Hello, I've tried to find an answer on clamav-users but still got no reply on that mailing list.
I'm forwarding my message to this list and hope someone can help me find what the problem is.

---------- Forwarded message ----------
From: Konstantin
Date: Thu, Mar 24, 2016 at 11:29 PM
Subject: Unexpected behaviour
To: clamav-us...@lists.clamav.net

Hello

I have 2 Gentoo based SMTP servers. Both hosts have the same packages installed with the same USE flags. I'm using clamav-0.98.7 with amavisd. Output from clamconf is attached to this message. ClamAV settings and signature files are equal.

I have a custom signature

    e350ca9b3b6ddbdabd3845a66f755f22122b8eb5ed79b9d19bd87e34e4aa5008:340992:Trojan.DNC4

for this doc file: https://malwr.com/analysis/ZTdiYjRiMDZlNzEyNDUwZmI3OTdiYjg4NTYxMDMyNmM/

Both hosts found the malware in this file with the clamscan command. No problem in this case.

Here is the problem I have. When a message is scanned with clamd, only host1 detects the trojan with the custom signature.

host1:

    echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat - "UNIX-CONNECT:/var/run/clamav/clamd.sock"
    /tmp/feb_invoice_1426277.doc: Trojan_Generic.DNC4.UNOFFICIAL FOUND

host2 detects it as Heuristics.OLE2.ContainsMacros:

    echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat - "UNIX-CONNECT:/var/run/clamav/clamd.sock"
    /tmp/feb_invoice_1426277.doc: Heuristics.OLE2.ContainsMacros FOUND

Another interesting thing is that host1 detected that trojan not by the signature with size 340992 (the original doc file). I suppose that a PE32 file inside that .doc file was detected with this signature:

    c3DNC406e57af90685a7002f7ea63340a1e7d3a1ed3805e7ec8b0909865b57bd6c:126976:Trojan_Generic.DNC4

Can you guys please explain how this happened and what the difference between these 2 hosts can be? I expect that if a signature is found then Heuristics results should not appear.

Thank you.

--
This message was delivered using 100% recycled electrons.
Checking configuration files in /etc

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamd.log"
StatsHostID disabled
StatsEnabled disabled
StatsPEDisabled disabled
StatsTimeout disabled
LogFileUnlock disabled
LogFileMaxSize = "10485760"
LogTime = "yes"
LogClean disabled
LogSyslog = "yes"
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate disabled
ExtendedDetectionInfo disabled
PidFile = "/var/run/clamav/clamd.pid"
TemporaryDirectory disabled
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/var/run/clamav/clamd.sock"
LocalSocketGroup disabled
LocalSocketMode disabled
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "30"
StreamMaxLength = "26214400"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "50"
ReadTimeout = "300"
CommandReadTimeout = "5"
SendBufTimeout = "500"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "600"
DisableCache disabled
VirusEvent disabled
ExitOnOOM disabled
AllowAllMatchScan = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamav"
AllowSupplementaryGroups = "yes"
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "5000"
BytecodeUnsigned disabled
BytecodeMode = "Auto"
DetectPUA = "yes"
ExcludePUA = "PWTool", "Spam"
IncludePUA disabled
AlgorithmicDetection = "yes"
ScanPE = "yes"
ScanELF = "yes"
DetectBrokenExecutables = "yes"
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
PhishingAlwaysBlockCloak disabled
PhishingAlwaysBlockSSLMismatch disabled
PartitionIntersection disabled
HeuristicScanPrecedence = "yes"
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
OLE2BlockMacros = "yes"
ScanPDF = "yes"
ScanSWF = "yes"
ScanArchive = "yes"
ArchiveBlockEncrypted disabled
ForceToDisk disabled
MaxScanSize = "104857600"
MaxFileSize = "52428800"
MaxRecursion = "16"
MaxFiles = "10000"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
MaxZipTypeRcg = "1048576"
MaxPartitions = "50"
MaxIconsPE = "100"
ScanOnAccess disabled
OnAccessIncludePath disabled
OnAccessExcludePath disabled
OnAccessExcludeUID disabled
OnAccessMaxFileSize = "5242880"
DevACOnly disabled
DevACDepth disabled
DevPerformance disabled
DevLiblog disabled
DisableCertCheck disabled

Config file: freshclam.conf
---------------------------
StatsHostID disabled
StatsEnabled disabled
StatsTimeout disabled
LogFileMaxSize = "1048576"
LogTime = "yes"
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate disabled
PidFile = "/var/run/clamav/freshclam.pid"
DatabaseDirectory = "/var/lib/clamav"
Foreground disabled
Debug disabled
AllowSupplementaryGroups = "yes"
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseOwner = "clamav"
Checks = "24"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "database.clamav.net"
PrivateMirror disabled
MaxAttempts = "5"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
DatabaseCustomURL disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamd.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "60"
ReceiveTimeout = "60"
SubmitDetectionStats disabled
DetectionStatsCountry disabled
DetectionStatsHostID disabled
SafeBrowsing disabled
Bytecode = "yes"

clamav-milter.conf not found

Software settings
-----------------
Version: 0.98.7
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 ICONV RAR JIT

Database information
--------------------
Database directory: /var/lib/clamav
[3rd Party] javascript.ndb: 37216 sigs
daily.cld: version 21472, sigs: 83894, built on Thu Mar 24 14:24:50 2016
main.cvd: version 57, sigs: 4218790, built on Wed Mar 16 23:17:06 2016
bytecode.cvd: version 275, sigs: 45, built on Mon Mar 14 18:51:14 2016
[3rd Party] securiteinfo.hdb: 1804601 sigs
[3rd Party] securiteinfoascii.hdb: 89692 sigs
[3rd Party] securiteinfohtml.hdb: 49224 sigs
[3rd Party] custom-sigs.hdb: 1603 sigs
Total number of signatures: 6285065

Platform information
--------------------
uname: Linux 4.1.12-gentoo #1 SMP Fri Jan 8 14:56:47 UTC 2016 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.8 (1.2.8), compile flags: a9
Triple: x86_64-pc-linux-gnu
CPU: i686, Little-endian

Build information
-----------------
GNU C: 4.9.3 (4.9.3)
GNU C++: 4.9.3 (4.9.3)
CPPFLAGS:
CFLAGS: -O2 -pipe -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
CXXFLAGS: -O2 -pipe
LDFLAGS: -Wl,-O1 -Wl,--as-needed
Configure: '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--disable-dependency-tracking' '--disable-silent-rules' '--libdir=/usr/lib64' '--disable-experimental' '--disable-fanotify' '--enable-id-check' '--with-dbdir=/var/lib/clamav' '--with-system-tommath' '--with-zlib=/usr' '--enable-bzip2' '--disable-clamdtop' '--disable-ipv6' '--disable-milter' '--disable-static' '--with-iconv' '--without-libjson' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-O2 -pipe' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
sizeof(void*) = 8
Engine flevel: 80, dconf: 80
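The post above uses two pieces of ClamAV plumbing without spelling them out: the `.hdb` hash-signature line (`<hash>:<file size>:<name>`, where the file must match on both hash and size) and the clamd `CONTSCAN` request/reply exchange over the UNIX socket that the `socat` one-liners drive. The following is an added example, not code from the post or from the ClamAV project: it builds an `.hdb` line from a constructed sample, then runs the same `CONTSCAN` exchange against a minimal stand-in daemon listening on a temporary socket so the whole thing runs offline. The stand-in only does sha256-plus-size lookup (no heuristics, no embedded-file extraction) and appends `.UNOFFICIAL` to the name, as clamd does for signatures loaded from non-official databases; the sample bytes, file names and the `Trojan.DNC4` label are assumptions made up for the demo.

```python
# Added example (not from the original post or from ClamAV): .hdb line
# construction plus a clamd CONTSCAN client, exercised against a tiny fake
# clamd on a temporary UNIX socket. The real daemon speaks the same lines.
import hashlib
import os
import socket
import tempfile
import threading


def hdb_entry(data: bytes, name: str) -> str:
    """Return a ClamAV .hdb line: <sha256 hex>:<size in bytes>:<name>."""
    return f"{hashlib.sha256(data).hexdigest()}:{len(data)}:{name}"


def load_hdb(lines):
    """Index .hdb lines by (sha256, size); both must match, as in clamd."""
    db = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(":", 2)
        db[(digest.lower(), int(size))] = name
    return db


def clamd_contscan(sock_path: str, path: str):
    """Send 'CONTSCAN <path>' and parse '<path>: <name> FOUND' / '<path>: OK' replies."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(f"CONTSCAN {path}\n".encode())
        buf = b""
        while True:  # clamd closes the connection when the scan is done
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    results = []
    for line in buf.decode(errors="replace").splitlines():
        if ": " not in line:
            continue
        target, verdict = line.split(": ", 1)
        if verdict.endswith(" FOUND"):
            results.append((target, verdict[: -len(" FOUND")], "FOUND"))
        elif verdict == "OK":
            results.append((target, None, "OK"))
        else:
            results.append((target, verdict, "ERROR"))
    return results


def fake_clamd(sock_path: str, db: dict, ready: threading.Event, stop: threading.Event):
    """Minimal clamd stand-in: hash-and-size lookup only, '.UNOFFICIAL' suffix added."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)
    srv.settimeout(0.2)
    ready.set()
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        with conn:
            req = b""
            while not req.endswith(b"\n"):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                req += chunk
            cmd, _, target = req.decode().strip().partition(" ")
            if cmd != "CONTSCAN":
                conn.sendall(b"UNKNOWN COMMAND\n")
                continue
            try:
                with open(target, "rb") as f:
                    data = f.read()
            except OSError as e:
                conn.sendall(f"{target}: {e.strerror}. ERROR\n".encode())
                continue
            name = db.get((hashlib.sha256(data).hexdigest(), len(data)))
            reply = f"{target}: {name}.UNOFFICIAL FOUND\n" if name else f"{target}: OK\n"
            conn.sendall(reply.encode())
    srv.close()


def run_demo():
    """Sign a constructed sample, then scan it and a near-copy through the fake daemon."""
    sample = b"constructed OLE2 stand-in, not a real document " + bytes(range(256)) * 4
    db = load_hdb([hdb_entry(sample, "Trojan.DNC4"), "# comments are ignored"])
    tmp = tempfile.mkdtemp()
    hit_path = os.path.join(tmp, "feb_invoice.doc")
    miss_path = os.path.join(tmp, "clean.doc")
    with open(hit_path, "wb") as f:
        f.write(sample)
    with open(miss_path, "wb") as f:
        f.write(sample + b"\x00")  # one extra byte: size and hash both stop matching
    sock_path = os.path.join(tmp, "clamd.sock")
    ready, stop = threading.Event(), threading.Event()
    t = threading.Thread(target=fake_clamd, args=(sock_path, db, ready, stop), daemon=True)
    t.start()
    ready.wait(5)
    try:
        return clamd_contscan(sock_path, hit_path), clamd_contscan(sock_path, miss_path)
    finally:
        stop.set()
        t.join()


if __name__ == "__main__":
    hit, miss = run_demo()
    print(hit)   # [('.../feb_invoice.doc', 'Trojan.DNC4.UNOFFICIAL', 'FOUND')]
    print(miss)  # [('.../clean.doc', None, 'OK')]
```

Pointing `clamd_contscan()` at a real `/var/run/clamav/clamd.sock` reproduces the `socat` exchange from the post; the reply parser also accepts clamd's `<path>: <message>. ERROR` form so a missing file or a permission problem on the daemon side is not mistaken for a clean result.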