Thorvald Hallvardsson | 23 Sep 13:44 2014

False positives phishing sites

Hi guys,

I need a bit of help in understanding why ClamAV finds phishing URLs in the
very very legitimate emails.

I have got some customers complaining that some emails from normal retail
shops (newsletters) are marked as phishing. Also, multiple customers are having
issues with emails from Amazon Master Card (Bank of America)
being marked as phishing. We have multiple examples where exact viruses are
not being identified... viruses like 2-3 years old.

I update databases every couple of hours. I know it's hard to keep
signatures up-to-date, but there are a few cases which I don't understand.

However let's focus on the Amazon email about MasterCard.

The output from clamscan --debug says:
LibClamAV debug: Got a match: youraccount.mbna.co.uk/ with /ku.oc.anbm
LibClamAV debug: Before inserting .: .youraccount.mbna.co.uk
LibClamAV debug: Lookup result: in regex list
LibClamAV debug: Phishcheck:host:.www.bankofamerica.co.uk
LibClamAV debug: Phishing: looking up in whitelist: .www.bankofamerica.co.uk:.youraccount.mbna.co.uk; host-only:1
LibClamAV debug: Looking up in regex_list: www.bankofamerica.co.uk:youraccount.mbna.co.uk/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
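As an added illustration (my own code, not ClamAV's and not from this thread), the following Python models the check behind the debug output above: the host shown in the link text (www.bankofamerica.co.uk) is compared with the host the link really targets (youraccount.mbna.co.uk), and a mismatch that is not covered by a whitelist pair yields Heuristics.Phishing.Email.SpoofedDomain. The whitelist shape (pairs of real and displayed hosts) and the registrable-domain heuristic are simplifying assumptions, not ClamAV's actual .wdb format or logic.

```python
import re
from urllib.parse import urlparse

# Added example, not ClamAV's own code: a simplified model of the displayed-host
# vs. real-host comparison behind Heuristics.Phishing.Email.SpoofedDomain.
# The whitelist shape (pairs of hosts) is an assumption, not ClamAV's .wdb format.
ANCHOR_RE = re.compile(r'<a\s[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r'(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})', re.I)
CC_SLD = {"co", "com", "org", "net", "ac", "gov"}   # crude handling of co.uk etc.

def hostname(url):
    """Lower-cased host of a URL or bare domain; None if there is none."""
    host = urlparse(url if "://" in url else "http://" + url).hostname
    return host.lower() if host else None

def registrable(host):
    """Approximate registrable domain: bankofamerica.co.uk, mbna.co.uk, example.org."""
    parts = host.split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in CC_SLD:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])

def check_anchor(href, text, whitelist=frozenset()):
    """Name the heuristic if the visible text shows one host but the link
    targets another organisation's host; None means no finding."""
    real = hostname(href)
    m = HOST_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))   # strip inner tags
    if real is None or m is None:
        return None                      # no host in the visible text: nothing to compare
    shown = m.group(1).lower()
    if registrable(shown) == registrable(real):
        return None                      # same organisation, e.g. www vs. account subdomain
    if (real, shown) in whitelist:
        return None                      # known-legitimate pair (co-branded card site)
    return "Heuristics.Phishing.Email.SpoofedDomain"

def scan_html(html, whitelist=frozenset()):
    """Apply check_anchor to every <a> in an HTML body; return (real host, finding) pairs."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        finding = check_anchor(href, text, whitelist)
        if finding:
            findings.append((hostname(href), finding))
    return findings

# Constructed sample modelled on the debug output above, not a real Amazon/MBNA message.
SAMPLE = ('<p>Manage your card at <a href="http://youraccount.mbna.co.uk/">'
          'www.bankofamerica.co.uk</a> or see <a href="https://www.example.org/">'
          'www.example.org</a>.</p>')
WHITELIST = {("youraccount.mbna.co.uk", "www.bankofamerica.co.uk")}
```

Running scan_html(SAMPLE) flags the MBNA link, while scan_html(SAMPLE, WHITELIST) returns nothing, which is the effect a whitelist entry for a legitimate co-branded sender would have.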

David Cain | 23 Sep 00:26 2014

Locked freshclam.log error msg

ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
ERROR: /var/log/clamav/freshclam.log is locked by another process

DC
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

David Cain | 23 Sep 00:23 2014

Freshclam.log locked weekly

Hi all,

I'm running ClamAV with amavisd-new on a Debian Wheezy server. I update the server with security and s/w
updates weekly, so it's on the latest now for the distro.

Every Sunday at exactly 9PM EDT (0100 UTC), cron sends me an email that freshclam.log is locked. Thing is,
I'm not running freshclam with cron, and there's not ANYTHING in crontab, cron.d, cron.hourly,
cron.daily or cron.weekly that's supposed to be running at that time.

Any idea what's going on? Any thoughts appreciated.

DC

Paul Kosinski | 19 Sep 20:30 2014

Re: daily.cvd vs main.cvd

On Fri, 19 Sep 2014 12:00:00 -0400
Al Varnell <alvarnell <at> mac.com> wrote:
> OK, so I'm a bit confused by this.
> 
> I realize that many of us have different approaches to updating the
> database, due to different circumstances in network access, etc.,
> but why are you downloading daily.cvd five times a day instead of
> using freshclam to incrementally update as recommended to all users,
> if bandwidth is such an important resource to you?  It certainly has
> a negative impact to the mirror network if many users are doing this
> routinely.
> [SNIP]

We *are* using freshclam to acquire daily.cvd. I used the term
'download' to denote the concept of acquiring data from a remote
computer, it doesn't mean that we go to the mysterious URL which is
being discontinued to retrieve daily.cvd.

In particular, every hour at 7 minutes past the hour (see crontab
entry below) a wrapper script is executed via cron which in turn
invokes freshclam. The wrapper script logs various information every
time it runs, whether or not anything is actually pulled from the
ClamAV mirror. (See below for log excerpts.)

The statement in my earlier posting about 'downloading' 5 times in one
day was merely a reference to the fact that on that particular day
freshclam decided to retrieve a new daily.cvd 5 times, out of 24
hourly checks. And, in spite of the use of freshclam, the daily.cvd
that got retrieved was quite large (28 MB, according to Wireshark's
"Follow TCP Stream" function).

Paul Kosinski | 18 Sep 23:53 2014

Re: daily.cvd vs main.cvd

On Thu, 18 Sep 2014 12:00:00 -0400
Joel Esler wrote:

> You are not remembering correctly. That may have been true a decade
> ago, but for the last half dozen years or so the main stayed the
> same for every new release and was only updated when it was more
> efficient to update it than to continue downloading large daily's. I
> seem to recall that the last update was late and that there was
> approximately a year between updates in earlier days, but even that
> varied.

According to our backup records (see below), in the 2 year period from
April 2008 to April 2010, there were *7* different main.cvd files (at
least), or more often than one every two releases (see below).

> You may be correct in that it's time for another update, but since
> it mostly impacts the load on network servers and not you and other
> clients, that's something the team will need to analyze and decide.
> 
> All is correct here.  I'll check with the team of when
> the 'rollover' will take place, as this has a substantial impact on
> the mirror infrastructure, we have to let the mirrors know before we
> do it.  As you can imagine, the 7M+ users of ClamAV all downloading
> a main.cvd from a mirror is quite heavy on bandwidth if you aren't
> expecting it.

I don't know exactly how big a new main.cvd file would be, but even
if it were as big as the current main.cvd (62 MB) *plus* the current
daily.cvd (28 MB) taken together, it would still be only 90 MB, which
is significantly less than the 140 MB for the 5 updates to the

G.W. Haywood | 18 Sep 18:24 2014

Re: Daily.cvd file

Hi there,

On Thu, 18 Sep 2014, Joel Esler wrote:

> [something or other, I can't really tell]

Joel, PLEASE get a decent mail client, your messages on this list are
pretty near indecipherable.

--

73,
Ged.

Paul Kosinski | 18 Sep 06:59 2014

Re: Daily.cvd file

Hi,

I'm running ClamAV 0.98.4, yet when I built it the main.cvd file was
from 17 Sep 2013 (now a year old!), and the daily.cvd files have been
about 28 MB each. Even though I have been running a local mirror on our
LAN for years now, it's really annoying that the daily.cvd files are so
big.

When ClamAV was independent, every new release had an updated
main.cvd, and the daily.cvd files were of modest size. Now the whole
0.98.x series has the same main.cvd, and the daily.cvds keep getting
bigger. The immediately previous main.cvd, in the 0.97.x series, was
shipped with 0.97.3 and was dated Oct 2011.

So now we've had the same main.cvd for a year, and before that, almost
2 years!

May I suggest that it would save everybody a lot of bandwidth if
main.cvd was updated at least with each release, and probably whenever
the daily.cvd gets so big that updating it several times a day exceeds
the bandwidth for one update of main.cvd. 

For example, on 17 Sep 2014 (yesterday), we updated daily.cvd 5 times
(checking once per hour at HH:07), for a total of about 140 MB!
Furthermore, according to Wireshark, a download was indeed about 28 MB
(no RSYNC-style compression apparently).

So, as you improve the Website and the servers, consider reducing the
total bandwidth used in some way. It will help everybody.


James Meason | 17 Sep 14:53 2014

Joomla Templates - False Positive

Hi guys,
I have seen a similar thread about tweaks you are making to ClamAV signatures.

We run a cPanel webhosting server. We have never had trouble
uploading RocketTheme Joomla template zips before, but now suddenly they
are being blocked from upload with:

Upload Status
osmosis-1.1-rocketlauncher_j32.zip
 (osmosis-1.1-rocketlauncher_j32.zip): Virus Detected; File not 
Uploaded! (Zip.Suspect.MiscDoubleExtension-zippwd-4 FOUND)

This is not a virus-infected file, however, and this affects all of the RocketTheme launcher packs.

We definitely need to be able to upload these Joomla installers.

Any help to get this fixed would be appreciated.

 Thanks

James Meason



Al Varnell | 16 Sep 23:28 2014

FP: Win.Worm.Chir-681

The following file was found in Adobe PhotoShop CS6 infected with Win.Worm.Chir-681 (apparently added to
the database earlier today):

/Applications/Adobe Photoshop CS6/Adobe Photoshop CS6.app/Contents/Required/Droplet Template.exe

I’ve submitted it as a False Positive (MD5=fd5137d1998bf8fcbab832123dd72256), but I’m curious
about one thing.

Why doesn’t VirusTotal identify it as infected 
<https://www.virustotal.com/en/file/86ee28923d4e7255762442fe93f220237197a756182ce320f5f6887b5c7147c5/analysis/1410901675/>
when it shows the .text PE section of the file matches the signature hash (316287b0b4a47ada39244de795b7ca3c)?

-Al-

-- 
Al Varnell
Mountain View, CA

Volcy, Georges | 15 Sep 20:03 2014

daily.cvd file.

I've been unable to find and download daily.cvd  files on the clamav.net site.
I wanted to know if clamav is no longer providing the daily.cvd  files.
I'm still running clamav version 0.97.
Thanks,
Georges Volcy
SCADA Engineer - EMS
PSEG Long Island
CNI - EMS Provisioning & Support
(516) 545-4481 (Desk)
(516) 492-9773 (Cell)
(516) 545-4064 (Office)
Note: As of January 1, 2014, my email address is now georges.volcy <at> pseg.com


Tommy Berglund | 11 Sep 09:27 2014

Warning in ClamAV update process

I always get these warnings, and it is always IP 192.121.13.5.
Any way to avoid these warnings?

Debian 7.0
clamav 0.98.4

  Last Status:
     main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
     WARNING: getfile: daily-19353.cdiff not found on remote server (IP: 192.121.13.5)
     WARNING: getpatch: Can't download daily-19353.cdiff from db.local.clamav.net
     Trying host db.local.clamav.net (193.1.193.64)...
     Downloading daily-19353.cdiff [100%]
     daily.cld updated (version: 19353, sigs: 1098868, f-level: 63, builder: neo)
     bytecode.cvd is up to date (version: 242, sigs: 46, f-level: 63, builder: dgoddard)
     Database updated (3523139 signatures) from db.local.clamav.net (IP: 193.1.193.64)
     Clamd successfully notified about the update.

  The following ERRORS and/or WARNINGS were detected when
  running the ClamAV update process.  If these ERRORS and/or
  WARNINGS do not show up in the "Last Status" section above,
  then their underlying cause has probably been corrected.

  WARNINGS:
     getpatch: Can't download daily-19348.cdiff from 