Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Alternate definitions for ClamAV

    Scheduled Pinned Locked Moved Cache/Proxy
    43 Posts 13 Posters 23.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      johnabbot
      last edited by

      my update log is also ok but in Squid Anti-Virus on the dashboard I see this

      Statistics Unknown (no log exists)

      Have I set up ClamAV correctly?

      Anyone else get this?

      1 Reply Last reply Reply Quote 0
      • A
        AR15USR
        last edited by

        @johnabbot:

        my update log is also ok but in Squid Anti-Virus on the dashboard I see this

        Statistics Unknown (no log exists)

        Have I set up ClamAV correctly?

        Anyone else get this?

        Maybe you haven't detected a virus yet, so nothing to show?


        2.6.0-RELEASE

        1 Reply Last reply Reply Quote 0
        • A
          AR15USR
          last edited by

          I am having a lot of legitimate updates being blocked by these additional definitions. I do till see a lot of traffic from these same apps/vendors (Apple, Sophos, Adobe, MS) making it through still though.

          Here a a few examples:

          Date-Time	Message	Virus	URL	Host	User
          16.09.2016 21:46:03	VIRUS FOUND	Sanesecurity.Foxhole.Zip_JsNum_wrd.UNOFFICIAL	http://appldnld.apple.com/ios10.0/...[i]/com_apple_MobileAsset_CoreSuggestions/6a3ed2b4a6e1de61c084583a57a0efdff20d2b48.zip	-	-
          
          16.09.2016 17:24:44	VIRUS FOUND	Sanesecurity.Foxhole.Zip_fs211.UNOFFICIAL	http://d1.sophosupd.com/update/5bd003b17a6fd2d057620295800499acx000.dat	-	-
          
          16.09.2016 17:17:06	VIRUS FOUND	Sanesecurity.Foxhole.Zip_doc_js.UNOFFICIAL	http://bg2.v4.a.dl.ws.microsoft.com/dl/content/c/updt/2016/09/19c9cb69-f6ed-49d2-81d5-24c8f4de9cb9_96035d20a923a671f386073b34d004fa5125bd7b.appxbundle?P1=1474071897
          
          5.09.2016 05:12:44	VIRUS FOUND	Sanesecurity.Foxhole.Zip_jsname.UNOFFICIAL	http://a1.mzstatic.com/us/r30/Purple71/v4/6d/30/a2/6d30a250-66eb-9f40-80d9-07fa321fe70f/icon1280x768.lsr
          
          I have removed the Foxhole definitions source from freshclam but that hasn't stopped the blocks above. Here is my additional definitions list:
          
          [code]DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/junk.ndb
          DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/phish.ndb
          DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/rogue.hdb
          DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/badmacro.ndb
          DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/scam.ndb
          DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/sanesecurity.ftm
          DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/sigwhitelist.ign2[/code]
          
          Any thoughts/ideas?
          
          Edit: Maybe the "icon1280x768.lsr is a legit virus? 
          https://www.virustotal.com/en/file/7f2c0860d6810f8557cf921f1604c01da5f4eae5155bdbf53ed7cafb2d6aeb3a/analysis/
          
          The mzstatic.com domain is an apple domain I believe.[/i]
          

          2.6.0-RELEASE

          1 Reply Last reply Reply Quote 0
          • S
            Stewart
            last edited by

            The Foxhole definitions are the ones responsible for scanning inside of Zip files I believe.  If it's still being blocked then what is it saying is blocking it?  If it still says Foxhole then there should be some way of clearing those definitions out of ClamAV.  Maybe a Freshclam?  I'm not sure.

            Looking at the virustotal link it appears it is not a virus so maybe it is a false positive?

            1 Reply Last reply Reply Quote 0
            • A
              AR15USR
              last edited by

              Stewart you can see in my above post, in the first 'code' section it reports that sane security.foxhole.xxx is the responsible database(s). I'm not exactly sure which that is though.

              I removed the 3 foxhole databases and it still blocked. I have just removed the sanesecurity database and I will see if it still blocks.

              In the end I might try and reporting the blocks to SaneSecurity as false positives and see what they say. Although on their site they say and database with 'unofficial' on it is not theirs.


              2.6.0-RELEASE

              1 Reply Last reply Reply Quote 0
              • P
                Peen
                last edited by

                Any insight on my previous post? Set it up as instructed. The DB's all update, and I checked the DB's were there. But I don't see them being applied. Also doesn't seem to be blocking anything more in my tests.

                This is what my DB says…

                Squid Version   3.5.19_1
                Antivirus Scanner   ClamAV 0.99.2    C-ICAP 0.4.3 +  SquidClamav 6.10
                Antivirus Bases
                Database Date Version Builder
                daily.cld 2016.09.19 22224 neo
                bytecode.cvd 2016.06.23 283 neo
                main.cvd 2016.03.16 57 amishhammer
                Last Update Mon Sep 19 17:03:48 2016
                Statistics Found 3 virus(es) total.

                1 Reply Last reply Reply Quote 0
                • S
                  sanesecurity
                  last edited by

                  Hi All,

                  Just popped in to say if you find any more FP's on files with foxhole_filename.cdb

                  I'll need a direct file download url, so I can download and scan this end.

                  I've fixed a couple of the FP's already, so thanks for pointing them out.

                  Cheers,

                  Steve
                  Sanesecurity

                  1 Reply Last reply Reply Quote 0
                  • A
                    AR15USR
                    last edited by

                    Sanesecurity, good to see you here!

                    I have several. How would you like me to get those to you?


                    2.6.0-RELEASE

                    1 Reply Last reply Reply Quote 0
                    • A
                      AR15USR
                      last edited by

                      @Peen:

                      Any insight on my previous post? Set it up as instructed. The DB's all update, and I checked the DB's were there. But I don't see them being applied. Also doesn't seem to be blocking anything more in my tests.

                      This is what my DB says…

                      Squid Version   3.5.19_1
                      Antivirus Scanner   ClamAV 0.99.2    C-ICAP 0.4.3 +  SquidClamav 6.10
                      Antivirus Bases
                      Database Date Version Builder
                      daily.cld 2016.09.19 22224 neo
                      bytecode.cvd 2016.06.23 283 neo
                      main.cvd 2016.03.16 57 amishhammer
                      Last Update Mon Sep 19 17:03:48 2016
                      Statistics Found 3 virus(es) total.

                      Based on the logs you posed above it looks like its working. I don't get the additional databases showing up in the dashboard widget either, but I know they are working due to the blocking happening. Also when I run freshclam I see them updating.

                      I'm guessing the Squid Antivirus Widget doesn't report on custom databases, would be nice to have that fixed.


                      2.6.0-RELEASE

                      1 Reply Last reply Reply Quote 0
                      • P
                        Peen
                        last edited by

                        Good to know it's working and you have the same thing happening. I did try to open that link you posted with the icon.lsr and it did let me download it. On the WICAR malware test page, I get some blocks so I do know ClamAV is working.

                        1 Reply Last reply Reply Quote 0
                        • S
                          sanesecurity
                          last edited by

                          @AR15USR:

                          Sanesecurity, good to see you here!

                          I have several. How would you like me to get those to you?

                          You can copy/paste the links and I'll download them with wget to test.
                          or perhaps you can pop them into dropbox or some other file storage and send me the link.

                          Cheers,

                          Steve
                          Sanesecurity.com

                          1 Reply Last reply Reply Quote 0
                          • S
                            Stewart
                            last edited by

                            @Peen:

                            Any insight on my previous post? Set it up as instructed. The DB's all update, and I checked the DB's were there. But I don't see them being applied. Also doesn't seem to be blocking anything more in my tests.

                            This is what my DB says…

                            Squid Version   3.5.19_1
                            Antivirus Scanner   ClamAV 0.99.2    C-ICAP 0.4.3 +  SquidClamav 6.10
                            Antivirus Bases
                            Database Date Version Builder
                            daily.cld 2016.09.19 22224 neo
                            bytecode.cvd 2016.06.23 283 neo
                            main.cvd 2016.03.16 57 amishhammer
                            Last Update Mon Sep 19 17:03:48 2016
                            Statistics Found 3 virus(es) total.

                            If you run a freshclam and see them updating then they are in there.  What if you download a file to the box and run a clamscan on it?  If it catches it then it may be a proxy integration thing.

                            1 Reply Last reply Reply Quote 0
                            • A
                              AR15USR
                              last edited by

                              @Stewart:

                              @Peen:

                              Any insight on my previous post? Set it up as instructed. The DB's all update, and I checked the DB's were there. But I don't see them being applied. Also doesn't seem to be blocking anything more in my tests.

                              This is what my DB says…

                              Squid Version   3.5.19_1
                              Antivirus Scanner   ClamAV 0.99.2    C-ICAP 0.4.3 +  SquidClamav 6.10
                              Antivirus Bases
                              Database Date Version Builder
                              daily.cld 2016.09.19 22224 neo
                              bytecode.cvd 2016.06.23 283 neo
                              main.cvd 2016.03.16 57 amishhammer
                              Last Update Mon Sep 19 17:03:48 2016
                              Statistics Found 3 virus(es) total.

                              If you run a freshclam and see them updating then they are in there.  What if you download a file to the box and run a clamscan on it?  If it catches it then it may be a proxy integration thing.

                              2 days with no more of the FP's. Looks like they are fixed, thanks sanesecurity…


                              2.6.0-RELEASE

                              1 Reply Last reply Reply Quote 0
                              • S
                                Stewart
                                last edited by

                                @AR15USR:

                                @Stewart:

                                @Peen:

                                Any insight on my previous post? Set it up as instructed. The DB's all update, and I checked the DB's were there. But I don't see them being applied. Also doesn't seem to be blocking anything more in my tests.

                                This is what my DB says…

                                Squid Version   3.5.19_1
                                Antivirus Scanner   ClamAV 0.99.2    C-ICAP 0.4.3 +  SquidClamav 6.10
                                Antivirus Bases
                                Database Date Version Builder
                                daily.cld 2016.09.19 22224 neo
                                bytecode.cvd 2016.06.23 283 neo
                                main.cvd 2016.03.16 57 amishhammer
                                Last Update Mon Sep 19 17:03:48 2016
                                Statistics Found 3 virus(es) total.

                                If you run a freshclam and see them updating then they are in there.  What if you download a file to the box and run a clamscan on it?  If it catches it then it may be a proxy integration thing.

                                2 days with no more of the FP's. Looks like they are fixed, thanks sanesecurity…

                                Yup, Steve is awesome!  You guys have no idea how responsive and helpful he's been.  Thanks @sanesecurity!

                                1 Reply Last reply Reply Quote 0
                                • I
                                  IggyB
                                  last edited by

                                  Great thread. Thanks so much for this information and to sanesecurity for db's

                                  Is there a way i could whitelist a specific website in clam .conf files?

                                  1 Reply Last reply Reply Quote 0
                                  • I
                                    IggyB
                                    last edited by

                                    I also forgot to mention once you do load advanced configuration the settings on the page will be void.

                                    So if you want to disable clamav scanning streamed audio/video while advance mode is enabled you can add this code to the end of squidclamav.conf

                                    Do not scan (streamed) videos and audios

                                    abort ^..(flv|f4f|mp(3|4))(?.)?$
                                    abort ^..(m3u|pls|wmx|aac|mpeg)(?.)?$
                                    abortcontent ^video/x-flv$
                                    abortcontent ^video/mp4$
                                    abortcontent ^audio/mp4$
                                    abortcontent ^.audio/mp4.$
                                    abortcontent ^video/webm$
                                    abortcontent ^audio/webm$
                                    abortcontent ^video/MP2T$
                                    abortcontent ^audio/wmx$
                                    abortcontent ^audio/mpeg$
                                    abortcontent ^audio/aac$
                                    abortcontent ^.application/x-mms-framed.$

                                    2. In freshclam.conf don't forget to change to your nearest server. Do not touch one below described as "database.clamav.net is round-robin"

                                    Mine is Australia

                                    Uncomment the following line and replace XY with your country

                                    code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.

                                    You can use db.XY.ipv6.clamav.net for IPv6 connections.

                                    DatabaseMirror db.au.clamav.net

                                    1 Reply Last reply Reply Quote 0
                                    • A
                                      AR15USR
                                      last edited by

                                      Thanks IggyB..


                                      2.6.0-RELEASE

                                      1 Reply Last reply Reply Quote 0
                                      • A
                                        asterix
                                        last edited by

                                        After updating to above settings I am getting this false positive Virus detected warning in diag_edit.php of pfSense page. How can I get rid of this?

                                        SquidClamav 6.10: Virus detected!

                                        The requested URL http://192.168.1.1/diag_edit.php contains a virus
                                        Virus name: Sanesecurity.Malware.26368.JsHeur.UNOFFICIAL

                                        This file cannot be downloaded.

                                        Origin: - / -

                                        1 Reply Last reply Reply Quote 0
                                        • I
                                          Impatient
                                          last edited by

                                          You can try this https://forum.pfsense.org/index.php?topic=120154.msg664657#msg664657 for a temporary work around but I believe that disable's the definition.

                                          Otherwise you will have to contact sane security.

                                          1 Reply Last reply Reply Quote 0
                                          • A
                                            asterix
                                            last edited by

                                            Thanks, that worked.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.