Scott Snow | 3 Mar 04:55 2014

Keeping the ClamAV process open?

I'm working on a MapReduce project using Amazon's EC2. The only bottleneck
I have is that it takes ~35-40 seconds to scan each file, which seems very
high. I'm using a C program as a wrapper for ClamAV, which takes a single
file and the mode. Does anyone know approximately how long it takes to
initialize ClamAV and load the virus db? Would it be possible to just keep
the ClamAV process loaded/running? I've been searching quite a bit, but
haven't found anything so far. If anyone has any other suggestions for
optimization, that would be appreciated as well. I'm not very familiar with
ClamAV.

Thanks.
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
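An added example, not code from the thread: the usual way to stop paying the database-load cost per file is to run clamd once and hand each file to it over its socket with the INSTREAM command, so the wrapper never initializes an engine itself. The socket path, chunk size and the sample replies below are assumptions; the framing (a NUL-terminated `z`-prefixed command, 4-byte big-endian length-prefixed chunks, a zero-length terminator, NUL-terminated reply) is clamd's stream protocol.

```python
import socket
import struct

# Assumed values: the real socket path is whatever LocalSocket says in clamd.conf,
# and a stream longer than clamd's StreamMaxLength is answered with an ERROR reply.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"
CHUNK_SIZE = 8192


def instream_frames(data, chunk_size=CHUNK_SIZE):
    """Encode one file as an INSTREAM request: NUL-terminated command, then
    <4-byte big-endian length><chunk> frames, then a zero-length frame."""
    frames = [b"zINSTREAM\0"]
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        frames.append(struct.pack(">I", len(chunk)) + chunk)
    frames.append(struct.pack(">I", 0))  # zero-length frame ends the stream
    return b"".join(frames)


def parse_reply(raw):
    """Turn a NUL-terminated clamd reply into (verdict, detail).
    Replies look like b'stream: OK\\0' or b'stream: Some.Signature FOUND\\0'."""
    text = raw.rstrip(b"\0").decode("ascii", "replace")
    if text.endswith(" OK"):
        return "OK", None
    if text.endswith(" FOUND"):
        # 'stream: <signature name> FOUND' -> keep only the signature name
        return "FOUND", text.split(": ", 1)[1][:-len(" FOUND")]
    return "ERROR", text  # e.g. 'INSTREAM size limit exceeded. ERROR'


def scan_bytes(data, sock_path=CLAMD_SOCKET):
    """Scan one in-memory file against the engine clamd already has loaded."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):  # 'z' commands get a NUL-terminated reply
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)
```

Throughput is then bounded by clamd's MaxThreads and MaxQueue settings rather than by engine start-up, so those are the values to tune for a MapReduce worker.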
J. W. Andersen | 1 Mar 17:01 2014

No filenames listed by clamscan.

After upgrading from 0.97.6 to 0.98.1 I get the following messages on
the console:

LibClamAV: Warning: SWF: Invalid tag length.
LibClamAV: Warning: SWF: Invalid tag length.
LibClamAV: Warning: SWF: Invalid tag length.
LibClamAV: Warning: SWF: Invalid tag length.
LibClamAV: Warning: fmap:  map allocation failed.
LibClamAV: Error: CRITICAL: fmap () failed.
LibClamAV: Warning: SWF: Invalid tag length.

upon scanning a large linux directory (some 60 GB) with clamscan.

The real problem is that clamscan does not tell me which scanned files
it is actually complaining about, not in sysout and not in syserr. With some
10,000 files in the directory it is impossible for me to find out which
files to correct or get rid of. I can prevent the "Invalid tag length" by
setting --scan-archives to no, but that is hardly a solution if I want
the archives thoroughly scanned.

Can anyone tell me what I shall do to retrieve the names of the
problematic files?

Regards, Joern W. Andersen
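An added example, not from the thread: the LibClamAV warnings carry no file name, but `clamscan -v` prints a `Scanning <path>` line before each file, and `--stdout` routes clamscan's messages to the same stream, so a merged `clamscan -r -v --stdout /dir 2>&1` can be post-processed to attribute each warning to the file that was being scanned. The sample output is constructed; the `Scanning <path>` line format is what clamscan's verbose mode prints in the versions I have used.

```python
import re

# Constructed sample of the merged output of:  clamscan -r -v --stdout /srv/www 2>&1
SAMPLE_OUTPUT = """\
Scanning /srv/www/site1/flash/intro.swf
LibClamAV Warning: SWF: Invalid tag length.
/srv/www/site1/flash/intro.swf: OK
Scanning /srv/www/site1/index.html
/srv/www/site1/index.html: OK
Scanning /srv/www/backup/old.tar
LibClamAV Warning: fmap:  map allocation failed.
LibClamAV Error: CRITICAL: fmap () failed.
/srv/www/backup/old.tar: OK
"""

SCANNING = re.compile(r"^Scanning (.+)$")
MESSAGE = re.compile(r"^LibClamAV (Warning|Error): (.+)$")


def attribute_messages(lines):
    """Map each LibClamAV warning/error to the file clamscan was working on
    when it was printed. Returns {path: [message, ...]} for files that
    produced at least one message; clean files are left out."""
    current = None
    per_file = {}
    for line in lines:
        m = SCANNING.match(line)
        if m:
            current = m.group(1)  # every later message belongs to this file
            continue
        m = MESSAGE.match(line)
        if m:
            key = current if current is not None else "<before first file>"
            per_file.setdefault(key, []).append("%s: %s" % (m.group(1), m.group(2)))
    return per_file


def noisy_files(output_text):
    """Convenience wrapper: the sorted list of paths that produced messages."""
    return sorted(attribute_messages(output_text.splitlines()))
```

Because everything goes through one stream the ordering is preserved; if a build routes library messages elsewhere, the fallback is to invoke clamscan once per file and capture its stderr per invocation.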

Paul Kosinski | 28 Feb 00:43 2014

Re: clamav-users Digest, Vol 113, Issue 18

The blog post concerning OpenSSL being required for ClamAV only has
one reason as to why it might *benefit* ClamAV; the other reasons are
why OpenSSL *itself* is good.

That single reason is:

  "We will be able to provide a better freshclam experience in a
  future release."

What exactly does this mean? (The phrase "freshclam experience" is
marketing speak, not a technical explanation.)

Since adding complexity to a system tends to increase bugs and
decrease security, I am leery of seeing ClamAV become even more
complicated than it already has become.

Paul

On Wed, 26 Feb 2014 12:00:00 -0500
clamav-users-request <at> lists.clamav.net wrote:
> 
> Message: 1
> Date: Wed, 26 Feb 2014 16:08:03 +0000
> From: "Joel Esler (jesler)" <jesler <at> cisco.com>
> To: ClamAV users ML <clamav-users <at> lists.clamav.net>,
> 	"clamav-devel <at> lists.clamav.net"
> <clamav-devel <at> lists.clamav.net> Subject: [clamav-users] Introducing
> OpenSSL as a dependency to ClamAV Message-ID:
> <78E5F452-24F0-4E9D-91AA-5918E42419AC <at> cisco.com> Content-Type:
> text/plain; charset="us-ascii"

Joel Esler (jesler | 26 Feb 17:08 2014

Introducing OpenSSL as a dependency to ClamAV

On Friday last week I put a blog post up about introducing OpenSSL into the ClamAV ecosystem. I wanted to make
sure everyone saw it, so please have a look at the blog post here:

http://blog.clamav.net/2014/02/introducing-openssl-as-dependency-to.html

--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team

Jobst Schmalenbach | 20 Feb 03:27 2014

Error message "outdated version" although "yum list installed" reports correct version of clamav


Hi.

Strange problem indeed:

[root /tmp] #>yum list installed "clamav*"
Loaded plugins: fastestmirror
Installed Packages
clamav.x86_64             0.98-2.el5.rf                         installed
clamav-db.x86_64          0.98-2.el5.rf                         installed
clamav-milter.x86_64      0.98-2.el5.rf                         installed
[root /tmp] #>

[root /tmp] #>su clamav -c /usr/bin/freshclam
ClamAV update process started at Thu Feb 20 12:37:52 2014
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.98 Recommended version: 0.98.1
DON'T PANIC! Read http://www.clamav.net/support/faq

I have checked the following:

 - all configuration files point to the same database directory
 - there is only one binary for each of the clamav things on the system
 - freshclam updates with no problems
 - clamconf reports the correct databases but also:
   Software settings
   -----------------
   Version: 0.98

Any ideas?

Torge Husfeldt | 18 Feb 16:42 2014

Avoid Short-Circuiting on (untrusted) Pattern Match

Hi,

We are scanning webhosting files from a relatively large user base (~5M)
using the clamd engine and signature databases tweaked for the least
possible false positives.

In this context we have 2 use cases which apparently aren't met by the
current implementation.
In both cases the remedy would boil down to stopping clamd from
short-circuiting.
The current logic AFAICT is "on pattern match, report and stop looking",
regardless of which pattern matched.
This means in practice that an "untrusted" pattern could mask a
"trusted" pattern and prevent the more severe action associated with the
trusted pattern from being triggered.
What we would need is to change this behavior (at least for a
configurable subset of patterns) so that the "trusted" pattern match is
always reported regardless of any prior "untrusted" match.

Questions:
Am I the only one having this issue?
Am I missing some configuration-switch?
Would anyone be interested in implementing this?
Can anyone point me to where I would look first if I wanted to implement 
this?

Use Case 1:
"evaluate patterns from third parties"
Our current db only contains a fraction of clamav's official signatures 
and incorporating more of them under the above "0 FP" policy is a pain 

Tsutomu Oyamada | 18 Feb 11:41 2014

about MaxQueue

Hi,

We would like to know when the MaxQueue value in the configuration file has any influence while clamd is scanning.
We are investigating session matters with the following settings.
Can we confirm MaxThreads with the ptree command?
Could you tell us how to confirm the behavior of the configured MaxQueue value?
  MaxThreads 40
  MaxQueue 80
Please find the current clamd.conf attached.

We test clamd by calling it via the socket, using a file scanner program.
The clamd version is 0.98.1, and the platform is System z (s390x).

Thanks,
T.Oyamada
Steve Basford | 17 Feb 22:21 2014

TheMask aka Careto

In case this is useful for system scanning for TheMask aka Careto...

---------------------------- Original Message ----------------------------
Subject: [sanesecurity] new database: malwarehash.hsb
From:    "Steve Basford" <steveb_clamav <at> sanesecurity.com>
Date:    Mon, February 17, 2014 4:00 pm
To:      sanesecurity_announce <at> freelists.org
Cc:      sanesecurity <at> freelists.org
--------------------------------------------------------------------------

New database: malwarehash.hsb
False Positive Risk: low

Description:

Normally hash databases, such as rogue.hdb, have to contain the size and MD5 of a
malware sample in order to match it.

The .hsb database allows the ClamAV engine to match without knowing what
the size of the sample is (with a small speed hit compared to a .hdb).

Currently contains known MD5s of TheMask aka Careto
(Sanesecurity.MalwareHash.TheMask.xxx)

More info:
http://www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab-Uncovers-The-Mask-One-of-the-Most-Advanced-Global-Cyber-espionage-Operations-to-Date-Due-to-the-Complexity-of-the-Toolset-Used-by-the-Attackers

Cheers,

Steve
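An added example, not part of the announcement: a small matcher for ClamAV's hash-signature line format `HashString:FileSize:MalwareName[:MinFLevel]`, which is what .hdb/.hsb files hold. The sample bytes and signature lines are constructed; the size wildcard `*` (hash-only matching, minimum functionality level 73, i.e. 0.98) is the mechanism the announcement's "without knowing the size" refers to, and the matcher shows why it costs a little speed: the size check can no longer skip files before hashing them.

```python
import hashlib

# Constructed stand-in for a malware sample's bytes (a fake MZ header plus filler).
SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed sample body"

# Constructed signature lines. Hash type is recognised by hex length (32 md5,
# 40 sha1, 64 sha256). A size of * means "match on hash alone" (MinFLevel 73).
SIGNATURES = [
    hashlib.md5(SAMPLE).hexdigest() + ":%d:Constructed.Hash.Exact" % len(SAMPLE),
    hashlib.sha256(SAMPLE).hexdigest() + ":*:Constructed.Hash.AnySize:73",
    "d41d8cd98f00b204e9800998ecf8427e:0:Constructed.Hash.EmptyFile",  # md5 of b""
]

HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_hash_sig(line):
    """Split one .hdb/.hsb line into (algorithm, hexdigest, size_or_None, name)."""
    fields = line.strip().split(":")
    if len(fields) < 3:
        raise ValueError("malformed hash signature: %r" % line)
    digest, size, name = fields[0].lower(), fields[1], fields[2]
    algo = HASH_BY_LEN.get(len(digest))
    if algo is None:
        raise ValueError("unsupported hash length in %r" % line)
    return algo, digest, (None if size == "*" else int(size)), name


def match_hash_sigs(data, sig_lines):
    """Return the names of every hash signature that matches `data`.
    Sized signatures are rejected by length before any hashing is done;
    wildcard-sized ones always pay for the hash (the speed hit mentioned above)."""
    hits = []
    for line in sig_lines:
        algo, digest, size, name = parse_hash_sig(line)
        if size is not None and size != len(data):
            continue
        if hashlib.new(algo, data).hexdigest() == digest:
            hits.append(name)
    return hits
```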

pauriem@gmail.com | 14 Feb 03:36 2014

fireclam log

Does anyone please know where there is any documentation on the fireclam plugin
that is supposed to scan all files downloaded through the Firefox browser
using clamav? Specifically I am trying to find out if it can be
configured to produce a log or summary report of scan results,
including a positive confirmation list of files determined to be virus
free ... thanks in advance for any help

Sim | 13 Feb 10:48 2014

Block all "EXE/SRC" or MS-EXE/DLL file

Hello!
In the last weeks/months the unrecognized viruses have been increasing exponentially
(not only for Clamav but for all antivirus).
My idea is to "block" all EXE/SRC (also inside ZIP/RAR).
Executing "clamscan --debug filename" I can see:

- LibClamAV debug: Recognized MS-EXE/DLL file
- Section contains executable code

Which is the best solution/way to block all EXE/executable files?

Thanks!

---
Sim
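An added example, not from the thread: one way to have the engine flag every PE executable (EXE, DLL and SCR are all PE) is a local signature in ClamAV's .ndb format, `MalwareName:TargetType:Offset:HexSignature`, with target type 1 (PE) and the "MZ" header at offset 0. The signature line and sample buffers below are constructed; the toy matcher only implements fixed-offset and `*` offsets, and it leaves file typing and archive extraction (which the real engine does when archive scanning is enabled) out of scope.

```python
import binascii

# Constructed local signature, NOT an official ClamAV signature.
# Fields: name : target type (1 = PE executables) : offset (0 = file start) : hex bytes ("MZ").
BLOCK_PE_SIG = "Local.Block.MSEXE:1:0:4d5a"

# Constructed sample buffers standing in for file contents.
PE_LIKE = b"MZ\x90\x00\x03\x00" + b"\x00" * 58 + b"PE\x00\x00"
ZIP_LIKE = b"PK\x03\x04" + b"\x00" * 26
TEXT_LIKE = b"just some text that mentions MZ later on"


def parse_ndb(line):
    """Split a .ndb line into (name, target_type, offset_field, pattern_bytes)."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return name, int(target), offset, binascii.unhexlify(hexsig)


def ndb_matches(line, data):
    """Toy check of the pattern part of a .ndb signature against raw bytes:
    an absolute offset anchors the pattern there; '*' means anywhere.
    The real engine additionally applies the target-type filter first."""
    _name, _target, offset, pattern = parse_ndb(line)
    if offset == "*":
        return pattern in data
    start = int(offset)
    return data[start:start + len(pattern)] == pattern


def blocked_samples(sig=BLOCK_PE_SIG):
    """Which of the constructed samples the signature would flag."""
    samples = {"pe": PE_LIKE, "zip": ZIP_LIKE, "text": TEXT_LIKE}
    return sorted(k for k, v in samples.items() if ndb_matches(sig, v))
```

A signature only produces a detection; whatever blocks the file (a mail filter acting on clamd's verdict, for instance) is a separate piece of the deployment.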

Anthony Magrone | 12 Feb 19:38 2014

LibClamAV Warning

How can I address the following warning?

/etc/cron.daily/autoclam:

LibClamAV Warning: SWF: Invalid tag length.
LibClamAV info: scancws: Error decompressing SWF file

Regards,
Anthony


