Mark Price | 4 Sep 17:23 2014

clamscan and PUA

In the past day we have had clamscan on several servers detect infected
files due to:  PUA.Windows.DoubleExtension-zippwd-3

I've read the clamscan manpage but have not had any luck with getting the
"--detect-pua" option to work.  Example:

# clamscan --detect-pua=no ./sample-msg1.txt
./sample-msg1.txt: PUA.Windows.DoubleExtension-zippwd-3 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3515268
Engine version: 0.98
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.05 MB (ratio 0.00:1)
Time: 9.402 sec (0 m 9 s)

In this case, is the infected file being detected by a PUA that I should be
able to disable with command line option?  Or is "PUA" simply part of the
virus signature name?

Thanks,

Mark
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq


MAYER Hans | 3 Sep 17:46 2014

clamd crashed


Dear ClamAv Users,

In my environment I have 2 external mail gateways in the DMZ, forwarding all e-mails to an internal mail server.
All of them are running Solaris 11 with sendmail and mimedefang as milter.
I have been running this constellation for more than a year very successfully, without any downtime until 2 weeks ago.

Around 2 weeks ago all 3 servers stopped working for mail forwarding because the clamd process core dumped.
At that time I had a beta version of 0.98.4 in use; it was clamav-0.98.4-rc1.
I traced the problem back to the fact that I wasn't using the latest version.
So I upgraded to clamav-0.98.4 and in the same step also mimedefang to the latest version, 2.75.
This is how mimedefang invokes clamd in /usr/local/bin/mimedefang.pl:
$Features{'Virus:CLAMD'}    = ('/usr/local/sbin/clamd' ne '/bin/false' ? '/usr/local/sbin/clamd' : 0);
The system worked stably for 2 weeks.

Yesterday evening I noticed the same problem. A restart didn't help. After a short time clamd crashed again.
As a short-term solution I disabled the virus scanning overnight.
Today I have a stable situation without having changed anything. Of course pattern updates are running.
I assume an ugly attachment crashed the virus scanning process. Now this mail has passed and it's running fine.

I am worried about the fact that the ClamAV solution is becoming more and more unstable.

How can I support the ClamAV team with additional information to reach a stable system again?
What I have is a 305 MB core dump from clamd for the Sparc platform. But I think this will not help.
In the meantime I started clamd with the option --debug.
So far I haven't found any entries in the syslog.

Kind regards
Hans


Gene Heskett | 3 Sep 12:40 2014

False positive for sure

Greetings;

This report from last night's clamscan is absolutely a false positive:
/home/gene/Downloads/Download/DriveWire4_linux_i386.tar.gz: PUA.Misc.DoubleExtension-zippwd-3 FOUND

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS

YSPSC IT | 3 Sep 01:22 2014

PLEASE REMOVE

From this mailing list...

-----Original Message-----
From: clamav-users [mailto:clamav-users-bounces <at> lists.clamav.net] On Behalf
Of Steven Morgan
Sent: Wednesday, September 3, 2014 8:43 AM
To: ClamAV users ML
Subject: Re: [clamav-users] Conflicting structured data detections

Hi Frank,

I've looked at the code. --structured-ssn-format alone does nothing. What is
your result using both --structured-ssn-format and --detect-structured=yes?

Also, I hear you about your regex scan. If you want to open a ticket at
bugzilla.clamav.net and post your file, we can take a look at it.

Thanks,
Steve

On Fri, Aug 29, 2014 at 11:38 AM, Frank Sfalanga Jr. <
Frank <at> csiglobalvcard.com> wrote:

> Hello,
>
> I'm getting conflicting reports of SSN found within log files.  If I 
> use the '--detect-structured=yes' switch I get this result
>
>
> root <at> CSI-app1:/var/log# clamscan -v -i -r --detect-structured=yes

Frank Sfalanga Jr. | 29 Aug 17:38 2014

Conflicting structured data detections

Hello,

I'm getting conflicting reports of SSN found within log files.  If I use
the '--detect-structured=yes' switch I get this result

root <at> CSI-app1:/var/log# clamscan -v -i -r --detect-structured=yes auth.log.3
Scanning auth.log.3
auth.log.3: Heuristics.Structured.SSN FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3513235
Engine version: 0.98.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 1.03 MB (ratio 0.00:1)
Time: 8.369 sec (0 m 8 s)

If I scan using the '--structured-ssn-format=2' switch I get no
detection of the SSN.  Like this:

root <at> CSI-app1:/var/log# clamscan -v -i -r --structured-ssn-format=2 auth.log.3
Scanning auth.log.3

----------- SCAN SUMMARY -----------
Known viruses: 3513235
Engine version: 0.98.1

Shawn Webb | 27 Aug 18:22 2014

Re: clamav 98.4 for SuSE 10

On Wed, Aug 27, 2014 at 11:57 AM, Mario O. Sgattoni <
mario.sgattoni <at> ensi.com.ar> wrote:

> My Clamav update process had notified me that the version 98.4 is the last
> stable version, but I couldn't find it yet at the SuSE repositories. The
> last version there is 98.1.
>
> How long would it take for version 98.4 to be available for SuSE 10?
>
> Thanks and regards.
>
> Mario O. Sgattoni
> E.N.S.I. S.E.
> IT Network Manager (Ext. 2343)
> Ruta 237 - Km. 1278
> Arroyito - Pcia. de Neuquén
> Argentina
> +54-299-4494123

Mario O. Sgattoni | 27 Aug 17:57 2014

clamav 98.4 for SuSE 10

My Clamav update process had notified me that the version 98.4 is the last
stable version, but I couldn't find it yet at the SuSE repositories. The
last version there is 98.1.

How long would it take for version 98.4 to be available for SuSE 10?

Thanks and regards.

Mario O. Sgattoni

E.N.S.I. S.E.

IT Network Manager (Ext. 2343)

Ruta 237 - Km. 1278

Arroyito - Pcia. de Neuquén

Argentina

+54-299-4494123


Rajesh M. | 27 Aug 13:25 2014

sanesecurity file size limit

hi

We are using clamav with qmailtoaster with Sanesecurity. We use foxhole to block any exe file that is zipped
or rar'd.

However, I noted that if such files are over 1 MB then they are not detected.

In my clamd.conf file the size up to which files will be scanned is 30 MB, i.e. the max email size in my SMTP session.

How do we solve this issue?

rajesh


Joel Esler (jesler | 26 Aug 20:56 2014

ClamAV®: The new ClamAV.net is here!


http://blog.clamav.net/2014/08/the-new-clamavnet-is-here.html

For the past several months we've been working diligently on a complete refresh of several Open Source
websites, designs and logos.  The first website we rolled out a refresh of was Snort.org back in June.

At the same time, we've been working hard on ClamAV.net (http://www.clamav.net/).  When the ClamAV
project was acquired in 2003 by Sourcefire (now a part of Cisco), we retained the original website and
hosting provider the website was built on, but we took this opportunity to start from scratch.

As with Snort.org, this wasn't just a facelift for the website, this was a complete
rewrite.  Much of the content you are looking for is the same, for instance the virus submission forms are
still on the site, but we've built some improvements:

  *   Simple Navigation
     *   Much like we tried to do with Snort.org, almost all content on ClamAV.net is one or two clicks away.
  *   Faster
     *   Not only is the site faster to load in the browser, but it is less load on the server side too.
  *   Documentation
     *   We now dynamically load the ClamAV FAQ from Github onto the site.  If someone would like to contribute to the
FAQ, they may do so by submitting a pull request at https://github.com/vrtadmin/clamav-faq, which,
once accepted, will be rendered on the main clamav.net site for all to see.
  *   Elimination of dead links and pages

We really hope that you enjoy the new ClamAV.net, and are looking forward to
hearing your feedback at vrtweb <at> cisco.com!

Please take a look at the new website over at: http://www.clamav.net

G.W. Haywood | 25 Aug 18:56 2014

Re: false positive sample

Hi there,

On Mon, 25 Aug 2014, it was difficult to figure out who wrote:

> Good thing I only use Linux now, where the effectiveness of
> antivirus software isn't too important. I just wish ClamAV
> developers were more attentive to their product, which they haven't
> been since Cisco bought Sourcefire.
> 
> I'd disagree here.  In fact, we've only added to the team since the
> Cisco purchase.  ...

There's a distinction between adding to the team and improving it.

Seems to me I've been reading the same old complaints here on the
ClamAV mailing list for years now.

Good job I only use ClamAV because of the third party databases like
Sanesecurity.

And it would *really* help if the people who use this list learned how
to write to mailing lists.

--

73,
Ged.

Dan McDaniel | 23 Aug 00:26 2014

false positive sample

I submitted a false positive awhile ago -- probably back in May. It
hasn't been fixed yet. Should I submit it again?

Also, on the web form when submitting false positives there is a
check-box that says "notify me". It would seem to imply that you 
might get some kind of notification when your sample had been processed,
but I have never received any notification for any of the samples I've
submitted. What is that check-box for?
