* Vladislav Kurz via clamav-users :
> How about just making the file empty?
I think this causes an error in clamav/clamd
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk
Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm
mav.so.9
/usr/local/lib/libclammspack.so
/usr/local/lib/libclammspack.so.0
/usr/local/lib/libclamunrar.so
/usr/local/lib/libclamunrar.so.5
/usr/local/lib/libclamunrar_iface.so
/usr/local/lib/libclamunrar_iface.so.9
/usr/local/lib/libfreshclam.so
/usr/local/lib/libfreshclam.so.2
main.cld
ERROR: listdb: Error listing database /var/lib/clamav/main.cld
dir: error loading database
/var/lib/clamav/rezeptfrei.hdb
ERROR: Malformed database
So what IS the correct syntax?
* Ralf Hildebrandt via clamav-users :
> Today I installed 0.105.0 to test the new fuzzy image signatures.
I'm a moron: "Added image fuzzy hash sub-signatures for logical
signatures" -- thus it must be an LDB file :/
> Alas, I started up my trusty editor an genera
it finds an email containing a BASE64 encoded "readme.exe"
using the content type "audio/x-wav"... Maybe this helps:
VIRUS NAME: Win.Trojan.N-68
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
REMOVED A MIME BOUNDARY HERE
Content-Type: audio/x-wav;
name="readme.exe&
clamdscan -V /tmp/LPBB0010-10.pdf
ClamAV 0.105.1/26663/Mon Sep 19 09:56:35 2022
> bytecode.cvd database is up-to-date (version: 333,
sigs: 92, f-level: 63, builder: awillia2)
Fri Oct 28 09:07:10 2022 -> --
Still failing.
0:19 2022 -> main.cld database is up-to-date (version: 62, sigs:
6647427, f-level: 90, builder: sigmgr)
Thu Oct 27 11:00:19 2022 -> bytecode.cld database is up-to-date (version: 333,
sigs: 92, f-level: 63, builder: awillia2)
Thu Oct 27 11:00:19 2022 -> ------
>
> https://github.com/Cisco-Talos/clamav/issues/736
Ah, interesting. I'm using the *.deb from
http://www.clamav.net/downloads/production/clamav-1.0.0-rc.linux.x86_64.deb
interesting. I'm using the *.deb from
> > http://www.clamav.net/downloads/production/clamav-1.0.0-rc.linux.x86_64.deb
ailing:
strace --failed-only $program
* JOHN URBAN :
> Not quite as easy to set up as I made it sound, as lots of pieces and people
> involved but that is exactly one of the tests we hope to run today; thanks!
Yes, this sounds like hours of fun :/
But the insight gained will be rewarding :)
tc/clamav/clamd.conf /usr/local/etc/clamd.conf
service clamav-freshclam restart
service clamav-daemon restart
]: LibClamAV Warning: cli_ac_addsig: cannot use
filter for trie
een this, too?
I've seen this with 1.1.0-1 as well. Maybe they're related to the
"pattern issue" I posted a while ago
How are the updates done?
"Non-LTS feature releases will be allowed access to download
signatures until at least four (4) months after the next-next feature
release is published."
sue (since amavis does the unpacking)
More logging is needed for the message in question.
opline.malware.redirect.ecpms.net.720".
What does this have to do with CVE-2023-20032?
# sigtool --find-sigs=sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720 | sigtool --decode-sig
VIRUS NAME: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720
DECODED SIGNATURE:
kages from clamav.net:
# dpkg -l |fgrep clam
ii clamav 1.2.0-1 amd64 ClamAV open source email, web, and end-point
anti-virus toolkit.
* Al Varnell via clamav-users :
> Sent from my iPad
>
> On Sep 12, 2023, at 01:29, Ralf Hildebrandt via clamav-users
> wrote:
> > should sigtool --decode-sigs really throw an error in that case?
>
> Perhaps not, but it's been the case for as long as I've
strotate
if [ -d /run/systemd/system ]; then
systemctl -q is-active clamav-freshclam && systemctl kill
--signal=SIGHUP clamav-freshclam || true
else
invoke-rc.d clamav-freshclam reload-log > /dev/null ||true
fi
endscript
}
> page<https://github.com/Cisco-Talos/clamav/releases/tag/clamav-1.2.0-rc>.
https://github.com/Cisco-Talos/clamav/releases/tag/clamav-1.2.0-rc2
returns a 404.
way as to be usable
from within clamav (1.3.0)?
> - Sanesecurity (https://sanesecurity.com) provider default
> configuration overhaul. Switch to a less congested mirror site,
> add/remove several signature URLs.
Thanks for that!
led to run: Exceeded
time limit
is this a bad Bytecode rule?
one should reasonably still be affected
> by the vulnerabilities.
>
> I am curious though - what are your MaxFileSize / MaxScanSize
> settings? I wonder if you're seeing timeouts with the default settings
> or if you increased them.
MaxFileSize 100M
MaxScanSize 200M
M
should I worry if it's not present?
> Would you, and others here, be interested in installing a ClamAV
> snap in the future?
That definitely sounds interesting!
* Cliff Hayes via clamav-users :
> I have a daily cron job that runs around 3am that:
> - shuts down clamd
> - runs freshclam
> - starts clamd
Why?
freshclam usually runs all the time, updating and signalling clamd on
demand.
But you do have a point...
ED SUBSIGNATURE:
words(85
So, as you can see, the signature consists of 6 subsignatures numbered
0-5, all of which must match. It sort of looks highly specific to me.
63, builder: raynman)
Tue Jul 28 18:00:53 2020 -> daily.cld updated (version: 25887, sigs: 3681654,
f-level: 63, builder: raynman)
Remove autotools generated files, add autogen.sh
26 days ago
Sanesecurity and to lesser extent SecuriteInfo).
The only official "hit" in the top 25 is "Win.Downloader.WannaMine-6442440-2"
I see the extensibility as a major advantage. Just the other day I
created a set of patterns to detect EPOCH3 EMOTET files.
But to some extent I agre
00020819---C000-0046}" anywhere
1: contain "CallByName" anywhere
2: contain "ThisWorkbook" anywhere
arser while extracting
objects.
Sep 18 11:47:55 proxy-cbf-1 clamd[791]: LibClamAV Error:
pdf_find_and_extract_objs: Timeout reached in the PDF parser while extracting
objects.
What is the timeout value?
Can it be configured?
Is there any way of preserving the files for further analysis?
> Do you want to take care of it since now (forever)?
>
> It is possible, but it should be easier to backport clamav e.g. version
> 0.103 from hirsute. That way, when newer version appears in ubuntu
> repository, it may get upgraded so you won't have to care.
I usually rebu
> > I usually rebuild from a recent debian source (hah!)
>
> that's what I recommend.
>
> with changing version to something lower than 0.103 e.g. 0.103~backport
> - it gets upgraded to ubuntu-provided version when it's available.
Same here.
pting to access malicious files.
> If it does, is there a way to ask clamav to scan just memory mapped files?
I'm not sure if this can easily be detected.
I guess one could monitor mmap() calls via dtrace, but I'm just guessing!
> kubernetes that run and add log files to /tmp. /tmp is being actively
> monitored and must be monitored by clamav. The log file shows these
> error messages
Where does clamav drop its tempfiles (check the config option
"TemporaryDirectory")?
I hope it's not /tmp
1
DECODED SIGNATURE:
2a_birsuhidw.php
topline.db from
> http://sigs.interserver.net/interservertopline.db
> ^Download failed (28) ^ Message: Timeout was reached
> Trying again in 5 secs...
Are you downloading the signatures for clamav through the filtering
proxy itself?
Maybe it's basically blocking its own signature fil
es after updating to 1.4.3
As stable as 1.4.2 (running on two MX hosts and 4 proxyservers)