Mischa Coenen | 3 Mar 10:26 2014

Re: No more updates since march 1st

Normally I see multiple updates per day, and I agree that on the weekend it is normally 1 or 2 per day. But I understand
that there is no policy on how often an update is released; it is more of a random thing?

> -----Original Message-----
> From: clamav-users-bounces <at> lists.clamav.net [mailto:clamav-users-bounces <at> lists.clamav.net] On Behalf Of Al Varnell
> Sent: Monday 3 March 2014 8:26
> To: ClamAV users ML
> Subject: Re: [clamav-users] No more updates since march 1st
> 
> 
> On Mar 2, 2014, at 11:19 PM, Mischa Coenen <mc1977 <at> live.nl> wrote:
> 
> > I have noticed that the last update of the ClamAV database was at 01 Mar 2014 16-54 -0500, after that I didn't see any new updates. Are there issues with releasing new updates?
> 
> Weekends are always slow, so I wouldn't get too excited unless you still haven't seen something by mid-day tomorrow.
> 
> 
> -Al-
> -- 
> Al Varnell
> Mountain View, CA
> 
> 
> 
> 
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq

Paul Kosinski | 3 Mar 08:38 2014

Re: Introducing OpenSSL as a dependency to ClamAV


On Fri, 28 Feb 2014 12:00:00 -0500
clamav-users-request <at> lists.clamav.net wrote:

There are only a few reasons I can imagine that SSL (OpenSSL)
would be a *required* addition to ClamAV:

1. A "better" way of signing signature downloads than whatever is
   currently done (not sure what that is, if anything).

2. A mechanism to secure the CLAMD port to restrict LAN access
   (pretty far-fetched).

3. A mechanism to encrypt signature downloads so that you have to pay
   if you want the latest and greatest (like for Snort).

4. A mechanism to encrypt signatures to keep them pretty much secret
   from the users of ClamAV.

I would be quite disappointed if ClamAV turned its back on the spirit
of GPL software by charging for signature data (#3 above, like Snort
has done). I would find it quite unacceptable if ClamAV signatures
could no longer even be examined to see what they detect (#4 above),
as this would mean that ClamAV had effectively become Closed Source.

> Message: 5
> Date: Thu, 27 Feb 2014 15:55:55 -0800
> From: Dennis Peterson <dennispe <at> inetnw.com>
> To: clamav-users <at> lists.clamav.net
> Subject: Re: [clamav-users] clamav-users Digest, Vol 113, Issue 18

Mischa Coenen | 3 Mar 08:19 2014

No more updates since march 1st

I have noticed that the last update of the ClamAV database was at 01 Mar 2014 16-54 -0500, after that I didn't
see any new updates. Are there issues with releasing new updates?

A couple of months ago I saw the same issue, that no new updates were released, and after a post on the
mailing list it resumed again. Updating the database seems to me very important for a virus scanner, but
isn't it internally checked for issues?

Thanks.
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml

Scott Snow | 3 Mar 04:55 2014

Keeping the ClamAV process open?

I'm working on a MapReduce project using Amazon's EC2. The only bottleneck
I have is that it takes ~35-40 seconds to scan each file, which seems very
high. I'm using a C program as a wrapper for ClamAV, which takes a single
file and the mode. Does anyone know approximately how long it takes to
initialize ClamAV and load the virus db? Would it be possible to just keep
the ClamAV process loaded/running? I've been searching quite a bit, but
haven't found anything so far. If anyone has any other suggestions for
optimization, that would be appreciated as well. I'm not very familiar with
ClamAV.

Thanks.
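An added example (not from the post above and not ClamAV's own code) of the approach the question points at: keep clamd running with the database already loaded and hand it each file over its socket with the INSTREAM command, so the per-file cost is a socket round trip rather than engine initialisation. The socket path and chunk size are assumptions; the request framing and reply format follow the documented clamd protocol.

```python
import socket
import struct

# Assumed clamd socket path (match LocalSocket in clamd.conf).
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"
CHUNK = 8192  # constructed chunk size; keep the total below StreamMaxLength


def instream_request(data: bytes, chunk: int = CHUNK) -> bytes:
    """Frame one INSTREAM scan: the null-terminated command, then chunks
    each prefixed by a 4-byte big-endian length, ended by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out += struct.pack("!I", len(piece)) + piece
    out += struct.pack("!I", 0)  # zero-length chunk terminates the stream
    return bytes(out)


def parse_reply(reply: bytes) -> tuple:
    """Reduce a null-terminated clamd reply such as 'stream: OK' or
    'stream: <signature> FOUND' to a (verdict, detail) pair."""
    text = reply.rstrip(b"\0\n").decode(errors="replace")
    body = text.split(": ", 1)[1] if ": " in text else text
    if body.endswith(" FOUND"):
        return "FOUND", body[:-len(" FOUND")]
    if body == "OK":
        return "OK", None
    return "ERROR", body


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET) -> tuple:
    """Scan one buffer against the resident clamd. A new connection per file
    is cheap because the signature database stays loaded inside clamd."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(instream_request(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)
```

A MapReduce worker would call scan_bytes() per input record and treat an "ERROR" verdict (for example a stream that exceeds StreamMaxLength) as a failed scan rather than a clean file.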
J. W. Andersen | 1 Mar 17:01 2014

No filenames listed by clamscan.

After upgrading from 0.97.6 to 0.98.1 I get the following messages on
the console:

LibClamAV: Warning: SWF: Invalid tag length.
LibClamAV: Warning: SWF: Invalid tag length.
LibClamAV: Warning: SWF: Invalid tag length.
LibClamAV: Warning: SWF: Invalid tag length.
LibClamAV: Warning: fmap:  map allocation failed.
LibClamAV: Error: CRITICAL: fmap () failed.
LibClamAV: Warning: SWF: Invalid tag length.

upon scanning a large linux directory (some 60 GB) with clamscan.

The real problem is that clamscan does not tell me which scanned files
it is actually complaining about, not in sysout and not in syserr. With some
10,000 files in the directory it is impossible for me to find out which
files to correct or get rid of. I can prevent the "Invalid tag length" by
setting --scan-archives to no, but that is hardly a solution if I want
the archives thoroughly scanned.

Can anyone tell me what I shall do to retrieve the name of the
problematic files?

Regards, Joern W. Andersen

Paul Kosinski | 28 Feb 00:43 2014

Re: clamav-users Digest, Vol 113, Issue 18

The blog post concerning OpenSSL being required for ClamAV only has
one reason as to why it might *benefit* ClamAV; the other reasons are
why OpenSSL *itself* is good.

That single reason is:

  "We will be able to provide a better freshclam experience in a
  future release."

What exactly does this mean? (The phrase "freshclam experience" is
marketing speak, not a technical explanation.)

Since adding complexity to a system tends to increase bugs and
decrease security, I am leery of seeing ClamAV become even more
complicated than it already has become.

Paul

On Wed, 26 Feb 2014 12:00:00 -0500
clamav-users-request <at> lists.clamav.net wrote:
> 
> Message: 1
> Date: Wed, 26 Feb 2014 16:08:03 +0000
> From: "Joel Esler (jesler)" <jesler <at> cisco.com>
> To: ClamAV users ML <clamav-users <at> lists.clamav.net>, "clamav-devel <at> lists.clamav.net" <clamav-devel <at> lists.clamav.net>
> Subject: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
> Message-ID: <78E5F452-24F0-4E9D-91AA-5918E42419AC <at> cisco.com>
> Content-Type: text/plain; charset="us-ascii"

Joel Esler (jesler) | 26 Feb 17:08 2014

Introducing OpenSSL as a dependency to ClamAV

On Friday last week I put a blog post up about introducing OpenSSL into the ClamAV ecosystem. I wanted to make
sure everyone saw it, so please have a look at the blog post here:

http://blog.clamav.net/2014/02/introducing-openssl-as-dependency-to.html

--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team

Jobst Schmalenbach | 20 Feb 03:27 2014

Error message "outdated version" although "yum list installed" reports correct version of clamav


Hi.

Strange problem indeed:

[root /tmp] #>yum list installed "clamav*"
Loaded plugins: fastestmirror
Installed Packages
clamav.x86_64             0.98-2.el5.rf                         installed
clamav-db.x86_64          0.98-2.el5.rf                         installed
clamav-milter.x86_64      0.98-2.el5.rf                         installed
[root /tmp] #>

[root /tmp] #>su clamav -c /usr/bin/freshclam
ClamAV update process started at Thu Feb 20 12:37:52 2014
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.98 Recommended version: 0.98.1
DON'T PANIC! Read http://www.clamav.net/support/faq

I have checked the following:

 - all configuration files point to the same database directory
 - there is only one binary for each of the clamav things on the system
 - freshclam updates with no problems
 - clamconf report correct databases but also:
   Software settings
   -----------------
   Version: 0.98

Any ideas?

Torge Husfeldt | 18 Feb 16:42 2014

Avoid Short-Circuiting on (untrusted) Pattern match

Hi,

We are scanning webhosting files from a relatively large user-base (~5M)
using the clamd engine and signature databases tweaked for the least
possible false positives.

In this context we have 2 use cases which apparently aren't met by the
current implementation.
In both cases the remedy would boil down to stopping clamd from
short-circuiting.
The current logic AFAICT is "on pattern match, report and stop looking"
regardless of which pattern matched.
This means in practice that an "untrusted" pattern could mask a
"trusted" pattern and prevent the more severe action associated with the
trusted pattern from being triggered.
What we would need is to change this behavior (at least for a
configurable subset of patterns) so that the "trusted" pattern match is
always reported regardless of any prior "untrusted" match.

Questions:
Am I the only one having this issue?
Am I missing some configuration-switch?
Would anyone be interested in implementing this?
Can anyone point me to where I would look first if I wanted to implement 
this?

Use Case 1:
"evaluate patterns from third parties"
Our current db only contains a fraction of clamav's official signatures 
and incorporating more of them under the above "0 FP" policy is a pain 

Tsutomu Oyamada | 18 Feb 11:41 2014

about MaxQueue

Hi,

We would like to know when the MaxQueue value in the configuration file has any influence while clamd is scanning.
We are investigating matters of sessions with the following settings.
Can we confirm MaxThreads with the ptree command?
Could you teach us how to confirm the behavior of the configured MaxQueue value?
  MaxThreads 40
  MaxQueue 80
Please find the current clamd.conf as an attached file.

We test clamd by calling it via socket using a file scanner program.
The version of clamd is 0.98.1, and the platform is System z (s390x).

Thanks,
T.Oyamada
Steve Basford | 17 Feb 22:21 2014

TheMask aka Careto

In case this is useful for system scanning for TheMask aka Careto...

---------------------------- Original Message ----------------------------
Subject: [sanesecurity] new database: malwarehash.hsb
From:    "Steve Basford" <steveb_clamav <at> sanesecurity.com>
Date:    Mon, February 17, 2014 4:00 pm
To:      sanesecurity_announce <at> freelists.org
Cc:      sanesecurity <at> freelists.org
--------------------------------------------------------------------------

New database: malwarehash.hsb
False Positive Risk: low

Description:

Normally hash databases, such as rogue.hdb, have to contain the size and md5 of a
malware sample in order to match it.

The .hsb database allows the ClamAV engine to match without knowing what
the size of the sample is (with a small hit on speed compared to a .hdb).

Currently contains known md5's of TheMask aka Careto
(Sanesecurity.MalwareHash.TheMask.xxx)

More info:
http://www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab-Uncovers-The-Mask-One-of-the-Most-Advanced-Global-Cyber-espionage-Operations-to-Date-Due-to-the-Complexity-of-the-Toolset-Used-by-the-Attackers

Cheers,

Steve