Chris | 26 Jun 02:17 2014

[Heuristics.Structured.SSN]

I received a message earlier that was in fact a FP. I have the following
settings in my /etc/clamd.conf. With the first commented out, the 2nd
set to no and the third set to no, should this even have gotten a hit? This is
ClamAV 0.98.4/19125/Mon Jun 23 16:50:52 2014

# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
StructuredSSNFormatNormal no

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
StructuredSSNFormatStripped no

Here is the content preview from SA:

Content preview:
( http://if.inboxfirst.com/ga/click/2-20619679-120-15601-31227-422010-3ea50cbb5c-b272103213 )
( http://if.inboxfirst.com/ga/click/2-20619679-120-15601-31227-422011-3a6d9c5a87-b272103213 )
( http://if.inboxfirst.com/ga/click/2-20619679-120-15601-31227-422012-0a7ac1c41a-b272103213 ) [...]

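An added example, not ClamAV's own code, that models how the three clamd.conf options quoted in the post gate the SSN heuristic: which formats are searched, which candidates count as valid, and the StructuredMinSSNCount threshold. The validity rules are the SSA's published ones; that libclamav applies exactly these checks and rejects candidates adjacent to other digits is an assumption. Run over the three URLs from the content preview, it shows that with both formats off nothing can match, and that only the stripped format would treat the 9-digit tail of those URLs as an SSN.

```python
import re

# Added example, not ClamAV code: a simplified model of the DLP check behind
# Heuristics.Structured.SSN, driven by the three clamd.conf options in the
# post. Validity rules are the SSA's published ones (area 000, 666 and
# 900-999, group 00 and serial 0000 are never issued); that libclamav applies
# exactly these checks, and that it rejects candidates adjacent to other
# digits, is an assumption here.
NORMAL = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")    # xxx-yy-zzzz
STRIPPED = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")    # xxxyyzzzz


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def count_ssns(data: str, fmt_normal: bool, fmt_stripped: bool) -> int:
    """Count valid-looking SSNs in data using only the enabled formats."""
    patterns = []
    if fmt_normal:            # StructuredSSNFormatNormal
        patterns.append(NORMAL)
    if fmt_stripped:          # StructuredSSNFormatStripped
        patterns.append(STRIPPED)
    return sum(1 for p in patterns for m in p.finditer(data)
               if is_valid_ssn(*m.groups()))


def would_alert(data: str, fmt_normal: bool, fmt_stripped: bool,
                min_count: int = 3) -> bool:
    """True once the count reaches StructuredMinSSNCount (default 3)."""
    return count_ssns(data, fmt_normal, fmt_stripped) >= min_count


# The three tracking URLs quoted from the SpamAssassin content preview.
SAMPLE_URLS = "\n".join([
    "http://if.inboxfirst.com/ga/click/2-20619679-120-15601-31227-422010-3ea50cbb5c-b272103213",
    "http://if.inboxfirst.com/ga/click/2-20619679-120-15601-31227-422011-3a6d9c5a87-b272103213",
    "http://if.inboxfirst.com/ga/click/2-20619679-120-15601-31227-422012-0a7ac1c41a-b272103213",
])

if __name__ == "__main__":
    # Poster's config (normal=no, stripped=no): nothing is searched at all.
    print(count_ssns(SAMPLE_URLS, False, False))   # 0
    # Defaults (normal=yes, stripped=no): the dashed pattern never lines up.
    print(count_ssns(SAMPLE_URLS, True, False))    # 0
    # Only the stripped format reads the 9-digit tail "272103213" as an SSN.
    print(would_alert(SAMPLE_URLS, False, True))   # True
```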

Paul Smith | 25 Jun 10:57 2014

Malformed database?

Using ClamAV 0.97.2, since yesterday's update Freshclam gives this when 
trying to download a fresh database:

Max retries == 3
ClamAV update process started at Wed Jun 25 09:27:38 2014
Using IPv6 aware code
TTL: 807
Software version from DNS: 0.98.4
Retrieving http://database.clamav.net/main.cvd
Trying to download http://database.clamav.net/main.cvd (IP: 81.91.100.173)
Downloading main.cvd [100%]
Loading signatures from main.cvd
Properly loaded 2424222 signatures from new main.cvd
main.cvd updated (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Retrieving http://database.clamav.net/daily.cvd
Trying to download http://database.clamav.net/daily.cvd (IP: 81.91.100.173)
Downloading daily.cvd [100%]
Loading signatures from daily.cvd
Properly loaded 1000939 signatures from new daily.cvd
daily.cvd updated (version: 19125, sigs: 1000939, f-level: 63, builder: mcd)
Retrieving http://database.clamav.net/bytecode.cvd
Trying to download http://database.clamav.net/bytecode.cvd (IP: 81.91.100.173)
Downloading bytecode.cvd [100%]
Loading signatures from bytecode.cvd
WARNING: [LibClamAV] Bytecode logical signature skipped, but bytecode itself not?
WARNING: [LibClamAV] Can't load 0005534921.cbc: Malformed database
WARNING: [LibClamAV] cli_tgzload: Can't load 0005534921.cbc
WARNING: [LibClamAV] Can't load 

Daniel Quintiliani | 24 Jun 22:36 2014

Does Clamsubmit work?

Hi,

There was a recent thread about ClamAV's low detection rates when compared to other AVs on VirusTotal.

When Clamsubmit came out I started using it to submit "false negatives", following the "two per day" rules
of the Web site. (No such rule exists in the clamsubmit manpage.)

I am wondering if there are lots of files in these queues, or the files submitted via the software are being
ignored. 
I'd imagine ClamAV is shooting themselves in the foot for releasing this tool.

Anyone know?

--

-Dan Q
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml

Walter Bürger | 23 Jun 17:47 2014

Bad detection rate


Hi dear ClamAV team,

ClamAV is good software and it has run very stably
on my servers for years!

Many thanks for ClamAV and for your efforts making it
such stable software!

Nevertheless, the detection rate of viruses, trojans, etc.
is not very good.

Almost every time I submit a sample file on virustotal.com
ClamAV cannot detect the virus or malware.

This morning I submitted the file 
Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
(MD5 ad690be247dda635781e20887fcac0e7)
on virustotal.com.

4 out of 54 scanners detected a virus
(NOD32 named it Win32/Kryptik.CFAE)
but ClamAV did not detect it.

About 4 hours later I checked again and
12 out of 54 scanners detected a virus in this file
but ClamAV did not detect it.

Of course I submitted this sample file on
http://www.clamav.net/lang/en/sendvirus/submit-malware/

Alex | 21 Jun 15:00 2014

FN with unknown virus attachment

Hi,
I'm using clamav-0.98.4 on fedora20 with the sanesecurity and safebrowsing
sigs and still seeing an unknown virus pass through our systems. I've
submitted it to the clamav false-negative upload, but haven't received a
response, and 24hrs later it's still not being tagged. I was hoping someone
could help me identify it and determine the risk.

I'm in the process of building a win7 test vm, but haven't been able to
otherwise safely open the Word doc attachment yet. It appears to contain a
Word macro and an embedded link. Any ideas greatly appreciated. Please let
me know if you want me to forward this to you directly or need more
information.

http://pastebin.com/5UuGrbXt

Thanks,
Alex

Steve Basford | 19 Jun 15:23 2014

DatabaseCustomURL question

Hi,

Does anyone have DatabaseCustomURL in their freshclam.conf?

I've just tried this format...

DatabaseCustomURL http://blahblahblah.com:8888/test.cud

And I get an "Unknown error" :)

ClamAV update process started at Thu Jun 19 14:14:24 2014
WARNING: Can't get information about blahblahblah.com:8888 Unknown error
WARNING: Can't download test.cud from fblahblahblah.com:8888
main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cld is up to date (version: 19112, sigs: 997192, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 241, sigs: 46, f-level: 63, builder: dgoddard)

I'm wondering if it's the :8888 that's throwing it?

If anyone can confirm, I'll raise a bugzilla....

Cheers,

Steve

Steve Basford | 18 Jun 15:52 2014

building a cud file

Hi All,

I'm playing with .cud file creation from a couple of files...

testdb folder

COPYING
testdb.hdb
testdb.ndb

set SIGNDUSER=me
sigtool --datadir=testdb --build=testdb.cud --unsigned --cvd-version 1

WARNING: build: Signatures in testdb db files: 2674, loaded by libclamav: 5348
Total sigs: 5348
New sigs: 5271
Created testdb.cud

I can see testdb.cud and testdb.info...

but...

clamscan --database=testdb.cud
LibClamAV Error: cli_cvdload: Corrupted CVD header
LibClamAV Error: Can't load testdb.cud: Malformed database
LibClamAV Error: cli_loaddbdir(): error loading database testdb.cud
ERROR: Malformed database

Could anyone who has got this working do a quick how-to?

Steve Basford | 19 Jun 15:49 2014

DatabaseCustomURL question

Hi,

Does anyone have DatabaseCustomURL in their freshclam.conf?

I've just tried this format...

DatabaseCustomURL http://blahblahblah.com:8888/test.cud

And I get an "Unknown error" ? :)

ie...

ClamAV update process started at Thu Jun 19 14:14:24 2014
WARNING: Can't get information about blahblahblah.com:8888 Unknown error
WARNING: Can't download test.cud from blahblahblah.com:8888
main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cld is up to date (version: 19112, sigs: 997192, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 241, sigs: 46, f-level: 63, builder: dgoddard)

I'm wondering if it's the :8888 that's throwing it?

I get wget from blahblahblah.com:8888/test.cud ok...

If anyone can confirm, it's a port thing... I'll raise a bugzilla....

Steve Basford | 18 Jun 20:51 2014

building a cud file

Hi All,

I'm playing with .cud file creation from a couple of files...

testdb folder

COPYING
testdb.hdb
testdb.ndb

set SIGNDUSER=me
sigtool --datadir=testdb --build=testdb.cud --unsigned --cvd-version 1

WARNING: build: Signatures in testdb db files: 2674, loaded by libclamav: 5348
Total sigs: 5348
New sigs: 5271
Created testdb.cud

I can see testdb.cud and testdb.info...

but...

clamscan --database=testdb.cud
LibClamAV Error: cli_cvdload: Corrupted CVD header
LibClamAV Error: Can't load testdb.cud: Malformed database
LibClamAV Error: cli_loaddbdir(): error loading database testdb.cud
ERROR: Malformed database

Could anyone who has got this working do a quick how-to?

Matt Olney | 17 Jun 16:51 2014

Thank You

Hello all,

My name is Matthew Olney and I’m the manager of the VRT Research
Development team.  Among other things, my group is responsible for ClamAV
engine development.  I just wanted to take a moment to express my
appreciation for those in the community who have worked with us to ensure
a quality release of ClamAV 0.98.4.  In particular those of you who have
submitted bugs and worked with us to test patches, and those of you who
downloaded and tested 0.98.4RC1.

Due to the success of this release candidate, we would like to use the
beta/RC model going forward.  Development is what it is, so we may not
always be able to do this, but my strong preference would be to use this
model.  Provided nothing serious comes up in the meantime, you should
expect a beta for 0.98.5 in the near future.

Thank you all again, it’s a pleasure working with you,

Matthew Olney
Manager, VRT Research Development
Joel Esler (jesler | 17 Jun 02:12 2014

ClamAV®: ClamAV 0.98.4 has been released!


http://blog.clamav.net/2014/06/clamav-0984-has-been-released.html

ClamAV 0.98.4 has been released!

The ClamAV team is pleased to announce the release of ClamAV 0.98.4!  Below are the release notes for 0.98.4:

0.98.4
------

ClamAV 0.98.4 is a bug fix release. The following issues are now resolved:

- Various build problems on Solaris, OpenBSD, AIX.
- Crashes of clamd on Windows and Mac OS X platforms when reloading the virus signature database.
- Infinite loop in clamdscan when clamd is not running.
- Freshclam failure on Solaris 10.
- Buffer underruns when handling multi-part MIME email attachments.
- Configuration of OpenSSL on various platforms.
- Name collisions on Ubuntu 14.04, Debian sid, and Slackware 14.1.
- Linking issues with libclamunrar.

Thanks to the following individuals for testing, writing patches, and
initiating quality improvements in this release:

Tuomo Soini
Scott Kitterman
Jim Klimov
Curtis Smith
Steve Basford
Martin Preen
Lars Hecking