Clamav Mac Dmg

Jan 28, 2021

ClamAV's embedded file type recognition detects some files found in non-archive formats, but for archive formats and compressed data streams like bzip2 and gzip, it will often detect file type magic bytes of compressed files and then attempt to parse the compressed data as if they were whole files, resulting in wasted CPU cycles and confusing warnings.

ClamAV is an extremely advanced command-line driven antivirus for UNIX-based systems. ClamXav is a port for Mac OS X, complete with a GUI. One of the best antivirus programs for OS X. Compatibility: Architecture: PPC, x86 (Intel Mac). The first download is for Snow Leopard (10.6), the second is for Leopard (10.5), and the third is for Tiger (10.4).

I don’t have all the information on this yet, but I’ve had two ClamXav users complain today of commercial software being identified as infected by Osx.Trojan.FkCode-1. I can’t locate it on the clamav-virusdb list, but perhaps it was just added today.
The first is 'accordion.1.6.2(83).dmg', downloaded from <http://yourhead.com/accordion/download/index.html> which I verified was identified. It’s a RapidWeaver Plug-in from YourHead.com.
I submitted it to VirusTotal with the following 1/51 results:
<https://www.virustotal.com/en/file/ae4258463f9d5d339920da61a381f3dec366cb4598bd3fe1d3a0e9af2f4624ec/analysis/>.
So I uploaded it to Send a false positive report, but got the following response:
> Result:
> This file is not detected by ClamAV. Please update your CVD database before reporting false-positives. If you are using third-party databases/unofficial signatures, please contact the author of the signature. We can only process false-positives generated by ClamAV Official signatures.
>
> Please correct the above errors and retry. Thank you for helping the ClamAV project.

I updated definitions and it was still detected as infected. ClamXav is still using v0.98.1. I’ve had this happen once before, but have no idea how it could test positive on two Macs and VirusTotal, but not on your site.
MD5 = f247e5f45b7a30ce600be34e66d93fa8
The second file is named 'Rapport-5.dmg', which is an older version of Trusteer Rapport for Mac. The latest version does not test positive, but that’s not surprising to me. I’ve asked the user to upload his file to VirusTotal and will post the results once I have them.
This is yet another example of OS X .dmg files being falsely identified as infected. All of these signatures follow the same pattern of detecting multiple strings of characters (mostly the letter “a”) contained in an XML section of the .dmg file. I believe this is provided as overhead information concerning the file and does not contain any data at all to positively identify the contents of the image file. Since the formats of the XML portion of the .dmg files are all very similar, I suspect it will be extremely difficult to uniquely fingerprint such files by using XML strings.
-Al-
--
Al Varnell
Mountain View, CA
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml

ClamAV is a command line virus scanner. It runs on all the major platforms: Windows, Linux, and OS X. You can download the source and install it from there, or you can follow these simple steps to install it using MacPorts.

To install ClamAV, first list the available ports whose names include clam:

port search clam

Then, to install them, issue:

sudo port install clamav clamav-server clamsmtp p5-mail-clamav

Once the ports are installed you'll need to configure ClamAV. The following is an extract from the port installation output:

To configure clamd and freshclam look for the following files:
/opt/local/etc/clamd.conf
/opt/local/etc/freshclam.conf

If these files do not exist you can copy the sample conf files into place:

sudo cp /opt/local/etc/clamd.conf.sample /opt/local/etc/clamd.conf
sudo cp /opt/local/etc/freshclam.conf.sample /opt/local/etc/freshclam.conf

Edit /opt/local/etc/clamd.conf to your liking, example:

# Comment out 'Example' near the top if it exists
#Example
LogFile /opt/local/var/log/clamav/clamd.log
PidFile /opt/local/var/run/clamav/clamd.pid
LocalSocket /opt/local/var/run/clamav/clamd.socket
TCPSocket 3310
TCPAddr 127.0.0.1
Foreground yes

Edit /opt/local/etc/freshclam.conf to your liking, example:

# Comment out 'Example' near the top if it exists
#Example
UpdateLogFile /opt/local/var/log/clamav/freshclam.log
PidFile /opt/local/var/run/clamav/freshclam.pid
NotifyClamd /opt/local/etc/clamd.conf

The important thing when editing these configuration files is that the directories for clamd and freshclam point to the same directories. I let mine point to:

/opt/local/var/log/clamav/
/opt/local/var/run/clamav/
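
One way to check the two files against each other before starting the daemons, as an added example that is not part of the original tutorial or of ClamAV itself. The function names are hypothetical and the sample input is constructed from the example settings above; the loopback check is included because clamd's TCP socket has no authentication.

```python
import posixpath
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_conf(text):
    """Parse clamd.conf / freshclam.conf text into {option: [values]}."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            key, _, value = line.partition(" ")
            opts.setdefault(key, []).append(value.strip())
    return opts

def _dir(conf, key):
    return posixpath.dirname(conf[key][0]) if key in conf else None

def check(clamd_text, fresh_text, clamd_path="/opt/local/etc/clamd.conf"):
    """Return a list of problems; an empty list means the pair is consistent."""
    clamd, fresh = parse_conf(clamd_text), parse_conf(fresh_text)
    problems = []
    for name, conf in (("clamd.conf", clamd), ("freshclam.conf", fresh)):
        if "Example" in conf:  # the daemons refuse to start while this is active
            problems.append(f"{name}: Example line is not commented out")
    for c_key, f_key in (("LogFile", "UpdateLogFile"), ("PidFile", "PidFile")):
        if _dir(clamd, c_key) != _dir(fresh, f_key):
            problems.append(f"{c_key}/{f_key}: directories differ")
    if "TCPSocket" in clamd:
        # Without TCPAddr, clamd listens on every interface.
        addrs = clamd.get("TCPAddr", [])
        if not addrs or any(a not in LOOPBACK for a in addrs):
            problems.append("clamd.conf: TCPSocket not restricted to loopback")
    if fresh.get("NotifyClamd") != [clamd_path]:
        problems.append("freshclam.conf: NotifyClamd does not point at clamd.conf")
    return problems

# Constructed sample input: the settings shown on this page, plus a broken variant.
GOOD_CLAMD = """#Example
LogFile /opt/local/var/log/clamav/clamd.log
PidFile /opt/local/var/run/clamav/clamd.pid
TCPSocket 3310
TCPAddr 127.0.0.1
"""
GOOD_FRESH = """#Example
UpdateLogFile /opt/local/var/log/clamav/freshclam.log
PidFile /opt/local/var/run/clamav/freshclam.pid
NotifyClamd /opt/local/etc/clamd.conf
"""
BAD_CLAMD = GOOD_CLAMD.replace("#Example", "Example").replace("TCPAddr 127.0.0.1\n", "")
print(check(BAD_CLAMD, GOOD_FRESH))
```

To run it against the real files, pass the contents of /opt/local/etc/clamd.conf and /opt/local/etc/freshclam.conf to check().
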

Also, make sure that TCPSocket and TCPAddr are set, enabling you to use ClamAV from within other programs.

After installation you'll need to create an entry in the port's share directory. The reason for this is that ClamAV runs in this directory and the directory is not created on installation. Create it like this:

sudo mkdir -p /opt/local/share/clamav
sudo chown clamav:clamav /opt/local/share/clamav

Now you're ready to run freshclam. Issue:

sudo freshclam -v
Current working dir is /opt/local/share/clamav
Max retries 3
ClamAV update process started at Thu Mar 24 00:01:09 2016
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 632
Software version from DNS: 0.99.1
main.cvd version from DNS: 57
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cvd version from DNS: 21470
daily.cld is up to date (version: 21470, sigs: 83891, f-level: 63, builder: neo)
bytecode.cvd version from DNS: 275
bytecode.cvd is up to date (version: 275, sigs: 45, f-level: 63, builder: amishhammer)

ClamAV will bring its virus signature databases up to date. When it is done, you're ready to scan your box. This is done by:
clamscan -ro ~/
----------- SCAN SUMMARY -----------
Known viruses: 4297361
Engine version: 0.99.1
Scanned directories: 132235
Scanned files: 595659
Infected files: 0
Total errors: 4
Data scanned: 72096.62 MB
Data read: 136687.80 MB (ratio 0.53:1)
Time: 22133.709 sec (368 m 53 s)

It'll take loads of time to finish. As with almost all other command-line tools, --help or man clamscan displays all the options you can pass to the program.

Next, you'll need to get ClamAV running automatically. Following the installation instructions, here is another extract:

Two launchd startup items have been installed.
To load clamd and freshclam do the following:
sudo launchctl load -w /Library/LaunchDaemons/org.macports.clamd.plist
sudo launchctl load -w /Library/LaunchDaemons/org.macports.freshclam.plist

To unload clamd and freshclam do the following:
sudo launchctl unload -w /Library/LaunchDaemons/org.macports.clamd.plist
sudo launchctl unload -w /Library/LaunchDaemons/org.macports.freshclam.plist

Issue both of the commands that load the daemons, then check that clamd is running:

ps -aef | grep clamd

The result should look somewhat like this:
0 25965 1 0 4:52PM ?? 0:07.78 /opt/local/sbin/clamd

If you are using Thunderbird and Firefox, you can use ClamAV to scan your downloads and your mail. Install the Firefox add-on Fireclam and the Thunderbird add-on clamdrib LIN.
The clamdrib LIN extension is meant for Linux only, but it runs fine with the port version of ClamAV. Simply press the "Download for Linux anyway" link
and import the add-on in Thunderbird. Ignore the *beware* message; if you do not trust me, check the contents of the plugin file, using unzip to extract it and inspect the code. It doesn't look malicious to me.

Next, go to the Thunderbird add-on and select the clamdrib preferences. Configure it to use the clamd available on localhost:3310.

Now, all you have to do to verify that ClamAV is running is to check your mail.

The ClamAV status is shown in the green blob above. The information is also shown in the preview pane in Thunderbird.