G.W. Haywood | 4 Oct 21:35 2014

Re: Why are the ClamAV team so slow at creating signatures ?

Hi Steve,

On Sat, 4 Oct 2014, Steve Basford wrote:

> Slightly off topic, does anyone have a folder full of saved malware
> zips/rars etc. they have kept over the past xxx months, if so can U
> contact me off-list...

I don't, exactly, but I do keep records and I do look at them.

Firstly I'm only interested in what's in electronic mail.  I don't run
Windows boxes, and on the odd occasion that I need one I fire up a VM.

However the several mail servers and many other Linux boxes for which
I'm responsible have the potential to assist in the propagation of
malicious software to customers, suppliers, colleagues, family and
casual acquaintances all around the world.  Although running only
Linux boxes means I can more or less forget the threat from malware to
the machines themselves, I take the view that using them to communicate
with more vulnerable systems gives me some responsibilities.  One of my
employees could, for example, forward a message with a malicious link
in it (to which the Linux box she uses is not vulnerable) to someone
using XP.  Six months after XP went EOL, over 25% of the Windows boxes
in the UK for example are still running it.

I can't say I blame people for not wanting to be shafted by Microsoft
yet again, but I don't think they're being very responsible.  Perhaps
they'd only have themselves to blame for not using Linux, but I don't
want to add to their problems, nor to those of almost everyone else,
by sending them a virus for which their machine has no defence - and

Tim Smith | 3 Oct 13:19 2014

Why are the ClamAV team so slow at creating signatures ?

Hi,

Over the last 24-48 hours, I submitted a number of email attachments:
RAR files that contained viruses.

Running one or two of them through VirusTotal today, I see ClamAV have
*STILL* not managed to produce virus definitions for them !

All of the commercial vendors I submitted the samples to had analysed
and created samples in timeframes ranging from hours to one day.

At this rate I'm going to be dumping ClamAV from my systems and
subscribing to a service from a commercial vendor .....

Looking forward to hearing the reasons why !
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Bernd Kuhls | 3 Oct 10:55 2014

Bugzilla setup, was: Re: ARM Cross Compile

Steven Morgan <smorgan <at> sourcefire.com> wrote in news:CAH-jhOA_stD2h8pvK3zU_aa3q0rfOE0r7S_F=xWJMihhtBCAVA <at> mail.gmail.com:

> Thanks for the reports. Yes, we can fix those, I've opened bugzilla bug
> 11124 for the next ClamAV maintenance release.

Hi,

is there a problem with bugzilla?
"You are not authorized to access bug #11124." is all I see when I try to 
access the bug at https://bugzilla.clamav.net/show_bug.cgi?id=11124

Regards, Bernd



ARM Cross Compile

Notes on cross compiling clamav-0.98.4 for freescale based arm board

Download clamav-0.98.4.tar.gz

tar xvzf clamav-0.98.4.tar.gz

mkdir clamav_install_dir

created exports for cross compiler so configure finds the right stuff, e.g.; PATH, ARCH, CFLAGS, LDFLAGS,
CROSS_COMPILE, CC, AR, LD.

cd clamav-0.98.4

This is the configure line I finally got to work:

./configure --build=i686-host-linux-gnu --host=arm-fsl-linux-gnueabi \
    --with-openssl=/<built rootfs dir>/usr --with-zlib=/<built rootfs dir>/usr \
    --includedir=/<built rootfs dir>/usr/include --libdir=/<built rootfs dir>/usr/lib \
    --with-gnu-ld --with-sysroot=/<built rootfs dir> \
    --prefix=/<my clamav build dir>/clamav_install_dir --disable-clamav --enable-unrar=no

In clamav-0.98.4/clamdscan/proto.c, sockaddr_un was unknown, so made the following change:

#ifndef _WIN32
// extern struct sockaddr_un nixsock;
struct sockaddr_in nixsock;
#endif

make

make install

Paul Kosinski | 23 Sep 03:17 2014

Re: clamav-users Digest, Vol 120, Issue 17

On Mon, 22 Sep 2014 12:00:01 -0400
clamav-users-request <at> lists.clamav.net wrote:

> Message: 1
> Date: Sun, 21 Sep 2014 13:15:15 -0400
> From: Jerry <jerry <at> seibercom.net>
> To: clamav-users <at> lists.clamav.net
> Subject: Re: [clamav-users] Daily.cvd file
> Message-ID: <20140921131515.66636b94 <at> scorpio>
> Content-Type: text/plain; charset=UTF-8
> 
> On Thu, 18 Sep 2014 17:24:37 +0100 (BST), G.W. Haywood stated:
> 
> > Hi there,
> > 
> > On Thu, 18 Sep 2014, Joel Esler wrote:
> > 
> > > [something or other, I can't really tell]
> > 
> > Joel, PLEASE get a decent mail client, your messages on this list
> > are pretty near indecipherable.
> 
> I am using Claws-Mail, and I am not experiencing any problems
> reading his emails.

I also use Claws-Mail, and have little trouble reading the ClamAV
digests -- at least *after* I disabled colorizing "signatures", since
the first separator line seemed to cause the rest of the mail to be
viewed as if it were a giant signature.


Al Varnell | 26 Sep 08:48 2014

Html.Exploit.CVE_2012_2546

I seem to be getting lots of hits on my browser cache when accessing several popular sites, including
the Apple Support Community Forum.  Looks like it was just added earlier today by Alain in daily 19432.

-Al-
--

-- 
Al Varnell
Mountain View, CA


chamal desilva | 26 Sep 07:09 2014

LibClamAV Warning: cli_scanxz: decompress file size exceeds limits

Hi,

OS: Ubuntu 14.04 64 bit
ClamAv Version: ClamAV 0.98.1/19437/Fri Sep 26 04:06:13 2014

1. Download http://llvm.org/releases/3.5.0/cfe-3.5.0.src.tar.xz
2. Scan - clamscan cfe-3.5.0.src.tar.xz
3. Receive this warning and output.
    LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 27262976 bytes
cfe-3.5.0.src.tar.xz: OK

Best Regards,
Chamal.

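
The warning above means clamscan reached its per-file decompression limit inside the .xz stream and stopped at the byte count it prints, so the trailing "OK" only covers the part of the archive that was actually scanned. The usual fix is to raise the limit (clamscan --max-filesize / --max-scansize, or MaxFileSize / MaxScanSize in clamd.conf). The following is an added example, not part of this thread or of ClamAV: it reads the uncompressed sizes that an .xz file declares in its stream index, without decompressing anything, so you can tell beforehand whether a scan with a given limit would be partial. The limit constant is the byte count from the warning; the sample archives are constructed in the script itself. One caveat: the index is data the file declares about itself, so treat the result as a hint for sizing limits, not as a bound on what a malicious archive will actually expand to.

```python
import lzma
import sys
import zlib

XZ_MAGIC = b"\xfd7zXZ\x00"
# Byte count quoted in the warning in the message above (where the scan stopped).
SCAN_LIMIT = 27262976


def _varint(buf, pos):
    """Decode an xz multibyte integer: 7 bits per byte, least significant first."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("multibyte integer too long")


def xz_declared_size(data):
    """Sum the uncompressed sizes recorded in the index of every stream of an
    .xz file.  Nothing is decompressed: streams are walked backwards from the
    end of the file using each stream footer's backward-size field."""
    total = 0
    end = len(data)
    while end > 0:
        if end < 24 or data[end - 2:end] != b"YZ":
            raise ValueError("stream footer not found")
        backward = int.from_bytes(data[end - 8:end - 4], "little")
        index_size = (backward + 1) * 4
        index_start = end - 12 - index_size
        if index_start < 12 or data[index_start] != 0x00:
            raise ValueError("index indicator not found")
        # The index ends with a CRC32 over everything in it before the CRC.
        stored_crc = int.from_bytes(data[end - 16:end - 12], "little")
        if zlib.crc32(data[index_start:end - 16]) != stored_crc:
            raise ValueError("index CRC mismatch")
        pos = index_start + 1
        records, pos = _varint(data, pos)
        blocks_size = 0
        for _ in range(records):
            unpadded, pos = _varint(data, pos)
            uncompressed, pos = _varint(data, pos)
            blocks_size += (unpadded + 3) & ~3  # each block is padded to 4 bytes
            total += uncompressed
        stream_start = index_start - blocks_size - 12  # 12-byte stream header
        if stream_start < 0 or data[stream_start:stream_start + 6] != XZ_MAGIC:
            raise ValueError("stream header not found")
        end = stream_start
        # Stream padding between concatenated streams: multiples of 4 null bytes.
        while end >= 4 and data[end - 4:end] == b"\x00" * 4:
            end -= 4
    return total


def scan_would_be_partial(data, limit=SCAN_LIMIT):
    """True when the declared size exceeds the scanner's per-file limit, i.e.
    when only the first `limit` bytes would be scanned before reporting OK."""
    return xz_declared_size(data) > limit


def compress_sample(payload):
    """Helper to construct test input: a single-stream .xz of `payload`."""
    return lzma.compress(payload, format=lzma.FORMAT_XZ)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = compress_sample(b"x" * 100000)  # constructed input, no file needed
    size = xz_declared_size(blob)
    print(f"declared uncompressed size: {size} bytes; "
          f"partial scan at limit {SCAN_LIMIT}: {size > SCAN_LIMIT}")
```

Run it as `python3 xzsize.py cfe-3.5.0.src.tar.xz` to see the declared size of the file from the message; if it is above the limit, raise MaxFileSize (and MaxScanSize, which caps the total scanned per file) rather than trusting the OK.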

Tim Edwards | 25 Sep 17:31 2014

Whitelist Zip.Suspect.MiscDoubleExtension

The recent addition of Zip.Suspect.MiscDoubleExtension signatures has been
causing a lot of trouble for us, as it keeps getting flagged for completely
innocuous files such as foo_handle_pdf.js.

I've been adding each signature to our whitelist, such
as Zip.Suspect.MiscDoubleExtension-1, Zip.Suspect.MiscDoubleExtension-2,
etc.  Is there a simple way to whitelist Zip.Suspect.MiscDoubleExtension-*
?   I tried using a regex in the whitelist file to no avail.

Thanks,
Tim

--
Tim
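
As far as I know a .ign2 file holds one exact signature name per line and does not expand globs or regexes, which is why the wildcard attempt above matched nothing. What does work is expanding the pattern yourself against the signature list and writing the literal names. The following is an added example, not from the thread or from ClamAV: it takes `sigtool --list-sigs` output (a constructed stand-in is embedded), expands glob patterns such as `Zip.Suspect.MiscDoubleExtension-*`, and merges the resulting names into an existing .ign2 without duplicates. The script name and the `local.ign2` filename are assumptions; the file must sit in ClamAV's database directory to be loaded.

```python
import fnmatch
import sys

# Constructed stand-in for `sigtool --list-sigs` output (the real list is long).
SAMPLE_SIGS = """Zip.Suspect.MiscDoubleExtension-1
Zip.Suspect.MiscDoubleExtension-2
Zip.Suspect.MiscDoubleExtension-3
Win.Trojan.Agent-12345
Heuristics.Phishing.Email.SpoofedDomain
"""


def matching_signatures(listing, patterns):
    """Expand shell-style globs against a signature listing and return the
    literal names (sorted, deduplicated) that a .ign2 file can carry."""
    names = [line.strip() for line in listing.splitlines() if line.strip()]
    hits = set()
    for pattern in patterns:
        hits.update(fnmatch.filter(names, pattern))
    return sorted(hits)


def merge_ign2(existing_text, new_names):
    """Return .ign2 content with `new_names` appended: existing lines (including
    comments) are kept in order, and a name already present is never repeated."""
    lines = [line.strip() for line in existing_text.splitlines()]
    seen = {line for line in lines if line and not line.startswith("#")}
    merged = list(lines)
    for name in new_names:
        if name not in seen:
            merged.append(name)
            seen.add(name)
    return "\n".join(merged).rstrip("\n") + "\n"


if __name__ == "__main__":
    # usage: sigtool --list-sigs | python3 ign2_expand.py local.ign2 'Zip.Suspect.MiscDoubleExtension-*'
    if len(sys.argv) < 3:
        sys.exit("usage: ign2_expand.py <ign2 file> <glob> [<glob> ...]")
    ign2_path, patterns = sys.argv[1], sys.argv[2:]
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SIGS
    try:
        with open(ign2_path) as fh:
            existing = fh.read()
    except FileNotFoundError:
        existing = ""
    names = matching_signatures(listing, patterns)
    with open(ign2_path, "w") as fh:
        fh.write(merge_ign2(existing, names))
    print(f"{len(names)} signature name(s) matched; {ign2_path} updated")
```

Re-run it after each database update that adds a new member of the family; the merge step keeps the file idempotent.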
Thorvald Hallvardsson | 23 Sep 13:44 2014

False positives phishing sites

Hi guys,

I need a bit of help in understanding why ClamAV finds phishing URLs in the
very very legitimate emails.

I have got some customers complaining that some emails from normal retail
shops (newsletters) are marked as phishing. Also multiple customers are having
issues with receiving emails from Amazon MasterCard (Bank of America)
being marked as phishing. We have multiple examples where exact viruses are
not being identified... viruses that are 2-3 years old.

I update databases every couple of hours. I know it's hard to keep
signatures up-to-date but there are few cases which I don't understand.

However let's focus on the Amazon email about MasterCard.

The output from clamscan --debug says:
LibClamAV debug: Got a match: youraccount.mbna.co.uk/ with /ku.oc.anbm
LibClamAV debug: Before inserting .: .youraccount.mbna.co.uk
LibClamAV debug: Lookup result: in regex list
LibClamAV debug: Phishcheck:host:.www.bankofamerica.co.uk
LibClamAV debug: Phishing: looking up in whitelist: .www.bankofamerica.co.uk:.youraccount.mbna.co.uk; host-only:1
LibClamAV debug: Looking up in regex_list: www.bankofamerica.co.uk:youraccount.mbna.co.uk/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
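
The debug trace shows what the SpoofedDomain heuristic is doing: the link's real target (youraccount.mbna.co.uk) and the host named in its visible text (www.bankofamerica.co.uk) belong to different domains, and no whitelist pair covers that combination, so the mail is flagged even though both hosts belong to the same bank. The following is an added example, not ClamAV's code, that models the check in simplified form so the false positive is easy to reason about: it pairs each href with its visible text, compares registrable domains, and consults whitelist lines in the `M:RealHostname:DisplayedHostname` shape that I understand .wdb host entries to take (verify against the ClamAV signature documentation before relying on it). The sample mail and the whitelist entry are constructed, and `registered_domain` is a deliberately crude stand-in for a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mail: the first link shows one bank's host as its text but
# points at another (the same pair as in the debug output above); the other two
# are the harmless shapes that must not be flagged.
SAMPLE_EMAIL = """<html><body>
<p>Manage your card at <a href="https://youraccount.mbna.co.uk/login">www.bankofamerica.co.uk</a></p>
<p>Shop at <a href="https://www.amazon.co.uk/deals">Today's deals</a></p>
<p>Unsubscribe: <a href="http://news.example-shop.com/u?id=1">http://news.example-shop.com/unsubscribe</a></p>
</body></html>"""

# Hypothetical whitelist line in the assumed M:RealHostname:DisplayedHostname shape.
WHITELIST = ["M:youraccount.mbna.co.uk:www.bankofamerica.co.uk"]


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Link text counts as "displaying a URL" when it starts with a hostname,
# optionally preceded by a scheme; anything else is plain descriptive text.
HOST_RE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#]|$)", re.I)


def displayed_host(text):
    """Host named in the visible link text, or None when the text is not URL-like."""
    m = HOST_RE.match(text)
    return m.group(1).lower() if m else None


def registered_domain(host):
    """Crude registrable-domain guess: keeps three labels for co.uk-style suffixes."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "org", "ac", "gov", "net") and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_whitelist(lines):
    """Read M:real:displayed host pairs; other record types are ignored here."""
    pairs = set()
    for line in lines:
        kind, real, shown = line.strip().split(":", 2)
        if kind == "M":
            pairs.add((real.lower(), shown.lower()))
    return pairs


def spoofed_domain_findings(html, whitelist_lines=()):
    """Return (real host, displayed host) pairs whose registrable domains differ
    and that no whitelist pair covers; an empty list means no SpoofedDomain hit."""
    parser = LinkExtractor()
    parser.feed(html)
    allowed = parse_whitelist(whitelist_lines)
    findings = []
    for href, text in parser.links:
        real = (urlparse(href).hostname or "").lower()
        shown = displayed_host(text)
        if not real or not shown:
            continue  # plain descriptive link text: nothing to compare
        if (real, shown) in allowed:
            continue
        if registered_domain(real) != registered_domain(shown):
            findings.append((real, shown))
    return findings


if __name__ == "__main__":
    print("without whitelist:", spoofed_domain_findings(SAMPLE_EMAIL))
    print("with whitelist:   ", spoofed_domain_findings(SAMPLE_EMAIL, WHITELIST))
```

The design point is that the heuristic is comparing what the recipient sees with where the click goes; a whitelist pair has to name both sides, which is why whitelisting just one of the hosts does not stop the hit.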

David Cain | 23 Sep 00:26 2014

Locked freshclam.log error msg

ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
ERROR: /var/log/clamav/freshclam.log is locked by another process

DC

David Cain | 23 Sep 00:23 2014

Freshclam.log locked weekly

Hi all,

I'm running ClamAV with amavisd-new on a Debian Wheezy server. I update the server with security and s/w
updates weekly, so it's on the latest now for the distro.

Every Sunday at exactly 9PM EDT (0100 UTC), cron sends me an email that freshclam.log is locked. Thing is,
I'm not running freshclam with cron, and there's not ANYTHING in crontab, cron.d, cron.hourly,
cron.daily or cron.weekly that's supposed to be running at that time.

Any idea what's going on? Any thoughts appreciated.

DC

