Re: [clamav-users] FP: CloudCompare-2.5.0.dmg

2014-04-08 Thread Al Varnell

On Tue, Apr 08, 2014 at 06:38 PM, Gene Heskett wrote:
 
 On Tuesday 08 April 2014 21:36:21 Gene Heskett did opine:
 
 On Tuesday 08 April 2014 21:08:34 Al Varnell did opine:
 A ClamXav user contacted me today that the software he developed,
 packaged and posted as a .dmg image file had been falsely identified
 as Osx.Trojan.Genieo. I believe he had already submitted it to you a
 few days ago, but I took the time to verify and upload it again just
 to be certain. The file name is CloudCompare-2.5.0.dmg with
 MD5=b26d6ac32713795bcdb5f36bb52607a1.
 
 This is one of several .dmg files that have been found recently that
 were falsely identified as an infection where the signature is based on
 patterns found in an XML section of the .dmg. I believe this section
 to be overhead information associated with the .dmg itself, unrelated
 to the contents of the mounted image. In examining the XML I notice
 that they are all very similar in both format and content,
 prominently filled with the letter “A”. I believe all the signatures
 to have been produced by the new automated system used with OSX
 samples a couple of months ago. It’s probably too early to conclude
 that the automated process is inadequate to handle .dmg files, but
 suggest that it be looked at. Signature writing is not something I
 can claim any experience with, just an observation on my part.
 
 
 -Al-
 
 I believe this to be an FP, my daily run identified that as being part
 of both the 1.3.8 and 1.4.0 versions of rkhunter.tar.gz.  Those 2
 archives have been sitting on my drive for yonks/years, but this
 morning is the first time it was triggered.

The CloudCompare issue was apparently cleared up this afternoon by the removal 
of that signature from the ClamAV® database.

 I was mistaken because the names were so similar, it was:
 /home/gene/Download/rkhunter-1.4.0.tar.gz: Osx.Worm.Inqtana-3 FOUND
 
 which was also reported for the tarball.gz of 1.3.8 in that same directory

I see why. rkhunter has tests for OSX Inqtana and Variants A & B look for the 
same two ASCII strings as the ClamAV® signature you mentioned.
I’m going to obfuscate them slightly to prevent this message from being 
identified, but they are:
worms.love.apples
worm-support

Just substitute “0” for “o” in worm.

-Al-
-- 
Al Varnell
Mountain View, CA

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml

Re: [clamav-users] Block all EXE/SRC or MS-EXE/DLL file

2014-04-08 Thread Carl Brewer

On 13/02/2014 8:48 PM, Sim wrote:

Hello!
In the last weeks/months, unrecognized viruses are increasing exponentially
(not only for Clamav but for all antivirus).
My idea is to block all EXE/SRC (also into ZIP/RAR).
Executing clamscan --debug filename I can see:

- LibClamAV debug: Recognized MS-EXE/DLL file
- Section contains executable code

Which is the best solution/way to block all EXE/executable files?


If it's on a mail server, why not use the MTA to block it?


Re: [clamav-users] Block all EXE/SRC or MS-EXE/DLL file

2014-04-08 Thread Vincent Fox

On 4/8/2014 8:12 PM, Carl Brewer wrote:

On 13/02/2014 8:48 PM, Sim wrote:

Hello!
In the last weeks/months, unrecognized viruses are increasing exponentially
(not only for Clamav but for all antivirus).
My idea is to block all EXE/SRC (also into ZIP/RAR).
Executing clamscan --debug filename I can see:

- LibClamAV debug: Recognized MS-EXE/DLL file
- Section contains executable code

Which is the best solution/way to block all EXE/executable files?


If it's on a mail server, why not use the MTA to block it?

We use the signature database Foxhole_all.
After a ransomware (Cryptolocker) outbreak unfortunately.
That covers most dangerous types inside ZIP, RAR.
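As an added example, not code from this thread, from ClamAV or from the Foxhole signature set: a content-based check that a mail-side filter could apply to attachments, flagging MS-EXE/DLL files by their MZ/PE header rather than by file name and descending into ZIP archives, as the question asks. RAR is not handled here; the function names and the sample bytes are constructed for illustration.

```python
import io
import struct
import zipfile

# A PE executable starts with the DOS magic "MZ"; the 4-byte offset at 0x3C
# (e_lfanew) points to the "PE\0\0" signature of the real header.
DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"

def is_pe(data: bytes) -> bool:
    """Content-based check for an MS-EXE/DLL image, independent of file name."""
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_MAGIC

def find_executables(name, data, depth=0, max_depth=3):
    """Return paths of PE files in `data`, recursing into ZIP archives.
    max_depth bounds nested archives so a recursive zip cannot loop forever."""
    if is_pe(data):
        return [name]
    hits = []
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    hits += find_executables(f"{name}/{info.filename}",
                                             zf.read(info), depth + 1, max_depth)
    return hits

def fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: MZ header, e_lfanew=0x40, then PE\\0\\0."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40 bytes of DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + PE_MAGIC + b"\0" * 20

def sample_zip() -> bytes:
    """Constructed ZIP: an executable renamed to .txt beside a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", fake_pe())
        zf.writestr("readme.txt", b"just text")
    return buf.getvalue()

if __name__ == "__main__":
    print(find_executables("attachment.zip", sample_zip()))
```

A filter built on this would reject or quarantine the message when the returned list is non-empty, regardless of the extension the sender chose.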