Re: [clamav-users] sigwhitelist.ign2 whitelist not working
We have the same problem with signatures we want to whitelist. Was this problem ever solved?

P.

On Tue, Nov 12, 2013 at 12:39 PM, Andreas Schulze wrote:
> On 12.11.2013 at 10:06, Steve Basford wrote:
> > > We added a file "local.ign2" containing one line:
> > > "Worm.Bagle.H-zippwd-1"
> > > clamscan called again and - nothing changed. Still marked as virus...
> > > Any hints/ideas?
> >
> > Hi Andreas,
> >
> > Make sure you don't have a space at the end of the sig name in the .ign2
> > file:
> >
> > "Sanesecurity.Malware.22454.ZipHeur" works
> > "Sanesecurity.Malware.22454.ZipHeur " fails
>
> yes, we doublechecked that and there is no space.
>
> --
> Andreas Schulze

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] sigwhitelist.ign2 whitelist not working
Steve,

We try to whitelist 2 sigs

% cat local.ign2
SecuriteInfo.com.Spammer.ec-messenger.com.UNOFFICIAL
SecuriteInfo.com.Spammer.addemar.com.UNOFFICIAL

On Tue, Dec 9, 2014 at 2:28 PM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:
> On Tue, December 9, 2014 1:23 pm, polloxx wrote:
> > We have the same problem with signatures we want to whitelist. Was this
> > problem ever solved?
>
> Hi,
>
> What sig name are you whitelisting?
>
> Cheers,
>
> Steve
> Sanesecurity.com
Re: [clamav-users] sigwhitelist.ign2 whitelist not working
Thanks Steve, that works.

On Tue, Dec 9, 2014 at 2:43 PM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:
> On Tue, December 9, 2014 1:33 pm, polloxx wrote:
> > % cat local.ign2
> > SecuriteInfo.com.Spammer.ec-messenger.com.UNOFFICIAL
> > SecuriteInfo.com.Spammer.addemar.com.UNOFFICIAL
>
> Ah, ok...remove the ".UNOFFICIAL" off the end and restart clamd.
>
> Cheers,
>
> Steve
> Sanesecurity.com
[clamav-users] url scanner
Since more and more malware is not attached to a mail but only an url to it, detecting it is a challenge. Is there any good url scanner available for Clamav?

Thx,
P.
Re: [clamav-users] url scanner
Thanks to all for the suggestions. surbl rbl is already in place.

On Fri, Dec 19, 2014 at 2:36 AM, Dennis Peterson wrote:
> On 12/18/14 6:29 AM, polloxx wrote:
>> Since more and more malware is not attached to a mail but only an url to
>> it, detecting it is a challenge. Is there any good url scanner available for
>> Clamav?
>>
>> Thx,
>> P.
>
> The Sendmail/Postfix milter J-Chkmail (and front end for ClamAV) can use
> DNS or regular expressions to detect URLs. I keep a local DNS table of
> bogus uri's built from spam traps and uncaught spam, and also use
> multi.uribl.com (see http://uribl.com/) which has a comprehensive
> DNS-based URL list. The regex aspect of it can filter on complete URI
> content rather than just on host names. It is incredibly effective and
> inexpensive in terms of CPU and time.
>
> Learn more at http://www.j-chkmail.org/
>
> dp
Re: [clamav-users] Custom clamav rule to block exe and scr files in archive.
We use amavisd to quarantine all MS executable files, including zipped files. I asked a similar question in the amavis ML at 4/4/13. Replies from the members were quite helpful:

First check if .exe extension is not commented out in $banned_filename_re definition, then check that 'zip' is not commented out in @decoders definition in your amavisd.conf. This is enough.

"Filename banning" is in fact a misnomer because when you switch on banning files with .exe extension, the file content is also checked, so if an executable has for example a .pdf extension, it will be banned.

On Thu, Feb 5, 2015 at 2:22 PM, Benny Pedersen wrote:
> Virgo Pärna wrote on 2015-02-05 13:59:
>
>> Well, foxhole is something I never thought to Google:)
>
> +1
>
>> Clamav does unpack archives recursively up to 16 levels (by default).
>
> yep, it just creates another problem, zip bombs
>
>> For clamd it is set with MaxRecursion configuration value, for clamscan
>> with --max-recursion=N command line switch. So that rule matches still.
>
> unless the scr is nested 17 times in zip
>
> so i think foxhole need to test if zip contains another zip, when
> --max-recursion=1
>
>> And I do doubt, that such viruses are hidden deeper. I would at
>> least think, that odds of users accidentally executing such file would
>> decrease with deeper nesting.
>
> if just end users did not press to see attachment from unknown senders, it
> would be less of a problem, and if microsoft blocks installers or exe files
> from unknown signers when users running administrator mode, it would make a
> big difference
>
> i try to defend developers to not create clamav as a elf installer :=)
>
> there is lots of such badness already
Re: [clamav-users] EquationAPT sigs
Thanks Steve.

On Thu, Feb 19, 2015 at 10:05 AM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:
> Hi All,
>
> EquationAPT is in the news... so in case this is useful...
>
> copy the following to EquationAPT.hdb:
>
> For those using rogue.hdb detection is there already.
>
> clamscan --database=EquationAPT.hdb --infected etc. etc.
>
> Cheers,
>
> Steve
> Web : sanesecurity.com
> Blog: sanesecurity.blogspot.com
[clamav-users] PUAexclude
Dear,

What categories can be excluded by PUAexclude? The documentation for that seems not available.

Thx,
P.
[clamav-users] mail follow url
In http://www.clamav.net/documents/installing-clamav#requirements I read:

Optional:
GMP: for digital signatures
*cURL: for mail follow url*

Does this mean that clamav scans URL's in mails?

Thanks,
P.
[clamav-users] no new signatures
Dear,

Since the migration we have no new signatures: freshclam.log shows:

Fri Mar 18 14:34:15 2016 -> --
Fri Mar 18 14:34:15 2016 -> ClamAV update process started at Fri Mar 18 14:34:15 2016
Fri Mar 18 14:34:15 2016 -> WARNING: Your ClamAV installation is OUTDATED!
Fri Mar 18 14:34:15 2016 -> WARNING: Local version: 0.98.1 Recommended version: 0.99.1
Fri Mar 18 14:34:15 2016 -> DON'T PANIC! Read http://www.clamav.net/support/faq
Fri Mar 18 14:34:15 2016 -> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Fri Mar 18 14:34:15 2016 -> daily.cvd is up to date (version: 21466, sigs: 83889, f-level: 63, builder: amishhammer)
Fri Mar 18 14:34:15 2016 -> bytecode.cvd is up to date (version: 275, sigs: 45, f-level: 63, builder: amishhammer)

What's wrong with our config?

P.
Re: [clamav-users] no new signatures
Thanks for the answers folks. One last question: will the new databases still work on version 0.98.1?

On Fri, Mar 18, 2016 at 4:01 PM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:
> On Fri, March 18, 2016 2:05 pm, Helmut Hullen wrote:
> > Hello, polloxx,
> >
> > You wrote on 18.03.16:
> >
> >> Fri Mar 18 14:34:15 2016 -> ClamAV update process started at Fri Mar 18 14:34:15 2016
> >> Fri Mar 18 14:34:15 2016 -> WARNING: Your ClamAV installation is OUTDATED!
> >
> > So what - updated or not updated?
>
> > Fri Mar 18 14:34:15 2016 -> WARNING: Your ClamAV installation is OUTDATED!
> > Fri Mar 18 14:34:15 2016 -> WARNING: Local version: 0.98.1 Recommended version: 0.99.1
>
> The above just means that 0.98.1 is currently being used, but should
> be upgraded to 0.99.1 which is the latest version of the engine.
>
> The signatures haven't been updated since Friday.
>
> Cheers,
>
> Steve
> Web : sanesecurity.com
> Blog: sanesecurity.blogspot.com
> Twitter: @sanesecurity
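The thread turns on two different messages in the same log: the OUTDATED warning concerns the engine version, while the per-database lines report the signature versions. The parser below is an added example, not part of freshclam or the posters' code; the first run in the sample is the log quoted in the thread, the second run is constructed, and the function names and the "updated" status wording are assumptions.

```python
import re
from datetime import datetime, timedelta

# Timestamp prefix as it appears in the quoted log: "Fri Mar 18 14:34:15 2016 -> ..."
LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> (.*)$")
# Engine (program) version warning: says nothing about signature freshness.
ENGINE = re.compile(r"Local version: (\S+) Recommended version: (\S+)")
# Per-database status line. "is up to date" is from the quoted log;
# "updated" is the assumed wording for a run that fetched a new version.
DB = re.compile(
    r"^(\w+)\.(?:cvd|cld) (is up to date|updated) "
    r"\(version: (\d+), sigs: (\d+), f-level: (\d+), builder: ([^)]+)\)"
)

SAMPLE_LOG = """\
Fri Mar 18 14:34:15 2016 -> ClamAV update process started at Fri Mar 18 14:34:15 2016
Fri Mar 18 14:34:15 2016 -> WARNING: Your ClamAV installation is OUTDATED!
Fri Mar 18 14:34:15 2016 -> WARNING: Local version: 0.98.1 Recommended version: 0.99.1
Fri Mar 18 14:34:15 2016 -> DON'T PANIC! Read http://www.clamav.net/support/faq
Fri Mar 18 14:34:15 2016 -> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Fri Mar 18 14:34:15 2016 -> daily.cvd is up to date (version: 21466, sigs: 83889, f-level: 63, builder: amishhammer)
Fri Mar 18 14:34:15 2016 -> bytecode.cvd is up to date (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
Mon Mar 21 14:34:15 2016 -> daily.cvd is up to date (version: 21466, sigs: 83889, f-level: 63, builder: amishhammer)
"""  # last line is a constructed second run, three days later


def parse_freshclam(log_text):
    """Split a freshclam log into engine-version info and database versions."""
    report = {"engine": None, "databases": {}}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        eng = ENGINE.search(msg)
        if eng:
            report["engine"] = {"local": eng.group(1), "recommended": eng.group(2)}
            continue
        db = DB.match(msg)
        if not db:
            continue
        name, version = db.group(1), int(db.group(3))
        prev = report["databases"].get(name)
        # Remember the first time this exact database version was logged.
        same = prev is not None and prev["version"] == version
        report["databases"][name] = {
            "status": db.group(2),
            "version": version,
            "sigs": int(db.group(4)),
            "f_level": int(db.group(5)),
            "unchanged_since": prev["unchanged_since"] if same else when,
        }
    return report


def engine_outdated(report):
    """True when the log carried a local/recommended version mismatch."""
    e = report["engine"]
    return bool(e) and e["local"] != e["recommended"]


def stale_databases(report, now, max_age, names=("daily",)):
    """Databases whose version has not changed for longer than max_age."""
    return sorted(
        n for n in names
        if n in report["databases"]
        and now - report["databases"][n]["unchanged_since"] > max_age
    )


if __name__ == "__main__":
    rep = parse_freshclam(SAMPLE_LOG)
    print("engine outdated:", engine_outdated(rep), rep["engine"])
    for name, info in rep["databases"].items():
        print(name, info["version"], "unchanged since", info["unchanged_since"])
    print("stale:", stale_databases(rep, datetime(2016, 3, 21, 15, 0), timedelta(days=1)))
```

Only `daily` is checked for staleness by default, since in this log it is the database expected to change between runs.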
Re: [clamav-users] ClamAV(R) blog: ClamAV Signature Interface maintenance is now complete! New Main.cvd!
Still no updates?

On Thu, Mar 17, 2016 at 4:24 AM, Joel Esler (jesler) wrote:
> http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html
> <http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html?m=1>
>
> ClamAV Signature Interface maintenance is now complete! New Main.cvd!
>
> Our ClamAV Signature Interface maintenance is now complete. While we
> apologize for the delay, the rollout of the new Signature Interface
> inside of ClamAV will result in several new features for the community, and
> I wanted to tell you about some of them:
>
> First, the first new "main.cvd" in about two years. This main.cvd has
> been completely re-written from scratch, and while the function of the
> "main" is largely the same, it's been rewritten to not only enforce order
> to the signatures, but naming convention as well. For example:
>
> W97M.Ethan.AK-1 has moved to Doc.Trojan.Ethan
> Worm.Padowor.A-zippwd has moved to Win.Worm.Padowor
> Adware.Smshoax has moved to Win.Adware.Smshoax
>
> Re-naming of the signatures may affect a local user's whitelist. If you
> have excluded certain signatures in the past that are now firing, we ask
> that you both submit the file to us for false positive remediation (if you
> believe it to be a false positive), and rename the signature whitelist on
> your side.
>
> This new main is 109Mb in size, and contains 4 million signatures for
> ClamAV. Now that the main.cvd has been rewritten, it is now easier for us
> to create diffs, which means upgrading the main more often, and making the
> "daily.cvd" smaller more often.
>
> Second, we now have the ability to offer different types of CVDs. For
> instance, we now have the ability to distribute 3rd party signatures that
> are officially signed by ClamAV, but updated through the ClamAV global
> mirror network. If we wanted to separate out "policy" type signatures from
> the daily.cvd into their own cvd, we can now do that.
>
> Third, while we have not removed some of the older signature formats, we
> did convert those older signatures to the newer formats to empty those
> older "cvd"s out.
>
> For example:
> "db" signatures were consolidated into "ndb" signatures
> "zmd" and "rmd" archive signatures we moved to the "cdb" container
> signature format
>
> These formats are not new, they simply have never been published before.
> This includes other formats such as "hsb", "msb", "sfp", and "crb". The
> older formats are supported for now, we are simply no longer publishing
> them.
>
> Fourth, newer features, like the ability to write signatures based on the
> SHA256 of a file have been added to the system, and we can now publish that
> type of detection.
>
> We'd like to thank you for your patience.
>
> ClamAV team
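The whitelist thread earlier on this page (a trailing space, a ".UNOFFICIAL" suffix) and the renames announced in this message all produce the same symptom: a local.ign2 entry that no longer matches the name the engine reports. The linter below is an added example, not code from ClamAV or from the list; `lint_ign2`, the finding labels, the sample file and the rule that surrounding quotes are an error are assumptions made for illustration.

```python
UNOFFICIAL = ".UNOFFICIAL"

# Renames quoted in the main.cvd announcement above.
RENAMED = {
    "W97M.Ethan.AK-1": "Doc.Trojan.Ethan",
    "Worm.Padowor.A-zippwd": "Win.Worm.Padowor",
    "Adware.Smshoax": "Win.Adware.Smshoax",
}

# Constructed sample file contents (names taken from the threads on this page).
SAMPLE_IGN2 = (
    "SecuriteInfo.com.Spammer.ec-messenger.com.UNOFFICIAL\n"
    "Sanesecurity.Malware.22454.ZipHeur \n"   # trailing space
    "Worm.Padowor.A-zippwd\r\n"               # CRLF ending and a renamed signature
    "PUA.Pdf.Trojan.EmbeddedJS-1\n"
    "PUA.Pdf.Trojan.EmbeddedJS-1\n"           # duplicate
)


def lint_ign2(text, renames=RENAMED, known_names=None):
    """Return (cleaned_entries, findings) for the contents of an .ign2 file.

    findings is a list of (line_number, label, detail) tuples.
    known_names, if given, is the set of signature names present in the
    loaded databases (collected by the caller, e.g. from sigtool --list-sigs).
    """
    cleaned, findings, seen = [], [], set()
    # Split on "\n" only, so a stray "\r" is reported instead of swallowed.
    for lineno, raw in enumerate(text.split("\n"), start=1):
        if raw.strip() == "":
            continue  # blank line, including the one after a final newline
        entry = raw
        if entry != entry.strip():
            findings.append((lineno, "whitespace", repr(raw)))
            entry = entry.strip()
        if len(entry) >= 2 and entry[0] == entry[-1] == '"':
            findings.append((lineno, "quoted", entry))
            entry = entry[1:-1].strip()
        if entry.endswith(UNOFFICIAL):
            # The suffix is shown in scan results but is not part of the name.
            findings.append((lineno, "unofficial-suffix", entry))
            entry = entry[: -len(UNOFFICIAL)]
        if entry in renames:
            findings.append((lineno, "renamed", f"{entry} -> {renames[entry]}"))
            entry = renames[entry]
        if known_names is not None and entry not in known_names:
            findings.append((lineno, "unknown-name", entry))
        if entry in seen:
            findings.append((lineno, "duplicate", entry))
            continue
        seen.add(entry)
        cleaned.append(entry)
    return cleaned, findings


if __name__ == "__main__":
    entries, problems = lint_ign2(SAMPLE_IGN2)
    for lineno, label, detail in problems:
        print(f"line {lineno}: {label}: {detail}")
    print("\n".join(entries))
```

Write the cleaned entries back to local.ign2 and restart clamd, as the replies in the whitelist thread describe.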
[clamav-users] PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1
Since the new Clamav database we have a lot more false positives for PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1.
What can we do about this, except disabling PUA?

p.
Re: [clamav-users] PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1
That's known to me Steve.
I'm afraid malware will not be detected in that case.

P.

On Thu, Mar 31, 2016 at 3:43 PM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:
> On Thu, March 31, 2016 2:33 pm, polloxx wrote:
> > Since the new Clamav database we have a lot more false positives for
> > PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1.
> > What can we do about this, except disabling PUA?
>
> Create a local.ign2 with the following lines:
>
> PUA.Pdf.Trojan.EmbeddedJS-1
> PUA.Win.Trojan.EmbeddedPDF-1
>
> Place in ClamAV database folder and restart clamd
>
> Cheers,
>
> Steve
> Web : sanesecurity.com
> Blog: sanesecurity.blogspot.com
> Twitter: @sanesecurity
Re: [clamav-users] PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1
Thanks Noël.

On Thu, Mar 31, 2016 at 5:36 PM, Noel Jones wrote:
> Known malware will still be detected, even if you ignore the
> troublesome PUA sigs.
>
> These aren't really false positives since the .pdf really does
> contain javascript. So the sigs are working as intended.
>
> The alternative is to communicate to your users that .pdf files
> containing javascript are not allowed in email. Unfortunately,
> *many* legit .pdf files contain javascript.
>
> This is more of a local policy decision than a tech decision.
>
> -- Noel Jones
>
> On 3/31/2016 9:25 AM, polloxx wrote:
> > That's known to me Steve.
> > I'm afraid malware will not be detected in that case.
> >
> > P.
> >
> > On Thu, Mar 31, 2016 at 3:43 PM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:
> >> On Thu, March 31, 2016 2:33 pm, polloxx wrote:
> >>> Since the new Clamav database we have a lot more false positives for
> >>> PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1.
> >>> What can we do about this, except disabling PUA?
> >>
> >> Create a local.ign2 with the following lines:
> >>
> >> PUA.Pdf.Trojan.EmbeddedJS-1
> >> PUA.Win.Trojan.EmbeddedPDF-1
> >>
> >> Place in ClamAV database folder and restart clamd
> >>
> >> Cheers,
> >>
> >> Steve
> >> Web : sanesecurity.com
> >> Blog: sanesecurity.blogspot.com
> >> Twitter: @sanesecurity
Re: [clamav-users] [Clamav-announce] announcing ClamAV 0.97.1
On Thu, Jun 9, 2011 at 11:33 AM, Luca Gibelli wrote:
> Dear ClamAV users,
>
> This is a bugfix release recommended for all users. Please refer to the
> ChangeLog file for details.
>
> Download : http://downloads.sourceforge.net/clamav/clamav-0.97.1.tar.gz
> PGP sig  : http://downloads.sourceforge.net/clamav/clamav-0.97.1.tar.gz.sig
> Bugfixes : http://www.clamav.net/release-info/bugs/0.97.1
> ChangeLog: http://www.clamav.net/release-info/changelog/0.97.1

Any idea when the Debian package will be available?
Re: [clamav-users] [Clamav-announce] announcing ClamAV 0.97.1
>> Any idea when the Debian package will be available?
>
> It is already available in unstable (I think it was already the day after the
> release),
> for volatile (or is it squeeze-updates now?) I don't know.

Edwin,

It's not in the stable a.k.a. Squeeze updates.
[clamav-users] Virus not detected by Clamav
Dear,

One of our customers got a virus not detected by Clamav: dhl-express-prtcopy-Delivery-Failure-Notification-HXZsVlN[...].exe
A fake DHL non-delivery report.

Other engines do detect it:

BitDefender 7.2 2011.06.27 Trojan.Zbot.1911
F-Secure 9.0.16440.0 2011.06.27 Trojan.Zbot.1911
Kaspersky 9.0.0.837 2011.06.27 Trojan-Spy.Win32.Zbot.bpsx

Sent it to Totalvirus 2 days ago.

Are there other users with the same problem? Any solution?

Thx,
P.
Re: [clamav-users] Virus not detected by Clamav
On Wed, Jun 29, 2011 at 11:45 AM, Henrik K wrote:
> On Wed, Jun 29, 2011 at 12:27:46PM +0300, Mihamina Rakotomandimby wrote:
>> > On Wed, 29 Jun 2011 11:24:24 +0200
>> > polloxx wrote:
>>
>> > Are there other users with the same problem? Any solution?
>>
>> I have the same problem.
>> I manage a mail server used by a vendor of DHL.
>>
>> Pretty annoying as far as all emails from DHL are sensible and
>> important for the users :-)
>>
>> Unfortunately, I have found no solution... yet.
>
> So your users receive lot of legitimate exes?

It was a zip file.

> If you are expecting ClamAV to be a 0day magic tool without having lots of
> other defences (spamassassin etc) and lots of custom rules, then yes, there
> is no solution.

The virus was found Monday morning. According to Virus Total 31/41 engines do detect it. Unfortunately Clamav did not.
Re: [clamav-users] Virus not detected by Clamav
On Wed, Jun 29, 2011 at 12:49 PM, Joel Esler wrote:
> If you have a sample of the file, submitting it through ClamAV's submission
> interface makes it "bubble up" so the rule writers can get to it faster.
>
> (instead of waiting for it to come through Virustotal)

Joel,

I did that yesterday.
Re: [clamav-users] Virus not detected by Clamav
Still not recognised.

On Wed, Jun 29, 2011 at 4:00 PM, Mihamina Rakotomandimby wrote:
>> On Wed, 29 Jun 2011 12:45:37 +0300
>> Henrik K wrote:
>> So your users receive lot of legitimate exes?
>
> Nope, exes are zipped
>
> --
> RMA.
Re: [clamav-users] [Clamav-announce] announcing ClamAV 0.97.2
On Mon, Jul 25, 2011 at 6:09 PM, Luca Gibelli wrote:
> Dear ClamAV users,
>
> ClamAV 0.97.2 fixes problems with the bytecode engine, Safebrowsing
> detection, hash matcher, and other minor issues. Please see
> the ChangeLog file for details.
>
> Download : http://downloads.sourceforge.net/clamav/clamav-0.97.2.tar.gz
> PGP sig  : http://downloads.sourceforge.net/clamav/clamav-0.97.2.tar.gz.sig
> Bugfixes : http://www.clamav.net/release-info/bugs/0.97.2
> ChangeLog: http://www.clamav.net/release-info/changelog/0.97.2
>
> *** Announcement ***
>
> The ClamAV project is launching a new service called "Third Party web
> interface". It will allow selected individuals/organizations to publish
> ClamAV Virus Databases (CVD) through the ClamAV mirror network.
>
> If you choose to publish your signatures through our Third Party
> web interface you will benefit from the following:
>
> - before publishing the signatures, we will test them for
>   false positives against our false positive file collection.
> - before publishing the signatures, we'll verify that the latest two
>   major versions of ClamAV can load them correctly.
> - the signatures will be digitally signed and packaged into a single
>   .cvd compressed file.
> - there will be no ".UNOFFICIAL" suffix in the detection names.
> - a custom prefix will be added to the detection names, identifying the
>   organization which published the signature.
> - updates will be distributed both as full CVD files and cdiff
>   incremental updates. Users will benefit from lower network traffic.
> - the .cvd and .cdiff files will be distributed through the
>   ClamAV mirror network.
> - the service should result in faster remediation of false positives.
> - ClamAV users will be able to download the third party databases
>   using freshclam, by adding a single line to freshclam.conf, what
>   should make signature maintenance significantly easier.
>
> The service is still in beta, you are welcome to contact Luca Gibelli
> if you intend to join the beta program.
>
> We especially welcome those who already distribute their own unofficial
> signatures to join. A list of databases distributed by the new service
> will be available at http://www.clamav.net/download/cvd/3rdparty
>
> We will be happy to answer any questions you might have.
>
> --
> The ClamAV team (http://www.clamav.net/team)
>
> --
> Luca Gibelli (luca _at_ clamav.net) ClamAV, a GPL anti-virus toolkit

When will the package be available in Debian Squeeze?
[clamav-users] undetected virus
Dear list,

We received a virus not detected by Clamav. VirusTotal shows a 23/43 detection ratio. Trend Micro recognises it as TROJ_GEN.R06C8AN.
Yesterday I submitted a sample to Clamav. But till now it's not detected.
https://www.virustotal.com/file/d6a2ae622adae26cc7988e68edfa6898364b423a47b8eeebb3d917459cd99a68/analysis/

What should be the reason of this?

P.
Re: [clamav-users] undetected virus
On Tue, Jan 24, 2012 at 9:05 AM, Al Varnell wrote:
> On Jan 23, 2012, at 11:44 PM, polloxx wrote:
>
>> We received a virus not detected by Clamav. VirusTotal shows a 23/43
>> detection ratio. Trend Micro recognises it as TROJ_GEN.R06C8AN.
>> Yesterday I submitted a sample to Clamav. But till now it's not detected.
>> https://www.virustotal.com/file/d6a2ae622adae26cc7988e68edfa6898364b423a47b8eeebb3d917459cd99a68/analysis/
>>
>> What should be the reason of this?
>
> The clamav team consist of volunteers who work as quickly as they can, when
> they can. You should not expect immediate action, especially if it was a
> busy weekend.

I know Al. That's not my point.

P.
Re: [clamav-users] undetected virus
On Tue, Jan 24, 2012 at 9:13 PM, Joel Esler wrote:
> This has been handled.

I noticed this. Thanks.

P.
[clamav-users] False Positives
Dear list,

How do we mark signatures as a false positive in our sig database?

Thx
P.
Re: [clamav-users] False Positives
I will Alain,

But I want a quick way to whitelist as a shortcut, because our users are complaining. :(

On Mon, Aug 13, 2012 at 3:23 PM, Alain Zidouemba wrote:
> Please report your FP(s) here:
> http://www.clamav.net/lang/en/sendvirus/submit-fp/
>
> - Alain
Re: [clamav-users] False Positives
Thanks Steve.
I also reported the FP.

On Mon, Aug 13, 2012 at 3:41 PM, Steve Basford wrote:
>> I will Alain,
>>
>> But I want a quick way to whitelist as a shortcut, because our users
>> are complaining. :(
>
> Put the problem signature name in a file called local.ign2 and restart clamd.
>
> eg:
>
> MBL_303159
> MBL_312128
> Worm.Mydoom-20009
>
> etc. etc.
>
> Cheers,
>
> Steve
> Sanesecurity
[clamav-users] XF.Sic.E False positive
Just a quick note to inform you that the FP for XF.Sic.E I submitted to http://www.clamav.net/lang/en/sendvirus/submit-fp/ on Aug 13 is still in the database.
Re: [clamav-users] XF.Sic.E False positive
Because a VirusTotal scan results in only Clamav (1/42) marking it as infected.

On Mon, Aug 27, 2012 at 4:29 PM, Alain Zidouemba wrote:
> In the RFC822 message that you sent in, found:
>
> "An Excel Formula Macro Virus (XF.Classic))
> Hydrocodone/APAP 10-650 For Your Computer
> (C) The Narkotic Network 1998
> **Simple Payload**
> **Set Our Values and Paths**5
> **Add New Workbook, Infect It, Save It As Book1.xls**
> **Infect Workbook**".
>
> Why do you think it's a false positive?
>
> - Alain
Re: [clamav-users] question about sanesecurity
On Mon, Nov 26, 2012 at 8:25 PM, Al Varnell wrote:
> On 11/26/12 9:02 AM, "polloxx" wrote:
>
>> Are signatures for Belgian or Dutch bank-phishing mails (ING,
>> BNP-Paribas-Fortis, Belfius, etc) included in these databases?
>
> Open the "daily" portion of your database with a text editor and in the
> "daily.pdb" section you will find all the institutions used by the
> Heuristics scanning engine (e.g. H:paypal.be).
>
> But if you have a question for SaneSecurity you should be addressing it
> directly with them and not ClamAV
> <http://www.sanesecurity.com/contactus.htm>

Sorry Al,

I'll reply off-list to Steve.

P.