Volcy, Georges | 27 Jul 20:11 2015

rpm packages for zlinux

Does clamav provide an rpm package for zlinux?

Georges Volcy
SCADA Engineer - EMS
PSEG Long Island
CNI - EMS Provisioning  & Support
(516) 949-7417(Desk)
(516) 949-7400 (Office)
(516) 492-9773 (Cell)

The information contained in this e-mail, including any attachment(s), is intended solely for use by the
named addressee(s).  If you are not the intended recipient, or a person designated as responsible for
delivering such messages to the intended recipient, you are not authorized to disclose, copy,
distribute or retain this message, in whole or in part, without written authorization from PSEG.  This
e-mail may contain proprietary, confidential or privileged information. If you have received this
message in error, please notify the sender immediately. This notice is included in all e-mail messages
leaving PSEG.  Thank you for your cooperation.
Help us build a comprehensive ClamAV guide:


phoenixcomm | 24 Jul 02:28 2015

just a little help please

I am new to ClamAV so be gentle.
The Tk interface is very nice but I have a problem:
you have only 2 choices, to scan home or everything.
You need to add other dirs as well,
as I have a "public drive" mounted at
mnt/MyData/public, so how do I scan this dir?
And my media is
mnt/MyMedia/media (lots of movies and music).

I have to do this as I use NFS for file sharing and these are my exports

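
Added example for the post above (editor's note, not code from ClamTk or the ClamAV project): when the GUI only offers "home" or "everything", extra mount points such as NFS exports can be scanned from a script with clamscan -r. The script scans every directory given on the command line, keeps the full report per directory, and condenses clamscan's SCAN SUMMARY (the same layout PK pastes further down this page) into one line; clamscan's exit codes (0 clean, 1 something found, 2 error) come from clamscan(1). The report directory and the embedded sample summary are assumptions for the example.

```shell
#!/bin/sh
# scan_mounts.sh: scan extra directories (e.g. NFS exports) with clamscan and
# turn each SCAN SUMMARY into one machine-readable line.
# Added example for this thread, not part of ClamAV or ClamTk.
# Assumes clamscan is on PATH; the report directory below is an assumption.

# Pull "Scanned files: N" and "Infected files: N" out of a clamscan summary
# read from stdin; prints "scanned=N infected=M".
parse_summary() {
    awk '
        /^Scanned files:/  { scanned = $3 }
        /^Infected files:/ { infected = $3 }
        END { printf "scanned=%d infected=%d\n", scanned, infected }
    '
}

# Map clamscan's exit status to a word (exit codes per clamscan(1)):
# 0 nothing found, 1 something found, 2 an error occurred.
status_word() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Recursively scan one directory, keep the full report under $2,
# print a one-line result, and pass clamscan's exit status through.
scan_dir() {
    dir=$1; logdir=$2
    report="$logdir/$(printf '%s' "$dir" | tr '/' '_').log"
    clamscan -r --infected --stdout "$dir" > "$report" 2>&1
    rc=$?
    echo "$dir: $(status_word "$rc") $(parse_summary < "$report")"
    return "$rc"
}

# Constructed summary in the layout clamscan prints, used for a self-check
# on a machine without clamscan (numbers are invented).
SAMPLE_SUMMARY='----------- SCAN SUMMARY -----------
Known viruses: 3898123
Engine version: 0.98.6
Scanned directories: 12
Scanned files: 345
Infected files: 1
Data scanned: 120.00 MB
Time: 6.480 sec (0 m 6 s)'

selfcheck() {
    printf '%s\n' "$SAMPLE_SUMMARY" | parse_summary
}

if [ "$#" -gt 0 ]; then
    logdir=${LOGDIR:-/tmp/clamscan-reports}   # assumed location for full reports
    mkdir -p "$logdir"
    worst=0
    for d in "$@"; do
        scan_dir "$d" "$logdir"
        rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    exit "$worst"   # 1 if anything was flagged, 2 if any scan errored
else
    echo "usage: $0 /mnt/MyData/public /mnt/MyMedia/media" >&2
    selfcheck
fi
```

Run it as `sh scan_mounts.sh /mnt/MyData/public /mnt/MyMedia/media`; the exit status is the worst clamscan status seen, so it can drive a cron alert.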


Michael Peter | 24 Jul 00:07 2015

clamd conf questions


I have the following questions about clamd.conf configuration.

#LogRotate yes

How many logs will clamd keep? Because there is no option in the conf
file for how many log files clamd should keep after rotation.

#LogFileMaxSize 2M
Also, in case I set (#LogFileMaxSize 2M), will this enforce LogRotate
yes? And is it possible to set log rotation off in this case, or is that not
possible because #LogFileMaxSize is specified in my conf?

#TCPSocket 3310

What if I do not want clamd to listen on TCP and only on a unix
socket? Should I leave TCPSocket empty? Or how do I achieve this?
And is it wrong to try to disable TCP for clamd?

Inside clamsmtpd.conf
                 [ Default: /var/run/clamav/clamd ]

So should I configure the unix socket in clamd.conf to be
/var/run/clamav/clamd so clamsmtp can connect to clamd? And how do I
achieve this? What do I add to clamd.conf to achieve this?

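
Added example for the questions above (editor's note, not a ClamAV tool): a small audit script that reads a clamd.conf and reports what clamd would do with it. It only uses option names that exist in clamd.conf (LogFile, LogFileMaxSize, LogRotate, TCPSocket, TCPAddr, LocalSocket, LocalSocketMode). A line starting with "#" is a comment, so a commented-out TCPSocket means no TCP listener; a unix-socket-only clamd just needs LocalSocket set to the path the client (here clamsmtpd's default /var/run/clamav/clamd) connects to, and clamd refuses to start with neither listener. On the log side, the sample clamd.conf shipped with ClamAV states that LogFileMaxSize 0 disables the size limit and that rotation is always enabled once a limit is set. The two embedded configs are constructed for the example.

```shell
#!/bin/sh
# clamd_conf_audit.sh: report listener and logging settings from a clamd.conf.
# Added example for the thread above, not part of ClamAV.

# Print the value of an active (uncommented) option from a config file.
# Prints nothing if the option is absent or only present as "#Option ...".
conf_value() {
    conf=$1; opt=$2
    awk -v o="$opt" '$1 == o { print $2; exit }' "$conf"
}

# Describe the listeners clamd would open with this configuration.
listener_report() {
    conf=$1
    tcp=$(conf_value "$conf" TCPSocket)
    addr=$(conf_value "$conf" TCPAddr)
    local_sock=$(conf_value "$conf" LocalSocket)
    if [ -n "$tcp" ]; then
        echo "tcp: listening on ${addr:-all addresses} port $tcp"
    else
        echo "tcp: disabled (TCPSocket not set)"
    fi
    if [ -n "$local_sock" ]; then
        echo "unix: $local_sock"
    else
        echo "unix: disabled (LocalSocket not set)"
    fi
    # clamd needs at least one listener; neither set is a misconfiguration.
    [ -n "$tcp" ] || [ -n "$local_sock" ] || echo "ERROR: no listener configured"
}

# Describe logging. Per the sample clamd.conf: LogFileMaxSize 0 disables the
# size limit, and rotation is always enabled once a limit is in effect.
log_report() {
    conf=$1
    file=$(conf_value "$conf" LogFile)
    max=$(conf_value "$conf" LogFileMaxSize)
    rot=$(conf_value "$conf" LogRotate)
    echo "logfile: ${file:-not set}"
    case "$max" in
        "") echo "logsize: LogFileMaxSize not set (clamd default applies)" ;;
        0)  echo "logsize: unlimited (LogFileMaxSize 0)" ;;
        *)  echo "logsize: limited to $max; rotation is forced once a limit is set (LogRotate line: ${rot:-not set})" ;;
    esac
}

# Constructed clamd.conf fragments: the first listens on TCP and a unix socket,
# the second is the unix-socket-only layout matching clamsmtpd's default address.
write_samples() {
    dir=$1
    cat > "$dir/both.conf" <<'EOF'
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 2M
#LogRotate yes
TCPSocket 3310
TCPAddr 127.0.0.1
LocalSocket /var/run/clamav/clamd
EOF
    cat > "$dir/unix_only.conf" <<'EOF'
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
#TCPSocket 3310
LocalSocket /var/run/clamav/clamd
LocalSocketMode 660
EOF
}

audit() {
    echo "== $1"
    listener_report "$1"
    log_report "$1"
}

if [ "$#" -gt 0 ]; then
    for c in "$@"; do audit "$c"; done
else
    tmp=$(mktemp -d)
    write_samples "$tmp"
    audit "$tmp/both.conf"
    audit "$tmp/unix_only.conf"
    rm -rf "$tmp"
fi
```

Run it against the live file with `sh clamd_conf_audit.sh /etc/clamd.conf`; with no arguments it audits the two embedded samples.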

G.W. Haywood | 23 Jul 20:08 2015

Re: offline updates

Hi there,

On Thu, 23 Jul 2015, Phil Dumont wrote:

> I'm considering using clamav on a machine that is not (can not be) on the
> network (any network, not even a local one).

Unless you can give more detail amounting to some sort of a case for
doing this, my immediate reaction would be a little less circumspect
than Mr. Swiger's.  I'd say forget the idea, it's a waste of time,
and it might even be counterproductive.

Firstly, the detection rate that you'll get is likely to be poor for
very recent threats (not least) because your out-of-band updates will
probably be tardy.

Secondly, without any network connection you'll have trouble keeping
the software on this mysterious machine up-to-date, which will mean
that it's rather more vulnerable to attack than it otherwise would be.

Taken together these things lead me to postulate that your non-networked
computer will be more likely to be compromised by things like malicious
files on removable media (precisely the sort of thing you'll be using to
tardily transfer the database updates I suppose), than it would be if it
were networked after all.

But as Chuck says, it's all really up to you.

Out of interest, what operating system will the unsociable computer run?


P K | 23 Jul 16:51 2015

Unable to detect pdf virus

Hi Guys,

I am testing clamav on my local system to detect POST data from the network.
I am a newbie in ClamAV and want to test with real time signatures.

I tested with the Eicar Test Signature and it works fine.

*But ClamAv is unable to detect CVE-2009-4324 with pdf.*

I see the signature is present in daily.cld and if extracted it's present in it.
Gmail is able to detect the same pdf as a virus.

Any help on what is wrong in my ClamAv system and how to fix it.

$ clamscan ~/anti/eicar.com.txt
*/home/pk/anti/eicar.com.txt: Eicar-Test-Signature FOUND*

----------- SCAN SUMMARY -----------
Known viruses: 3898123
Engine version: 0.98.6
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 6.480 sec (0 m 6 s)    <--------------- took 6sec to detect normal

$ clamscan ~/anti_new/virus/exploit.pdf

G.W. Haywood | 22 Jul 18:45 2015

Re: How to clean infection by Docx.Exploit.CVE_2015_1770

Hi there,

On Wed, 22 Jul 2015, JD Ackle wrote:

> I would like to know how can I remove Docx.Exploit.CVE_2015_1770
> from Windows/System32/config/SOFTWARE

As others have said, you might have found a false positive.  You need to
find out if that is the case or not before you do anything else.

If it is not a false positive but a real infection, then the ClamAV
users' mailing list cannot really help you with your question.

ClamAV tells you if it thinks that it has found something.  It is up to
you to decide what to do about it.  You *can* choose to delete files if
they are flagged by ClamAV, but in general that is not recommended; and
as /Windows/System32/config/SOFTWARE is one of Windows' registry files,
it will certainly damage your Windows installation if you delete it.

There are many Internet help sites and similar which can help you with
your question.

Reading the rest of your message tells me that you need something. :)
For self-help I personally recommend MalwareBytes Anti-Malware (MBAM).
If you download it, be careful where you get it from.  Some Websites
have been seen to include malicious software with the download.




Phil Dumont | 22 Jul 18:04 2015

offline updates

I'm considering using clamav on a machine that is not (can not be) on the
network (any network, not even a local one).

I have a few ideas for how to get virus definition updates onto the
machine, but none of them is quite perfect.

All of them start with getting on an online computer and pulling the .cvd
files (main, daily, bytecode) off the net and onto an optical disk, then
sticking that disk into the offline machine.

Then what?

I'd like to use freshclam, just because that's the "official" way to do it.

I get that I can add some DatabaseCustomURL directives to my
freshclam.conf, with file URLs that just point directly to wherever the
optical disk will be mounted.  That works.

The part I haven't figured out yet is if there is any way to get freshclam
*not* to go out on the web to verify the databases.

As far as I can tell, there is no way to tell it to just skip that step,
which is what I would prefer.

Alternatively, is there any way to make it do it locally?

There's PrivateMirror, which would be fine if its value could be a file
URL, but it seems to want a host name to build an http URL out of.  Which
means, for my offline computer, I have to have at least loopback networking
running, and an HTTP server, which I'd rather not do.
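
Added example for the post above (editor's note, not ClamAV's own tooling): the online step freshclam will not skip is asking DNS (DNSDatabaseInfo) and the mirror which versions are current. An offline box can instead verify the .cvd files itself: `sigtool --info FILE` checks the digital signature built into a .cvd with libclamav's own verification and prints a "Version:" line and "Verification OK.", which is enough to refuse tampered media and to skip files that are not newer than what is installed. The script below does that for main, daily and bytecode, installs each newer file atomically, drops a stale .cld that the fresh .cvd supersedes, and asks a running clamd to reload with `clamdscan --reload`. Assumed: sigtool and clamdscan on PATH, the media mount and database paths given on the command line, and the embedded sigtool output used for the self-check.

```shell
#!/bin/sh
# import_cvd_offline.sh: bring .cvd files from removable media into the ClamAV
# database directory without freshclam.
# Added example for the thread above, not part of ClamAV.
# Assumes `sigtool --info FILE` prints "Version: N" and "Verification OK."
# lines, as it does for signed .cvd files.

# Extract the database version from `sigtool --info` output on stdin.
cvd_version_from_info() {
    sed -n 's/^Version: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed only if the output on stdin says the digital signature checked out.
cvd_info_verified() {
    grep -q '^Verification OK'
}

# Compare a candidate version with the installed one: update / same / older.
compare_versions() {
    if [ "$1" -gt "$2" ]; then echo update
    elif [ "$1" -eq "$2" ]; then echo same
    else echo older
    fi
}

# Version currently installed under a base name, or 0 if none.
# An incrementally patched .cld copy is checked before the .cvd.
installed_version() {
    dbdir=$1; base=$2
    for f in "$dbdir/$base.cld" "$dbdir/$base.cvd"; do
        if [ -f "$f" ]; then
            sigtool --info "$f" | cvd_version_from_info
            return
        fi
    done
    echo 0
}

# Import one database: verify the signature on the media, skip unless newer,
# copy atomically, and remove a .cld the new .cvd supersedes.
import_one() {
    src=$1; dbdir=$2; base=$3
    cand="$src/$base.cvd"
    [ -f "$cand" ] || { echo "$base: not on media"; return 0; }
    info=$(sigtool --info "$cand") || { echo "$base: sigtool failed"; return 1; }
    printf '%s\n' "$info" | cvd_info_verified || { echo "$base: signature NOT verified, refusing"; return 1; }
    newv=$(printf '%s\n' "$info" | cvd_version_from_info)
    curv=$(installed_version "$dbdir" "$base")
    case $(compare_versions "$newv" "$curv") in
        update)
            cp "$cand" "$dbdir/.$base.cvd.tmp" && mv "$dbdir/.$base.cvd.tmp" "$dbdir/$base.cvd"
            rm -f "$dbdir/$base.cld"
            changed=1
            echo "$base: $curv -> $newv installed" ;;
        same)  echo "$base: already at $newv" ;;
        older) echo "$base: media has $newv, installed $curv is newer; skipped" ;;
    esac
}

# Constructed sample of sigtool --info output for a self-check without sigtool
# (values are invented).
SAMPLE_INFO='File: daily.cvd
Build time: 23 Jul 2015, 12:00 +0000
Version: 20682
Signatures: 1234
Functionality level: 63
Builder: neo
Verification OK.'

selfcheck() {
    printf '%s\n' "$SAMPLE_INFO" | cvd_version_from_info
}

if [ "$#" -eq 2 ]; then
    changed=0
    for base in main daily bytecode; do
        import_one "$1" "$2" "$base"
    done
    # Tell a running clamd to pick up the new files.
    [ "$changed" -eq 1 ] && clamdscan --reload
else
    echo "usage: $0 /media/cdrom /var/lib/clamav" >&2
    selfcheck
fi
```

Usage: `sh import_cvd_offline.sh /media/cdrom /var/lib/clamav` as a user that may write to the database directory. The versions it compares are the same numbers freshclam prints, so the operator can still see how far behind the island box is.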

JD Ackle | 22 Jul 14:23 2015

How to clean infection by Docx.Exploit.CVE_2015_1770


Currently, ClamAV run from Linux reports Docx.Exploit.CVE_2015_1770 in my Windows 8.1 install, in files:
- pageFile.sys
- Windows/System32/config/SOFTWARE (a piece of the Windows registry)

If I understand it correctly, pageFile.sys works much like a Linux swap, hence basically containing RAM
dumps. After removing the file from the Windows system and booting to it I noticed Windows just made a new
one when needed, as I expected. Thus I am actually using that file as a checkpoint to track whether the
system is clean or not - whether the virus appears in the volatile memory when Windows is run.
When I first noticed the infection, pageFile.sys did not get infected upon a Windows startup without
logging on a user (it would however otherwise, regardless of whether the user was an administrator or a
regular one).

I noticed the infection on Windows/System32/config/SOFTWARE later and moved it to Linux to try and fix it -
even though I was not really sure how to do it. Upon giving up on the latter plan I simply tried booting into
Windows, which failed. Since copying the SOFTWARE file back in, pageFile.sys now becomes infected even if
I don't log on any user.
I presume the reason for this may be that the file lost its Windows permissions upon being copied to my Linux
install and is now world-accessible, thus being run by the system even before an allowed user is logged on...?

On the other hand, I am hesitant to consider this a false positive as ClamAV did detect another virus in my
Windows system:
- Program Files (x86)/Hewlett-Packard/Shared/WizLink.exe: Win.Worm.Tenga-113 FOUND
I don't need that file at all, so I simply deleted it and no further infections of that virus have been detected
since. My Windows install was running considerably slow (especially network-related tasks) before
removing that file and seems to have picked back up on its speed, so I am assuming the said virus was indeed,
at least for the most common use of that system, removed.
However, I'm not sure whether this worm and the Docx.Exploit.CVE_2015_1770 are not related...?


Paul Kosinski | 21 Jul 19:58 2015

Re: Streaming support in ClamD

I'm still using HAVP for HTTP scanning, and it seems to still work OK
with the latest ClamAV (i.e., libclamav etc.).

I hope that ClamAV doesn't become incompatible in a way that can't be
accommodated. (I had to change HAVP's init temporarily due to the
openssl hiccup.)

Paul Kosinski

On Tue, 21 Jul 2015 12:00:01 -0400
clamav-users-request <at> lists.clamav.net wrote:

> > ------------------------------
> >
> > Message: 2
> > Date: Thu, 2 Jul 2015 12:55:54 +0300
> > From: Henrik K <hege <at> hege.li>
> > To: clamav-users <at> lists.clamav.net
> > Subject: Re: [clamav-users] Streaming support in ClamD
> > Message-ID: <20150702095554.GA32277 <at> hege.li>
> > Content-Type: text/plain; charset=us-ascii
> >
> >
> > Let's say you have a zip file. How do you expect ClamAV to scan it
> > packet by
> > packet?  Or any other data really.  I think there are very few wild
> > signatures in database that are allowed to match any position
> > anywhere in a "file".  Only reliable way is to scan a complete
> > file, so it knows the length and can decode it properly etc.
> >

Schubling | 21 Jul 17:39 2015

Clamdscan on centos 7 and Apache


We're trying to use clamav on a centos 7 server in order to scan
directly uploaded files on our web apps (Moodle for example). When
trying to execute a clamdscan from apache, we got this error (the file
belongs to apache:apache and has correct rights, 755)

<?php
exec('/usr/bin/clamdscan --stdout --fdpass /var/www/html/test/filetoscan', $output, $return);
print "<pre>";
print_r($output);

And the return is :

[0] => Failed to parse reply: "No file descriptor received. ERROR"
[1] =>
[2] => ----------- SCAN SUMMARY -----------
[3] => Infected files: 0
[4] => Total errors: 1
[5] => Time: 0.000 sec (0 m 0 s)

Of course, if we try to do it directly through the command line, we have
the same error..

Jörg Stephan | 21 Jul 16:55 2015

HackingTeam hashes

Hi there,

I guess you know that a team has released a tool to check for HackingTeam
files. They provided a test tool including the file hashes of the files.

As I seem to be "under"-skilled to create a database for this, I will
hand this over to you... maybe you can do better than I can.



Joerg Stephan
IDSBlog: http://sendmespamids.blogspot.nl/
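
Added example for the post above (editor's note, not ClamAV's own tooling): ClamAV's hash database format is one line per file, MD5:FileSize:MalwareName in a .hdb file (SHA1/SHA256 hashes go in a .hsb with the same layout), and `sigtool --md5 FILE` already prints "md5:size:filename", so building a database from a directory of samples is a rename of the third field. The script below does that, checks every line against the format before use, and scans the samples back with `clamscan --database=` as a smoke test. Assumed: sigtool and clamscan on PATH, that sigtool prints the path exactly as given, the signature-name prefix, and the invented hash lines used for the self-check. If the released tool only ships hashes without file sizes, you need the samples themselves (or their sizes) to produce these lines.

```shell
#!/bin/sh
# build_hdb.sh: turn a directory of known-bad sample files into a ClamAV
# .hdb hash database. Added example for the post above, not part of ClamAV.
# .hdb line format: MD5:FileSize:MalwareName

# sigtool --md5 FILE prints "md5:size:filename"; replace the filename with a
# signature name built from a prefix and the file's basename.
md5line_to_sig() {
    prefix=$1
    awk -F: -v p="$prefix" '{
        n = split($3, parts, "/"); name = parts[n]
        gsub(/[^A-Za-z0-9_.-]/, "_", name)    # keep the name free of odd characters
        print $1 ":" $2 ":" p "." name
    }'
}

# Accept only well-formed lines: 32 hex chars, a decimal size, and a name.
# Prints offending lines and fails if any are found.
validate_hdb() {
    grep -E -v '^[0-9a-f]{32}:[0-9]+:[^:]+$' && return 1
    return 0
}

# Build an .hdb from every regular file under a sample directory.
build_hdb() {
    sampledir=$1; prefix=$2; out=$3
    find "$sampledir" -type f -exec sigtool --md5 {} + | md5line_to_sig "$prefix" > "$out"
    validate_hdb < "$out" > /dev/null
}

# Constructed sigtool --md5 style lines for a self-check (fake hashes, not
# real samples; the paths are invented).
SAMPLE_MD5='0123456789abcdef0123456789abcdef:4096:/tmp/ht_samples/agent.exe
fedcba9876543210fedcba9876543210:1536:/tmp/ht_samples/loader two.dll'

selfcheck() {
    printf '%s\n' "$SAMPLE_MD5" | md5line_to_sig HackingTeam
}

if [ "$#" -eq 3 ]; then
    # Build the database, then scan the samples with only that database loaded.
    build_hdb "$1" "$2" "$3" && clamscan --database="$3" "$1"
else
    echo "usage: $0 /path/to/samples Win.Trojan.HackingTeam out.hdb" >&2
    selfcheck
fi
```

Usage: `sh build_hdb.sh /tmp/ht_samples Win.Trojan.HackingTeam hackingteam.hdb`; drop the resulting file into the database directory (or pass it with `--database`) to use it alongside the official signatures.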