Actually, the clamscanner is now finding these files, so someone must have updated something since yesterday (which is when these files came in):
/home/HPRS/matkeson/Maildir/.SENT/cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S: Doc.Dropper.Agent-6374331-0 FOUND
/home/HPRS/matkeson/Maildir/.SENT/cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S!MAIL:InvoiceETT3600920.doc!...!(3)ZIP:docProps/core.xml: Doc.Dropper.Agent-6374331-0 FOUND

I'll go ahead and submit my file anyway, in case this is something different.

--Mark

-----Original Message-----
From: Steven Morgan <smor...@sourcefire.com>
Date: Wed, 15 Nov 2017 15:50:31 -0500
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] Virus Malvare not detected

Mark,

Please open a bug report about this issue at bugzilla.clamav.net. Please include your file and we can look into the issues.

Thanks,
Steve

On Wed, Nov 15, 2017 at 2:45 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
> I'm going to continue piggybacking onto this thread as it deals with Clamav's
> non-discovery of the malware attached to messages with the subject "Invoice
> ...". Although, I don't know if this is the same type of attachment.
>
> The attachments I've been getting are .docx files named as .doc files. In
> examining the contents of these archives I find:
>
> $ unzip -l InvoiceZGC3020188.doc
> Archive:  InvoiceZGC3020188.doc
>   Length      Date    Time    Name
> ---------  ---------- -----   ----
>      1510  01-01-1980 00:00   [Content_Types].xml
>       590  01-01-1980 00:00   _rels/.rels
>      1226  01-01-1980 00:00   word/_rels/document.xml.rels
>      5097  01-01-1980 00:00   word/document.xml
>      5424  01-01-1980 00:00   word/media/image1.emf
>    132276  01-01-1980 00:00   word/media/image2.png
>      6850  01-01-1980 00:00   word/theme/theme1.xml
>      6144  01-01-1980 00:00   word/embeddings/oleObject1.bin
>      4809  01-01-1980 00:00   word/settings.xml
>      1299  01-01-1980 00:00   word/fontTable.xml
>       576  01-01-1980 00:00   word/webSettings.xml
>       995  01-01-1980 00:00   docProps/app.xml
>     29121  01-01-1980 00:00   word/styles.xml
>       732  01-01-1980 00:00   docProps/core.xml
> ---------                     -------
>    196649                     14 files
>
> "Normal" .docx files do not have the oleObject1.bin as an archive member. I do
> have ScanOLE2 and OLE2BlockMacros enabled. So why isn't clamav detecting this
> oleObject1.bin member?
>
> (To where should I submit a sample of this attachment?)
>
> --Mark
>
> -----Original Message-----
> From: Mark Foley <mfo...@novatec-inc.com>
> Date: Wed, 15 Nov 2017 13:18:23 -0500
> Organization: Novatec Software Engineering, LLC
> To: clamav-users@lists.clamav.net
>
> I'm having this same issue. The problem as I see it is that the .doc attached to
> these "Invoice" messages is encrypted and clamav does not see what's inside. I'm
> discussing this encrypted attachment issue in my thread, subject: "password
> protected encrypted .docx files". I'm continuing to research this.
>
> --Mark
>
> On Wed, 15 Nov 2017 15:09:59 -0300 Emanuel <emanuel.gonza...@donweb.com> wrote:
>
> > Other virus not detected
> >
> > https://www.virustotal.com/#/file/6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd/detection
> >
> > On 14/11/17 at 09:52, Emanuel wrote:
> > > Scan the attachment; clamav does not detect this file.
> > >
> > > On 14/11/17 at 09:51, Al Varnell wrote:
> > >> You mentioned two attachments. Kaspersky and ClamXAV appear to catch
> > >> the first one, but neither catch the second one you showed us. The
> > >> SHA256 for a file is the same no matter what scanner is used.
> > >>
> > >> -Al-
> > >>
> > >> On Tue, Nov 14, 2017 at 04:36 AM, Emanuel wrote:
> > >>> The first scan is with Kaspersky online.
> > >>>
> > >>> On 14/11/17 at 09:31, Al Varnell wrote:
> > >>>> That's not the same file you showed before. The SHA256 is different.
> > >>>>
> > >>>> -Al-
> > >>>>
> > >>>> On Tue, Nov 14, 2017 at 04:23 AM, Emanuel wrote:
> > >>>>> Please see
> > >>>>>
> > >>>>> https://www.virustotal.com/es-ar/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/1510662252/
> > >>>>>
> > >>>>> On 14/11/17 at 09:00, Al Varnell wrote:
> > >>>>>> According to VirusTotal, ClamAV does detect it as
> > >>>>>> Doc.Dropper.Agent-6369707-0
> > >>>>>> <https://www.virustotal.com/en/file/142a177f214671f7abd22f9e545595bf56a8116763bb7e9de7368aa1b2d381bf/analysis/>
> > >>>>>> but go ahead and try to submit it anyway.
> > >>>>>>
> > >>>>>> -Al-
> > >>>>>>
> > >>>>>> On Tue, Nov 14, 2017 at 03:33 AM, Emanuel wrote:
> > >>>>>>> Hello,
> > >>>>>>>
> > >>>>>>> I received two doc files in an email with the Subject "Invoice".
> > >>>>>>> The attachment is a malware virus; clamav did not detect this.
> > >>>>>>>
> > >>>>>>> Scan with Kaspersky
> > >>>>>>>
> > >>>>>>> Scan result: File is infected
> > >>>>>>> Detected threats: Trojan-Downloader.MSWord.Agent.bqx
> > >>>>>>> File size: 144.95 KB
> > >>>>>>> File type: OOXML/DOCUMENT
> > >>>>>>> Scan date: Nov 14 2017 08:15:42
> > >>>>>>> Databases release date: Nov 14 2017 10:36:04 UTC
> > >>>>>>> MD5: 70bdc39f8f57e090bebc4616924cdadc
> > >>>>>>> SHA1: ecf414f8523627a0d5d6637041f6e1e3bbcee62e
> > >>>>>>> SHA256: 142a177f214671f7abd22f9e545595bf56a8116763bb7e9de7368aa1b2d381bf
> > >>>>>>>
> > >>>>>>> Is it possible to add this virus manually to the clamav database?
> > >>>>
> > >>>> _______________________________________________
> > >>>> clamav-users mailing list
> > >>>> clamav-users@lists.clamav.net
> > >>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> > >>>>
> > >>>> Help us build a comprehensive ClamAV guide:
> > >>>> https://github.com/vrtadmin/clamav-faq
> > >>>>
> > >>>> http://www.clamav.net/contact.html#ml
> >
> > --
> > envialosimple.com
> > Emanuel Gonzalez
> > Deliverability Specialist
> > emanuel.gonza...@donweb.com
> > www.envialosimple.com
> > by donweb
> >
> > Confidentiality Note: This message and any attachments (the message) are
> > confidential and intended solely for the addressees. Any unauthorised
> > use or dissemination is prohibited by DonWeb.com.
> > DonWeb.com shall not be liable for the message if altered or falsified.
> > If you are not the intended addressee of this message, please cancel it
> > immediately and inform the sender.
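Mark's unzip listing and his earlier note about encrypted attachments point at two distinct cases a mail filter has to tell apart: a zip-based .docx (renamed .doc) that carries word/embeddings/oleObject1.bin, and a password-protected .docx, which is not a zip at all but an OLE compound file whose payload a zip-based scan cannot see. The following triage check is an added example written for this thread, not code from the list or from ClamAV; it uses only the Python standard library, and the sample documents it builds are constructed in place.

```python
import io
import zipfile

# OLE Compound File header: legacy .doc, and also the container that a
# password-protected .docx is saved in, so a zip-aware scan sees nothing inside.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
EMBED_PREFIX = "word/embeddings/"

def classify_word_attachment(data: bytes) -> dict:
    """Report what the bytes really are, whatever the extension claims:
    kind is 'cfb', 'ooxml', 'zip' or 'other'; embedded lists word/embeddings/*."""
    if data.startswith(OLE_MAGIC):
        return {"kind": "cfb", "embedded": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return {"kind": "other", "embedded": []}
    is_docx = "[Content_Types].xml" in names and "word/document.xml" in names
    embedded = [n for n in names if n.startswith(EMBED_PREFIX)]
    return {"kind": "ooxml" if is_docx else "zip", "embedded": embedded}

def triage(data: bytes) -> str:
    """Mail-filter verdict: 'embedded-ole' for a .docx carrying an OLE object
    (the oleObject1.bin case); 'opaque-container' for a compound file, i.e. a
    legacy .doc or an encrypted .docx whose payload a zip-based scan cannot see."""
    info = classify_word_attachment(data)
    if info["embedded"]:
        return "embedded-ole"
    if info["kind"] == "cfb":
        return "opaque-container"
    return "clean" if info["kind"] == "ooxml" else "not-a-document"

def make_sample_docx(with_ole: bool) -> bytes:
    """Constructed sample: a minimal docx-shaped zip, optionally carrying the
    word/embeddings/oleObject1.bin member seen in the unzip listing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_ole:
            zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\0" * 8)
    return buf.getvalue()

if __name__ == "__main__":
    samples = {"clean": make_sample_docx(False), "dropper-like": make_sample_docx(True),
               "encrypted-or-legacy": OLE_MAGIC + b"\0" * 504, "text": b"not a doc"}
    for label, blob in samples.items():
        print(f"{label}: {triage(blob)}")
```

An 'opaque-container' verdict is the signal to route the attachment to a scanner with OLE2 support (or to quarantine it if it is encrypted), since the zip-level inspection that spots oleObject1.bin has nothing to work with there.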