McCarthy, John D. | 9 Sep 14:08 2014

Where can I download the daily.cvd and main.cvd files?


_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Denny Bortfeldt | 9 Sep 10:48 2014

Problem with missing information

Hello everyone,

I've got a little problem and don't know what happened to my system.
Every time I start "clamscan" or "freshclam" I get the following error:
clamscan: /usr/local/lib/libxml2.so.2: no version information available (required by /usr/lib/libclamav.so.6)
clamscan: /usr/local/lib/libxml2.so.2: no version information available (required by /usr/lib/libclamav.so.6)
clamscan: /usr/local/lib/libxml2.so.2: no version information available (required by /usr/lib/libclamav.so.6)
clamscan: /usr/local/lib/libxml2.so.2: no version information available (required by /usr/lib/libclamav.so.6)

I'm using Debian 7 - everything patched and up-to-date.
Tried also "apt-get purge clamav clamav-base clamav-freshclam libclamav6" and install it again.
I also removed and installed libxml2, but the error stays.

Does anyone have an answer for my little problem?

Thanks in advance.

Sincerely,
Denny

Urban Loesch | 8 Sep 16:57 2014

Fwd: Re: clamav-milter: Failed to create temporary file


Hi,

the patched version of clamav-milter has been running for 5 days without problems.
I can confirm that your patch solved the problem.

Thanks and regards
Urban Loesch

-------- Original Message --------
Subject: Re: [clamav-users] clamav-milter: Failed to create temporary file
Date: Thu, 04 Sep 2014 15:21:00 +0200
From: Urban Loesch <bind <at> enas.net>
To: Steven Morgan <smorgan <at> sourcefire.com>,  "J. David Rye" <d.rye <at> roadtech.co.uk>
CC: Shawn Webb (shawebb) <shawebb <at> cisco.com>

Hi,

I installed the patch on one of my servers where it happens.
Now I have to wait some days, because to me it does not happen very frequently.

I'll let you know the result.

Many thanks
Urban

On 04.09.2014 00:57, Steven Morgan wrote:
> Hi,
> 
> We may have an answer. Is it possible try the following patch and see if it fixes the problem?
(Continue reading)

Hajo Locke | 8 Sep 16:04 2014

Hint for creating signatures

Hello,

From time to time I create some signatures from what I found in the PHP code 
of my users.
Now I found some malware that worries me. It's obfuscated PHP code to 
execute all which was sent by POST (mostly spam mails). If I decrypt 
the code, I always find the same malware code. But the code, as it can be 
found in the PHP page, is always variable.

samples can be found here for next 2 weeks: http://pastebin.com/9VAW8FKK

What should I do now? Is there a trick to find a signature which fits 
for all samples, or do I have to create a different signature for every sample?
What is your view on this subject?

Thanks,
Hajo


(Continue reading)

Steve Basford | 5 Sep 11:10 2014

Sanesecurity:foxhole-databases

Hi All,

For those using Sanesecurity foxhole databases, I've finally updated
their usage information:

http://sanesecurity.com/foxhole-databases/

Cheers,

Steve
Sanesecurity.com


Ted Gilchrist | 4 Sep 23:24 2014

PUA.Misc.DoubleExtension-zippwd-4 false positive

I started receiving this virus warning, and I think it's a false alarm. I
read that I could use clamscan --detect-pua=no to have clamscan ignore such
PUA warnings, but that didn't work.

How should I proceed? I notice that this virus definition just got added
yesterday (http://blog.gmane.org/gmane.comp.security.virus.clamav.virusdb)

This message comes up for certain jar files.

Thanks.

-- 
"Speech, not just for humans"

http://www.google.com/profiles/egilchri
about.me/ted.gilchrist

Mark Price | 4 Sep 17:23 2014

clamscan and PUA

In the past day we have had clamscan on several servers detect infected
files due to:  PUA.Windows.DoubleExtension-zippwd-3

I've read the clamscan manpage but have not had any luck with getting the
"--detect-pua" option to work.  Example:

# clamscan --detect-pua=no ./sample-msg1.txt
./sample-msg1.txt: PUA.Windows.DoubleExtension-zippwd-3 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3515268
Engine version: 0.98
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.05 MB (ratio 0.00:1)
Time: 9.402 sec (0 m 9 s)

In this case, is the infected file being detected by a PUA that I should be
able to disable with a command-line option?  Or is "PUA" simply part of the
virus signature name?

Thanks,

Mark

(Continue reading)
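Both Mark's and Ted's posts are about the same kind of triage: several servers report hits on PUA.*DoubleExtension-zippwd-* signatures and the admin needs to see which signature families are involved before deciding what to do about them. The following script is an added example, not code from either post and not a ClamAV tool; it parses the "path: SIGNATURE FOUND" lines and the SCAN SUMMARY block that clamscan prints (the format shown in Mark's message), aggregates the hits across hosts, and groups them into families by dropping the trailing variant number (an assumption about the naming convention, e.g. "-3" and "-4"). The clamscan output embedded below is constructed; only the signature names come from the thread.

```python
import re
from collections import defaultdict

# Constructed clamscan output from two hosts (not the posters' real output).
SAMPLE_OUTPUTS = {
    "web1": """\
./sample-msg1.txt: PUA.Windows.DoubleExtension-zippwd-3 FOUND
./attach/setup.exe: Win.Trojan.Agent-123 FOUND
./ok.txt: OK

----------- SCAN SUMMARY -----------
Known viruses: 3515268
Engine version: 0.98
Scanned files: 3
Infected files: 2
""",
    "web2": """\
/srv/mail/msg2.eml: PUA.Windows.DoubleExtension-zippwd-3 FOUND
/srv/mail/msg3.eml: PUA.Misc.DoubleExtension-zippwd-4 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3515268
Engine version: 0.98
Scanned files: 2
Infected files: 2
""",
}

# One detection line: "<path>: <signature> FOUND"
HIT_RE = re.compile(r'^(?P<path>.+?): (?P<sig>\S+) FOUND$')
# One summary line: "<Key words>: <value>"
SUMMARY_RE = re.compile(r'^(?P<key>[A-Za-z ]+): (?P<value>.+)$')


def parse_clamscan(output):
    """Split clamscan output into a list of (path, signature) hits and a
    dict of the SCAN SUMMARY fields."""
    hits, summary = [], {}
    in_summary = False
    for line in output.splitlines():
        if line.startswith('-----------'):   # "----------- SCAN SUMMARY -----------"
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group('key')] = m.group('value')
        else:
            m = HIT_RE.match(line)
            if m:
                hits.append((m.group('path'), m.group('sig')))
    return hits, summary


def family(sig):
    """Drop a trailing variant number: 'PUA.Windows.DoubleExtension-zippwd-3'
    becomes 'PUA.Windows.DoubleExtension-zippwd' (assumed naming convention)."""
    return re.sub(r'-\d+$', '', sig)


def category(sig):
    """Coarse bucket by signature namespace prefix (this script's convention)."""
    if sig.startswith('PUA.'):
        return 'pua'
    if sig.startswith('Heuristics.'):
        return 'heuristic'
    return 'signature'


def triage(outputs):
    """Aggregate hits from {host: clamscan_output} into
    {family: {'count': n, 'hosts': set(), 'category': str}}."""
    report = defaultdict(lambda: {'count': 0, 'hosts': set(), 'category': None})
    for host, out in outputs.items():
        hits, _summary = parse_clamscan(out)
        for _path, sig in hits:
            fam = family(sig)
            report[fam]['count'] += 1
            report[fam]['hosts'].add(host)
            report[fam]['category'] = category(sig)
    return dict(report)


if __name__ == '__main__':
    for fam, info in sorted(triage(SAMPLE_OUTPUTS).items()):
        print(f"{info['category']:9} {info['count']:3}  {sorted(info['hosts'])}  {fam}")
```

The grouping by prefix only reflects the signature name; whether a given name is controlled by --detect-pua is exactly what the thread is asking, and the script does not decide that. It is meant to give a per-family, per-host view so that a family that suddenly appears on every server after a database update (as in these posts) stands out for review.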

MAYER Hans | 3 Sep 17:46 2014

clamd crashed


Dear ClamAv Users,

In my environment I have 2 external mail gateways in the DMZ, forwarding all e-mails to an internal mail server.
All of them are running Solaris 11 with sendmail and mimedefang as milter.
I have been running this constellation for a little more than a year, very successfully and without any downtime until 2 weeks ago.

Around 2 weeks ago all 3 servers stopped working for mail forwarding because the process clamd core dumped.
At that time I was using a beta version of 0.98.4, clamav-0.98.4-rc1.
I traced the problem back to the fact that I didn't use the latest version.
So I upgraded to clamav-0.98.4 and in the same step also mimedefang to the latest version 2.75.
This is how mimedefang involves clamd in /usr/local/bin/mimedefang.pl
$Features{'Virus:CLAMD'}    = ('/usr/local/sbin/clamd' ne '/bin/false' ? '/usr/local/sbin/clamd' : 0);
The system worked stable for 2 weeks.

Yesterday evening I noticed the same problem. A restart didn't help. After a short time clamd crashed again.
As a short-term solution I disabled the virus scanning overnight.
Today I have a stable situation without changing anything. Of course pattern updates are running.
I assume an ugly attachment did crash the virus scanning process. Now this mail is passed and it's running fine.

I am worried that the ClamAV solution is becoming more and more unstable.

How can I support the ClamAV team with additional information to reach a stable system again?
What I have is a 305 MB core dump from clamd for the Sparc platform. But I think this will not help.
In the meantime I started clamd with the option --debug.
So far I haven't found any entries in the syslog.

Kind regards
Hans

(Continue reading)

Gene Heskett | 3 Sep 12:40 2014

False positive for sure

Greetings;

This report from last night's clamscan is absolutely a false positive:
/home/gene/Downloads/Download/DriveWire4_linux_i386.tar.gz: 
PUA.Misc.DoubleExtension-zippwd-3 FOUND

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS

YSPSC IT | 3 Sep 01:22 2014

PLEASE REMOVE

From this mailing list...

-----Original Message-----
From: clamav-users [mailto:clamav-users-bounces <at> lists.clamav.net] On Behalf
Of Steven Morgan
Sent: Wednesday, September 3, 2014 8:43 AM
To: ClamAV users ML
Subject: Re: [clamav-users] Conflicting structured data detections

Hi Frank,

I've looked at the code. --structured-ssn-format alone does nothing. What is
your result using both --structured-ssn-format and --detect-structured=yes?

Also, I hear you about your regex scan. If you want to open a ticket at
bugzilla.clamav.net and post your file, we can take a look at it.

Thanks,
Steve

On Fri, Aug 29, 2014 at 11:38 AM, Frank Sfalanga Jr. <
Frank <at> csiglobalvcard.com> wrote:

> Hello,
>
> I'm getting conflicting reports of SSN found within log files.  If I 
> use the '--detect-structured=yes' switch I get this result
>
>
> root <at> CSI-app1:/var/log# clamscan -v -i -r --detect-structured=yes
(Continue reading)

Frank Sfalanga Jr. | 29 Aug 17:38 2014

Conflicting structured data detections

Hello,

I'm getting conflicting reports of SSN found within log files.  If I use
the '--detect-structured=yes' switch I get this result:

root <at> CSI-app1:/var/log# clamscan -v -i -r --detect-structured=yes
auth.log.3
Scanning auth.log.3
auth.log.3: Heuristics.Structured.SSN FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3513235
Engine version: 0.98.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 1.03 MB (ratio 0.00:1)
Time: 8.369 sec (0 m 8 s)

If I scan using the '--structured-ssn-format=2' switch I get no
detection of the SSN.  Like this:

root <at> CSI-app1:/var/log# clamscan -v -i -r  --structured-ssn-format=2
auth.log.3
Scanning auth.log.3

----------- SCAN SUMMARY -----------
Known viruses: 3513235
Engine version: 0.98.1
(Continue reading)

