ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
This topic is locked: you cannot edit posts or make replies.
CraigJConrad


Joined: 13 Feb 2016
Posts: 10
jimimaseye: Thanks for the further info. I have been to the site and am feeling a bit ignorant, as it took some time to figure out exactly how to install it. I had to fix a few references in the bat file, as the path to the exe didn't include "\bin" in it, and there is still an error coming from the bat about a pipe being bad, but I *think* (hope) that is only about putting a comment into a file.

I can now see that running the update DOES put the SaneSecurity databases into the proper ClamWin folder. Now, how do I know that ClamWin is actually *using* these databases? I can't seem to find a log file that would confirm this.

Thanks ....
jimimaseye


Joined: 04 Jan 2014
Posts: 95
Well, I have on file and could email you one of the macro-type DOC viruses (office word document) that gets trapped by it but......

Not sure why you have 'problems' installing. It was clear and plain for me.
CraigJConrad


Joined: 13 Feb 2016
Posts: 10
I'm not sure I want a virus file purposely sent. I was just hoping that there would be a log report identifying the databases as ClamWin loads them when it does a scan. As I don't tell ClamWin which databases to use, I guess I have to assume that it simply uses *every* database in that folder. I'm skeptical of that, because if you want to stop using one of them, you'd have to go into that folder and either rename its extension or delete it, as opposed to removing it from a list. A selection list would seem more appropriate.

As to the install, I'm probably just too anal (it serves me well in programming, but not always in processing written directions). The instructions begin by describing what the sigupdate.bat and signame.txt do, then go right into the need to install Rsync. And the Rsync instructions tell you to put things into the "winrsync folder". There was never any instruction telling you to unzip the SaneSecurity files and where to put them. So, there is no context for putting the Rsync into the winrsync folder -- it doesn't exist unless you did a step that isn't identified in the instructions. So, reading it seems that you have to install rsync first, but the folder doesn't exist -- I created one only to figure out later it is a subfolder of SaneSecurity. Then step 2 is for installing ClamAV (which I already had, of course), but it reads "I'm assuming that you are using ClamWin or ClamWin command line for the correct db location". I couldn't figure out what that was telling me -- how do I know if I'm using it "for the correct db location"? Anyway, I eventually just ignored that. Finally, the sigupdate.bat wasn't working (the db files weren't appearing in the folder), so I had to open it in a command prompt and debug it. It lacked the "\bin" part of the folder path in three places, and still reports a pipe error (which I've ignored as the db files seem to be getting to where they belong now).

Once I am confident that it is actually using the new databases, I will donate -- I've been unemployed for nearly three months, so it might not be very much, but the authors certainly deserve compensation ...

I am appreciative of your time and assistance ...

Craig
jimimaseye


Joined: 04 Jan 2014
Posts: 95
ok, ...


1, even if I sent you the 'virus', it is a word .DOC file (with a macro) and of no danger if you don't open it or you don't have macros in MS OFFICE to automatically run. If your software is working correctly it will identify it anyway, and if not you will just have a DOC as an attachment which you can just delete. Rest assured that Clamwin default definitions WON'T detect it and when it is detected it will be by the .UNOFFICIAL sane definitions.

2, Your 'sigupdate' folder should contain:

readme.txt
signames.txt
sigupdate.bat (which should be called by task scheduler)
(you might also have a 'sigupdate' logfile too)
folder: dbtemp
folder: winrsync (containing rsync)

3, As long as you have everything set up you should see the new databases exist in the existing Clamwin database: "%appdata%\.clamwin\clamwin.conf" (opened as your Clamwin system user).

4, If you want to add or remove any of the databases from being included, simply edit the signames.txt file. Any that you do include you should see evidence in the database folder (3)

5, Clamwin loads all databases that exist in the database folder

6, go to 1. (a BASIC reference there for you programmers). :D

FWIW, my SIGUPDATE.BAT looks like this (also includes handling creation of update log files for tracing - Note: 7z.exe is 7Zip which you need to install and point to.):

Code:
@echo off

rem ----------------------------------------------------------------------
rem Sanesecurity downloader v0.4 beta for ClamWin/ClamAV (c) Steve Basford
rem Please see readme.txt
rem -----------------------------------------------------------------------

echo Sanesecurity downloader for ClamWin/ClamAV..

rem winrsync\, dbtemp\ and signames.txt are looked up relative to the script,
rem so make the script's own folder the working directory (Task Scheduler may start elsewhere)
cd /d "%~dp0"

rem set the default log location
rem eg: %ProgramFiles%\ClamWin
rem eg: %ProgramFiles(x86)%\ClamWin

rem build a yyyy-mm-dd stamp from WMIC, which is locale independent (unlike %date%)
for /F "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /VALUE 2^>NUL`) do if '.%%i.'=='.LocalDateTime.' set ldt=%%j
set inDate=%ldt:~0,4%-%ldt:~4,2%-%ldt:~6,2%
rem keep quotes out of the variables and quote each use instead, so paths with spaces work
set "logloc=%ProgramFiles(x86)%\ClamWin\sigupdate"
set "sigupdatelog=sigupdate_%inDate%.log"

rem quick check for errors
IF NOT EXIST winrsync\rsync.exe echo Warning: Cannot find rsync.exe [winrsync\rsync.exe]
IF NOT EXIST signames.txt echo Warning: signames.txt not found
IF NOT EXIST "%logloc%" echo Warning: log directory not found

IF NOT EXIST winrsync\rsync.exe goto fin
IF NOT EXIST signames.txt goto fin
IF NOT EXIST "%logloc%" goto fin

rem set ClamWin/ClamAV database path
rem example: %ALLUSERSPROFILE%\.clamwin\db\
rem example: C:\clamav\database

rem Automatically obtain the DB directory from the Clamwin.conf file
rem (%appdata% is per user: run the scheduled task as the account ClamWin runs under)
rem split only on '=', so a database path containing spaces is kept whole
IF EXIST "%appdata%\.clamwin\clamwin.conf" FOR /F "eol=; tokens=1* delims==" %%i in ('findstr /b /l /i "database=" "%appdata%\.clamwin\clamwin.conf"') DO set "db=%%~j"

IF NOT EXIST "%db%" echo Warning: Database directory not found
IF NOT EXIST "%db%" goto fin

echo Started: %date%-%time%
echo Started: %date%-%time% >> "%logloc%\%sigupdatelog%"
echo Downloading files from mirror...  >> "%logloc%\%sigupdatelog%"

rem grab all Sanesecurity mirrored files
rem place into dbtemp directory
SET CYGWIN=nontsec

rem ### Normal *public* rsync address is: rsync.sanesecurity.net
rem ### If you have been given a private donators rsync address, replace it in the line below

winrsync\rsync.exe --timeout 120 -i -vv -p -z -t rsync://rsync.sanesecurity.net/sanesecurity/* dbtemp >> "%logloc%\%sigupdatelog%"

rem copy only changed files into ClamWin/ClamAV database directory
echo Copying changed databases into ClamAV database [%db%] directory...
echo Copying changed databases into ClamAV database [%db%] directory...  >> "%logloc%\%sigupdatelog%"
rem 'echo f' answers xcopy's file-or-directory prompt; /M copies only files whose archive bit is set (i.e. changed since last copy)
for /f "delims=" %%i in (signames.txt) do echo f|xcopy /F /M /Y "dbtemp\%%i" "%db%\%%i" >> "%logloc%\%sigupdatelog%"

rem echo Reloading ClamD....
rem echo Reloading ClamD....  >> "%logloc%\%sigupdatelog%"
rem reload clamd databases
rem net stop clamd
rem net start clamd

echo Finished: %date%-%time% >> "%logloc%\%sigupdatelog%"
echo Finished: %date%-%time%

rem archive older logs into one 7z file; each log is deleted only after 7-Zip reports success (&&, not &)
for %%i in ("%logloc%\sigupdate_????-*.log") do if not "%%~nxi"=="%sigupdatelog%" "C:\Program Files\7-Zip\7z.exe" a -t7z "%logloc%\SigUpdateLogs.7z" -uq0 "%%i" && del "%%i"
:fin


Last edited by jimimaseye on Tue Feb 16, 2016 2:44 pm; edited 2 times in total
GuitarBob


Joined: 09 Jul 2006
Posts: 4376
Location: USA
ClamWin uses all the databases you have if they are properly installed. If they are not, you should probably get an error message when you try to scan. You can check the Clam AV detection by downloading the EICAR test file and scanning it.

I've used the non-Clam AV databases some time ago for a while, but I prefer to stick to the "official" DB. That should be enough if you use ClamWin as a backup scanner to a real-time AV as the ClamWin developers recommend.

I wouldn't contribute anything until your financial situation is more stable.

Thanks for using ClamWin!

Regards,
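Craig's question above (how to tell that ClamWin is really loading the Sanesecurity files), jimimaseye's points 3 to 5, and GuitarBob's EICAR suggestion can be turned into a check you can script. Note that the EICAR file only proves the official main/daily databases are loaded, since its signature lives there; for the unofficial files the useful evidence is (a) the file is present and fresh in the directory named by clamwin.conf and (b) clamscan can load that one file and counts its signatures. The Python below is an added example written for this thread, not code from the forum post, from ClamWin or from Sanesecurity. It assumes clamwin.conf is INI-style with a [ClamAV] section and a 'database=' key (the same key the batch file above reads), that signames.txt lists one database file name per line, that clamscan accepts a single file in --database, and that clamscan ends a scan with a 'Known viruses: N' summary line. The directory and summary text the demo builds are constructed, not real scan output.

```python
"""Check that the Sanesecurity databases named in signames.txt reached
ClamWin's database directory and that clamscan can load each of them.

Added example for this thread; not code from the forum post, ClamWin or
Sanesecurity. Assumptions: clamwin.conf is INI-style with a [ClamAV]
section holding a 'database=' key; signames.txt holds one database file
name per line; clamscan accepts a single file in --database and prints a
'Known viruses: N' line in its scan summary.
"""
import configparser
import os
import re
import subprocess
import tempfile
import time
from pathlib import Path

STALE_AFTER_HOURS = 24  # Sanesecurity publishes hourly, so a day-old file means the updater stalled


def db_dir_from_conf(conf_path):
    """Database directory as configured in clamwin.conf ([ClamAV] database=...)."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read(conf_path, encoding="utf-8")
    return Path(cfg["ClamAV"]["database"].strip().strip('"'))


def read_signames(signames_path):
    """Expected database file names; blank lines and ';' comments are skipped."""
    names = []
    for raw in Path(signames_path).read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if line and not line.startswith(";"):
            names.append(line)
    return names


def check_databases(db_dir, names, now=None, max_age_hours=STALE_AFTER_HOURS):
    """Map each expected database to 'ok', 'missing' or 'stale' (mtime too old)."""
    now = time.time() if now is None else now
    status = {}
    for name in names:
        path = Path(db_dir) / name
        if not path.is_file():
            status[name] = "missing"
        elif now - path.stat().st_mtime > max_age_hours * 3600:
            status[name] = "stale"
        else:
            status[name] = "ok"
    return status


def known_viruses(scan_output):
    """Signature count from the 'Known viruses:' line of a clamscan summary."""
    m = re.search(r"^Known viruses:\s*(\d+)\s*$", scan_output, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Known viruses' line in clamscan output")
    return int(m.group(1))


def signatures_loaded_from(db_file, target, clamscan="clamscan"):
    """Load exactly one database file and report how many signatures it adds.
    clamscan exits with status 2 when a database cannot be parsed, which is
    the failure a directory listing alone would never show."""
    proc = subprocess.run([clamscan, f"--database={db_file}", str(target)],
                          capture_output=True, text=True)
    if proc.returncode == 2:
        raise RuntimeError(f"{db_file}: {proc.stderr.strip() or proc.stdout.strip()}")
    return known_viruses(proc.stdout)


def demo():
    """Constructed sample: a temporary db directory with one fresh, one stale
    and one missing database, plus a constructed clamscan summary."""
    now = 1_455_640_000  # fixed 'now' so the result is deterministic
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        db = tmp / "db"
        db.mkdir()
        (tmp / "clamwin.conf").write_text(f"[ClamAV]\ndatabase={db}\n", encoding="utf-8")
        (tmp / "signames.txt").write_text("; sample list\nbadmacro.ndb\nphish.ndb\nrogue.hdb\n",
                                          encoding="utf-8")
        fresh, stale = db / "badmacro.ndb", db / "phish.ndb"
        fresh.write_text("Sample.Sig.UNOFFICIAL:0:*:41424344\n", encoding="utf-8")
        stale.write_text("Sample.Old.UNOFFICIAL:0:*:45464748\n", encoding="utf-8")
        os.utime(fresh, (now - 600, now - 600))
        os.utime(stale, (now - 3 * 86400, now - 3 * 86400))
        status = check_databases(db_dir_from_conf(tmp / "clamwin.conf"),
                                 read_signames(tmp / "signames.txt"), now=now)
    summary = "----------- SCAN SUMMARY -----------\nKnown viruses: 4161234\nEngine version: 0.99\n"
    return status, known_viruses(summary)


if __name__ == "__main__":
    print(demo())
```

On a real install, call `check_databases(db_dir_from_conf(conf), read_signames(names))` against the paths from the thread and then `signatures_loaded_from(db_dir / "badmacro.ndb", some_file, clamscan=r"C:\Program Files (x86)\ClamWin\bin\clamscan.exe")` for each file reported 'ok'; a count of zero or a parse error means the file is sitting in the directory but contributing nothing.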
jimimaseye


Joined: 04 Jan 2014
Posts: 95
GuitarBob wrote:
That should be enough if you use ClamWin as a backup scanner to a real-time AV as the ClamWin developers recommend.

Once the oven has cooked the chicken, to be sure it isn't still raw inside, show it to a candle.
GuitarBob


Joined: 09 Jul 2006
Posts: 4376
Location: USA
Well, yesterday I checked a malware on Virus Total. It was only detected by a handful of AVs, and Clam AV was one of them. It just depends upon what you get.

Instead of email attachments, the majority of viruses are now being spread via poisoned web sites, and you are redirected several times before you get to the site. So Clam probably relies upon Virus Total submissions unless it has a user that gets an attachment with a current malware. Clam AV has a place. If Bitdefender doesn't see a virus, they will not see it either. Clam AV certainly has a place for those who want it.

By the way, when I was working signatures, Bitdefender didn't do that well at detecting non-PE malware. Perhaps it's changed now with the comeback of macro malware, but Avira, Sophos, and Eset usually detected doc, JS, html, etc. first.

Regards,
jimimaseye


Joined: 04 Jan 2014
Posts: 95
I actually run Avira on my home laptop as it happens. (I would have swapped to Bitdefender but there is a little more tailorability/user control with Avira than there is Bitdefender FREE home edition).

FYI:
https://www.virustotal.com/en/file/ca8ee2783cdfe60ebcfbe1991ffbd952dc7c2bbab375b1e0f8f85b2a32d5a803/analysis/1455646006/ 3? months old

https://www.virustotal.com/en/file/14aff6171866b62575af7f71febd172727503aef58182443d7ebdca11d61a458/analysis/1455646242/ 17 months old!

https://www.virustotal.com/en/file/fcc639ddaf9b671fd1efdd70ad5a9358a18e9b3acd0e89f819a561933583c178/analysis/1455646471/ 2? months old.

All were uploaded to Clam as viruses (after being tested on VT) by me at the time of receiving them. Can you imagine the damage done in 17 months by those reliant on Clam?

This one: https://www.virustotal.com/en/file/1e9df8f10f5e9fc4cd48d79f3b58b01a44cd54ff1d57114227613700b898a996/analysis/1455646643/ received 15th January and STILL not detected by any of the signatures except SANESECURITY signatures (as a dangerous macro Doc) "Sanesecurity.Badmacro.Doc.badps1.UNOFFICIAL"
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
Well, you can always write your own signatures and submit them to the Clam team. Not sure what their response time is for pushing community signatures. Mine has always been different. Sometimes a week, sometimes a day.
jimimaseye


Joined: 04 Jan 2014
Posts: 95
ROCKNROLLKID wrote:
Well, you can always write your own signatures and submit them to the Clam team.

Well yes, its an option. IF......

a, you have the time and technical ability to do this. Most people are just end users of such software
b, you think that being the victim of a virus attack because it was not covered by your chosen anti-virus software is morally compensated by choosing to write a signature yourself so that OTHERS don't suffer and can benefit from your misery (assuming once you have been hit you still have and can identify the incoming seed for you to extract the info from, oh and that Clam actually receive and adapt your signature. Taking a week is just ridiculous, and 17 months (and counting...) is even worse)

Personally, I don't fit either of the above profiles. I have no joy in wasting my time on the hope my signatures will help others whilst leaving my efforts at the mercy of a slack signature team/company, nor would I have a clue what to do even if I did. We are end users. I choose to use a dedicated team that provide signatures and software within a reasonable timeframe and with proven results (hence my use of 3rd party signatures for Clam and Bitdefender for the office clients)

You don't go to the supermarket to buy some milk and get given a cow and an empty bottle and told to milk your own.
GuitarBob


Joined: 09 Jul 2006
Posts: 4376
Location: USA
I usually make a couple of signatures each day for myself based on a Sophos feed--old habits die hard. I delete the prior month sigs from the DB after a couple of weeks into the new month--assume either Clam has a sig or the malware is outdated by then. The Sane sigs should be good enough--they are developed by some dedicated people. The Clam AV sigs especially need some supplementation in the non-PE stuff for us Windows users.

Regards,
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 562
Location: **UNKNOWN**
The signatures you rely on (sanesecurity) are pretty much end users themselves. They write them in their spare time and no one gets paid, outside of donations. The same is with ClamWin and ClamAV.

It is actually quite easy to make a static signature at ClamAV. It is the bytecode ones that are time consuming.
jimimaseye


Joined: 04 Jan 2014
Posts: 95
ROCKNROLLKID wrote:
The signatures you rely on (sanesecurity) are pretty much end users themselves. The same is with ClamWin and ClamAV.
Maybe so. Indeed, you don't need to be a commercial outfit to generate worthwhile sigs. The word missing here is DEDICATED. Sane seem to be on the case 24 hours a day and pride themselves in what they do (after all: pride = quality = success = donations = worth while and everyone happy) whereas it seems Clam sig makers fall down on the first step. Dedicated to providing the SOFTWARE and the brand name and making it look nice on a website but then fall short on ensuring it is in any use (like selling a Mercedes car because of its luxury and forgetting to put a decent engine in it. Looks good, and technically it IS a car as advertised. But rubbish when you come to use it).

P.S. For those that say "Clam is mainly written for use on Linux (and therefore understandably falls short on windows systems)...." ...I thought the linux world was proud and said that you don't get viruses on Linux and that windows is the most dangerous and targeted OS in the world. So what is the point of making antivirus software dedicated to linux systems (which don't get viruses) and no signatures any good for windows that does? (I think the answer to Clam's long-term existence is in that question.)
sanesecurity


Joined: 09 Feb 2007
Posts: 7
Just a few FP updates:

1) I submitted a few FP's to the ClamAV team and most of them have now been fixed, mainly Win.Downloader.Kuluoz-36
2) The FP reporting page at ClamAV has now been fixed: http://www.clamav.net/reports/fp

Concerning Sanesecurity signature generation:

a) Some sigs are static hashes and generated automatically (hourly) (rogue.hdb)
b) Some sigs are spam/malware domains found in my spam feed(s) and generated automatically (hourly) (blurl.ndb/jurlbl.ndb)
c) Some sigs are manually generated (such as phish.ndb/badmacro.ndb and foxhole ones)

Overall they should provide enough generic sigs to block stuff right from the start and if that doesn't block it, the
automatic stuff should block the bad stuff at least hourly, which isn't too bad :)

Cheers,

Steve
Sanesecurity.com
CraigJConrad


Joined: 13 Feb 2016
Posts: 10
Well, I just got the first ClamWin scan report that reflects use of the SaneSecurity signatures. It reported nearly 400 problems -- all in files that have been there and stable for at least six months (some for eight years). The majority of them are Excel workbooks tagged with "Sanesecurity.Badmacro.Doc.admin.UNOFFICIAL FOUND". What is interesting is that nearly all of those are VBA macros for which I wrote 100% of the code. I'd be interested in knowing what I did in them that causes them to be marked as harmful. These macros do use Excel objects/services to read the directories, open/read/delete/create files, open/read/update MDBs, etc. Is that what leads to being tagged this way?
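Craig's last post asks what in his own Excel macros trips Sanesecurity.Badmacro.Doc.admin.UNOFFICIAL. The thread does not say, but the way to find out is to read the signature itself: 'sigtool --find-sigs=<name>' prints the .ndb line for a named signature, whose last field is a hex pattern with wildcards, and ClamAV lets you skip a signature by name by listing it in a local.ign2 file in the database directory. The Python below is an added example written for this thread, not code from the post, ClamWin or Sanesecurity: it decodes .ndb hex bodies into readable text with the ?? / * / {n-m} wildcards kept visible, and appends names to local.ign2 without duplicating them. The two signature lines it decodes are constructed for the demo and are not Sanesecurity's real badmacro.ndb entries; the .ndb field layout, the wildcard syntax and the local.ign2 mechanism are taken from ClamAV's documented signature format.

```python
"""Decode what an unofficial .ndb signature matches, then allowlist by name.

Added example for this thread; not code from the forum post, ClamWin or
Sanesecurity. SAMPLE_NDB is constructed for the demo and is not the real
badmacro.ndb. Assumptions about the real tools: an .ndb line is
'Name:TargetType:Offset:HexSignature'; 'sigtool --find-sigs=<name>' prints
the real line for a signature; ClamAV skips signatures whose names are
listed one per line in local.ign2 inside the database directory.
"""
import re
import tempfile
from pathlib import Path

# Constructed sample lines (target type 0 = any file type, offset * = anywhere in the file)
SAMPLE_NDB = """\
Example.Badmacro.Doc.admin.UNOFFICIAL:0:*:5368656c6c28??2a{2-8}636d642e657865
Example.Badmacro.Doc.badps1.UNOFFICIAL:0:*:706f7765727368656c6c*2d656e63
"""

# One token of a ClamAV hex body: ?? any byte, a?/?a nibble wildcard, * any run,
# {n-m} n..m bytes, [n-m] bounded jump, (aa|bb) alternatives / (B) boundary, or a hex byte.
TOKEN = re.compile(
    r"\?\?|[0-9a-fA-F]\?|\?[0-9a-fA-F]|\*|\{[0-9-]*\}|\[\d+-\d+\]|!?\([^)]*\)|[0-9a-fA-F]{2}"
)


def parse_ndb(text):
    """Yield (name, target_type, offset, hexsig) for each non-blank .ndb line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, target, offset, hexsig = line.split(":", 3)
        yield name, int(target), offset, hexsig


def decode_hexsig(hexsig):
    """Render a hex body as text; every wildcard stays visible as <...>."""
    out, pos = [], 0
    for m in TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"unrecognised signature syntax at {pos}: {hexsig[pos:]!r}")
        tok = m.group(0)
        if len(tok) == 2 and "?" not in tok:
            b = int(tok, 16)
            out.append(chr(b) if 32 <= b < 127 else f"\\x{b:02x}")
        else:
            out.append(f"<{tok}>")
        pos = m.end()
    if pos != len(hexsig):
        raise ValueError(f"trailing text in signature: {hexsig[pos:]!r}")
    return "".join(out)


def explain(ndb_text):
    """Signature name -> decoded pattern: the thing to read before deciding
    whether a hit on a workbook you wrote yourself is a false positive."""
    return {name: decode_hexsig(hexsig) for name, _t, _o, hexsig in parse_ndb(ndb_text)}


def allowlist(db_dir, names):
    """Append signature names to local.ign2 in the database directory so the
    engine stops reporting them. Returns the names actually added (no duplicates).
    Allowlisting silences the signature for every file scanned, not just yours."""
    path = Path(db_dir) / "local.ign2"
    present = set(path.read_text(encoding="utf-8").split()) if path.exists() else set()
    added = []
    for n in names:
        if n not in present:
            added.append(n)
            present.add(n)
    if added:
        with path.open("a", encoding="utf-8") as fh:
            fh.write("".join(n + "\n" for n in added))
    return added


def demo():
    """Decode the constructed sample and allowlist one name in a temporary db dir."""
    decoded = explain(SAMPLE_NDB)
    with tempfile.TemporaryDirectory() as tmp:
        first = allowlist(tmp, ["Example.Badmacro.Doc.admin.UNOFFICIAL"])
        second = allowlist(tmp, ["Example.Badmacro.Doc.admin.UNOFFICIAL"])  # repeat adds nothing
        ign2 = (Path(tmp) / "local.ign2").read_text(encoding="utf-8")
    return decoded, first, second, ign2


if __name__ == "__main__":
    for name, pattern in explain(SAMPLE_NDB).items():
        print(f"{name}: {pattern}")
```

Read the decoded pattern before allowlisting: if a signature is looking for something like Shell( followed within a few bytes by cmd.exe and your macro genuinely does that, the hit is technically correct and an ign2 entry hides that behaviour in every document ClamWin scans, not only in your own workbooks. The honest alternative is to report the false positive to Sanesecurity with the file, as Steve's post above describes doing for ClamAV's own signatures.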
Sudden malware or false positives?
Page 6 of 7  