Shawn Webb | 9 Jul 15:32 2014

Re: ClamAV(R): ClamAV 0.98.5 beta has been posted!

On Wed, Jul 9, 2014 at 9:01 AM, Frank Elsner <frank <at> moltke28.b.shuttle.de>
wrote:

> On Wed, 9 Jul 2014 14:48:31 +0200 Matus UHLAR - fantomas wrote:
> > >On Tue, 8 Jul 2014 23:15:12 +0000 Joel Esler (jesler) wrote:
> > >> ClamAV 0.98.5 beta has been posted!
> > >> The ClamAV team is proud to announce the availability of ClamAV
> 0.98.5 beta ready for testing!
> >
> > On 09.07.14 13:07, Frank Elsner wrote:
> > >Fedora 17, compiled ok, but
> > >
> > ># service clamav restart
> > >Stopping ClamAV                                            [  OK  ]
> > >Starting ERROR: This tool requires libclamav with functionality level
> 78 or higher (current f-level: 77)
> > >                                                           [FAILED]
> >
> > do you have an older clamav (library) installation somewhere by any chance?
>
> No. Same call to configure as for clamav-0.98.4.
>
>
> --Frank Elsner

Hey Frank,

Where is ClamAV installed to? Can you show me the output of: ls
[installbase]/lib/libclamav*


Joel Esler (jesler) | 9 Jul 01:15 2014

ClamAV®: ClamAV 0.98.5 beta has been posted!


ClamAV 0.98.5 beta has been posted!
The ClamAV team is proud to announce the availability of ClamAV 0.98.5 beta ready for testing!

http://blog.clamav.net/2014/07/clamav-0985-beta-has-been-posted.html

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml

alex | 8 Jul 16:41 2014

Custom signature question

Hello,

I'm trying to create signatures for clamav, to detect exe and mp3
files. It seems to work for exe, but strangely not for mp3, despite
the fact I did exactly the same in both cases:

Getting signatures for both files:

alex:~$ dd if=exefile.exe count=1 | sigtool --hex-dump
1+0 records in
1+0 records out
512 bytes (512 B) copied, 2.9117e-05 s, 17.6 MB/s
4d5a90000300000004000000ffff0000b8000000000000004000000000[...]

alex:~$ dd if=mp3file.mp3 count=1 | sigtool --hex-dump
1+0 records in
1+0 records out
512 bytes (512 B) copied, 2.9032e-05 s, 17.6 MB/s
49443303000000000e4c5452434b00000005000000322d303954454e43[...]

Creating custom ndb:

alex:~$ cat /var/lib/clamav/notallowed.ndb 
filetype.not.allowed.mp3:0:*:4944??
filetype.not.allowed.exe:0:*:4d5a??

Testing:

alex:~$ clamscan exefile.exe 
exefile.exe: filetype.not.allowed.exe.UNOFFICIAL FOUND
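
The two .ndb lines from the post, run through a small matcher written here as an added example. It is not ClamAV's own matcher (libclamav uses Aho-Corasick and Boyer-Moore engines with many more signature features); it implements only the `??`, `*` and `{n-m}` wildcards, the `*`, absolute and `EOF-n` offsets, and ignores the target-type field (both lines use 0, any file). The sample bytes are the prefixes shown in the post's `sigtool --hex-dump` output, so they are constructed input, not the poster's files. Running it shows what each line is supposed to match; it does not diagnose why the poster's clamscan run did not flag the MP3.

```python
import re

# Constructed inputs for this example: the byte prefixes shown in the
# post's sigtool --hex-dump output (a PE "MZ" header and an ID3v2 tag).
SAMPLE_EXE = bytes.fromhex("4d5a90000300000004000000ffff0000b8000000000000004000000000")
SAMPLE_MP3 = bytes.fromhex("49443303000000000e4c5452434b00000005000000322d303954454e43")

# The two .ndb lines from the post: MalwareName:TargetType:Offset:HexSignature
NDB_TEXT = """filetype.not.allowed.mp3:0:*:4944??
filetype.not.allowed.exe:0:*:4d5a??
"""

def hex_dump(data: bytes) -> str:
    """Lowercase hex with no separators, as `sigtool --hex-dump` prints it."""
    return data.hex()

# Supported hex-signature tokens: a literal byte, ?? (any one byte),
# * (any run of bytes), {n}, {n-m}, {-m}, {n-} (bounded runs).
_TOKEN = re.compile(r"\?\?|\*|\{(\d*)(-?)(\d*)\}|[0-9a-fA-F]{2}")

def hexsig_to_regex(hexsig: str) -> re.Pattern:
    """Translate the supported ndb hex-signature subset into a bytes regex."""
    pieces, pos = [], 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"unsupported token at offset {pos} in {hexsig!r}")
        pos = m.end()
        tok, lo, dash, hi = m.group(0), m.group(1), m.group(2), m.group(3)
        if tok == "??":
            pieces.append(".")                         # exactly one arbitrary byte
        elif tok == "*":
            pieces.append(".*?")                       # zero or more bytes
        elif tok.startswith("{"):
            if not dash:
                pieces.append(f".{{{lo}}}")            # {n}: exactly n bytes
            else:
                pieces.append(f".{{{lo or 0},{hi}}}")  # {n-m}, {-m}, {n-}
        else:
            pieces.append(re.escape(bytes.fromhex(tok)).decode("latin-1"))
    if pos != len(hexsig):
        raise ValueError(f"trailing garbage in {hexsig!r}")
    return re.compile("".join(pieces).encode("latin-1"), re.DOTALL)

def parse_ndb(text: str):
    """Parse .ndb lines into (name, target, offset, compiled_pattern) tuples.
    The target type is kept but not enforced by this toy matcher."""
    sigs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected name:target:offset:hexsig")
        name, target, offset, hexsig = parts[0], int(parts[1]), parts[2], parts[3]
        sigs.append((name, target, offset, hexsig_to_regex(hexsig)))
    return sigs

def match_sig(sig, data: bytes) -> bool:
    """Apply one signature honouring its offset field: '*', absolute n, or EOF-n."""
    name, target, offset, pattern = sig
    if offset == "*":
        return pattern.search(data) is not None
    start = len(data) - int(offset[4:]) if offset.startswith("EOF-") else int(offset)
    if not 0 <= start <= len(data):
        return False
    return pattern.match(data, start) is not None

def scan(data: bytes, sigs) -> list:
    """Return the names clamscan would print (with the .UNOFFICIAL suffix it
    adds for user-supplied databases) for every signature that hits."""
    return [f"{sig[0]}.UNOFFICIAL" for sig in sigs if match_sig(sig, data)]

SIGS = parse_ndb(NDB_TEXT)

if __name__ == "__main__":
    for label, data in (("exefile.exe", SAMPLE_EXE), ("mp3file.mp3", SAMPLE_MP3)):
        print(label, hex_dump(data)[:16], scan(data, SIGS) or "OK")
```

One point the matcher makes explicit: a trailing `??` is not optional, it consumes a byte, so `4944??` needs at least three bytes at the match position. Both post signatures hit their own sample and not the other one.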

DUCARROZ Birgit | 7 Jul 12:04 2014

Win.Trojan.Zwangi-432 / Osx.Exploit.CVE_2006_0848 / PHP.Shell-29

Hello list,

I believe those are false positives.
Please would you check the md5 hashes?
Thank you a lot!
Regards,
Birgit

Win.Trojan.Zwangi-432 FOUND --> md5 --> 9052a26074751a4a3668764ddfac0b55
Osx.Exploit.CVE_2006_0848 FOUND --> md5 --> 92fdafd02acc4f968d897dc861decb7c
PHP.Shell-29 FOUND --> md5 --> b4a09911a5b23e00b55abe546ded691c
Osx.Exploit.CVE_2006_0848 FOUND --> md5 --> 6434722cffeb95b95e32efd6f5523636
Osx.Exploit.CVE_2006_0848 FOUND --> md5 --> f3ce0e00c7277c60903156c7b349e92d

----------- SCAN SUMMARY -----------
Known viruses: 3493754
Engine version: 0.97.8
Infected files: 5


G.W. Haywood | 5 Jul 19:15 2014

Re: clamav 0.98.4 on Centos4

Hi there,

On Sat, 5 Jul 2014, René Bellora wrote:

> this is a server that I don't control ...

Use a different server.

--

73,
Ged.

Chris | 3 Jul 20:51 2014

daily.cvd vs daily.cld

It's been a while since I used ClamAV; wasn't there something one time
about using either one or the other of the two databases listed above? I
had restarted a while ago and got this warning:

Starting Clam AntiVirus Daemon: LibClamAV Warning:
**************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************

I downloaded the daily.cvd and the error went away.

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)
13:49:29 up 7 days, 20:18, 2 users, load average: 0.54, 0.68, 0.81
Mandriva Linux 2010.2, kernel 2.6.33.7-desktop586-2mnb

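
The "older than 7 days" warning above is computed from the build time in the database header, and the daily.cvd / daily.cld question turns on the same header. The parser below is an added example, not sigtool or libclamav code: it reads the 512-byte colon-separated header that both .cvd and .cld files start with (magic, build time, version, signature count, functionality level, MD5, digital signature, builder, stime), applies the 7-day age check, and picks between a .cvd and a .cld by version number, which is assumed here to be the loader's tie-break when both are present. The two headers are constructed for the example; the MD5 and signature fields are placeholders and are not verified.

```python
from datetime import datetime, timedelta, timezone

CVD_HEADER_LEN = 512
FIELDS = ("magic", "build_time", "version", "sigs", "flevel",
          "md5", "dsig", "builder", "stime")

def _make_header(build_time: str, version: int, sigs: int, flevel: int, stime: int) -> bytes:
    """Build a constructed header for this example (placeholder MD5 and dsig)."""
    line = f"ClamAV-VDB:{build_time}:{version}:{sigs}:{flevel}:{'0' * 32}:{'A' * 40}:neo:{stime}"
    return line.encode("ascii").ljust(CVD_HEADER_LEN, b" ")

# Constructed sample headers: an old daily.cld and a fresh daily.cvd.
STALE_DAILY_CLD = _make_header("20 Jun 2014 08-25 -0400", 19161, 3480000, 78, 1403267100)
FRESH_DAILY_CVD = _make_header("03 Jul 2014 09-00 -0400", 19174, 3493754, 78, 1404392400)

# "Now" for the example, taken as the day of the post.
NOW = datetime(2014, 7, 3, 13, 49, tzinfo=timezone.utc)

def parse_cvd_header(blob: bytes) -> dict:
    """Parse the leading 512 bytes of a .cvd or .cld file into a dict."""
    if len(blob) < CVD_HEADER_LEN:
        raise ValueError("file shorter than a CVD header")
    try:
        text = blob[:CVD_HEADER_LEN].decode("ascii").rstrip()
    except UnicodeDecodeError as exc:
        raise ValueError("header is not ASCII") from exc
    parts = text.split(":")
    if len(parts) != len(FIELDS) or parts[0] != "ClamAV-VDB":
        raise ValueError("not a ClamAV-VDB header")
    hdr = dict(zip(FIELDS, parts))
    for key in ("version", "sigs", "flevel", "stime"):
        hdr[key] = int(hdr[key])
    # Build time is printed as e.g. "03 Jul 2014 09-00 -0400".
    hdr["build_time"] = datetime.strptime(hdr["build_time"], "%d %b %Y %H-%M %z")
    return hdr

def is_stale(hdr: dict, now: datetime, max_age_days: int = 7) -> bool:
    """The condition behind the 'older than 7 days' warning."""
    return now - hdr["build_time"] > timedelta(days=max_age_days)

def pick_newer(cvd_blob: bytes, cld_blob: bytes) -> str:
    """Return 'cvd' or 'cld' depending on which header carries the higher
    version number (assumed here as the rule used when both files exist)."""
    return "cvd" if parse_cvd_header(cvd_blob)["version"] >= parse_cvd_header(cld_blob)["version"] else "cld"

if __name__ == "__main__":
    for label, blob in (("daily.cld", STALE_DAILY_CLD), ("daily.cvd", FRESH_DAILY_CVD)):
        h = parse_cvd_header(blob)
        print(f"{label}: version {h['version']}, {h['sigs']} sigs, f-level {h['flevel']}, "
              f"built {h['build_time']:%d %b %Y %H:%M %z}, stale={is_stale(h, NOW)}")
    print("loader would use:", pick_newer(FRESH_DAILY_CVD, STALE_DAILY_CLD))
```

To run it against real files, pass the first 512 bytes of /var/lib/clamav/daily.cvd or daily.cld to parse_cvd_header; sigtool --info prints the same fields and is the authoritative check.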
Chris | 3 Jul 15:08 2014

[Heuristics.Structured.SSN]

I've been getting several hits on good mail with the above sig. I have
this setting in my clamd.conf:

# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
StructuredSSNFormatNormal no

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
StructuredSSNFormatStripped no

Below are the headers of the most recent mail that was hit; the email
itself was all HTML. Since this is just a home system with my and my
wife's email, what's the best way to keep this from happening?

http://pastebin.com/5PFCmz4C

Thanks
Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
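
A worked illustration of the three clamd.conf knobs quoted above (StructuredMinSSNCount, StructuredSSNFormatNormal, StructuredSSNFormatStripped), added here as an example and not ClamAV's own DLP code. The validity rules are the SSA's structural ones (area not 000, 666 or 900-999, group not 00, serial not 0000) and are assumed here as an approximation of what the DLP module checks, not its exact logic. The two messages are constructed; the second is the kind of "good mail" that contains SSN-shaped numbers which fail the structural check.

```python
import re

# Constructed sample messages for this example (not the mail from the post).
PAYROLL_MAIL = """Please update the records for:
Alice  123-45-6789
Bob    234-56-7890
Carol  345-67-8901
"""
NEWSLETTER_HTML = """<html><body>
<p>Order 000-12-3456 shipped via route 666-00-1234; ref 900-11-2222.</p>
<p>Call 555-1234 or see item 123-00-4567, batch 321-54-0000.</p>
</body></html>
"""

# xxx-yy-zzzz (StructuredSSNFormatNormal) and xxxyyzzzz (StructuredSSNFormatStripped).
# The lookarounds stop a longer digit run from being split into a false hit.
NORMAL_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
STRIPPED_RE = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")

def is_valid_ssn(area: int, group: int, serial: int) -> bool:
    """SSA structural rules (assumed here as the DLP module's validity test)."""
    if area == 0 or area == 666 or area >= 900:
        return False
    if group == 0 or serial == 0:
        return False
    return True

def count_ssns(text: str, normal: bool = True, stripped: bool = False) -> int:
    """Number of structurally valid SSNs found with the enabled formats."""
    hits = []
    if normal:
        hits += NORMAL_RE.findall(text)
    if stripped:
        hits += STRIPPED_RE.findall(text)
    return sum(1 for a, g, s in hits if is_valid_ssn(int(a), int(g), int(s)))

def triggers(text: str, min_count: int = 3, normal: bool = True, stripped: bool = False) -> bool:
    """Heuristics.Structured.SSN fires when the count reaches StructuredMinSSNCount."""
    return count_ssns(text, normal, stripped) >= min_count

if __name__ == "__main__":
    for label, body in (("payroll", PAYROLL_MAIL), ("newsletter", NEWSLETTER_HTML)):
        print(label, "valid SSNs:", count_ssns(body), "fires:", triggers(body))
```

Note that in clamd.conf these three options only have an effect when the DLP module is switched on with StructuredDataDetection (default no); with both format options set to no, as in the excerpt above, the function here finds nothing to count at all.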

Patrick DOURET | 2 Jul 01:26 2014

Are vbs viruses detected by clamav?

Dear

I would like to know if clamav is able to detect vbs (I mean viruses based on VB script)?

What about if those kinds of viruses are included in Microsoft Office documents as objects?

We have the latest version 0.98

Thanks for your reply

Patrick DOURET
Michael Graham | 27 Jun 19:30 2014

Reporting false positives fails

Hi all,

I'm trying to report a bunch of suspected false positives to
HTML.Exploit.CVE_2014_0322 which are being detected, but the website just
rejects it because it's already detected as a virus (which is kind of
the point, Mr buggy website!).

Examples can be found on sites like www.superdrug.com (a UK pharmacist).
I'm not sending the direct link in case it causes problems with people's
mail filter.

How can I report these?

Cheers,
-- 
Michael Graham <mgraham <at> bloxx.com>


Sergey | 26 Jun 08:37 2014

freshclam and various formats of base

Hello.

Several years ago the database format sometimes changed when
upgrading ClamAV. This caused problems when restarting
clamd after an upgrade. This could be solved by means of
the package manager, RPM for example:

%post
# Remove whatever is left under /var/lib/clamav (files and directories),
# skipping symlinks and the clamd socket, so that the new clamav does not
# try to load databases in the old format.
for FNAME in $(ls --ignore='*.socket' /var/lib/clamav); do
    [ -h "/var/lib/clamav/$FNAME" ] && continue
    [ -d "/var/lib/clamav/$FNAME" ] && rm -rf "/var/lib/clamav/$FNAME"
    [ -f "/var/lib/clamav/$FNAME" ] && rm -f "/var/lib/clamav/$FNAME"
done

Can this not be used now? The virus database is
large now and the download takes a long time. Can
clamd ignore a wrong format now? Can freshclam clear
/var/lib/clamav independently?

-- 
Regards,
Sergey

Scott Kitterman | 26 Jun 06:47 2014

List-Archive header field update needed

The mails from the list currently include:

List-Archive: <http://lists.clamav.net/pipermail/clamav-users>

It should point to:

http://lurker.clamav.net/list/clamav-users.html

Scott K
