What are the permissions on the clamd socket file? You might also try
setting up clamd to listen on an IP/port and connect to it that way if the
unix socket doesn't work.
--Maarten
On 12/3/13, 10:23 AM, "mcmurchy1917-cla...@yahoo.co.uk"
wrote:
>Hello Henri
>
>Results below -
>
>ls -la nw1700.
s build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
--
Maarten Broekman
Endurance International Group
vDeck Senior Linux Systems Administrator / PCI ISA
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
If you don't want to wait, you can also whitelist the files in your own
database files.
Run either of the following:
sigtool --sha256
sigtool --md5
Put the output into a '.fp' file in your db directory and that should
whitelist that specific file so it's not reported.
--Maarten
On Mon, F
You would probably want to set up a private mirror on your laptop and then
use that to sync your desktop. That way you can update your laptop
whenever you want and when you're connected to you home network, you can
update your desktop.
https://www.clamav.net/documents/private-local-mirrors
--Maa
I am seeing these mostly on files that comprise the OpenLayers library in
phpMyAdmin 4.
On Tue, Nov 22, 2016 at 2:11 PM, Joel Esler (jesler)
wrote:
> Mark,
>
> Thanks for the feedback, you are right, I am experiencing some high counts
> in the Txt.Malware.Agent family.
>
> I’ve disabled this eng
Is anyone able to speak to whether allowing 'allmatch' to work with streams
is on the map? 'allmatch' was one of the features that I was really
looking forward to, but the fact that it doesn't work when you are scanning
streams is a major letdown.
--Maarten
___
Your understanding of scanning techniques is flawed at best (I believe this
has been pointed out multiple times). Both techniques have issues with
false positive and false negative matches. The only significant difference
is how they perform against unknown threats. In that regard, heuristic
scanni
Crazy,
the 'users' mailing list is what you are sending this questions to. You
keep addressing this list as 'developers'. There is a separate mailing list
where developers who write the internals of ClamAV talk. That is the
appropriate forum for ALL of your questions. You really haven't had a
s
The functionality to do it on OS X is OS X related, not ClamAV related.
Your best option would be to ask around on Mac OS X developer forums.
On Mon, Jul 10, 2017 at 6:07 AM, crazy thinker
wrote:
> I want to do it on teriminal. Could you explain core logic that would
> be used in this featur
If the tarball doesn't match the MD5 hash then it's likely that a file
within the tarball matches the malicious MD5. ClamAV looks at all the files
within tarballs and zip files individually as well as the tarball as a
whole.
--Maarten
On Wed, Jul 12, 2017 at 8:44 AM, Srinivasreddy R <
srinivasred
Sorry for the double reply...
You can also use sigtool --find-sigs to find the signature that it's
reporting and isolate it.
On Wed, Jul 12, 2017 at 8:59 AM, Maarten Broekman <
maarten.broek...@gmail.com> wrote:
> If the tarball doesn't match the MD5 hash then it's lik
For me, 3 of the 5 db.local.clamav.net addresses have 100% packet loss:
$ host db.local.clamav.net
db.local.clamav.net is an alias for db.us.rr.clamav.net.
db.us.rr.clamav.net has address 200.236.31.1
db.us.rr.clamav.net has address 208.72.56.53
db.us.rr.clamav.net has address 69.12.162.28
db.us.r
204.130.133.50 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
*--- 207.57.106.31 ping statistics ---*
*1 packets transmitted, 0 received, 100% packet loss, time 0ms*
On Wed, Aug 23, 2017 at 1:26 PM, Maarten Broekman <
maarten.broek...@gmail.com> wrote:
>
I'm having some issues creating a hex signature to match some PHP code
I've run across. I've pulled the snippet of the PHP code that I want to
match on and created the signature using sigtool --hex-dump, but when I
try testing against it, there are no matches. However, if I convert the
entire PHP
> -Original Message-
> Could be a whitespace character issue. Try to see if ClamAV normalizes
> your php script:
>
> clamscan --debug --leave-temps --tempdir=yourtempdir yourphpscript.php
>
> Go to yourtempdir and see if there is a file(s) there. Look for any
> differences between it and
Is there any way to get a list of all the signatures that match a file
with multiple infections? For example, I have a file that's been
infected with both PHP and JavaScript code (or even multiple, different,
PHP code blocks), how would I be able to get all the signatures that
match? My primary i
F89a???!?,???D?;?
Any help with this would be much appreciated...
--Maarten Broekman
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
All,
I've been struggling with this particular issue for some
time and I took a look at the recent git commits, but I'm not sure if
this issue is covered by the fix for BB#5409 (I don't have access to
look at BB#5409 so I'm not sure of the details on it).
I have
> -Original Message-
> From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-
> boun...@lists.clamav.net] On Behalf Of David Raynor
>
> On Mon, Aug 13, 2012 at 4:28 PM, Maarten Broekman
> wrote:
>
> > All,
> > I have a PHP.
> -Original Message-
> From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-
> boun...@lists.clamav.net] On Behalf Of Henri Salo
> Subject: [clamav-users] Problems detecting PHP bots
>
> Hello,
>
> Is there a way to configure ClamAV to scan also files with starting
> GIF87a/GI
Does anyone know of a tool that would take strings in a hex signature
and turn them into appropriate wildcards? For instance, I want to strip
out all the "http://"; and "https://"; and replace them with {7-8} to
reduce the size of the signature and get more 'useful' strings in the
signature? Ther
> -Original Message-
> Despite the statement of your objective it isn't clear to me what you
> think you're going to achieve. My expectation would be a very large
> increase in the false positive rates if you attempt to use signatures
> modified in the way you describe. Can you be more sp
> -Original Message-
> > > The rate of false positives is wholly dependent on the strings
that
> > > you are replacing with wildcards.
> > >
> > > As an example, when generating signatures to identify phishing
> > > content (say, content targeting bank customers), I wanted to be
> able
> >
> -Original Message-
> > Some of the phishing content that I'm finding is resulting in hex
> > dumps in the 10k+ character range and I think it's more dangerous to
> > replace sections with '*' than to replace certain substrings with
> > specific length wildcards.
>
> Please would someone
0.97.6 is available from the SourceForge download page.
> -Original Message-
> From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-
> boun...@lists.clamav.net] On Behalf Of Frank Chan
> Sent: Monday, September 17, 2012 2:41 PM
> To: clamav-users@lists.clamav.net >> ClamAV use
One thing I'm seeing more and more of is malware code (be it PHP or ASP)
embedded after GIF headers. ClamAV sees the GIF header and treats it
like an image (properly), but then ClamAV sees an HTML signature later
in the file. However, it doesn't do any normalization on that HTML
data. Would it b
t; Maarten, can you help us track this by adding a bug at
> https://bugzilla.clamav.net/?
>
> Thanks,
>
> Matt
Done. Bug 5978.
Thanks,
Maarten
>
> On Tue, Oct 23, 2012 at 2:18 PM, Maarten Broekman
> wrote:
> > One thing I'm seeing more and more of is mal
> -Original Message-
> LibClamAV Warning: Bytecode run timed out in interpreter after 765000
> opcodes LibClamAV Warning: Bytcode 16 failed to run: Unknown error
code
> LibClamAV Warning: Bytecode runtime error at line 95, col 13 LibClamAV
> Error: Opcode 45 of type 0 is not implemented yet
do you have a sample that triggers
> this behavior?
>
> Matt
>
> On Fri, Nov 16, 2012 at 11:04 AM, Maarten Broekman
> wrote:
> >> -Original Message-
> >> LibClamAV Warning: Bytecode run timed out in interpreter after
> 765000
> >> opcodes
bugzilla account, you can zip it
> up, password protect it and then send it to me.
>
> Matt
>
> On Fri, Nov 16, 2012 at 11:30 AM, Maarten Broekman
> wrote:
> > Yep. I have a .js file that triggers the Bytecode 37 error. I've
> > filed a bug against th
gt; Try now?
>
> On Fri, Nov 16, 2012 at 11:41 AM, Maarten Broekman
> wrote:
> > I have a bugzilla account but I don't have the right permissions to
> > see that bug.
> > You are not authorized to access bug #6139.
> >
> > --Maar
VIRUS NAME: Html.Trojan.Iframe-6390207-0
TDB: Engine:51-255,FileSize:16384-65536,Target:3
LOGICAL EXPRESSION: 0
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
>http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
h
There are far more than 31 signatures that have the potential to impact
Linux systems. There are, in truth, over 23,000 signatures that are able to
detect malware on Linux and Unix systems. Most "Linux" signatures only
contain the word Unix, however. Additionally, keep in mind that these are
only f
Some considerations:
- the longest “delay” will occur when reloading signature databases. If
reducing the delay is important, run multiple instances with smaller signatures
in each. ESPECIALLY, if you’re going to writing your own story signatures or
using databases that change often.
- scanning
fter the swap, the memory for the old signatures
> would be released by the loader thread. This would take more memory
> during signature update, but it might be a worthwhile option.
>
>
> On Sat, 17 Mar 2018 17:17:17 -0400
> Maarten Broekman wrote:
>
>> Some considerati
You might be able to open the socket that clamd is listening on and attempt
to ping it. I forget if it replies with PONG while it's in the middle of
reloading. It's been a while since I tried to do that.
On Thu, Mar 22, 2018 at 6:40 AM, Ralf Hildebrandt <
ralf.hildebra...@charite.de> wrote:
> O
Hi Peter,
Given the name of that virus, I would guess that your hosting provider is
using some extra virus definitions that aren’t part of the standard ClamAV
distribution. It doesn’t have to do with the engine in this case.
You should get in touch with them about that.
Maarten Broekman
Régis,
This is a feature of DNS where a name can resolve to multiple IPs for load
balancing and resiliency. Depending on what serves ‘database.clamav.net’ it may
just be a round-robin response or it may resolve to an IP based on which one is
responding faster to requests or simply which one ha
only found the standard signature set.
>
> Also - in case I do get a hold of extra signatures - would I have to merge
> them into the existing definition set or simply run these in a separate
> scan ?
>
> Thanks.
>
> Peter
>
>
> On Thu, Mar 29, 2018 at 4:04 AM, Maa
29, 2018 at 8:10 AM, Régis Houssin
wrote:
> yes but for this IP this not a clamav website !
>
> dev.lepartidegauche.fr (178.33.105.132)
>
>
> thank you
>
>
> Le 29/03/2018 à 13:11, Maarten Broekman a écrit :
> > Régis,
> > This is a feature of DNS wh
ClamAV can scan any type of file. That said, it can unpack certain kinds of
archives and scan the files inside. Also, ClamAV signatures can be written for
specific kinds of files (PE files, text, etc) and they will only be used for
those types.
I haven’t tried increasing the size beyond that so
Answered
TL;Dr
Use sigtool to find and decode the signature.
Sent from a tiny keyboard
> On Jun 28, 2018, at 06:57, Nikita Yerenkov-Scott
> wrote:
>
> Hello,
>
> A question on this matter exists on this Linux site:
> https://askubuntu.com/questions/571342/clamav-virus-detections-documentat
hat signature is defined, ie. what content
> it considers malicious.
>
> In order to decide on an appropriate course of action I'd like to know
> what the perceived threat is, ie. *why* someone thought that a file
> matching that particular signature would be malicious.
> Th
JAR files can be unpacked like tarballs so it is likely that there is a common
file in each that matches those hashes.
Maarten
Sent from a tiny keyboard
> On Aug 7, 2018, at 04:54, Albrecht, Peter wrote:
>
> Hi,
>
>> I don't see how that is even remotely possibly. They are three completely
>
Check the logs and config files.
Clamscan loads the databases itself before running. It does not need clamd to
be running in order to work.
Clamdscan attempts to use a socket to talk with clamd for the scanning of
files. If there is an error, one of two things is happening:
Either the permission
For clamdscan to work you need to enable LocalSocket at the very least.
On Mon, Aug 20, 2018 at 5:32 PM Michael Newman wrote:
>
> On Aug 20, 2018, at 23:00, Al Varnell wrote:
>
>
> Please post the results of the following Terminal Command:
>
> sudo clamconf
>
>
> MrMuscle:~ mnewman$ sudo clamc
Yep. That's fine. /tmp or /var/tmp (or /run) is usually where it goes
anyway. Welcome to the ClamAV club :)
On Mon, Aug 20, 2018 at 7:45 PM Michael Newman wrote:
>
> On Aug 20, 2018, at 23:00, *Maarten Broekman* wrote:
>
>
> For clamdscan to work you need to enable Loc
> On Aug 28, 2018, at 06:17, Jon Roberts wrote:
>
> From the troubled server:
>
> wget http://database.clamav.net/main-55.cdiff
> --2018-08-28 11:14:43-- http://database.clamav.net/main-55.cdiff
> Resolving database.clamav.net... 104.16.189.138, 104.16.187.138,
> 104.16.188.138, ...
> Connect
nt error/response as I'm, having to use the normal update method
> to ensure it uses the correct IP)
>
>
>
> ------
> *From:* clamav-users on behalf of
> Maarten Broekman
> *Sent:* 28 August 2018 11:24
> *To:* ClamAV users ML
> *Subject:*
Forbidden
> 2018-08-28 13:37:49 ERROR 403: Forbidden.
>
>
> ------
> *From:* clamav-users on behalf of
> Maarten Broekman
> *Sent:* 28 August 2018 13:16
> *To:* ClamAV users ML
> *Subject:* Re: [clamav-users] ERROR 403: Forbidden
>
> Gotcha. Yeah, the error is
Or, I don't know, recipients that are enforcing DMARC could simply follow
the steps from the previous section. The mailing list doesn't own the
messages sent to it (we don't see "From: clamav-users").
Recipients should whitelist the mailing list per:
https://dmarc.org/wiki/FAQ#Is_there_special_han
Chances are you are using a version of ClamAV older than 0.100 and/or using
wget/curl to get the updates rather than using the approved methods
(freshclam / cvdupdate).
https://www.clamav.net/documents/end-of-life-policy-eol
https://www.clamav.net/documents/freshclam-faq
Additionally, there are m
While verbose (-v) is helpful in some cases, you probably want to use the debug
option to get the large volume of LibClamAV messages. I find debug is far more
useful than verbose most times.
Maarten
Sent from a tiny keyboard
> On Apr 5, 2021, at 04:17, Vivek Patil via clamav-users
> wrote:
>
In all likelihood, it means that a GET or POST payload contained the
signature. Whether or not the request containing the signature was
successful in injecting it into your site is a question that only you will
be able to answer.
You can use sigtool to find the signature and again to decode the si
Use homebrew unless you absolutely need the release candidate version.
I installed ClamAV 0.103.3 via homebrew on my M1 Mac and it runs pretty
well.
On Wed, Sep 1, 2021 at 3:33 PM Vaughn A. Hart wrote:
> Hi Folks,
>
> So I figured out the issue. It looks like during the install/upgrade that
> n
It depends on the OS, but if you have something like AppArmor or
GrSecurity, you may need to grant the appropriate permissions there to
allow access even for root.
--Maarten
On Thu, Sep 9, 2021 at 2:34 PM Micah Snyder (micasnyd) via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Hi!
>
>
To further Ged's point, these signatures that are hitting are extended
logical signatures. Phishing signatures have a very specific format that
are either solely looking at hostnames, host prefixes, link destinations
and alternate text, and displayed hostnames (
https://docs.clamav.net/manual/Signa
Hi Jeff,
You would want to add those .snapshot paths to "ExcludePath" directives
in your clamd.conf file for clamd / clamdscan or use the "--exclude-dir"
option for clamscan.
You'll probably want to write a wrapper script for clamscan to build up
the list of .snapshot directories to ignore at t
All versions of ClamAV prior to 0.103 are essentially EOL at this point.
The only options for Solaris 10 are likely to build from source, along with
all the prerequisites.
--Maarten
On Sat, Nov 6, 2021 at 7:54 AM Sunhux G via clamav-users <
clamav-users@lists.clamav.net> wrote:
>
> We're still o
Cody, it looks like you’re running ClamAV 0.101.2. That version is too old. If
you upgrade to 0.103.4, you should be able to start downloading the db files
again.
What kind of system are you on? Is ClamAV prepackaged for you or did you build
from source?
-Maarten
Sent from a tiny keyboard
>
"If you provided a description that suggests otherwise..." is a past tense
conditional referring to the form submission. That phrase is the equivalent
to this longer "If you put information in the description that suggests the
sample is not clean..."
On Thu, Nov 18, 2021 at 2:27 PM G.W. Haywood v
On Wed, Nov 24, 2021 at 10:14 AM Ralf Hildebrandt via clamav-users <
clamav-users@lists.clamav.net> wrote:
> * Arnaud Jacques via clamav-users :
> > Is it just me, or?
>
> Same here:
>
> # clamdscan -V
> ClamAV 0.103.4/26363/Wed Nov 24 10:19:30 2021
>
> # sigtool -l|tail
> Doc.Malware.Valyria-6923
On Wed, Nov 24, 2021 at 10:42 AM Maarten Broekman <
maarten.broek...@gmail.com> wrote:
>
>
> On Wed, Nov 24, 2021 at 10:14 AM Ralf Hildebrandt via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
>> * Arnaud Jacques via clamav-users :
>&g
I've opened https://github.com/Cisco-Talos/clamav/issues/389 for this
issue. The issue *shouldn't* be causing problems with scanning (it wasn't
causing a problem for me), but if it is please add a comment to the issue
to that effect.
--Maarten
On Wed, Nov 24, 2021 at 11:19 AM M
Running freshclam after the package is installed should pull any/all of the
files that are missing. That is probably the best way to do it.
--Maarten
On Mon, Jan 17, 2022 at 8:32 AM Nick Howitt via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Hi,
> I am trying to package ClamAV 0.103.5
On Mon, Jan 17, 2022 at 9:53 AM Andrew C Aitchison via clamav-users <
clamav-users@lists.clamav.net> wrote:
> On Mon, 17 Jan 2022, Nick Howitt via clamav-users wrote:
>
> > - not
> > have to install some uncommon download package and then download them.
> That
> > is making people jump through unn
Looks like the signature was dropped already because sigtool doesn't find
it anymore after I updated the databases through freshclam.
--Maarten
On Mon, Jan 31, 2022 at 7:58 AM Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Well yes, the fact that it was the only scanner wo
There's not a lot that you can do in Yara rules that you can't do in LDB
sigs... for what it's worth, here's a logical sig that detects the same
thing as the Yara rules...
mbroekman@lothlorien:~$ grep MJB.JS.SendEmail clamdb/javascript_sigs.ldb|
sigtool --decode-sigs
VIRUS NAME: MJB.JS.SendEmailFu
I would double-check to make sure python3 is using the correct CA bundle.
On recent python3 versions, that should be the certifi bundle.
$ which python3
/opt/homebrew/bin/python3
$ /opt/homebrew/bin/python3 --version
Python 3.9.10
$ python3 -m certifi
/opt/homebrew/lib/python3.9/site-packages/certi
What version of ClamAV are you using? July of last year sounds about when
EOL versions of ClamAV were blocked wholesale and the 'acceptable version'
was moved up and all prior versions were blocked. EOL has moved several
times since then as well. Currently, the current stable version 0.104 and I
do
1. You’re excluding root in the config so you won’t be able to prevent from
accessing malicious files.
1A. You shouldn’t run clamd as root. run it as another user (like “clamav” or
“clamd”)
2. You are limiting it to only scan files in /home on-access
2A. You would likely want it to scan the enti
On Tue, Mar 15, 2022 at 1:53 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Hi there,
>
> On Tue, 15 Mar 2022, Laurent S. via clamav-users wrote:
> >> using Yara's engine in clamav directly is something that has been
> >> brought up time and again. It is possible. My un
That's indicating that there is a link in the email that's displaying "
www.americanexpress.com" but is actually going to "www.amazonbusiness.com".
It's hard to help without seeing the original email code.
On Thu, Mar 17, 2022 at 12:55 PM Alex via clamav-users <
clamav-users@lists.clamav.net> wrot
The accepted way would be to supply a link to the VirusTotal scan that
didn't detect it.
--Maarten
On Mon, Mar 21, 2022 at 4:36 PM Jorge Bastos wrote:
> It's just the link :P
> How would you be able to test then? ;)
>
> ok won't send again.. but the default virus db doesn't seems to be
> enough
As Ged pointed out, the fact that /home is mounted as a separate
mount-point (even though it's the same device), leads the system to see
them as different filesystems (you can umount /home without umount'ing /)
As a result, your use of cross-fs=no tells clamscan to not cross filesystem
boundaries
rting at / and recursing so it should get to /home, see it is still
> on the same filesystem and scan it.
>
> No ?
>
>
> On Friday, 8 April 2022, 19:02:42 BST, Maarten Broekman <
> maarten.broek...@gmail.com> wrote:
>
>
> As Ged pointed out, the fact that /hom
I'm not sure if this IS the answer, but my guess would be that ClamAV needs
to access files in /usr/lib64... And it has to scan (and come back with an
OK result) before access is allowed... resulting in scans being blocked
which, in turn, results in ALL processes being blocked while waiting on the
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format
There are examples of the wdb format a bit lower on the page. Essentially,
you would create a file "good_urls.wdb" in the same directory as the
existing ClamAV database files and put in an appropriate line to handle the
domains t
What version of ClamAV are you using?
What do the logs show?
If you are before 0.103, then your version is too old.
https://docs.clamav.net/faq/faq-eol.html
Maarten
Sent from a tiny keyboard
> On Jun 22, 2022, at 05:08, Kachare, Ganesh, Vodafone (External) via
> clamav-users wrote:
>
>
>
This is a new signature that was added today. It's rather complicated and,
with the "Test" in the name, I'm not sure it's meant to be published. We'll
have to wait to hear from the ClamAV folks on that matter, but you can
submit it as a false positive (for those Wordpress zips) using the False
posi
It's 100% a bad signature and should get removed.
I just checked the current version of the akismet plugin (
https://wordpress.org/plugins/akismet/) from WordPress and it is detected
by this signature but by nothing else:
https://virusscan.jotti.org/en-US/filescanjob/00ecsxf7es
https://www.virusto
Downloading the entire databases unnecessarily (using web browsers, etc) is
banned because it results in higher volumes of data transfer which, in turn,
costs more money. As such, using things other than freshclam or cvdupdate were
explicitly banned.
There’s not much else to say.
Maarten
A "PUA" is a "potentially unwanted application", not necessarily malicious.
You can disable PUA checks by ensuring that your clamd configuration has
"DetectPUA" set to no.
For reference, the signature is looking for bitwise math on CharCodeAt()
operations in HTML files.
VIRUS NAME: PUA.Win.Trojan
is sender, while keeping PUA
> checks still enabled for other cases.
>
> In the past I've not had great success searching entirely on my own.
>
> joe a.
>
> On 7/15/2022 4:34 PM, Maarten Broekman via clamav-users wrote:
> > A "PUA" is a "potentially
That's the only thing I can think of. I had node 18.6.0 and I'm running
ClamAV 0.105.0. That detected the node binary as having the same virus.
However, when I upload and scan the binary with VirusTotal, their install
of ClamAV does not detect it.
Similarly, after I upgraded to node 18.7.0, my loc
gt;
> 6b8627f0b1327ffee606314125862e27 node-v18.7.0-darwin-arm64/bin/node
>
> so I wonder what's up there. As it isn't the same file that you have
> I didn't bother to scan it, but see below for 'strings' etc.
>
> On Tue, 2 Aug 2022, Maarten Broekm
> So how does Kaiji-10003917-0 to Kaiji-10003916-0 ? Does
> Kaiji-10003916-0 get thrown out, or does it get updated to
> Kaiji-10003917-0 ?
The way it was explained to me (years ago) is that they are separate
signatures, unrelated expect in that they are related to Kaiji. If 10003916-0
was upd
Your best bet would be to have freshclam running on one machine and have the
rest use the Ansible playbook to pull from that “freshclam machine”.
Or, if you want to keep it all Ansible, have the playbook pull the definitions
vis freshclam on one machine and then copy to all the others.
-Maart
I'm not sure if the safebrowsing.cld is included in the daily cdiff, but
the current safebrowsing.cld takes between 50 and 70 seconds to *load* into
clamscan, where a copy from February loads in <5 seconds.
safebrowsing data:
Old (fast): ClamAV-VDB:13 Feb 2019 13-16
-0500:48472:3041760:63:X:X:goo
te:
> Maarten,
>
> Thanks for reporting that. There is an ordering difference of the content
> in the latest GDB file which is affecting the load time, and we will be
> fixing that in the next safebrowsing CVD version.
>
> Dave R.
>
> On Wed, Mar 6, 2019 at 10:42 AM Maa
The new safebrowsing cvd (starting with version 48473) seems to be sorted
in a way that increases the load time of that file by several orders of
magnitude.
I have a previous version from February where the entries in the gdb
section are sorted like this:
S2:F:917787cff7b0993917209809ff3d94be
google
> MD5: 70c61f41e52b5a2134ff7e272f5a6df1
>
> SHA256 (safebrowsing.gdb) =
> 7f6645b8d865de3992be1ad5de215afd848acee4c021eed4818fdb760f76b57e
>
> Something must be different.
>
> Dave R.
>
> On Wed, Mar 6, 2019 at 5:39 PM Maarten Broekman via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
>> The
ime) is unclear.
--Maarten Broekman
Full scans without the daily cvd/cld: Scan time ~60seconds
Full scans with the daily from March 11th: Scan time: 84seconds
Full scans with the daily from March 17th: Scan time: 109seconds
~/clamav# ls -larth /tmp/clamdtest*/daily.cld
-rw-r--r-- 1 clamav clamav
Given that the PhishTank signatures, specifically, have been causing the
performance issues, no. It's not unreasonable to want to pull them, and
only them, out. Having them in a separate db file would be highly
beneficial to those of us that don't want or need them at all. Barring
that, having a co
Having the Phishtank sigs as an additional optional database would be great
and, from my perspective, well worth the effort since we don't use them.
On Sun, Apr 7, 2019 at 9:44 AM Micah Snyder (micasnyd) via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Tim,
>
>
>
> There are a couple of
Clearly the latest daily.cvd is performing better, but the remaining
"Phishtank" sigs are *not* a majority of the slowness.
I unpacked the current (?) cvd (ClamAV-VDB:09 Apr 2019 03-53
-0400:25414:1548262:63:X:X:raynman:1554796413) and then ran a test scan
with each part to see what the load times
et type 0,
> whereas we’d split the Phishtank.Phishing signatures up by target type to
> reduce scan times of files where the signatures won’t apply. It should
> also speed things up quite a bit for other file types to split those up by
> Target types.
>
>
>
> Further research
Are the "Phish" REPHISH signatures still in the daily or were they removed
as well? Those were causing part of the issue.
--Maarten
On Wed, Apr 17, 2019 at 5:24 AM Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:
> An additional 3968 Phishtank.Phishing.PHISH_ID_??? signat
7:03 AM Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:
> There are still 2515 "Phish.Phishing.REPHISH_ID_" signatures in
> daily.ldb
>
> -Al-
>
> On Apr 17, 2019, at 03:36, Maarten Broekman
> wrote:
>
> Are the "Phish&quo
One problem that we're running into is that we encounter web pages and cgi
scripts that are "inconsistently" normalized. I put "inconsistently" in
quotes because without fully knowing the way ClamAV normalizes files, it is
sometimes difficult to understand why two similar files might be normalized
1 - 100 of 107 matches
Mail list logo
