Manoj Ramakrishnan | 16 Feb 05:30 2015

Clamav cannot scan tar file and gzip files?

Hi,

I tried to scan tar files and tar.gz files using clamav (through squid, squidclamav and c-icap) but they just
pass through. Both these files contain the "eicar.com" test file.
But if it is a zip file then it works!!!

ScanArchive parameter is enabled in clamd.conf.

Do I need any special setting to scan these files? I am using a RHEL5 server and clamd/clamav version 0.98.5

Regards
Manoj Ramakrishnan
DevOps Engineer | POS | P +61 2 8918 5906  | M 0416 128 308

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Jonathan Coles | 13 Feb 19:13 2015

Unclear how to proceed after Windows install

I installed clamav-0.98.6-win32.msi on Windows. It added nothing to the 
Start menu. After searching the registry I found clamav executables in 
C:\Program Files\Sourcefire Inc\ClamAV, but they are all command-line 
programs.

Your manual clamdoc.pdf is relevant only to Linux.

I have used Clam-Tk on Linux and it works well -- easy to install, easy 
to use. I'm surprised at this baffling Windows version of the program.

Even with access to the clamd.conf man page on Linux (not provided in 
Windows) I could not figure out how to fix the "Please define server 
type (local and/or TCP)" error. The conf file options require specialist 
knowledge that few Windows end users would have.

Do I have the wrong package? Or, is the Windows version of ClamAV just a 
bare-bones toolkit for technical specialists?


Manoj Ramakrishnan | 13 Feb 07:20 2015

Clamav doesn't seem to work when we use HTTP POST with eicar.com.png file

Hi,

I have a clamd(0.98.5) + cicap(0.3.5) + squidclamav(6.12) + squid(3.1.14) on a RHEL5 box. We use this as a
virus scanner for scanning the files uploaded through a web form. It doesn't seem to work if I upload a png
file. Actually the png file is just the "eicar.com" file but I renamed it to "eicar.com.png" because the
form only accepts .png files.

But it works beautifully when I upload the
"eicarcom2.zip<http://www.eicar.org/download/eicarcom2.zip>" file (renamed to .png).

We did an strace on the clamd PID and found that,

  1.  When I upload the eicar.com.png file it writes the tmp file with all HTML headers (including all the form
field values) and the multipart part. Then it scans it and returns the stream OK result.
  2.  When I upload the zip file it correctly extracts the zip file from the HTML POST request and creates the tmp
file using just the multipart data only. So it works.

In case #1 I find there are two requests going to clamd; it creates two tmp files, scans both and no virus is found.
In case #2 it only creates one file and finds the virus.

I am not sure whether this is something to do with the other components c-icap or squidclamav or squid.

See attached files for the relevant part in strace for both cases.

Regards
Manoj Ramakrishnan
DevOps Engineer | POS | P +61 2 8918 5906  | M 0416 128 308

Al Varnell | 12 Feb 10:51 2015

Mirrors 65.19.179.67

I believe this has come up a few times before, but it has never been resolved.

The mirror status page vanished when the new web site rolled out. It wasn’t always accurate, but at least
there were some clues there. Is there any chance of its returning some day?

My current issue is the 65.19.179.67 mirror which has failed 18 out of 18 times over the past several months:

> Mirror #5
> IP: 65.19.179.67
> Successes: 0
> Failures: 18
> Last access: Wed Feb 11 18:04:23 2015
> Ignore: Yes

Looks to belong to Hurricane Electric in Fremont, CA.

This mirror is clearly dead and needs to be taken out of service, yet it continues to be periodically rotated
in from this list:

> db.us.big.clamav.net.	60	IN	A	200.236.31.1
> db.us.big.clamav.net.	60	IN	A	207.57.106.31
> db.us.big.clamav.net.	60	IN	A	208.72.56.53
> db.us.big.clamav.net.	60	IN	A	209.198.147.20
> db.us.big.clamav.net.	60	IN	A	64.6.100.177
> db.us.big.clamav.net.	60	IN	A	64.22.33.90
> db.us.big.clamav.net.	60	IN	A	65.19.179.67
> db.us.big.clamav.net.	60	IN	A	66.18.18.59
> db.us.big.clamav.net.	60	IN	A	69.12.162.28
> db.us.big.clamav.net.	60	IN	A	69.163.100.14
> db.us.big.clamav.net.	60	IN	A	78.46.84.244

Steve Basford | 9 Feb 11:21 2015

certificates

Hi,

Can anyone confirm...

In one of the latest source files:

"+ \end{itemize}
+	\item For more information and examples please see
\url{https://wwws.clamav.net/bugzilla/show_bug.cgi?id=164}."

The urls:

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=164
and  https://www.clamav.net/ for that matter...

Gives an error in firefox...

"
www.clamav.net uses an invalid security certificate. The certificate is
only valid for the following names: *.herokuapp.com, herokuapp.com (Error
code: ssl_error_bad_cert_domain)"

Checked here too, same result...

https://www.sslshopper.com/ssl-checker.html#hostname=www.clamav.net
https://sslcheck.globalsign.com/en_GB/sslcheck?host=www.clamav.net

Cheers,

Steve

Virgo Pärna | 5 Feb 09:46 2015

Custom clamav rule to block exe and scr files in archive.

    Recently I have received some viruses that have scr inside zip 
archive inside zip archive. And also there have been some cabs containing exe 
files.

    Since I have already blocked exe and scr files in exim mime check I did try
to search Google for blocking those files inside archives. And since I did not 
have much success with it, I decided to post sample rules here.

    I created exe_in_archive.cdb file in clamav database directory, that 
contains:
Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*
Archived_SCR:*:*:.*\.scr:*:*:*:*:*:*
Archived_PIF:*:*:.*\.pif:*:*:*:*:*:*
Archived_COM:*:*:.*\.com:*:*:*:*:*:*

-- 
Virgo Pärna 
virgo.parna <at> mail.ee
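
Added example (not part of the post above and not ClamAV code): a Python check that parses the four .cdb container-metadata rules from the post and reports which constructed archive member names they would flag. It assumes the fourth field (FileNameREGEX) is applied as an unanchored, case-sensitive regex search, approximated here with re.search; parse_cdb, rule_hits, coverage and SAMPLE_MEMBERS are hypothetical names.

```python
import re

# The four rules exactly as posted above.
CDB_RULES = r"""
Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*
Archived_SCR:*:*:.*\.scr:*:*:*:*:*:*
Archived_PIF:*:*:.*\.pif:*:*:*:*:*:*
Archived_COM:*:*:.*\.com:*:*:*:*:*:*
"""

# .cdb field order: VirusName:ContainerType:ContainerSize:FileNameREGEX:
# FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2
FIELD_COUNT = 10

# Constructed archive member names, not taken from any real sample.
SAMPLE_MEMBERS = ["invoice.scr", "setup.exe", "report.pdf",
                  "INVOICE.SCR", "www.example.com.txt"]


def parse_cdb(text):
    """Return (name, compiled filename regex or None) for each rule line."""
    rules = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        parts = line.strip().split(":")
        if len(parts) != FIELD_COUNT:
            raise ValueError(f"line {lineno}: expected {FIELD_COUNT} fields, got {len(parts)}")
        others = parts[1:3] + parts[4:]
        if any(f != "*" for f in others):
            raise ValueError(f"line {lineno}: only filename-only rules are modelled")
        pattern = None if parts[3] == "*" else re.compile(parts[3])
        rules.append((parts[0], pattern))
    return rules


def rule_hits(rules, member_name):
    """Names of rules whose filename regex matches this archive member."""
    # Assumption: unanchored, case-sensitive search, as with POSIX regexec().
    return [name for name, rx in rules if rx is None or rx.search(member_name)]


def coverage(rules, members):
    """Map each member name to the list of rule names that flag it."""
    return {m: rule_hits(rules, m) for m in members}


if __name__ == "__main__":
    for member, hits in coverage(parse_cdb(CDB_RULES), SAMPLE_MEMBERS).items():
        print(f"{member:22} {', '.join(hits) or 'no match'}")
```

Under that assumption the upper-case name is not flagged and a name that merely contains ".com" is, so both behaviours are worth confirming with clamscan against a test archive before relying on the rules.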

james henrydoss | 4 Feb 02:09 2015

Re: ClamAV(R) blog: ClamAV 0.98.6 has been released!

Hi Joel,

I am looking for some notes to run ClamAV to scan Virtual Machine
Instances. I have a small OpenSwitch based implementation which runs two
instances of Ubuntu. I wanted to scan the ENVIRONMENT with ClamAV being run
on one of the instances.

Thanks
James Henrydoss

On Tue, Jan 27, 2015 at 6:24 PM, Joel Esler (jesler) <jesler <at> cisco.com>
wrote:

>
> http://blog.clamav.net/2015/01/clamav-0986-has-been-released.html
>
> ClamAV 0.98.6 is a bug fix release correcting the following:
>
>
>   *   library shared object revisions.
>   *   installation issues on some Mac OS X and FreeBSD platforms.
>   *   includes a patch from Sebastian Andrzej Siewior making ClamAV pid
> files compatible with systemd.
>   *   - Fix a heap out of bounds condition with crafted Yoda's crypter
> files. This issue was discovered by Felix Groebert of the Google Security
> Team.
>   *   - Fix a heap out of bounds condition with crafted mew packer files.
> This issue was discovered by Felix Groebert of the Google Security Team.
>   *   - Fix a heap out of bounds condition with crafted upx packer files.
> This issue was discovered by Kevin Szkudlapski of Quarkslab.

Jihyun-Chang | 2 Feb 16:21 2015

I have some queries about ClamAV

Dear ClamAV users,
Hi~ I am a student interested in security.
I have a few questions about ClamAV. I already understand that ClamAV can have the ability to quarantine an
infected file if it finds one.

So, I want to know:
1. I cannot find this ability (ability to quarantine) in the user manual. Could anyone let me know where it is?
2. Where are the infected files moved to? And next, should the user fix (or remove) the infected files?

I look forward to ClamAV user's response.
Best Regards.

~Chang~


Gregg Neal | 19 Jan 08:01 2015

deleting viruses ???


What do I do with this many viruses? Should they all be deleted? Are they likely to be a problem? Gregg


Dennis Peterson | 29 Jan 16:05 2015

ExtraDatabase question

Is this a deprecated feature we can/should ignore?

dp

Grzegorz Falkowski | 29 Jan 12:05 2015

Re: [squidclamAV] Configure ClamAV Daemon to scan but not block

Hello,
I configured clamAV with c-icap on ubuntu. I want to configure it to only
scan files and log but not to block.
Unfortunately I can't find any information on how it can be done.
Is there any solution that allows me to achieve my goal?
Thank you in advance
Best Regards
Grzegorz

2015-01-28 14:56 GMT+01:00 Ansaltian . <grzeg.falkowski <at> gmail.com>:

> Hello,
> I configured clamAV with c-icap on ubuntu. I want to configure it to only
> scan files but not to block.
> Unfortunately I can't find any information on how I can do it.
> Is there any solution that allows me to achieve my goal?
> Thank you in advance
> Best Regards
> Grzegorz
>
>