Re: [Clamav-users] Word Vulnerability
On 5/24/06, Kevin W. Gagel [EMAIL PROTECTED] wrote:
> ----- Original Message -----
> Can someone clarify whether (and I'm hoping *grin*) the latest Word vulnerability is detectable by ClamAV? Or better yet, can someone point out what the other AV companies named this type of rootkit/trojan? SANS has this info on it with links to eye and MS sites with more info; I don't see any AV references though.

The diary over the weekend did contain links to various AV vendors' details on it. See: http://isc.sans.org/diary.php?storyid=1346

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he doesn't become a monster. - Friedrich Nietzsche

___
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] XF.Sic.L def is causing tons of false positives
On Tue, 2006-05-23 at 11:36 -0600, Alex Georgopoulos wrote:
> First I would like to say I've submitted files via the web interface with the false positive using the method from the FAQ. I have a bunch of Excel files that won't get through because Clam thinks it has this W97 macro virus. We have had 3 commercial AV vendors analyze this file and they said it is not a macro virus, but I cannot get any response from the Clam devs as to why they think it is one. Anybody out there seeing this too? This is causing a serious issue with our customer and if I can't get any feedback I am going to be forced to abandon the product, which is something I don't want to do.

They aren't false positives. The files contain virus remnants in hidden sheets. They have been incorrectly cleaned by a commercial AV.

You can check this for yourself: if you look, you'll see that the file contains the following string:

Add New Workbook, Infect It, Save It As Book1.

I'd guess it unlikely that a legitimate spreadsheet would try and infect a Workbook.

-trog
[Clamav-users] Warning while update
Hi everybody,

I'm having the following warning in the freshclam.log file on every update I launch:

ARNING: Invalid DNS reply. Falling back to HTTP mode.
main.cvd is up to date (version: 38, sigs: 51206, f-level: 7, builder: tkojm)
daily.cvd is up to date (version: 1479, sigs: 5261, f-level: 8, builder: ccordes)
--------------------------------------
freshclam daemon 0.88.2 (OS: linux-gnu, ARCH: i386, CPU: i386)
ClamAV update process started at Wed May 24 18:40:39 2006
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.
main.cvd is up to date (version: 38, sigs: 51206, f-level: 7, builder: tkojm)
daily.cvd is up to date (version: 1479, sigs: 5261, f-level: 8, builder: ccordes)
--------------------------------------
freshclam daemon 0.88.2 (OS: linux-gnu, ARCH: i386, CPU: i386)
ClamAV update process started at Wed May 24 18:52:12 2006
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.
main.cvd is up to date (version: 38, sigs: 51206, f-level: 7, builder: tkojm)
daily.cvd is up to date (version: 1479, sigs: 5261, f-level: 8, builder: ccordes)
--------------------------------------

I'm quite worried about that, because the FAQ says to ignore it if it happens only once, but when it happens often what should I do? I use my ISP's DNS servers, so no DNS caching or anything like that. Please ask me; this is a proxy SMTP production server.

Thank you

Egoitz Aurrekoetxea
Technical Dept.
Infobiok C.B.
94 - 674 37 21
Re: [Clamav-users] XF.Sic.L def is causing tons of false positives
Alex Georgopoulos wrote:
> First I would like to say I've submitted files via the web interface with the false positive using the method from the FAQ. I have a bunch of Excel files that won't get through because Clam thinks it has this W97 macro virus. We have had 3 commercial AV vendors analyze this file and they said it is not a macro virus, but I cannot get any response from the Clam devs as to why they think it is one. Anybody out there seeing this too? This is causing a serious issue with our customer and if I can't get any feedback I am going to be forced to abandon the product, which is something I don't want to do.

Hello Alex,

The file you've submitted was likely badly cleaned by some AV software. I can confirm the file itself doesn't contain any active malicious code, but, due to the partial cleaning, some parts of it are still inside it. You can check that yourself through a simple:

strings FILENAME.xls | grep '^\*\*'

Also, yours was the first false positive report in more than one year. Sorry, but to me it makes no sense to remove such a signature.

Regards,
-aCaB
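The check Trog and aCaB describe (look at the text left inside the workbook instead of trusting a commercial cleaner's verdict) as an added Python example; this is not code from the thread or from ClamAV. It reimplements the `strings` heuristic (printable runs of at least four bytes, the utility's default), then flags runs that begin with `**` (what the grep above keys on) or contain the remnant string quoted on this thread. The `SAMPLE` bytes are constructed here to stand in for a partially cleaned spreadsheet.

```python
import re
from typing import List, Tuple

# Printable-ASCII runs of at least MIN_LEN bytes: the same heuristic the
# Unix `strings` utility applies by default (minimum run length 4).
MIN_LEN = 4
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Macro-source fragments that point at an incompletely cleaned infection.
# The one below is the string Trog quotes; add others as they turn up.
REMNANT_MARKERS = (
    b"Add New Workbook, Infect It, Save It As Book1",
)


def extract_strings(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, run) pairs for every printable run in `data`,
    roughly what `strings -t d` prints."""
    return [(m.start(), m.group()) for m in _PRINTABLE_RUN.finditer(data)]


def find_remnants(data: bytes) -> List[Tuple[int, bytes]]:
    """Keep only runs that start with '**' (aCaB's grep '^\\*\\*') or that
    contain one of the known remnant markers."""
    hits = []
    for offset, run in extract_strings(data):
        if run.startswith(b"**") or any(marker in run for marker in REMNANT_MARKERS):
            hits.append((offset, run))
    return hits


def scan_file(path: str) -> List[Tuple[int, bytes]]:
    """Convenience wrapper: run find_remnants over a file on disk."""
    with open(path, "rb") as fh:
        return find_remnants(fh.read())


# Constructed sample (not a real file): an OLE-style header, some binary
# filler, a harmless cell string, then a leftover macro comment such as a
# hidden sheet of a badly cleaned workbook might still carry.
SAMPLE = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
    + b"Quarterly totals" + b"\x00\x01\x02"
    + b"** Add New Workbook, Infect It, Save It As Book1" + b"\xff" * 8
)

if __name__ == "__main__":
    for offset, run in find_remnants(SAMPLE):
        print("%8d  %s" % (offset, run.decode("ascii")))
```

Only the flagged run is reported; the ordinary cell text is extracted by `extract_strings` but passes `find_remnants` untouched, which is the distinction the signature makes too.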
Re: [Clamav-users] XF.Sic.L def is causing tons of false positives
Trog wrote:
> I'd guess it unlikely that a legitimate spreadsheet would try and infect a Workbook.
> -trog

Sorry Trog,
Didn't notice you had already replied.
Re: [Clamav-users] XF.Sic.L def is causing tons of false positives
On 5/24/06, aCaB [EMAIL PROTECTED] wrote:
> Trog wrote:
>> I'd guess it unlikely that a legitimate spreadsheet would try and infect a Workbook.
>> -trog
> Sorry Trog,
> Didn't notice you had already replied.

I needed something to bring back to the customer and that will do it. It doesn't surprise me the commercial AV guys missed it. This will hopefully make our customer be more wary of trusting commercial AV and realize that Clam is better :)

Thanks for all your help!
Re: [Clamav-users] Warning while update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, May 24, 2006 at 11:33:31AM +0200, Egoitz Aurrekoetxea wrote:
> I'm quite worried about that, because the FAQ says to ignore it if it happens only once, but when it happens often what should I do? I use my ISP's DNS servers, so no DNS caching or anything like that.

One of two things is probably happening:

1) The particular DNS server this DNS request is going to has stale information. For example, the process that transfers the zone information is failing or is being blocked. There is nothing that you can do about this particular case.

2) Your ISP is caching the replies for a period of time longer than the zone record says it should be. Non-compliant DNS servers do this; I have no way of knowing what DNS server your ISP runs. Again, there is nothing that you can do about this particular case.

If you want to fix this, you need to experiment and try a few things:

1) Use a different name server than your ISP's.

2) Run a local caching-only name server. By default it will go to the root servers instead of through your ISP's name servers. Just make sure to change /etc/resolv.conf so that it uses 127.0.0.1 instead of your ISP's name servers.

Good luck!

- --
Regards...      Todd
We should not be building surveillance technology into standards. Law enforcement was not supposed to be easy. Where it is easy, it's called a police state. -- Jeff Schiller on NANOG
Linux kernel 2.6.12-18mdksmp   2 users, load average: 0.09, 0.12, 0.11

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEdMAjY2VBGxIDMLwRAsMwAJ9m1oBlNB1JhPeehXvv0QhEGmKmiwCghWiH
v1S2ojfEx+1PM0eimhrfodA=
=axvj
-----END PGP SIGNATURE-----
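Todd's two causes can be told apart by asking more than one resolver for the same record and comparing the publication timestamps, which is what the added Python below does; it is an illustration written for this page, not freshclam's own code. The record name current.cvd.clamav.net and the database versions (main 38, daily 1479) appear elsewhere on this page; the colon-separated field layout assumed here (tool version, main.cvd version, daily.cvd version, publication time) and the three-hour threshold are modelled on the freshclam 0.88 behaviour visible in the quoted log and should be treated as assumptions, and both TXT answers are constructed.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional

# freshclam logs "DNS record is older than 3 hours" and falls back to HTTP
# when the record's publication time is further in the past than this.
STALE_AFTER_SECONDS = 3 * 3600


@dataclass
class DbRecord:
    tool_version: str    # ClamAV release the record was built for
    main_version: int    # current main.cvd version
    daily_version: int   # current daily.cvd version
    published: int       # Unix time the record was generated


def parse_txt_record(txt: str) -> DbRecord:
    """Parse a current.cvd.clamav.net-style TXT answer.

    Field order (version:main:daily:timestamp:...) is an assumption about
    the freshclam 0.88 format; trailing fields are ignored."""
    fields = txt.strip().strip('"').split(":")
    if len(fields) < 4:
        raise ValueError("expected at least 4 colon-separated fields, got %d" % len(fields))
    return DbRecord(fields[0], int(fields[1]), int(fields[2]), int(fields[3]))


def record_age(rec: DbRecord, now: Optional[int] = None) -> int:
    """Seconds between the record's publication time and `now`."""
    now = int(time.time()) if now is None else now
    return now - rec.published


def is_stale(rec: DbRecord, now: Optional[int] = None) -> bool:
    return record_age(rec, now) > STALE_AFTER_SECONDS


def diagnose(answers: Dict[str, str], now: int) -> Dict[str, str]:
    """Classify TXT answers gathered from several resolvers at time `now`.

    If at least one resolver hands back a fresh record, every stale answer
    is a copy that resolver kept past its time (Todd's case 2). If all the
    answers are stale, the record is old at the source (case 1)."""
    parsed = {name: parse_txt_record(txt) for name, txt in answers.items()}
    any_fresh = any(not is_stale(rec, now) for rec in parsed.values())
    verdict = {}
    for name, rec in parsed.items():
        age_h = record_age(rec, now) / 3600
        if not is_stale(rec, now):
            verdict[name] = "fresh (%.1f h old)" % age_h
        elif any_fresh:
            verdict[name] = "stale (%.1f h old): resolver serving an over-cached copy" % age_h
        else:
            verdict[name] = "stale (%.1f h old): record old at the source" % age_h
    return verdict


# Constructed answers. main 38 / daily 1479 are the versions in the quoted
# freshclam.log; the timestamps and resolver names are made up for the example.
NOW = 1148491200
ANSWERS = {
    "isp-resolver":   '"0.88.2:38:1479:1148476000:1:7:1479"',   # about 4.2 h old
    "local-resolver": '"0.88.2:38:1479:1148490000:1:7:1479"',   # 20 min old
}

if __name__ == "__main__":
    for resolver, verdict in diagnose(ANSWERS, NOW).items():
        print("%-15s %s" % (resolver, verdict))
```

Running this against live answers (one `dig TXT current.cvd.clamav.net @<resolver>` per name server) turns Todd's "experiment and try a few things" into a yes/no: a fresh answer from a second resolver beside a stale one from the ISP's points at over-caching, while stale answers everywhere mean there is nothing to fix locally.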
[Clamav-users] OT: police state
Todd Lyons wrote:
> (signature quote)
> We should not be building surveillance technology into standards. Law enforcement was not supposed to be easy. Where it is easy, it's called a police state. -- Jeff Schiller on NANOG

He was probably paraphrasing the 1958 movie Touch of Evil, where Charlton Heston's character says:

A policeman's job is only easy in a police state.

http://www.imdb.com/title/tt0052311/quotes

--
Matthew.van.Eerde (at) hbinc.com                805.964.4554 x902
Hispanic Business Inc./HireDiversity.com        Software Engineer
[Clamav-users] clamstats script
I've downloaded a script that is supposed to output stats on viruses that ClamAV detects. Needless to say it's not working correctly and I'm soliciting some help since I know nothing about Perl. I'm sort of getting output, however it doesn't show any viruses detected. I'd attach the script but I don't know how the list owner is about attachments. If some kind soul would like to take a look at it I'll email it to them, or if it's permissible to attach it here I'll do that.

Output from command /usr/local/bin/clamstats.pl:

ClamAV Statistics cpollock
clamd last started Sat May 20 16:07:28 2006
Statistics since Last Database Update Wed May 24 16:13:29 2006

Total viruses detected             0
Total Database Signatures     56,471

1 FreshClam errors, last on Thu May 11 01:11:40 2006: Can't query current.cvd.clamav.net

0 Virus Types Detected
--
0 File Extensions Used
--
By Date ( . = 1 viruses )
--
By Hour ( . = 1 viruses )
--
By Month ( . = 1 viruses )
-
By Year ( . = 1 viruses )
--

Thanks
Chris

--
Chris
Registered Linux User 283774 http://counter.li.org
17:44:43 up 10 days, 5:44, 1 user, load average: 0.06, 0.09, 0.14
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
Re: [Clamav-users] clamstats script
Chris wrote:
> I've downloaded a script that is supposed to output stats on viruses that ClamAV detects. Needless to say it's not working correctly and I'm soliciting some help since I know nothing about Perl. I'm sort of getting output, however it doesn't show any viruses detected. I'd attach the script but I don't know how the list owner is about attachments. If some kind soul would like to take a look at it I'll email it to them, or if it's permissible to attach it here I'll do that.

What mailer are you running?

I developed this http://newmail.axess.com/virus/ but it's only currently for Qmail/simscan (until someone wants to write a backend for another scanner).

Regards,

Rick
Re: [Clamav-users] clamstats script
On Wednesday 24 May 2006 5:54 pm, Rick Macdougall wrote:
> Chris wrote:
>> I've downloaded a script that is supposed to output stats on viruses that ClamAV detects. Needless to say it's not working correctly and I'm soliciting some help since I know nothing about Perl. I'm sort of getting output, however it doesn't show any viruses detected. I'd attach the script but I don't know how the list owner is about attachments. If some kind soul would like to take a look at it I'll email it to them, or if it's permissible to attach it here I'll do that.
>
> What mailer are you running?
>
> I developed this http://newmail.axess.com/virus/ but it's only currently for Qmail/simscan (until someone wants to write a backend for another scanner).
>
> Regards,
>
> Rick

Kmail, however it's called via a plug-in for SpamAssassin.

--
Chris
Registered Linux User 283774 http://counter.li.org
18:52:40 up 10 days, 6:52, 1 user, load average: 0.41, 0.27, 0.15
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
Re: [Clamav-users] clamstats script
Chris wrote:
> On Wednesday 24 May 2006 5:54 pm, Rick Macdougall wrote:
>> I developed this http://newmail.axess.com/virus/ but it's only currently for Qmail/simscan (until someone wants to write a backend for another scanner).
>
> Kmail, however it's called via a plug-in for SpamAssassin.

I believe Kmail is an email client, not an MTU. What is your MTU (i.e. sendmail, exim, qmail, postfix etc.)?

As well, SpamAssassin finds spam, not viruses.

Regards,

Rick
Re: [Clamav-users] clamstats script
On Wednesday 24 May 2006 7:05 pm, Rick Macdougall wrote:
> Chris wrote:
>> On Wednesday 24 May 2006 5:54 pm, Rick Macdougall wrote:
>>> I developed this http://newmail.axess.com/virus/ but it's only currently for Qmail/simscan (until someone wants to write a backend for another scanner).
>>
>> Kmail, however it's called via a plug-in for SpamAssassin.
>
> I believe Kmail is an email client, not an MTU. What is your MTU (i.e. sendmail, exim, qmail, postfix etc.)?
>
> As well, SpamAssassin finds spam, not viruses.
>
> Regards,

My mistake: mail is picked up via fetchmail and run through procmail, where SpamAssassin is called. There is a ClamAV plugin for SA:

loadplugin ClamAV clamav.pm
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected a virus
score CLAMAV 10.00

which I'm using. There is a clamd.log and a freshclam.log in /var/log/clamav. ClamAV is detecting viruses:

Wed May 24 18:33:49 2006 - Accepted connection on port 1451, fd 8
Wed May 24 18:33:49 2006 - stream: Html.Phishing.Bank.Gen503.Sanesecurity.06042004 FOUND
Wed May 24 18:33:52 2006 - Accepted connection on port 1995, fd 8
Wed May 24 18:33:52 2006 - stream: Html.Phishing.Bank.Gen503.Sanesecurity.06042004 FOUND
Wed May 24 18:50:26 2006 - SelfCheck: Database status OK.
Wed May 24 18:50:26 2006 - Accepted connection on port 1141, fd 8
Wed May 24 18:50:26 2006 - stream: Html.Phishing.Bank.Sanesecurity.06032100 FOUND

One thing that was pointed out to me by someone else who looked at the script, but doesn't run ClamAV, is this:

> I'm really not that familiar with ClamAV log files, but the script is looking for patterns in the log that it is not finding. This regular expression test on line 96 is never true:
>
> if (/(\w+)\s(\w+)\s{1,2}(\d{1,2})\s(\d+:\d+:\d+)\s(\d+). +mdefang-(\w+)\/Work\/msg-\d+-\d+\.(\w+):\s+(.+)\sFOUND/) {
>
> so it never picks up anything. Why it's looking for these specific strings, I don't know, because I don't know ClamAV.

Chris

--
Chris
Registered Linux User 283774 http://counter.li.org
19:09:36 up 10 days, 7:09, 1 user, load average: 0.33, 0.31, 0.23
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
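The regex quoted above expects MIMEDefang's `mdefang-.../Work/msg-...` paths, which clamd never writes when it is fed a stream by a SpamAssassin plugin, so the counters stay at zero. As an added example (written for this page, not the clamstats script or ClamAV's code), the Python below parses the `stream: <signature> FOUND` lines Chris's clamd.log actually contains and produces the breakdowns the report was meant to show. The seven log lines from the post are the sample input; the `->` separator it also accepts is the form clamd writes when the log is not run through a web archive, and the `Detection` and `summarise` names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple

# Shape of a clamd.log detection line as quoted in the thread:
#   Wed May 24 18:33:49 2006 - stream: Html.Phishing.Bank.Gen503.Sanesecurity.06042004 FOUND
# clamd itself writes "->" after the timestamp; the copy in the post shows "-",
# so the separator pattern accepts either. Lines not ending in FOUND are skipped.
CLAMD_FOUND = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) -+>? "
    r"(?P<target>.+?): (?P<sig>\S+) FOUND$"
)


class Detection(NamedTuple):
    when: datetime
    target: str      # 'stream' for socket scans, otherwise the scanned path
    signature: str


def parse_clamd_log(lines: Iterable[str]) -> List[Detection]:
    """Extract every FOUND event; connection and SelfCheck chatter is ignored."""
    hits = []
    for line in lines:
        m = CLAMD_FOUND.match(line.rstrip("\r\n"))
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        hits.append(Detection(when, m.group("target"), m.group("sig")))
    return hits


def summarise(hits: List[Detection]) -> Dict[str, object]:
    """The breakdowns the clamstats report prints (totals, by type, by time)."""
    return {
        "total": len(hits),
        "by_signature": Counter(h.signature for h in hits),
        "by_date": Counter(h.when.strftime("%Y-%m-%d") for h in hits),
        "by_hour": Counter(h.when.hour for h in hits),
        "by_month": Counter(h.when.strftime("%Y-%m") for h in hits),
    }


# Sample input: the seven clamd.log lines quoted in the post.
SAMPLE_LOG = """\
Wed May 24 18:33:49 2006 - Accepted connection on port 1451, fd 8
Wed May 24 18:33:49 2006 - stream: Html.Phishing.Bank.Gen503.Sanesecurity.06042004 FOUND
Wed May 24 18:33:52 2006 - Accepted connection on port 1995, fd 8
Wed May 24 18:33:52 2006 - stream: Html.Phishing.Bank.Gen503.Sanesecurity.06042004 FOUND
Wed May 24 18:50:26 2006 - SelfCheck: Database status OK.
Wed May 24 18:50:26 2006 - Accepted connection on port 1141, fd 8
Wed May 24 18:50:26 2006 - stream: Html.Phishing.Bank.Sanesecurity.06032100 FOUND
""".splitlines()

if __name__ == "__main__":
    stats = summarise(parse_clamd_log(SAMPLE_LOG))
    print("Total viruses detected:", stats["total"])
    for sig, n in stats["by_signature"].most_common():
        print("%4d  %s" % (n, sig))
    for hour, n in sorted(stats["by_hour"].items()):
        print("%02d:00  %s" % (hour, "." * n))
```

The `target` capture is what the original script wanted to derive file extensions from; for stream scans it is just `stream`, so a "File Extensions Used" table stays empty by design rather than by bug.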