To give a quick update on this, a new version of safebrowsing.cvd was
published yesterday that removes all but a minimal number of signatures
needed for it to be loaded correctly by ClamAV. The block on
safebrowsing.cvd download attempts was also lifted, and a corresponding
zero-byte CDIFF publish
y into memory at the
same time, but the benefit is that if a new CVD does have issues loading
for some reasons then it won't replace the previous set of CVDs that clamd
has been able to load successfully.
-Andrew
Andrew Williams
Malware Research Team
Cisco Talos
On Fri, Mar 5, 2021 at 1:53 P
Michel,
Thanks for reporting this to us. This signature hit is indeed a false
positive, and the signature should be dropped shortly.
-Andrew
Andrew Williams
Malware Research Team
Cisco Talos
On Mon, Jul 6, 2020 at 1:19 PM Ralf Hildebrandt via clamav-users <
clamav-users@lists.clamav.
sigtool can be used to show the starting offset of signature matches, like
in the example below:
$ sigtool --test-sigs manual/sigs.ldb build/test.exe
VIRUS NAME: Test.Sig.LDB_1of2_PE_ICON_1
TDB: Engine:51-255,Target:1,IconGroup1:TEST_ICON_GROUP_1
LOGICAL EXPRESSION: 0
* SUBSIG ID 0
+-> OFFSET: A
Paul,
You should be able to use `--with-systemdsystemunitdir=no` to make it so
that `make install` won't try to register clamd as a systemd service.
-Andrew
On Sun, Apr 19, 2020 at 1:26 PM Paul Kosinski via clamav-users <
clamav-users@lists.clamav.net> wrote:
> I finally built 0.102.2 a few days
se).
Hope that helps! Let me know if you have any other questions.
-Andrew
Andrew Williams
Malware Research Team
Cisco Talos
On Mon, Oct 14, 2019 at 4:35 AM Irshad via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Hi Guys,
>
> I have multiple signed malwares. I want to c
It looks like that error message comes from
https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.102/clamdscan/proto.c#L112,
and is generated when a call to getaddrinfo (a C standard library function)
fails. The values passed to this call are directly based on what's in the
clamd config file, so
There is a configuration option to have ClamAV only load the official
signatures but this setting is disabled by default (it's the
OfficialDatabaseOnly setting for clamd, and '--official-db-only' for
clamscan). One exception to this is for bytecode signatures - only
official bytecode signatures are
about this - your observation is a good
reminder to us that a large all-zero file makes a good test case for
catching signatures that might have egregious performance impacts. :)
-Andrew
Andrew Williams
Malware Research Team
Cisco Talos
On Tue, Jul 9, 2019 at 11:07 PM Taizo ITO wrote:
> He
haven't yet taken any concrete actions on this front (to my knowledge).
-Andrew
Andrew Williams
Malware Research Team
Cisco Talos
On Tue, Jul 9, 2019 at 3:39 PM Paul Kosinski via clamav-users <
clamav-users@lists.clamav.net> wrote:
> I have uploaded 4 CVDs and 2 CLDs to:
>
>
Does your platform have GNU time or strace? Try running clamscan with
'/usr/bin/time -v' and/or 'strace -c' and compare the output with that of
your Ubuntu host.
I wonder if loading the signature DB is causing excessive page faults on
the system without as much memory (time -v will tell you how m
r any other cases of unreasonably slow
scan times, and we will do our best to investigate. Thank you!
-Andrew
Andrew Williams
Malware Research Team
Cisco Talos
On Wed, Apr 10, 2019 at 8:57 PM Micah Snyder (micasnyd) via clamav-users <
clamav-users@lists.clamav.net> wrote:
> JME,
>
>
Nibin,
For text files, ClamAV will do normalization (which, among other things,
will condense whitespace) and scan against that file as well, so maybe the
PHP script after normalization is < 1024 bytes? To confirm, try running
clamscan with '--debug --leave-temps' and then look for messages like
cuments and
spreadsheets won't pass our False Positive testing.
Thanks again, and let me know if you have any questions.
-Andrew
Andrew Williams
Malware Research Engineer
Cisco Talos
On Wed, Apr 10, 2019 at 1:44 PM Graeme Fowler via clamav-users <
clamav-users@lists.clamav.net> wrote:
>
Michael,
The reported detections are likely false positives (I too am seeing matches
on Chrome cache files). The signature will be dropped soon.
Thanks for bringing this to our attention.
-Andrew
Andrew Williams
Malware Research Team
Cisco Talos
On Tue, Mar 12, 2019 at 7:08 PM Michael Newman
sie-security
> ,
> >
> >there is "no logs" for amd64
> >o.O
> >Other log files seems to show Debian compiles with yara support.
> >For example :
> >
> https://buildd.debian.org/status/fetch.php?pkg=clamav&arch=i386&ver=0.100.2%2Bdfsg-0%2B
Hey Arnaud,
I recently noticed a bug that causes .pwdb files to not be loaded from the
db directory when ClamAV is compiled without Yara support. Is your ClamAV
built with Yara support, and if not, can you try compiling with Yara
support and see whether this fixes the issue for you? This issue w