Mailing List Archive

[clamav-users] Are signatures for Windows only?
I keep thinking about this from time to time, but keep forgetting to
post before I get sidetracked doing something else...

Are the ClamAV default signature files geared towards Windows
executables / malware / documents / (generic spam)? Or do they cover
other platforms as well?

Reason I'm asking, I've seen an increasing amount of people posting
about their non-windows platforms that are scanning their *entire*
system, and I'm wondering if it is just a waste of CPU cycles, or if
there are actual signatures that could detect anything on those
platforms (that are not windows related)?

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Are signatures for Windows only? [ In reply to ]
Our signature is cover all platforms.

Sent from my Apple Watch

On Mar 25, 2019, at 08:13, J.R. via clamav-users <clamav-users@lists.clamav.net> wrote:

> I keep thinking about this from time to time, but keep forgetting to
> post before I get sidetracked doing something else...
>
> Are the ClamAV default signature files geared towards Windows
> executables / malware / documents / (generic spam)? Or do they cover
> other platforms as well?
>
> Reason I'm asking, I've seen an increasing amount of people posting
> about their non-windows platforms that are scanning their *entire*
> system, and I'm wondering if it is just a waste of CPU cycles, or if
> there are actual signatures that could detect anything on those
> platforms (that are not windows related)?
Re: [clamav-users] Are signatures for Windows only? [ In reply to ]
Our signatures cover all platforms. Sorry, can’t type on watch. :)

Sent from my iPad

> On Mar 25, 2019, at 08:20, Joel Esler (jesler) via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Our signature is cover all platforms.
>
> Sent from my Apple Watch
Re: [clamav-users] Are signatures for Windows only? [ In reply to ]
Hi there,

On Mon, 25 Mar 2019, J.R. wrote:

> ... I've seen an increasing amount of people posting about their
> non-windows platforms that are scanning their *entire* system ...

People have been doing that kind of thing for years, I'm not sure how
much it's increasing. Most of the time it seems to me they don't know
why they're doing it nor even, if there is something in there to find,
how likely it is that a ClamAV scan will find it. You often see scans
of /proc/, /dev/ and the like - which is only going to cause problems,
not solve them. If for example you're hosting files for Windows hosts
on non-windows platforms there's certainly a case for scanning shared
data areas, but I don't know how representative that is of the typical
ClamAV user. Although we share files with Windows platforms we really
only use ClamAV to scan mail. I guess we're as untypical of a ClamAV
user as you'll get. The main reason we use ClamAV is for third-party
databases such as the excellent set produced by Steve at Sanesecurity
(once again, thanks, Steve). Even so, ever since we took to rejecting
mail based on things like geography it really is just the occasional
catch. With an average incoming rate of mail of ca. 1200 attempts per
day(*), since January 2018 I've seen one genuine catch by ClamAV. As
it happens it was a malicious Word document, cunningly disguised as a
statement of account from a local hotel. As it happens we don't have
an account with that hotel - and we don't use Word, nor even Windows.

(*) After firewalling, 15 percent actually get to connect to port 25.

> I'm wondering if it is just a waste of CPU cycles, or if there are
> actual signatures that could detect anything on those platforms
> (that are not windows related)?

People do all sorts of daft things. A lot of what they do wastes CPU
(and the associated energy, which I think these days is more important)
but one can't really deny that there might be the occasional surprise.
Very occasional indeed, however, in the case of most *nix boxes, and I
can't remember the last time I scanned a Linux box using ClamAV or any
other package. At the time I didn't expect to find anything, I think
it was an experiment just to see how many false positives it gave and
how long it took.

It's a while since I looked at this, so I did a few 'grep's on 'daily':

mail6:/etc/mail/clamav# >>> wc daily.cld
1531682 1534564 117369856 daily.cld
mail6:/etc/mail/clamav# >>> grep -ai Win daily.cld | wc
853283 853326 66772035
mail6:/etc/mail/clamav# >>> grep -ai Andr daily.cld | wc
255329 255329 18510754
mail6:/etc/mail/clamav# >>> grep -ai doc daily.cld | wc
154521 154584 11340974
mail6:/etc/mail/clamav# >>> grep -ai unix daily.cld | wc
86435 86437 6496632
mail6:/etc/mail/clamav# >>> grep -ai java daily.cld | wc
38254 38260 2686509
mail6:/etc/mail/clamav# >>> grep -ai OSX daily.cld | wc
35652 35652 2531765
mail6:/etc/mail/clamav# >>> grep -ai PDF daily.cld | wc
11133 11147 801891
mail6:/etc/mail/clamav# >>> grep -ai xls daily.cld | wc
10227 10227 748439
mail6:/etc/mail/clamav# >>> grep -ai Phish daily.cld | wc
3257 3257 1348569
mail6:/etc/mail/clamav# >>> grep -ai linux daily.cld | wc
2 2 296

All right, I ran that last one as a bit of a joke but you can see
where the biggest problems are.

--

73,
Ged.

Re: [clamav-users] Are signatures for Windows only? [ In reply to ]
Actually, from what we understand, ClamAV is mostly used to scan email.

Sent from my iPhone

> On Mar 25, 2019, at 12:22, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Although we share files with Windows platforms we really
> only use ClamAV to scan mail. I guess we're as untypical of a ClamAV
> user as you'll get.
Re: [clamav-users] Are signatures for Windows only? [ In reply to ]
We use it to scan entire Unix and Linux hosts.

Regards, Scott

> -----Original Message-----
> From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of Joel Esler (jesler) via clamav-users
> Sent: Monday, March 25, 2019 12:37 PM
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Cc: Joel Esler (jesler) <jesler@cisco.com>; G.W. Haywood <clamav@jubileegroup.co.uk>
> Subject: [External] Re: [clamav-users] Are signatures for Windows only?
>
> Actually, from what we understand, ClamAV is mostly used to scan email.
Re: [clamav-users] Are signatures for Windows only? [ In reply to ]
> People have been doing that kind of thing for years, I'm not sure how
> much it's increasing. Most of the time it seems to me they don't know
> why they're doing it nor even, if there is something in there to find,
> how likely it is that a ClamAV scan will find it.

I know people have been scanning their entire systems all these years.
I was referring to just casually observing recently more people
"posting on the mailing list" about when they do a full scan on their
system.

> Although we share files with Windows platforms we really
> only use ClamAV to scan mail. I guess we're as untypical of a ClamAV
> user as you'll get.

I only use ClamAV to scan email on my linux box. To me that seems like
the most common / typical use.

> Even so, ever since we took to rejecting
> mail based on things like geography it really is just the occasional
> catch.

Yep, other measures for me too has meant that ClamAV *might* get one
hit a day, which typically is a 3rd party phishing signature. I'm sure
if ClamAV didn't catch it the email would still have been flagged and
deleted as spam from other measures.

> It's a while since I looked at this, so I did a few 'grep's on 'daily':

You inspired me to take a look at the signature files, and using
sigtool to unpack them I browsed each of them (not really sure what
each file does) and indeed there are lots of signatures labeled Unix &
Multios and such. Looks like I might run a manual scan on the file
system and see what happens.
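
An added example, not part of any message in this thread: the per-platform breakdown that the greps on daily.cld and the browsing of the sigtool-unpacked files were after, tallied from the name field of each signature instead of by substring. It assumes the databases were unpacked with `sigtool --unpack` and that names follow the platform.category.name pattern seen in the thread (Win, Unix, Multios); the sample lines, SAMPLE and the function names are constructed for illustration.

```python
import os
import sys
from collections import Counter

# Where the signature name sits in each unpacked database type:
# extension -> (field delimiter, index of the name field).
NAME_FIELD = {
    ".hdb": (":", 2), ".hsb": (":", 2),  # hash:size:name
    ".mdb": (":", 2), ".msb": (":", 2),  # section_size:section_hash:name
    ".ndb": (":", 0),                    # name:target:offset:hex_body
    ".ldb": (";", 0),                    # name;target_block;logic;subsigs...
}


def signature_name(line, ext):
    """Return the signature name from one database line, or None."""
    line = line.strip()
    if not line or line.startswith("#") or ext not in NAME_FIELD:
        return None
    delim, index = NAME_FIELD[ext]
    fields = line.split(delim)
    if len(fields) <= index or not fields[index]:
        return None  # truncated or malformed line
    return fields[index]


def platform_of(name):
    """First dot-separated component of the name, e.g. 'Win' or 'Unix'."""
    head, dot, _ = name.partition(".")
    return head if dot else "(no prefix)"


def tally(files):
    """files maps a file name to its lines; returns signature counts per platform."""
    counts = Counter()
    for filename, lines in files.items():
        ext = os.path.splitext(filename)[1].lower()
        for line in lines:
            name = signature_name(line, ext)
            if name is not None:
                counts[platform_of(name)] += 1
    return counts


def substring_count(files, needle):
    """What `grep -ai needle | wc -l` measures: lines containing the text anywhere."""
    needle = needle.lower()
    return sum(needle in line.lower() for lines in files.values() for line in lines)


# Constructed sample lines (hashes, hex bodies and names are made up).
# Note the Unix signature whose family name happens to contain "Win".
SAMPLE = {
    "daily.hdb": ["00112233445566778899aabbccddeeff:1024:Win.Trojan.Constructed-1-0"],
    "daily.mdb": ["4096:00112233445566778899aabbccddeeff:Win.Malware.Constructed-4-0"],
    "daily.ndb": [
        "# constructed comment line",
        "Unix.Trojan.Winlike-2-0:6:*:deadbeef",
        "Multios.Coinminer.Constructed-5-0:0:*:6c696e7578",
    ],
    "daily.ldb": ["Osx.Malware.Constructed-3-0;Engine:51-255,Target:9;0;cafebabe"],
}


def load_directory(path):
    """Read every recognised database file in a directory of unpacked signatures."""
    files = {}
    for entry in sorted(os.listdir(path)):
        if os.path.splitext(entry)[1].lower() in NAME_FIELD:
            with open(os.path.join(path, entry), errors="replace") as handle:
                files[entry] = handle.read().splitlines()
    return files


if __name__ == "__main__":
    files = load_directory(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for platform, count in tally(files).most_common():
        print(f"{count:8d}  {platform}")
```

Run it with the directory holding the unpacked files as its only argument; with no argument it tallies the constructed sample, where a case-insensitive search for "win" matches three lines but only two signatures carry the Win prefix.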

Re: [clamav-users] Are signatures for Windows only? [ In reply to ]
*decloaks*

We (Loughborough University) use ClamAV on our inbound and outbound mail servers, in front of and after Office 365 mailboxes. It sits in the middle of a fairly complex set of moving parts - another AV product, DNS blacklists, file hash checks, local 'reputation', several anti-spam tools and a load of custom local config (we're an Exim shop so have almost infinite flexibility).

We have a number of 'unofficial' databases loaded - some Sanesecurity ones as others have mentioned - and some custom local stuff that doesn't fit into the other bits.

Picking a random recent day, we had 135000 rejections, 6500 of which were from ClamAV. By comparison, we accepted & delivered 25000 messages to 66000 recipients (non-unique).

I know we're not unique in this regard, and I'm thankful ClamAV exists for many reasons, not least its extensibility!

Graeme

________________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Joel Esler (jesler) via clamav-users <clamav-users@lists.clamav.net>
Sent: 25 March 2019 19:36
To: ClamAV users ML
Cc: Joel Esler (jesler); G.W. Haywood
Subject: Re: [clamav-users] Are signatures for Windows only?

Actually, from what we understand, ClamAV is mostly used to scan email.

Re: [clamav-users] Are signatures for Windows only? [ In reply to ]
That’s super interesting. I’d be interested in what the 6500 signatures were. Just for a real world “what are you seeing” conversation.

Sent from my iPad

> On Mar 25, 2019, at 18:07, Graeme Fowler via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> *decloaks*
>
> We (Loughborough University) use ClamAV on our inbound and outbound mail servers, in front of and after Office 365 mailboxes. It sits in the middle of a fairly complex set of moving parts - another AV product, DNS blacklists, file hash checks, local 'reputation', several anti-spam tools and a load of custom local config (we're an Exim shop so have almost infinite flexibility).
>
> We have a number of 'unofficial' databases loaded - some Sanesecurity ones as others have mentioned - and some custom local stuff that doesn't fit into the other bits.
>
> Picking a random recent day, we had 135000 rejections, 6500 of which were from ClamAV. By comparison, we accepted & delivered 25000 messages to 66000 recipients (non-unique).
>
> I know we're not unique in this regard, and I'm thankful ClamAV exists for many reasons, not least its extensibility!
>
> Graeme
Re: [clamav-users] Are signatures for Windows only? [ In reply to ]
Have emailed you off-list.

Graeme


________________________________________
From: Joel Esler (jesler) <jesler@cisco.com>
Sent: 25 March 2019 22:08
To: ClamAV users ML
Cc: Graeme Fowler
Subject: Re: [clamav-users] Are signatures for Windows only?

That’s super interesting. I’d be interested in what the 6500 signatures were. Just for a real world “what are you seeing” conversation.

Re: [clamav-users] Are signatures for Windows only? [ In reply to ]
> That’s super interesting. I’d be interested in what the
> 6500 signatures were. Just for a real world “what are
> you seeing” conversation.

Any update on when ClamAV might be re-implementing the ability to
submit detection stats?

Re: [clamav-users] Are signatures for Windows only? [ In reply to ]
It's nice to hear that others are interested in the detection stats feature.
It is a very high priority for us, though we have a couple other high priorities we're tackling first.

We had hoped to re-implement it for 0.102. I'm still crossing my fingers that we can get it done, but we've lost a lot of time working on improving ClamAV code quality and security.

Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.



On 3/26/19, 9:13 AM, "clamav-users on behalf of J.R. via clamav-users" <clamav-users-bounces@lists.clamav.net on behalf of clamav-users@lists.clamav.net> wrote:

> That’s super interesting. I’d be interested in what the
> 6500 signatures were. Just for a real world “what are
> you seeing” conversation.

Any update on when ClamAV might be re-implementing the ability to
submit detection stats?

Re: [clamav-users] Are signatures for Windows only? [ In reply to ]
Hi there,

On Mon, 25 Mar 2019, Joel Esler wrote:

> On Mar 25, 2019, at 12:22, G.W. Haywood via clamav-users ... wrote:
>
> > ... we really only use ClamAV to scan mail. I guess we're as
> > untypical of a ClamAV user as you'll get.
>
> Actually, from what we understand, ClamAV is mostly used to scan email.

Quite so.

On Tue, 26 Mar 2019, Graeme Fowler wrote:

> We (Loughborough University) use ClamAV ...

Unfortunately when I was at Loughborough University (Electronic and
Electrical Engineering) ClamAV did not exist. Nor did the Internet,
as I graduated in 1976 (*). :/

> Picking a random recent day, we had 135000 rejections, 6500 of which
> were from ClamAV. By comparison, we accepted & delivered 25000
> messages ...

On that day's numbers it looks like ClamAV is rejecting about 5% of
rejected mail. Here, in fifteen months, it's rejected _less_ than
0.0002% (although I'll grant that both are likely poor statistics).

On Mon, 25 Mar 2019, J.R. wrote:

> Yep, other measures for me too has meant that ClamAV *might* get one
> hit a day, which typically is a 3rd party phishing signature. I'm
> sure if ClamAV didn't catch it the email would still have been
> flagged and deleted as spam from other measures.
>
> > It's a while since I looked at this, so I did a few 'grep's on 'daily':
>
> You inspired me to take a look at the signature files ...

Excellent! I like to inspire. :)

Obviously I didn't mean that using ClamAV to scan mail is untypical,
it's our 0.0002% detection rate which I think might be untypical. I
should be very concerned if I relied on *any* anti-virus package to
stop one in twenty malicious payloads. Not that I'm saying LU does,
there isn't enough information here to make that call. But my guess
is that the typical ClamAV user feels that, if a message has been
scanned, it's probably safe to use a mail client's GUI to read it.
I'm pretty sure that it isn't (and my mail client doesn't have one,
and I'm *sure* that's untypical).

On Mon, 25 Mar 2019, Joel Esler wrote:

> That’s super interesting. I’d be interested in what the 6500
> signatures were. Just for a real world “what are you seeing”
> conversation.

As Micah said:

On Tue, 26 Mar 2019, Micah Snyder wrote:

> We had hoped to re-implement it for 0.102. I'm still crossing my
> fingers that we can get it done

It could be valuable to us to have the fed back information published
but you can see how it might be valuable to the wrong people too.

> but we've lost a lot of time working on improving ClamAV code
> quality and security.

That's not lost time. It's time well used. :)

--

73,
(*) G.W. Haywood, BSc (1st hons 1976), CEng, MIET, MRIN.

Re: [clamav-users] Are signatures for Windows only? [ In reply to ]
Hi Everyone,

Can you please try this link to see if you can download the file, as for us it's
not working: http://www.clamav.net/downloads/production/ClamAV-0.101.2.exe

We are getting this message:

This page isn’t working

www.clamav.net is currently unable to handle this request.
HTTP ERROR 500

Best Regards

Clayton Bugeja
System Administrator
Transactium Ltd.




Re: [clamav-users] Are signatures for Windows only? [ In reply to ]
Hi Clayton,
Use lowercase for the filename or go to www.clamav.net click on Download, scroll down to the Windows packages and select the one you require.
Regards,
Andy.

From: Clayton Bugeja
Sent: Wednesday, 27 March 2019 11:20
To: ClamAV users ML
Reply To: ClamAV users ML
Cc: G.W. Haywood
Subject: Re: [clamav-users] Are signatures for Windows only?

Hi Everyone,
Can you please try this link to see if you can download the file, as for us it's not working: http://www.clamav.net/downloads/production/ClamAV-0.101.2.exe
We are getting this message:
This page isn’t working

www.clamav.net is currently unable to handle this request.
HTTP ERROR 500


Re: [clamav-users] Are signatures for Windows only? [ In reply to ]
On Mar 27, 2019, at 11:07, G.W. Haywood wrote:
> On that day's numbers it looks like ClamAV is rejecting about 5% of
> rejected mail. Here, in fifteen months, it's rejected _less_ than
> 0.0002% (although I'll grant that both are likely poor statistics).

Hello, fellow Loughborough graduate :)

We have a large number of other checks in line before content gets accepted and messages get passed to ClamAV. I'm not going to detail them here as this is a public mailing list, but suffice to say that you only get your message scanned if it hasn't tripped one of a large number of other rules we have in place. We use Exim, so we have almost infinite flexibility at all decision points in the SMTP transaction flow.

Given ClamAV's extensible nature, we're making use of a number of 'unofficial' signature databases which catch an awful lot of bad behaviour. Actual infectious agents (viruses, trojans, RATs and so on) are a very small fraction of the whole - largely because the indiscriminate ones that spew forth from older botnets and infected hosts are rejected before they pass any content to us.

ClamAV is part of a many-layered defence-in-depth approach, but without it we'd have a significant gap.

Graeme

Re: [clamav-users] Are signatures for Windows only? [ In reply to ]
On Wed, 2019-03-27 at 11:07 +0000, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Mon, 25 Mar 2019, Joel Esler wrote:
>
> > On Mar 25, 2019, at 12:22, G.W. Haywood via clamav-users ... wrote:
> >
> > > ... we really only use ClamAV to scan mail. I guess we're as
> > > untypical of a ClamAV user as you'll get.
> >
> > Actually, from what we understand, ClamAV is mostly used to scan
> > email.
>
> Quite so.
>
> On Tue, 26 Mar 2019, Graeme Fowler wrote:
>
> > We (Loughborough University) use ClamAV ...
>
> Unfortunately when I was at Loughborough University (Electronic and
> Electrical Engineering) ClamAV did not exist. Nor did the Internet,
> as I graduated in 1976 (*). :/
>
> > Picking a random recent day, we had 135000 rejections, 6500 of
> > which
> > were from ClamAV. By comparison, we accepted & delivered 25000
> > messages ...
>
> On that day's numbers it looks like ClamAV is rejecting about 5% of
> rejected mail. Here, in fifteen months, it's rejected _less_ than
> 0.0002% (although I'll grant that both are likely poor statistics).
>
> On Mon, 25 Mar 2019, J.R. wrote:
>
> > Yep, other measures for me too have meant that ClamAV *might* get
> > one
> > hit a day, which typically is a 3rd party phishing signature. I'm
> > sure if ClamAV didn't catch it the email would still have been
> > flagged and deleted as spam from other measures.
> >
> > > It's a while since I looked at this, so I did a few 'grep's on
> > > 'daily':
> >
> > You inspired me to take a look at the signature files ...
>
> Excellent! I like to inspire. :)
>
> Obviously I didn't mean that using ClamAV to scan mail is untypical,
> it's our 0.0002% detection rate which I think might be untypical. I
> should be very concerned if I relied on *any* anti-virus package to
> stop one in twenty malicious payloads. Not that I'm saying LU does,
> there isn't enough information here to make that call. But my guess
> is that the typical ClamAV user feels that, if a message has been
> scanned, it's probably safe to use a mail client's GUI to read it.
> I'm pretty sure that it isn't (and my mail client doesn't have one,
> and I'm *sure* that's untypical).
>
> On Mon, 25 Mar 2019, Joel Esler wrote:
>
> > That's super interesting. I'd be interested in what the 6500
> > signatures were. Just for a real world "what are you seeing"
> > conversation.
>
I run ClamAV on my incoming mail here at home in conjunction with SA. I
also run a small perl script 'clamstats.pl' that was written about
15yrs ago by Paul Venezia. So, since this is just my home system my
stats are very few since 2 Jan of this year. This is just mail that
isn't put into other folders first by Procmail. The script also makes a
nice looking .html file.

22 Virus Types Detected
------------------------------------------
SecuriteInfo.com.Spam-8755.UNOFFICIAL(bc6d2c8f49e4e0d015   1   4.55%
SecuriteInfo.com.Spam-5087.UNOFFICIAL(ce46beba4b24c6f8de   1   4.55%
Sanesecurity.Phishing.Fake.Coin.27586.UNOFFICIAL(0000000   1   4.55%
SecuriteInfo.com.Spam-5060.UNOFFICIAL(1f58b47551ff77c15a   1   4.55%
SecuriteInfo.com.Spam-3019.UNOFFICIAL(d85fd8056a7740a8df   1   4.55%
SecuriteInfo.com.Spam-3835.UNOFFICIAL(9a2d57fd755174de44   1   4.55%
SecuriteInfo.com.Spam-5060.UNOFFICIAL(b7ae06a46f2943f2a5   1   4.55%
SecuriteInfo.com.Spam-5060.UNOFFICIAL(d23a20a925aa96f9e1   1   4.55%
SecuriteInfo.com.Spam-3019.UNOFFICIAL(fe560f6601c350dbbf   1   4.55%
SecuriteInfo.com.Spam-5060.UNOFFICIAL(615e99ca5b46843b5e   1   4.55%
SecuriteInfo.com.Spam-4044.UNOFFICIAL(37b28d2bbad9ed1a5f   1   4.55%
SecuriteInfo.com.Spam-2895.UNOFFICIAL(000000000000000000   1   4.55%
SecuriteInfo.com.Spam-5060.UNOFFICIAL(c65de330c02b18117b   1   4.55%
Sanesecurity.Phishing.Fake.Coin.27622.UNOFFICIAL(0000000   1   4.55%
SecuriteInfo.com.Spam-8755.UNOFFICIAL(97f0b7069e0cbad9f7   1   4.55%
SecuriteInfo.com.Spam-3835.UNOFFICIAL(c3bb70311ce1ea7d19   1   4.55%
SecuriteInfo.com.Spam-8755.UNOFFICIAL(5269acdb10a7bf81de   1   4.55%
SecuriteInfo.com.Spam-3835.UNOFFICIAL(b3cfb50a01c714a5eb   1   4.55%
SecuriteInfo.com.Spam-8755.UNOFFICIAL(b6396a22ce5637efaf   1   4.55%
SecuriteInfo.com.Spam-3019.UNOFFICIAL(53e6ed8c5476d215ed   1   4.55%
SecuriteInfo.com.Spam-4044.UNOFFICIAL(580e2fe07ab4a4eff6   1   4.55%
SecuriteInfo.com.Spam-5060.UNOFFICIAL(4e9a21ef313466c6fb   1   4.55%

Not sure if this would work for a large organization since it pretty
much requires that the clamd.log not be rotated so that the correct
number of caught viruses is maintained.

--
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
08:56:27 up 16:18, 1 user, load average: 1.55, 1.15, 1.15
Description: Ubuntu 18.04.2 LTS, kernel 4.15.0-46-generic
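
Added example, not part of the original post and not the clamstats.pl script it mentions: a per-signature tally that still works when clamd.log is rotated, because it reads every rotated segment and groups hits by signature name with the per-file "(hash:size)" suffix removed. It assumes clamd's "target: signature FOUND" log lines with LogTime and ExtendedDetectionInfo enabled; the function names and sample lines are constructed for illustration.

```python
import gzip
import re
from collections import Counter
from pathlib import Path

# clamd logs "<target>: <signature> FOUND". With LogTime a timestamp and "-> "
# come first; with ExtendedDetectionInfo "(hash:size)" follows the name.
FOUND_RE = re.compile(
    r"^(?:.*? -> )?(?P<target>.+): (?P<sig>\S+?)(?:\([0-9a-f]+:\d+\))? FOUND$"
)

def tally(lines):
    """Count detections per signature name, ignoring the per-file hash suffix."""
    counts = Counter()
    for line in lines:
        m = FOUND_RE.match(line.strip())
        if m:
            counts[m.group("sig")] += 1
    return counts

def read_segments(log_dir, stem="clamd.log"):
    """Yield lines from clamd.log and each rotated segment (.1, .2.gz, ...)."""
    for path in sorted(Path(log_dir).glob(stem + "*")):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", errors="replace") as fh:
            yield from fh

def report(counts):
    """Return (signature, hits, percent) rows, most frequent first."""
    total = sum(counts.values())
    return [(sig, n, round(100.0 * n / total, 2))
            for sig, n in counts.most_common()]

# Constructed sample lines (not taken from the log behind the post).
SAMPLE = [
    "Wed Mar 27 08:00:01 2019 -> /var/spool/mail/a: Constructed.Spam-1.UNOFFICIAL(0123456789abcdef0123456789abcdef:2048) FOUND",
    "Wed Mar 27 08:05:12 2019 -> /var/spool/mail/b: Constructed.Spam-1.UNOFFICIAL(fedcba9876543210fedcba9876543210:4096) FOUND",
    "Wed Mar 27 08:10:00 2019 -> SelfCheck: Database status OK.",
    "Wed Mar 27 09:30:44 2019 -> stream(127.0.0.1@1234): Constructed.Phish-2.UNOFFICIAL(00112233445566778899aabbccddeeff:512) FOUND",
    "/tmp/sample.bin: Constructed.Test-3 FOUND",
]

if __name__ == "__main__":
    for sig, hits, pct in report(tally(SAMPLE)):
        print(f"{sig:45} {hits:5d} {pct:6.2f}%")
```

On a live system, pass `read_segments("/var/log/clamav")` (directory is an assumption) to `tally` instead of `SAMPLE`.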
Re: [clamav-users] Are signatures for Windows only? [ In reply to ]
We use ClamAV (actually libclamav) with HAVP to scan HTTP traffic as
well as using it (clamd) to scan incoming email.

Since so much traffic is moving to HTTPS, I would love to see some
browser plugins -- in our case Firefox (ESR) -- for ClamAV. Something
that used libclamav (ala HAVP) would be best. Given the unfortunate
removal of XUL, a Firefox "Extension" (as opposed to a "Plugin") might
no longer be possible, and would certainly be slower than something
plugged in to the guts of Firefox. A hook in Firefox which piped data
to clamd (or whatever) might also be adequately fast.


On Mon, 25 Mar 2019 19:36:49 +0000
"Joel Esler \(jesler\) via clamav-users"
<clamav-users@lists.clamav.net> wrote:

> Actually, from what we understand, ClamAV is mostly used to scan
> email.
>
> Sent from my iPhone
>
> > On Mar 25, 2019, at 12:22, G.W. Haywood via clamav-users
> > <clamav-users@lists.clamav.net> wrote:
> >
> > Although we share files with Windows platforms we really
> > only use ClamAV to scan mail. I guess we're as untypical of a
> > ClamAV user as you'll get.
