Re: [clamav-users] LibClamAV Warning: Unsupported message format `http'

2017-12-22 Thread Steven Morgan
Tilman, Please attach here: https://bugzilla.clamav.net/show_bug.cgi?id=12002 Thanks, Steve On Fri, Dec 22, 2017 at 9:35 AM, Steven Morgan wrote: > Tilman, > > Thanks for the notification, we will check out the code. I'll open a bug > report where you can post your

Re: [clamav-users] LibClamAV Warning: Unsupported message format `http'

2017-12-22 Thread Steven Morgan
Tilman, Thanks for the notification, we will check out the code. I'll open a bug report where you can post your sample. Steve On Fri, Dec 22, 2017 at 9:03 AM, Tilman Schmidt wrote: > ClamAV running on Ubuntu Xenial, package version > 0.99.2+dfsg-0ubuntu0.16.04.2, emits the following warning me

Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99.3 beta2 has been released!

2017-12-19 Thread Steven Morgan
Thanks Benny, please try it now. Bug 12000 was closed as a duplicate of https://bugzilla.clamav.net/show_bug.cgi?id=11999. Steve On Tue, Dec 19, 2017 at 12:39 PM, Benny Pedersen wrote: > Steven Morgan skrev den 2017-12-19 17:33: > >> https://bugzilla.clamav.net/show_bug.cgi?id=

Re: [clamav-users] Recommended workstation usage?

2017-12-19 Thread Steven Morgan
Dan, I like OnAccess myself, protecting such things as email, download directory, web cache, or wherever else files come into your system. There have been several blogs and list discussions on using OnAccess effectively. Check out the [clamav-users] archives. Hope this helps, Steve On Tue, Dec 19

Re: [clamav-users] Counting scanned objects with clamdscan?

2017-12-19 Thread Steven Morgan
Dan, There is a ticket about this. I am not sure whether the needed info is always available to clamdscan. https://bugzilla.clamav.net/show_bug.cgi?id=11922 Steve On Tue, Dec 19, 2017 at 11:02 AM, Dan Rawson wrote: > How can I count the files/objects scanned? This works fine with clamscan > (

Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99.3 beta2 has been released!

2017-12-19 Thread Steven Morgan
https://bugzilla.clamav.net/show_bug.cgi?id=12000 is the ticket. Steve On Tue, Dec 19, 2017 at 10:59 AM, Joel Esler (jesler) wrote: > Can you please open a ticket in bugzilla.clamav.net? > > > -- > Joel Esler | Talos: Manager | jes...@cisco.com > >

Re: [clamav-users] Improving clamscan speed?

2017-12-18 Thread Steven Morgan
Dan, I have opened ticket https://bugzilla.clamav.net/show_bug.cgi?id=11990 to track ClamAV performance issues. Please post any additional ClamAV performance related info there. Steve ___ clamav-users mailing list clamav-users@lists.clamav.net http://l

Re: [clamav-users] How to abort a scan

2017-11-22 Thread Steven Morgan
Hi Chaitanya, You can send the SHUTDOWN command to terminate clamd. Other than that, once the scanning engine is passed a scan request, it needs to complete so that system resources are properly released. There are also some clamd configuration parameters to limit the amount of scanning (see MaxScansi

Re: [clamav-users] CVE fix status

2017-11-21 Thread Steven Morgan
Zetan, I've added you to the cc list. Please try it now. Steve On Tue, Nov 21, 2017 at 11:58 AM, Zetan Drableg wrote: > Thank you. After signing up with bugzilla I still get the message " You are > not authorized to access bug #11961. "

Re: [clamav-users] CVE fix status

2017-11-20 Thread Steven Morgan
I think some may be fixed already. I've opened ticket 11961 in the ClamAV bugzilla for followup and tracking. Steve On Mon, Nov 20, 2017 at 2:54 PM, Zetan Drableg wrote: > Hi, > Anyone know when these CVEs will be fixed? Does clamav provide a 0.99.2 > security fix branch or I need to consume 0

Re: [clamav-users] Virus Malvare not detected

2017-11-15 Thread Steven Morgan
Mark, Please open a bug report about this issue at bugzilla.clamav.net. Please include your file and we can look into the issues. Thanks, Steve On Wed, Nov 15, 2017 at 2:45 PM, Mark Foley wrote: > I'm going to continue piggybacking onto this thread as it deals with > Clamav's > non-discovery

Re: [clamav-users] LibClamAV Warning

2017-10-17 Thread Steven Morgan
Hi, Thanks for the report. Tracking the issue here: https://bugzilla.clamav.net/show_bug.cgi?id=11930 Steve On Tue, Oct 17, 2017 at 2:46 AM, Hajo Locke wrote: > Hello, > > today I see a warning when starting a manual clamscan: > > # clamscan -ir > LibClamAV Warning: Don't know how to creat

Re: [clamav-users] Injection Vulnerability in 0.99.2

2017-09-28 Thread Steven Morgan
Hi, The fact that using clamd over TCP has insecurities has come up before. If using clamd, it is recommended to use the local socket option rather than a TCP socket. # The daemon can work in local mode, network mode or both. # Due to security reasons we recommend the local mode. Until it is fix

Re: [clamav-users] ClamAV SegFault on Reload - 0.99.3-beta1

2017-09-26 Thread Steven Morgan
Michael, Since this is intermittent, adding a custom diagnostic patch may be the best way to proceed. If you can work with this, I'll write something and send it to you. It would be great to get to the bottom of this before releasing 0.99.3. Thanks, Steve On Mon, Sep 25, 2017 at 8:11 PM, Michael

Re: [clamav-users] ClamAV SegFault on Reload - 0.99.3-beta1

2017-09-25 Thread Steven Morgan
Michael, Sorry for not replying sooner. I reviewed the segfault, gdb output, and code on Friday. Are you able to reproduce the problem with 'clamdscan --reload'? Thanks, Steve On Sun, Sep 24, 2017 at 8:10 AM, Michael D. wrote: > Hi, > > I twice tried to reach out to the ClamAV Developers regar

Re: [clamav-users] ArchiveBlockEncrypted and PDF

2017-09-14 Thread Steven Morgan
OK, thanks. Steve On Thu, Sep 14, 2017 at 5:40 AM, Gandalf Corvotempesta < gandalf.corvotempe...@gmail.com> wrote: > Opened https://bugzilla.clamav.net/show_bug.cgi?id=11911 > > 2017-09-13 19:01 GMT+02:00 Steven Morgan : > > OK, open a ticket and we can look at it. > &g

Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-14 Thread Steven Morgan
ClamAV contains an iso9660 parser. The clamscan --debug option may give a clue as to why it is not being scanned. Steven Morgan On Wed, Sep 13, 2017 at 10:52 PM, Al Varnell wrote: > On Wed, Sep 13, 2017 at 06:13 PM, Paul Kosinski wrote: > > On Tue, 12 Sep 2017 21:49:17 -0800 kriste

Re: [clamav-users] ArchiveBlockEncrypted and PDF

2017-09-13 Thread Steven Morgan
OK, open a ticket and we can look at it. On Wed, Sep 13, 2017 at 12:57 PM, Gandalf Corvotempesta < gandalf.corvotempe...@gmail.com> wrote: > Ok, but why clam is treating encrypted pdf as encrypted archive ? > I've set ArchiveBlockEncrypted to yes, but, as wrote in the setting > name, I would like

Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-13 Thread Steven Morgan
Paul, in addition to max-filesize, try max-scansize. Steve On Tue, Sep 12, 2017 at 11:50 PM, Paul Kosinski wrote: > Clamscan read the entire ISO, but didn't scan any of it! > I thought 21st century software was finally in the 64-bit era. > >

Re: [clamav-users] ArchiveBlockEncrypted and PDF

2017-09-13 Thread Steven Morgan
Please open a ticket for this at bugzilla.clamav.net. Steve On Wed, Sep 13, 2017 at 10:09 AM, Reindl Harald wrote: > > > Am 13.09.2017 um 15:57 schrieb Gandalf Corvotempesta: > >> So, the only way to block encrypted ZIP is also to block any encrypted or >> password protected PDF? >> > > with on

Re: [clamav-users] ClamAV not picking up Eicar file...

2017-08-30 Thread Steven Morgan
Colin, Is it possible that icap has changed the file in some way? Is it possible to set up a test to verify what is sent to ClamAV? You could also try using the clamd.conf parameters LeaveTemporaryFiles and TemporaryDirectory. Then run your file through your squidclamav configuration and inspect

Re: [clamav-users] ClamAV not picking up Eicar file...

2017-08-30 Thread Steven Morgan
Colin, Please open a bug report @ bugzilla.clamav.net. In the report, please attach the exact eicar files that you are using. Steve On Wed, Aug 30, 2017 at 1:01 PM, Colin Rogers wrote: > Hello everyone, > > I am having some trouble getting my clamav setup to detect infected files > suddenly. I

Re: [clamav-users] freshclam

2017-08-16 Thread Steven Morgan
Hi! Did you install from the ClamAV source code or from packages? Steve On Wed, Aug 16, 2017 at 4:02 PM, Walter Neumann < wal...@buerostudio-neumann.at> wrote: > Hello, > > I installed version 0.99.2 on my webserver. But there is not installed > freshclam. Where can I find it or is there an oth

Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99.3 beta has been released!

2017-08-14 Thread Steven Morgan
Mark, Thanks for the report. I've opened https://bugzilla.clamav.net/show_bug.cgi?id=11896 for tracking. Please attach your "TooManyFilters" file there as well. Steve On Sat, Aug 12, 2017 at 4:29 PM, Mark Allan wrote: > Hi all > > This email is two-part: an FP report and a bug report - both on

Re: [clamav-users] Another bug with ClamAV 0.99.3 beta 1

2017-08-14 Thread Steven Morgan
Mark, We are in the process of reworking that strndup/strnlen test. The rework will use feature tests during ./configure to test for the presence of the system implementations of strndup and strnlen. The operating system test that is currently in place for when to use the local implementations of

Re: [clamav-users] "ERROR: Malformed database" for local.ign2 with Windows Newlines

2017-08-01 Thread Steven Morgan
Thanks, we will look into this issue. For tracking purposes, please see https://bugzilla.clamav.net/show_bug.cgi?id=11880 . Steve On Tue, Aug 1, 2017 at 2:20 PM, Andy Schmidt wrote: > I just confirmed that the Windows builds of ClamAV 0.99.2 will fail to > start > ClamD if a "local.ign2" file e

Re: [clamav-users] Error: upgrading Clamav

2017-07-28 Thread Steven Morgan
You need to set up /usr/local/etc/freshclam.conf. By default, ClamAV supplies a sample configuration file named freshclam.conf.sample. Rename or copy this file to freshclam.conf. You will need to comment out the line near the top of the file containing "Example". Hope this helps, Steve On Fri

Re: [clamav-users] Bytecode run timed out

2017-07-20 Thread Steven Morgan
--infected suppresses the printing of clean file names. On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley wrote: > On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan > wrote: > My parameters are: > > clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \ > --al

Re: [clamav-users] Bytecode run timed out

2017-07-20 Thread Steven Morgan
am running it on lots of files, 124,681 to be exact (IMAP mail files). > > What is the default for --bytecode-timeout? If I get it again I'll > increase it. > > Thanks, --Mark > > On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan > wrote: > > > > When ClamA

Re: [clamav-users] Bytecode run timed out

2017-07-20 Thread Steven Morgan
When ClamAV runs bytecode signatures, it uses a timer to limit the amount of processing. Are you seeing it on a lot of files? If that is the case, the bytecode signature may require attention. You can try increasing the timeout limit. --bytecode-timeout for clamscan and BytecodeTimeout for clamd.

Re: [clamav-users] scanning mp3-files with clamscan

2017-07-18 Thread Steven Morgan
use false positives? What about all the other compressed or > encrypted file types which might do the same? > > In other words, I don't understand why they all would be ignored. > > > On Mon, 17 Jul 2017 17:22:52 -0400 > Steven Morgan wrote: > > > Rosika, > > &

Re: [clamav-users] scanning mp3-files with clamscan

2017-07-17 Thread Steven Morgan
Rosika, The reason the MP3 file is not scanned is because the file type signatures for MP3 direct that they are ignored. Particularly: "0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED" and "0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED" These definitions are in the daily.ftm file of the ClamAV virus

Re: [clamav-users] Segmentation fault (core dumped) for clamscan & clamdscan for large zip files

2017-07-13 Thread Steven Morgan
Hi Ravi, Thanks for reporting this. Is it possible to upload the file to dropbox (or other) for testing? Steve On Thu, Jul 13, 2017 at 5:24 AM, Ravi wrote: > Hi, > > We observed that segfaults causing clamd crash when scanning a zip > file(around 190 MB) which gets extracted by clamd in /tmp w

Re: [clamav-users] temporary directories left in /var/lib/clamav

2017-06-20 Thread Steven Morgan
untu of clamav and > clamav-freshclam: 0.99.2+addedllvm-0ubuntu0.14.04.1. > > Thanks! > > David > > On Tue, Jun 20, 2017 at 11:03 AM, Steven Morgan > wrote: > > > David, > > > > So freshclam runs every day at ~00:03:00, and to confirm, the temp > > di

Re: [clamav-users] temporary directories left in /var/lib/clamav

2017-06-20 Thread Steven Morgan
David, So freshclam runs every day at ~00:03:00, and to confirm, the temp directories/files are left for each of these runs? Which version of ClamAV are you using? Steve On Tue, Jun 20, 2017 at 7:51 AM, David Pullman wrote: > Hi Steve, > > I've gathered some logs from one of the servers that

Re: [clamav-users] temporary directories left in /var/lib/clamav

2017-06-19 Thread Steven Morgan
Hi, Any temporary files left by "normal" ClamAV processing are considered to be a bug. Temporary files may be left if a ClamAV component terminates ungracefully. Do you have any other logs or know of any other events from June 3 that may provide additional info about these files left in the temp di

Re: [clamav-users] Lots of "fmap_readpage" errors with ClamAV 0.99.2 on centos 7

2017-06-14 Thread Steven Morgan
Hello, I looked at the debug trace and reviewed the clamd.conf. Can you try setting clamd's TemporaryDirectory to somewhere that is not under your onaccess mount path? Also, can you try running clamscan rather than clamd (to test if the behavior is the same)? Steve

Re: [clamav-users] Clamav daemon quitting unexpectedly

2017-06-14 Thread Steven Morgan
Hi, Try adding "Debug true" to clamd.conf. It may provide some insight into what is going on. Steve On Wed, Jun 14, 2017 at 2:08 AM, Fabrizio Mazzoni wrote: > Good Morning to all! > > I’m having an issue whereas clamd is quitting unexpectedly and I have no > clue what is causing this. There

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-15 Thread Steven Morgan
'kill -9 6776', verify the 6776 is gone, followed by starting clamd again should fix this. Steve On Mon, May 15, 2017 at 5:22 PM, Kishore Pawar wrote: > Thanks Steve. Here's the output of lsof. > > # clamd status > ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by another > pr

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Steven Morgan
For some additional info about running YARA rules in ClamAV, please see section 3.11 in the ClamAV signatures manual: https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf On Mon, May 15, 2017 at 4:04 PM, Mark Foley wrote: > On Mon May 15 15:06:07 2017 "Eric Tykwinski" >

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-15 Thread Steven Morgan
OK, try the 'lsof' command to identify what is using /var/run/clamav/clamd.socket. Steve On Mon, May 15, 2017 at 1:29 PM, Kishore Pawar wrote: > Thanks Steve. Yes, I tried removing them and kill the running clamd process > and start it again but still the clamd status doesn't show anything othe

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-15 Thread Steven Morgan
There is probably another clamd running. If not, try deleting /var/run/clamav/clamd.socket. Steve On Mon, May 15, 2017 at 12:58 PM, Kishore Pawar wrote: > Hi Steve > > Thank you very much for the reply and your suggestion. I rebuild it with > the options (--enable-llvm=no) provided by you and i

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-12 Thread Steven Morgan
OK, thanks. Is it possible to rebuild? If so, please try to include --enable-llvm=no on your ./configure. This will use the internal bytecode interpreter rather than the llvm jit. Steve On Fri, May 12, 2017 at 6:13 PM, Kishore Pawar wrote: > Hi Steve > > I tried to run the freshclam today too b

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-12 Thread Steven Morgan
There was a bytecode signature issue a few days ago which is now fixed (not sure it is related). Did you try freshclam today? If it is still a problem, try 'freshclam --debug' to determine which signature caused the problem. Steve On Fri, May 12, 2017 at 2:25 PM, Kishore Pawar wrote: > No updat

Re: [clamav-users] Question about ClamScan

2017-05-12 Thread Steven Morgan
Hello, Not strictly single threaded, there is a timer thread for bytecode for example. You can search over the source code to see pthread_* function calls. You will see that the ClamAV engine also contains pthread resource serialization calls. Hope this helps, Steve On Fri, May 12, 2017 at 1:2

Re: [clamav-users] TCP FIN Packet Received Before Data

2017-05-08 Thread Steven Morgan
On Mon, May 8, 2017 at 5:07 PM, Cory Parrish wrote: > Please find the pcap file attached. This particular run had 19 failures and > then the 20th time I received the expected response. I'll analyze it on my > end too but don't have much experience at this so a little help is > definitely appreciate

Re: [clamav-users] TCP FIN Packet Received Before Data

2017-05-08 Thread Steven Morgan
... and / or CommandReadTimeout. ___ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.cla

Re: [clamav-users] TCP FIN Packet Received Before Data

2017-05-08 Thread Steven Morgan
On Mon, May 8, 2017 at 4:43 PM, Cory Parrish wrote: > Thanks for the response Steven. I will get the information that you are > looking for. > > What I have done in the meantime, is setup a retry of the scan with a 50 ms > delay until I receive an expected response (i.e. non FIN packet). What I >

Re: [clamav-users] TCP FIN Packet Received Before Data

2017-05-08 Thread Steven Morgan
Cory, If you can capture the tcp network traffic for a successful and a failed session and send me the pcap files, I'd be glad to take a look at them. I have noticed that clamd only allows a short delay following tcp connection establishment before receiving a clamd command or else it sends a fin

Re: [clamav-users] Problems with 3rd party sigs

2017-03-31 Thread Steven Morgan
They can be ignored. For yara rules, ClamAV currently ignores any containing errors or unsupported features. Steve On Fri, Mar 31, 2017 at 2:30 PM, Mark Foley wrote: > On Fri, 31 Mar 2017 14:01:29 -0400 Steven Morgan > wrote: > > > > Thanks Steve. Is then there a way to di

Re: [clamav-users] MailFollowUrl alternative?

2017-03-31 Thread Steven Morgan
Mauro, It is not clear what MailFollowURL did. Have a look at docs/phishsigs_howto.pdf for a description of how to scan for URLs. This may have subsumed MailFollowURL. Steve On Fri, Mar 31, 2017 at 12:34 PM, Mauro Celli wrote: > Hi, > I need to scan link in email, in the past I use MailFollowU

Re: [clamav-users] Problems with 3rd party sigs

2017-03-31 Thread Steven Morgan
Mark, The pe import module of yara rules is not currently implemented in ClamAV. Other specifics of using yara rules in Clam may be found in docs/signatures.pdf. Also, looks like errors in EMAIL_Cryptowall.yar yara rule? Hope this helps, Steve On Fri, Mar 31, 2017 at 1:45 PM, Mark Foley wrote:

Re: [clamav-users] Daily 23161 broke Clam

2017-03-03 Thread Steven Morgan
Hi Aaron and Leonardo, What are the versions of libpcre on your systems? Thanks, Steve

Re: [clamav-users] Clamav and DLP

2017-02-21 Thread Steven Morgan
Hi Alex, There aren't any other external controls for DLP beside the configuration parameters. Customization of the source code (libclamav/dlp.c) is possible via C programming. There are currently no active DLP development plans. Hope this helps, Steve On Mon, Feb 20, 2017 at 7:54 PM, Alex wrot

Re: [clamav-users] freshclam exit codes

2017-02-16 Thread Steven Morgan
Hi, It looks like return code 1 means the virus database is up to date (#define FC_UPTODATE 1 from freshclamcodes.h). Please advise if this is incorrect or inconsistent. The man page needs to be updated. Thanks, Steve On Thu, Feb 16, 2017 at 4:27 AM, Andreas Schulze wrote: > Hello, > > conside

Re: [clamav-users] clamdscan mail file

2017-02-15 Thread Steven Morgan
Hi, Can you try 'clamscan --phishing-scan-urls' ? Thanks, Steve On Mon, Feb 13, 2017 at 7:05 AM, TBits.net, Mailinglists < mailingli...@tbits.net> wrote: > Hi @all, > > clamav-milter identify an email as infected by > Heuristics.Phishing.Email.SSL-Spoof. > > This is correct, but when I scan thi

Re: [clamav-users] error: 'os_generic' undeclared

2016-12-22 Thread Steven Morgan
Hi, The os_generic was missing from the operating system enumeration. Here is a patch to fix that: diff --git a/libclamav/bytecode_detect.h b/libclamav/bytecode_detect.h index 6f56908..b09c940 100644 --- a/libclamav/bytecode_detect.h +++ b/libclamav/bytecode_detect.h @@ -64,6 +64,7 @@ enum os_kin

Re: [clamav-users] clamd/clamdscan and IPv6

2016-12-14 Thread Steven Morgan
Thanks, there was a little coding error. Following the connect() failure on the local socket, the code was not checking if the TCPAddr option is enabled. Steve On Wed, Dec 14, 2016 at 3:12 AM, Christoph Pleger wrote: > Hello Steve, > > > Looking at the code, it appears that the error message oc

Re: [clamav-users] clamd/clamdscan and IPv6

2016-12-13 Thread Steven Morgan
Hello Christoph, Looking at the code, it appears that the error message occurs when the clamd/clamdscan parameter "LocalSocket" is disabled, or it is enabled and the socket connect() call fails, and also the TCPAddr parameter is specified. Can you inspect and/or send the output of the 'clamconf'

Re: [clamav-users] Hi I haver been using clamav for my linux system I use 12.04Ltd i have a query

2016-12-12 Thread Steven Morgan
On Sat, Dec 10, 2016 at 6:23 PM, Beth Macdougal wrote: > now i am not positive about this whether it is a virus or not but i ran the > > clamscan -r --bell -i / > > and when it finished it said > > LibClamAV Warning: fmap_readpage: pread fail: asked for 4085 bytes @ offset > [...] This warning m

Re: [clamav-users] Problems with safe browsing

2016-11-10 Thread Steven Morgan
Hi Tom, Is it an email file? Looks like the safebrowsing checks only occur during email file parsing. Hope this helps, Steve

Re: [clamav-users] Building issues with libclamav

2016-11-02 Thread Steven Morgan
Hi Michael, Thanks for your report. Building ClamAV with Visual Studio 2015 will not be supported until 0.99.3. That said, this work is considered complete with the latest ClamAV sources from github.com/vrtadmin/clamav-devel. Please try it using the master and/or 0.99.3 branch(es) from github.com/v

Re: [clamav-users] ClamAV libclamunrar bug ?

2016-11-01 Thread Steven Morgan
Hi, Thanks for reporting this. Could you please open a bug report at bugzilla.clamav.net. Please also attach the rar file to the bugzilla ticket. Thanks, Steve Morgan On Mon, Oct 31, 2016 at 9:04 PM, Qmail wrote: > There's a new Javascript malware floating around in a RAR archive that > someh

Re: [clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-21 Thread Steven Morgan
The problem report for this issue is https://bugzilla.clamav.net/show_bug.cgi?id=11651. Steve On Wed, Oct 19, 2016 at 5:29 PM, Joel Esler (jesler) wrote: > Yup, that’s one of mine. Glad to see my system is working ;) > > As far as why it didn’t work, I’ll have to defer this to Steve on the dev

Re: [clamav-users] Suggestion: Need option to "Block Skipped Files" and Scan Summary to indicate "Skipped files"

2016-09-16 Thread Steven Morgan
Mark, No, but you can get the latest code from github.com/vrtadmin/clamav-devel. There you will find clamscan --block-max. Clamd BlockMax and documentation is coming soon. Steve

Re: [clamav-users] Suggestion: Need option to "Block Skipped Files" and Scan Summary to indicate "Skipped files"

2016-09-15 Thread Steven Morgan
Hi, There will be an option --block-max (clamd - BlockMax) in ClamAV 0.99.3. Steve On Thu, Sep 15, 2016 at 1:44 AM, Andy Schmidt wrote: > Hi, > > > > I didn't know if I was supposed to use the "Bug Reporting" system, as this > really is reporting an issue with how the software operates "as des

Re: [clamav-users] Match on raw .wsf file?

2016-09-01 Thread Steven Morgan
Please try clamscan --scan-html=no to turn off normalization. Hope this helps, Steve On Tue, Aug 30, 2016 at 4:36 PM, Kris Deugau wrote: > Is there a way to force matching on the raw file, or at least control > the normalization to some degree so that formatting and details in the > original co

Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Steven Morgan
filename does not appear as a yara keyword: http://yara.readthedocs.io/en/latest/writingrules.html Is it a new keyword not yet in a released version of yara? Did you mean filesize? On Thu, Aug 11, 2016 at 5:21 AM, Axb wrote: > Guys, > > clamscan --database=test.yar blah.html > LibClamAV Error:

Re: [clamav-users] YARA: filesize condition

2016-06-30 Thread Steven Morgan
On Thu, Jun 30, 2016 at 2:27 PM, Paul Kosinski ize < 200KB > > Shouldn't exactly one 'and' be an 'or' in: > > "($abc and not $abc) and filesize < 200KB" > Yes, the first 'and' must be an 'or'. Thank you! Steve

Re: [clamav-users] YARA: filesize condition

2016-06-30 Thread Steven Morgan
On Thu, Jun 30, 2016 at 10:06 AM, Axb wrote: > > When trying to use filesize condition in a Yara sig > > rule FileSize_200KB > { > condition: >filesize < 200KB > } > > Hi, That is correct. ClamAV uses matching of yara strings to drive the yara condition. filesize will work in a yara

Re: [clamav-users] fake mp3, real malware.

2016-06-06 Thread Steven Morgan
Sorry, try it now. On Mon, Jun 6, 2016 at 3:30 PM, Benny Pedersen wrote: > On 2016-06-06 18:12, Steven Morgan wrote: > >> Tracking with https://bugzilla.clamav.net/show_bug.cgi?id=11582. >> > > You are not authori

Re: [clamav-users] fake mp3, real malware.

2016-06-06 Thread Steven Morgan
Tracking with https://bugzilla.clamav.net/show_bug.cgi?id=11582. On Sat, Jun 4, 2016 at 10:21 AM, Arnaud Jacques / SecuriteInfo.com < webmas...@securiteinfo.com> wrote: > Hello Clamav, > > A new malware is an ascii text beginning by "ID3 = ". > Clamav see it as an MP3 file : > > clamscan --debug S

Re: [clamav-users] Installing ClamAV in Amazon Linux with yum

2016-05-18 Thread Steven Morgan
Hi Mich, You should contact your package maintainers. You can also install ClamAV from source. ./configure will attempt to locate pcre in the usual places. You can also use ./configure --with-pcre=[pcre path] if that doesn't work. Hope this helps, Steve

Re: [clamav-users] sigtool reports an error

2016-04-14 Thread Steven Morgan
Hi Arnaud, I've opened https://bugzilla.clamav.net/show_bug.cgi?id=11553 for a fix. Thanks for your report, Steve On Thu, Apr 14, 2016 at 11:03 AM, Arnaud Jacques / SecuriteInfo.com < webmas...@securiteinfo.com> wrote: > Hello, > > Using sigtool -l always reports this error : > > ERROR: listdb:

Re: [clamav-users] Error in Make - How to get patch 59d05bf.patch

2016-04-13 Thread Steven Morgan
I think the patch he's talking about is here: https://bugzilla.clamav.net/attachment.cgi?id=5481&action=diff Although it is for an old version of ClamAV (0.98). Is that the version you are using? Steve

Re: [clamav-users] Error in Make -

2016-04-13 Thread Steven Morgan
Yes, gmake is recommended (although bsd make generally works except for 'make check'). At mbox.c:2816, I have: break; Mine is in the function rfc2047(), not rfc1341(). What is your version of ClamAV? Is it possible that your mbox.c is corrupted? Steve

Re: [clamav-users] Strange problem with custom Yara rule

2016-04-13 Thread Steven Morgan
Hi, Thanks for the example. I've opened bug https://bugzilla.clamav.net/show_bug.cgi?id=11552 to track. Thanks again, Steve

Re: [clamav-users] Strange problem with custom Yara rule

2016-04-13 Thread Steven Morgan
Hi, The first question is: Do you have pcre installed and was it found by ClamAV ./configure? You should see something like: pcre: /usr near the end of the ./configure output. Steve

Re: [clamav-users] Error in Make -

2016-04-13 Thread Steven Morgan
Hi, gcc is needed to compile ClamAV on AIX. Web search "gcc aix" to get info on installing gcc. Steve

Re: [clamav-users] LibClamAV Warning: cli_tnef: file truncated, returning CLEAN

2016-04-07 Thread Steven Morgan
Hi, Looking in the code, the file was truncated, as the warning message states. The message is issued by the TNEF file parser. Returning CLEAN from the parser tells the caller (the TNEF scanner) to scan all of the previously extracted parts of the TNEF message for viruses. Hope this helps, Steve

Re: [clamav-users] Curious clamd behavior

2016-03-24 Thread Steven Morgan
Hi Dave, I opened https://bugzilla.clamav.net/show_bug.cgi?id=11544 to track this issue. Can you attach your mail file(s) and pdb signature(s) to the bugzilla ticket please? I'd also like to know the details of MTA you are using and whether it uses milter or the clamd protocol directly. Thanks, Stev

Re: [clamav-users] C++ Compiler for IBM AIX-6100

2016-03-23 Thread Steven Morgan
I've used gcc 4.6.3 and 4.8.4 (and others) with success, although not on AIX.

Re: [clamav-users] freshclam error

2016-03-19 Thread Steven Morgan
This is a wild guess, but try to configure ClamAV with --enable-llvm=no. Otherwise, open a bug at bugzilla.clamav.net. Steve

Re: [clamav-users] freshclam error

2016-03-19 Thread Steven Morgan
I'm thinking this is the same problem as https://bugzilla.clamav.net/show_bug.cgi?id=11309 . You'll find a few other ./configure options there. Steve

Re: [clamav-users] Why does this happen?

2016-03-19 Thread Steven Morgan
er(/tmp): clamdscan --config-file=/apps/clamav/etc/clamd.conf > testfile.pdf > /temp/testfile.pdf: Heuristics.Encrypted.PDF FOUND > > Why? How do I stop this? > > > > On 2016-03-15 2:13 PM, Steven Morgan wrote: > >> Hi, >> >> I took a quick look at th

Re: [clamav-users] Why does this happen?

2016-03-15 Thread Steven Morgan
Hi, I took a quick look at the code. The "Heuristics.Encrypted.PDF" is off by default. Try clamscan --block-encrypted. If you have 'ArchiveBlockEncrypted yes' in your clamd.conf, it would explain the results you are seeing with clamdscan. Is testfile.pdf encrypted? Check these things out and if

Re: [clamav-users] Couple problems

2016-03-15 Thread Steven Morgan
Hi, I took a quick look at the code. The "Heuristics.Encrypted.PDF" is off by default. Try clamscan --block-encrypted. If you have 'ArchiveBlockEncrypted yes' in your clamd.conf, it would explain the results you are seeing with milter. Is testfile.pdf encrypted? Check these things out and if it

Re: [clamav-users] What does TargetType 10 for a signature mean ?

2016-02-29 Thread Steven Morgan
Hi, Could you please open a bug report at bugzilla.clamav.net? Please attach the sample(s) and signature(s) that you are using. I'd like to make sure this is tracked for investigation and possible code and documentation improvements. Sounds like there are some things to sort out here... Thanks,

Re: [clamav-users] heuristic-scan-precedence is broken

2016-02-29 Thread Steven Morgan
David, Thanks for your report. Tracking here: https://bugzilla.clamav.net/show_bug.cgi?id=11512 Steve On Sun, Feb 28, 2016 at 6:10 AM, David Shrimpton wrote: > Hi, > > --heuristic-scan-precedence=no is broken in clamav-0.99 > > eg create a test encrypted zip /tmp/abcdef.zip > > clamscan -z

Re: [clamav-users] windows cache

2016-02-26 Thread Steven Morgan
Hi, Caching is supported in Windows and enabled by default. Clamd local socket is not supported in Windows. On Fri, Feb 26, 2016 at 6:55 AM, fdff affg wrote: > Hi! > Does the cache engine(caching scanned files to increase performance > and no scanning again) work on windows version(official w

Re: [clamav-users] Filename Regex

2016-02-18 Thread Steven Morgan
ample to get you going. I don't see any .cdb in the official ClamAV virus database. Steve On Thu, Feb 18, 2016 at 6:13 PM, Steven Morgan wrote: > Please see https://garyhouston.github.io/regex/. > > Looks like ClamAV uses what is called the "old library." I don't

Re: [clamav-users] Filename Regex

2016-02-18 Thread Steven Morgan
Feb 18, 2016, at 8:14 PM, Steven Morgan > wrote: > > > > cdb signatures use a regex library known as "Henry Spencer's regular > > expressions." Googling documentation for that should give what you want. > > Thank you for the information. I searched out for

Re: [clamav-users] Filename Regex

2016-02-18 Thread Steven Morgan
cdb signatures use a regex library known as "Henry Spencer's regular expressions." Googling documentation for that should give what you want. Steve On Thu, Feb 18, 2016 at 6:39 AM, Mehmet Avcioglu wrote: > > What is the format for Filename Regex pattern used in cdb signature files? > > I have n

Re: [clamav-users] ClamAV automation question

2016-02-10 Thread Steven Morgan
Edwin, Sounds like on-access scanning with clamd may be useful in your case. You will need ClamAV 0.99. Here is some additional info: http://blog.clamav.net/2015/09/clamav-099b2-on-access-scanning-now.html Steve On Wed, Feb 10, 2016 at 3:58 AM, Edwin Nguku wrote: > Hi, what commands can I

Re: [clamav-users] ScanOLE2 yes disables macro virus detection

2016-02-08 Thread Steven Morgan
our bugzilla, effective mechanisms toward that end are in place. Try it now. We do want your bug reports! Thanks, Steve On Mon, Feb 8, 2016 at 4:42 PM, Benny Pedersen wrote: > On 2016-02-08 22:26, Steven Morgan wrote: > > I've opened https://bugzilla.clamav.net/show_bug.c

Re: [clamav-users] ScanOLE2 yes disables macro virus detection

2016-02-08 Thread Steven Morgan
David, I've opened https://bugzilla.clamav.net/show_bug.cgi?id=11498 to investigate and track the issue. Plz sign up for an account at https://bugzilla.clamav.net and send me the user id and I will CC you on the bug. Once that is done, I will need for you to attach your signatures and sample files

Re: [clamav-users] combine ALLMATCHSCAN and INSTREAM

2016-02-03 Thread Steven Morgan
rough the clamd-socket? > Currently we're facing the tradeoff between giving the clamd-process > more permissions or running multiple instances of the scanning-engine > (clamd + clamscan) and parsing the output of clamscan with "tainted" > filenames. > > Thanks >

Re: [clamav-users] combine ALLMATCHSCAN and INSTREAM

2016-02-01 Thread Steven Morgan
Bernhard, Clamd does not currently support ALLMATCH mode with the INSTREAM protocol. The only other suggestion I can offer is to preserve those files found to contain viruses and research them separately using ALLMATCH. Steve On Mon, Feb 1, 2016 at 5:27 AM, Bernhard Vogel wrote: > Hi, > > is t

Re: [clamav-users] Freshclam Non-repudiation

2016-01-29 Thread Steven Morgan
Brad, The official ClamAV virus database is digitally signed before posting to the ClamAV mirrors. The CVD signature is checked before database load time. Virus names of signatures from non-signed databases are appended with ".UNOFFICIAL". Hope this helps, Steve On Thu, Jan 28, 2016 at 5:29 PM,

Re: [clamav-users] clamav-milter crash

2016-01-26 Thread Steven Morgan
If this is still a problem with the most current software on github, please create a bug report at http://bugzilla.clamav.net. Please attach samples that result in the crash. Steve On Tue, Jan 26, 2016 at 9:26 AM, Benny Pedersen wrote: > i have seen it do this so many times now that i like to
