Smith, David | 26 Feb 16:50 2015

daily.cvd out of date?

Just did a wget http://database.clamav.net/daily.cvd and am getting a daily.cvd dated Aug 28. Is there
something going on with the servers???

[root <at> SOMESERVER freshclam]# ls -la
total 90288
drwxr-xr-x 2 root root     4096 Feb 26 10:43 .
drwxr-xr-x 4 root root     4096 Feb 23 15:01 ..
-rw-r--r-- 1 root root 27596102 Aug 28 13:26 daily.cvd

Thanks!

Dave Smith                         drsmith <at> fsu.edu          (850)645-8024
Linux Administrators               its-unixadmins <at> fsu.edu   (850)644-2591
Information Technology Services    Florida State University

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Vladislav Kurz | 26 Feb 10:46 2015

Why is ArchiveBlockMax obsoleted?

Hi all,

In response to a recent wave of viruses that were not detected by any antivirus,
we decided to simply block any nested zip files (exe inside zip inside zip).
So I tried to set MaxRecursion=1, only to find out that it passes such files
as clean without scanning deeper. I want to block such files in the same
manner as encrypted archives, but the ArchiveBlockMax option is obsolete. Why?
Is there any undocumented replacement option for that?

On some man pages I found --max-block, but that is ignored as well.
Is there any reason to drop such a function?

-- 
Best Regards
        Vladislav Kurz

Marcio Fiorette | 25 Feb 13:36 2015

ClamAV installation is OUTDATED!

Gentlemen, good morning!

I am not able to update ClamAV from version 0.98.5 to 0.98.6
on Debian 7. I have already followed the procedures on the website
www.clamav.net and still had no success.

Thank you in advance for your attention.

Regards,
Marcio
Denny Bortfeldt | 24 Feb 11:54 2015

Please deactivate this mirror

# wget db.de.clamav.net/daily.cvd
--2015-02-24 11:53:49--  http://db.de.clamav.net/daily.cvd
Resolving db.de.clamav.net (db.de.clamav.net)... 195.30.97.3, 212.227.138.145, 213.174.32.130, ...
Connecting to db.de.clamav.net (db.de.clamav.net)|195.30.97.3|:80... connected.
HTTP request sent, awaiting response... 503 Service Temporarily Unavailable
2015-02-24 11:53:49 ERROR 503: Service Temporarily Unavailable.

Haven't been able to download from it for several days.


Andreas Schulze | 24 Feb 10:26 2015

format of current.cvd.clamav.net

Hello,

Could somebody explain the meaning of the fields in the TXT record mentioned in the subject?

$ dig current.cvd.clamav.net txt +short
"0.98.6:55:20101:1424766540:1:63:43056:246"

Field1: 0.98.6 -> current software version
Field2: 55     -> ?
Field3: 20101  -> current pattern number
Field4: 1424766540 -> timestamp for what ?
...

Thanks
Andreas

-- 
Andreas Schulze
Internetdienste | P252

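As an added example (not part of any post on this list), the Python below decodes the TXT record quoted above and compares it with the header of a local daily.cvd, which is also the check the earlier "daily.cvd out of date?" thread needed. It assumes field 2 is the main.cvd version and field 4 a Unix timestamp (how freshclam consumes the record; the post itself leaves them open), and the daily.cvd header is a constructed sample, not a real file.

```python
# Added example, not from any post on this list: decode the current.cvd.clamav.net
# TXT record and compare it with a local daily.cvd header to spot a stale mirror.
# Field meanings used: 1 = release version, 2 = main.cvd version (assumption, see
# lead-in), 3 = daily.cvd version, 4 = Unix timestamp of the record (assumption).
import time

# TXT record exactly as quoted in the post.
DNS_TXT = '"0.98.6:55:20101:1424766540:1:63:43056:246"'

# Constructed sample of a CVD header: the first 512 bytes of the file, colon-separated
# (ClamAV-VDB:build date:version:signature count:functionality level:md5:dsig:builder:build time).
SAMPLE_CVD_HEADER = (b"ClamAV-VDB:28 Aug 2014 13-26 -0400:19260:3600000:63:"
                     b"<md5 placeholder>:<dsig placeholder>:builder:1409246760").ljust(512, b" ")

def parse_dns_record(txt):
    """Split the record into its colon-separated fields; the first four are decoded."""
    fields = txt.strip().strip('"').split(":")
    if len(fields) < 4:
        raise ValueError("TXT record has fewer than 4 fields: %r" % txt)
    return {"release": fields[0], "main": int(fields[1]),
            "daily": int(fields[2]), "updated": int(fields[3]), "raw": fields}

def parse_cvd_header(blob):
    """Decode the 512-byte CVD header; the padding is trailing spaces or NULs."""
    text = blob[:512].decode("ascii", "replace").rstrip(" \x00")
    parts = text.split(":")
    if len(parts) < 9 or parts[0] != "ClamAV-VDB":
        raise ValueError("not a CVD header")
    return {"build_date": parts[1], "version": int(parts[2]),
            "sigs": int(parts[3]), "flevel": int(parts[4]), "build_time": int(parts[8])}

def assess(dns, cvd, now):
    """Report whether the local daily.cvd lags the DNS record and how old the record is."""
    return {"local_version": cvd["version"], "published_version": dns["daily"],
            "versions_behind": max(0, dns["daily"] - cvd["version"]),
            "stale": cvd["version"] < dns["daily"],
            "record_age_hours": (now - dns["updated"]) / 3600.0,
            "record_time_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(dns["updated"]))}

if __name__ == "__main__":
    dns = parse_dns_record(DNS_TXT)
    cvd = parse_cvd_header(SAMPLE_CVD_HEADER)   # with a real file: open("daily.cvd", "rb").read(512)
    print(assess(dns, cvd, now=1424766540 + 7200))
```

The sample header mirrors the Aug 28 file from the first thread, so the report shows it 841 daily versions behind the record, which is the signal that a mirror served an old file rather than that the record is wrong.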

G.W. Haywood | 22 Feb 18:58 2015

Re: clamav-milter LocalNet option / outgoing mail (Debian Wheezy)

Hi there,

On Sun, 22 Feb 2015, Daniel Spies wrote:

> In my opinion, it doesn't make any sense to scan e-mail leaving the
> server.

Welcome to my permanent block list.

-- 

73,
Ged.

Daniel Spies | 22 Feb 01:42 2015

clamav-milter LocalNet option / outgoing mail (Debian Wheezy)

Hello,

What is the correct way to prevent clamav-milter (0.98.5 in Debian
Wheezy) from scanning and tagging _outgoing_ e-mail? I assumed it was
the LocalNet option; however, I did not manage to get it to work. Here
is the man entry:

LocalNet STRING 	Messages originating from these hosts/networks will not
be scanned. This option takes a host(name)/mask pair in CIDR notation
and can be repeated several times. If "/mask" is omitted, a host is
assumed. To specify a locally originated, non-smtp, email use the keyword
"local"
Default: unset (scan everything regardless of the origin)

Here is what I tried:

LocalNet 127.0.0.1/32 ::1/128 local
clamav-milterERROR: Can't resolve LocalNet hostname 127.0.0.1/32 ::1

LocalNet 127.0.0.1/32 ::1/128
clamav-milterERROR: Can't resolve LocalNet hostname 127.0.0.1/32 ::1

LocalNet 127.0.0.1/32
OK, BUT scan/tag happens

LocalNet ::1/128
OK, BUT scan/tag happens

LocalNet local
OK, BUT scan/tag happens

khan wahid | 19 Feb 23:13 2015

clamd virus delete command

Hi,

Is there any command that tells clamd to delete the infected files?

Thank you.
Best regards,
Khan

Steve Basford | 19 Feb 10:05 2015

EquationAPT sigs

Hi All,

EquationAPT is in the news... so in case this is useful...

copy the following to EquationAPT.hdb:


For those using rogue.hdb, detection is already there.

clamscan --database=EquationAPT.hdb --infected etc. etc.

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com


G.W. Haywood | 16 Feb 18:34 2015

Re: Sanesecurity FakeDate questions

Hi there,

On Mon, 16 Feb 2015, Alex Regan wrote:

> Specifically, can someone tell me if the following are legitimate
> senders or if they should be blocked anyway?
>
> From: "Enterprise Guide" <admin <at> enterpriseguide.com>
> From: Fred Pryor Seminars/CareerTrack
> <Fred_Pryor_Seminars/CareerTrack <at> knowpower.biz>
> From: TravelMole Daily UK Newswire <travelmole-wire <at> travelmole.email>
>
> I'm hoping someone has an opinion on these senders and can help me
> determine if fakedate is enough to quarantine them or if they're
> considered spam anyway?

It's up to you to decide whether you consider any particular message
spam or not.  I would take the view that all of those would qualify,
but I'm on the hanging bench.

-- 

73,
Ged.

Alex Regan | 16 Feb 17:34 2015

Sanesecurity FakeDate questions

Hi,

I'm using the sanesecurity rules with clamav on fedora20. I'm hoping 
it's okay to ask sanesecurity questions here.

I'm finding that it's very frequently hitting on fakedate, causing the 
message to be quarantined, and wondered what other people's experiences 
were with this one rule.

X-Amavis-Alert: INFECTED, message contains virus:
         Sanesecurity.Spam.12283.Fakedate.UNOFFICIAL

Date: Mon, 16 Feb 2015 02:00:00 -0500

Specifically, can someone tell me if the following are legitimate 
senders or if they should be blocked anyway?

From: "Enterprise Guide" <admin <at> enterpriseguide.com>
From: Fred Pryor Seminars/CareerTrack 
<Fred_Pryor_Seminars/CareerTrack <at> knowpower.biz>
From: TravelMole Daily UK Newswire <travelmole-wire <at> travelmole.email>

I'm hoping someone has an opinion on these senders and can help me 
determine if fakedate is enough to quarantine them or if they're 
considered spam anyway?

Thanks,
Alex
