Discussion:
[clamav-users] clamsubmit error
Arnaud Jacques
2018-05-05 05:38:13 UTC
Hello,

Wanted to send some files to ClamAV using clamsubmit, got this error :

invalid cfduid and/or session id values provided by
clamav.net/presigned. Unable to continue submission.

Seems to be an error on ClamAV side... Is there something wrong ?

I did :
clamsubmit -e ***@securiteinfo.com -N Arnaud Jacques -n myfile
--
Cordialement / Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Phone : +33-(0)3.44.39.76.46
E-mail : ***@securiteinfo.com
Website : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#
Benny Pedersen
2018-05-05 12:30:11 UTC
space is new arg ?

clamsubmit -e ***@securiteinfo.com -N "Arnaud Jacques" -n myfile

untested

imho create clamsubmit.conf as a ticket for new releases of clamav
would be helpful

so it could be just clamsubmit <file>
Joel Esler (jesler)
2018-05-05 17:55:29 UTC
I like this idea.
Post by Benny Pedersen
space is new arg ?
untested
imho create clamsubmit.conf as a ticket for new releases of clamav would be helpful
so it could be just clamsubmit <file>
Joel Esler (jesler)
2018-05-05 17:56:09 UTC
for I in `ls -l /tmp/files/malicious` do clamsubmit $I; done
Post by Benny Pedersen
space is new arg ?
untested
imho create clamsubmit.conf as a ticket for new releases of clamav would be helpful
so it could be just clamsubmit <file>
Arnaud Jacques
2018-05-05 18:55:35 UTC
Hello Joel,
Post by Joel Esler (jesler)
for I in `ls -l /tmp/files/malicious` do clamsubmit $I; done
ls -l ? Are you sure ? :)

Anyway, ATM, clamsubmit does not work.
Could you please give me some details about this error :
invalid cfduid and/or session id values provided by clamav.net/presigned.
Is it on my side or ClamAV side ?
How to resolve this ?
Thank you in advance.
Walter H.
2018-05-05 19:11:01 UTC
Post by Arnaud Jacques
Hello Joel,
Post by Joel Esler (jesler)
for I in `ls -l /tmp/files/malicious` do clamsubmit $I; done
ls -l ? Are you sure ? :)
no just this

for I in /tmp/files/malicious/*; do clamsubmit -N 'Me' -e ***@domain -n "$I"; done
Luca Moscato
2018-10-18 09:28:41 UTC
Hi there! Got the (almost) same issue here.

We gather all malwares from Das Malwerk and scan it with clamav, we
wanted to submit all false negatives we found but using clamsubmit this way

clamsubmit -n /home/luca/malware/d77aca7d-f9f1-11e7-b482-80e65024849a.file -N luca -e ***@funambol.com

I receive:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a
href="http://www.clamav.net/sendmalware.cgi">here</a>.</p>
</body></html>

Is it expected?


Thanks

Luca

Micah Snyder (micasnyd)
2018-10-18 16:25:58 UTC
Hi Luca,

What version of ClamAV are you using?

Clamsubmit is broken in older versions of ClamAV but should be working in v0.100.1+


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Oct 18, 2018, at 5:28 AM, Luca Moscato <***@funambol.com> wrote:

Hi there! Got the (almost) same issue here.

We gather all malwares from Das Malwerk and scan it with clamav, we wanted to submit all false negatives we found but using clamsubmit this way

clamsubmit -n /home/luca/malware/d77aca7d-f9f1-11e7-b482-80e65024849a.file -N luca -e ***@funambol.com

I receive:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.clamav.net/sendmalware.cgi">here</a>.</p>
</body></html>

Is it expected?


Thanks

Luca


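Added example (not part of any post in this thread, and not ClamAV project code): a pre-flight version check and batch loop that combine the "working in v0.100.1+" statement above with the quoted `for` loop posted earlier. `SUBMITTER_NAME`, `SUBMITTER_EMAIL`, and the assumption that clamsubmit exits non-zero when a submission fails are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight check plus batch loop around clamsubmit.
# MIN_VERSION is taken from the thread ("should be working in v0.100.1+").
# SUBMITTER_NAME / SUBMITTER_EMAIL are placeholder variables set by the caller.
MIN_VERSION="0.100.1"

# Extract "0.100.0" from a banner such as
# "ClamAV 0.100.0/24544/Sun May 6 06:28:26 2018" (format shown in the thread).
parse_clamav_version() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when dotted version $1 >= $2. Fields are compared numerically,
# so 0.100.0 ranks above 0.99.4 (a plain string comparison gets this wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Submit every regular file in directory $1 and print the number of failures.
# Returns 2 without submitting anything if clamsubmit is missing or too old.
submit_dir() {
    dir=$1
    failed=0
    banner=$(clamsubmit -v 2>/dev/null) || { echo "clamsubmit not found" >&2; return 2; }
    ver=$(parse_clamav_version "$banner")
    if [ -z "$ver" ] || ! version_ge "$ver" "$MIN_VERSION"; then
        echo "clamsubmit ${ver:-unknown} is older than $MIN_VERSION" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Quote every expansion so a name or path with spaces stays one argument.
        # Assumption: clamsubmit exits non-zero when the submission fails.
        clamsubmit -N "$SUBMITTER_NAME" -e "$SUBMITTER_EMAIL" -n "$f" \
            || failed=$((failed + 1))
    done
    echo "$failed"
}

# Usage (placeholders): SUBMITTER_NAME='First Last' SUBMITTER_EMAIL='me@example.invalid'
#                       submit_dir /tmp/files/malicious
```
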
Benny Pedersen
2018-05-05 20:29:48 UTC
Post by Joel Esler (jesler)
for I in `ls -l /tmp/files/malicious` do clamsubmit $I; done
+1

add option to clamav-milter.conf to extract file attachment from email,
but only from 3rd party signatures

that way more malware would soon be detected

not needed if it's already detected

wish to see foxhole as std signature
Joel Esler (jesler)
2018-05-05 22:28:15 UTC
Files that come in via the website, for the most part, are processed automatically. There is a lot of automation going on with web submissions.
Post by Joel Esler (jesler)
for I in `ls -l /tmp/files/malicious` do clamsubmit $I; done
+1
add option to clamav-milter.conf to extract file attachment from email, but only from 3rd party signatures
that way more malware would soon be detected
not needed if it's already detected
wish to see foxhole as std signature
Walter H.
2018-05-05 19:21:37 UTC
Post by Arnaud Jacques
Hello,
invalid cfduid and/or session id values provided by
clamav.net/presigned. Unable to continue submission.
Seems to be an error on ClamAV side... Is there something wrong ?
I get this Error

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /sendmalware.cgi was not found on this server.</p>
</body></html>

I did

clamsubmit -e EMAIL -n FILE -N NAME
Joel Esler (jesler)
2018-05-05 22:27:40 UTC
Are you using a current version of clamsubmit?
Post by Walter H.
Post by Arnaud Jacques
Hello,
invalid cfduid and/or session id values provided by clamav.net/presigned. Unable to continue submission.
Seems to be an error on ClamAV side... Is there something wrong ?
I get this Error
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /sendmalware.cgi was not found on this server.</p>
</body></html>
I did
clamsubmit -e EMAIL -n FILE -N NAME
Arnaud Jacques
2018-05-06 05:28:08 UTC
Post by Joel Esler (jesler)
Are you using a current version of clamsubmit?
Yes. Using Debian :

clamsubmit -v
ClamAV 0.100.0/24544/Sun May 6 06:28:26 2018
Walter H.
2018-05-06 06:48:34 UTC
Post by Arnaud Jacques
Post by Joel Esler (jesler)
Are you using a current version of clamsubmit?
clamsubmit -v
ClamAV 0.100.0/24544/Sun May 6 06:28:26 2018
Using CentOS 6

clamsubmit -v
ClamAV 0.99.4/24541/Sat May 5 06:29:16 2018
Micah Snyder (micasnyd)
2018-05-07 11:47:17 UTC
Sorry to say that clamsubmit from ClamAV 0.99.4 is not expected to work.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On May 6, 2018, at 2:48 AM, Walter H. <***@mathemainzel.info> wrote:

On 06.05.2018 07:28, Arnaud Jacques wrote:


On 06/05/2018 at 00:27, Joel Esler (jesler) wrote:
Are you using a current version of clamsubmit?

Yes. Using Debian :

clamsubmit -v
ClamAV 0.100.0/24544/Sun May 6 06:28:26 2018


Using CentOS 6

clamsubmit -v
ClamAV 0.99.4/24541/Sat May 5 06:29:16 2018

Micah Snyder (micasnyd)
2018-05-07 11:45:29 UTC
clamsubmit with ClamAV 0.100.0 should work fine. I am surprised to see that error. We fixed code in the near vicinity to that error statement shortly before the 0.100 release.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On May 6, 2018, at 1:28 AM, Arnaud Jacques <***@securiteinfo.com> wrote:

On 06/05/2018 at 00:27, Joel Esler (jesler) wrote:
Are you using a current version of clamsubmit?

Yes. Using Debian :

clamsubmit -v
ClamAV 0.100.0/24544/Sun May 6 06:28:26 2018
Thomas McCourt (tmccourt)
2018-05-11 13:23:20 UTC
No such thing as 'too many submissions for us'
We will take them all



On 5/11/18, 9:21 AM, "clamav-users on behalf of Arnaud Jacques" <clamav-users-***@lists.clamav.net on behalf of ***@securiteinfo.com> wrote:

Hello Jesler,
Is that you sending us all those submissions?! Fantastic amount!
Yes it is me.
Is it too many samples for you ?
I got so many to upload...
Time for Clamav to create generic signatures to detect all of these ;)


Micah Snyder (micasnyd)
2018-05-09 17:39:10 UTC
It should be working again.

It appears that the move to force HTTPS redirection broke clamsubmit.
As you've noted, clamsubmit has not yet been upgraded to support HTTPS. It's not ideal, and I certainly wish to upgrade clamsubmit so it protects sensitive submissions, and so we can re-enable forced HTTPS redirection for all of clamav.net.

The web interface, however, can do both http and https.

-Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On May 9, 2018, at 10:07 AM, Arnaud Jacques <***@securiteinfo.com> wrote:

Hello,

clamsubmit with ClamAV 0.100.0 should work fine. I am surprised to see that error. We fixed code in the near vicinity to that error statement shortly before the 0.100 release.

I went deeper today : I listened to the HTTP flow when I use
clamsubmit version 0.100.0 :

GET /reports/malware HTTP/1.1
Host: www.clamav.net
Accept: */*

HTTP/1.1 301 Moved Permanently
Date: Wed, 09 May 2018 13:56:37 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Wed, 09 May 2018 14:56:37 GMT
Location: https://www.clamav.net/reports/malware
Server: cloudflare
CF-RAY: 4184aba783bb68ba-CDG


It seems clamsubmit uses the wrong (old) URL.
How is it possible in v0.100.0 ?

Bonus : it sends malware or false positives using HTTP, an unencrypted submission. So it could transfer sensitive information over the network in clear text using clamsubmit.

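Added example (not part of the thread, and not ClamAV code): a check that reads a raw HTTP response like the capture quoted above and reports whether the server answered a plain-HTTP request with a redirect to the same URL over HTTPS, which is the forced-redirection case this message describes. The function names and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a captured HTTP response.
# classify_redirect REQUEST_URL   (raw response headers on stdin)
# Prints one of: https-upgrade | other-redirect | not-a-redirect
classify_redirect() {
    awk -v req="$1" '
        { sub(/\r$/, "") }                  # tolerate CRLF line endings
        NR == 1 { status = $2; next }       # e.g. "HTTP/1.1 301 Moved Permanently"
        $0 == "" { exit }                   # blank line ends the header block
        tolower($1) == "location:" { loc = $2 }
        END {
            if (status !~ /^30[12378]$/) { print "not-a-redirect"; exit }
            r = req; l = loc
            # Same host and path, only the scheme changed from http to https:
            # a client without TLS support cannot complete this request.
            if (sub(/^http:\/\//, "", r) && sub(/^https:\/\//, "", l) && r == l)
                print "https-upgrade"
            else
                print "other-redirect"
        }'
}

# Constructed sample modelled on the capture quoted in the thread.
sample_response() {
    printf '%s\r\n' \
        'HTTP/1.1 301 Moved Permanently' \
        'Connection: keep-alive' \
        'Cache-Control: max-age=3600' \
        'Location: https://www.clamav.net/reports/malware' \
        'Server: cloudflare' \
        ''
}

# Usage: sample_response | classify_redirect 'http://www.clamav.net/reports/malware'
```
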
Joel Esler (jesler)
2018-05-11 13:11:34 UTC
On May 9, 2018, at 3:43 PM, Benny Pedersen <***@junc.eu> wrote:

Micah Snyder (micasnyd) wrote on 2018-05-09 19:39:

The web interface, however, can do both http and https.

if users can do 2 things, most will do incorrect way

turning off ssl is not a good option to any problem

We will adjust clamsubmit to work with https in an upcoming release.
Joel Esler (jesler) via clamav-users
2018-05-11 14:06:20 UTC
We may be able to provide you a better way to do this, if you have a massive amount?
Post by Thomas McCourt (tmccourt)
Hello Jesler,
Is that you sending us all those submissions?! Fantastic amount!
Yes it is me.
Is it too many samples for you ?
I got so many to upload...
Time for Clamav to create generic signatures to detect all of these ;)
Arnaud Jacques via clamav-users
2018-05-11 14:23:34 UTC
Hello Joel,
Post by Joel Esler (jesler) via clamav-users
We may be able to provide you a better way to do this, if you have a massive amount?
Yes, I have a massive amount, but anyway there is no problem for me to use
clamsubmit.