Yes, both those signatures were added in daily - 24045 last night (my time).
-Al-

On Wed, Nov 15, 2017 at 01:14 PM, Mark Foley wrote:
>
> Actually, the clamscanner is now finding these files, so someone must have
> updated something since yesterday (which is when these files came in):
>
> /home/HPRS/matkeson/Maildir/.SENT/cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S: Doc.Dropper.Agent-6374331-0 FOUND
> /home/HPRS/matkeson/Maildir/.SENT/cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S!MAIL:InvoiceETT3600920.doc!...!(3)ZIP:docProps/core.xml: Doc.Dropper.Agent-6374331-0 FOUND
>
> I'll go ahead and submit my file anyway, in case this is something different.
>
> --Mark
>
>> -----Original Message-----
>> From: Steven Morgan <smor...@sourcefire.com>
>> Date: Wed, 15 Nov 2017 15:50:31 -0500
>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>> Subject: Re: [clamav-users] Virus Malvare not detected
>>
>> Mark,
>>
>> Please open a bug report about this issue at bugzilla.clamav.net. Please
>> include your file and we can look into the issues.
>>
>> Thanks,
>> Steve
>>
>> On Wed, Nov 15, 2017 at 2:45 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
>>
>>> I'm going to continue piggybacking onto this thread as it deals with
>>> Clamav's non-discovery of the malware attached to messages with the
>>> subject "Invoice ...". Although, I don't know if this is the same type of
>>> attachment.
>>>
>>> The attachments I've been getting are .docx files named as .doc files.
>>> In examining the contents of these archives I find:
>>>
>>> $ unzip -l InvoiceZGC3020188.doc
>>> Archive:  InvoiceZGC3020188.doc
>>>   Length      Date    Time    Name
>>> ---------  ---------- -----   ----
>>>      1510  01-01-1980 00:00   [Content_Types].xml
>>>       590  01-01-1980 00:00   _rels/.rels
>>>      1226  01-01-1980 00:00   word/_rels/document.xml.rels
>>>      5097  01-01-1980 00:00   word/document.xml
>>>      5424  01-01-1980 00:00   word/media/image1.emf
>>>    132276  01-01-1980 00:00   word/media/image2.png
>>>      6850  01-01-1980 00:00   word/theme/theme1.xml
>>>      6144  01-01-1980 00:00   word/embeddings/oleObject1.bin
>>>      4809  01-01-1980 00:00   word/settings.xml
>>>      1299  01-01-1980 00:00   word/fontTable.xml
>>>       576  01-01-1980 00:00   word/webSettings.xml
>>>       995  01-01-1980 00:00   docProps/app.xml
>>>     29121  01-01-1980 00:00   word/styles.xml
>>>       732  01-01-1980 00:00   docProps/core.xml
>>> ---------                     -------
>>>    196649                     14 files
>>>
>>> "Normal" .docx files do not have the oleObject1.bin as an archive member.
>>> I do have ScanOLE2 and OLE2BlockMacros enabled. So why isn't clamav
>>> detecting this oleObject1.bin member?
>>>
>>> (To where should I submit a sample of this attachment?)
>>>
>>> --Mark
>>>
>>> -----Original Message-----
>>> From: Mark Foley <mfo...@novatec-inc.com>
>>> Date: Wed, 15 Nov 2017 13:18:23 -0500
>>> Organization: Novatec Software Engineering, LLC
>>> To: clamav-users@lists.clamav.net
>>>
>>> I'm having this same issue. The problem as I see it is that the .doc
>>> attached to these "Invoice" messages is encrypted and clamav does not see
>>> what's inside. I'm discussing this encrypted attachment issue in my
>>> thread, subject: "password protected encrypted .docx files". I'm
>>> continuing to research this.
>>>
>>> --Mark
>>>
>>> On Wed, 15 Nov 2017 15:09:59 -0300 Emanuel <emanuel.gonza...@donweb.com> wrote:
>>>
>>>> Other virus not detected
>>>>
>>>> https://www.virustotal.com/#/file/6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd/detection
>>>>
>>>> On 14/11/17 at 09:52, Emanuel wrote:
>>>>> Scan the attachment; clamav does not detect this file.
>>>>>
>>>>> On 14/11/17 at 09:51, Al Varnell wrote:
>>>>>> You mentioned two attachments. Kaspersky and ClamXAV appear to catch
>>>>>> the first one, but neither catch the second one you showed us. The
>>>>>> SHA256 for a file is the same no matter what scanner is used.
>>>>>>
>>>>>> -Al-
>>>>>>
>>>>>> On Tue, Nov 14, 2017 at 04:36 AM, Emanuel wrote:
>>>>>>> the first scan is with kaspersky online
>>>>>>>
>>>>>>> On 14/11/17 at 09:31, Al Varnell wrote:
>>>>>>>> That's not the same file you showed before. The SHA256 is different.
>>>>>>>>
>>>>>>>> -Al-
>>>>>>>>
>>>>>>>> On Tue, Nov 14, 2017 at 04:23 AM, Emanuel wrote:
>>>>>>>>> Please see
>>>>>>>>>
>>>>>>>>> https://www.virustotal.com/es-ar/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/1510662252/
>>>>>>>>>
>>>>>>>>> On 14/11/17 at 09:00, Al Varnell wrote:
>>>>>>>>>> According to VirusTotal, ClamAV does detect it as
>>>>>>>>>> Doc.Dropper.Agent-6369707-0
>>>>>>>>>> https://www.virustotal.com/en/file/142a177f214671f7abd22f9e545595bf56a8116763bb7e9de7368aa1b2d381bf/analysis/
>>>>>>>>>>
>>>>>>>>>> but go ahead and try to submit it anyway.
>>>>>>>>>>
>>>>>>>>>> -Al-
>>>>>>>>>>
>>>>>>>>>> On Tue, Nov 14, 2017 at 03:33 AM, Emanuel wrote:
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> I received two doc files in an email with the Subject "Invoice".
>>>>>>>>>>> The attachment is a malware virus; clamav did not detect this.
>>>>>>>>>>>
>>>>>>>>>>> Scan with kaspersky
>>>>>>>>>>>
>>>>>>>>>>> Scan result: File is infected
>>>>>>>>>>> Detected threats: Trojan-Downloader.MSWord.Agent.bqx
>>>>>>>>>>> File size: 144.95 KB
>>>>>>>>>>> File type: OOXML/DOCUMENT
>>>>>>>>>>> Scan date: Nov 14 2017 08:15:42
>>>>>>>>>>> Databases release date: Nov 14 2017 10:36:04 UTC
>>>>>>>>>>> MD5: 70bdc39f8f57e090bebc4616924cdadc
>>>>>>>>>>> SHA1: ecf414f8523627a0d5d6637041f6e1e3bbcee62e
>>>>>>>>>>> SHA256: 142a177f214671f7abd22f9e545595bf56a8116763bb7e9de7368aa1b2d381bf
>>>>>>>>>>>
>>>>>>>>>>> Is it possible to add this virus manually to the clamav database?
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> clamav-users mailing list
>>>>>>>> clamav-users@lists.clamav.net
>>>>>>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>>>>>>
>>>>>>>> Help us build a comprehensive ClamAV guide:
>>>>>>>> https://github.com/vrtadmin/clamav-faq
>>>>>>>>
>>>>>>>> http://www.clamav.net/contact.html#ml
>>>>>>
>>>>>> -Al-
>>>>
>>>> --
>>>> envialosimple.com
>>>> Emanuel Gonzalez
>>>> Deliverability Specialist
>>>> emanuel.gonza...@donweb.com
>>>> www.envialosimple.com
>>>> by donweb
>>>>
>>>> Confidentiality Note: This message and any attachments (the message) are
>>>> confidential and intended solely for the addressees. Any unauthorised
>>>> use or dissemination is prohibited by DonWeb.com.
>>>> DonWeb.com shall not be liable for the message if altered or falsified.
>>>> If you are not the intended addressee of this message, please cancel it
>>>> immediately and inform the sender.
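The `unzip -l` check Mark posted above (a ".doc" that is really an OOXML ZIP carrying `word/embeddings/oleObject1.bin`) and his separate point about password-protected attachments both come down to two questions a mail admin can answer before a sample reaches the scanner: does the container type match the extension, and does the package carry members a plain text document would not? The script below is an added example written for this thread; it is not code from the thread's participants or from ClamAV. It classifies a blob by magic bytes (ZIP for OOXML, the OLE2/CFB signature for legacy binary Word and also for OOXML that Office has password-protected, since that is stored as an OLE2 wrapper around an `EncryptedPackage` stream), flags an extension/container mismatch, and lists OOXML members under prefixes an ordinary document does not use. The function names, the `SUSPICIOUS_PREFIXES` list and the sample files are my own constructions and assumptions, not anything the thread or ClamAV defines.

```python
"""
Triage helper for Office attachments (added example, not from the thread or
from ClamAV). Sample inputs are constructed in memory; no real sample is used.
"""
import io
import zipfile
from typing import Dict, List

# Magic bytes, checked instead of trusting the file extension.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # CFB: legacy .doc, or an encrypted OOXML wrapper
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx) is a ZIP container

# Member prefixes that an ordinary text-only .docx does not carry.
# Assumption: this is a starting list for triage, not an exhaustive one.
SUSPICIOUS_PREFIXES = ("word/embeddings/", "word/vbaProject", "word/activeX/")


def container_type(data: bytes) -> str:
    """Classify the blob by its leading bytes: 'ooxml-zip', 'ole2' or 'unknown'."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    return "unknown"


def suspicious_members(data: bytes) -> List[str]:
    """List OOXML members under SUSPICIOUS_PREFIXES; empty for non-ZIP input."""
    if container_type(data) != "ooxml-zip":
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [name for name in zf.namelist() if name.startswith(SUSPICIOUS_PREFIXES)]


def triage(filename: str, data: bytes) -> dict:
    """Return a small verdict: container, extension mismatch, odd members, overall flag."""
    kind = container_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # ".doc" that is really a ZIP (the case in the thread), or ".docx" that is
    # really an OLE2 container (legacy binary Word or a password-protected OOXML).
    mismatch = (ext == "doc" and kind == "ooxml-zip") or (ext == "docx" and kind == "ole2")
    members = suspicious_members(data)
    return {
        "container": kind,
        "extension_mismatch": mismatch,
        "suspicious_members": members,
        "flag": mismatch or bool(members),
    }


def build_docx(extra_members: Dict[str, bytes]) -> bytes:
    """Constructed sample: a minimal OOXML-style ZIP with the given extra members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, payload in extra_members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a plain document, one with an embedded OLE object, and
# a blob that only carries the OLE2 header (stands in for a CFB file).
CLEAN_DOCX = build_docx({})
EMBED_DOCX = build_docx({"word/embeddings/oleObject1.bin": b"\x00" * 16})
FAKE_OLE2 = OLE2_MAGIC + b"\x00" * 24


if __name__ == "__main__":
    for name, blob in [("report.docx", CLEAN_DOCX),
                       ("InvoiceSAMPLE.doc", EMBED_DOCX),
                       ("notes.docx", FAKE_OLE2)]:
        print(name, triage(name, blob))
```

Run against a real attachment, `triage(path, open(path, "rb").read())` gives the "doc but really ZIP, with word/embeddings/oleObject1.bin" verdict for the case in the thread; an "ole2" result for a file named .docx is the signal that the attachment may be password-protected and therefore opaque to content scanning until it is decrypted.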