David Shrimpton | 14 Apr 01:27 2016

yara #match does not work with regex

Using #match as a condition in a yara rule to
count the occurrences of $match doesn't appear to
work where $match is a regex.
#match only appears to work if $match is a string literal
eg "abc123"

Is #match intended to work with a regex?

-- 
David Shrimpton
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Krishnakumar Nair | 13 Apr 20:39 2016

Re: Error in Make - How to get patch 59d05bf.patch

We have found a mailer  <at> 
http://www.gossamer-threads.com/lists/clamav/users/59376

Please share how we can get the patch (#59d05bf.patch)

Regards,
kk

On Wed, Apr 13, 2016 at 11:59 PM, Krishnakumar Nair <krnair.kk <at> gmail.com>
wrote:

> Thanks for the update Steve. But it's an error again with gcc in make.
>
> Please share your valuable inputs.
>
> clam build 0.98/Aix6.1/gcc4.8.3
> Error --
> mbox.c: In function 'rfc1341':
> mbox.c:2816: error: called object '1' is not a function
> make: The error code from the last command is 1.
>
>
> Regards,
> kk
>
> On Wed, Apr 13, 2016 at 7:57 PM, Steven Morgan <smorgan <at> sourcefire.com>
> wrote:
>
>> Hi,
>>

Alex | 13 Apr 17:20 2016

winnow FP

Hi,

I don't understand why themastersbaker.com would be tagged?

# sigtool --find-sigs winnow.spam.ts.untyped.966134 | sigtool --decode-sigs
VIRUS NAME: winnow.spam.ts.untyped.966134
TARGET TYPE: MAIL
OFFSET: *
DECODED SIGNATURE:
http://themastersbaker.com/

This isn't currently on any other blacklist. Is this the proper
address to request a winnow removal?

I've already whitelisted it.
Thanks,
Alex

kionez | 13 Apr 15:07 2016

Strange problem with custom Yara rule

Hi,

I'm going mad with a strange behaviour of clamav with custom yara rules.

I'm trying to match some nasty spam email. I decided to use yara for my
custom rules, but I noticed a problem: if I use only a string, clamav
(either via clamscan or clamdscan) matches all of the email (text +
headers), but if I use a regex it only matches the email's text.

For example:

	$mail_header = /X-Mailer: PHPMailer 5\.2\./

doesn't match, but:

	$mail_header = "X-Mailer: PHPMailer 5.2."

matches. I tried to "reduce" the match to only "ailer", but the
situation doesn't change, even when appending a "nocase" flag.

Am I wrong, or is there something strange? :)

k.


kk nair | 13 Apr 14:13 2016

ClamAV/AIX6.1/gcc4.8.3 - openssl error -X509_VERIFY_PARAM_new missing

Hi team,
Please suggest workarounds for this issue.
We are unable to proceed with installation.

checking check.h usability... no
checking check.h presence... no
checking for check.h... no
configure: unable to compile/link with check
checking for libxml2 installation... not found
configure: ****** libxml2 support unavailable
checking for OpenSSL installation... /usr
checking for SSL_library_init in -lssl... yes
checking for EVP_EncryptInit in -lcrypto... yes
checking for X509_VERIFY_PARAM_new in -lssl... no
configure: error: Your OpenSSL installation is missing the X509_VERIFY_PARAM function. Please upgrade
to a more recent version of OpenSSL.

Regards,
Kk

Krishnakumar Nair | 13 Apr 08:59 2016

Error in Make -

Please share inputs on this issue while we run make after configure.

CCLD libclamunrar_iface.la
CC libclamav_la-matcher-ac.lo
"clamav.h", line 170.3: 1506-191 (E) The character # is not a valid C
source character.
"/usr/include/sys/atomic_op.h", line 123.1: 1506-1419 (W) Pragma mc_func
must appear in global scope.
"/usr/include/sys/atomic_op.h", line 123.1: 1506-224 (W) Incorrect pragma
ignored.
"/usr/include/sys/atomic_op.h", line 126.1: 1506-1419 (W) Pragma mc_func
must appear in global scope.
"/usr/include/sys/atomic_op.h", line 126.1: 1506-224 (W) Incorrect pragma
ignored.
"/usr/include/sys/atomic_op.h", line 129.1: 1506-1419 (W) Pragma mc_func
must appear in global scope.
"/usr/include/sys/atomic_op.h", line 129.1: 1506-224 (W) Incorrect pragma
ignored.
"/usr/include/sys/atomic_op.h", line 132.1: 1506-1419 (W) Pragma mc_func
must appear in global scope.
"/usr/include/sys/atomic_op.h", line 132.1: 1506-224 (W) Incorrect pragma
ignored.
"/usr/include/sys/atomic_op.h", line 137.23: 1506-045 (W) Undeclared
identifier _safe_fetch.
"clamav.h", line 170.1: 1506-046 (S) Syntax error.
make: The error code from the last command is 1.

Stop.
make: The error code from the last command is 1.


Thibault HARTEEL | 12 Apr 16:31 2016

Nagios script

Hello,

I would like to know if the nagios plugin "ClamAV check plugin" is currently available.

And/or how can I check if my product is up to date with a Nagios/Centreon server?

Thanks,

Krishnakumar Nair | 12 Apr 09:49 2016

ClamAV installation - Unable to Compile - AIX/xlC - Blocker issue

Hi Team,
Please shed some light on this issue in the clamav installation.

Please find the config trace for your reference.

Platform :  AIX6.1

xlC version : xlC 12.1.0.5

Config script : ./configure CC=<path to xlC>/exe/xlCcpp

checking for gcc... <path to xlC>/exe/xlCcpp
checking whether the C compiler works... *no*
configure: error: in `<PATH TO CLAM>/clamav-0.99':
configure: error: C compiler cannot create executables
See `config.log' for more details

Regards,
kk

Dan C | 8 Apr 15:35 2016

Freshclam vs the new Main

On Mar 16, 2016, at 11:24 PM, Joel Esler (jesler) <jesler <at> cisco.com> wrote:
> ClamAV Signature Interface maintenance is now complete! New Main.cvd!
> [snip]
> This new main is 109Mb in size, and contains 4 million signatures

I’ve got a flaky connection to the ‘net right now, so Freshclam has totally failed to do any updates
since you rolled out the new main.

eg:
ClamAV update process started at Fri Apr  8 06:15:09 2016
Empty script main-56.cdiff, need to download entire database
nonblock_recv: recv timing out (30 secs)
Trying again in 5 secs...
ClamAV update process started at Fri Apr  8 06:20:47 2016
Empty script main-56.cdiff, need to download entire database
Downloading main.cvd [100%]
ERROR: Verification: Can't verify database integrity
Trying again in 5 secs...
ClamAV update process started at Fri Apr  8 06:21:47 2016
Reading CVD header (main.cvd): OK
Empty script main-56.cdiff, need to download entire database
Downloading main.cvd [100%]
ERROR: Verification: Can't verify database integrity
Giving up on database.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in
/usr/local/clamXav/etc/freshclam.conf is working. Check
http://www.clamav.net/doc/mirrors-faq.html for possible reasons.

Since Freshclam is hurting, I’ve tried to download the main myself with
curl -LOC - http://database.clamav.net/main.cvd <http://database.clamav.net/main.cvd>

Alex | 7 Apr 21:06 2016

Phishing FPs (chase.com, americanexpress.com)

Hi,

This HTML is resulting in an FP with hyatt.com and chase.com:
<a href=3D"http://e.hyatt.com/a/hBXBU6kB8hHSgB9KBuvAATyM-YE/gpgchfaq?MARKET=
ING_CODE=3DHycardSolo16GE1T&RECIPIENT_ID=3DG-G96179703L"
target=3D"_blank" = style=3D"color:#1564a4;
text-decoration:underline;">www.Chase.com/RewardsFA=
Qs</a>.

LibClamAV debug: Phishcheck:Checking url
http://e.hyatt.com/a/hBXBU6kB8hHSgB9KBuvAATyM-YE/gpgchfaq?MARKETING_CODE=HycardSolo16GE1T&recipient_id=G-G96179703L->www.Chase.com/RewardsFAQs
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted:
Heuristics.Phishing.Email.SpoofedDomain

This HTML is resulting in an FP with hilton.com and americanexpress.com:
<a href=3D"http://h1.hilton.com/a/hBXBouxAJZxlvB9L9=
L5ArLZiuwY/hhon28" style=3D"color: #7c7c7c;">AmericanExpress.com/PPterms</a>

LibClamAV debug: Phishcheck:Checking url
http://h1.hilton.com/a/hBXBouxAJZxlvB9L9L5ArLZiuwY/hhon28->AmericanExpress.com/PPterms
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted:
Heuristics.Phishing.Email.SpoofedDomain

I've added two entries to my whitelist.wdb file:
X:.+hilton\.com:americanexpress\.com:17-
X:.+hyatt.com:www.chase.com:17-

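The SpoofedDomain condition and the whitelist.wdb lines from the post above, worked through as an added example (not ClamAV's own code): it decodes the quoted-printable anchor, compares the domain of the link target with the domain named in the visible link text, and then applies the two X: whitelist entries. The two-label domain comparison and searching each regex against the hostname are assumptions that simplify ClamAV's actual behaviour.

```python
import quopri
import re
from urllib.parse import urlparse

# Constructed input: the quoted-printable anchor quoted in the post above.
SAMPLE_QP = (b'<a href=3D"http://h1.hilton.com/a/hBXBouxAJZxlvB9L9=\n'
             b'L5ArLZiuwY/hhon28" style=3D"color: #7c7c7c;">AmericanExpress.com/PPterms</a>')
# The two whitelist.wdb lines from the post: X:RealURL-regex:DisplayedURL-regex:FuncLevelSpec
WDB_TEXT = "X:.+hilton\\.com:americanexpress\\.com:17-\nX:.+hyatt.com:www.chase.com:17-\n"

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def extract_anchors(qp_html: bytes):
    """Undo quoted-printable (=3D, soft line breaks) and return (href, visible text) pairs."""
    html = quopri.decodestring(qp_html).decode("utf-8", "replace")
    return [(h, re.sub(r"<[^>]+>", "", t).strip()) for h, t in ANCHOR_RE.findall(html)]

def host_of(url: str) -> str:
    """Lower-cased hostname of a URL or of a bare 'Domain.com/path' display string."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def looks_like_url(text: str) -> bool:
    return re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I) is not None

def registrable(host: str) -> str:
    """Stand-in for a public-suffix lookup: keep the last two labels (assumption)."""
    return ".".join(host.split(".")[-2:])

def spoofed(href: str, text: str) -> bool:
    """Visible text names a site other than the real target: the SpoofedDomain
    condition, simplified here rather than ClamAV's own URL comparison."""
    return looks_like_url(text) and registrable(host_of(href)) != registrable(host_of(text))

def parse_wdb(text: str):
    """Parse X: (regex) entries; M: (literal) entries are not handled here."""
    return [tuple(re.compile(f, re.I) for f in line.split(":", 3)[1:3])
            for line in text.splitlines() if line.startswith("X:")]

def whitelisted(href: str, text: str, entries) -> bool:
    """Assumption: each regex is searched against the corresponding hostname."""
    return any(r.search(host_of(href)) and d.search(host_of(text)) for r, d in entries)

def verdict(qp_html: bytes, wdb_text: str):
    """One of 'clean', 'whitelisted' or 'SpoofedDomain' per anchor, in document order."""
    entries = parse_wdb(wdb_text)
    return ["clean" if not spoofed(h, t) else
            "whitelisted" if whitelisted(h, t, entries) else "SpoofedDomain"
            for h, t in extract_anchors(qp_html)]
```

Without the whitelist the hilton.com anchor is flagged; with the two X: lines loaded it passes, which is the effect the post is after.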

Rick | 7 Apr 19:25 2016

update

The GUI version will not update. It says there is an update.

What do I do?

Also, the clamav is one version below what is current. What do I need to
do to update it?

Rick Nilson
