Tom


Come on, Tom. Winnow might very well have caught that, but I got it caught 
with F-Prot and BitDefender too.


The trojan itself is not my problem. My problem was that ClamAV did 
not get it, and did not allow me to report it in their website.


I don't give a rat's ass about WinNow. If I had been interested in 
SaneSecurity or WinNow I would have installed those again, and 
tested with them.


The ClamAV website reporting is not about WinNow, it is about ClamAV 
vanilla. Am I wrong?


Nope. Just there have been numerous posts here from sourcefire and 
clamav folks explaining that they have a backlog in creating rules so 
you should not be surprised that stock signatures might miss malware 
which is why some of the addon signature files came into existence.


I am a tad confused about your reporting comment as the clamav web 
reporting mechanism works fine at least for me and you can also 
report via virustotal as well.


Anyway, glad you're happy with your config.

Tom

btw it's winnow as in to remove the wheat from the chaff and has 
nothing to do with Microsoft or Windows per se.




Re: [Clamav-users] DHL invoices

2009-09-24 Thread Tom Shaw

At 2:19 PM +0100 9/24/09, Steve Basford wrote:

 > Yeah, we already know that. Can you please cut&paste the full message

 returned by the form? Thanks,


Hi Luca,

I've *just* uploaded 4 copies of the dhl invoice malware that have been
missed by up-to-date official sigs.

These were blocked using Sanesecurity.Malware.12505.UNOFFICIAL.



Luca,

I have a couple of samples as well blocked by

winnow.malware.7065.UNOFFICIAL
winnow.malware.7066.UNOFFICIAL

if you need them. They were originally submitted on 9/18.

Tom


Re: [Clamav-users] DHL invoices

2009-09-24 Thread Tom Shaw

At 9:53 AM -0400 9/24/09, Tom Shaw wrote:

At 2:19 PM +0100 9/24/09, Steve Basford wrote:

 > Yeah, we already know that. Can you please cut&paste the full message

 returned by the form? Thanks,


Hi Luca,

I've *just* uploaded 4 copies of the dhl invoice malware that have been
missed by up-to-date official sigs.

These were blocked using Sanesecurity.Malware.12505.UNOFFICIAL.



Luca,

I have a couple of samples as well blocked by

winnow.malware.7065.UNOFFICIAL
winnow.malware.7066.UNOFFICIAL

if you need them. They were originally submitted on 9/18.


PS on second look I have samples all the way back to march.

Tom


[Clamav-users] IRS Scam

2009-09-28 Thread Tom Shaw
Just a heads up on this piece of malware as you may have read about 
this in Computerworld or another news source.


winnow sigs distributed as part of sanesecurity have been detecting 
the scam email as well as their changing payloads housed on fast flux 
domains for almost 2 weeks.


See:
http://www.computerworld.com/s/article/9138527/IRS_scam_now_world_s_biggest_e_mail_virus_problem?source=CTWNLE_nlt_dailyam_2009-09-28

Tom


Re: [Clamav-users] Some Virus not detected by Clamav

2009-10-13 Thread Tom Shaw

At 10:28 AM +0200 10/13/09, Jose-Marcio Martins da Cruz wrote:

Hello,

I have 49 viruses (2 kinds only) received at our mailserver last night 
which weren't detected by ClamAV, but are detected by most other 
antivirus available at www.virustotal.com


The names of the viruses, as detected by Sophos, are Mal/Bredo-A 
(detected by 16/41) and Troj/Agent-LKL (detected by 24/41).


These are surely variants of viruses already detected by ClamAV.

I've just submitted one sample of each at the ClamAV submission interface.
Shall I submit all the others?

As this has happened nearly every day for a week now, it's 
becoming annoying.


Jose,

If you use the unofficial signatures it might help you. See 
http://www.sanesecurity.co.uk/databases.htm


One of my signature files, winnow_malware.hdb, detects numerous (over 3000 
at present) malware samples that are not yet detected by stock ClamAV sigs. 
The current list is documented at 
http://www.oitc.com/winnow/clamsigs/MalwareSignatures.html


Undetected virus samples or URLs to the virus payload can be sent to 
virus_samples at oitc.com. They will be processed and added if 
necessary to winnow_malware.hdb and will be forwarded to the official 
ClamAV signature team.


Tom


Re: [Clamav-users] Some Virus not detected by Clamav

2009-10-15 Thread Tom Shaw

At 10:18 AM +0100 10/15/09, Steve Basford wrote:

 > I am interested in Tom's list of unofficial signatures - but haven't

 found the recommended way to use the signatures. Do I need to download
 them periodically - or do I just add an additional freshclam
 DataBaseMirror directive. In either case - exactly what is the url to
 download from - or to add to the freshclam directive?


Hi Richard,

Download one of the scripts here, ideally script 1 (Bill Landry):
http://sanesecurity.co.uk/download_scripts_linux.htm

Current databases are described here:

http://sanesecurity.co.uk/databases.htm

Note that rogue.hdb, phish.ndb, winnow_malware.hdb and
winnow_malware_links.ndb all deal with malware.

Example stats:
http://www.oucs.ox.ac.uk/network/smtp/relay/stats/index.xml.ID=malware
(using phish.ndb, scam.ndb, junk.ndb)

BTW, current fake Microsoft Outlook Notification is currently being
blocked, as Sanesecurity.Malware.12699


Steve,

The samples I have of that one are being detected by ClamAV standard 
sigs as Trojan.Peed-477. Wonder why you and some others didn't detect 
it with standard sigs?  Could this be a problem?  Do you have samples 
that were undetectable?


Tom


--
Tom Shaw - Chief Engineer, OITC
, http://www.oitc.com/ local wx: http://www.oitc.com/weather
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 321-258-2475 
(cell/voice mail,pager) US skypeline: 321-622-9098

Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trs...@mac.com
Skype: trshaw

Fish more and Live longer


Re: [Clamav-users] Some Virus not detected by Clamav

2009-10-15 Thread Tom Shaw

At 1:23 PM +0100 10/15/09, Steve Basford wrote:

 > Undetected Outlook Express malware:

 h t t p :/ / www.iki.fi/jarif/malware/install.zip


That's one of 'em:

Sanesecurity.Rogue.736.UNOFFICIAL


Well that one didn't get detected by standard ClamAV. Must be running 
multiple payloads.


That one is also typed as winnow.malware.7515/6.UNOFFICIAL

Tom




Re: [Clamav-users] Some Virus not detected by Clamav

2009-10-15 Thread Tom Shaw

At 3:14 PM +0300 10/15/09, Jari Fredriksson wrote:

15.10.2009 14:55, Tom Shaw wrote:


The samples I have of that one are being detected by ClamAV standard
sigs as Trojan.Peed-477. Wonder why you and some others didn't detect it
with standard sigs? Could this be a problem? Do you have samples that
were undetectable?

Tom



Undetected Outlook Express malware:
http://www.iki.fi/jarif/malware/install.zip



Thanks. Detected as winnow.malware.7515/6.UNOFFICIAL

Tom


Re: [Clamav-users] Some Virus not detected by Clamav

2009-10-15 Thread Tom Shaw

At 4:30 PM +0300 10/15/09, Jari Fredriksson wrote:


Undetected IRS scam variant.

http://www.iki.fi/jarif/malware/tax-statement.exe

--
http://www.iki.fi/jarif/



"You don't have permission to access /~jarif/ikipage/malware/tax-statement.exe
on this server." :-(

Also, do you have the link URL to those samples as well? But that should 
have been detected as winnow.malware.ts.irs.1.UNOFFICIAL unless 
they changed their attack vector.


Tom



Re: [Clamav-users] Some Virus not detected by Clamav

2009-10-15 Thread Tom Shaw

At 1:23 PM +0100 10/15/09, Steve Basford wrote:

 > Undetected Outlook Express malware:

 h t t p :/ / www.iki.fi/jarif/malware/install.zip


That's one of 'em:

Sanesecurity.Rogue.736.UNOFFICIAL


FYI Official ClamAV sigs now detect as Trojan.Inject-2443 I just 
noticed that my  winnow.malware.7515.UNOFFICIAL was removed due to 
detection on recent official sig updates.


Tom



Re: [Clamav-users] Some Virus not detected by Clamav

2009-10-15 Thread Tom Shaw

At 5:24 PM +0300 10/15/09, Jari Fredriksson wrote:


Does ClamAV somehow depend on the email format (base64), or how is it
possible that it does not recognise this

http://www.iki.fi/jarif/malware/FILE_UPS_c380a16.zip

That's an UPS fraud, W32/Bredolab.D.gen!Eldorado by F-Prot.


winnow.malware.7520/1.UNOFFICIAL

Tom



Re: [Clamav-users] Some Virus not detected by Clamav

2009-10-16 Thread Tom Shaw

At 8:42 AM +0100 10/16/09, Steve Basford wrote:

 > The script I use has a bit more finesse than this simple overview. I use a

 randomizer to prevent this process from running at the same minute past
 the hour


Note there's a *tiny* chance if the script runs at 10.07 and then 11.03,
you'll get temp block for an hour from some of the mirrors, depending if
they have setup hourly "abuse" checks.





 If Steve puts all his changes at the end of the file then this can be very
 efficient. If changes are scattered around the files then not so much.


99% of the time they are all added at the end of the file now, which
means it's much more efficient than it used to be.

As for the databases to use, well it's up to the end user but if I was
only interested in malware only...

I'd use:

phish.ndb
rogue.hdb
winnow_malware_links.ndb
winnow_malware.hdb

For example:

Some malware in my "to look at" folder this morning...

Sanesecurity only (phish.ndb/rogue.hdb)

Scanned files: 226
Infected files: 135

Official only:

Scanned files: 226
Infected files: 119

winnow malware didn't hit.



Just to clarify winnow_malware.hdb is designed to detect malware 
payloads. Thus, it is effective in an email system only when the 
payload is attached (such as a dropper, etc). It is also very 
effective when used in file system/download checking scenarios.


winnow_malware_links.ndb is a collection of active urls and 
zeus/botnet domains used to deliver malware payloads and invoke xsite 
injections as well as hand crafted signatures to detect links to 
malware. It also contains other signatures to augment 
winnow_malware.hdb to detect malware loaded on your system.


Tom


Re: [Clamav-users] Some Virus not detected by Clamav

2009-10-16 Thread Tom Shaw

Tom Shaw wrote:



Just to clarify winnow_malware.hdb is designed to detect malware 
payloads. Thus, it is effective in an email system only when the 
payload is attached (such as a dropper, etc). It is also very 
effective when used in file system/download checking scenarios.


Thanks to Dennis and all other for the suggestions. I'm using now 
winnow_malware.hdb and rogue.hdb, and it seems to detect much better.


Just one question : if I have some non detected virus, where is the 
best place to submit samples ? Virustotal ? Clamav ? Other ?




If you submit a file to virus-samp...@oitc.com I'll process it for 
winnow_malware.hdb and at the same time send it to the ClamAV malware 
signature team and virustotal to check if others can detect.


If you submit a URL to malware to virus-samp...@oitc.com I'll download 
the malware, process it for winnow_malware.hdb and at the same time 
send it to the ClamAV malware signature team and virustotal to check 
if others can detect.


Tom


Re: [Clamav-users] Some Virus not detected by Clamav

2009-10-16 Thread Tom Shaw

Tom Shaw wrote:



If you submit a file to virus-samp...@oitc.com I'll process it for 
winnow_malware.hdb and at the same time send it to the ClamAV 
malware signature team and virustotal to check if others can detect.


If you submit a URL to malware to virus-samp...@oitc.com 
I'll download the malware, process it for winnow_malware.hdb and at 
the same time send it to the ClamAV malware signature team and 
virustotal to check if others can detect.


Nice ! So, if I send a simple message with just the URL in the body it's OK ?



As long as you don't obfuscate the url my scripts will isolate the 
url or the attached malware and process.


Tom



Re: [Clamav-users] Some Virus not detected by Clamav

2009-10-16 Thread Tom Shaw

At 8:14 AM -0700 10/16/09, Dennis Peterson wrote:

Tom Shaw wrote:

Tom Shaw wrote:



If you submit a file to virus-samp...@oitc.com I'll process it 
for winnow_malware.hdb and at the same time send it to the ClamAV 
malware signature team and virustotal to check if others can 
detect.


If you submit a URL to malware to virus-samp...@oitc.com 
I'll download the malware, process it for winnow_malware.hdb and 
at the same time send it to the ClamAV malware signature team and 
virustotal to check if others can detect.


Nice ! So, if I send a simple message with just the URL in the 
body it's OK ?




As long as you don't obfuscate the url my scripts will isolate the 
url or the attached malware and process.


Is there any possibility that the sending domain will become 
"tainted" as being a repeat source of malware?


As long as they get sent only to the submission address all will be OK ;-)

Tom


Re: [Clamav-users] Some Virus not detected by Clamav

2009-10-16 Thread Tom Shaw

At 5:21 PM +0200 10/16/09, Jose-Marcio Martins da Cruz wrote:

Tom Shaw wrote:



As long as you don't obfuscate the url my scripts will isolate the 
url or the attached malware and process.


Nice ! Can I send one URL per line ? I have 20 undetected virus.


Yes it strips out all urls just don't send with a signature that 
contains your home url or else it will get processed. Hopefully it 
will not return malware so it will be discarded as dead. ;-)


Tom


Re: [Clamav-users] APER

2009-10-22 Thread Tom Shaw

At 7:02 AM -0700 10/22/09, John Rudd wrote:

Hope I haven't missed this one being discussed... but ...

APER is a project hosted at Google Code (Anti-Phishing Email Reply)
that tracks From, Reply-to, and Body URLs that match known phishing
attacks.  There are a few examples for how to use it ... but I was
wondering:

Has anyone turned this into a regularly updated set of ClamAV signatures?

I've been tasked with implementing it, and I'd love to be able to just
plug it into my existing regiment of ClamAV signatures (I currently
use MBL, MSRBL, and some (but not all) of the signatures hosted at
Sane Security).


John

Steve (sane security) was in the process of implementing at least a subset.

I have to ask however. You mentioned it contains phish urls as well. 
I have not been able to find that. However, we track phish 
urls/domains in winnow_phish_complete.ndb


Tom


[Clamav-users] where is 0.93 src?

2009-10-28 Thread Tom Shaw

The link on the website goes to SF, and there is the sig but not the gz'd source.

Please help,

Tom


[Clamav-users] Whoops where is 0.95.3 src?

2009-10-28 Thread Tom Shaw

At 1:12 PM -0400 10/28/09, Tom Shaw wrote:

The link on the website goes to SF, and there is the sig but not the gz'd source.

Please help,

Tom





Re: [Clamav-users] load issues due to sanesecurity signatures

2009-11-02 Thread Tom Shaw

At 4:10 PM -0600 11/2/09, Noel Jones wrote:

On 11/2/2009 1:42 PM, Avinash wrote:

Hi everyone,

We are using Sanesecurity signatures in clamd for scanning mails. Recently
we are seeing some load issues on clamd server due to sanesecurity
signatures (load is automatically decreasing when the sanesecurity sigs are
removed)

Has anyone faced this issue before? Sanesecurity sigs are much needed to
catch spam; is there any way that I can fix this issue? Please help me.



Likely just one of the signature files is causing problems. Try 
disabling them one at a time until load comes down to an acceptable 
level.  I'd start with winnow.complex.patterns.ldb.


Just a question. Why disable a file that currently has only 2 rules 
in it? Wouldn't you want to 1) determine what he has enabled? After 
all safebrowsing is humongous, 2) what hardware configuration and 
scan volume he is using and 3) what else is running on the machine?


After all there are a lot of us using all sanesecurity files and 
safebrowsing with no issues, which would lead one to believe that 
there is not a signature file that is causing problems but more 
probably the interaction of light hardware, higher data volume and 
other processes running on the server coupled with a large number of 
signatures.


Lets first look at what Avinash wrote. He said all was well with 
ClamAV and SaneSecurity signatures until recently.


It would be nice to know what changed. If it is that the volume of 
email has increased then he needs to look at his entire setup - what 
else is running on his machine and what it contributes to the load. 
I doubt it's a signature file causing problems per se.


Just my 2 cents,

Tom




Re: [Clamav-users] load issues due to sanesecurity signatures

2009-11-03 Thread Tom Shaw

At 9:32 PM +0530 11/3/09, Avinash wrote:

Hi everyone,

Thanks for the quick response.

We are using the below 6 sanesecurity files.

junk.ndb
phish.ndb
scam.ndb
spear.ndb
lott.ndb
spam.ldb

Some more info:

I tried adding these files one by one to the clamd database; junk.ndb is
causing the most load of all. Phish.ndb, scam.ndb and spear.ndb are also
contributing to the load.

Just to note, only the 50k sanesecurity sigs are causing load (among all
other 0.7 million sigs).
Is there any way that we can convert sanesecurity sigs to .cld (or .cvd) with
a sigtool? (ignore if not relevant)

We are running only clamd process on a Linux x86_64 server.



Avinash

I think you need to tell us more.  We run clamd (0.95.2 and 3) on a 
small, old PPC machine under unix with all official and unofficial 
signatures with mail and other apps with no issues.


Initially you said "We are using Sanesecurity signatures in clamd for 
scanning mails. Recently we are seeing some load issues on clamd 
server due to sanesecurity signatures"


Can you explain what changed between the time all was fine and your 
recent "load" issues? Can you explain what are the "load issues"? 
What version of OS and clamd?


The more information the easier it will be for us to help.

Tom



Re: [Clamav-users] [Bulk] Re: Quarantine issue with new 0.95.x clamav-milter

2009-11-09 Thread Tom Shaw

At 6:28 PM -0500 11/9/09, Jerry wrote:

On Mon, 09 Nov 2009 18:08:10 -0500
Michael Orlitzky  replied:


 Jerry wrote:
 >
 > You don't want to bounce the message, yet you are telling the sender
 > that it was not delivered. That is inconsistent. Why not simply
 > send a notice to the email originator that the message was
 > quarantined? That would be consistent and factually correct.
 >

 It's not inconsistent at all. That's what you're supposed to do with
 mail you know you can't deliver at SMTP-time. The sender's mail
 server sees the "550", and reports the non-delivery to him or her.

 Accept-and-bounce has been frowned upon for some time; it's called
 backscatter and will make you a bad person:

 http://www.backscatterer.org/?target=backscatter

 Furthermore, almost all virus mail has a forged sender, so this is a
 particularly bad place to accept-and-bounce.


Unless I am totally misunderstanding you, you want a copy of the
message. Is that correct? If so, you have in fact accepted the message
no matter how you try to word it. If you then tell the originator of the
message that it was not accepted, that would be factually incorrect. At
no point did I suggest implementing a 'backscatter' routine.

You really only have two options:

1) bounce the message
2) accept it and set up routing rules for questionable mail.


Jerry,

Not to incite a flame war here, but SMTP error codes are not built to 
capture the nuance that Michael is wrestling with.


As I understand it he wants his mailserver to accept the message and 
quarantine it for analysis and not for later delivery and NOT deliver 
it to the recipient.


It seems to me perfectly acceptable to return a 5xx as the message 
has not been accepted for delivery to the recipient.


Tom


Re: [Clamav-users] SubmitDetectionStats Error

2009-11-20 Thread Tom Shaw

At 11:14 AM +0100 11/20/09, Luca Gibelli wrote:

Hello Greg,


 FYI, I'm still getting the submission error.
 ERROR: SubmitDetectionStats: Remote server reported temporary 
failure: under maintenance


it looks like it will need some more time. I hope it will be back online
by monday.


Pardon this one's humble opinion and this is not meant to start a 
flame war but...


You know, this whole situation does sound more than a little hobby 
shoppy. Doesn't SourceFire feel more than a little embarrassed?


I can't imagine that it would be that hard to at least spool the 
reports for later processing.  Further, your stats web site states 
"VRT Active Malware Report at 22:16 on 11/19/09 GMT" today, which is 
clearly not true.


If you are going to provide a "realtime" service such as your stats, 
then you should post reliable status of the service. It's been 7 days 
and still no status report posted to the stats page!


This can't be all that hard.

Just my 2 cents.

Tom


Re: [Clamav-users] SubmitDetectionStats Error

2009-11-21 Thread Tom Shaw

At 2:16 PM +0100 11/21/09, Luca Gibelli wrote:

Hello,


 > FYI, I'm still getting the submission error.
 > ERROR: SubmitDetectionStats: Remote server reported temporary 
failure: under maintenance

 it looks like it will need some more time. I hope it will be back online
 by monday.


The service is back online.

We are trying to do the best that we can with the resources we have.

I had to take the service down because we were running short of space
and our budget currently doesn't allow us to allocate more resources to this
service.

Admittedly, this sucks.

Good news is that I made use of this time to add support for "per user
statistics", a new feature that will be launched together with 0.96
(see our roadmap: http://www.clamav.net/about/roadmap).

I'm always receptive to constructive criticism and advice and I'm happy
that so many people on this mailing list were able to provide such
high-level feedback on this occasion.


Luca,

I must admit that I do not understand what kind of space issues would 
require bringing an entire realtime reporting system offline for a 
week. That said, I and others on this list do appreciate your efforts 
especially under budget constraints.


I do feel that if clamav/sourcefire is going to provide any realtime 
service, such as stats or your standard signature distributions, you 
need to provide a status page, maybe using mrtg or something 
equivalent along with manual generated messages when situations 
become dire, to inform the user community of what is going on. 
Realtime systems owe their users proactive reporting and not 
responses to list questions such as "are you down?" hours or days 
later.


The scheduled capabilities in your roadmap for deployment just 70 to 
90 days away include even more realtime services such as extended and 
per user stats and infrastructure for 3rd party stats yet there is no 
mention of a clamav.net infrastructure operational status reporting 
system nor hardware upgrades to mitigate the current lack of 
capabilities.


Based upon your budget and equipment constraints as stated above, the 
recent outage, and considering the increased realtime services to be 
made available shortly, the user community needs a status dashboard 
at clamav.net for now and for the future.


Luca, I know you are stressed and I will offer some help for this 
project during my free time ;-) if you need and I am sure that others 
on this list will offer support as well.


Tom


[Clamav-users] Detection Reporting

2009-11-25 Thread Tom Shaw
I have been looking at performing a single freshclam update and then 
distributing that update internally but I cannot find how to report 
detections from all the internal systems. Anyone have an idea on what 
I am missing?


Tom



Re: [Clamav-users] Clamd & Clamav yield different results

2009-11-29 Thread Tom Shaw

At 11:57 AM -0600 11/29/09, James Babcock wrote:

Thanks so much for the prompt response.

I have an Intel iMac running Mac OS 10-6-2 plus all updates.

Using Mac's "Terminal" option, I found no MAN pages you suggest.
I am beginning to think that, as a clamav user, I need a Linux version running
under my VMWare system just to get more 'UNIXfied'.

Cheers, Jim B


Jim, I don't think so. I have no idea where ClamXAV puts clamav, nor 
if it is up to date, nor how it is configured. I do remember that it 
installs everything in non-standard locations, so it doesn't surprise 
me that you might not find it easily.


http://www.oitc.com/ctw/clamav/ installs 0.95.3 in the default 
locations, autoconfigures clamd.conf and freshclam.conf and installs 
launchd plists for clamd and freshclam. Additionally, it integrates 
clamav logs into the OSX log system.


You don't need linux to become more "unixfied"; OSX is BSD unix under 
the hood after all.


Tom

PS Don't forget to set your bash profile to search /usr/local/bin as 
part of your search path in Terminal, or else you will have to prepend 
/usr/local/bin to each "clam" command on the command line.



Re: [Clamav-users] Clamd & Clamav yield different results

2009-11-29 Thread Tom Shaw

At 12:57 PM -0800 11/29/09, Dennis Peterson wrote:

James Babcock wrote:

Thanks so much for the prompt response.

I have an Intel iMac running Mac OS 10-6-2 plus all updates.

Using Mac's "Terminal" option, I found no MAN pages you suggest. I am 
beginning to think that, as a clamav user, I need a Linux version 
running under my VMWare system just to get more 'UNIXfied'.


Cheers, Jim B


The Mac version is as Unixfied as it gets. But the man pages for what 
you're looking for may not exist in your default man path (in a 
terminal: echo $MANPATH). Then execute man man, and man manpath. Use 
find in a terminal to find all your man page locations. Spotlight 
won't work.


There is no important difference between the way clamAV runs in a Mac 
vs Linux. One important point has to do with the Mac file system, 
which by default is case weird. It treats upper and lower case 
filenames oddly compared to Unix and Linux systems, and even within 
the Mac, depending on whether you are using command line tools or GUI 
tools.


I'm running ClamAV on a Mac, Sun Sparc with Solaris, and Linux. I'll 
soon have it running on a Mac Mini Server though on that system the 
case issues will be corrected. Anyway - it works fine on a Mac.


Actually, Dennis, it comes preinstalled on Mini Server; it is just 
located in /usr/bin and it's version 0.95.2.


Tom


Re: [Clamav-users] ClamAV Memory Usage

2009-12-01 Thread Tom Shaw

At 12:39 AM + 12/2/09, Gordan Bobic wrote:

Hi,

Can anyone explain why clamd 0.95.3 might use 190MB of RAM after 5 
days of light usage (few hundred emails)? It is the single biggest 
process on my mail servers, and I'm not convinced its size is 
reasonably justifiable. The database files under /var/lib/clamav use 
about 70MB. So, even assuming this is kept in memory at all times, 
where does the other 120MB come from?


I have looked through various mailing list and forum archives, but 
have not found a reasonable answer to this question, despite it 
being raised a few times.


Have you turned on safebrowsing in your config file?

Tom


Re: [Clamav-users] How does Clam stand up to Commercial A/V?

2009-12-03 Thread Tom Shaw

At 3:50 PM +0300 12/3/09, Anatoly Pugachev wrote:

Someone with linkedin account, could be interested in commenting the
following discussion
http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&discussionID=10222162&gid=107486



Anatoly

What's the group's name?

Tom


Re: [Clamav-users] How does Clam stand up to Commercial A/V?

2009-12-03 Thread Tom Shaw

Thanks! I am "awaiting approval"

At 4:18 PM +0300 12/3/09, Anatoly Pugachev wrote:

Tom,

I'm sorry, it's "IT Core Infrastructure" group, mentioned discussion
topic is "Wanted to get a feel of what people are using for an
Enterprise Anti-virus solution in an environment with over 200
computers. We've used Symantec AV for 5 years now." opened by Robert
Tana.

Thanks.

On 03.12.2009 / 08:10:30 -0500, Tom Shaw wrote:

 At 3:50 PM +0300 12/3/09, Anatoly Pugachev wrote:
 >Someone with linkedin account, could be interested in commenting the
 >following discussion
 
>http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&discussionID=10222162&gid=107486
 >

 Anatoly

 What's the group's name?

 Tom



--
Tom Shaw - Chief Engineer, OITC
, http://www.oitc.com/ local wx: http://www.oitc.com/weather
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 321-258-2475 
(cell/voice mail,pager) US skypeline: 321-622-9098

Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trs...@mac.com
Skype: trshaw

Fish more and Live longer
To err is human.  To purr, feline


Re: [Clamav-users] How does Clam stand up to Commercial A/V?

2009-12-03 Thread Tom Shaw

At 3:04 PM +0100 12/3/09, Jan Pieter Cornet wrote:

On Tue, Nov 24, 2009 at 04:17:50PM -0400, Robin wrote:

 I am administering 7 Debian based LAMP servers and am working to get
 anti-virus to scan uploads as they happen.  Since I am a lone sheep in
 the Microsoft wild of a larger organization I need to prove that Clam
 is up for the task and at least at par with commercial A/V such as
 McAfee Commandline Scanner.

 I have found a few articles stating that Clam is in some cases
 superior to most of the commercial counterparts.

 I am looking for feedback and thoughts on this so I can bring my case
 to the powers that we do not need to dish out $$ to provide virus
 protection.


Your responses are likely to be biased by asking clamav-users :)

So let me give a slightly more negative argument. ClamAV used to be
quite fast in responding to virus threats, but is currently pretty slow
in response to email viruses. We use ClamAV only to scan email on an
SMTP server(farm) (approx 3E7 msgs/day).

We run 3 virus scanners, and I get daily statistics on the number of
viruses caught by each scanner, detailing exactly which viruses were
found by which scanner.

For at least half a year, clamav has been the slowest to respond to new
threats, usually taking at least a day, sometimes two days, to catch up.
The number of viruses that ClamAV finds that the others don't, is
negligible (a handful a day, and those are usually marked as spam
anyway).

That said, we only use the standard databases, and we disabled phishing
heuristics (too many false positives). Scanning accuracy might improve
if you add other malware databases. But I don't want to spend too much
CPU and memory on ClamAV.

Note that this isn't a complaint - I realise I get what I pay for, but
given that admin time isn't free either, ClamAV is definitely worse than
commercial AV products, even if you consider performance/price ratio.

Be aware that YMMV.


Jan-Pieter,

I would suggest that a selected group of unofficial signature files 
can dramatically improve performance without causing too much CPU and 
memory usage.


For example, these third party signatures detected the recent zeus 
outbreaks (not to mention the google jobs, IRS and others) in one 
case before any other AV vendor and usually the same time as 2-3.


Just my 2 cents,

Tom



Re: [Clamav-users] Phishing detection on downloaded pages

2009-12-11 Thread Tom Shaw

At 3:53 PM +0200 12/10/09, Török Edwin wrote:

On 2009-12-10 15:41, Sundara Kaku wrote:

 Hi,

As you mentioned "clamav would scan the mail".. means.. can I add the
 downloaded webpage as an attachment to an email with (javamail api), save
 that mail as an eml file and send this file for scanning..

 Is this practically possible? Does clamav scan html attachments for
 phishing links and malicious javascript?



No, it scans only the html body.


Edwin,

This thread brings up a number of items not in the docs.

You state here that clamav only scans the html body. Hopefully you 
don't really mean that the html head part and anything beyond the 
/body tag is not scanned.


You also stated in this thread that to get clamav to process and 
detect in an html file you would have to encapsulate it in an email. 
Why is that? Does this mean that if I use clamav to process a 
directory, say, on my server, that it will not detect bad html files 
or bad php files?  Is this true for graphics as well?


What files are matched to signatures of type 1 through 7?

Tom



Re: [Clamav-users] Phishing detection on downloaded pages

2009-12-11 Thread Tom Shaw

At 9:31 PM +0200 12/11/09, Török Edwin wrote:

On 2009-12-11 21:14, Tom Shaw wrote:

 At 3:53 PM +0200 12/10/09, Török Edwin wrote:

 >> On 2009-12-10 15:41, Sundara Kaku wrote:
The heuristic phishing detector only works on emails correctly, not
websites by design, hence there is no point
in running it on downloaded webpages. Why? Because a phishing email
contains a link  email of banksite ,
a phishing website will contain a login form looking similar to a banksite.
These are very different things.


True, but we have seen phishing sites that start with a front page 
that does contain links like <a href="...evilurl..."> update your 
data </a>, so disabling the heuristic phishing detector would be 
counter productive.



Safebrowsing was only used on links found in emails by design, links
found in other HTML files are not checked to improve performance,
and because there are other ways to protect web browsers from malicious
URLs listed in the safebrowsing DB in near realtime (for example firefox).


Again this doesn't help when scanning a server for planted files etc.


Possibly these should be options for clamdscan and clamscan for file 
based scanning?


Tom

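To make the distinction in this thread concrete, here is an added Python example (not ClamAV's code) of the display-URL versus real-URL check that a mail phishing heuristic performs: an anchor is flagged when its visible text looks like a hostname or URL while its href points at a different host. The sample mail body is constructed for the demonstration, using reserved example domains and a TEST-NET address. Links whose text is ordinary words ("Click here") are not flagged by this check, which is why it has little to say about a phishing web page whose links all read like that.

```python
"""Simplified display-URL vs. real-URL phishing heuristic for HTML mail bodies.
Added example, not ClamAV code; the real detector normalises domains and
handles many more cases than this."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mail body (not from the thread). Reserved example domains
# and a TEST-NET address are used so nothing here points at a real host.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Dear customer, please confirm your details:</p>
<a href="http://198.51.100.7/login">www.examplebank.com</a><br>
<a href="http://www.examplebank.com/">www.examplebank.com</a><br>
<a href="http://update.example.net/">Click here</a>
</body></html>
"""

# Visible link text that reads like a hostname or URL
_HOSTLIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _hostname(url_like):
    """Hostname of a URL, or of bare 'www.host.tld/path' text (http assumed)."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlparse(url_like).hostname or "").lower()


def find_display_mismatches(html):
    """Return [(visible_text, href)] for links whose visible text looks like a
    URL or hostname but whose href resolves to a different host."""
    parser = _LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        shown = text.lower()
        if not _HOSTLIKE.match(shown):
            continue  # ordinary words: nothing to compare against
        if _hostname(shown) != _hostname(href):
            hits.append((text, href))
    return hits


if __name__ == "__main__":
    for text, href in find_display_mismatches(SAMPLE_EMAIL_HTML):
        print("display/real URL mismatch: shows %r but goes to %s" % (text, href))
```

Running it on the sample reports only the first link; the second shows and goes to the same host, and the third is never considered because its text is not address-like.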

Re: [Clamav-users] ExcludePath, defining absolute path

2009-12-16 Thread Tom Shaw

At 6:11 AM + 12/16/09, dev.ad...@ntlworld.com wrote:

Hi,

I know this is an old topic that seems to have caused
some problems in the past and has apparently been fixed
in version .3, but I still can't get it to work.

I'm using OSX and I would like to scan the boot volume
but one of the directories is called 'Volumes' which
contains directories and links to other volumes which I
scan separately.

Is it possible to exclude an absolute path using the
configure variable ExcludePath?

A.

A.

Why don't you just do something like

sudo clamscan /

Tom


[Clamav-users] TargetType

2010-02-13 Thread Tom Shaw
How does one determine what TargetType ClamAV will assign to a file 
or attachment?  I have been all through the docs and wiki and can 
find no specifics.


Any and all help is appreciated.

Tom



Re: [Clamav-users] TargetType

2010-02-16 Thread Tom Shaw

At 4:15 PM + 2/16/10, Steve Basford wrote:


 Attached document? I did not see an attachment. Can you send a link?


Is this the TargetType you are after...


2.3.4 Extended signature format

The extended signature format allows for specification of additional
information such as a target file type, virus offset or engine version,
making the detection more reliable. The format is:

MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel:[Max]]

where TargetType is one of the following numbers specifying the type of the
target file:

0 = any file
1 = Portable Executable
2 = OLE2 component (e.g. a VBA script)
3 = HTML (normalised)
4 = Mail file
5 = Graphics
6 = ELF
7 = ASCII text file (normalised)

And Offset is an asterisk or a decimal number n possibly combined with a
special modifier:

Source: http://www.clamav.com/doc/latest/signatures.pdf



Steve et al,

Yes, I know all this. As I told Alain, I have read all available docs 
but they (nor the wiki) do not explain how a "7" is determined (eg by 
extension, if so which ones, or by contents, if so how), are php's and 
perl's considered ascii, portable executable or html or what, is 
an rtf considered an OLE or ascii or what, and what does a zeus bin 
file get categorized as? Answers for these and many other questions 
like these I have searched the docs to find, with no joy.


Tom


Re: [Clamav-users] TargetType

2010-02-16 Thread Tom Shaw

On 02/16/2010 09:15 PM, Tom Shaw wrote:

 At 4:15 PM + 2/16/10, Steve Basford wrote:


  Attached document? I did not see an attachment. Can you send a link?


 Is this the TargetType you are after...


 2.3.4 Extended signature format

 The extended signature format allows for specification of additional
 information such as a target file type, virus offset or engine version,
 making the detection more reliable. The format is:


MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel:[Max]]


 where TargetType is one of the following numbers specifying the type
 of the
 target file:

 0 = any file
 1 = Portable Executable
 2 = OLE2 component (e.g. a VBA script)
 3 = HTML (normalised)
 4 = Mail file
 5 = Graphics
 6 = ELF
 7 = ASCII text file (normalised)

 And Offset is an asterisk or a decimal number n possibly combined with a
 special modifier:

 Source: http://www.clamav.com/doc/latest/signatures.pdf



 Steve et al,

 Yes, I know all this. As I told Alain, I have read all available docs
 but they (nor the wiki) do not explain how a "7" is determined (eg by
 extension, if so which ones, or by contents, if so how), are php's and
 perl's considered ascii, portable executable or html or what, is
 an rtf considered an OLE or ascii or what, and what does a zeus bin
 file get categorized as? Answers for these and many other questions
 like these I have searched the docs to find, with no joy.


Hi Tom,

Didn't my reply answer your question?

[which I've forwarded to -users, but I forgot that it strips
attachments, here it is again]

The file type is determined by signatures in daily.ftm (or the builtin
ones in filetypes_int.h if that is missing) on a portion at the
beginning of the file.

sigtool --unpack-current daily
cat daily.ftm

As for binary versus ascii, utf8, utf16be, utf16le see textdet.c, it
looks at the beginning of the file and determines which one it could be,
based on the ratio of how many good/bad ascii, utf8, etc. characters it
has seen.

Also there are some signatures that are detected on the fly (not only at
the beginning of the file), during a type0 scan:
/* bigger numbers have higher priority (in o-t-f detection) */
CL_TYPE_HTML, /* on the fly */
CL_TYPE_MAIL,  /* magic + on the fly */
CL_TYPE_SFX, /* foo SFX marker */
CL_TYPE_ZIPSFX, /* on the fly */
CL_TYPE_RARSFX, /* on the fly */
CL_TYPE_CABSFX,
CL_TYPE_ARJSFX,
CL_TYPE_NULSFT, /* on the fly */
CL_TYPE_AUTOIT,
CL_TYPE_ISHIELD_MSI,

These filetypes are used both to determine what signature to match, and
what unpacker to run.

And the mapping from CL_TYPE to signature targettypes is in matcher.h:
{ 0,"GENERIC",  0,  0, 1 },
{ CL_TYPE_MSEXE,"PE",   1,  0, 1 },
{ CL_TYPE_MSOLE2,   "OLE2", 2,  1, 0 },
{ CL_TYPE_HTML, "HTML", 3,  1, 0 },
{ CL_TYPE_MAIL, "MAIL", 4,  1, 1 },
{ CL_TYPE_GRAPHICS, "GRAPHICS", 5,  1, 0 },
{ CL_TYPE_ELF,  "ELF",  6,  1, 0 },
{ CL_TYPE_TEXT_ASCII,   "ASCII",7,  1, 1 },
/* note that this actually includes utf8, utf16be, and utf16le too! */

{ CL_TYPE_ERROR,"NOT USED", 8,  1, 0 },
{ CL_TYPE_MACHO,"MACH-O",   9,  1, 0 }



Thanks SO much,  Edwin!

Is there a def of the .ftm format?

Tom

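The two steps Edwin describes, typing a file from its leading bytes and then only trying the signatures whose TargetType matches that type, can be modelled in a few lines. The following Python is an added example, not ClamAV's code: its three-entry magic table stands in for daily.ftm, the printable-ASCII test stands in for textdet.c, and the signature names, sample bytes, supported offset forms (`*`, a decimal offset, `EOF-n`) and wildcards (`??`, `*`) are a small subset chosen for illustration. It shows why the same byte pattern written as a type-1 signature does not fire on an ASCII file that a type-7 signature catches.

```python
"""Toy model of ClamAV's TargetType gating for extended (.ndb) signatures.
Added example, not ClamAV code: the magic table stands in for daily.ftm and
the printable check for textdet.c; the real engine supports far more offset
and wildcard forms than are handled here."""
import re

# TargetType numbers as listed in the signature documentation quoted above
TARGET_TYPES = {
    0: "any file", 1: "Portable Executable", 2: "OLE2 component",
    3: "HTML (normalised)", 4: "Mail file", 5: "Graphics",
    6: "ELF", 7: "ASCII text file (normalised)",
}

# Constructed magic table: (target type, offset, magic bytes, case-insensitive)
MAGIC = [
    (1, 0, b"MZ", False),
    (6, 0, b"\x7fELF", False),
    (3, 0, b"<html", True),
]


def detect_target_type(data):
    """Assign a TargetType from leading magic, falling back to 7 for plain
    ASCII text and 0 (generic) for everything else."""
    for ttype, offset, magic, nocase in MAGIC:
        head = data[offset:offset + len(magic)]
        if (head.lower() if nocase else head) == magic:
            return ttype
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return 7
    return 0


def _hex_to_regex(hexsig):
    """Translate the HexSignature field into a bytes regex: plain hex pairs,
    the ?? single-byte wildcard and the * gap (a subset of the real syntax)."""
    parts, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*?")
            i += 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb(line):
    """Parse MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("not an extended signature: %r" % line)
    name, ttype, offset, hexsig = fields[:4]
    return {"name": name, "target": int(ttype), "offset": offset,
            "pattern": _hex_to_regex(hexsig)}


def match_signature(sig, data, detected_type):
    """A type-N signature is only tried against files detected as type N;
    type 0 signatures are tried against everything."""
    if sig["target"] not in (0, detected_type):
        return False
    offset = sig["offset"]
    if offset == "*":
        return sig["pattern"].search(data) is not None
    if offset.startswith("EOF-"):
        start = max(len(data) - int(offset[4:]), 0)
    else:
        start = int(offset)
    return sig["pattern"].match(data, start) is not None


def scan(data, signatures):
    """Names of all signatures that hit on data after the TargetType gate."""
    ttype = detect_target_type(data)
    return [s["name"] for s in signatures if match_signature(s, data, ttype)]


# Constructed signatures and samples (not real malware, not from the thread)
SIGS = [parse_ndb(s) for s in (
    "Demo.PE.Stub:1:0:4d5a90??",        # MZ 0x90 then any byte, PE files only
    "Demo.Text.Key:7:*:706173737764",   # "passwd" anywhere in an ASCII file
    "Demo.PE.Key:1:*:706173737764",     # same bytes, but gated to PE files
    "Demo.Any.Tail:0:EOF-4:deadbeef",   # last four bytes of any file
)]
PE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60
TEXT_SAMPLE = b"user=root\npasswd=hunter2\n"
TAIL_SAMPLE = b"\x00\x01\x02\xde\xad\xbe\xef"

if __name__ == "__main__":
    for label, sample in (("pe", PE_SAMPLE), ("text", TEXT_SAMPLE), ("tail", TAIL_SAMPLE)):
        t = detect_target_type(sample)
        print(label, "-> type", t, TARGET_TYPES[t], scan(sample, SIGS))
```

The gate is the point of the exercise: Demo.PE.Key and Demo.Text.Key carry the same bytes, but only the one whose TargetType agrees with the detected type is ever tried, so a file typed "wrongly" at the magic step is invisible to every signature written for the type it should have had.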

Re: [Clamav-users] TargetType

2010-02-16 Thread Tom Shaw
Thanks, Alain. This helps. Let me noodle on the information. Is there 
a definition of the .ftm file or will I have to look through the code?


Thanks, again,

Tom

At 3:01 PM -0500 2/16/10, Alain Zidouemba wrote:

Tom:

Is this the answer you were looking for?

--
Alain S. Zidouemba
Research Engineer, Vulnerability Research Team
SOURCEfire
Tel: 1(410)423-4764
email: alain.zidoue...@sourcefire.com


2010/2/15 Alain Zidouemba <azidoue...@sourcefire.com>


Courtesy of Edwin:


The file type is determined by signatures in daily.ftm (or the builtin
ones in filetypes_int.h if that is missing) on a portion at the
beginning of the file.

sigtool --unpack-current daily
cat daily.ftm

As for binary versus ascii, utf8, utf16be, utf16le see textdet.c, it
looks at the beginning of the file and determines which one it could be,
based on the ratio of how many good/bad ascii, utf8, etc. characters it
has seen.

Also there are some signatures that are detected on the fly (not only at
the beginning of the file), during a type0 scan:
/* bigger numbers have higher priority (in o-t-f detection) */
  CL_TYPE_HTML, /* on the fly */
  CL_TYPE_MAIL,  /* magic + on the fly */
  CL_TYPE_SFX, /* foo SFX marker */
  CL_TYPE_ZIPSFX, /* on the fly */
  CL_TYPE_RARSFX, /* on the fly */
  CL_TYPE_CABSFX,
  CL_TYPE_ARJSFX,
  CL_TYPE_NULSFT, /* on the fly */
  CL_TYPE_AUTOIT,
  CL_TYPE_ISHIELD_MSI,

These filetypes are used both to determine what signature to match, and
what unpacker to run.

And the mapping from CL_TYPE to signature targettypes is in matcher.h:
  { 0,"GENERIC",  0,  0, 1 },
  { CL_TYPE_MSEXE,"PE",   1,  0, 1 },
  { CL_TYPE_MSOLE2,   "OLE2", 2,  1, 0 },
  { CL_TYPE_HTML, "HTML", 3,  1, 0 },
  { CL_TYPE_MAIL, "MAIL", 4,  1, 1 },
  { CL_TYPE_GRAPHICS, "GRAPHICS", 5,  1, 0 },
  { CL_TYPE_ELF,  "ELF",  6,  1, 0 },
  { CL_TYPE_TEXT_ASCII,   "ASCII",7,  1, 1 },
/* note that this actually includes utf8, utf16be, and utf16le too! */

  { CL_TYPE_ERROR,"NOT USED", 8,  1, 0 },
  { CL_TYPE_MACHO,"MACH-O",   9,  1, 0 }

--

Alain S. Zidouemba
Research Engineer, Vulnerability Research Team
SOURCEfire
Tel: 1(410)423-4764
email: alain.zidoue...@sourcefire.com


On Sat, Feb 13, 2010 at 7:30 PM, Tom Shaw <ts...@oitc.com> wrote:

 Pardon me, Alain, but I did say I did due diligence in looking before
 asking. I have read that before and will have to say the document is lacking
 on much content.  Further it doesn't tell me squat about what/how clam
 assigns files to a TargetType.  For example how is a zeus .bin file
 categorized? or a command file, or how is an "ascii" file determined to be an
 "ascii" file and ..

 Tom

 At 6:58 PM -0500 2/13/10, Alain Zidouemba wrote:


 You can find the document here:


 http://www.clamav.com/doc/latest/signatures.pdf

 --
 Alain S. Zidouemba
 Research Engineer, Vulnerability Research Team
 SOURCEfire
 Tel: 1(410)423-4764
 email: alain.zidoue...@sourcefire.com



 On Sat, Feb 13, 2010 at 6:50 PM, Tom Shaw <ts...@oitc.com> wrote:


  That's GREAT, Alain but no attachment was attached :-(

  Tom

  At 6:02 PM -0500 2/13/10, Alain Zidouemba wrote:


  Tom,

  You can find the answer in the attached document.

  On Feb 13, 2010 5:49 PM, "Tom Shaw" <ts...@oitc.com> wrote:


  How does one determine what TargetType ClamAV will assign to a file or
  attachment?  I have been all through the docs and wiki and can find no
  specifics.

  Any and all help is appreciated.


  Tom





Re: [Clamav-users] clamav syslog and cron

2010-03-09 Thread Tom Shaw

At 6:50 PM -0400 3/9/10, Timothy Legge wrote:

Hi

I am trying to schedule a cron job to scan files and if a virus is
noticed to log that via syslog so it can be sent to a remote syslog
server.

I have successfully done this by using clamd and clamdscan however the
logs show:

Mar  9 17:45:04 server1 clamd[26200]: fd[12]: Eicar-Test-Signature FOUND

I am assuming that the fd[12] is because I used:

clamdscan --fdpass --infected --quiet

I would prefer to get the file name in the logs but I had to pass
--fdpass as the option so clamd would scan files that it did not have
permission to scan.

Should I approach this in a different way like using clamscan instead?
 It does not look like clamscan can write to syslog but I could be
wrong.



Tim

Why don't you just get rid of --fdpass and run the cron job as root?

Tom


[Clamav-users] quick question on freshclam

2010-03-09 Thread Tom Shaw
I want to change how I run freshclam on OSX from running as a daemon 
to running periodically using launchd.  Unfortunately, freshclam's 
returning of 1 when no updates were required causes issues with 
launchd since it thinks freshclam exited abnormally and attempts to 
respawn.


Now, I can easily put a shell script between launchd and freshclam to 
solve this (in fact I have) but it would be much cleaner if I could 
tell freshclam to return 0 for both "good" events, eg updated and no 
need to update.


Anyone got an idea on how to do this?

Tom


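The wrapper Tom describes, written out as an added Python example (not part of ClamAV and not Tom's script): it runs freshclam, treats exit status 1 as the "already up to date" outcome described in the post, and hands launchd a 0 for both good cases while passing any other status through unchanged so a real failure still shows up as one. The default freshclam path is an assumption; launchd would name this script and the freshclam command line in the job's ProgramArguments.

```python
"""Run freshclam as a periodic launchd job and normalise its exit status.
Added example, not ClamAV code. Assumption, taken from the post: freshclam
exits 1 when the databases were already current."""
import subprocess
import sys

UP_TO_DATE = 1                 # "nothing to update" status, as described in the post
PYTHON = sys.executable        # used only to exercise the wrapper without freshclam
DEFAULT_CMD = ["/usr/local/bin/freshclam", "--quiet"]   # assumed install path


def run_freshclam_for_launchd(argv):
    """Run the command line argv and return the status launchd should see:
    0 for both 'updated' and 'already up to date'; any other status is
    reported on stderr and returned as-is so launchd still sees a failure."""
    rc = subprocess.call(argv)
    if rc in (0, UP_TO_DATE):
        return 0
    print("freshclam failed with exit status %d" % rc, file=sys.stderr)
    return rc


if __name__ == "__main__":
    # Arguments after the script name are the freshclam command line;
    # without any, fall back to the assumed default.
    sys.exit(run_freshclam_for_launchd(sys.argv[1:] or DEFAULT_CMD))
```

Pair it with a StartInterval in the plist and drop the daemon mode, and launchd stops treating an up-to-date database as a crash.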

[Clamav-users] Bad link on site to 0.96RC1

2010-03-10 Thread Tom Shaw

The link on http://www.clamav.net/ to 0.96.rc1 actually downloads 0.95.3.

It should be 
http://sourceforge.net/projects/clamav/files/clamav/0.96rc1/clamav-0.96rc1.tar.gz/download


Tom



Re: [Clamav-users] Bad link on site to 0.96RC1

2010-03-10 Thread Tom Shaw

At 12:39 AM +0100 3/11/10, Luca Gibelli wrote:

Hello Tom,


 The link on http://www.clamav.net/ to 0.96.rc1 actually downloads 0.95.3.


both links on www.clamav.net and www.clamav.net/download/sources work
correctly for me.


Thanks Luca. It must have been fixed because my first download was 
absolutely 0.95.3 so I navigated manually in SF.net to find the 
download originally.


Tom



[Clamav-users] FYI

2010-03-11 Thread Tom Shaw
Link to 0.95.3 on http://www.clamav.net/download/sources/ actually 
goes to 0.96rc1


Tom



Re: [Clamav-users] ***** SPAM ***** ***** SPAM ***** Re: 0.96rc1 LibClamAV Warning: JIT not compiled in

2010-03-12 Thread Tom Shaw

At 2:46 PM -0600 3/12/10, George R. Kasica wrote:

We've compiled and are running here as well with Red Hat EL4 (gcc
3.4.6-11.el4_8.1) and Red Hat EL5 (gcc 4.1.2-46.el5_4.2) both of which
are the latest released versions of gcc from Red Hat RPMs and are
seeing the same JIT failures...how new are you expecting the gcc to
be?

There's no way that our environment is going to be able to put
something newer out than what is released by the Distro
vendor. That it falls back to another mode is fine, but there's an
awful lot of RHEL5 out there that I'm betting is running that rev of
gcc that will see this error.


I had a similar problem on OSX. I added this configure option:

--enable-llvm

and JIT compiles

Tom



[Clamav-users] Missed detection

2010-03-18 Thread Tom Shaw
I have a md5 based signature, winnow.malware.2015, that I created 
from a file ./malware/style25.dat-4mmrTv  The signature is:


23848f3f080237b7e2d2313496f4c00f:3680:winnow.malware.2015

I can see it's in my clam sigs by:

$ sigtool --list-sigs=/usr/local/share/clamav/winnow_malware.hdb | 
grep "winnow.malware.2015"

winnow.malware.2015

Yet when I check it, clamscan does not detect it (using 0.95.3):

$ clamscan ./malware/style25.dat-4mmrTv
./malware/style25.dat-4mmrTv: OK

I even checked my signature using sigtool and my signature matches:

sigtool --md5 ./malware/style25.dat-4mmrTv
23848f3f080237b7e2d2313496f4c00f:3680:./malware/style25.dat-4mmrTv


Any ideas?  I have a couple more like this in my DB.

Tom

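As an added example (not from the thread, and not a ClamAV tool), a small POSIX shell checker for the md5:size:name entries shown above: it validates each line the way a loader would and matches a file on both hash and exact byte count, which is why a copy that differs by a single byte from the one the signature was built from is reported as OK. It assumes either md5sum or md5 is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): check a file against a ClamAV .hdb
# database whose lines have the form md5:size:name, as in the message above.
# Both the MD5 and the byte count must match; malformed lines are reported
# on stderr and skipped.

# file_md5 FILE: lowercase hex MD5 of FILE (md5sum on Linux, md5 on macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# file_size FILE: size of FILE in bytes.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# valid_entry MD5 SIZE: 0 if MD5 is 32 lowercase hex digits and SIZE is decimal.
valid_entry() {
    [ "${#1}" -eq 32 ] || return 1
    case "$1" in *[!0-9a-f]*) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# hdb_check DB FILE: print the name of every signature in DB matching FILE;
# return 0 if at least one matched, 1 otherwise.
hdb_check() {
    db=$1 target=$2
    sum=$(file_md5 "$target")
    size=$(file_size "$target")
    found=1
    # the "|| [ -n ... ]" keeps a final line that lacks a trailing newline
    while IFS=: read -r sig_md5 sig_size sig_name _rest || [ -n "$sig_md5" ]; do
        # skip blank lines and comments
        case "$sig_md5" in
            ''|'#'*) continue ;;
        esac
        sig_md5=$(printf '%s' "$sig_md5" | tr 'A-F' 'a-f')
        if ! valid_entry "$sig_md5" "$sig_size"; then
            echo "malformed entry skipped: $sig_md5:$sig_size:$sig_name" >&2
            continue
        fi
        if [ "$sig_md5" = "$sum" ] && [ "$sig_size" = "$size" ]; then
            echo "$sig_name"
            found=0
        fi
    done < "$db"
    return $found
}
```

Run it as `hdb_check /usr/local/share/clamav/winnow_malware.hdb ./malware/style25.dat-4mmrTv`; if the hash matches but the size does not, the signature was built from a different copy of the file.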


[Clamav-users] byte code compiler configure issues

2010-04-30 Thread Tom Shaw

I have the following configure problem:

$ cd obj && ../llvm/configure --enable-optimized 
--enable-targets=host-only --disable-bindings 
--prefix=/usr/local/clamav
configure: WARNING: Unknown project (clamdriver) won't be configured 
automatically
configure: WARNING: Unknown project (ifacegen) won't be configured 
automatically

checking build system type... i386-apple-darwin9.8.0
checking host system type... i386-apple-darwin9.8.0
checking target system type... i386-apple-darwin9.8.0

Any ideas?

Tom


Re: [Clamav-users] byte code compiler configure issues

2010-05-01 Thread Tom Shaw

At 8:52 AM +0300 5/1/10, Török Edwin wrote:

On 05/01/2010 01:17 AM, Tom Shaw wrote:

 I have the following configure problem:

 $ cd obj && ../llvm/configure --enable-optimized
 --enable-targets=host-only --disable-bindings --prefix=/usr/local/clamav
 configure: WARNING: Unknown project (clamdriver) won't be configured
 automatically
 configure: WARNING: Unknown project (ifacegen) won't be configured
 automatically
 checking build system type... i386-apple-darwin9.8.0
 checking host system type... i386-apple-darwin9.8.0
 checking target system type... i386-apple-darwin9.8.0

 Any ideas?


You can ignore those warnings, they are harmless (clamdriver and
ifacegen don't need to be configured, they use the makefiles from
toplevel llvm).

Did configure succeed?


Yes but make didn't :-(

CC="/usr/bin/gcc-4.2" CXX="/usr/bin/g++-4.2" 
../llvm/configure --enable-optimized 
--enable-targets=host-only --disable-bindings 
--prefix=/usr/local/clamav

(ulimit -t 3600 -v 512000 && make clambc-only -j4)


ClamBCModule.cpp  errors and gets me

llvm[3]: Compiling ClamBCOptimizers.cpp for Release build
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/ClamBCModule.cpp: 
In member function 'virtual bool 
ClamBCModule::runOnModule(llvm::Module&)':
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/ClamBCModule.cpp:183: 
error: 'class std::vectorstd::allocator >' has no member 
named 'data'
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/ClamBCCommon.h: 
At global scope:
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/ClamBCCommon.h:50: 
warning: 'clamav::apicall_begin' defined but not 
used
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/ClamBCCommon.h:51: 
warning: 'clamav::apicall_end' defined but not 
used
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/ClamBCCommon.h:52: 
warning: 'clamav::globals_begin' defined but not 
used
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/ClamBCCommon.h:53: 
warning: 'clamav::globals_end' defined but not 
used
make[3]: *** 
[/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/clamav-bytecode-compiler/obj/lib/Target/ClamBC/Release/ClamBCModule.o] 
Error 1

make[3]: *** Waiting for unfinished jobs
llvm[2]: Building Release Archive Library libLLVMTarget.a
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/ClamBCCommon.h:29: 
warning: 'unsigned int 
clamav::initTypeIDs(llvm::DenseMapllvm::Type*, unsigned int, 
llvm::DenseMapInfo, 
llvm::DenseMapInfo >&, 
llvm::LLVMContext&)' defined but not used
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/ClamBCCommon.h:50: 
warning: 'clamav::apicall_begin' defined but not 
used
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/ClamBCCommon.h:51: 
warning: 'clamav::apicall_end' defined but not 
used
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/ClamBCCommon.h:52: 
warning: 'clamav::globals_begin' defined but not 
used
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/ClamBCCommon.h:53: 
warning: 'clamav::globals_end' defined but not 
used

make[2]: *** [ClamBC/.makeall] Error 2
make[1]: *** [all] Error 1
make: *** [clambc-only] Error 2



Re: [Clamav-users] byte code compiler configure issues

2010-05-01 Thread Tom Shaw

At 2:40 PM +0300 5/1/10, Török Edwin wrote:

On 05/01/2010 02:20 PM, Tom Shaw wrote:


 llvm[3]: Compiling ClamBCOptimizers.cpp for Release build

/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/ClamBCModule.cpp:
 In member function 'virtual bool ClamBCModule::runOnModule(llvm::Module&)':

/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/ClamBCModule.cpp:183:
 error: 'class std::vector >'
 has no member named 'data'


Fixed in clambc-0.11-84-g446d4e7.
Please do a 'git pull', and try building again.


Got git but no joy:

llvm[3]: Compiling version.c for Release build
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/version.c:1:21: 
error: version.h: No such file or directory
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/version.c: 
In function 'clambc_getversion':
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/version.c:4: 
error: 'GIT_VERSION' undeclared (first use in 
this function)
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/version.c:4: 
error: (Each undeclared identifier is reported 
only once
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/version.c:4: 
error: for each function it appears in.)
make[3]: *** 
[/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/obj/lib/Target/ClamBC/Release/version.o] 
Error 1

make[3]: *** Waiting for unfinished jobs
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/ClamBCWriter.cpp: 
In member function 'RetTy 
llvm::InstVisitorRetTy>::visit(llvm::Instruction&) [with SubClass 
= ClamBCWriter, RetTy = void]':
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/ClamBCWriter.cpp:413: 
warning: 'opc' may be used uninitialized in this 
function
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/ClamBCWriter.cpp:413: 
note: 'opc' was declared here

make[2]: *** [ClamBC/.makeall] Error 2
make[1]: *** [all] Error 1
make: *** [clambc-only] Error 2



Re: [Clamav-users] byte code compiler configure issues

2010-05-01 Thread Tom Shaw

At 10:52 PM +0300 5/1/10, Török Edwin wrote:

Please run 'make VERBOSE=1', and paste the output.


llvm[3]: Compiling version.c for Release build
if /usr/bin/gcc-4.2 
-I/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/llvm/include 
-I/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/llvm/lib/Target/ClamBC 
-I/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/obj/include 
-I/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/obj/lib/Target/ClamBC 
-D_DEBUG -D_GNU_SOURCE -D__STDC_LIMIT_MACROS 
-D__STDC_CONSTANT_MACROS -O2  -fno-common   -m32 
-pedantic -Wno-long-long -Wall -W 
-Wno-unused-parameter -Wwrite-strings  -c -MMD 
-MP -MF 
"/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/obj/lib/Target/ClamBC/Release/version.d.tmp" 
-MT 
"/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/obj/lib/Target/ClamBC/Release/version.o" 
-MT 
"/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/obj/lib/Target/ClamBC/Release/version.d" 
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/version.c 
-o 
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/obj/lib/Target/ClamBC/Release/version.o 
; \
	then /bin/mv -f 
"/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/obj/lib/Target/ClamBC/Release/version.d.tmp" 
"/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/obj/lib/Target/ClamBC/Release/version.d"; 
else /bin/rm 
"/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/obj/lib/Target/ClamBC/Release/version.d.tmp"; 
exit 1; fi
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/version.c:1:21: 
error: version.h: No such file or directory
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/version.c: 
In function 'clambc_getversion':
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/version.c:4: 
error: 'GIT_VERSION' undeclared (first use in 
this function)
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/version.c:4: 
error: (Each undeclared identifier is reported 
only once
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/llvm/lib/Target/ClamBC/version.c:4: 
error: for each function it appears in.)
make[3]: *** 
[/Users/tshaw/Sites/clamav/clamav-bytecode-compiler/obj/lib/Target/ClamBC/Release/version.o] 
Error 1

make[2]: *** [ClamBC/.makeall] Error 2
make[1]: *** [Target/.makeall] Error 2
make: *** [all] Error 1




Re: [Clamav-users] byte code compiler configure issues

2010-05-02 Thread Tom Shaw

At 10:45 AM +0300 5/2/10, Török Edwin wrote:

On 05/02/2010 12:49 AM, Tom Shaw wrote:

 At 10:52 PM +0300 5/1/10, Török Edwin wrote:

 Please run 'make VERBOSE=1', and paste the output.


 llvm[3]: Compiling version.c for Release build


Thanks, please 'git pull' and try building again.




Edwin,

No joy:

/Users/tshaw/Sites/clamav/clamav-bytecode-compiler.old/clamav-bytecode-compiler/obj/tools/opt/Release/GraphPrinters.o 
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler.old/clamav-bytecode-compiler/obj/tools/opt/Release/PrintSCC.o 
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler.old/clamav-bytecode-compiler/obj/tools/opt/Release/opt.o 
\
	-lLLVMipo -lLLVMScalarOpts 
-lLLVMInstCombine -lLLVMInstrumentation 
-lLLVMTransformUtils -lLLVMipa -lLLVMAnalysis 
-lLLVMTarget -lLLVMMC -lLLVMAsmParser 
-lLLVMBitWriter -lLLVMBitReader -lLLVMCore 
-lLLVMSupport -lLLVMSystem   -lpthread -lm

Undefined symbols:
  "llvm::Value::getUnderlyingObject()", referenced from:

llvm::LoopDependenceAnalysis::analysePair(llvm::LoopDependenceAnalysis::DependencePair*) 
constin 
libLLVMAnalysis.a(LoopDependenceAnalysis.o)


llvm::LoopDependenceAnalysis::analysePair(llvm::LoopDependenceAnalysis::DependencePair*) 
constin 
libLLVMAnalysis.a(LoopDependenceAnalysis.o)

  "typeinfo for llvm::ScalarEvolution", referenced from:
  __ZTIN4llvm15ScalarEvolutionE$non_lazy_ptr 
in libLLVMScalarOpts.a(LoopDeletion.o)
  __ZTIN4llvm15ScalarEvolutionE$non_lazy_ptr 
in libLLVMAnalysis.a(LoopDependenceAnalysis.o)
  __ZTIN4llvm15ScalarEvolutionE$non_lazy_ptr 
in libLLVMScalarOpts.a(LoopRotation.o)

  "typeinfo for llvm::LoopPass", referenced from:
  typeinfo for (anonymous 
namespace)::LoopDeletionin 
libLLVMScalarOpts.a(LoopDeletion.o)
  typeinfo for (anonymous 
namespace)::LoopExtractorin 
libLLVMipo.a(LoopExtractor.o)
  typeinfo for (anonymous namespace)::LCSSAin 
libLLVMTransformUtils.a(LCSSA.o)
  typeinfo for llvm::LoopDependenceAnalysisin 
libLLVMAnalysis.a(LoopDependenceAnalysis.o)
  typeinfo for (anonymous 
namespace)::LoopRotatein 
libLLVMScalarOpts.a(LoopRotation.o)

  "typeinfo for llvm::TargetData", referenced from:
  __ZTIN4llvm10TargetDataE$non_lazy_ptr in 
libLLVMAnalysis.a(LazyValueInfo.o)

  "typeinfo for llvm::CallGraph", referenced from:
  __ZTIN4llvm9CallGraphE$non_lazy_ptr in libLLVMipo.a(PruneEH.o)
  "typeinfo for llvm::CallGraphSCCPass", referenced from:
  typeinfo for (anonymous namespace)::PruneEHin libLLVMipo.a(PruneEH.o)
  "typeinfo for llvm::Inliner", referenced from:
  typeinfo for (anonymous 
namespace)::AlwaysInlinerin 
libLLVMipo.a(InlineAlways.o)
  typeinfo for (anonymous 
namespace)::SimpleInlinerin 
libLLVMipo.a(InlineSimple.o)

  "typeinfo for llvm::LoopInfo", referenced from:
  __ZTIN4llvm8LoopInfoE$non_lazy_ptr in libLLVMScalarOpts.a(LoopDeletion.o)
  __ZTIN4llvm8LoopInfoE$non_lazy_ptr in libLLVMScalarOpts.a(LoopRotation.o)
  "typeinfo for llvm::AliasAnalysis", referenced from:
  __ZTIN4llvm13AliasAnalysisE$non_lazy_ptr in 
libLLVMAnalysis.a(AliasSetTracker.o)
  typeinfo for llvm::LibCallAliasAnalysisin 
libLLVMAnalysis.a(LibCallAliasAnalysis.o)
  __ZTIN4llvm13AliasAnalysisE$non_lazy_ptr in 
libLLVMAnalysis.a(LoopDependenceAnalysis.o)

ld: symbol(s) not found
collect2: ld returned 1 exit status
make[2]: *** 
[/Users/tshaw/Sites/clamav/clamav-bytecode-compiler.old/clamav-bytecode-compiler/obj/Release/bin/opt] 
Error 1

make[1]: *** [opt/.makeall] Error 2
make: *** [all] Error 1



Re: [Clamav-users] byte code compiler configure issues

2010-05-02 Thread Tom Shaw

At 4:46 PM +0300 5/2/10, Török Edwin wrote:

On 05/02/2010 04:44 PM, Tom Shaw wrote:

 At 10:45 AM +0300 5/2/10, Török Edwin wrote:

 On 05/02/2010 12:49 AM, Tom Shaw wrote:

  At 10:52 PM +0300 5/1/10, Török Edwin wrote:

  Please run 'make VERBOSE=1', and paste the output.


  llvm[3]: Compiling version.c for Release build


 Thanks, please 'git pull' and try building again.




 Edwin,

 No joy:


Use 'make clambc-only', that is what the manual says ;)



I did and got the error and then made with make 
VERBOSE=1 like you asked the last time ;-)  I 
have made again like you asked (which isn't what 
is in the docs in para 1.3.2 and 1.4 )


Still no joy:

/Users/tshaw/Sites/clamav/clamav-bytecode-compiler.old/clamav-bytecode-compiler/llvm/projects/clamdriver/clamdriver/driver.cpp: 
In function 'int CompileSubprocess(const char**, 
int, llvm::sys::Path&, bool, bool, 
llvm::sys::Path&)':
/Users/tshaw/Sites/clamav/clamav-bytecode-compiler.old/clamav-bytecode-compiler/llvm/projects/clamdriver/clamdriver/driver.cpp:453: 
error: 'class std::vectorstd::allocator >' has no member named 
'data'
make[3]: *** 
[/Users/tshaw/Sites/clamav/clamav-bytecode-compiler.old/clamav-bytecode-compiler/obj/projects/clamdriver/clamdriver/Release/driver.o] 
Error 1

make[2]: *** [all] Error 1
make[1]: *** [all] Error 1
make: *** [clambc-only] Error 2



Re: [Clamav-users] byte code compiler configure issues

2010-05-02 Thread Tom Shaw

At 6:07 PM +0300 5/2/10, Török Edwin wrote:

On 05/02/2010 05:33 PM, Tom Shaw wrote:

 At 4:46 PM +0300 5/2/10, Török Edwin wrote:

 On 05/02/2010 04:44 PM, Tom Shaw wrote:

  At 10:45 AM +0300 5/2/10, Török Edwin wrote:

  On 05/02/2010 12:49 AM, Tom Shaw wrote:

   At 10:52 PM +0300 5/1/10, Török Edwin wrote:

   Please run 'make VERBOSE=1', and paste the output.


   llvm[3]: Compiling version.c for Release build


  Thanks, please 'git pull' and try building again.




  Edwin,

  No joy:


 Use 'make clambc-only', that is what the manual says ;)



 I did and got the error and then made with make VERBOSE=1 like you asked
 the last time ;-)  I have made again like you asked (which isn't what is
 in the docs in para 1.3.2 and 1.4 )

 Still no joy:


/Users/tshaw/Sites/clamav/clamav-bytecode-compiler.old/clamav-bytecode-compiler/llvm/projects/clamdriver/clamdriver/driver.cpp:
 In function 'int CompileSubprocess(const char**, int, llvm::sys::Path&,
 bool, bool, llvm::sys::Path&)':

/Users/tshaw/Sites/clamav/clamav-bytecode-compiler.old/clamav-bytecode-compiler/llvm/projects/clamdriver/clamdriver/driver.cpp:453:
 error: 'class std::vector >' has no member
 named 'data'


We're getting closer.
This is one more case of .data() usage, I just commited something to fix it.

Please try now.

BTW what platform are you doing this on? Mac OS X 10.6?


Trying now let you know in about 10

10.5.8 right now. 10.6 after we get this working

Tom


Re: [Clamav-users] byte code compiler configure issues

2010-05-02 Thread Tom Shaw

At 6:07 PM +0300 5/2/10, Török Edwin wrote:

We're getting closer.
T


Thanks, Edwin. That worked. Installed and tried to get version but got:

$ /usr/local/clamav/bin/clambc-compiler -v
clang -cc1 version 1.1 based upon llvm 2.7 hosted on i386-apple-darwin9
re2c: error: cannot re-open 
error: re2c command failed with exit code 1 (use -v to see invocation)

Compiler exited with code 1!

Going to now look for an example to ensure it's working correctly.

Thanks again.

Tom
PS

What the heck is the .data() function?


Re: [Clamav-users] byte code compiler configure issues

2010-05-02 Thread Tom Shaw

At 12:27 PM -0700 5/2/10, Dennis Peterson wrote:

On 5/2/10 8:14 AM, Tom Shaw wrote:



Trying now let you know in about 10

10.5.8 right now. 10.6 after we get this working

Tom


I was able to compile .96 in Snow Leopard with no modification.



Thanks Dennis. I had no problems for ClamAV (did have a temp issue 
when not compiling for machine specific, e.g. patching for PPC and 
patching universal compile).  Here I was trying to get the bytecode 
compiler up and running.


Tom



Re: [Clamav-users] byte code compiler configure issues

2010-05-03 Thread Tom Shaw

At 5:48 AM -0700 5/3/10, Jim Preston wrote:

Dennis Peterson wrote:

On 5/2/10 8:14 AM, Tom Shaw wrote:



Trying now let you know in about 10

10.5.8 right now. 10.6 after we get this working

Tom


I was able to compile .96 in Snow Leopard with no modification.

dp


Hi Dennis,

Did not know you used OS X. Was the Snow Leopard compile in Client, 
Server, or both?




Jim, it works for both. Just change the conf file to match the server 
sockets and turn off the stock launchd's and add your own.


Tom



Re: [Clamav-users] byte code compiler configure issues

2010-05-03 Thread Tom Shaw

At 6:06 AM -0700 5/3/10, Jim Preston wrote:

Tom Shaw wrote:

At 5:48 AM -0700 5/3/10, Jim Preston wrote:

Dennis Peterson wrote:

On 5/2/10 8:14 AM, Tom Shaw wrote:



Trying now let you know in about 10

10.5.8 right now. 10.6 after we get this working

Tom


I was able to compile .96 in Snow Leopard with no modification.

dp


Hi Dennis,

Did not know you used OS X. Was the Snow Leopard compile in 
Client, Server, or both?




Jim, it works for both. Just change the conf file to match the server 
sockets and turn off the stock launchd's and add your own.


Tom

Thanks Tom! I am currently using Leopard Client and Server but 
going to be moving to SL at some point this year. Already rolling out 
SL client for workstations and have a test SL server, but have not 
tried to update ClamAV on the test server beyond .09.5.3.


Thanks, Jim



Jim

I have a universal build if you need it.

Tom


Re: [Clamav-users] 0.96.1 Daemon permissions on Mac OS 10.6.4?

2010-07-12 Thread Tom Shaw

At 11:13 AM -0400 7/12/10, eimslist wrote:
Hi All: I had a problem subscribing to this list, so I apologize if 
this is a double-post!


I installed ClamAV 0.96.1 from source on Mac OS 10.6.4 (client, not
server) as part of an ASSP intallation.

Logs are currently in /var/log/clamav/clamd.log and 
/var/log/clamav/freshclam.log


If I run freshclam, though, I receive an error:

Jul 12 09:34:43 mail net.clamav.clamd[950]: ERROR: Can't initialize the
internal logger
Jul 12 09:34:43 mail net.clamav.clamd[950]: ERROR: Can't open
/var/log/clamav/clamd.log in append mode (check permissions!).
Jul 12 09:34:43 mail com.apple.launchd[1] (net.clamav.clamd[950]): Exited
with exit code: 1
Jul 12 09:34:43 mail com.apple.launchd[1] (net.clamav.clamd): Throttling
respawn: Will start in 10 seconds
Jul 12 09:34:43 mail net.clamav.freshclam[951]: ERROR: Problem with internal
logger (UpdateLogFile =
/var/log/clamav/freshclam.log).
Jul 12 09:34:43 mail net.clamav.freshclam[951]: ERROR: Can't open
/var/log/clamav/freshclam.log in
append mode (check permissions!).
Jul 12 09:34:43 mail com.apple.launchd[1] (net.clamav.freshclam[951]):
Exited with exit code: 62

I've been googling around and seeing many different clues related to
permissions, but nothing that seems to apply correctly. Before I go fubar my
install I was hoping someone may have solved this on OSX?



Again this is a permissions error. Both clamd and freshclam should 
run as group _clamav (under Leopard and above) if not as owner 
_clamav. Check your config files. If you need to run it manually, use 
sudo freshclam.


Tom


[Clamav-users] writing rules

2009-01-26 Thread Tom Shaw
I have run into some problems creating rules. I 
am trying to create phish rules as

R[Filter]:RealURL:DisplayedURL[:FuncLevelSpec]
or
MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel:[Max]]

and I am having two problems.

First problem has to do with UTF/UNICODE 
characters as well as various codepages which are 
used in place of ascii in spam and phish. What 
makes this more difficult is that one email might 
contain ascii, another UTF, and yet another 
Latin-2 all representing the same signature. So 
how does one create a regex for the "R" rules 
and/or a HEX sequence that can deal with various 
character sets?

My second source of confusion is with target type. The options are

* 0 = any file
* 1 = Portable Executable
* 2 = OLE2 component (e.g. a VBA script)
* 3 = HTML (normalised)
* 4 = Mail file
* 5 = Graphics
* 6 = ELF
* 7 = ASCII text file (normalised)

but how does clamd tell what kind of file it is 
so it knows what rule types need to be run?  If 
it's a "mail file", does it automatically deal with 
attachments and mime types and character sets? 
There are other questions but they all break down 
to what these really mean for rules and when 
they really count?

TIA,

Tom




[Clamav-users] rule writing

2009-02-25 Thread Tom Shaw
OK I have read all the docs and gotten some feedback here (Thanks 
Steve, Scott and Edwin) but I am still a little confused and can't 
seem to find comprehensive docs to read.  The below questions are for 
hex signatures. I also am confused on some of the others but those 
questions will come later...

1) Docs included with 0.94.2 download (signatures.pdf) say to put hex 
sigs in *.db files yet I see others putting them in *.ndb. What's the 
difference in format and where does one find the docs on *.ndb format?

2) Could someone explain: characters are elided?

3) Type 0 (any file) is exactly raw contents of the file? Or something else?

4) Type 1 Portable executable is what? What differentiates this from Type 0?

5) Type 2 OLE2 Component is what? I think it is MS Office files but 
is it anything else? Or is it the OLE DLL files? What differentiates 
this from Type 0?

6) Type 4 Mail file is what? I think it is just raw mail contents. Is 
this correct? What differentiates this from Type 0? It appears that 
when writing rules you need to create dups to deal with line endings, 
one with 0a for running on non-windows systems and 0d0a for running 
on windows systems. This is confusing for me. Is this true? Is it 
true for Type 0 et al?

7) Type 5 Graphics file is what? I think it is just raw contents of 
gif, jpg, tiff, png, bmp, etc. Is this correct? What differentiates 
this from Type 0?

8) Type 6 ELF file appears to be just an executable? What 
differentiates this from Type 0 in terms of rule writing?

9) Type 7 ASCII file appears to have all the tags removed (if they 
were there) and everything moved to lowercase? Is this correct and 
what about characters outside of the standard 127 of ASCII?

10) It appears to me that some of the purpose of the 7 file types is 
to limit when a rule is applied and not the content on what the rule 
applies to probably to reduce false detects. Is there any other 
reason?

11) Any suggestions on where I can find out how to understand and decode .ftm?

Thanks for all that have and will help. I think when I understand 
this all I will post a summary doc to help others.

TIA,

Tom



Re: [Clamav-users] rule writing

2009-02-26 Thread Tom Shaw
Nigel,

Looks like your typing is getting better ;-)  Thanks for the 
suggestion. I had already signed up. Hoping to be able to read more 
before the webinar so I can get the most out of it.

Tom

At 11:15 PM -0500 2/25/09, Nigel Horne wrote:
>Tom, don't forget about next week's Webinar discussion about how to
>write signatures for ClamAV. Please see
>http://www.clamav.net/2009/02/09/clamav-users-webcast/ for further details.
>
>-Nigel
>
>P.S. Thanks for all the "get well" messages. I'm getting better, but
>very slowly and it's still painful.
>
>--
>Nigel Horne, nigel.ho...@sourcefire.com
>Director of Product Management (ClamAV), Sourcefire,
>http://www.sourcefire.com
>+1 301 518 7944 or +1 706 705 4022 FAX: +44 870 705 9334 ICQ: 20252325
>
>ClamAV is a registered trademark of Sourcefire Inc.
>




Re: [Clamav-users] 0.95RC1 availability

2009-02-28 Thread Tom Shaw
At 12:08 PM -0500 2/27/09, Nigel Horne wrote:
>Folks,
>
>0.95 RC1 was published on Wednesday 25/2/09.
>
>For details of the new features please refer to the Changelog.
>
>A what's new document that gives an overview of the new and improved
>features is currently in preparation for publication on www.clamav.net.
>
>For technical information please refer to
>https://wiki.clamav.net/Main/UpgradeNotes095 .
>
>We encourage as many people as possible to test this release candidate
>by downloading it from www.clamav.net. If you don't have access to a
>test machine you can still help us by downloading it and checking that
>it compiles and links on your platform. If you do have a test
>machine/model/network please help us by loading ClamAV 0.95RC1 and
>testing it.
>
>All bug reports should be filed at http://bugs.clamav.net.
>
>We also encourage all 3rd party developers of products and
>distribution/port maintainers to download and check this update so that
>you can go live as soon as the final version is released. The release
>is scheduled for 16th March.

Nigel,

I have compiled and started testing on OSX 10.5.6. So far other than 
some newly identified malformed rules in securiteinfo.hdb which Bill 
already reported all is well.

Tom


Re: [Clamav-users] malformed securiteinfo.hdb

2009-02-28 Thread Tom Shaw
Bill

Have you informed SecuriteInfo about the issues with the 
securiteinfo.hdb signature database file? Do you know when it might 
be fixed? I would like to put 0.95rcx and all unofficials in test but 
so far I have had to disable SecuriteInfo's updates in your script 
to operate the new clam.

TIA,

Tom

-- 
Tom Shaw - Chief Engineer, OITC
, http://www.oitc.com/ local wx: http://www.oitc.com/weather
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trs...@mac.com

Fish more and Live longer


[Clamav-users] 0.95 rc1 OSX 10.5 issues

2009-02-28 Thread Tom Shaw
Some issues:

socat ran fine on 0.94.2 but on 0.95.rc1

echo PING|socat - /var/tmp/clamd.socket

is silent yet I can type

socat - /var/tmp/clamd.socket

and then type PING on the command line and I get PONG

I have to admit this confuses me.

Then, I ran clamdscan ~/ and it mostly worked, except I got the 
following read errors; checking permissions, the files all had read 
access. It should be noted that running assp with 
File::Scan::ClamAV v1.91 seems to be working fine so far.

Sat Feb 28 18:39:38 2009 -> 
/Users/tshaw/Documents/assp/clamav/clamav-0.95rc1/test/.split/split.clam.arjaa: 
Can't read file ERROR

-rw-r--r--@ 1 tshaw  staff  197 Dec 10 13:41 
/Users/tshaw/Documents/assp/clamav/clamav-0.95rc1/test/.split/split.clam.arjaa

Sat Feb 28 18:37:19 2009 -> 
/Users/tshaw/Documents/assp/clamav/clamav-0.94.2/test/.split/split.clam.arjaa: 
Can't read file ERROR

-rw-r--r--@ 1 tshaw  staff  197 Nov 21 17:24 
/Users/tshaw/Documents/assp/clamav/clamav-0.94.2/test/.split/split.clam.arjaa

Tom



Re: [Clamav-users] 0.95 rc1 OSX 10.5 issues

2009-03-01 Thread Tom Shaw
At 6:16 PM -0800 2/28/09, Bill Landry wrote:
>Tom Shaw wrote:
>>  Some issues:
>>
>>  socat ran fine on 0.94.2 but on 0.95.rc1
>>
>>  echo PING|socat - /var/tmp/clamd.socket
>>
>>  is silent yet I can type
>
>Tom, are you sure that is the correct path to your clamd.socket?  Just
>curious, because socat is working and responding with PONG fine for me
>when I PING my clamd.socket with 0.95.rc1:
>
>clamscan -V
>ClamAV 0.95rc1/9047/Wed Feb 25 02:59:41 2009
>
>echo PING | socat - /var/amavis/clamd.sock
>PONG

Yes, that is the correct port in config, and the same port that was working 
fine in your "unofficial script" and the same port used with 
File::Scan::ClamAV and, like I said, socat works if I type PING in 
from the terminal.

All the above worked fine on 0.94.2, which is a carbon copy of the 
operational system. With 0.95, File::Scan::ClamAV works fine:

Sun Mar  1 07:38:38 2009 -> stream(127.0@1812): 
Sanesecurity.Dipl.8334.UNOFFICIAL FOUND

as does clamdscan:

$ clamdscan ~/
/Users/tshaw/Library/Mail/Mac-trshaw/Drafts.imapmbox/Messages/1434.emlx: 
Eicar-Test-Signature FOUND

I am totally confused,

Tom



Re: [Clamav-users] 0.95 rc1 OSX 10.5 issues

2009-03-01 Thread Tom Shaw
At 6:20 PM -0800 2/28/09, Bill Landry wrote:
>Bill Landry wrote:
>>  Tom Shaw wrote:
>>>  Some issues:
>>>
>>>  socat ran fine on 0.94.2 but on 0.95.rc1
>>>
>>>  echo PING|socat - /var/tmp/clamd.socket
>>>
>>>  is silent yet I can type
>>
>>  Tom, are you sure that is the correct path to your clamd.socket?  Just
>>  curious, because socat is working and responding with PONG fine for me
>>  when I PING my clamd.socket with 0.95.rc1:
>>
>>  clamscan -V
>>  ClamAV 0.95rc1/9047/Wed Feb 25 02:59:41 2009
>>
>>  echo PING | socat - /var/amavis/clamd.sock
>>  PONG
>
>Works with perl too:
>
>perl -MIO::Socket::UNIX -we '$s = IO::Socket::UNIX->new(shift);
>$s->print("PING"); print $s->getline; $s->close' /var/amavis/clamd.sock
>PONG

Now I am even more confused. Perl works for me also:

$ perl -MIO::Socket::UNIX -we '$s = IO::Socket::UNIX->new(shift);
$s->print("PING"); print $s->getline; $s->close' /var/tmp/clamd.socket
PONG

and like I said socat works when I type on the terminal:

$ socat - /var/tmp/clamd.socket
PING
PONG



Re: [Clamav-users] 0.95 rc1 OSX 10.5 issues

2009-03-01 Thread Tom Shaw
At 3:04 PM +0200 3/1/09, Török Edwin wrote:
>On 2009-03-01 14:57, Tom Shaw wrote:
>>  At 6:16 PM -0800 2/28/09, Bill Landry wrote:
>>  
>>>  Tom Shaw wrote:
>>>
>>>>   Some issues:
>>>>
>>>>   socat ran fine on 0.94.2 but on 0.95.rc1
>>>>
>>>>   echo PING|socat - /var/tmp/clamd.socket
>>>>
>>>>   is silent yet I can type
>>>>  
>>>  Tom, are you sure that is the correct path to your clamd.socket?  Just
>>>  curious, because socat is working and responding with PONG fine for me
>>>  when I PING my clamd.socket with 0.95.rc1:
>>>
>>>  clamscan -V
>>>  ClamAV 0.95rc1/9047/Wed Feb 25 02:59:41 2009
>>>
>>>  echo PING | socat - /var/amavis/clamd.sock
>>>  PONG
>>>
>>
>>  Yes, that is the correct port in config, and the same port that was working
>>  fine in your "unofficial script" and the same port used with
>>  File::Scan::ClamAV and, like I said, socat works if I type PING in
>>  from the terminal.
>>
>>  All the above worked fine on 0.94.2, which is a carbon copy of the
>>  operational system. With 0.95, File::Scan::ClamAV works fine:
>>
>>  Sun Mar  1 07:38:38 2009 -> stream(127.0@1812):
>>  Sanesecurity.Dipl.8334.UNOFFICIAL FOUND
>>
>>  as does clamdscan:
>>
>>  $ clamdscan ~/
>>  /Users/tshaw/Library/Mail/Mac-trshaw/Drafts.imapmbox/Messages/1434.emlx:
>>  Eicar-Test-Signature FOUND
>>
>>  I am totally confused,
>>  
>
>What does this output:
>$ echo PING | strace socat - /var/tmp/clamd.socket
>$ echo -ne "nPING\n" | strace socat - /var/tmp/clamd.socket

Edwin,

OSX doesn't come with strace. I'll download a 
copy from sourceforge and report back.

Tom


Re: [Clamav-users] 0.95 rc1 OSX 10.5 issues

2009-03-01 Thread Tom Shaw
At 10:55 AM -0500 3/1/09, Tom Shaw wrote:
>At 3:04 PM +0200 3/1/09, Török Edwin wrote:
>>On 2009-03-01 14:57, Tom Shaw wrote:
>>>   At 6:16 PM -0800 2/28/09, Bill Landry wrote:
>>> 
>>>>   Tom Shaw wrote:
>>>>   
>>>>>Some issues:
>>>>>
>>>>>socat ran fine on 0.94.2 but on 0.95.rc1
>>>>>
>>>>>echo PING|socat - /var/tmp/clamd.socket
>>>>>
>>>>>is silent yet I can type
>>>>> 
>>>>   Tom, are you sure that is the correct path to your clamd.socket?  Just
>>>>   curious, because socat is working and responding with PONG fine for me
>>>>   when I PING my clamd.socket with 0.95.rc1:
>>>>
>>>>   clamscan -V
>>>>   ClamAV 0.95rc1/9047/Wed Feb 25 02:59:41 2009
>>>>
>>>>   echo PING | socat - /var/amavis/clamd.sock
>>>>   PONG
>>>>   
>>>
>>>   Yes, that is the correct port in config, and the same port that was working
>>>   fine in your "unofficial script" and the same port used with
>>>   File::Scan::ClamAV and, like I said, socat works if I type PING in
>>>   from the terminal.
>>>
>>>   All the above worked fine on 0.94.2, which is a carbon copy of the
>>>   operational system. With 0.95, File::Scan::ClamAV works fine:
>>>
>>>   Sun Mar  1 07:38:38 2009 -> stream(127.0@1812):
>>>   Sanesecurity.Dipl.8334.UNOFFICIAL FOUND
>>>
>>>   as does clamdscan:
>>>
>>>   $ clamdscan ~/
>>>   /Users/tshaw/Library/Mail/Mac-trshaw/Drafts.imapmbox/Messages/1434.emlx:
>>>   Eicar-Test-Signature FOUND
>>>
>>>   I am totally confused,
>>> 
>>
>>What does this output:
>>$ echo PING | strace socat - /var/tmp/clamd.socket
>>$ echo -ne "nPING\n" | strace socat - /var/tmp/clamd.socket
>
>Edwin,
>
>OSX doesn't come with strace. I'll download a
>copy from sourceforge and report back.

strace reports no support of darwin :-(  Any other suggestions?

Tom


Re: [Clamav-users] 0.95 rc1 OSX 10.5 issues

2009-03-01 Thread Tom Shaw
At 9:26 AM -0800 3/1/09, Bill Landry wrote:
>Tom Shaw wrote:
>>>>>
>>>>  What does this output:
>  >>> $ echo PING | strace socat - /var/tmp/clamd.socket
>>>>  $ echo -ne "nPING\n" | strace socat - /var/tmp/clamd.socket
>  >> Edwin,
>>>
>>>  OSX doesn't come with strace. I'll download a
>>>  copy from sourceforge and report back.
>>
>>  strace reports no support of darwin :-(  Any other suggestions?
>>
>>  Tom
>
>Does darwin support "truss" (man truss)?

The equivalent is dtruss.

pike:~ tshaw$ echo PING | sudo dtruss socat - /var/tmp/clamd.socket
SYSCALL(args)= return
issetugid(0x0, 0x0, 0x0) = 0 0
__sysctl(0xBFFFE88C, 0x2, 0xBFFFE894)= 0 0
__sysctl(0xBFFFE894, 0x2, 0xBFFFE938)= 0 0
shared_region_check_np(0xBFFFE9D0, 0xBFFFE938, 0xBFFFE93C)   = 0 0
getpid(0xBFFFE9D0, 0xBFFFE938, 0xBFFFE93C)   = 17275 0
__sysctl(0xBFFFE9D8, 0x3, 0xBFFFE9AC)= 0 0
__sysctl(0xBFFFE9D8, 0x3, 0xBFFFE9B8)= 0 0
stat("/usr/lib/dtrace/libdtrace_dyld.dylib\0", 0xBFFFC9F0, 
0xBFFFE4A8)  = 0 0
open("/usr/lib/dtrace/libdtrace_dyld.dylib\0", 0x0, 0x0) = 3 0
pread(0x3, "\312\376\272\276\0", 0x1000, 0x0)= 4096 0
pread(0x3, "\376\355\372\316\0", 0x1000, 0x1000) = 4096 0
mmap(0x3E000, 0x1000, 0x5, 0x12, 0x3, 0xFEEDFACEDEAFBEAD) 
 = 0x3E000 0
mmap(0x3F000, 0x1000, 0x3, 0x12, 0x3, 0xFEEDFACEDEAFBEAD) 
 = 0x3F000 0
mmap(0x4, 0x1A10, 0x1, 0x12, 0x3, 0xFEEDFACEDEAFBEAD) 
 = 0x4 0
fcntl(0x3, 0x2C, 0xBFFFC038) = 0 0
close(0x3)   = 0 0
stat("/usr/lib/libwrap.7.dylib\0", 0xBFFFC750, 0xBFFFE208)   = 0 0
open("/usr/lib/libwrap.7.dylib\0", 0x0, 0x0) = 3 0
pread(0x3, "\312\376\272\276\0", 0x1000, 0x0)= 4096 0
pread(0x3, "\376\355\372\316\0", 0x1000, 0x1000) = 4096 0
mmap(0x42000, 0x5000, 0x5, 0x12, 0x3, 0xFEEDFACEDEAFBEAD) 
 = 0x42000 0
mmap(0x47000, 0x1000, 0x3, 0x12, 0x3, 0xFEEDFACEDEAFBEAD) 
 = 0x47000 0
mmap(0x48000, 0x2BC0, 0x1, 0x12, 0x3, 0xFEEDFACEDEAFBEAD) 
 = 0x48000 0
fcntl(0x3, 0x2C, 0xBFFFBDE8) = 0 0
fcntl(0x3, 0x2C, 0xBFFFBDE8) = 0 0
close(0x3)   = 0 0
stat("/usr/lib/libutil.dylib\0", 0xBFFFC750, 0xBFFFE208) = 0 0
open("/usr/lib/libutil.dylib\0", 0x0, 0x0)   = 3 0
pread(0x3, "\312\376\272\276\0", 0x1000, 0x0)= 4096 0
pread(0x3, "\376\355\372\316\0", 0x1000, 0x1000) = 4096 0
mmap(0x4B000, 0x3000, 0x5, 0x12, 0x3, 0xFEEDFACEDEAFBEAD) 
 = 0x4B000 0
mmap(0x4E000, 0x1000, 0x3, 0x12, 0x3, 0xFEEDFACEDEAFBEAD) 
 = 0x4E000 0
mmap(0x4F000, 0x2180, 0x1, 0x12, 0x3, 0xFEEDFACEDEAFBEAD) 
 = 0x4F000 0
fcntl(0x3, 0x2C, 0xBFFFBDA8) = 0 0
fcntl(0x3, 0x2C, 0xBFFFBDA8) = 0 0
close(0x3)   = 0 0
stat("/usr/lib/libresolv.9.dylib\0", 0xBFFFC750, 0xBFFFE208) = 0 0
stat("/usr/lib/libssl.0.9.7.dylib\0", 0xBFFFC750, 0xBFFFE208)= 0 0
stat("/usr/lib/libcrypto.0.9.7.dylib\0", 0xBFFFC750, 0xBFFFE208) 
 = 0 0
stat("/usr/lib/libgcc_s.1.dylib\0", 0xBFFFC750, 0xBFFFE208)  = 0 0
stat("/usr/lib/libSystem.B.dylib\0", 0xBFFFC750, 0xBFFFE208) = 0 0
stat("/usr/lib/system/libmathCommon.A.dylib\0", 0xBFFFC470, 
0xBFFFDF28)  = 0 0
__sysctl(0xBFFFE7E8, 0x3, 0xBFFFE7D8)= 0 0
open("/dev/dtracehelper\0", 0x2, 0xBFFFE7D8) = 3 0
ioctl(0x3, 0x80086804, 0xBFFFE7E0)   = 0 0
close(0x3)   = 0 0
__sysctl(0xBFFFE7E8, 0x3, 0xBFFFE7D8)= 0 0
__sysctl(0xBFFFE628, 0x2, 0xBFFFE620)= 0 0
bsdthread_register(0x9300FEE8, 0x9304B078, 0x1000)   = 0 0
open_nocancel("/dev/urandom\0", 0x0, 0x1000) = 3 0
read_nocancel(0x3, 
"#(Z<\304EU\326mw\035\207\023PL\024\365\b\244:'\247[\373\020\302/T\331\230\3172\0",
 
0x20)= 32 0
close_nocancel(0x3)  = 0 0
mmap(0x0, 0x3000, 0x3, 0x1002, 0x100, 0xFEEDFACEDEAFBEAD) 
 = 0x52000 0
mmap(0x0, 0x20, 0x3, 0x1002, 0x700, 0xFEEDFACEDEAFBEAD) 
 = 0x55000 0
munmap(0x55000, 0xAB000) = 0 0
munmap(0x20, 0x55000)= 0 0
mmap(0x0, 0x3000, 0x3, 0x1002, 0x100, 0xFEEDFACEDEAFBEAD) 
 = 0x55000 0
getpid(0x0, 0x3000, 0x3) = 17275 0
mmap(0x0, 0x100, 0x3, 0x1002, 0x200, 0xFEEDFACEDEAFBEAD) 
 = 0x20 0
munmap(0x20, 0x60)   = 0 0
mu

Re: [Clamav-users] 0.95 rc1 OSX 10.5 issues

2009-03-01 Thread Tom Shaw
At 9:34 PM +0200 3/1/09, Török Edwin wrote:
>On 2009-03-01 20:43, Tom Shaw wrote:
>>  At 9:26 AM -0800 3/1/09, Bill Landry wrote:
>>  
>>>  Tom Shaw wrote:
>>>
>>>>>>   What does this output:
>>>>>>  
>>>   >>> $ echo PING | strace socat - /var/tmp/clamd.socket
>>>
>>>>>>   $ echo -ne "nPING\n" | strace socat - /var/tmp/clamd.socket
>>>>>>  
>>>   >> Edwin,
>>>
>>>>>   OSX doesn't come with strace. I'll download a
>>>>>   copy from sourceforge and report back.
>>>>>
>>>>   strace reports no support of darwin :-(  Any other suggestions?
>>>>
>>>>   Tom
>>>>  
>>>  Does darwin support "truss" (man truss)?
>>>
>>
>>  The equivalent is dtruss.
>>  
>
>Ok, can you also run clamd under dtruss?
>(Perhaps with an empty database, otherwise it takes ages, set
>DatabaseDirectory to /tmp/db, and
>create a single file /tmp/db/empty.db:
>none=00112233445566778899
>
>
>>  pike:~ tshaw$ echo PING | sudo dtruss socat - /var/tmp/clamd.socket
>>  write(0x3, "PING\n\0", 0x5)  = 5 0
>>  select(0x4, 0xB2C8, 0xB348, 0xB3C8, 0x0) = 2 0
>>  dtrace: error on enabled probe ID 1741 (ID 13125:
>>  syscall::read:return): invalid address (0x58000) in action #12 at DIF
>>  offset 52
>>  shutdown(0x3, 0x1, 0x3)  = 0 0
>>  select(0x4, 0xB2C8, 0xB348, 0xB3C8, 0xB4DC)  = 1 0
>>  dtrace: error on enabled probe ID 1741 (ID 13125:
>>  syscall::read:return): invalid address (0x58000) in action #12 at DIF
>>  offset 52
>>  shutdown(0x3, 0x1, 0x3)  = -1 Err#57
>>  ioctl(0x1, 0x802C7414, 0x800CFC) = 0 0
>>  shutdown(0x3, 0x2, 0x3)  = -1 Err#57
>
>This is strange, so there is data available on the socket (select
>returning 2, resp. 1), but
>there is something wrong when socat calls read.
>Does this work with netcat, if you enable TCPSocket 3310?
>
>P.S.: we should continue this in a bugreport, please open one.

Done #1441

Tom


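The PING/PONG exchange this thread is chasing with socat, perl and dtruss, written out as a small Python client plus a constructed stand-in daemon so it can be run without a real clamd. This is an added example, not code from the thread or from ClamAV: the fake daemon, its temporary socket path and the reply string "ClamAV fake/0/constructed" are constructed for the example. The client sends the newline-terminated 'n' form by default and the NUL-terminated 'z' form on request, reads until the matching terminator, and also accepts a (host, port) tuple for the TCPSocket 3310 case Edwin mentions.

```python
import os
import shutil
import socket
import socketserver
import tempfile
import threading


class FakeClamdHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for clamd (not ClamAV code): answers PING and VERSION
    in the three command styles clamd accepts: bare 'PING', 'nPING\\n', 'zPING\\0'."""

    def handle(self):
        data = self.request.recv(4096)
        if data.startswith(b"z"):            # NUL-terminated form
            cmd, term = data[1:].rstrip(b"\0"), b"\0"
        elif data.startswith(b"n"):          # newline-terminated form
            cmd, term = data[1:].rstrip(b"\n"), b"\n"
        else:                                # old-style bare command
            cmd, term = data.rstrip(b"\n"), b"\n"
        if cmd == b"PING":
            reply = b"PONG"
        elif cmd == b"VERSION":
            reply = b"ClamAV fake/0/constructed"   # constructed; real clamd: version/dbver/date
        else:
            reply = b"UNKNOWN COMMAND"
        self.request.sendall(reply + term)       # clamd terminates replies like the request


def clamd_command(address, command, terminator=b"\n", timeout=5.0):
    """Send one command to clamd and return its reply with the terminator removed.

    address is a Unix socket path (LocalSocket in clamd.conf) or a (host, port)
    tuple (TCPSocket).  terminator=b"\\n" sends the 'n' form, b"\\0" the 'z' form."""
    prefix = b"z" if terminator == b"\0" else b"n"
    family = socket.AF_INET if isinstance(address, tuple) else socket.AF_UNIX
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(address)
        s.sendall(prefix + command.encode("ascii") + terminator)
        buf = b""
        while not buf.endswith(terminator):
            chunk = s.recv(4096)
            if not chunk:            # peer closed early: return whatever arrived
                break
            buf += chunk
    return buf.rstrip(terminator)


def ping(address):
    """True when clamd answers PING with PONG (the same check as the socat one-liner)."""
    return clamd_command(address, "PING") == b"PONG"


def start_fake_clamd():
    """Run the constructed fake daemon on a temporary Unix socket; returns (server, path)."""
    sockdir = tempfile.mkdtemp(prefix="fakeclamd-")
    path = os.path.join(sockdir, "clamd.socket")
    server = socketserver.ThreadingUnixStreamServer(path, FakeClamdHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, path


def demo():
    """Exercise the client against the fake daemon; returns the replies seen."""
    server, path = start_fake_clamd()
    try:
        return {
            "ping_n": ping(path),
            "ping_z": clamd_command(path, "PING", terminator=b"\0") == b"PONG",
            "version": clamd_command(path, "VERSION").decode(),
            "unknown": clamd_command(path, "NOSUCH").decode(),
        }
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(os.path.dirname(path), ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Against a real daemon, ping("/var/tmp/clamd.socket") or ping(("127.0.0.1", 3310)) is the condition a monitoring check should alert on when it is anything but True; a timeout with data visible on the socket, as in the dtruss trace above, is what separates a read-side problem from a wrong socket path.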

Re: [Clamav-users] Crash with Third-Party Sigs

2009-03-06 Thread Tom Shaw
At 9:04 AM + 3/6/09, Steve Basford wrote:
>  > No, it just has all sorts of characters in the virus name, like ][.
>
>Chris/All...
>
>If you want to manually fix, try replacing "][Date:" with  "-"
>
>see if that passes the 0.95RC1 tests


Actually it's just the : that's causing the problem. Replace : with - 
and it's fine.

Tom


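Both this thread and the earlier malformed securiteinfo.hdb one come down to the .hdb line format, MD5:Size:MalwareName, whose field separator is the colon. The Python below is added here and is not code from the thread or from ClamAV: it builds such a line from a file's bytes, checks a line the way a pre-flight test before dropping a third-party database into clamd might, applies the colon-to-dash fix from the reply above, and checks the one-line placeholder .db file (MalwareName=HexSignature) that Edwin suggested in the 0.95 rc1 thread. It assumes the three-field .hdb layout of the 0.95 era and plain hex bodies in .db; the sample bytes and signature names are constructed.

```python
import hashlib
import re

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")   # plain hex bodies only; wildcards not handled


def hdb_signature(data: bytes, name: str) -> str:
    """Build one .hdb line, MD5:Size:MalwareName, for the given file bytes."""
    if ":" in name:
        raise ValueError("':' is the .hdb field separator and cannot appear in a malware name")
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def check_hdb_line(line: str):
    """Return (ok, reason) for one .hdb line.  Assumes the three-field
    MD5:Size:Name layout (an assumption for the 0.95-era format)."""
    line = line.rstrip("\n")
    if not line or line.startswith("#"):
        return True, "comment or blank"
    fields = line.split(":")
    if len(fields) != 3:
        return False, f"expected MD5:Size:Name, got {len(fields)} fields (':' in the name?)"
    md5, size, name = fields
    if not MD5_RE.match(md5):
        return False, "first field is not a 32-hex-digit MD5"
    if not size.isdigit():
        return False, "second field (file size) is not a number"
    if not name:
        return False, "empty malware name"
    return True, "ok"


def fix_hdb_line(line: str) -> str:
    """The fix from the reply above: replace ':' inside the name with '-'."""
    fields = line.rstrip("\n").split(":")
    if len(fields) <= 3:
        return ":".join(fields)
    return ":".join(fields[:2]) + ":" + "-".join(fields[2:])


def check_db_line(line: str):
    """Return (ok, reason) for one basic .db line, MalwareName=HexSignature,
    such as the 'none=00112233445566778899' placeholder suggested above."""
    line = line.rstrip("\n")
    if "=" not in line:
        return False, "missing '=' between name and hex signature"
    name, hexsig = line.split("=", 1)
    if not name:
        return False, "empty malware name"
    if not HEX_RE.match(hexsig):
        return False, "signature body is not an even-length hex string"
    return True, "ok"


# Constructed inputs, not real malware or real signatures.
SAMPLE = b"constructed sample bytes, not real malware\n"
GOOD = hdb_signature(SAMPLE, "Constructed.Test.Sample-1")
BAD = hashlib.md5(b"constructed").hexdigest() + ":12345:Constructed.Junk][Date:20090306"


def demo():
    """Run the checks over the constructed lines; returns the verdicts."""
    return {
        "good": check_hdb_line(GOOD),
        "bad": check_hdb_line(BAD),
        "fixed": check_hdb_line(fix_hdb_line(BAD)),
        "db": check_db_line("none=00112233445566778899"),
        "db_odd": check_db_line("none=0011223"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running every line of a freshly downloaded unofficial database through check_hdb_line before it lands in DatabaseDirectory is cheaper than finding out from a clamd that refuses to start; a failing line is quarantined, not silently "fixed", unless the colon-in-name case is the known one above.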

[Clamav-users] ClamAV and VirusTotal

2009-03-17 Thread Tom Shaw
Any particular reason why they are using 0.94.1 (and it appears with 
the most non-aggressive settings)?  You are not showing off your best 
side...

Just my 2 cents

Tom


Re: [Clamav-users] test for SafeBrowsing?

2009-03-18 Thread Tom Shaw
At 7:20 AM -0700 3/18/09, Dennis Peterson wrote:
>Erwan David wrote:
>>  On Wed, Mar 18, 2009 at 01:55:14PM CET, Dennis 
>>Peterson  said:
>>>  Moray Henderson (ICT) wrote:
>  From: Török Edwin [mailto:edwinto...@gmail.com]
>>>  Try using  for the URL.
>>>
>>  Is that a requirement? If so we should get the spammers on board because
>  some of
>>  them may not know this :).
>  No, there are more places from where URLs can be extracted, but "<a href" is one that must work.
>>>>  With modern email clients "helpfully" presenting text that looks like a
>>>>  URL as a real URL at the client end, SafeBrowsing really ought to check the
>>>>  plain text, not just within html tags. http://pastebin.com/m13232c54 may be
>>>>  just plain text when transmitted and scanned, but it's an "" by the time I
>>>>  read it: underlined, blue, and turns my cursor to a pointy finger with a
>>>>  pop-up box saying "Click to follow link".
>>>  I don't imagine the world's premier spammers are sitting at their laptop in
>>>  their shorts sending out thousands of spams 
>>>with Thunderbird. There are purpose
>>>  built products for this and can format the mail any way they wish.
>>>
>>
>>  What was said is that many MUA, *receiving* a mail with an URL in the
>>  text will automatically create a link from it. It has bothing to do
>>  with the sending software.
>>
>>
>
>I see - I think we're all recommending that ClamAV detect URL's regardless of
>how they're presented in the message. And that will certainly include encoded
>URL's and all the HTML tricks that can be used to disguise them from scanning
>software. I would not suggest they go so far as 
>to build in a JavaScript engine
>to find those URL's that are intended to be 
>constructed in the browser or MUA at
>rendering time, but it may come to that at some point.

And deal with character encodings prior to rule application.


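What the thread is asking for, detection of URLs regardless of how the message presents them, with the character-encoding point from the last line handled first. The Python below is an added example, not ClamAV's SafeBrowsing code: it decodes each text part's transfer encoding (quoted-printable here, which can split a URL across lines), pulls targets out of href attributes, strips tags and HTML entities, and then scans the text the reader would actually see, which is the pastebin.com case Moray describes. The message and the example.test URLs are constructed. It does not attempt URLs built by JavaScript at rendering time, which Dennis sets aside as well.

```python
import email
import html
import re
from email import policy

# Constructed test message (not from the thread): a URL split by a
# quoted-printable soft line break, a bare "www." URL, a real <a href>,
# and a URL whose colon is written as an HTML entity.
RAW_MESSAGE = b"""\
From: sender@example.test
To: recipient@example.test
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Your invoice is at http://example.test/m1323=
2c54 and also see www.example.test/plain.

--b1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
<a href="http://example.test/phish?x=1&amp;y=2">click here</a>
Look: http&#58;//example.test/encoded
</body></html>

--b1--
"""

URL_RE = re.compile(r"""(?i)\b(?:https?://|www\.)[^\s<>"'()]+""")
HREF_RE = re.compile(r"""(?i)\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
TAG_RE = re.compile(r"<[^>]+>")


def normalize(url: str) -> str:
    """Trim trailing sentence punctuation and give bare www. links a scheme."""
    url = url.rstrip(".,;:!?")
    if url.lower().startswith("www."):
        url = "http://" + url
    return url


def extract_urls(raw: bytes) -> set:
    """URLs from every text part, whether in an href or in running text,
    after transfer-encoding and HTML-entity decoding."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()            # base64 / quoted-printable already undone
        for m in HREF_RE.finditer(body):     # explicit anchors
            target = next(g for g in m.groups() if g is not None)
            found.add(normalize(html.unescape(target)))
        text = html.unescape(TAG_RE.sub(" ", body))   # what the reader sees
        for m in URL_RE.finditer(text):
            found.add(normalize(m.group(0)))
    return found


if __name__ == "__main__":
    for url in sorted(extract_urls(RAW_MESSAGE)):
        print(url)
```

The set this returns is what a SafeBrowsing-style lookup would be run over; the quoted-printable soft break and the &#58; entity are the two cases a scanner that matches raw bytes before decoding would miss.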

Re: [Clamav-users] ClamAV and VirusTotal

2009-03-19 Thread Tom Shaw
At 8:35 PM +0100 3/19/09, Julio Canto wrote:
>Sarocet wrote:
>>  Julio Canto wrote:
>>>  Paul Whelan wrote:
>>>  
>>>>  must be the clamwin version then which is a strange 'official channel'.

>>>  Hi again,
>>>  You're wrong assuming that, therefore you should not accuse us of using
>>>  'strange official channels'. All engines and parameters used - including
>>>  the ones from ClamAV - at VirusTotal are decided and provided with the
>>>  vendors involved
>>  The wording doesn't seem to: "En el caso de ClamAV se ha optado por
>>  ClamWin Free Antivirus" ("In the case of ClamAV, ClamWin Free Antivirus
>>  was chosen"). It looks like an internal decision to use ClamWin, not that
>>  the ClamAV developers recommended it.
>
>It was a naming error, mostly because of some initial 'chaos' because
>the lack of a single point of consulting regarding this matters. The
>version we've been using the last years is the one that is sent to us by
>ClamAV official development team.

Julio

You are about to be one major rev behind (and are 
currently 1 minor rev behind).  I would reco that 
you and ClamAV people get together and update / 
configure for performance

Tom


[Clamav-users] What's the turnaround for new signatures?

2009-03-22 Thread Tom Shaw
What's the turnaround for new signatures?  I submitted these 7 days 
ago both directly and via virustotal (see below) yet today my clamd 
0.94.2 (main 50 daily 9149) doesn't detect new copies arriving.

Tom

Complete scanning result of "/Flash_Adobe11.exe", processed in 
VirusTotal at 03/16/2009 22:01:54 (CET).

[ file data ]
* name..: /Flash_Adobe11.exe
* size..: 36352
* md5...: d17008513f2c93933b92a392260c5cda
* sha1..: f551a3bb040c6d0ee824d05adc04c9b5aaa44c10
* peid..: -

[ scan result ]
a-squared   4.0.0.101/20090316  found nothing
AhnLab-V3   5.0.0.2/20090316found nothing
AntiVir 7.9.0.116/20090316  found nothing
Authentium  5.1.0.4/20090316found nothing
Avast   4.8.1335.0/20090316 found nothing
AVG 8.0.0.237/20090316  found nothing
BitDefender 7.2/20090316found nothing
CAT-QuickHeal   10.00/20090316  found nothing
ClamAV  0.94.1/20090316 found nothing
Comodo  1060/20090316   found nothing
DrWeb   4.44.0.09170/20090316   found nothing
eSafe   7.0.17.0/20090315   found [Suspicious File]
eTrust-Vet  31.6.6388/20090309  found nothing
F-Prot  4.4.4.56/20090316   found nothing
F-Secure8.0.14470.0/20090316found nothing
Fortinet3.117.0.0/20090316  found nothing
GData   19/20090316 found nothing
Ikarus  T3.1.1.45.0/20090316found nothing
K7AntiVirus 7.10.673/20090316   found nothing
Kaspersky   7.0.0.125/20090316  found nothing
McAfee  /20090316   found nothing
McAfee+Artemis  /20090316   found nothing
McAfee-GW-Edition   6.7.6/20090316  found nothing
Microsoft   1.4405/20090316 found nothing
NOD32   3938/20090316   found nothing
Norman  6.00.06/20090316found nothing
nProtect2009.1.8.0/20090316 found nothing
Panda   10.0.0.10/20090316  found [Suspicious file]
PCTools 4.4.2.0/20090316found nothing
Prevx1  V2/20090316 found [High Risk Cloaked Malware]
Rising  21.21.02.00/20090316found nothing
Sophos  4.39.0/20090316 found [Mal/EncPk-HJ]
Sunbelt 3.2.1858.2/20090315 found nothing
Symantec1.4.4.12/20090316   found [Infostealer.Snifula]
TheHacker   6.3.3.0.283/20090316found nothing
TrendMicro  8.700.0.1004/20090316   found nothing
VBA32   3.12.10.1/20090316  found [Win32.PSW.Papras.AQ]
ViRobot 2009.3.16.1650/20090316 found nothing
VirusBuster 4.6.5.0/20090316found nothing

[ notes ]
ThreatExpert info: 
http://www.threatexpert.com/report.aspx?md5=d17008513f2c93933b92a392260c5cda
Prevx info: 
http://info.prevx.com/aboutprogramtext.asp?PX5=BBC12D9300FF1AFF8E940021B31B6A00EC2AE2A9
CWSandbox info: 
http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=d17008513f2c93933b92a392260c5cda

