Hello, I have been running ClamAV (clamd) for some time. I decided to upgrade
to 95.2. The configure, make, make install executed without incident. As a test
I tried to execute freshclam and clamscan from the root command-line with the
following error condition:
freshclam: error while loading s
Hello Steve, thanks for the reply. I have read the docs but these are now
sorely missed points. Assuming it is too late to issue the prescribed command
set what is the next course of action to restore clamd? Please advise, David.
Steve Holdoway wrote ..
> On Sun, 2009-09-13 at 13:06 -0500,
cious browser hijack trojan. The
source of this trojan was in all likelihood not from email but from a link
embedded in a normal HTML page. BTW: what is the EICAR test? I will try this
myself. Regards, :-), David.
Alex Davidson wrote ..
> Interesting...if I create a plain text email with the ei
.Vfd00I270080M968444.davidwbrown.name:2,S:
Eicar-Test-Signature FOUND
And, the gadgetry set-up to automatically send email to users with FOUND
signatures did not trigger.
I suppose I need to run ClamAV as daemon and ditch the CRON job.
Thanks, David.
Noel Jones wrote ..
> Alex Davidson wrote:
> > In
Hello, this was just discussed: http://tools.declude.com. Apparently only the
first two on the pull-down menu are of any value. HTH, David.
Madhuri Somavarapu wrote ..
> Hi,
>
> I installed clamav on my machine. I am using it for scanning files not for my
> mail server I wa
ig at: www.menandmice.com. They have
their own resolver. The results follow. I then ran dig again afterwards:
dig @ns1.clamav.net db.us.clamav.net soa
And I then got a good reply
Thanks in advance and please advise,
. Please advise,
David.
aCaB wrote ..
> da...@davidwbrown.name wrote:
> > Hello clam list, recently I have noticed unusual name server warnings (included
> > below). The warnings started on the 7th. I ran dig a few times and the queries
> > only return the root servers (fa
Hello aCaB, since several folks have noticed the same issue including the
incorrect TXT record noted FWIW my 9:17 record displays no dns errors. I will
recheck after 11:17. David.
aCaB wrote ..
> da...@davidwbrown.name wrote:
> > Hello clam list, recently I have noticed unusual na
the freshclam daemon.
Please reply with a more viable solution as I would not want to bound
freshclamd at any kind of regularity.
Thanks, David.
Dennis Peterson wrote ..
> da...@davidwbrown.name wrote:
> > Hello aCaB, thanks for the informative and speedy reply. The command
> &
Hello Dennis, in any case I have it backwards: the freshclam is running as a
daemon and the clamscan is running as a script (cron). How to reverse this?
Thanks, David.
Dennis Peterson wrote ..
> da...@davidwbrown.name wrote:
> > Hello Dennis, thanks for the reply. Though I am far fro
Hello Steve, I found a .PDF @visolve.com that discusses Squid-cache performance
tuning guidelines. I don't have the link :-(. Regards, David.
Steve Holdoway wrote ..
> As per title, it works, but it's just so slow... I've got a quad core xeon,
> 2GB
> and loads of d
ndows install. So far,
I have deleted everything found or viewed as suspicious without incident.
Kurt: thanks for the link.
Regards, David.
Oliver Schwabedissen wrote ..
> On Monday 09 February 2009 Kurt Buff wrote:
>
> > If it were me, I'd submit the file(s) to http://www.virustota
d and HAVP on the
same box. Thanks, David.
Jason Haar wrote ..
> John Horne wrote:
> > On Wed, 2009-02-11 at 09:17 +1300, Jason Haar wrote:
> >
> >> We use the open source HAVP proxy. It supports clamav, sophie, trophie,
> >> and several other commercial AV
Hello, I'm following this thread. I am also considering HAVP. HTH, David.
cas...@gmail.com wrote ..
> On Wed, Feb 11, 2009 at 4:24 PM, Jason Haar wrote:
> > cas...@gmail.com wrote:
> >> Sorry if I was impolite or inconvenient. My english is not good. :-)
> >&g
e correct library setting for the libclamav.
I have clamavd running OK and so I must have the libraries to make all
copacetic. The configure is fairly straightforward but a .configure with-clamav
makes no difference. Please advise, David.
FWIW: I received all 3 a little before 6:00 AM (0600) CDT U.S.
Randal, Phil wrote ..
> No 8996, 8997, or 8998
>
> clamav tweeted "Daily CVD 8998 (sigs: 13223; new: 15) on 16 Feb 2009
> 22-40 -0500" but no sign.
>
> No message on web page, no tweet explaining difficulties, or anything.
>
> Arrrg
that are manageable by a sufficiently capable user.
It is my hope that ClamAV integrated with Squid-cache and ICAP may help me
attain the lofty goal of intrusion detection via: smtp, http, ftp and whatever
other protocol that has been compromised for the purposes of evil.
Regards, David.
Hello Nigel, now I feel bad about that email (actually a rant) I sent you: a
reply to the clam-av.blogspot.com/freshclam virus data acquisition project. If
it makes you feel better someone has already flamed me about the rant email.
Regards, David.
Nigel Horne wrote ..
> Folks,
>
Seems reasonable...
Jose-Marcio Martins da Cruz wrote ..
>
> Hello,
>
> I have two suggestions :
>
> * It could be interesting to add tcp_wrapper (or equivalent - not so
> difficult to code it) support to clamd.
>
> * When running configure, it could be interesting to display a summary
> whe
-running (see
included below). I am running two DNS instances on two different boxes. Any and
all ideas how to debug, please advise, David.
**
10964 0.0 % Mar04 /etc/rc.d/init.d/.libs/lt-clamd start
13993 0.0 % Mar06 /usr/local/bin/freshclam -d
.
What diagnostic can I use on freshclam other than: /var/log/messages? I have
already confirmed my DNS is not broken. If my DNS was broken I probably would
not be able to send this email message. I have re-stated the freshclam.log
error message below. Please advise, David.
ERROR: Can'
Hello Török, clamconf -n was correct but HTTPProxyServer in freshclam.conf
suffered from a case of stuttering fingers. Thanks! David.
Török Edwin wrote ..
> On 2009-03-08 07:12, da...@davidwbrown.name wrote:
> > Hello, freshclam is right: there is no such zone as: daviddwbrown.name. Ho
Hello Erik, the previous replier with the HAVP suggestion is in all likelihood
your best if not easier choice. FWIW: there is also a so-called ICAP solution
which has built in support in squid 3.x. So far I and only one other ML member
have got it to compile and work. In fact I have it deployed a
Hi
I am a new user of clam.
I installed version clamav-0.67-1 as an rpm.
However upon trying to update I get this...
ClamAV update process started at Tue Mar 16 18:42:49 2004
SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
Reading CVD header (main.cvd): OK
ERROR: Can't open new file ./e456f
Hi
Thanks for your help.
However, last night I uninstalled clam, and installed as source.
The real problem is that the first time round I had not read the
instructions properly..doh!
Anyway the problem is now sorted.
Again thanks for your kind help.
David
Krištof Petr wrote:
david wrote
Is it possible to configure clam to filter email via mozilla?
David
]: Leaving directory `/usr/src/clamav-0.74/libclamav'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/src/clamav-0.74'
make: *** [all] Error 2
Any assistance will be greatly appreciated.
Thanks.
-David.
Thanks for that Fajar,
I found Dag's 64 bit rpms and they worked fine.
Interestingly I still couldn't compile from source even using your
suggestion?
Regards,
David.
Fajar A. Nugraha wrote:
David wrote:
Hi,
I'm having problems installing clamav
r/run/clamav/clmilter.sock
echo "Starting sendmail MTA daemon: /usr/sbin/sendmail -L sm-mta -bd -q25m"
/usr/sbin/sendmail -L sm-mta -bd -q25m
echo "Starting sendmail MSP queue runner: /usr/sbin/sendmail -L sm-msp-queue -Ac -q25m"
/usr/sbin/sendmail -L sm-ms
o 0.84) the mc file before
building it to a .cf file. I re-inserted
>>define(`confINPUT_MAIL_FILTERS', `clmilter')
I will take this back out, and see what happens.
david
On Sunday 01 May 2005 14:08, Stephen Gran wrote:
> On Sun, May 01, 2005 at 10:17:03AM +0100, [EMAIL PROTECTE
e.
Thank you,
Please, excuse my poor English.
David R.
___
http://lurker.clamav.net/list/clamav-users.html
+SIMSCAN+RAR V3 SUPPORT
On Tue, May 03, 2005 at 06:18:13PM +0100, Brian Morrison wrote:
> On Tue, 3 May 2005 18:58:48 +0200 in
> [EMAIL PROTECTED] "David" <[EMAIL PROTECTED]>
> wrote:
>
> > I have a problem with .RAR files version 3.
> >
> > "RA
Hello,
I have a problem with an extension .FM6.
Really, this file is an encrypted zip and the clamd says
ASBHCI83.FM6: Input/Output error ERROR
How can I exclude this extension from clamd?
Thank you.
David.
addressed. I searched the archives, but couldn't find anything relating to this.
Thanks.
David Gottschalk
I thought the qmail softlimit could potentially be the problem, but I don't understand
why recreating the viruses.db2 file fixes it. I also tried deleting the viruses.db2 file
and recreating it with freshclam, but that didn't work. Thanks!
David
6/30/03 2:53:43 PM, "Nicholas Chu
shell# clamscan -V
clamscan / ClamAV version 0.54
It happened last Tuesday (6/24).
Thanks!
David
6/30/03 2:50:50 PM, Tomasz Kojm <[EMAIL PROTECTED]> wrote:
>> updating I have in crontab which runs the command "/usr/local/bin/freshclam --quiet
>> -l /var/log/clam-
On Wed, 18 May 2005 12:44:21 +0200
"David" <[EMAIL PROTECTED]> wrote:
>
>
>
> Hello,
>
> I have a problem with an extension .FM6.
> Really, this file is an encrypted zip and the clamd says
>
> ASBHCI83.FM6: Input/Output error ERROR
Upgrade to 0.85
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Trog
Sent: Wednesday, 18 May 2005 13:32
To: ClamAV users ML
Subject: RE: [Clamav-users] Exclude extension from scanning
On Wed, 2005-05-18 at 13:28 +0200, David wrote:
>
>
> But, if I need to exclude an
extension from scanning
On Wed, 2005-05-18 at 13:28 +0200, David wrote:
>
>
> But, if I need to exclude an extension. How do I do it?
Use --exclude, easy when you read the manual.
-trog
>
>
> Hello,
>
> I upgraded my clamav
>
> ClamAV 0.85.1/886/Wed May 18 12:32:36 2005
>
>
> But the problem is not resolved
>
> qmail/simscan/1116416733.717518.2973/AKQLCI35.zip: Input/Output error ERROR
> qmail/simscan/1116416781.176909.3110/AKQLCI35.FM6: Input/Output error ERROR
>
On Wed, 2005-05-18 at 19:03 +0200, David wrote:
>
> Excuse me, but I read the manual and the --exclude option is not present in
> the clamd.
>
You didn't specify you were using clamd. The short answer is to not ask
clamd to scan files you don't want it to.
But, from yo
Hi all,
I notice that in my /usr/sbin folder there are 3 clam related files.
1..clamav-milter
2..clamd
3..clamsmtpd
I am trying to create a filter for evolution to scan for viruses. I was
able to create a filter for spam by pointing to spamc. I presume it is
either one or two above. But which
Thanks for your help. I thought that maybe the message had been lost
amongst the auto reply complaints.
I have used what you supplied.
Again thanks for the help.
On Sat, 2005-06-18 at 04:15 +0200, guenther wrote:
> > I notice that in my /usr/sbin folder there are 3 clam related files.
> >
> >
ime.h"
>
>
> Note: I opened it as case 9054 in ClamAV bugzilla, but now I do not know
> how to delete or close it there as solved.
>
> Best regards,
>
> Zvi
>
> On 01/10/13 21:37, David Raynor wrote:
>
> On Tue, Oct 1, 2013 at 2:31 PM, David Raynor
> wro
-54) (4.1.2)
> CPPFLAGS:
> CFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
> -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
> CXXFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-pro
On Mon, Sep 30, 2013 at 2:43 PM, Eric Shubert wrote:
> The data files were omitted from the source tarball beginning with version
> 0.97.5. I thought that made sense. Now with 0.98 they appear to be back.
>
> Is there any easy/preferred way to "make install" (or "configure") without
> having the
Sebastian,
Al's answer is on the right track. The Heuristic.Broken.Executable alert is
only appearing because your scan has the "detect-broken" flag enabled, and
the scan is detecting what appears to be a broken executable inside that
jar file. Scans of the file without that flag enabled must be r
without having the data files included? I'm packaging clamav-toaster,
>>>> and am obtaining the data files in the %post processing, and I don't
>>>> want them encumbering the rpm.
>>>>
>>>> I poked around the makefiles a bit, but I'
On Fri, Nov 8, 2013 at 8:42 AM, Константин Белозеров wrote:
> ***
> *** clamd did not detect all testfiles correctly!
> ***
>
> SKIP: check5_clamd_vg.sh (exit: 77)
> ===
>
> *** valgrind not found, skipping test
>
> SKIP: check6_clamd_vg.sh (exit: 77)
>
On Fri, Nov 8, 2013 at 10:57 AM, xxdiskoxx2011 . wrote:
> /etc/cron.daily/freshclam:
>
> ERROR: Parse error at line 17: Unknown option UpdateLogFile
> ERROR: NotifyClamd: Can't find or parse configuration file /etc/clamd.conf
On Fri, Nov 8, 2013 at 1:07 PM, xxdiskoxx2011 . wrote:
> I had installed clamav from repo centos 6. I have not found the file
> clamav.conf. this file does not exist. I found freshclam.conf. explain to
> me how I have to make those changes
> On 08/nov/2013 17:58 "David Ra
On Tue, Nov 12, 2013 at 7:14 AM, Andreas Schulze wrote:
> On 12.11.2013 12:59 Andreas Schulze wrote:
> > I found a fantastic fact!
> +1
>
> other samplemessage:
> $ clamdscan falsepositive falsepositive.ok
> /tmp/falsepositive: Worm.Bagle.H-zippwd-1 FOUND
> /tmp/falsepositive.ok: OK
>
>
This warning is related to file map handling. This message will appear when
ClamAV tried to unlock the wrong locked page of the file map. It is a
temporary issue, since the page will be unlocked when the file is closed
and map is unmapped anyway. There is one known issue that can lead to this
warni
On Wed, Dec 11, 2013 at 10:30 AM, Anthony Magrone <anthonymagr...@hamlinandburton.com> wrote:
> I am running the latest release of ClamAV on CentOS 6.4.
>
> The script /opt/server-config/nfs-server/scripts/autoclam-hourly is
> sending an email with the message "LibClamAV Warning: cli_tnef: file
>
I can barely understand the home page. I don't know if I use Unix (I'm using an
iMac).
I was told that ClamAV was the best virus protection, so I signed up … or did I
download?
In any case, every day at the same time my work is interrupted by a report from
Console.
I think the upshot is that
want to unsubscribe.
went to the http listed, no 'unsubscribed' there…
On 20 Dec 2013, at 6:00 AM, clamav-users-requ...@lists.clamav.net wrote:
> Send clamav-users mailing list submissions to
> clamav-users@lists.clamav.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>
On Mon, Dec 23, 2013 at 9:08 AM, gin(e) wrote:
> Hi, i am new here. I refer my email to this thread:
> http://lurker.clamav.net/message/20130929.101600.e8530842.en.html
>
> I got a similar warning message of Jamen McGranahan on every scan that
> cron run. And i like to understand what's happen.
>
On Mon, Dec 23, 2013 at 11:23 AM, gin(e) wrote:
> On 12/23/2013 04:55 PM, David Raynor wrote:
> > ClamAV is scanning the Flash file and is finding a tag that has a length
> > that is too long for the file. This would most commonly occur if file is
> > truncated.
>
>
On Mon, Dec 30, 2013 at 9:47 AM, 黄海涛 wrote:
> Is it right that the signature whose offset is farther is newer in
> main.mdb (main.cvd) or daily.mdb (daily.cvd)?
On Thu, Jan 2, 2014 at 4:24 AM, wrote:
>
>
> Actually, it is right inside the clamav-0.97.4.tar.gz source file, which I
> had downloaded from clamav.net. Path is:
>
> \clamav-0.97.4\clamd\dazukoio.c
>
> - Message from alvarn...@mac.com -
> Date: Thu, 02 Jan 2014 00:11:20 -0800
>
On Mon, Jan 20, 2014 at 4:59 PM, Charles Swiger wrote:
> Hi--
>
> On Jan 20, 2014, at 1:14 PM, Anthony Magrone <anthonymagr...@hamlinandburton.com> wrote:
> > ClamAV is tagging a legitimate email stored on a file server as
> containing a phishing address. Can this file be excluded from scans,
On Wed, Jan 22, 2014 at 10:25 AM, Alex wrote:
> Hi,
>
> On Tue, Jan 21, 2014 at 2:15 PM, Charles Swiger wrote:
> > On Jan 21, 2014, at 10:40 AM, Alex wrote:
> >> I received a number of messages on the 17th that were tagged
> incorrectly with:
> >>
> >> X-Amavis-Alert: INFECTED, message contains
On Mon, Jan 27, 2014 at 10:14 AM, Gene Heskett wrote:
> On Monday 27 January 2014 09:54:13 Gene Heskett did opine:
>
> > On Monday 27 January 2014 08:29:48 Greg Folkert did opine:
> > > On Mon, 2014-01-27 at 07:16 -0500, Gene Heskett wrote:
> > > > Greetings all;
> > > >
> > > > Been on this list
On Tue, Jan 28, 2014 at 7:22 PM, Gene Heskett wrote:
> Greetings all;
>
> Can I use more than 1 --exclude= directive in the crontab entry that runs
> clamdscan?
>
> I am getting quite verbose emails that start out with identifying all the
> reference files it uses. Must be nearly 70 lines of tha
On Sat, Mar 1, 2014 at 11:01 AM, J. W. Andersen wrote:
> After upgrading from 0.97.6 to 0.98.1 I get the following messages on the
> console:
>
> LibClamAV: Warning: SWF: Invalid tag length.
> LibClamAV: Warning: SWF: Invalid tag length.
> LibClamAV: Warning: SWF: Invalid tag length.
> LibClamAV
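The condition behind the "SWF: Invalid tag length" warning, as David Raynor explains above, is a tag whose declared length runs past the end of the data, which is what a truncated Flash file looks like to a parser. The following is an added example, not ClamAV's own code: it walks the tag records of an uncompressed SWF tag stream using the RECORDHEADER layout from the SWF specification (a little-endian UI16 whose upper 10 bits are the tag code and lower 6 bits the length, with a signed 32-bit length following when the 6-bit field is 0x3F) and reports every tag whose length exceeds the bytes remaining. The sample streams are constructed inline; the FWS header, RECT and frame fields that precede the tags in a real file are not parsed here.

```python
"""Walk an SWF tag stream and flag tags whose declared length runs past the
end of the data (the condition behind "SWF: Invalid tag length").

Added example, not ClamAV's own code. Assumes the RECORDHEADER layout from
the SWF specification: a little-endian UI16 whose upper 10 bits are the tag
code and lower 6 bits the length, followed by a signed 32-bit length when
the 6-bit field is 0x3F. Only the tag stream is handled; the FWS header,
RECT and frame fields of a real file are not parsed here.
"""
import struct

SHORT_LEN_MAX = 0x3F   # 6-bit length value meaning "long form length follows"
TAG_END = 0            # End tag terminates the stream


def encode_tag(code, body):
    """Build one tag record (header + body), short or long form as needed."""
    if len(body) < SHORT_LEN_MAX:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<Hi", (code << 6) | SHORT_LEN_MAX, len(body)) + body


def walk_tags(data):
    """Yield (offset, code, length, ok) for each tag header in `data`.

    `ok` is False when the declared length is negative or exceeds the bytes
    remaining after the header; the walk stops there because nothing after
    a bad length can be located reliably.
    """
    pos = 0
    while pos + 2 <= len(data):
        start = pos
        (hdr,) = struct.unpack_from("<H", data, pos)
        code, length = hdr >> 6, hdr & SHORT_LEN_MAX
        pos += 2
        if length == SHORT_LEN_MAX:
            if pos + 4 > len(data):          # the long header itself is cut off
                yield (start, code, None, False)
                return
            (length,) = struct.unpack_from("<i", data, pos)
            pos += 4
        ok = 0 <= length <= len(data) - pos
        yield (start, code, length, ok)
        if not ok or code == TAG_END:
            return
        pos += length


def invalid_tags(data):
    """Return [(offset, code, length)] for every tag with a bad length."""
    return [(off, code, length) for off, code, length, ok in walk_tags(data) if not ok]


# Constructed sample stream: SetBackgroundColor (code 9, 3-byte body), a
# long-form tag (arbitrary code 1 with a 100-byte body) and the End tag.
GOOD = (encode_tag(9, b"\xff\x00\x00")
        + encode_tag(1, b"A" * 100)
        + encode_tag(TAG_END, b""))
TRUNCATED = GOOD[:40]                                          # cut inside the long tag's body
BAD_LONG = struct.pack("<Hi", (1 << 6) | SHORT_LEN_MAX, -1)    # negative SI32 length

if __name__ == "__main__":
    for name, stream in (("good", GOOD), ("truncated", TRUNCATED), ("bad_long", BAD_LONG)):
        print(name, invalid_tags(stream))
```

On the truncated stream the second tag (offset 5) declares 100 bytes with only 29 left, which is exactly the situation the warning reports; a real scanner, like this walker, has to stop at that point because the remaining bytes cannot be trusted as tag boundaries.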
On Thu, Apr 17, 2014 at 12:22 AM, Dennis Peterson wrote:
> On 4/15/14, 7:36 AM, Steven Morgan wrote:
>
>> Good news, it works. We are considering a --warn-on-limit-exceeded option
>> to cover messaging in these types of cases.
>>
>> Steve
>>
>>
>>
>> I've found an interesting inconsistency when s
Alexander,
For libxml2, the configure script is finding and running the xml2-config
script that is part of a typical xml2 install to get the appropriate CFLAGS
and LIBS values to get to libxml2. Your fallback option, if this gets too
complicated, is to simply run configure with --disable-xml and a
with option "--cflags" directly or by calling the
> wrapper script "xml2-config". But this still resulted in the same error as
> described above. Could this mean that the reason for the compilation error
> might not (only) lie in "xml2-config"?
>
>
> Wh
Hi all,
I'm running ClamAV with amavisd-new on a Debian Wheezy server. I update the
server with security and s/w updates weekly, so it's on the latest now for the
distro.
Every Sunday at exactly 9PM EDT (0100 UTC), cron sends me an email that
freshclam.log is locked. Thing is, I'm not running f
ERROR: Problem with internal logger (UpdateLogFile =
/var/log/clamav/freshclam.log).
ERROR: /var/log/clamav/freshclam.log is locked by another process
DC
Just did a wget http://database.clamav.net/daily.cvd and am getting a
daily.cvd dated Aug 28 is there something going on with the servers???
[root@SOMESERVER freshclam]# ls -la
total 90288
drwxr-xr-x 2 root root 4096 Feb 26 10:43 .
drwxr-xr-x 4 root root 4096 Feb 23 15:01 ..
-rw-r--r--
date?
I just did the same operation and pulled this mornings. Can you try again?
> On Feb 26, 2015, at 10:50 AM, Smith, David wrote:
>
> Just did a wget http://database.clamav.net/daily.cvd and am getting a
> daily.cvd dated Aug 28 is there something going on with the servers??
its-unixadm...@fsu.edu (850)644-2591
Information Technology Services Florida State University
-Original Message-
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of
Smith, David
Sent: Thursday, February
out of date?
Which mirror(s) do you suspect to be out of sync?
> On Feb 26, 2015, at 11:14 AM, Smith, David wrote:
>
> Interestingly I just ran it on one more server and got the correct date...
>
> Could it be that the Mirrors at Clamav.net are out of sync?
>
> Th
's worth, works fine here.
On 26.2.2015, 18.14, Smith, David wrote:
> Interestingly I just ran it on one more server and got the correct date...
>
> Could it be that the Mirrors at Clamav.net are out of sync?
>
> Thanks!
>
> Dave Smith
Thank you for pointing it out.
--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Security Intelligence and Research Group
On Feb 26, 2015, at 12:23 PM, Smith, David <drsm...@fsu.edu> wrote:
Looks to be database.clamav.net|150.214.142.
...@lists.clamav.net] On Behalf Of
Jason Haar
Sent: Sunday, March 1, 2015 6:29 PM
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] daily.cvd out of date?
On 27/02/15 08:49, Smith, David wrote:
> Nope .. not yet! :)
Try
wget --header="Pragma: no-cache" http://databas
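Whether a mirror handed back a stale daily.cvd is decided by the header inside the file, not by the Last-Modified date or the listing timestamp, so it is worth reading that header directly. The following is an added example, not freshclam's or sigtool's code. It assumes the documented 512-byte ASCII CVD header, "ClamAV-VDB:<build date>:<version>:<sig count>:<functionality level>:<md5>:<dsig>:<builder>:<build time>", padded with NULs, with the gzipped signature tar following; the header bytes, version numbers and the "now" it compares against are constructed values, not real daily.cvd data.

```python
"""Parse the 512-byte header of a ClamAV .cvd/.cld file and decide whether
the copy is stale compared with a published version number.

Added example, not freshclam's or sigtool's code. Assumes the documented
header line
  ClamAV-VDB:<date>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<stime>
padded with NULs to 512 bytes (the gzipped tar of signatures follows).
All sample headers, versions and timestamps below are constructed.
"""

HEADER_SIZE = 512
FIELDS = ("magic", "date", "version", "sigs", "flevel", "md5", "dsig", "builder", "stime")


def make_header(date, version, sigs, flevel, md5, dsig, builder, stime):
    """Build a CVD-style header for testing (md5 and dsig are placeholders here)."""
    line = ":".join(["ClamAV-VDB", date, str(version), str(sigs), str(flevel),
                     md5, dsig, builder, str(stime)])
    raw = line.encode("ascii")
    if len(raw) > HEADER_SIZE:
        raise ValueError("header line too long")
    return raw.ljust(HEADER_SIZE, b"\0")


def parse_cvd_header(blob):
    """Return a dict of header fields from the first 512 bytes of a CVD.

    Raises ValueError for anything that is not a well-formed CVD header,
    which is also what you get from an HTML error page saved as daily.cvd.
    """
    if len(blob) < HEADER_SIZE:
        raise ValueError("data shorter than a CVD header")
    text = blob[:HEADER_SIZE].rstrip(b"\0 \n").decode("ascii")
    parts = text.split(":")
    if parts[0] != "ClamAV-VDB" or len(parts) != len(FIELDS):
        raise ValueError("not a CVD header: %r" % text[:32])
    hdr = dict(zip(FIELDS, parts))
    for key in ("version", "sigs", "flevel", "stime"):
        hdr[key] = int(hdr[key])
    return hdr


def is_stale(blob, published_version, max_age, now):
    """True if the CVD is older than `published_version` or was built more
    than `max_age` seconds before `now` (both times as unix timestamps)."""
    hdr = parse_cvd_header(blob)
    return hdr["version"] < published_version or now - hdr["stime"] > max_age


# Constructed samples: arbitrary version numbers and build times, not real data.
NOW = 1424962800
FRESH = make_header("26 Feb 2015 09-50 -0500", 20000, 1000, 63,
                    "0" * 32, "placeholder-dsig", "example", NOW - 600)
STALE = make_header("28 Aug 2014 10-43 -0400", 19000, 900, 63,
                    "0" * 32, "placeholder-dsig", "example", NOW - 180 * 86400)

if __name__ == "__main__":
    for label, blob in (("fresh", FRESH), ("stale", STALE)):
        hdr = parse_cvd_header(blob)
        print(label, hdr["version"], hdr["date"], is_stale(blob, 20000, 7 * 86400, NOW))
```

Against a real file, pass open("daily.cvd", "rb").read(512) and, for the published version, the daily version that freshclam itself reads from the ClamAV DNS TXT record; a mirror whose file parses fine but reports a lower version than that record is the out-of-sync case discussed in this thread.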
some troubleshooting, we’ve removed this one from
the mirror pool.
Thanks David.
On Mar 16, 2015, at 9:14 AM, Joel Esler (jesler) <jes...@cisco.com> wrote:
David,
I forwarded this on to the ops team for
unsubscribe
The information contained in this e-mail and in any attachments is intended
only for the person or entity to which it is addressed and may contain
confidential and/or privileged material. Any review, retransmission,
dissemination or other use of, or taking of any action in reliance u
Henrik's right. The simple answer is that ClamAV does not do any "status
for each segment". It scans files, including support for some filetypes
that have to be read back-to-front and using some virus signatures that are
full-file hashes. For that and more, it has to know where EOF is. So even
thou
Thanks for letting us know. We think we see where it's going wrong, so
we'll get that fixed for a future release.
Dave R.
On Thu, Aug 13, 2015 at 10:08 AM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:
>
> On Thu, August 13, 2015 2:20 pm, Paul wrote:
> >
>
> > If I use DatabaseCustomURL
Try using a higher value for MaxAttempts in your freshclam.conf.
Dave R.
On Wed, Sep 2, 2015 at 6:54 AM, VILLARD, Pierre <pierre.vill...@capgemini.com> wrote:
> Hello,
>
> Because of some security requirements I am not authorized to use DNS for
> resolving hostnames. Consequently, in my freshcl
false positive.
If it can't be fixed then some clearer explanation of the OLE2 scanning would be
helpful as it's misleading at present.
--
David Shrimpton
Information Technology Services | The University of Queensland
from badmacro are detected
--
David Shrimpton
Information Technology Services | The University of Queensland
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
or not.
I note the same md5sum:size in winnow_malware.hdb
924d8e14ccb2604effc455e1a584cb80:93184:winnow.malware.135963
Seems like some sort of weird bug exercised by the signature set
in my local databases when scan-ole2=yes.
I'll keep trying to narrow it down.
--
David Shrimpto
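The winnow_malware.hdb entry quoted above has the shape of every ClamAV hash signature: MD5, file size and signature name separated by colons, and the size is part of the signature so that a scanner only hashes files whose size already matches. The following is an added example, not ClamAV's own code, showing how such a database is loaded and matched; it also generates the entry for the EICAR test file that the earlier "Eicar-Test-Signature FOUND" messages on this page refer to. The EICAR string is the public 68-byte test file; SAMPLE_BLOB and the database text are constructed here, and a wildcard size or the SHA-1/SHA-256 .hsb variant are deliberately not handled.

```python
"""Match data against ClamAV-style .hdb hash signatures.

Added example, not ClamAV's own code. Assumes the .hdb line layout
    <md5 hex>:<file size in bytes>:<signature name>
as in the winnow_malware.hdb entry quoted on this page. The EICAR string is
the public 68-byte test file; SAMPLE_BLOB and HDB_TEXT are constructed here.
Wildcard sizes and the SHA-1/SHA-256 .hsb variant are not handled.
"""
import hashlib

EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def hdb_line(data, name):
    """Produce the .hdb entry that matches `data` exactly."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


def load_hdb(text):
    """Parse .hdb text into {(md5, size): name}; blank lines and '#' comments are skipped."""
    sigs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError("line %d: expected md5:size:name" % lineno)
        md5, size, name = parts[0].lower(), parts[1], parts[2]
        if len(md5) != 32 or not size.isdigit():
            raise ValueError("line %d: malformed md5 or size" % lineno)
        sigs[(md5, int(size))] = name
    return sigs


def scan(data, sigs):
    """Return the matching signature name, or None.

    The size is checked first: if no signature has this exact size the hash
    is never computed, which is what the size field in the format is for.
    """
    if len(data) not in {size for _, size in sigs}:
        return None
    return sigs.get((hashlib.md5(data).hexdigest(), len(data)))


SAMPLE_BLOB = b"MZ" + b"\x90" * 30 + b"constructed-sample"   # 50 bytes, made up
HDB_TEXT = "\n".join([
    "# constructed database: one entry quoted from the thread, two generated here",
    "924d8e14ccb2604effc455e1a584cb80:93184:winnow.malware.135963",
    hdb_line(EICAR, "Eicar-Test-Signature"),
    hdb_line(SAMPLE_BLOB, "Constructed.Sample"),
])
SIGS = load_hdb(HDB_TEXT)

if __name__ == "__main__":
    for label, blob in (("eicar", EICAR), ("sample", SAMPLE_BLOB), ("other", b"hello")):
        print(label, scan(blob, SIGS) or "OK")
```

Because the match is on the whole file's hash and size, appending a single byte to a sample defeats it; that is the reason hash signatures are only the cheapest layer of a database, and why the page's other threads are about body-based and heuristic detections rather than this one.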
es however have a --heuristic-scan-precedence equivalent
to HeuristicScanPrecedence from clamd.conf which controls behaviour
of OLE2BlockMacros if file is detected by both Heuristic and real signatures.
Is there a way to turn on the OLE2BlockMacros behaviour with clamscan ?
--
David Shrimpton
I
On Tue, 9 Feb 2016, Steven Morgan wrote:
> David,
>
> I've opened https://bugzilla.clamav.net/show_bug.cgi?id=11498 to
> investigate and track the issue. Plz sign up for an account at
> https://bugzilla.clamav.net and send me the user id and I will CC you on
> the bug. On
encrypted zip or ole2 with macros, differently to files that matched
a real sig, e.g. do logging only instead of discarding.
--
David Shrimpton
a hit on Heuristics.OLE2.ContainsMacros.
--
David Shrimpton
726]: ^
clamd[7726]: fd[14]: Can't parse data ERROR
Any suggestions where to go from here? The error itself seems fairly
straightforward, but these are standard MS Office files, generated by MS
Office, so it's not clear what, if anything, I can change on that
Using #match as a condition in a yara rule to
count the occurrences of $match doesn't appear to
work where $match is a regex.
#match only appears to work if $match is a string literal
eg "abc123"
Is #match intended to work with a regex ?
--
If you run clamscan with "--debug" it will tell you which files it is
loading, even the files inside a cvd or cld file. It will also remark about
which signatures it skips when loading.
You should see these lines within your debug output:
...
LibClamAV debug: daily.ign2 loaded
...
LibClamAV debug
ot sigtool.
clamav appears to still extract the macros and signatures
written against the macro code still work.
--
David Shrimpton
The same problem occurs with .docx which are zip but not with .doc
which are 'CDF V2 Document' which are the OLE2 file itself.
--
David Shrimpton
iscard if a 'real' virus
or just add a warning if only Heuristics.OLE2.ContainsMacros
was returned. Or you could treat unofficial hits with more caution,
e.g. add a warning only, and official hits more aggressively, e.g. discard.
But -z is broken with OLE2, so you must decide to use OLE2BlockMacros
/var/
> drwxr-xr-x 26 root root 4096 Jun 5 02:36 /var/
>
> //
>
> Thanks, David
.
--
David Shrimpton
ening the same pdf.
--
David Shrimpton