Alternate definitions for ClamAV
-
Sanesecurity, good to see you here!
I have several. How would you like me to get those to you?
-
Any insight on my previous post? Set it up as instructed. The DB's all update, and I checked the DB's were there. But I don't see them being applied. Also doesn't seem to be blocking anything more in my tests.
This is what my DB says…
Squid Version 3.5.19_1
Antivirus Scanner ClamAV 0.99.2 C-ICAP 0.4.3 + SquidClamav 6.10
Antivirus Bases
Database Date Version Builder
daily.cld 2016.09.19 22224 neo
bytecode.cvd 2016.06.23 283 neo
main.cvd 2016.03.16 57 amishhammer
Last Update Mon Sep 19 17:03:48 2016
Statistics Found 3 virus(es) total.Based on the logs you posed above it looks like its working. I don't get the additional databases showing up in the dashboard widget either, but I know they are working due to the blocking happening. Also when I run freshclam I see them updating.
I'm guessing the Squid Antivirus Widget doesn't report on custom databases, would be nice to have that fixed.
-
Good to know it's working and you have the same thing happening. I did try to open that link you posted with the icon.lsr and it did let me download it. On the WICAR malware test page, I get some blocks so I do know ClamAV is working.
-
Sanesecurity, good to see you here!
I have several. How would you like me to get those to you?
You can copy/paste the links and I'll download them with wget to test.
or perhaps you can pop them into dropbox or some other file storage and send me the link.Cheers,
Steve
Sanesecurity.com -
Any insight on my previous post? Set it up as instructed. The DB's all update, and I checked the DB's were there. But I don't see them being applied. Also doesn't seem to be blocking anything more in my tests.
This is what my DB says…
Squid Version 3.5.19_1
Antivirus Scanner ClamAV 0.99.2 C-ICAP 0.4.3 + SquidClamav 6.10
Antivirus Bases
Database Date Version Builder
daily.cld 2016.09.19 22224 neo
bytecode.cvd 2016.06.23 283 neo
main.cvd 2016.03.16 57 amishhammer
Last Update Mon Sep 19 17:03:48 2016
Statistics Found 3 virus(es) total.If you run a freshclam and see them updating then they are in there. What if you download a file to the box and run a clamscan on it? If it catches it then it may be a proxy integration thing.
-
Any insight on my previous post? Set it up as instructed. The DB's all update, and I checked the DB's were there. But I don't see them being applied. Also doesn't seem to be blocking anything more in my tests.
This is what my DB says…
Squid Version 3.5.19_1
Antivirus Scanner ClamAV 0.99.2 C-ICAP 0.4.3 + SquidClamav 6.10
Antivirus Bases
Database Date Version Builder
daily.cld 2016.09.19 22224 neo
bytecode.cvd 2016.06.23 283 neo
main.cvd 2016.03.16 57 amishhammer
Last Update Mon Sep 19 17:03:48 2016
Statistics Found 3 virus(es) total.If you run a freshclam and see them updating then they are in there. What if you download a file to the box and run a clamscan on it? If it catches it then it may be a proxy integration thing.
2 days with no more of the FP's. Looks like they are fixed, thanks sanesecurity…
-
Any insight on my previous post? Set it up as instructed. The DB's all update, and I checked the DB's were there. But I don't see them being applied. Also doesn't seem to be blocking anything more in my tests.
This is what my DB says…
Squid Version 3.5.19_1
Antivirus Scanner ClamAV 0.99.2 C-ICAP 0.4.3 + SquidClamav 6.10
Antivirus Bases
Database Date Version Builder
daily.cld 2016.09.19 22224 neo
bytecode.cvd 2016.06.23 283 neo
main.cvd 2016.03.16 57 amishhammer
Last Update Mon Sep 19 17:03:48 2016
Statistics Found 3 virus(es) total.If you run a freshclam and see them updating then they are in there. What if you download a file to the box and run a clamscan on it? If it catches it then it may be a proxy integration thing.
2 days with no more of the FP's. Looks like they are fixed, thanks sanesecurity…
Yup, Steve is awesome! You guys have no idea how responsive and helpful he's been. Thanks @sanesecurity!
-
Great thread. Thanks so much for this information and to sanesecurity for db's
Is there a way i could whitelist a specific website in clam .conf files?
-
I also forgot to mention once you do load advanced configuration the settings on the page will be void.
So if you want to disable clamav scanning streamed audio/video while advance mode is enabled you can add this code to the end of squidclamav.conf
Do not scan (streamed) videos and audios
abort ^..(flv|f4f|mp(3|4))(?.)?$
abort ^..(m3u|pls|wmx|aac|mpeg)(?.)?$
abortcontent ^video/x-flv$
abortcontent ^video/mp4$
abortcontent ^audio/mp4$
abortcontent ^.audio/mp4.$
abortcontent ^video/webm$
abortcontent ^audio/webm$
abortcontent ^video/MP2T$
abortcontent ^audio/wmx$
abortcontent ^audio/mpeg$
abortcontent ^audio/aac$
abortcontent ^.application/x-mms-framed.$2. In freshclam.conf don't forget to change to your nearest server. Do not touch one below described as "database.clamav.net is round-robin"
Mine is Australia
Uncomment the following line and replace XY with your country
code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
You can use db.XY.ipv6.clamav.net for IPv6 connections.
DatabaseMirror db.au.clamav.net
-
Thanks IggyB..
-
After updating to above settings I am getting this false positive Virus detected warning in diag_edit.php of pfSense page. How can I get rid of this?
SquidClamav 6.10: Virus detected!
The requested URL http://192.168.1.1/diag_edit.php contains a virus
Virus name: Sanesecurity.Malware.26368.JsHeur.UNOFFICIALThis file cannot be downloaded.
Origin: - / -
-
You can try this https://forum.pfsense.org/index.php?topic=120154.msg664657#msg664657 for a temporary work around but I believe that disable's the definition.
Otherwise you will have to contact sane security.
-
Thanks, that worked.
-
The alternative definitions have been triggering on iOS app updates of late.
Has anyone else seen this behaviour?
VIRUS FOUND Sanesecurity.Foxhole.JS_Zip_19.UNOFFICIAL
http://appldnld.apple.com/ios10.0/091-00410-20170307-333298AC-FD56-11E6-A830-06ECE1925776/com_apple_MobileAsset_CoreSuggestions/5b0b88c6446d899e5bec5a5ac298ed55bbbf1cbb.zip
-
The FPs need to be reported to the signatures maintainer. (But please understand that these things are mostly made for email AV filtering.)
-
Yes I've been getting those too. You can report it here:
http://sanesecurity.com/support/false-positives/
-
Hi
We are busy adding full support for pfsense to the next version of the script : https://github.com/extremeshok/clamav-unofficial-sigs
Please post issues here: https://github.com/extremeshok/clamav-unofficial-sigs/issues/
-
5.6.1 released with pfsense support : https://github.com/extremeshok/clamav-unofficial-sigs
Install guide is here : https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/guides/pfsense.md
Version 5.6.1 (updated 2017-03-18) eXtremeSHOK.com Maintenance Packers/Javascript_exploit_and_obfuscation.yar false positive rating increased to HIGH Codeclimate fixes Incremented the config to version 73 Version 5.6 (updated 2017-03-17) eXtremeSHOK.com Maintenance PGP is now optional and no longer a requirement and pgp support is auto-detected Full support for MacOS / OS X and added clamav install guide Full support for pfSense and added clamav install guide Added os configs for Zimbra and Debian 8 with systemd Much better error messages with possible solutions given Better checking of possible issues Update all SANESECURITY signature databases Support for clamav-devel (clamav compiled from source) Added full proxy support to wget and curl Replace allot of "echo | cut | sed" with bash substitutions Added fallbacks/substitutions for various commands xshok_file_download and xshok_draw_time_remaining functions added to replace redundant code blocks Removed SANESECURITY mbl.ndb as this file is not showing up on the rsync mirrors Allow exit code 23 for rsync Major refactoring : Normalize comments, quotes, functions, conditions Protect various arguments and "POSIX-ize" script integrity Enhanced testing with travis-ci, including clamav 0.99 Incremented the config to version 72 -
Thank you for this.
All went well here except.
WARNING: Failed connection to http://cdn.rfxn.com/downloads - SKIPPED linuxmalwaredetect rfxn.ndb update -
Hi
Where does Clam AV store the files it believes are viruses (or does it even)?
I'd like to be able to extract them to check against Virus Total / RE them etc
Anyone know the answer to this?