Is the failing machine running out of memory running engine = cl_engine_new()
David Shrimpton
___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive
g
freshclam --datadir
I think any settings other than database location from freshclam.conf would
apply. So if you were just trying to
get an example main.cvd you might see side effects you don't want like
freshclam writing to a configu
are obfuscated
and likely will vary with each sample. A regex signature to get any variable
name would be better.
David Shrimpton
From: clamav-users on behalf of Arnaud
Jacques
Sent: Saturday, April 6, 2019 12:27 AM
To: clamav-users@lists.clamav.
gs
shows sensible output for the above signature, so I am not sure this is the
exact one causing the sigtool error.
The problem started from database version 25410 upgrade, so it appears one (or
more) sigs are malformed in 25410
ClamAV 0.100.2/25410/Fri
t
are now CL_TYPE_SWF so
some sigs for flash using CL_TYPE_ZIP may no longer work.
David Shrimpton
: NONE
+-> DECODED SUBSIGNATURE:
= "re" end if
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
exe /c start
David Shrimpton
From: clamav-users on behalf of Carlos
García Gómez
Sent: Saturday, January
a newline (to mark the end of headers)
(Use qf instead of hf for a non quarantine queue file,
but also bear in mind that queue processing by the mail daemon
may be writing to a qf but not a hf file.)
Rescan and clamav should recognize as email file and extract
and scan any attachments
> These signatures were generated out of attachments to know bad spam files.
> We'll have a look.
>
I generated the null byte files from sizes 1 to 1 and ran clamav against
them
and came up with 785 signatures that matched the null byte files and are
therefore
broken.
I'd speculate that
On Wed, 28 Sep 2016, Joel Esler (jesler) wrote:
> These signatures were generated out of attachments to know bad spam files.
> We'll have a look.
>
clamscan -z on pdf shows:
Win.Trojan.Agent-1696579
Win.Trojan.Agent-1696632
Win.Trojan.Agent-1696690
Win.Trojan.Agent-1696882
Win.Trojan.Agent-16
uses the hit on Win.Trojan.Agent-1696554.
Might be something wrong with many more sigs from Version: 9 ?
Might be worth doing all the null byte files from 1 to X in size
and running clamscan against them.
David Shrimpton
7 Deal.pdf
Is the original malware sample for which the signature was intended still
available
and does it have the above sha256sum ?
--
David Shrimpton
ening the same pdf.
--
David Shrimpton
.
--
David Shrimpton
iscard if a 'real' virus
or just add a warning if only Heuristics.OLE2.ContainsMacros
was returned. Or you could treat unofficial hits with more caution
eg add warning only and official hits more aggressively eg discard.
But -z is broken with OLE2, so you must decide to use OLE2BlockMacros
The same problem occurs with .docx which are zip but not with .doc
which are 'CDF V2 Document' which are the OLE2 file itself.
--
David Shrimpton
ot sigtool.
clamav appears to still extract the macros and signatures
written against the macro code still work.
--
David Shrimpton
Using #match as a condition in a yara rule to
count the occurrences of $match doesn't appear to
work where $match is a regex.
#match only appears to work if $match is a string literal
eg "abc123"
Is #match intended to work with a regex ?
--
a hit on Heuristics.OLE2.ContainsMacros.
--
David Shrimpton
encrypted zip or ole2 with macros, differently to files that matched
a real sig. eg do logging only instead of discarding.
--
David Shrimpton
ner or the contained file and also won't
know if the contained file itself was scanned or not.
David Shrimpton
es however have a --heuristic-scan-precedence equivalent
to HeuristicScanPrecedence from clamd.conf which controls behaviour
of OLE2BlockMacros if file is detected by both Heuristic and real signatures.
Is there a way to turn on the OLE2BlockMacros behaviour with clamscan ?
--
David Shrimpton
I
or not.
I note the same md5sum:size in winnow_malware.hdb
924d8e14ccb2604effc455e1a584cb80:93184:winnow.malware.135963
Seems like some sort of weird bug exercised by the signature set
in my local databases when scan-ole2=yes .
I'll keep trying to narrow it down.
--
David Shrimpto
from badmacro are detected
--
David Shrimpton
Information Technology Services | The University of Queensland
false positive.
If it can't be fixed then some clearer explanation of the OLE2 scanning would be
helpful as it's misleading at present.
--
David Shrimpton
Information Technology Services | The University of Queensland
Shield
> file formats may use this compression.
>
I am seeing a similar error message "CL_EFORMAT: Bad format or broken data
ERROR"
on some .xls .doc and .pdf files since upgrade to 0.87.5.
--
David Shrimpton
Systems Programmer
University of Queensland
ExtendedDetectionInfo no
in clamd.conf and restarting clamd seems
to have no influence over this.
Is there a way of turning off the hash and file size in
the virus name returned in response to a SCAN
command, (rather than writing a regex to parse
the result )?
--
David Shrimpton
Systems Programmer
.
(Note the virus naming has changed from
Encrypted.Zip to Heuristic.Encrypted.Zip
in versions >= 0.96rc1)
Has anyone else observed the same problem
since upgrading to 0.96 ?
--
David Shrimpton
Systems Programmer ITS
University of Queensland
Thanks for replies,
Submitted new bug report:
Bug #1660
--
David Shrimpton
Systems Programmer ITS
University of Queensland
another file is not
reported as Encrypted.Zip when ArchiveBlockEncrypted is on in clamd.conf,
so it would still be possible to send a virus within an encrypted zip
by simply appending a few bytes to the start of the archive.
--
David Shrimpton
Systems Programmer ITS
University of Queensland
On Wed, 29 Oct 2008, Noel Jones wrote:
> David Shrimpton wrote:
> >
> > This suggests creating a local.ign file eg
> >
> > daily.ndb:319:W97M.Static
> > clamscan appear to indicate it was loading the file.
>
> Sounds as if you did it correctly, I have no
On Wed, 29 Oct 2008, Noel Jones wrote:
> Submit false positives to the clamav team for analysis.
> http://www.clamav.net/sendvirus/
Thanks, Was done earlier.
>
> It appears this has already been fixed - I can't find a
> signature named W97M.Static in the current clam database.
W97M.Static was
rint pack("H*",$_),"\n"'
VirusProtection
echo 536176654e6f726d616c50726f6d7074 | perl -ne 'chomp ;print pack("H*",$_),"\n"'
SaveNormalPrompt
Surely this signature is incorrect.
Is there a way of disabling it ?
--
David Shrimpton
Sample Submitted.
thanks
David
>
> Please submit a sample at http://www.clamav.org/sendvirus/
>
base file by adding a name, type and offset
(use sigtool --list to make sure the name you choose doesn't clash
with an existing one. Also choose a name you think won't clash with
a future clamav signature name )
On Fri, 2 May 2008, David Shrimpton wrote:
> Thanks,
>
Thanks,
This quote from the bugzilla posts is quite amusing:
"As for the official clamav signatures, please stand assured that when the new
code will be in the stable release, all the broken signatures will be properly
fixed."
--
David Shrimpton
On Fri, 2 May 2008, Steve Bas
files scanned ?
If so, are these files only scanned against a subset of the
signatures and not the hexdump signatures ?
What has changed in 0.93 to cause WScr.Unsafe.D (and presumably other viruses)
to no longer be detected and is there a fix for this ?
rsion of the
virus text)
The implication of the above is that clamav 0.93 would now
no longer detect many once prevalent viruses for which it
only has hexdump signatures.
--
David Shrimpton
ed (arec == %u).\n",
ctx->arec);
if(BLOCKMAX) {
*ctx->virname = "Archive.ExceededRecursionLimit";
return CL_VIRUS;
}
return CL_CLEAN;
}
In 0.93 the if(BLOCKMAX) part is deleted.
I think that CL_EMAXREC
Worm.Bagle.Gen-zippwd-8 remains.
Can anyone please explain why these signatures have disappeared ?
This has also happened with other virus signatures in the past
and viruses previously detected are no longer detected.
--
David Shrimpton Systems Programmer
Software Infrastructure
quot;
and allowed directly.
--
David Shrimpton Systems Programmer
Software Infrastructure, Information Technology Services
University of Qld 4072
Brisbane Australia
fyClamd
in freshclam.conf.
Oct 11 07:51:29 pow1 freshclam[29134]: ERROR: Clamd was NOT notified: Both
socket types (TCP and local) declared in /usr/local/etc/clamd.conf
--
David Shrimpton Systems Programmer
Software Infrastructure, Information Technology Services
University o
r AU mirror clamav.island.net.au
responds with "daily.cvd was not found"
A workaround for this is to comment out
DatabaseMirror db.au.clamav.net
DatabaseMirror database.clamav.net
in freshclam.conf and add a DatabaseMirror line pointing
to a mirror host that has an up-to-date daily.cvd
--