[clamav-users] clamav-users Digest, Vol 143, Issue 20

T.A. Gregory tagsitqaf at gmail.com
Sun Oct 30 16:54:35 EDT 2016


re: FreshClam Errors - Deprecated version

No. I'm not in Tanzania. I'm in the U.S.

When I run that command I get this return:

database.clamav.net is an alias for db.local.clamav.net.

db.local.clamav.net is an alias for db.us.rr.clamav.net.

followed by a series of IP Addresses.

Are you thinking that I'm getting redirected somewhere?

TAG

On Tue, Oct 25, 2016 at 9:00 AM, <clamav-users-request at lists.clamav.net>
wrote:

> Send clamav-users mailing list submissions to
>         clamav-users at lists.clamav.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> or, via email, send a message with subject or body 'help' to
>         clamav-users-request at lists.clamav.net
>
> You can reach the person managing the list at
>         clamav-users-owner at lists.clamav.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of clamav-users digest..."
>
>
> Today's Topics:
>
>    1. Re: Last Seven daily Updates have been almost empty
>       (Joel Esler (jesler))
>    2. WSF viruses, and other issues (John T. Bryan)
>    3. Re: WSF viruses, and other issues (Kris Deugau)
>    4. Re: WSF viruses, and other issues (Steve basford)
>    5. Freshclam Errors - Deprecated version? (TAGSIT QAF)
>    6. Re: Freshclam Errors - Deprecated version? (Al Varnell)
>    7. Install from source on Ubuntu 8.04 Hardy (Chris Nelson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 24 Oct 2016 16:24:52 +0000
> From: "Joel Esler (jesler)" <jesler at cisco.com>
> To: ClamAV users ML <clamav-users at lists.clamav.net>
> Subject: Re: [clamav-users] Last Seven daily Updates have been almost
>         empty
> Message-ID: <D9211426-F4A9-408A-92FF-D0A73C39BB75 at cisco.com>
> Content-Type: text/plain; charset="utf-8"
>
> We're building a new daily now that should fix the issue.
>
> --
> Joel Esler | Talos: Manager| jesler at cisco.com<mailto:jesler at cisco.com>
>
>
>
>
>
> On Oct 24, 2016, at 2:56 AM, Al Varnell <alvarnell at mac.com<mailto:alvarnell at mac.com>> wrote:
>
> Never quite sure when I should bring this up, but daily 22415 through
> 22421 have included exactly one new signature and one dropped signature
> (both in 22418).
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
>
>
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 24 Oct 2016 12:57:07 -0400
> From: "John T. Bryan" <john at johnbryan.us>
> To: <clamav-users at lists.clamav.net>
> Subject: [clamav-users] WSF viruses, and other issues
> Message-ID: <015601d22e17$a798f330$f6cad990$@johnbryan.us>
> Content-Type: text/plain;       charset="iso-8859-1"
>
> I've been running ClamAV now for some years as the virus-checking plug-in
> on my main multi-client mail server. For a long time, I was very pleased
> with it and how easily I was able to integrate it into the custom software
> back when I first switched to it.
>
> Lately, however, ClamAV never seems to catch any of the viruses that are
> coming at my server. My custom-built spam-checking software is
> inadvertently catching the majority of them after ClamAV has passed them.
> I have noticed two primary patterns to the viruses that are coming through
> these days:
>
> * ZIP files containing a WSF (Windows Script File) and possibly some small
> distractor files
>
> * ZIP files containing a JavaScript file and possibly some small
> distractor files
>
> As for the WSF files, my primary issue there is that ClamAV seems to refuse
> to check them at all; I have added literally hundreds of signatures for
> these to my local signatures file but ClamAV still does not identify them
> as viruses afterwards.
>
> As for the JavaScript files, these are being obfuscated in various ways,
> mostly just by altering the names of variables in the script and similar
> obvious non-semantic alterations. The obfuscation is almost certainly
> being done by automated processes of some sort. As a result, even multiple
> copies of the same script produce different signatures due to the
> non-semantic changes in the script. I have added literally thousands of
> these to my signature files but, of course, I rarely see the same
> obfuscated version again and virtually none of them are getting caught.
>
> The only malware that is being consistently caught these days is stuff
> identified by the heuristics as OLE documents containing macros and spoofed
> domains; I have had about a dozen of those in the last 30 days. Alas, the
> spoofed domains checking produces almost as many false positives as real
> ones.
>
> I dutifully send a copy of each new false negative that shows up on my
> server off to your evaluation team. I have no idea if you're even looking
> at them but I do send them. Hopefully that's helping.
>
> As a programmer myself, I understand the difficulty in identifying an
> obfuscated script, but is anything being done to address this? And what
> can be done about the WSF files that aren't being checked at all? Not that
> I expect it will matter much; the ones I have examined by hand appear to be
> obfuscated in ways similar to the JavaScript files.
>
> Thanks!
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 24 Oct 2016 14:30:15 -0400
> From: Kris Deugau <kdeugau at vianet.ca>
> To: ClamAV users ML <clamav-users at lists.clamav.net>
> Subject: Re: [clamav-users] WSF viruses, and other issues
> Message-ID: <580E5337.6030708 at vianet.ca>
> Content-Type: text/plain; charset=windows-1252
>
> John T. Bryan wrote:
> > I've been running ClamAV now for some years as the virus-checking
> > plug-in on my main multi-client mail server.  For a long time, I was very
> > pleased with it and how easily I was able to integrate it into the custom
> > software back when I first switched to it.
> >
> > Lately, however, ClamAV never seems to catch any of the viruses that are
> > coming at my server.  My custom-built spam-checking software is
> > inadvertently catching the majority of them after ClamAV has passed
> > them.  I have noticed two primary patterns to the viruses that are coming
> > through these days:
> >
> > * ZIP files containing a WSF (Windows Script File) and possibly some
> > small distractor files
> >
> > * ZIP files containing a JavaScript file and possibly some small
> > distractor files
> >
> > As for the WSF files, my primary issue there is that ClamAV seems to
> > refuse to check them at all; I have added literally hundreds of
> > signatures for these to my local signatures file but ClamAV still does
> > not identify them as viruses afterwards.
>
> .wsf files are not pattern-matched as-is, they're decoded and normalized
> first.  Run clamscan --leave-temps foo.wsf, and inspect the files left
> in /tmp/clamav* (or wherever ClamAV leaves its temporary working files)
> for the actual content ClamAV does its matching against.
>
> Note that this actually strips off some of the obfuscation, making it a
> little tricky if the pattern you're trying to match is, in and of
> itself, the obfuscation.
>
> I'd guess you're just using hash signatures from sigtool --md5 (or
> --sha1, or --sha256), since if you collect a number of examples from a
> single run you *can* find similarities in the files to create
> pattern-based sigs that match a range of files.
>
> I've posted one of the crude utilities I've been using under
> http://www.deepnet.cx/~kdeugau/clamtools/.  This takes several files,
> grabs a more or less arbitrary block of 8K hex characters (based on the
> $baseoffset and $fromstart variables - I keep the script open in a text
> editor and change these as I go), and spits out a pattern, with ?? or
> {nn} bits for variant character runs, formatted for a .ndb signature.  I
> tend to manually copy-paste an extract of that as a signature rather
> than using the whole thing.  You can use this on any set of files you
> think are likely to be similar, and if they're not as similar as you
> thought (or the segment you set it up to extract isn't) you'll get
> either something like "{2345}abf3{3243}", or possibly a couple of blank
> lines, as output.
>
> The other thing to try is an archive-contents filename signature.  I
> haven't had much luck with the newer "any archive type" version, but
> I've had decent luck with the older-style .zip-only .zmd signature file.
> I still see hits on some of those signatures I've added locally coming
> up on several years after first adding them.
>
> -kgd
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 24 Oct 2016 19:49:36 +0100
> From: Steve basford <steveb_clamav at sanesecurity.com>
> To: ClamAV users ML <clamav-users at lists.clamav.net>
> Subject: Re: [clamav-users] WSF viruses, and other issues
> Message-ID:
>         <157f806c600.27d5.3eaa884a23ece66aada06ae82ee56aba at sanesecurity.com>
> Content-Type: text/plain; format=flowed; charset="UTF-8"
>
> Hi John,
>
> phish.ndb, rogue.ndb for most malware,
> See foxhole sigs for other levels of detection.
>
> As well as .js, .wsf and .hta malware, now
> seeing and detecting .lnk malware with an auto downloading PowerShell
> command, which is nasty.
>
> Cheers,
>
> Steve
> Twitter: @sanesecurity
>
>
>
> On 24 October 2016 17:57:52 "John T. Bryan" <john at johnbryan.us> wrote:
>
> > I've been running ClamAV now for some years as the virus-checking plug-in
> > on my main multi-client mail server. For a long time, I was very pleased
> > with it and how easily I was able to integrate it into the custom software
> > back when I first switched to it.
> >
> > Lately, however, ClamAV never seems to catch any of the viruses that are
> > coming at my server. My custom-built spam-checking software is
> > inadvertently catching the majority of them after ClamAV has passed
> > them. I have noticed two primary patterns to the viruses that are coming
> > through these days:
> >
> > * ZIP files containing a WSF (Windows Script File) and possibly some
> > small distractor files
> >
> > * ZIP files containing a JavaScript file and possibly some small
> > distractor files
> >
> > As for the WSF files, my primary issue there is that ClamAV seems to
> > refuse to check them at all; I have added literally hundreds of
> > signatures for these to my local signatures file but ClamAV still does
> > not identify them as viruses afterwards.
> >
> > As for the JavaScript files, these are being obfuscated in various ways,
> > mostly just by altering the names of variables in the script and similar
> > obvious non-semantic alterations. The obfuscation is almost certainly
> > being done by automated processes of some sort. As a result, even
> > multiple copies of the same script produce different signatures due to
> > the non-semantic changes in the script. I have added literally thousands
> > of these to my signature files but, of course, I rarely see the same
> > obfuscated version again and virtually none of them are getting caught.
> >
> > The only malware that is being consistently caught these days is stuff
> > identified by the heuristics as OLE documents containing macros and
> > spoofed domains; I have had about a dozen of those in the last 30 days.
> > Alas, the spoofed domains checking produces almost as many false
> > positives as real ones.
> >
> > I dutifully send a copy of each new false negative that shows up on my
> > server off to your evaluation team. I have no idea if you're even looking
> > at them but I do send them. Hopefully that's helping.
> >
> > As a programmer myself, I understand the difficulty in identifying an
> > obfuscated script, but is anything being done to address this? And what
> > can be done about the WSF files that aren't being checked at all? Not
> > that I expect it will matter much; the ones I have examined by hand
> > appear to be obfuscated in ways similar to the JavaScript files.
> >
> > Thanks!
> >
> >
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 24 Oct 2016 20:56:04 -0700
> From: TAGSIT QAF <tagsitqaf at gmail.com>
> To: clamav-users at lists.clamav.net
> Subject: [clamav-users] Freshclam Errors - Deprecated version?
> Message-ID:
>         <CAJLh0txUTY2Uja9-VCJ1Os6rVuD=W+zWookuHgyEk3cFrDOW8A at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Relative newbie with brand new install. I manually downloaded the latest
> version of ClamAV directly from the site so I'm reasonably sure it
> shouldn't be deprecated, yet I'm getting these errors:
>
>
> etc/cron.daily/freshclam:
>
> ERROR: Can't get information about db.# tz zone descriptions (deprecated
> version).
>
> ERROR: getpatch: Can't download daily-22421.cdiff from db.# tz zone
> descriptions (deprecated version).
>
> ERROR: Can't get information about db.# tz zone descriptions (deprecated
> version).
>
> ERROR: Can't download daily.cvd from db.# tz zone descriptions (deprecated
> version).
>
> Any help would be appreciated. TAG
>
> PS Tried to look through old threads and didn't see this anywhere but I
> only went back a few months. If' it's already been discussed, can you
> kindly just direct me to where.
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 24 Oct 2016 22:08:58 -0700
> From: Al Varnell <alvarnell at mac.com>
> To: ClamAV users ML <clamav-users at lists.clamav.net>
> Subject: Re: [clamav-users] Freshclam Errors - Deprecated version?
> Message-ID: <5C7A693A-922F-4D79-86EA-F8FB7ABA2C2A at mac.com>
> Content-Type: text/plain; charset="us-ascii"
>
> That doesn't look like any mirror site I've ever seen listed, but then
> they have not gotten around to giving us back the mirror status page.
>
> Are you located in or close to Tanzania?
>
> What do you get with the following Command?
>
> host database.clamav.net
>
> -Al-
>
> On Mon, Oct 24, 2016 at 08:56 PM, TAGSIT QAF wrote:
> >
> > Relative newbie with brand new install. I manually downloaded the latest
> > version of ClamAV directly from the site so I'm reasonably sure it
> > shouldn't be deprecated, yet I'm getting these errors:
> >
> >
> > etc/cron.daily/freshclam:
> >
> > ERROR: Can't get information about db.# tz zone descriptions (deprecated
> > version).
> >
> > ERROR: getpatch: Can't download daily-22421.cdiff from db.# tz zone
> > descriptions (deprecated version).
> >
> > ERROR: Can't get information about db.# tz zone descriptions (deprecated
> > version).
> >
> > ERROR: Can't download daily.cvd from db.# tz zone descriptions
> > (deprecated version).
> >
> > Any help would be appreciated. TAG
> >
> > PS Tried to look through old threads and didn't see this anywhere but I
> > only went back a few months. If' it's already been discussed, can you
> > kindly just direct me to where.
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/pkcs7-signature
> Size: 3573 bytes
> Desc: not available
> URL: <http://lists.clamav.net/pipermail/clamav-users/attachments/20161024/fc48448f/attachment-0001.bin>
>
> ------------------------------
>
> Message: 7
> Date: Tue, 25 Oct 2016 10:41:51 -0500
> From: "Chris Nelson" <chris at goapluscc.com>
> To: <clamav-users at lists.clamav.net>
> Subject: [clamav-users] Install from source on Ubuntu 8.04 Hardy
> Message-ID: <B8324C012C98444BA472494D033181A5 at apluschris01>
> Content-Type: text/plain;       charset="us-ascii"
>
> OS Ubuntu 8.04.3 Hardy - installed ClamAV 0.99.2 yesterday, and can't seem
> to get the daemon / clamd to function.
> Installed in /usr/local/sbin - previously had 0.97 and earlier but had the
> mpool_malloc() loop issue so had to torch it.
>
> Here's what I get now when loading rc.local @boot:
> -------clip
> Mon Oct 24 19:52:54 2016 -> +++ Started at Mon Oct 24 19:52:54 2016
> Mon Oct 24 19:52:54 2016 -> Received 0 file descriptor(s) from systemd.
> Mon Oct 24 19:52:54 2016 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH:
> x86_64, CPU: x86_64)
> Mon Oct 24 19:52:54 2016 -> Running as user clamav (UID 111, GID 121)
> Mon Oct 24 19:52:54 2016 -> Log file size limited to 4294967295 bytes.
> Mon Oct 24 19:52:54 2016 -> Reading databases from /var/lib/clamav
> Mon Oct 24 19:52:54 2016 -> Not loading PUA signatures.
> Mon Oct 24 19:52:54 2016 -> Bytecode: Security mode set to "TrustSigned".
> Mon Oct 24 19:53:11 2016 -> Loaded 4990948 signatures.
>
> Mon Oct 24 19:53:14 2016 -> ERROR: LOCAL: Socket file
> /var/run/clamav/clamd.ctl could not be bound: No such file or directory
> -------end clip
>
> As I'm typically an apt-get package installer, I don't know where to start
> looking to identify and resolve the problem for this?
> I had previously been getting a simple segmentation fault error at the end
> of load echoes from clamd when executing from command line, but fixed that,
> I think.
>
>
> If anyone knows a speedy way to inquire with ClamAV authors, please also
> let me know.  I'll try the proper channels and see if I can get some
> insight from them.
>
>
> Thank you
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
> ------------------------------
>
> End of clamav-users Digest, Vol 143, Issue 20
> *********************************************
>
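Kris Deugau's reply (message 3 of the quoted digest) is the practical answer to John Bryan's problem: hash signatures from sigtool --md5 die with the first renamed variable, while a body signature that keeps the bytes shared by several samples and wildcards the rest with ?? or {nn} keeps matching across the obfuscator's renames. The script below is an added example written for this page; it is not Kris's clamtools utility and not ClamAV code. Instead of a fixed 8K window it aligns the samples with difflib, keeps only runs common to every sample, measures how long each varying gap is in each sample, and emits a single .ndb line (target type 0, offset *) with {n-m} gaps. The three dropper samples, the benign script and the signature name Win.Script.Dropper-1 are all constructed for the example; real input should be the normalized text that clamscan --leave-temps leaves behind, since that is what ClamAV matches against, and the regex at the end is only a local sanity check before running clamscan -d on the resulting .ndb file.

```python
"""Derive one ClamAV .ndb body signature from several samples of a family.

Added example for this page; it is not Kris Deugau's clamtools script and
not ClamAV code. It keeps the byte runs shared by every sample, in order,
and writes the varying stretches between them as {n-m} wildcards so one
line covers the whole family rather than one hash per variant.
"""
import difflib
import re
from typing import List, Tuple

# Constructed samples: one dropper with its variable renamed by an
# obfuscator. Real input should be the normalized text that
# "clamscan --leave-temps" writes out, since that is what ClamAV matches.
SAMPLES = [
    b'var qzx=new ActiveXObject("WScript.Shell");qzx.Run("cmd /c start");',
    b'var hello_world_1=new ActiveXObject("WScript.Shell");'
    b'hello_world_1.Run("cmd /c start");',
    b'var a=new ActiveXObject("WScript.Shell");a.Run("cmd /c start");',
]
BENIGN = b'var x=new Array();document.write(x.length);'  # constructed; must not match


def common_runs(samples: List[bytes], min_run: int = 4) -> List[bytes]:
    """Byte runs of samples[0] (at least min_run long) present, in order, in every sample."""
    anchor = samples[0]
    keep = [True] * len(anchor)
    for other in samples[1:]:
        matched = [False] * len(anchor)
        sm = difflib.SequenceMatcher(None, anchor, other, autojunk=False)
        for a_start, _b_start, size in sm.get_matching_blocks():
            for i in range(a_start, a_start + size):
                matched[i] = True
        keep = [k and m for k, m in zip(keep, matched)]
    runs, i = [], 0
    while i < len(anchor):
        if not keep[i]:
            i += 1
            continue
        j = i
        while j < len(anchor) and keep[j]:
            j += 1
        if j - i >= min_run:          # short coincidental matches are noise
            runs.append(anchor[i:j])
        i = j
    return runs


def gap_ranges(samples: List[bytes], runs: List[bytes]) -> List[Tuple[int, int]]:
    """(min, max) number of bytes between each pair of adjacent runs, over all samples."""
    spans = []
    for s in samples:
        pos, cursor = [], 0
        for r in runs:
            start = s.find(r, cursor)        # runs are searched left to right
            if start < 0:
                raise ValueError("run %r missing from a sample" % r)
            pos.append((start, start + len(r)))
            cursor = start + len(r)
        spans.append(pos)
    return [(min(p[k + 1][0] - p[k][1] for p in spans),
             max(p[k + 1][0] - p[k][1] for p in spans))
            for k in range(len(runs) - 1)]


def build_ndb(name: str, samples: List[bytes], min_run: int = 4) -> str:
    """Emit 'Name:0:*:hexsig' (target type 0 = any file, offset * = anywhere)."""
    runs = common_runs(samples, min_run)
    if not runs:
        raise ValueError("no run of %d+ bytes is common to all samples" % min_run)
    parts = [runs[0].hex()]
    for (lo, hi), r in zip(gap_ranges(samples, runs), runs[1:]):
        if lo == hi:
            parts.append("{%d}" % lo)        # gap of exactly lo bytes
        elif lo == 0:
            parts.append("{-%d}" % hi)       # gap of up to hi bytes
        else:
            parts.append("{%d-%d}" % (lo, hi))
        parts.append(r.hex())
    return "%s:0:*:%s" % (name, "".join(parts))


def ndb_to_regex(sig: str) -> "re.Pattern[bytes]":
    """Local sanity check only: translate the hex body into a bytes regex.
    The authoritative test is clamscan -d family.ndb over the samples."""
    hexsig = sig.split(":")[3]
    out = []
    for tok in re.findall(r"\{[^}]*\}|\?\?|[0-9a-f]{2}", hexsig):
        if tok == "??":
            out.append(b".")
        elif tok.startswith("{"):
            body = tok[1:-1]
            if "-" in body:
                lo, hi = body.split("-")
                out.append(b".{%s,%s}" % (lo.encode() or b"0", hi.encode()))
            else:
                out.append(b".{%s}" % body.encode())
        else:
            out.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(out), re.DOTALL)


if __name__ == "__main__":
    sig = build_ndb("Win.Script.Dropper-1", SAMPLES)   # hypothetical signature name
    print(sig)
    rx = ndb_to_regex(sig)
    print("all samples match:", all(rx.search(s) for s in SAMPLES))
    print("benign matches:", rx.search(BENIGN) is not None)
```

Raise min_run when the samples are long and share only fragments, and expect the output to be empty or a near-useless {2345}abf3{3243} when the inputs are not really the same family, which is the same failure Kris describes for his tool. The emitted line still has to prove itself with clamscan -d against both the samples and a corpus of clean mail, since the regex translation does not reproduce ClamAV's normalization.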
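Messages 5 to 7 of the quoted digest are two setup failures that a check of the config files would surface before the nightly cron run: freshclam reporting a mirror called "db.# tz zone descriptions (deprecated version)", which Al Varnell rightly flags as not looking like any mirror and asks to be checked with host database.clamav.net, and clamd failing to bind /var/run/clamav/clamd.ctl with "No such file or directory". The following preflight is an added example written for this page, not ClamAV's own tooling. It assumes ClamAV's one-directive-per-line config layout (a line starting with # is a comment and the rest of a directive line is its value), that a DatabaseMirror value must be a syntactically valid host name, and the documented behaviour of bind(2) on a Unix socket, which returns ENOENT when a directory in the path does not exist. The config fragments are constructed; the bad freshclam.conf merely shows one way a mirror "name" like the one in the error could come about and is not a claim about what was in TAG's file.

```python
"""Preflight checks for the two freshclam/clamd failures in the quoted digest.

Added example for this page, not ClamAV's own tooling. Assumptions: the
one-directive-per-line config layout ('#' lines are comments, the rest of
a directive line is its value); a DatabaseMirror must be a plain host
name; clamd can only bind LocalSocket if the parent directory of that
path already exists (bind(2) returns ENOENT otherwise). All config text
below is constructed.
"""
import os
import re
import tempfile
from typing import List, Tuple

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")   # one RFC 1123 label


def parse_directives(text: str) -> List[Tuple[str, str]]:
    """(directive, value) pairs; value is everything after the first blank."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def is_hostname(value: str) -> bool:
    """RFC 1123 host name: dot-separated labels of letters, digits and hyphens."""
    if not value or len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def check_freshclam(text: str) -> List[str]:
    """Problems with the DatabaseMirror entries in freshclam.conf text."""
    problems = []
    mirrors = [v for k, v in parse_directives(text) if k == "DatabaseMirror"]
    if not mirrors:
        problems.append("no DatabaseMirror directive")
    for m in mirrors:
        if not is_hostname(m):
            problems.append("DatabaseMirror %r is not a valid host name" % m)
    return problems


def check_clamd_socket(text: str) -> List[str]:
    """Problems that would make clamd's LocalSocket bind() fail."""
    problems = []
    for k, v in parse_directives(text):
        if k != "LocalSocket":
            continue
        parent = os.path.dirname(v) or "."
        if not os.path.isdir(parent):
            problems.append("LocalSocket directory %s does not exist "
                            "(bind fails with ENOENT)" % parent)
        elif not os.access(parent, os.W_OK):
            problems.append("LocalSocket directory %s is not writable "
                            "by this process" % parent)
    return problems


# Constructed freshclam.conf fragments. The first is one hypothesis for how
# a mirror "name" like the one in the digest could arise: a DatabaseMirror
# line that swallowed stray comment text.
FRESHCLAM_BAD = """\
# Uncomment the following line and replace XY with your country code.
DatabaseMirror db.# tz zone descriptions (deprecated version)
DatabaseMirror database.clamav.net
"""
FRESHCLAM_GOOD = """\
DatabaseMirror db.us.clamav.net
DatabaseMirror database.clamav.net
"""


def clamd_text(socket_path: str) -> str:
    """Minimal constructed clamd.conf with the given LocalSocket."""
    return "LogFile /var/log/clamav/clamd.log\nLocalSocket %s\nUser clamav\n" % socket_path


def demo_socket_checks() -> Tuple[List[str], List[str]]:
    """Run the socket check once with a missing and once with an existing parent dir."""
    with tempfile.TemporaryDirectory() as tmp:
        missing = check_clamd_socket(clamd_text(os.path.join(tmp, "run", "clamd.ctl")))
        present = check_clamd_socket(clamd_text(os.path.join(tmp, "clamd.ctl")))
    return missing, present


if __name__ == "__main__":
    for p in check_freshclam(FRESHCLAM_BAD) + check_freshclam(FRESHCLAM_GOOD):
        print("freshclam:", p)
    for p in demo_socket_checks()[0]:
        print("clamd:", p)
```

The writability check runs as whoever invokes the script, so run it as the User named in clamd.conf (clamav in Chris Nelson's log) or treat the result as advisory; on a system where /var/run is tmpfs the directory also has to be recreated at boot before clamd starts, which is a common reason for the ENOENT to appear only after a reboot.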


