pdate URLs for the urlhaus filter. Does ClamAV
deem urlhaus a bad actor?
Thanks,
Orion
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane or...@nwra.com
Boulder, CO
RE:
> aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>
> -----Original Message-
> From: clamav-users On Behalf Of
> Orion Poplawski
> Sent: Wednesday, December 23, 2020 1
> Best regards,
>
> Lilia Gonzalez
> Malware Research Team
> Cisco Talos
>
> On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski <or...@nwra.com> wrote:
>
> Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
> signature?
if the issue
> persists.
>
> Best regards,
>
> Lilia Gonzalez
> Malware Research Team
> Cisco Talos
>
>
> On Wed, Jan 6, 2021 at 4:59 PM Orion Poplawski <or...@nwra.com> wrote:
>
> Lilia -
>
> Thanks for the respo
alert on legitimate files anymore.
Please update your ClamAV database and if you still have some issues
please let me know.
Best regards,
Lilia Gonzalez
Malware Research Team
Cisco Talos
On Tue, Jan 12, 2021 at 12:54 PM Orion Poplawski <or...@nwra.com> wrote:
Lilia -
/main_site/528/8923/en_US/stylesheets/screen.css
--
Orion Poplawski
How can I determine what exactly is triggering a match?
$ clamscan IguanaTex_v1_55.ppam
IguanaTex_v1_55.ppam: Doc.Dropper.Agent-6384732-0 FOUND
I'd like to know what exactly was matched, but I'm not able to find
where the source for the virus definitions is.
--
Orion Poplaws
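How a named ClamAV signature is looked up and read, as an added example and not code from the thread or from ClamAV itself: the definitions are not published as source but as packed .cvd/.cld archives in the database directory, and sigtool both unpacks them (`sigtool --unpack daily.cld` writes daily.ndb, daily.ldb and friends) and prints one signature in readable form (`sigtool --find-sigs NAME | sigtool --decode-sigs`). The script below reproduces that lookup and the hex decoding over a constructed .ndb fragment embedded in it (the three signature names and bodies are invented) so it runs without ClamAV installed. The .ndb field layout Name:TargetType:Offset:HexSignature, the target-type numbers and the wildcard syntax it renders are ClamAV's documented format.

```shell
#!/bin/sh
# Added example (not from the thread or ClamAV): find a signature by name in an
# unpacked .ndb file and render its hex body. On a ClamAV host the equivalent is:
#   sigtool --unpack /var/lib/clamav/daily.cld      # or daily.cvd
#   sigtool --find-sigs 'Doc.Dropper.Agent-6384732-0' | sigtool --decode-sigs
# The database below is CONSTRUCTED for this script: names and bodies are invented.
SAMPLE_NDB='Example.Test.DocMacro-1:2:*:4175746f5f4f70656e
Example.Test.PEStub-2:1:EP+0:4d5a??{2-4}90
Example.Test.Any-3:0:*:48656c6c6f2c20776f726c64'

# .ndb target types (second field) as ClamAV defines them.
target_name() {
  case "$1" in
    0) echo "any file" ;;   1) echo "PE" ;;       2) echo "OLE2" ;;
    3) echo "HTML" ;;       4) echo "Mail" ;;     5) echo "Graphics" ;;
    6) echo "ELF" ;;        7) echo "ASCII (normalised)" ;;
    9) echo "Mach-O" ;;    10) echo "PDF" ;;     11) echo "Flash" ;;
    12) echo "Java" ;;      *) echo "type $1" ;;
  esac
}

# Render a hex signature body: printable bytes as text, other bytes as \xNN,
# wildcards kept visible: ?? (any byte), 4? (nibble), * (any gap), {n-m}, (aa|bb).
decode_hex() {
  printf '%s' "$1" | awk '
    BEGIN { hex = "0123456789abcdef" }
    {
      s = tolower($0); out = ""; i = 1; n = length(s)
      while (i <= n) {
        c = substr(s, i, 1)
        if (c == "*") { out = out "<*>"; i++; continue }
        if (c == "{" || c == "(") {
          end = (c == "{") ? "}" : ")"
          j = index(substr(s, i), end)
          if (j == 0) { out = out "<unterminated:" substr(s, i) ">"; break }
          out = out "<" substr(s, i, j) ">"; i += j; continue
        }
        pair = substr(s, i, 2)
        if (pair ~ /^[0-9a-f?][0-9a-f?]$/) {
          if (pair ~ /\?/) out = out "<" pair ">"
          else {
            v = (index(hex, substr(pair, 1, 1)) - 1) * 16 + index(hex, substr(pair, 2, 1)) - 1
            out = out ((v >= 32 && v < 127) ? sprintf("%c", v) : sprintf("\\x%02x", v))
          }
          i += 2; continue
        }
        out = out "<bad:" c ">"; i++
      }
      print out
    }'
}

# Print the .ndb line whose name field equals $1 (exact match, not a regex);
# exit status 1 when there is no such signature.
find_sig() {
  printf '%s\n' "$SAMPLE_NDB" |
    awk -F: -v n="$1" '$1 == n { print; found = 1 } END { exit found ? 0 : 1 }'
}

# Human-readable summary of one signature.
explain_sig() {
  line=$(find_sig "$1") || { echo "no signature named $1 in the database" >&2; return 1; }
  printf '%s\n' "$line" | {
    IFS=: read -r name target offset hex rest
    printf '%s\n  target: %s\n  offset: %s\n  body:   %s\n' \
      "$name" "$(target_name "$target")" "$offset" "$(decode_hex "$hex")"
  }
}

# Stand-alone demo over the constructed database.
explain_sig Example.Test.PEStub-2
```

A .ldb line uses `;` as its field separator and carries a logical expression plus several hex subsignatures, so change find_sig's `-F:` before pointing it at daily.ldb. Once the body is known, a local whitelist is just the signature name, one per line, in a .ign2 file in the database directory, which is the right stopgap after the false positive has been reported.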
:772096:Doc.Dropper.Agent-6384732-0:73
>
> -Al-
> ClamXAV User
>
> On Tue, Jan 30, 2018 at 08:50 AM, Orion Poplawski wrote:
>> How can I determine what exactly is triggering a match?
>>
>> $ clamscan IguanaTex_v1_55.ppam
>> IguanaTex_v1_55.ppam: Doc.Dropper.
T, LLVM is not compiled or
>>> not
>>> linked
>>>
>>
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us bui
It seems like in the last month or so I'm seeing more timeouts connecting to
the clamav DB mirrors. Is anyone else seeing this? I have a bit of a strange
mirror setup so it might just be my configuration.
Thanks.
--
Orion Poplawski
ormation or
> also create a ticket and specifically state it is a mirror YOU maintain and
> what seems to be the issue-
>
>
> Thank you,
>
>
>
> Tom McCourt | Talos: Open Source Team| tmcco...@cisco.com
>
>
>
>
> On 3/23/18, 11:47 AM, "
On 03/27/2018 03:13 PM, Orion Poplawski wrote:
> Thanks for the response.
>
> I ended up switching freshclam to use our proxy servers and increasing the
> ConnectTimeout to 60 seconds. This has helped a bit, but I still get the
> occasional issue. Latest was trying to get daily-2
-Al-
I don't think mirrors.dat comes into play here as the proxy is doing the dns
lookup, not freshclam.
>
> On Tue, Mar 27, 2018 at 03:40 PM, Orion Poplawski wrote:
>> On 03/27/2018 03:13 PM, Orion Poplawski wrote:
>>> Thanks for the response.
>>>
>>
alt for you. All the mirrors are in round-robin dns pools.
>
> dp
>
> On 3/27/18 4:32 PM, Orion Poplawski wrote:
>> On 03/27/2018 05:21 PM, Al Varnell wrote:
>>> Using the same IP each time with failure will also cause mirrors.dat to
>>> temporarily block that
On 03/30/2018 09:48 AM, Orion Poplawski wrote:
>
> And still having persistent problems with 72.21.91.8 as reported here:
> https://bugzilla.clamav.net/show_bug.cgi?id=12068
>
And it is still not there:
# curl --resolve db.us.clamav.net:80:72.21.91.8
http://db.us.clamav.net/daily
> http://db.us.big.clamav.net/bytecode.cvd 2>&1 >/dev/null
>
> dp
>
>
> On 4/5/18 2:56 PM, Orion Poplawski wrote:
>> On 03/30/2018 09:48 AM, Orion Poplawski wrote:
>>> And still having persistent problems with 72.21.91.8 as reported here:
>>> ht
Fedora EPEL. Not sure when
it will be updated to 0.100.
As for definition updates, it would just be a matter of transferring the
definitions in /var/lib/clamav from an updated system to the standalone one.
--
Orion Poplawski
can I get this updated?
yum --enablerepo=epel-testing upgrade clam\*
I believe we're waiting for a bugfix to prevent crashes on some third-party
rules before pushing to stable.
--
Orion Poplawski
one other report of such a crash after updating to 0.101.0 -
but the user hadn't seen it since. If you can get a backtrace with
debug info that might be helpful.
--
Orion Poplawski
)
* Win.Trojan.Generic-6840770-0 :
http://2.au.download.windowsupdate.com/c/msdownload/update/software/defu/2019/02/am_delta_680ce842d92a7839abe55fd13955eb08f21c9aaa.exe:
4 Time(s)
--
Orion Poplawski
systems almost always want it started
immediately so that it can respond quickly when needed. I would
recommend just dropping it.
--
Orion Poplawski
--
Orion Poplawski
hould the same as before:
systemctl start clamd@scan
--
Orion Poplawski
havior
of an antivirus engine, that is, remove threats automatically. If he
doesn't do this by default what should I do to make him do it?
Consult "man clamd.conf" and the comments in /etc/clamd.d/scan.conf for
your options.
--
Orion Poplawski
rdo.lu...@lightbase.com.br>
+55-61-3347-1949 - http://brlight.org - Brasil-DF
Free software! Embrace this idea!
"Those who deny freedom to others deserve it not for themselves."
Abraham Lincoln
--
Orion Poplawski
iteral and no format
arguments [-Werror=format-security]
250 | ck_assert_msg("failed to open output file: %s", filename);
| ^~~~
In this case it appears that the ck_assert_msg() call is missing the
condition check.
ught about dropping it, but I think the Fedora and EPEL users
are pretty used to it at this point.
--
Orion Poplawski
I've been seeing some viruses come in due to clamd timing out. What
concerns me is that these emails arrive with the:
X-Virus-Scanned: ClamAV version 'clamd / ClamAV version 0.65', clamav-milter version '0.60p'
header in place, but in fact it *hasn't* been scann
t max-children limit (27 >=
20): waiting for some to exit
Jan 29 04:49:37 earth sendmail[17144]: i0TBnbQU017144: Milter
(clmilter): error connecting to filter: Connection refused by
/var/run/clamav/clamav-milter.sock
--
Orion Poplawski
System Administrator 303-415-9701 x22
[EMAIL PROTECTED] wrote:
That is due to high traffic of the SCO virus. Increase max-children
in CLAMAV_FLAGS of clamav-milter. Try with 40.
I understand why it hit the limit, and I'm happy to increase it. But, I
posit that clamav-milter shouldn't *crash* because of it.
--
Orion Poplaw
at might be a help,
let me know.
--
Orion Poplawski
System Administrator 303-415-9701 x222
Colorado Research Associates/NWRA FAX: 303-415-9702
3380 Mitchell Lane, Boulder CO 80301 http://www.co-ra.com
---
This SF.Net email is s
!
- Orion
--
Orion Poplawski
Todd Lyons wrote:
On Fri, 2004-04-02 at 09:40, Orion Poplawski wrote:
Mar 28 07:55:53 earth clamav-milter[953]: write failure to clamd
Mar 28 07:55:53 earth sendmail[18248]: i2SEqA0C018248: Milter: data,
reject=451 4.7.1 Please try again later
I had the same problem, regardless of message size
OTECTED]> >n_children = 1
clamfi_envfrom: <[EMAIL PROTECTED]> >n_children = 1 clamfi_envfrom:
until I commented out the following from syslogd.conf:
#*.emerg*
This happens with versions 0.67 and above. I think it may have started
with 0.67, though I'm not su
ldren == 0) && ((cpt = cfgopt(copt, "MaxThreads")) !=
NULL))
- max_children = atoi(cpt->strarg);
+ max_children = cpt->numarg;
/*
* Get the outgoing socket details - the way to talk to clamd
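Review bot: the switch from atoi(cpt->strarg) to cpt->numarg on the `max_children = ...` line only works if cfgopt() registers "MaxThreads" as a numeric option; for a string-typed entry numarg is never filled in, so max_children silently stays 0, which is exactly the "unset" value the enclosing `max_children == 0` condition tests for, and the limit is dropped instead of applied. Guard the assignment, e.g. `if (cpt->numarg > 0) max_children = cpt->numarg;` with a logged warning in the else branch, and say in the commit message which cfgopt table entry the change relies on.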
--
Orion Poplawski
I've put the contents of a src.rpm that I've been using to build rpms of
the latest snapshots to ftp://ftp.cora.nwra.com/software/linux/clamav.
Hope people find it useful. Note that it uses /var/lib/clamav for the
databases and /var/run/clamav for socket and pid file.
--
Orion
clamav is reporting BC.Gif.Exploit.Agent-1425366.Agent for a gif inside of the
gdk-pixbuf2 tarball. I've tried adding it do our local whitelist.ign2 file,
but that doesn't appear to take effect. Any way to ignore this definition?
Thanks,
Orion
--
Orion Poplawski
IT Syste
>
> I scanned the tar balls at gnome.org and didn't find anything though, but
> maybe you got it from somewhere else.
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>
> -----Original Message-
> From: clamav-users On Behalf Of
1340:1:90:49192:333"
--
Orion Poplawski
he/him/his - surely the least important thing about me
IT Systems Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane or...@nwra.com
Boulder, CO 80301
m running cvdupdate at the recommended 4 hour interval. Can I run it
more often? Although I suppose there always may be an interval between
when a client might see the new version and the mirror downloads it, so
I may just have to exclude these types of warnings from logwatch.
--
Orion
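Telling real mirror lag apart from the window between an upstream release and the next cvdupdate run, as an added example that is not part of the thread or of cvdupdate: every .cvd/.cld starts with a 512-byte plaintext header, `ClamAV-VDB:<build date>:<version>:<signature count>:<functionality level>:<MD5>:<digital signature>:<builder>:<build time>` (the same fields `sigtool --info FILE` prints), and the versions upstream currently advertises are in the TXT record of current.cvd.clamav.net (`dig +short TXT current.cvd.clamav.net`). The field positions in that record used below (main 2nd, daily 3rd, safebrowsing 7th, bytecode 8th, 1-based) are my reading of how freshclam parses it and should be checked against a live lookup. The header file and TXT string in the script are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or cvdupdate): compare the version inside
# a local .cvd/.cld with the version upstream advertises in DNS.

# First 512 bytes of a .cvd/.cld: colon-separated plaintext, space padded.
#   ClamAV-VDB:<build date>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<stime>
cvd_field() {            # cvd_field FILE N -> Nth (1-based) header field
  dd if="$1" bs=512 count=1 2>/dev/null | cut -d: -f"$2" | sed 's/ *$//'
}
cvd_version() { cvd_field "$1" 3; }

# TXT record of current.cvd.clamav.net. Field order is an ASSUMPTION taken from
# freshclam's parser; verify with:  dig +short TXT current.cvd.clamav.net
#   <clamav version>:<main>:<daily>:<updated epoch>:...:<safebrowsing>:<bytecode>
dns_version() {          # dns_version TXT_STRING DBNAME -> version number
  case "$2" in
    main) f=2 ;; daily) f=3 ;; safebrowsing) f=7 ;; bytecode) f=8 ;;
    *) echo "unknown database $2" >&2; return 1 ;;
  esac
  printf '%s\n' "$1" | tr -d '"' | cut -d: -f"$f"
}

# Prints "current", "behind N" or "ahead N"; exit status 0 only when current.
compare_versions() {     # compare_versions LOCAL REMOTE
  if [ "$1" -eq "$2" ]; then echo current; return 0
  elif [ "$1" -lt "$2" ]; then echo "behind $(($2 - $1))"; return 1
  else echo "ahead $(($1 - $2))"; return 1
  fi
}

# Writes a CONSTRUCTED header (every value invented) so the example runs offline.
make_sample_cvd() {      # make_sample_cvd FILE VERSION
  printf '%-512s' "ClamAV-VDB:01 Jan 2024 00-00 -0000:$2:7000000:90:d41d8cd98f00b204e9800998ecf8427e:none:example:1704067200" > "$1"
}

check_mirror_copy() {    # check_mirror_copy FILE DBNAME TXT_STRING
  local_v=$(cvd_version "$1")
  remote_v=$(dns_version "$3" "$2") || return 1
  printf '%s: local %s, upstream %s -> ' "$2" "$local_v" "$remote_v"
  compare_versions "$local_v" "$remote_v"
}

# Stand-alone demo. SAMPLE_TXT is constructed; it only mimics the record's shape.
SAMPLE_TXT='"0.103.11:62:27210:1709145080:1:90:49192:333"'
tmp=$(mktemp)
make_sample_cvd "$tmp" 27205
check_mirror_copy "$tmp" daily "$SAMPLE_TXT" || :
rm -f "$tmp"
```

Point it at /var/lib/clamav/daily.cld on the mirror host (or at the copy the mirror actually serves over HTTP) with the live dig output in place of SAMPLE_TXT. With cvdupdate on a 4-hour schedule a copy can trail DNS by up to that long, so a "behind" result shortly after an upstream release is the expected window; a gap that persists across runs points at the mirror or its download path rather than the schedule, and is worth alerting on rather than excluding from logwatch.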
--
Orion Poplawski
file, it reports OK. But
if I scan on a truncated version (say just the first 16MB) it reports as
infected. Although I guess this is a result of it being larger than the
maximum file scan size.
I've reported the FP to the clamav.net website.
clamav-0.103.7-1.el7.x86_64
--
Orion Poplaws
haps are the same failures you are seeing? A patch would be appreciated.
--
Orion Poplawski
], as COPR does not have the restrictions on internet downloads.
However, it won't have the "EPEL" appellation.
I am hopeful that we will be able to provide clamav 1.X in EPEL9.
[1] - https://bugzilla.redhat.com/show_bug.cgi?id=2170297#c3
[2] - https://copr.fedorainfracloud.org/
-
CS support enabled.
Feb 18 17:40:51 f37 clamd[741]: HWP3 support enabled.
Feb 18 17:40:51 f37 clamd[741]: Self checking every 600 seconds.
Feb 18 17:40:51 f37 systemd[1]: Started clamd@scan.service - clamd
scanner (scan) daemon.
--
Orion Poplawski
1.0.X once 0.103.X goes EOL. We're basically
just waiting on one issue to get resolved at the moment:
https://github.com/Cisco-Talos/clamav/issues/842
We will probably provide a COPR repo for early adopters once that issue
is resolved.
--
Orion Poplawski
this to EPEL proper just after RHEL 8.10 is
released, presumably in May. But testing and feedback of the COPR
builds before that would be welcome.
Orion
--
Orion Poplawski
ers On Behalf Of Orion
> Poplawski via clamav-users
> Sent: 27 April 2024 01:06
> To: ClamAV users ML
> Cc: Orion Poplawski
> Subject: [clamav-users] ClamAV 1.0.X for EPEL 7 & 8
>
> With the help of John Sullivan and Sérgio M. Basto we have gotten the
> Fedora Cla
>
> Hi Orion, I wrote Sergio a few months ago about implementing ip/port lookups
> dynamically. Did some of this find its way into these updates?
I'm not exactly sure what you are referring to. Have you filed an issue at
bugzilla.redhat.com? That's the best way to track things.
comments?
--
Orion Poplawski