Re: [clamav-users] [ext] Re: ClamAV® blog: Are you still attempting to download safebrowsing.cvd?

2021-04-08 Thread Ralf Hildebrandt via clamav-users
* Vladislav Kurz via clamav-users : > How about just making the file empty? I think this causes an error in clamav/clamd Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D

Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-20 Thread Ralf Hildebrandt via clamav-users
* Joel Esler (jesler) via clamav-users : > [cid:7F6A7E38-0C10-460C-A542-B8AD5C969E5E-L0-001] Indeed; I installed clamav-0.104.0-rc2.linux.x86_64.deb, and then checked - it seems to be missing: $ dpkg -L clamav |fgrep -i milter /usr/local/share/man/man5/clamav-milter.conf.5 /usr/local/share/man/m

Re: [clamav-users] [ext] ERROR: listdb: Error listing database /var/lib/clamav/daily.cvd

2021-11-24 Thread Ralf Hildebrandt via clamav-users
* Arnaud Jacques via clamav-users : > Is it just me, or? Same here: # clamdscan -V ClamAV 0.103.4/26363/Wed Nov 24 10:19:30 2021 # sigtool -l|tail Doc.Malware.Valyria-6923115-0 Xls.Malware.Generic-6923116-0 Doc.Malware.00536d-6923117-0 Doc.Malware.Valyria-6923118-0 Xls.Malware.Sload-6923119-0 Xl

[clamav-users] Fuzzy image signatures, Y U no work?

2022-05-25 Thread Ralf Hildebrandt via clamav-users
Today I installed 0.105.0 to test the new fuzzy image signatures. I was able to determine the fuzzy hash for a set of given pictures of questionable content using: sigtool --fuzzy-img pr0npic.jpg Alas, I started up my trusty editor and generated a rezeptfrei.hdb signature file containing: pr0n1

Re: [clamav-users] Fuzzy image signatures, Y U no work?

2022-05-25 Thread Ralf Hildebrandt via clamav-users
* Ralf Hildebrandt via clamav-users : > Today I installed 0.105.0 to test the new fuzzy image signatures. I'm a moron: "Added image fuzzy hash sub-signatures for logical signatures" -- thus it must be an LDB file :/ > Alas, I started up my trusty editor and genera

Re: [clamav-users] [ext] More info about detected virus

2022-06-08 Thread Ralf Hildebrandt via clamav-users
* Zvi Kave via clamav-users : >Hi, > >Where can I find more information about ClamAV detected virus like >Win.Trojan.N-68 > >or another name ? You can decode the signature using this command: # sigtool -fWin.Trojan.N-68 | sigtool --decode-sigs Basically it finds an email conta

Re: [clamav-users] [ext] PDF scan

2022-09-20 Thread Ralf Hildebrandt via clamav-users
* Tsutomu Oyamada : > Hi, all. > > I have a question about ClamAV 0.104.2 on IBM AIX7.3 system. > It takes time to scan PDF files by clamdscan. > it takes about 8 seconds to scan PDF file(total 645 page). All files or just THIS file? 645 pages is quite long. > (sample file is here: https://www.u

Re: [clamav-users] [ext] ClamAV 1.0.0 release candidate now available

2022-10-28 Thread Ralf Hildebrandt via clamav-users
* Micah Snyder (micasnyd) via clamav-users : > We are excited to announce the ClamAV 1.0.0 release candidate! I'm seeing log entries like this for the machines with 1.0.0-rc indicating the daily.cld update failed: Oct 28 00:06:46 de freshclam[1878609]: Fri Oct 28 00:06:46 2022 -> daily database

Re: [clamav-users] [ext] ClamAV 1.0.0 release candidate now available

2022-10-28 Thread Ralf Hildebrandt via clamav-users
> Fri Oct 28 09:07:10 2022 -> -- > Fri Oct 28 09:07:10 2022 -> freshclam daemon 1.0.0-rc (OS: Linux, ARCH: > x86_64, CPU: x86_64) > Fri Oct 28 09:07:10 2022 -> ClamAV update process started at Fri Oct 28 > 09:07:10 2022 > Fri Oct 28 09:07:10 2022 -> daily datab

Re: [clamav-users] ClamAV 1.0.0 release candidate now available

2022-10-28 Thread Ralf Hildebrandt via clamav-users
* Yasuhiro Kimura : > I experienced same problem while I'm working to update FreeBSD ClamAV > port to 1.0.0-rc. It happens if ClamAV is built with external > TomsFastMath library (that is, ENABLE_EXTERNAL_TOMSFASTMATH option is > ON). > > See issue #736 for more detail. > > https://github.com/Ci

Re: [clamav-users] [ext] Re: ClamAV 1.0.0 release candidate now available

2022-10-28 Thread Ralf Hildebrandt via clamav-users
* Joel Esler : > You wouldn’t download the cld from the server. Or am I reading this thread > wrong. No, but the debian package (*.deb), instead of building it myself (like Yasuhiro did). What I'm trying to say: The prebuilt package suffers from the same issue :) > > Ah, interesting. I'm usi

Re: [clamav-users] [ext] Re: parallel processes fail at startup when clamd is running

2022-11-28 Thread Ralf Hildebrandt via clamav-users
* JOHN URBAN via clamav-users : > Doing a scan of the entire locally attached storage on Linux nodes, > including /tmp and /var; and the problem is basically that MPI > programs trying to launch while that full scan is running fail to > start up. Once the programs start they do not commonly fail;

Re: [clamav-users] [ext] Re: parallel processes fail at startup when clamd is running

2022-11-29 Thread Ralf Hildebrandt via clamav-users
* JOHN URBAN : > Not quite as easy to set up as I made it sound, as lots of pieces and people > involved but that is exactly one of the tests we hope to run today; thanks! Yes, this sounds like hours of fun :/ But the insight gained will be rewarding :) -- Ralf Hildebrandt Charité - Universitätsm

Re: [clamav-users] [ext] ppa for ClamAV for Ubuntu 22.04.1

2022-12-07 Thread Ralf Hildebrandt via clamav-users
* newcomer01 via clamav-users : > does everyone know, if exists a ppa to install always the current stable > version of ClamAV for Ubuntu 22.04.1? > The Ubuntu releases are so slow ... I use the official releases (installing them over the Ubuntu clamav) and then use this script to map the binari

[clamav-users] LibClamAV Warning: Don't know how to create filter for: Win.Downloader.LNKAgent-10001628-0

2023-05-16 Thread Ralf Hildebrandt via clamav-users
clamav-1.1.0-1: === May 16 10:00:23 de freshclam[864]: Tue May 16 10:00:23 2023 -> daily database available for update (local version: 26907, remote version: 26908) May 16 10:00:23 de freshclam[864]: WARNING: Tue May 16 10:00:23 2023 -> *** RESULT 200, SIZE: 7213 *** Why do

Re: [clamav-users] [ext] Segfaults with database version 26908

2023-05-16 Thread Ralf Hildebrandt via clamav-users
* Matthias Rieber : > Hello List, > > since the update to version 26908 we observe a high amount of segfaults. Same here. > As far as I can tell this happens in > > 0x7fdfd44c377d > > We use version 0.103.8+dfsg-0+deb11u1 on debian bullseye. > > Has anyone seen this, too? I've seen this wit

Re: [clamav-users] [ext] ClamAV and Cohesity

2023-05-22 Thread Ralf Hildebrandt via clamav-users
> We use Cohesity a lot here in Belgium and inform our customers about the > app usage of ClamAV. > This has worked fine in the past but recently we experience at multiple > customers that the app does no longer renew the signature database. Which version of clamav is being used? And: How are the

Re: [clamav-users] [ext] ClamAV and Cohesity

2023-05-22 Thread Ralf Hildebrandt via clamav-users
* steven aldenkamp : > In Cohesity I see: > > Version > ClamAV 0.102.2 > Antivirus Signature Database Bytecode: 333, Daily: 26439, Main: 62 > Last updated: 2/1/22, 12:30 PM https://endoflife.date/clamav I guess 0.102.x is EOL since Jan 2022 (thus the "Last updated") https://docs.clamav.net/faq/f

Re: [clamav-users] [ext] Clamav 1.0.1 and email scan failed

2023-07-31 Thread Ralf Hildebrandt via clamav-users
* Fiorenza Meini via clamav-users : > > Hi there, > I have a Debian 12 VM, clamav installed at version 1.0.1. > I configured it to work with Postfix. > When email is received and it's passed to ClamaV, this is the error > received: > Sun Jul 30 23:37:29 2023 -> WARNING: File path check failure for

Re: [clamav-users] [ext] CVE-2023-20032 how to identify and solve

2023-09-01 Thread Ralf Hildebrandt via clamav-users
* Jorge Bastos : > I think i got hit by CVE-2023-20032 [1], anyone knows how to identify if > yes, and how to remove it? How did you find out you were hit by CVE-2023-20032? To summarize what CVE-2023-20032 is: "An attacker could exploit this vulnerability

[clamav-users] Cannot "decode" a SHA256 signature

2023-09-12 Thread Ralf Hildebrandt via clamav-users
I found a rejection based on vhxtdQ.sigs.InterServer.net.SHA256.21881 in my mail.log and wanted to check what the signature searches for. So I took out ye olde sigtool - and failed: # /usr/local/bin/sigtool --find-sigs vhxtdQ.sigs.InterServer.net.SHA256.21881 | /usr/local/bin/sigtool --decode-si

Re: [clamav-users] [ext] Re: Cannot "decode" a SHA256 signature

2023-09-12 Thread Ralf Hildebrandt via clamav-users
* Al Varnell via clamav-users : > Sent from my iPad > > On Sep 12, 2023, at 01:29, Ralf Hildebrandt via clamav-users > wrote: > > should sigtool --decode-sigs really throw an error in that case? > > Perhaps not, but it's been the case for as long as I've

Re: [clamav-users] [ext] Compressing log files with clamav

2023-10-18 Thread Ralf Hildebrandt via clamav-users
* Vu, Hong-Duc V. via clamav-users : > Hello everyone, > > I'm running clamav 103.9 on RHEL8 and RHEL7 from the EPEL repository. I > notice the configuration file has a feature that rotates logs when it reaches > a size I can configure: LogFileMaxSize. Is there an option in the > configuration

Re: [clamav-users] [ext] ClamAV 1.3.0 second release candidate published!

2024-01-25 Thread Ralf Hildebrandt via clamav-users
> You can find the source code and installers for this release on > the > clamav.net/downloads page or the ClamAV GitHub > release > page

[clamav-users] Yara rule for Anydesk files...

2024-02-14 Thread Ralf Hildebrandt via clamav-users
Hi! I found this YARA ruleset https://raw.githubusercontent.com/mmorgens/yara/main/gen_anydesk_compromised_cert_additional_rules_feb23.yar unfortunately it uses "import "pe"" which is not supported by the yara parser in clamav. But can those two rules be rewritten in such a way as to be usable fr

Re: [clamav-users] [ext] Announcing Fangfrisch release 1.8.0

2024-02-20 Thread Ralf Hildebrandt via clamav-users
> - Sanesecurity (https://sanesecurity.com) provider default > configuration overhaul. Switch to a less congested mirror site, > add/remove several signature URLs. Thanks for that! -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netz | Netzwerk-

[clamav-users] Bytecode run timed out in interpreter after 5000 opcodes

2024-02-20 Thread Ralf Hildebrandt via clamav-users
In yesterday's logs I found this: Feb 19 12:18:35 mail-cbf-int clamd[4147902]: LibClamAV Warning: Bytecode run timed out in interpreter after 5000 opcodes Feb 19 12:18:35 mail-cbf-int clamd[4147902]: LibClamAV Warning: Bytecode 'BC.Img.Exploit.CVE-2017-16386-6404655-1.{}' (id: 77) failed to run:

Re: [clamav-users] Bytecode run timed out in interpreter after 5000 opcodes

2024-02-21 Thread Ralf Hildebrandt via clamav-users
* Micah Snyder (micasnyd) : > There are 3 bytecode rules for detecting CVE's that seem to take a > rather long time to run, particularly as the file grows in size. I'm > discussing with our threat research team if we can remove them as > CVE's are old enough that no one should reasonably still be

Re: [clamav-users] ClamAV 1.4.0 release candidate now available!

2024-05-13 Thread Ralf Hildebrandt via clamav-users
* Micah Snyder (micasnyd) via clamav-users : > The ClamAV 1.4.0 release candidate is now available. I upgraded today and got a log message I've never seen before: Mon May 13 17:18:37 2024 -> WARNING: Last cf-ray not present in freshclam.dat. Mon May 13 17:18:37 2024 -> freshclam daemon 1.4.0-rc

Re: [clamav-users] rpm files question [was: ClamAV 0.101.2 announcement?]

2019-03-29 Thread Ralf Hildebrandt via clamav-users
* Micah Snyder (micasnyd) via clamav-users : > This won't help you right now, but our team has been discussing > publishing ClamAV on Linux using Snapcraft at the time of each > release. Snapcraft sounds like it may be a good option to make ClamAV > accessible faster. > > Would you, and others h

Re: [clamav-users] [ext] SelfCheck: Database modification detected. Forcing reload.

2019-11-13 Thread Ralf Hildebrandt via clamav-users
* Cliff Hayes via clamav-users : > I have a daily cron job that runs around 3am that: > - shuts down clamd > - runs freshclam > - starts clamd Why? freshclam usually runs all the time, updating and signalling clamd on demand. But you do have a point... Ralf Hildebrandt Charité - Universitäts

Re: [clamav-users] [ext] About Madeba-8019734

2020-07-06 Thread Ralf Hildebrandt via clamav-users
* Michel GALLE : > Hi Everyone, > > it's my first post here. > > I try to get information about "Xls.Malware.Madeba-8019734-0". > > Clamav informed me a previously clean (or supposedly to be clean) xls file > is in fact infected by Xls.Malware.Madeba-8019734-0. > > The file was not modified or

Re: [clamav-users] [ext] Re: ClamAV® blog: Freshclam, cdiffs and bandwidth are your friends

2020-07-29 Thread Ralf Hildebrandt via clamav-users
* Paul Kosinski via clamav-users : > "...we also only release updates once a day." > > Are there *never* any urgent virus updates released in between? In > other words, is it always useless to check the TXT record more often? I was wondering about this wording as well! But then I checked: Mon J

Re: [clamav-users] [ext] ClamAV Development Release: Cannot compile, no configure-script available...

2020-08-12 Thread Ralf Hildebrandt via clamav-users
* Heino Backhaus : > Hi Foulks, > > I'm using a script on multiple Email-AV-Gateways to keep the > ClamAV-Dev-Release up to date. This seamlessly worked for decades...but > somehow the configure-Script seems to be gone since 17. July 2020... > Do I have to generate it? So it seems: https://github.c

Re: [clamav-users] Becoming disillusioned

2020-08-14 Thread Ralf Hildebrandt via clamav-users
* Kurt Fitzner : > ClamAV has, I'm afraid, become worse than nothing. Nothing doesn't take > up memory, storage space, and execution resources but nets the same > result. Nothing, by definition, doesn't come with that implied "it's > better than nothing" which ClamAV does and clearly isn't. >

Re: [clamav-users] [ext] Xls.Malware.Sagent-7132944-0

2020-08-14 Thread Ralf Hildebrandt via clamav-users
* Matt Campbell via clamav-users : > Hello, > > I have an XLSM spreadsheet that ClamAV is detecting malware in. It's popping > up as Xls.Malware.Sagent-7132944-0 and I have not been able to find any > information related to this definition. Can anyone shed some light on what > this relates to? # s

[clamav-users] pdf_find_and_extract_objs: Timeout reached in the PDF parser while extracting objects

2020-09-18 Thread Ralf Hildebrandt via clamav-users
In my log I'm seeing a lot of: Sep 18 11:27:34 proxy-cbf-1 clamd[791]: LibClamAV Error: pdf_find_and_extract_objs: Timeout reached in the PDF parser while extracting objects. Sep 18 11:46:45 proxy-cbf-1 clamd[791]: LibClamAV Error: pdf_find_and_extract_objs: Timeout reached in the PDF parser wh

Re: [clamav-users] [ext] Re: Regarding ClamAV code coverage metrics with help of existing unit-test cases

2020-11-26 Thread Ralf Hildebrandt via clamav-users
* Matus UHLAR - fantomas : > On 26.11.20 02:55, Satish Kumar via clamav-users wrote: > > I would like to build the ClamAV software from source code on an ubuntu > > machine > > why? > ubuntu provides clamav itself, integrated. But an old version (last time I looked) > Do you want to take care of

Re: [clamav-users] [ext] Re: Regarding ClamAV code coverage metrics with help of existing unit-test cases

2020-11-26 Thread Ralf Hildebrandt via clamav-users
> > I usually rebuild from a recent debian source (hah!) > > that's what I recommend. > > with changing version to something lower than 0.103 e.g. 0.103~backport > - it gets upgraded to ubuntu-provided version when it's available. Same here. Ralf Hildebrandt Charité - Universitätsmedizin Berlin

Re: [clamav-users] [ext] Re: Scanning memory mapped files

2024-12-05 Thread Ralf Hildebrandt via clamav-users
> I am not using clamonacc. I run my own program that uses fanotify, just like > clamonacc does, and gets list of files that are modified\added. > I send that list to clamscan or clamdscan. A bit like incrond (which uses inotify() ) > The problem is limitation of fanotify which is that "The fano

Re: [clamav-users] [ext] (no subject)

2024-12-17 Thread Ralf Hildebrandt via clamav-users
> kubernetes that run and add log files to /tmp. /tmp is being actively > monitored and must be monitored by clamav. The log file shows these > error messages Where does clamav drop its tempfiles (check the config option "TemporaryDirectory")? I hope it's not /tmp -- Ralf Hildebrandt Charité

Re: [clamav-users] [ext] instream bug

2024-12-18 Thread Ralf Hildebrandt via clamav-users
* Jonathan Lee via clamav-users : > instream(local): vhxtdQ.sigs.InterServer.net.SHA256.21881.UNOFFICIAL FOUND # sigtool --find-sig=vhxtdQ.sigs.InterServer.net.SHA256.21881 [interserver256.hdb] 90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21:17174:vhxtdQ.sigs.InterServer.net.SHA2

Re: [clamav-users] [ext] interserver issues Question

2025-04-22 Thread Ralf Hildebrandt via clamav-users
* Jonathan Lee via clamav-users : > Hello fellow Squid Users can you please help? > > Is anyone else seeing issues with this link right now? Clam AV sees it as a > virus and it is the signatures ... I keep getting this error on the browser.. > > SquidClamav 7.2 : Virus detected! > __

Re: [clamav-users] [ext] survey: is clamav-1.4.3 stable?

2025-06-25 Thread Ralf Hildebrandt via clamav-users
* A. Schulze via clamav-users : > today I updated my clamav instances from 1.4.2 to 1.4.3 > In the last hours 4 machines died unexpectedly and required a reboot. > > I can't say for sure that clamav was the reason and would like to ask others > about operational experiences after updating to 1.4.