Mailing List Archive

[clamav-users] Clamav does not recognize known viruses
Good morning,

I use clamav with the additional signatures from securiteinfo.

ClamAV 0.103.10/27129/Wed Dec 20 10:38:37 2023

Some time ago clamav was due for an update - since then it has
recognized almost nothing.

I start the scan with:

clamscan -i --move=/home/virusverdacht/erkannt /home/virusverdacht

/etc/clamav/freshclam.conf:


[...]
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/sigwhitelist.ign2
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/sanesecurity.ftm
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/junk.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/jurlbl.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/phish.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/rogue.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/scam.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/spamimg.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/spamattach.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/blurl.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_generic.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_filename.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/malwarehash.hsb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/malware.expert.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/hackingteam.hsb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_malware.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_malware_links.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_extended_malware.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow.attachments.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_bad_cw.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_cracked_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_malware_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_phishing_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_malware_attach.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/crdfam.clamav.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/porcupine.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/porcupine.hsb
DatabaseCustomURL https://urlhaus.abuse.ch/downloads/urlhaus.ndb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxxx/securiteinfo.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/securiteinfo.ign2
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxx/javascript.ndb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/spam_marketing.ndb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/securiteinfohtml.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/securiteinfoascii.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/securiteinfoandroid.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/securiteinfoold.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/securiteinfopdf.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/securiteinfo0hour.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/securiteinfo.mdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxxx/securiteinfo.yara
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/xxxx/securiteinfo.pdb
[...]


/etc/clamav/clamav.conf
[...]
LogFile /var/log/clamav.log
LogTime yes
LogSyslog yes
LogFacility LOG_LOCAL2

PidFile /var/amavis/clamd.pid
DatabaseDirectory /var/clamav
OfficialDatabaseOnly no
LocalSocket /var/amavis/clamd
LocalSocketMode 660

FixStaleSocket yes

DetectPUA yes

IncludePUA Spy
IncludePUA Scanner
IncludePUA RAT

AlgorithmicDetection yes

ScanPE yes

ScanELF yes

DetectBrokenExecutables yes

ScanOLE2 yes

ScanPDF yes

ScanMail yes

ScanPartialMessages yes

PhishingSignatures yes

PhishingScanURLs yes

PhishingAlwaysBlockSSLMismatch no

PhishingAlwaysBlockCloak no

HeuristicScanPrecedence yes

StructuredDataDetection yes

StructuredMinCreditCardCount 5

StructuredMinSSNCount 5

StructuredSSNFormatNormal yes

StructuredSSNFormatStripped yes

Bytecode yes
[...]



I suspect it ignores the additional signatures.

But where is the mistake here?


Greetings,
Sebastian



_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] Clamav does not recognize known viruses
Hi Sebastian,

Here on Ubuntu LTS I have the same issue.

Check the permission for:

- /etc/init.d/clamav-daemon
- /etc/init.d/clamav-freshclam

For unknown reasons, they have the wrong permissions by default.
They must have 0755; then it works well!

Kind greetings,
Marc


From: Clamav User Mailinglist <mailto:clamav-users@lists.clamav.net>
To: Newcomer01 <mailto:newcomer01@posteo.de>
CC: Sebastian <mailto:sebastian@debianfan.de>
Sent: Thursday, December 21, 2023 at 10:04 AM +0100
Subject: [clamav-users] Clamav does not recognize known viruses
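An added diagnostic script, not from Sebastian's or Marc's messages and not a ClamAV tool, that checks the three things this thread turns on: the mode of the two init scripts Marc names, whether freshclam.conf and the clamd configuration agree on DatabaseDirectory (the posted freshclam.conf says /var/lib/clamav while the posted clamav.conf says /var/clamav), and whether every DatabaseCustomURL in freshclam.conf has a matching file in freshclam's database directory. The config files used in the test are constructed samples; the /etc paths and the --check-system flag are assumptions for illustration. That freshclam stores a custom database under the basename of its URL inside DatabaseDirectory is documented freshclam behaviour.

```shell
#!/bin/sh
# Added example, not part of the thread. Read-only checks for the points
# raised above: init-script mode, DatabaseDirectory agreement between the
# freshclam and clamd configs, and presence of each DatabaseCustomURL file.

# Octal mode of a file (GNU stat, with a BSD fallback), or "missing".
file_mode() {
    if [ -e "$1" ]; then
        stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
    else
        echo missing
    fi
}

# True when the init script has the 0755 mode Marc's reply asks for.
init_script_ok() {
    [ "$(file_mode "$1")" = "755" ]
}

# First uncommented value of KEY ($2) in a ClamAV-style "Key value" file ($1).
config_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Basename of every DatabaseCustomURL in a freshclam.conf; freshclam stores
# each custom database under that basename inside DatabaseDirectory.
custom_db_names() {
    awk '$1 == "DatabaseCustomURL" { n = split($2, part, "/"); print part[n] }' "$1"
}

# True when freshclam.conf ($1) and clamd.conf ($2) name the same DatabaseDirectory.
same_database_dir() {
    fresh_dir=$(config_value "$1" DatabaseDirectory)
    clamd_dir=$(config_value "$2" DatabaseDirectory)
    [ -n "$fresh_dir" ] && [ "$fresh_dir" = "$clamd_dir" ]
}

# Number of DatabaseCustomURL entries in $1 whose file is absent from
# that file's DatabaseDirectory; each absent path is reported on stderr.
missing_custom_dbs() {
    db_dir=$(config_value "$1" DatabaseDirectory)
    missing=0
    for name in $(custom_db_names "$1"); do
        if [ ! -f "$db_dir/$name" ]; then
            echo "absent: $db_dir/$name" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Run against the live system only when asked; paths are assumed as in the thread.
if [ "${1:-}" = "--check-system" ]; then
    for script in /etc/init.d/clamav-daemon /etc/init.d/clamav-freshclam; do
        if init_script_ok "$script"; then
            echo "ok:  $script"
        else
            echo "FIX: $script is $(file_mode "$script"), want 755"
        fi
    done
    if same_database_dir /etc/clamav/freshclam.conf /etc/clamav/clamd.conf; then
        echo "ok:  freshclam and clamd share one DatabaseDirectory"
    else
        echo "FIX: DatabaseDirectory differs between freshclam.conf and clamd.conf"
    fi
    echo "custom databases missing: $(missing_custom_dbs /etc/clamav/freshclam.conf)"
fi
```

Note that clamscan reads neither configuration file: it loads its compiled-in default database directory unless told otherwise. To be sure a scan uses the third-party databases freshclam downloaded, pass the directory explicitly with clamscan's documented --database option (for the posted freshclam.conf, --database=/var/lib/clamav) and compare the "Known viruses" figure in the scan summary with and without it; a count that barely changes means the custom databases are not being loaded.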