Hi there,

On Fri, 6 Aug 2021, Christopher Marczewski wrote:

> On 8/5/21 3:12 AM, G.W. Haywood via clamav-users wrote:
> > ...
> > What should I do now?
>
> Ged: The submitted sample for
> SHA256:fc1e483dbb60d49205e3d238b3d090e6cc7a49b775bf4e519aba7117ab3a5b43 did
> not pass our guardrail checks for eligible conviction and signature
> creation. I couldn't find a past run on Jotti matching this hash, either.

Thanks for looking into this.

You don't necessarily get exactly what's sent to Jotti, as what's sent
to you may be just a MIME part.  We only send it to Jotti to check
that what we're about to send to you is indeed malicious.

> When submitting this file to the same service, I receive no alerts from any
> of the endpoint solutions:
> https://virusscan.jotti.org/en-US/filescanjob/wh66zum612
>
> We did notice the filename provided was
> da741cdec6a0db5f40b79cbfbe300761450d216159ea83533d754d7de43cf6a3. Could
> this be the hash for the sample in question?

Yes, but that's mainly a sort of placeholder for the mail log to find
when it was sent and what the scanner thought about it.  Sometimes a
mail triggers a Sanesecurity signature but not a ClamAV one for example
and that gets logged.

> We will need this particular file to be submitted, as we currently
> do not have a record of
> SHA256:da741cdec6a0db5f40b79cbfbe300761450d216159ea83533d754d7de43cf6a3
> being submitted in the past. I also couldn't find the sample myself.

As you'll have guessed we see malicious mail relatively infrequently,
the vast majority of scan triggers are spam, phishing, 419s, etc.  so
handling it isn't a lot of work at this end, which is why I asked what
I should do and not what you were going to do. :)  It's puzzling that
you can't find the sample but I don't think it's worth spending a lot
of your time on it.  The malicious mail will likely turn up again, and
when it does we'll give it special treatment.

I guess the main thing that I've learned from this is that I don't
understand clamsubmit very well.  I've seen very little documentation
and the 'man' page is extremely terse.  Can you direct me to some
explanation of how it all hangs together?  After this maybe we'll
implement something to record exactly what clamsubmit sends; we CC
mail reports to our own abuse address but the clamsubmit reports are
not at present copied anywhere else, so repeating a submission isn't
straightforward at the moment.

--

73,
Ged.
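The thread ends with a submission that neither side can trace: the submitter has no copy of what clamsubmit sent, and the ClamAV side has no record of either hash. One way to close that gap, as an added example that is not part of the thread and not ClamAV's own tooling, is a small wrapper that archives the exact bytes and logs their SHA-256 before clamsubmit ever sees the file. The archive directory SAMPLE_ARCHIVE and the SUBMITTER_NAME/SUBMITTER_EMAIL variables are assumptions; the `-p FILE` (false negative), `-N NAME` and `-E EMAIL` options are as documented in clamsubmit(1), but confirm them with `clamsubmit -h` on your own version.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the ClamAV project):
# keep a local copy of every sample handed to clamsubmit, keyed by SHA-256,
# plus a log line, so a submission can be repeated or matched against a
# hash that comes back in a reply.
#
# Assumptions: SAMPLE_ARCHIVE is a writable directory (hypothetical default
# below), sha256sum(1) is available, and SUBMITTER_NAME / SUBMITTER_EMAIL
# are set in the environment.
: "${SAMPLE_ARCHIVE:=/var/lib/clamsubmit-archive}"

# record_sample FILE
#   Copy FILE to $SAMPLE_ARCHIVE/<sha256>, append a log line, and print the
#   hash on stdout.  Returns non-zero (and prints nothing) if FILE is missing.
record_sample() {
    f=$1
    [ -f "$f" ] || { echo "record_sample: no such file: $f" >&2; return 1; }
    # sha256sum prints "<hash>  <name>"; keep only the hash.
    h=$(sha256sum "$f" | cut -d' ' -f1)
    mkdir -p "$SAMPLE_ARCHIVE"
    # The hash is the filename, so identical bytes are stored once; the
    # first copy is never overwritten.
    [ -e "$SAMPLE_ARCHIVE/$h" ] || cp "$f" "$SAMPLE_ARCHIVE/$h"
    printf '%s sha256=%s orig=%s size=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$h" "$f" "$(wc -c < "$f")" \
        >> "$SAMPLE_ARCHIVE/submissions.log"
    echo "$h"
}

# lookup_sample SHA256
#   Print the log lines for a hash (e.g. one quoted back in a reply);
#   exits non-zero if it was never recorded here.
lookup_sample() {
    grep -F "sha256=$1" "$SAMPLE_ARCHIVE/submissions.log"
}

# submit_sample FILE
#   Archive first, then submit as a false negative (missed malware).
submit_sample() {
    h=$(record_sample "$1") || return 1
    # -p FILE: false-negative submission; -N/-E: submitter name and e-mail
    # (clamsubmit(1); verify with `clamsubmit -h`).
    clamsubmit -p "$1" -N "${SUBMITTER_NAME:?set SUBMITTER_NAME}" \
                       -E "${SUBMITTER_EMAIL:?set SUBMITTER_EMAIL}"
    echo "submitted $1 as sha256 $h (archived copy: $SAMPLE_ARCHIVE/$h)"
}

# Usage: ./clamsubmit-wrapper.sh FILE   or   . ./clamsubmit-wrapper.sh
if [ "$#" -gt 0 ]; then
    submit_sample "$1"
fi
```

Running this from the mail scanner in place of a bare clamsubmit means a later "we have no record of SHA256:..." can be answered from the local log, and the archived copy under that hash is exactly what was submitted, not a re-extracted MIME part that may differ from the original.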

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml