Alternate definitions for ClamAV
-
Good to know it's working and you have the same thing happening. I did try to open that link you posted with the icon.lsr and it did let me download it. On the WICAR malware test page, I get some blocks so I do know ClamAV is working.
-
Sanesecurity, good to see you here!
I have several. How would you like me to get those to you?
You can copy/paste the links and I'll download them with wget to test.
or perhaps you can pop them into dropbox or some other file storage and send me the link.Cheers,
Steve
Sanesecurity.com -
Any insight on my previous post? Set it up as instructed. The DB's all update, and I checked the DB's were there. But I don't see them being applied. Also doesn't seem to be blocking anything more in my tests.
This is what my DB says…
Squid Version 3.5.19_1
Antivirus Scanner ClamAV 0.99.2 C-ICAP 0.4.3 + SquidClamav 6.10
Antivirus Bases
Database Date Version Builder
daily.cld 2016.09.19 22224 neo
bytecode.cvd 2016.06.23 283 neo
main.cvd 2016.03.16 57 amishhammer
Last Update Mon Sep 19 17:03:48 2016
Statistics Found 3 virus(es) total.If you run a freshclam and see them updating then they are in there. What if you download a file to the box and run a clamscan on it? If it catches it then it may be a proxy integration thing.
-
Any insight on my previous post? Set it up as instructed. The DB's all update, and I checked the DB's were there. But I don't see them being applied. Also doesn't seem to be blocking anything more in my tests.
This is what my DB says…
Squid Version 3.5.19_1
Antivirus Scanner ClamAV 0.99.2 C-ICAP 0.4.3 + SquidClamav 6.10
Antivirus Bases
Database Date Version Builder
daily.cld 2016.09.19 22224 neo
bytecode.cvd 2016.06.23 283 neo
main.cvd 2016.03.16 57 amishhammer
Last Update Mon Sep 19 17:03:48 2016
Statistics Found 3 virus(es) total.If you run a freshclam and see them updating then they are in there. What if you download a file to the box and run a clamscan on it? If it catches it then it may be a proxy integration thing.
2 days with no more of the FP's. Looks like they are fixed, thanks sanesecurity…
-
Any insight on my previous post? Set it up as instructed. The DB's all update, and I checked the DB's were there. But I don't see them being applied. Also doesn't seem to be blocking anything more in my tests.
This is what my DB says…
Squid Version 3.5.19_1
Antivirus Scanner ClamAV 0.99.2 C-ICAP 0.4.3 + SquidClamav 6.10
Antivirus Bases
Database Date Version Builder
daily.cld 2016.09.19 22224 neo
bytecode.cvd 2016.06.23 283 neo
main.cvd 2016.03.16 57 amishhammer
Last Update Mon Sep 19 17:03:48 2016
Statistics Found 3 virus(es) total.If you run a freshclam and see them updating then they are in there. What if you download a file to the box and run a clamscan on it? If it catches it then it may be a proxy integration thing.
2 days with no more of the FP's. Looks like they are fixed, thanks sanesecurity…
Yup, Steve is awesome! You guys have no idea how responsive and helpful he's been. Thanks @sanesecurity!
-
Great thread. Thanks so much for this information and to sanesecurity for db's
Is there a way i could whitelist a specific website in clam .conf files?
-
I also forgot to mention once you do load advanced configuration the settings on the page will be void.
So if you want to disable clamav scanning streamed audio/video while advance mode is enabled you can add this code to the end of squidclamav.conf
Do not scan (streamed) videos and audios
abort ^..(flv|f4f|mp(3|4))(?.)?$
abort ^..(m3u|pls|wmx|aac|mpeg)(?.)?$
abortcontent ^video/x-flv$
abortcontent ^video/mp4$
abortcontent ^audio/mp4$
abortcontent ^.audio/mp4.$
abortcontent ^video/webm$
abortcontent ^audio/webm$
abortcontent ^video/MP2T$
abortcontent ^audio/wmx$
abortcontent ^audio/mpeg$
abortcontent ^audio/aac$
abortcontent ^.application/x-mms-framed.$2. In freshclam.conf don't forget to change to your nearest server. Do not touch one below described as "database.clamav.net is round-robin"
Mine is Australia
Uncomment the following line and replace XY with your country
code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
You can use db.XY.ipv6.clamav.net for IPv6 connections.
DatabaseMirror db.au.clamav.net
-
Thanks IggyB..
-
After updating to above settings I am getting this false positive Virus detected warning in diag_edit.php of pfSense page. How can I get rid of this?
SquidClamav 6.10: Virus detected!
The requested URL http://192.168.1.1/diag_edit.php contains a virus
Virus name: Sanesecurity.Malware.26368.JsHeur.UNOFFICIALThis file cannot be downloaded.
Origin: - / -
-
You can try this https://forum.pfsense.org/index.php?topic=120154.msg664657#msg664657 for a temporary work around but I believe that disable's the definition.
Otherwise you will have to contact sane security.
-
Thanks, that worked.
-
The alternative definitions have been triggering on iOS app updates of late.
Has anyone else seen this behaviour?
VIRUS FOUND Sanesecurity.Foxhole.JS_Zip_19.UNOFFICIAL
http://appldnld.apple.com/ios10.0/091-00410-20170307-333298AC-FD56-11E6-A830-06ECE1925776/com_apple_MobileAsset_CoreSuggestions/5b0b88c6446d899e5bec5a5ac298ed55bbbf1cbb.zip
-
The FPs need to be reported to the signatures maintainer. (But please understand that these things are mostly made for email AV filtering.)
-
Yes I've been getting those too. You can report it here:
http://sanesecurity.com/support/false-positives/
-
Hi
We are busy adding full support for pfsense to the next version of the script : https://github.com/extremeshok/clamav-unofficial-sigs
Please post issues here: https://github.com/extremeshok/clamav-unofficial-sigs/issues/
-
5.6.1 released with pfsense support : https://github.com/extremeshok/clamav-unofficial-sigs
Install guide is here : https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/guides/pfsense.md
Version 5.6.1 (updated 2017-03-18) eXtremeSHOK.com Maintenance Packers/Javascript_exploit_and_obfuscation.yar false positive rating increased to HIGH Codeclimate fixes Incremented the config to version 73 Version 5.6 (updated 2017-03-17) eXtremeSHOK.com Maintenance PGP is now optional and no longer a requirement and pgp support is auto-detected Full support for MacOS / OS X and added clamav install guide Full support for pfSense and added clamav install guide Added os configs for Zimbra and Debian 8 with systemd Much better error messages with possible solutions given Better checking of possible issues Update all SANESECURITY signature databases Support for clamav-devel (clamav compiled from source) Added full proxy support to wget and curl Replace allot of "echo | cut | sed" with bash substitutions Added fallbacks/substitutions for various commands xshok_file_download and xshok_draw_time_remaining functions added to replace redundant code blocks Removed SANESECURITY mbl.ndb as this file is not showing up on the rsync mirrors Allow exit code 23 for rsync Major refactoring : Normalize comments, quotes, functions, conditions Protect various arguments and "POSIX-ize" script integrity Enhanced testing with travis-ci, including clamav 0.99 Incremented the config to version 72 -
Thank you for this.
All went well here except.
WARNING: Failed connection to http://cdn.rfxn.com/downloads - SKIPPED linuxmalwaredetect rfxn.ndb update -
Hi
Where does Clam AV store the files it believes are viruses (or does it even)?
I'd like to be able to extract them to check against Virus Total / RE them etc
Anyone know the answer to this?
-
Hi
I have an issue with a false positive, I've reported it ages ago but it keeps showing up.
Anyone know how to remove Sanesecurity.Foxhole?
The blizzard of false positives is obscuring the real viruses it catches, which is annoying.
Cheers
Jon
-
I figured I would post an update on a few things to add I've found if it helps others referencing this as I did, all pulled from my running config on pfSense 22.01 and can be placed in the noted files without setting the manual config option if familiar between command line in the GUI and/or a Putty console:
Do not scan (streamed) videos and audios: place in "/usr/local/etc/c-icap/squidclamav.conf" and remove the # to enable the extras if wanted:
abort ^.*\.(wav|aiff|ogg|flac|opus|flv|f4f|m2a|mjpeg|mov|mp(2|3|4))(\?.*)?$ abort ^.*\.(avi|avs|mpg|asf|mkv|dv|m1v|m2v|m3u|pls|wmx|aac|mpeg|ogm|ogv|ts)(\?.*)?$ abortcontent ^video\/x-flv$ abortcontent ^audio\/aiff$ abortcontent ^video\/mp4$ abortcontent ^audio\/mp4$ abortcontent ^.*audio\/mp4.*$ abortcontent ^video\/webm$ abortcontent ^audio\/webm$ abortcontent ^video\/mp2t$ abortcontent ^audio\/wmx$ abortcontent ^audio\/mpeg$ abortcontent ^audio\/x-mpeg$ abortcontent ^audio\/aac$ abortcontent ^video\/x-msvideo$ abortcontent ^video\/msvideo$ abortcontent ^video\/avi$ abortcontent ^video\/mpeg$ abortcontent ^video\/x-mpeg$ abortcontent ^video\/ogg$ abortcontent ^audio\/ogg$ abortcontent ^audio\/opus$ abortcontent ^video\/mp2t$ abortcontent ^audio\/wav$ abortcontent ^video\/3gpp$ abortcontent ^audio\/3gpp$ abortcontent ^video\/3gpp2$ abortcontent ^audio\/3gpp2$ abortcontent ^video\/x-motion-jpeg$ abortcontent ^video\/x-dv$ abortcontent ^video\/x-ms-asf$ abortcontent ^video\/quicktime$ abortcontent ^.*application\/x-mms-framed.*$ # Do not scan images #abort ^.*\.(ico|gif|png|jpg)$ #abortcontent ^image\/.*$ # Do not scan text files #abort ^.*\.(css|xml|xsl|js|html|jsp)$ #abortcontent ^text\/.*$ #abortcontent ^application\/x-javascript$ # Do not scan streamed videos #abortcontent ^video\/x-flv$ #abortcontent ^video\/mp4$ # Do not scan flash files #abort ^.*\.swf$ #abortcontent ^application\/x-shockwave-flash$ # Do not scan sequence of framed Microsoft Media Server (MMS) data packets #abortcontent ^.*application\/x-mms-framed.*$ # White list some sites #whitelist .*\.clamav.netFollowing Securiteinfo guide to ensure maximum detection rates, I did edit my clamd.conf and enabled the PUA option but found I first had to enable that in the GUI first before editing the suggested clamd.conf file and proceeded to do the same in the other two copies pfSense builds the running file from on reboots/reloads. Each of the following are located in "/usr/local/etc/c-icap/" :
"clamd.conf" "clamd.conf.default" and "clamd.conf.pfsense"
modified these lines:DetectPUA yes ExcludePUA PUA.Win.Packer ExcludePUA PUA.Win.Trojan.Packed ExcludePUA PUA.Win.Trojan.Molebox ExcludePUA PUA.Win.Packer.Upx ExcludePUA PUA.Doc.Packed MaxScanSize 150M MaxFileSize 100M MaxRecursion 40 MaxEmbeddedPE 100M MaxHTMLNormalize 50M MaxScriptNormalize 50M MaxZipTypeRcg 50M