Re: [Clamav-users] Need help with additional setup

2009-06-17 Thread Sarocet
Jonn Taylor wrote: > I have been using clamav for several years and it's been working well. > Recently a lot of emails have been getting through with viruses and > trojans. I am using CommuniGate Pro with the CGPAV filter to send the > email to be scanned. Are there any additional databases or co

Re: [Clamav-users] false positives for

2009-06-17 Thread Sarocet
George Geller wrote: > Recently, the scan has been giving me: > > sda1/Program Files/Microsoft Office/Office12/EXCEL.EXE: > W32.Virut.Gen.D-163 FOUND > sda1/Program Files/Microsoft Office/Office12/excelcnv.exe: > W32.Virut.Gen.D-163 FOUND > sda1/WINDOWS/SoftwareDistribution/Download/754e3b95d1b56

Re: [Clamav-users] question about Clamav anti virus for old mac OS 9.2

2009-06-23 Thread Sarocet
G.W. Haywood wrote: > Third, ClamAV _can_ be used to scan files on a machine. But that's > all it really does, it scans them and tells you if it thinks any of > them might be infected. That doesn't sound to me like what you want. > I think you want something that will 'disinfect' them. ClamAV do

Re: [Clamav-users] Yet more clubbing of deceased equine.

2010-04-25 Thread Sarocet
Simon Hobson wrote: > If anyone was running an old enough 0.95 version, then their software > wouldn't have died, they would have seen update errors in their logs, > and the fix would have been to change just one or two hostnames in > their freshclam.conf. The new hostname updates would still hav

Re: [Clamav-users] No debian woody support anymore?

2010-04-27 Thread Sarocet
Nathan Gibbs wrote: > Here is what I absolutely do not like about this or agree with. > > The very possibility of there being a kill sig. One specially crafted sig > could kill the virus protection on every server & workstation in our company. > > Allowing the ClamAV Team to remotely nuke a level

Re: [Clamav-users] Reload process

2010-05-24 Thread Sarocet
Török Edwin wrote: > A simpler form of this is already implemented in 0.96 :) > > If a file is determined to be clean, its MD5 is added to an in-memory cache. > When scanning a new file, its MD5 is computed and looked up in the > cache. If found, it is considered clean. > On DB reload the entire ca

Re: [Clamav-users] Reload process

2010-05-24 Thread Sarocet
Tomasz Kojm wrote: > On Mon, 24 May 2010 22:22:46 +0200 Sarocet wrote: > >> Create two files with a colliding md5. One is innocuous, the other is >> infected. >> Send the clean one first. clamav will note it is clean and cache the md5. >> > The cache also

Re: [Clamav-users] Reload process

2010-05-24 Thread Sarocet
Tomasz Kojm wrote: > These are poor examples, which are almost identical (only 6 bytes > differ). Now, take a notepad.exe and create a malicious file with the > same file size and MD5. > > Thanks, > Read again the scenario. Both files are created by the attacker. When the AV marks as clean the

Re: [Clamav-users] Reload process

2010-05-25 Thread Sarocet
Tomasz Kojm wrote: > This scenario does not make much sense to me. First of all, as I wrote in the > previous email, the files you provided as examples are almost identical > (they only differ in the high nibbles of six bytes) and they share the same > "payload", this means that both of them should be detecte
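The scenario argued over in this thread (a clean-verdict cache keyed by a content hash, a clean/malicious pair that share that key, clean one sent first) as an added example, not ClamAV's code and not a model of whatever extra checks the real cache performs. Because crafting genuine MD5 collisions needs a chosen-prefix collision tool, the "weak" key here is a 16-bit truncation of MD5, chosen only so that a colliding pair can be brute-forced offline; the file contents and the malicious marker are constructed stand-ins for a signature hit. The structural point is unchanged: a verdict cached under a key the attacker can collide turns the collision into a scan bypass, and a collision-resistant key closes it.

```python
# Added example (not ClamAV's code): toy model of a clean-verdict cache keyed
# by a content hash.  weak_hash() is a 16-bit truncation of MD5 so that a
# colliding pair can be found offline; MALICIOUS_MARKER and the file bodies
# are constructed.
import hashlib

MALICIOUS_MARKER = b"<<CONSTRUCTED-MALICIOUS-MARKER>>"  # stands in for a signature hit


def weak_hash(data: bytes) -> str:
    """Stand-in for a collision-prone hash: only 16 bits of MD5."""
    return hashlib.md5(data).hexdigest()[:4]


def strong_hash(data: bytes) -> str:
    """Collision-resistant cache key: full SHA-256."""
    return hashlib.sha256(data).hexdigest()


class CachingScanner:
    """Scans files and remembers the key of every file found clean; a later file
    with the same key is reported clean without being scanned (the behaviour
    under discussion)."""

    def __init__(self, keyfn):
        self.keyfn = keyfn
        self.clean_keys = set()
        self.full_scans = 0

    def scan(self, data: bytes) -> str:
        key = self.keyfn(data)
        if key in self.clean_keys:
            return "clean (cached)"        # no signature matching at all
        self.full_scans += 1
        if MALICIOUS_MARKER in data:
            return "infected"
        self.clean_keys.add(key)
        return "clean"


def find_colliding_pair(keyfn, benign_prefix, malicious_prefix, limit):
    """Birthday-style search for a benign file and a malicious file that share
    a cache key.  Returns (benign, malicious), or None if none within limit."""
    benign_by_key = {}
    for n in range(limit):
        suffix = n.to_bytes(4, "big")
        benign = benign_prefix + suffix
        benign_by_key.setdefault(keyfn(benign), benign)
        malicious = malicious_prefix + suffix
        hit = benign_by_key.get(keyfn(malicious))
        if hit is not None:
            return hit, malicious
    return None


def attack(keyfn, limit=100_000) -> str:
    """The thread's scenario: scan the clean twin first (verdict gets cached),
    then the malicious twin.  Returns the verdict on the malicious twin."""
    pair = find_colliding_pair(
        keyfn, b"MZ benign helper ", b"MZ " + MALICIOUS_MARKER + b" ", limit)
    if pair is None:
        return "no collision found"
    benign, malicious = pair
    scanner = CachingScanner(keyfn)
    assert scanner.scan(benign) == "clean"   # cached under the shared key
    return scanner.scan(malicious)


if __name__ == "__main__":
    print("16-bit key: ", attack(weak_hash))     # clean (cached): bypass
    print("SHA-256 key:", attack(strong_hash))   # no collision found
```

With the weak key the malicious twin is never scanned at all; with SHA-256 the search gives up, which is the property a verdict cache needs from its key. Scanning the malicious twin on its own, without the primed cache, still reports it infected, which is why the order of delivery matters in the scenario.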

Re: [Clamav-users] Reload process

2010-05-25 Thread Sarocet
Tomasz Kojm wrote: > Sarocet wrote: > >> What if it's an autoextracted file? ClamAV detects the inner compressed >> virus >> but not the executable heading. >> > I don't get it.. if ClamAV detects a virus in any extracted file it > mark

Re: [Clamav-users] invalid magic number in header

2010-05-26 Thread Sarocet
Török Edwin wrote: > On 05/25/2010 10:50 PM, Blackburn, Marvin wrote: > >> I started getting this a couple of weeks ago and can't seem to find out >> what is causing it >> >> >> >> LibClamAV Warning: Incorrect magic number in optional header >> >> > Looks like a PE executable that is neit

Re: [Clamav-users] Problem with lha, lzh, uuencode and pgp files

2010-06-10 Thread Sarocet
DAVID BERTHIAU wrote: >> None of the AVs detect that (and none should, it is an encrypted file): >> http://www.virustotal.com/analisis/21c94279acf534fe49c32289dbe22cff12ec1006b09ef2e6ac31066e2d943cfb-1276179996 >> > Sorry, but I do not agree with you because my current system (trend micro >

Re: [Clamav-users] TK53 Advisory #2: Multiple vulnerabilities in ClamAV

2007-12-31 Thread Sarocet
Chris wrote: Saw this link at SANS today, anything to it? http://seclists.org/fulldisclosure/2007/Dec/0625.html Or is this a rehash of something already known about I'm not a clam developer, but here's my view about them: It lists three "vulnerabilities" 1- cli_gentempfd is vulnerable to a r

Re: [Clamav-users] TK53 Advisory #2: Multiple vulnerabilities in ClamAV

2008-01-01 Thread Sarocet
Ed Kasky wrote: > At 06:07 AM Monday, 12/31/2007, you wrote -=> > >> Chris wrote: >> >>> Saw this link at SANS today, anything to it? >>> >>> http://seclists.org/fulldisclosure/2007/Dec/0625.html >>> >>> Or is this a rehash of something already known about >>> >> I'm attaching a patc

Re: [Clamav-users] TK53 Advisory #2: Multiple vulnerabilities in ClamAV

2008-01-02 Thread Sarocet
Steve Holdoway wrote: > IME patches always get mangled if included in an email, tabs to spaces, etc. > Putting it in an attachment keeps the internal formatting and usually works. > > Just my $0.02, > > Steve > It was sent as an attachment, but inline in Ed Kasky's reply. Some e-mail clients will show

Re: [Clamav-users] Official kubuntu 7.10 and wubi-cdboot.exe

2008-01-08 Thread Sarocet
Davide wrote: > Hi, I am a little surprised because clamav finds a virus (Adware.Fakealert-21) > in > the wubi-cdboot.exe of the official kubuntu-7.10-desktop-i386.iso > > My question is: > > A) Is it a false positive? > B) Is it a sad case? > > Does anyone obtain the same result? With another an

Re: [Clamav-users] What's this? I can't believe it!

2008-01-20 Thread Sarocet
Dennis Peterson wrote: > Nobody has actually tested the files to see if they are Windows executables > that I've > seen. It is entirely possible they could be Linux executables. File > extensions don't > mean much on a Linux system but it seems from this thread a great way to pass > around >

Re: [Clamav-users] What's this? I can't believe it!

2008-01-21 Thread Sarocet
Dennis Peterson wrote: > > Some of us run mail equipment that sits in front of very large corporations > and it is > incumbent upon us to know what we have so we don't have to make excuses later. > > And some people, not you or I of course, are idiots and will do what ever is > possible > to he

Re: [Clamav-users] Virus in clamav-0.92.1.tar.gz detected

2008-02-20 Thread Sarocet
Svetlana V.Vyslanko wrote: > NOD32 detected virus Win32/Statik in clamav-0.92.1.tar.gz > Win32/Statik is a heuristic signature. It's probably detecting some signatures in the clamav package.

Re: [Clamav-users] Memory usage for clamd is huge

2008-03-30 Thread Sarocet
Dennis Peterson wrote: > I think he's suggesting that he'd prefer you not mail him because of > your idiot policy on outgoing virus scanning. I agree with him. I'm sure > I'm not the only one who would blacklist you right now because of your > policy if we knew your outgoing smtp IP. > Scanni

Re: [Clamav-users] WARNING: Suspicious recipient address blocked

2008-04-14 Thread Sarocet
Michael Brown wrote: > The | character is not allowed in any e-mail address because it's a Unix > shell reserved character. > > Here's a list right off the top of my head that are usually > blocked/disabled by just about every MTA out there. > >1. Control Characters >2. Space >3. ! >

Re: [Clamav-users] No supported Database

2008-04-16 Thread Sarocet
Brian Morrison wrote: > Dennis Peterson wrote: > >>> Yes, I realise that. I run clamd under user clamav, hence it's probably >>> easier to access /var/lib/clamav/* than it would be if owned by root. >>> >> Why would that be? It is no more work to crack the root account than any >> other

Re: [Clamav-users] List

2008-05-01 Thread Sarocet
Andy Loates wrote: > Is this list still alive? > > Last post received on 7/4/08. > > No monthly email reminder today. > > Checked website, my user options for this list all seems ok. > > Hope to hear from someone! > > Andy Loates > CCing you as it seems you don't receive from the list. Yes, it's

Re: [Clamav-users] Linux Virus on Vista VM

2008-05-15 Thread Sarocet
[EMAIL PROTECTED] wrote: > Hello, > > This is the virus that is found by ClamXav on Vista VM. McAfee does not find > it. It is only found by ClamXav. When I search the web for the string > nothing turns up. So someone please tell me what is this virus? Where does > it come from? Can it do any h

Re: [Clamav-users] Freshclam not terminating correctly

2008-06-01 Thread Sarocet
Robert Blayzor wrote: > I've been noticing a problem for quite some time now on our mirror > server. (I posted this issue to the devel list, but there have been no > responses). > > I'm noticing some buggy client behavior that seems it's from freshclam > clients. Over time on our mirror we n

Re: [Clamav-users] Malformed database problem

2008-08-08 Thread Sarocet
Chambers, Phil wrote: > I have looked at the source code and there are numerous places where it > detects problems with signature, but they all generate the same failure > message: "Malformed database". > > It is going to take me a very long time to patch the code to make it > generate different er

Re: [Clamav-users] Malware Scanning and blocking

2008-08-27 Thread Sarocet
Sain, David J. wrote: > I want to setup a linux box with smoothwall, ipcop or some other > opensource internet security application (preferably linux based) at > home, but don't know how ClamAV might handle things like Antivirus 2008 > that make fraudulent claims and are considered malware. > > I

Re: [Clamav-users] ClamAV 0.94 build problem on Cygwin

2008-09-02 Thread Sarocet
René Berber wrote: > "serious problems" ? Only problem is the test I mentioned, passing a > file descriptor is not supported under Cygwin as far as I know. > I have no cygwin experience, but Windows *does* allow passing file descriptors to a child process. Not in the same way as unix, but I'd fi

Re: [Clamav-users] PUAs

2008-09-15 Thread Sarocet
Tilman Schmidt wrote: >>> Sub-Type: IRC >>> Description: IRC server based programs/malware > I don't use IRC myself, but respectable people keep telling me > that it's not for bad guys only, there are legitimate uses for > it, and I should try it myself to see. So I am a bit reluctant > to declare

Re: [Clamav-users] How important are file extensions?

2008-09-25 Thread Sarocet
Tilman Schmidt wrote: > Roberto Ullfig wrote: > >> We'd like to rename the attachments with another suffix, >> one that will never be used for an application (present or future). Does >> anyone know if a standard suffix has been created for just this purpose? >> > > Such a suffix does

Re: [Clamav-users] Handling of unknown configuration lines (was Re: Stop it!)

2008-10-04 Thread Sarocet
Aecio F. Neto wrote: > I don't agree with that, but let me put another option: > 1) Break on unknown options > 2) Ignore obsolete options and warn OP > > If any Op (or poor user) adds an option like > PleaseClamAVCleanInfectedFilesForMe yes > and expects it to work, are you really sure that the sof

Re: [Clamav-users] ClamAV Webinar on 4th March

2009-02-21 Thread Sarocet
Nigel Horne wrote: > s...@softhome.net wrote: >>> For further details, including how to listen to the broadcast and >>> Alain's biography, please visit >>> http://www.clamav.net/2009/02/09/clamav-users?-webcast/ >>> > > >> Please check the above link. There seems to be a problem with it.

Re: [Clamav-users] Signatures for documents exploiting CVE-2009-0658?

2009-03-14 Thread Sarocet
Adam Stephens wrote: > The other day we got mailed a wave of PDF files aimed at exploiting > CVE-2009-0658. > > Does anyone have working generic signatures for documents with this > exploit in? I've made an MD5 signature* for the particular document we > got, & submitted it, but I know there are

Re: [Clamav-users] ClamAV and VirusTotal

2009-03-19 Thread Sarocet
Julio Canto wrote: > Paul Whelan wrote: > >> must be the clamwin version then which is a >> strange 'official >> channel'. >> > > Hi again, > You're wrong assuming that, therefore you should not accuse us of using > 'strange official channels'. All engines and

Re: [Clamav-users] Update to the signatures.pdf

2009-03-26 Thread Sarocet
Nathan Brink wrote: > There is an option for echo that removes the linefeed: > ohnobi...@ohnopublishing ~/html/anindex $ echo -n "How do I look in > hex?" |sigtool --hex-dump > 486f7720646f2049206c6f6f6b20696e206865783f > > There is no reason to, but I prefer echo to printf. Maybe because printf
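The two signature forms that come up in the CVE-2009-0658 thread (an MD5 signature for one specific document) and in this signatures.pdf thread (turning a string into the hex form `sigtool --hex-dump` prints), as an added example that is not ClamAV's code. It builds an `.hdb` line (`MD5:FileSize:MalwareName`) and an `.ndb` line (`MalwareName:TargetType:Offset:HexSignature`) and checks both against a constructed, PDF-looking byte string; the `/JBIG2Decode` pattern is there only to illustrate the format, since that filter name appears in legitimate PDFs too and would not by itself be a usable signature for the exploit.

```python
# Added example (not ClamAV's code): build the two signature line formats
# discussed above and check them against constructed sample data.
#   .hdb line   MD5:FileSize:MalwareName
#   .ndb line   MalwareName:TargetType:Offset:HexSignature
# hex_dump() yields the same hex as `echo -n "..." | sigtool --hex-dump`.
import hashlib

# Constructed sample: a minimal PDF-looking byte string, not a real exploit document.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Filter /JBIG2Decode /Length 4 >> stream\n"
              b"ABCD\nendstream\nendobj\n%%EOF\n")


def hex_dump(data: bytes) -> str:
    """Lower-case hex of every byte, the form ClamAV body signatures use."""
    return data.hex()


def hdb_line(sample: bytes, name: str) -> str:
    """Hash signature for exactly this sample: any changed byte, or a different
    size, and it no longer matches."""
    return f"{hashlib.md5(sample).hexdigest()}:{len(sample)}:{name}"


def ndb_line(name: str, pattern: bytes, target: int = 0, offset="*") -> str:
    """Body signature; target 0 = any file type, offset '*' = anywhere in the file."""
    return f"{name}:{target}:{offset}:{hex_dump(pattern)}"


def match_hdb(line: str, data: bytes):
    """Return the signature name if data has the recorded size and MD5, else None."""
    md5, size, name = line.split(":")
    if len(data) == int(size) and hashlib.md5(data).hexdigest() == md5:
        return name
    return None


def match_ndb(line: str, data: bytes):
    """Plain-substring matcher for a hex body signature (no ??/*/{n} wildcards);
    trailing :MinFL:MaxFL fields, if present, are ignored."""
    name, _target, offset, rest = line.split(":", 3)
    pattern = bytes.fromhex(rest.split(":")[0])
    if offset == "*":
        return name if pattern in data else None
    start = int(offset)
    return name if data[start:start + len(pattern)] == pattern else None


if __name__ == "__main__":
    print(hex_dump(b"How do I look in hex?"))
    print(hdb_line(SAMPLE_PDF, "Exploit.PDF.Sample-1"))
    print(ndb_line("PDF.JBIG2.Marker", b"/JBIG2Decode"))
    print(ndb_line("PDF.Header", b"%PDF", offset=0))
```

The hash line is the cheap per-sample signature the CVE thread describes: it catches exactly the document that was mailed and nothing else, which is why the poster went on to ask for a generic body signature. The body-signature matcher here handles only a literal byte pattern at a fixed offset or anywhere; ClamAV's own format also supports wildcards, which this toy does not.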

Re: [Clamav-users] Anomaly when scanning a tar.gz file

2009-04-05 Thread Sarocet
Paul Kosinski wrote: > 09:51:08 u...@host:~/src/openssl> clamscan -ri openssl-0.9.8k/ > > --- SCAN SUMMARY --- > Known viruses: 537879 > Engine version: 0.95 > Scanned directories: 134 > Scanned files: 2003 > Infected files: 0 > Data scanned: 13.86 MB > Data read: 12.99 MB (ratio 1.