[clamav-users] cl_engine_free()

2025-01-20 Thread Alessandro Vesely via clamav-users
Hi, I'm using libclamav in a forking mail filter. After the library is loaded, it is passed to a forked child for every file. This has always worked fine, except for the time taken by cl_engine_free(). I find the program hanging at mpool_free() for quite some time. The problem is when the

[clamav-users] Nonsensical noreplies from ClamAV team

2021-11-18 Thread Alessandro Vesely via clamav-users
...@tana.it Alessandro Vesely, Thank you again for your submission. Your File: purchase-ORD (SHA256: 2ac2bb49a9135954a298cbb3e52b3ecfcb1e5e2dc6d83fac7052d4c3833ac11a) Our initial assessment shows that this file is possibly clean. If you provided a description that suggests otherwise, we will further

[clamav-users] Is there anything to do about encrypted viruses?

2020-12-22 Thread Alessandro Vesely via clamav-users
Hi all, today I received a message with an encrypted zip attachment. I saved the attachment and loaded it to VirusTotal, where no scanner detected anything: https://www.virustotal.com/gui/file/2cef2c979e60c1e2892e6a494814dd65db14c2076102279e6e74737d36c115a5/detection Then I unzipped the file u

Re: [clamav-users] clamav-milter and "whitelist"

2019-12-22 Thread Alessandro Vesely via clamav-users
On Sun 22/Dec/2019 12:26:04 +0100 Gerard E. Seibert via clamav-users wrote: > I have this line in that file: > > From:market...@snopes.com > > However, that file is being blocked with this message in the > clamav-milter.log file: > > Fri Dec 20 20:12:00 2019 -> Message from > to > <> in

Re: [clamav-users] Does ClamAV detect stalkerware?

2019-11-24 Thread Alessandro Vesely via clamav-users
On Sat 23/Nov/2019 11:00:46 +0100 Al Varnell via clamav-users wrote: > On Nov 23, 2019, at 00:29, Alessandro Vesely via clamav-users wrote: >> >> Now, I don't even know whether ClamAV runs on Android (I'm the proud user of >> a Nokia 2760).  However, I'd like to

[clamav-users] Does ClamAV detect stalkerware?

2019-11-23 Thread Alessandro Vesely via clamav-users
Hi all, first of all, what is stalkerware? https://stopstalkerware.org/about/what-is-stalkerware/ Kaspersky, for one, has detected it since April: https://www.vice.com/en_us/article/vbw9g8/kaspersky-lab-alert-stalkerware-domestic-abuse Now, I don't even know whether ClamAV runs on Android (I'm the pro

Re: [clamav-users] clamd using ~1GB memory on Debian Stretch

2019-05-16 Thread Alessandro Vesely via clamav-users
On Mon 13/May/2019 16:55:57 +0200 Avinash Sonawane via clamav-users wrote: > Now, for loading time, when I start firefox within 5-6 seconds it > immediately fills up 250+ Mb memory so for 950+ Mb (clamd) loading time > shouldn't be that of an issue. I use more or less average ~1GB too: PID USE

Re: [clamav-users] Slow reload

2019-03-25 Thread Alessandro Vesely via clamav-users
On Fri 22/Mar/2019 16:14:28 +0100 Bowie Bailey wrote: > On 3/22/2019 10:54 AM, Bowie Bailey wrote: >> >> The only problem I have found is that >> since my databases take so long to load, avfilter_sig times out when >> reloading the >> virus definitions.  Is there a way to increase the timeout for

Re: [clamav-users] Slow reload

2019-03-22 Thread Alessandro Vesely via clamav-users
On Thu 21/Mar/2019 21:21:45 +0100 Bowie Bailey wrote: > >> >> At that point, the top of the header should be plenty of virus_header's (one >> for each invocation): >> >> ale@pcale:~/tmp/courier/avfilter/svn/tests/testsuite.dir/09$ head eicar.mail >> ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL E

Re: [clamav-users] Slow reload

2019-03-21 Thread Alessandro Vesely via clamav-users
On Thu 21/Mar/2019 15:05:59 +0100 Bowie Bailey wrote: > > $ pkg-config --atleast-version=0.101.0 libclamav --print-errors > Package libclamav was not found in the pkg-config search path. > Perhaps you should add the directory containing `libclamav.pc' > to the PKG_CONFIG_PATH environment variable

Re: [clamav-users] Slow reload

2019-03-21 Thread Alessandro Vesely via clamav-users
On Wed 20/Mar/2019 21:52:49 +0100 Bowie Bailey wrote: > > I'm trying to build avfilter, but it is complaining that it can't find > libclamav.  I > have ClamAV 0.101.1 installed (built from source).  I was able to find > libclamav.so > in /usr/local/lib64/.  Do I need to specify that directory so

Re: [clamav-users] Slow reload

2019-03-20 Thread Alessandro Vesely via clamav-users
On Wed 20/Mar/2019 14:53:28 +0100 Bowie Bailey wrote: > On 3/20/2019 8:42 AM, Alessandro Vesely via clamav-users wrote: >> On Tue 19/Mar/2019 15:35:39 +0100 Bowie Bailey wrote: >> >>> ClamAV is taking about 2 1/2 minutes to reload its database on my mail >>> serv

Re: [clamav-users] Slow reload

2019-03-20 Thread Alessandro Vesely via clamav-users
On Tue 19/Mar/2019 15:35:39 +0100 Bowie Bailey wrote: > ClamAV is taking about 2 1/2 minutes to reload its database on my mail > server.  This > seems to frequently happen when we are sending an email, so the Thunderbird > will time > out on the send (although the message will frequently go thro

Re: [clamav-users] Incompatible clamav.h changes

2019-03-01 Thread Alessandro Vesely via clamav-users
Hi Micah, On Fri 01/Mar/2019 03:34:10 +0100 Micah Snyder (micasnyd) wrote: > > Your attachment is correct. I will also note that the following macros enable > the same feature. The name "collect metadata" seemed to be more intelligible > than simply "properties": > > -#define CL_SCAN_FILE_PRO

Re: [clamav-users] Incompatible clamav.h changes

2019-02-28 Thread Alessandro Vesely via clamav-users
Hi Micah, Thank you so much for your prompt reply. On Wed 27/Feb/2019 20:48:44 +0100 Micah Snyder \(micasnyd\) via clamav-users wrote: > > You're correct, there are non-backwards compatible changes in clamav.h in > version 0.101. The libclamav major version number as also increased to > high

[clamav-users] Incompatible clamav.h changes

2019-02-27 Thread Alessandro Vesely via clamav-users
Hi, clamav.h has changed in version 101, resulting in compile errors like so: avfilter.c:270:21: error: ‘CL_SCAN_STDOPT’ undeclared (first use in this function); did you mean ‘CL_DB_STDOPT’? a->scan_options = CL_SCAN_STDOPT; ^~ CL_DB_STDOPT

Re: [clamav-users] Using clamav to test for bad links in incoming emails

2019-02-14 Thread Alessandro Vesely
On Sat 09/Feb/2019 00:07:28 +0100 Gene Heskett wrote: > > Has anyone rigged clamd to check what looks like questionable links > contained in incoming emails? It seems over the last 2 weeks my spam has > tripled, and I suspect the real payload is in the urls in the message. Shouldn't that be don

[clamav-users] How do heuristics block MS Office xml OLE blobs?

2018-11-15 Thread Alessandro Vesely
Hi all, I'm trying to block Office files which contain executable stuff. Decalage's mraptor works fine, except it doesn't cover Office 2007 and similar. Those have 4-char extensions, like xlsx (Xml), xlsm (Macro), xlsb (Binary), and many more. For a tentative list, see e.g.: https://kb.inter

Re: [clamav-users] Mailing list DMARC problem

2018-10-31 Thread Alessandro Vesely
On Wed 31/Oct/2018 13:23:27 +0100 Maarten Broekman wrote: > Or, I don't know, recipients that are enforcing DMARC could simply follow the > steps from the previous section. The mailing list doesn't own the messages > sent > to it (we don't see "From: clamav-users"). > > Recipients should whiteli

Re: [clamav-users] Mailing list DMARC problem

2018-10-31 Thread Alessandro Vesely
On Wed 31/Oct/2018 10:47:34 +0100 Al Varnell wrote: > I'm not sure it's even possible to be compliant given the currently used > list software. Yes, it is: https://mailman.readthedocs.io/en/latest/src/mailman/handlers/docs/dmarc-mitigations.html The most commonly used workaround is bullet #3 of

Re: [clamav-users] Keymarble Yara rule?

2018-08-17 Thread Alessandro Vesely
On Wed 15/Aug/2018 01:48:07 +0200 Al Varnell wrote: > Sorry, I wasn't clear. I meant the malware sample, not your dummy. To retrieve a sample from VirusTotal, one must work for a _company_ subscribed to their premium services... Best Ale -- ___ c

Re: [clamav-users] Keymarble Yara rule?

2018-08-14 Thread Alessandro Vesely
On Mon 13/Aug/2018 00:27:55 +0200 Al Varnell wrote: > I don't quite understand why you think it might not detect it.  > > Text strings are not required to have an even number of digits. The hex > equivalent to that string would be: {62 63 39 [...] 34 30}. As > long as the string appears in a file

Re: [clamav-users] Keymarble Yara rule?

2018-08-14 Thread Alessandro Vesely
On Sun 12/Aug/2018 14:04:06 +0200 Arnaud Jacques wrote: > > > Le 12/08/2018 à 13:59, Alessandro Vesely a écrit : >> On Sat 11/Aug/2018 19:43:34 +0200 G.w. Haywood wrote: >> >>> Hi there, >>> >>> On Sat, 11 Aug 2018, Alessandro Vesely wrote: >&

Re: [clamav-users] Keymarble Yara rule?

2018-08-12 Thread Alessandro Vesely
On Sat 11/Aug/2018 19:43:34 +0200 G.w. Haywood wrote: > Hi there, > > On Sat, 11 Aug 2018, Alessandro Vesely wrote: > > Re: Keymarble Yara rule? >>   4d 5a 74 68 69 73 20 69  73 20 61 20 64 75 6d 6d  |MZthis is a >> dumm| >> 0010  79 20 6b 65 79

Re: [clamav-users] Keymarble Yara rule?

2018-08-12 Thread Alessandro Vesely
On Sat 11/Aug/2018 23:11:07 +0200 Al Varnell wrote: > Here's the VirusTotal page on this file > > and it does show that ClamAV detects it as Win.Trojan.Agent-6641267-0 > which was just a

Re: [clamav-users] Keymarble Yara rule?

2018-08-11 Thread Alessandro Vesely
o it would probably be looking > for a PE file which your dummy does not appear to be. Other scanners probably > do something similar. > > Sorry, but my Yara knowledge is too limited to offer more. > > Sent from my iPad > > -Al- > ClamXAV User > >> On Aug 10,

[clamav-users] Keymarble Yara rule?

2018-08-10 Thread Alessandro Vesely
Hi all, has anybody seen this Malware Analysis Report (AR18-221A) MAR-10135536-17 – North Korean Trojan: KEYMARBLE https://www.us-cert.gov/ncas/analysis-reports/AR18-221A ? I created a file "keymarble-dummy", whose hex dump looks like so: 4d 5a 74 68 69 73 20 69 73 20 61 20 64 75 6d 6d

[clamav-users] Anyone uses US-CERT's yara rules?

2018-03-16 Thread Alessandro Vesely
US-CERT alerts often contain a "consolidated rule set for malware associated with" the relevant activity. See e.g.: https://www.us-cert.gov/ncas/alerts/TA18-074A Yara rules are listed, so that they can be copied and pasted into a file to be saved in /var/lib/clamav in order for clamscan to use

[clamav-users] Messages with multiple infections, was CL_SCAN_ALLMATCHES (or --allmatch or -z)

2016-12-29 Thread Alessandro Vesely
How does one find out if there are multiple viruses in a single file? The problem is to prevent a possibly harmless virus from masking severe infections. Another problem, for users of older library versions, is how to know if the pointer returned is an array of strings or a single string. Is this the

[clamav-users] CL_SCAN_ALLMATCHES (or --allmatch or -z)

2016-12-23 Thread Alessandro Vesely
Hi all! There used to be a hack in libclamav, whereby the function cli_append_virus() added the virus name to an array when SCAN_ALL was true. It was a hack because a caller argument had different types according to that flag. The hack was temporary, and it seems to be gone in recent versions.

Re: [clamav-users] Email.Phishing.DblDom-60 -- issue

2016-03-31 Thread Alessandro Vesely
This was a false positive itself. I got: Virus-Found: Email.Phishing.DblDom-53 Sanesecurity.Phishing.Cur.744.UNOFFICIAL (I wonder how could this message pass. This reply is doomed to be blocked...) Ale On Wed 30/Mar/2016 20:18:52 +0200 Alain Zidouemba wrote: > $ sigtool -fEmail.Phishing.DblDo

Re: [clamav-users] clamav email error after submission of a virus sample

2016-03-08 Thread Alessandro Vesely
ho made that decision blog a few lines telling something > more than such statement, please? > > That blog would be for users who disable some javascript, and may be confused > by https://noscript.net/about/cloudflare.com;cloudflare.com and similar links > quoted below. > > Ale

Re: [clamav-users] clamav email error after submission of a virus sample

2016-03-05 Thread Alessandro Vesely
tps://noscript.net/about/cloudflare.com;cloudflare.com and similar links quoted below. Ale -- > On Mar 4, 2016, at 6:20 AM, Alessandro Vesely > mailto:ves...@tana.it>> wrote: > > On Thu 03/Mar/2016 03:34:15 +0100 Joel Esler (jesler) wrote: > > We are working on the sub

Re: [clamav-users] clamav email error after submission of a virus sample

2016-03-04 Thread Alessandro Vesely
On Thu 03/Mar/2016 03:34:15 +0100 Joel Esler (jesler) wrote: > > We are working on the submission process as we speak to make this simpler. Since you're at it, uploading a sample doesn't seem to work unless cloudflare.com is enabled. I'd rather keep it disabled, since someone on WoT reported it

[clamav-users] Sanesecurity .hdb databases integrity tested BAD

2015-04-24 Thread Alessandro Vesely
Hi, I've been getting these logs for a couple of days now: Clamscan reports Sanesecurity honeynet.hdb database integrity tested BAD - SKIPPING rsync: link_stat "/var/cache/clamav-unofficial-sigs/si-dbs/honeynet.hdb" failed: No such file or directory (2) rsync error: some files/attrs were no

Re: [clamav-users] Error using libclamav (cli_scanraw error)

2014-11-04 Thread Alessandro Vesely
On Tue 04/Nov/2014 18:30:28 +0100 Shawn Webb wrote: > On Tue, Nov 4, 2014 at 12:27 PM, Alessandro Vesely wrote: > >> Hi, >> I use libclamav to have a mail filter scan mail. It works fine at mine. >> However, I shared the code with someone and it doesn't work at

[clamav-users] Error using libclamav (cli_scanraw error)

2014-11-04 Thread Alessandro Vesely
Hi, I use libclamav to have a mail filter scan mail. It works fine at mine. However, I shared the code with someone and it doesn't work at his -- he reads in BCC. We both use 0.98.4. We managed to run the same test with debug enabled. On his system he got: LibClamAV debug: Module STATS Off

Re: [clamav-users] No False Positive Detected (Heuristics)

2014-10-29 Thread Alessandro Vesely
On Tue 28/Oct/2014 10:07:15 +0100 Al Varnell wrote: I don’t use it, but the blacklist information would appear to be coming with the optional information provided by Google SafeBrowsing. I don’t see why it’s being flagged at this time, but it has been blacklisted 13 times over the past 90 days,

[clamav-users] No False Positive Detected (Heuristics)

2014-10-28 Thread Alessandro Vesely
Hi, I submitted a sample email which was blocked with Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net However, the site rejected the submission saying it detects no false positive in it. I'm running Debian, that is 0.98.4, and databases are up to date... See below for the has

[clamav-users] Solving heuristics by DKIM

2014-10-20 Thread Alessandro Vesely
Hi, I happened to whitelist social sites, by creating a local.wdb which allows Banca Sella (a legitimate bank) to link to them in the footer of their newsletter: M:www.facebook.com:www.sella.it M:plus.google.com:www.sella.it M:www.youtube.com:www.sella.it Thinking twice, those newslette

Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-07 Thread Alessandro Vesely
On Mon 06/Oct/2014 15:37:34 +0200 Tim Smith wrote: >> are you really trying to compare response times from PAID >> solutions to the free/community maintained ones > > Of course not, the paid solutions will always be better. Careful betting on that... It's the famous-last-words sort of phra

Re: [clamav-users] ClamAV®: The new ClamAV.net is here!

2014-08-31 Thread Alessandro Vesely
On Tue 26/Aug/2014 20:56:27 +0200 Joel Esler (jesler) wrote: > > http://blog.clamav.net/2014/08/the-new-clamavnet-is-here.html Thanks for that web site refurbishing. But let me note a couple of points about the mailing list: *No DKIM signature*. In some cases there is an author DKIM signature,

Re: [clamav-users] Bank's newsletter tagged as Heuristics.Phishing.Email

2014-07-18 Thread Alessandro Vesely
Hi Steve, On Fri 18/Jul/2014 19:00:08 +0200 Steven Morgan wrote: > > Also, have a look at the document phishsigs_howto.pdf in the ClamAV docs/ > directory. It contains some info on identifying the reason for the phish > detection and on how to write whitelist signatures. Hm... why.py doesn't see

[clamav-users] Bank's newsletter tagged as Heuristics.Phishing.Email

2014-07-18 Thread Alessandro Vesely
Hi, I use libclamav for email filtering, and wonder how to handle these cases. Although spammy, that newsletter appears to be fully legitimate. It originated from sella.it, and contains several links to that bank's site, as well as links to facebook, twitter, google+, and youtube. The message ha