Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-08 Thread Bill Maidment
-Original message-
From: Tomasz Kojm
Sent: Wed 08-02-2012 22:25
Subject: Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
To: ClamAV users ML
> On Wed, 8 Feb 2012 11:02:54 +1100 Bill Maidment  wrote:
> 
> > I have manually patched 0.97.3, re-compiled, re-installed and restarted
> > clamd, but the ign2 file is still being ignored.
> > 
> > [root@stiles clamav]# cat /usr/local/share/clamav/local.ign2 
> > BC.Exploit.CVE_2011_3412
> 
> The entry is not complete. The correct one is:
> 
> BC.Exploit.CVE_2011_3412.{CVE_2011_3412}
> 

Thanks for that. I was using the virus name reported by mimedefang. I must
remember to use sigtool to get the correct name.
The fix does work.


Cheers
Bill Maidment
IT Consultant to Elgas Ltd
Phone: 02 4294 3649
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
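The naming mismatch Bill ran into, as an added example that is not from the thread or from the ClamAV project: a small POSIX sh checker that compares each line of a .ign2 whitelist against the full signature names the engine uses (in practice that list comes from `sigtool --list-sigs`; here a few constructed names stand in so it runs offline) and reports entries that are only a prefix of a real name, together with the full name to use instead.

```shell
#!/bin/sh
# Added example (not from the thread or from ClamAV): check a .ign2 whitelist
# against the full signature names the engine knows, so a shortened name such
# as the one a mail filter reports is caught before the entry is silently ignored.

# Constructed stand-in for `sigtool --list-sigs` output; not real database content.
SIGNAMES=$(mktemp)
cat >"$SIGNAMES" <<'EOF'
BC.Exploit.CVE_2011_3412.{CVE_2011_3412}
Exploit.Alpha_Upper
Exploit.CVE_2011_3397-6
EOF

# check_ign2 IGN2_FILE SIGLIST_FILE
# Prints one line per whitelist entry:
#   ok          exact match, the entry will be honoured
#   incomplete  only a prefix of a known name (the thread's case); full name shown
#   unknown     matches nothing in the list
# Returns 0 only when every entry is an exact match.
check_ign2() {
    ign2=$1; sigs=$2; rc=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        case $entry in ''|'#'*) continue ;; esac        # skip blanks and comments
        if grep -qxF -- "$entry" "$sigs"; then
            printf 'ok          %s\n' "$entry"
        else
            # first listed name that contains the entry as a literal substring
            full=$(grep -F -- "$entry" "$sigs" | head -n 1)
            case $full in
                "$entry"*) printf 'incomplete  %s -> use %s\n' "$entry" "$full"; rc=1 ;;
                *)         printf 'unknown     %s\n' "$entry"; rc=1 ;;
            esac
        fi
    done <"$ign2"
    return "$rc"
}

# Constructed local.ign2: the short name a mail filter reported plus one
# correct entry.
IGN2=$(mktemp)
printf '%s\n' 'BC.Exploit.CVE_2011_3412' 'Exploit.Alpha_Upper' >"$IGN2"

check_ign2 "$IGN2" "$SIGNAMES" || echo "fix the entries above, then reload clamd"
```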


Re: [clamav-users] False Positive rule set of Snort-2.9.2.1 on clamd-0.97.3-3

2012-02-08 Thread Chuck Swiger
On Feb 8, 2012, at 10:09 AM, Joel Esler wrote:
> We're looking into a solution for this.

Oh, sure...when this issue was first noticed, anti-virus providers started 
doing things like obfuscating or encrypting the malware signatures.  However, 
since malware generally also tries to conceal itself, anti-virus software tries 
to un-obfuscate stuff (with varying degrees of success).  It's a circumstance 
where you can chicken-and-egg indefinitely.

Or you can simply decide to not quarantine or delete filesystem locations 
containing malware signatures.

Regards,
-- 
-Chuck



Re: [clamav-users] False Positive rule set of Snort-2.9.2.1 on clamd-0.97.3-3

2012-02-08 Thread Joel Esler
We're looking into a solution for this.

On Wed, Feb 8, 2012 at 10:51 AM, Chuck Swiger  wrote:

> On Feb 8, 2012, at 7:25 AM, Yoshihara Takao wrote:
> > Hi all,
> >
> > Now I use Snort-2.9.2.1 and clamd-0.97.3-3 on the same OS, Scientific Linux
> > 6.1 (i686).
> > Since around a month ago, whenever the daily clamscan finishes, the same
> > false positives below have been detected and the files have been
> > forcibly deleted:
> >
> > /etc/snort/rules/web-client.rules: CVE_2005_1342 FOUND
> > /etc/snort/rules/shellcode.rules: Exploit.Alpha_Upper FOUND
> > /etc/snort/rules/web-activex.rules: CVE_2011_3397-6 FOUND
> >
> > I thought this issue was an FP and reported it to the site below, but it
> > is still detected even after I update the .cvd file, and no fix seems
> > to have been provided.
>
> Snort includes rules which look for malware in network traffic.  These
> rules contain patterns which another scanner like ClamAV will correctly
> associate with malware.  This isn't a false positive, it's a legitimate
> match.
>
> > I have temporarily excluded the "/etc/snort/rules" directory from the
> > clamscan targets.  What should I do later?
>
> You should continue to exclude snort's rules from clamscan / clamdscan.
>
> What you're doing is effectively the same thing as installing two
> different virus scanners on the same box.  If you don't make an effort to
> exclude one scanner's virus database location from being scanned by the
> other scanner, and vice-versa, then you will end up with them trying to
> quarantine or delete each other's malware database files.
>
> Regards,
> --
> -Chuck
>
>



-- 
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
Twitter:  http://twitter.com/snort


Re: [clamav-users] False Positive rule set of Snort-2.9.2.1 on clamd-0.97.3-3

2012-02-08 Thread Chuck Swiger
On Feb 8, 2012, at 7:25 AM, Yoshihara Takao wrote:
> Hi all, 
> 
> Now I use Snort-2.9.2.1 and clamd-0.97.3-3 on the same OS, Scientific Linux
> 6.1 (i686).
> Since around a month ago, whenever the daily clamscan finishes, the same
> false positives below have been detected and the files have been
> forcibly deleted:
> 
> /etc/snort/rules/web-client.rules: CVE_2005_1342 FOUND
> /etc/snort/rules/shellcode.rules: Exploit.Alpha_Upper FOUND
> /etc/snort/rules/web-activex.rules: CVE_2011_3397-6 FOUND 
> 
> I thought this issue was an FP and reported it to the site below, but it
> is still detected even after I update the .cvd file, and no fix seems
> to have been provided.

Snort includes rules which look for malware in network traffic.  These rules 
contain patterns which another scanner like ClamAV will correctly associate 
with malware.  This isn't a false positive, it's a legitimate match.

> I have temporarily excluded the "/etc/snort/rules" directory from the
> clamscan targets.  What should I do later?

You should continue to exclude snort's rules from clamscan / clamdscan.

What you're doing is effectively the same thing as installing two different 
virus scanners on the same box.  If you don't make an effort to exclude one 
scanner's virus database location from being scanned by the other scanner, and 
vice-versa, then you will end up with them trying to quarantine or delete each 
other's malware database files.

Regards,
-- 
-Chuck



[clamav-users] False Positive rule set of Snort-2.9.2.1 on clamd-0.97.3-3

2012-02-08 Thread Yoshihara Takao
Hi all, 

Now I use Snort-2.9.2.1 and clamd-0.97.3-3 on the same OS, Scientific Linux
6.1 (i686).
Since around a month ago, whenever the daily clamscan finishes, the same
false positives below have been detected and the files have been
forcibly deleted:

/etc/snort/rules/web-client.rules: CVE_2005_1342 FOUND
/etc/snort/rules/shellcode.rules: Exploit.Alpha_Upper FOUND
/etc/snort/rules/web-activex.rules: CVE_2011_3397-6 FOUND 

I thought this issue was an FP and reported it to the site below, but it
is still detected even after I update the .cvd file, and no fix seems
to have been provided.

http://www.clamav.net/lang/en/sendvirus/submit-fp/ 

I have temporarily excluded the "/etc/snort/rules" directory from the
clamscan targets.
What should I do later?

Regards,
Yoshii



Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-08 Thread Tomasz Kojm
On Wed, 8 Feb 2012 14:03:18 +0100 Ralf Hildebrandt wrote:
> * Tomasz Kojm :
>> On Wed, 8 Feb 2012 11:02:54 +1100 Bill Maidment  wrote:
>>
>>> I have manually patched 0.97.3, re-compiled, re-installed and restarted 
>>> clamd, but the ign2 file is still being ignored.
>>>
>>> [root@stiles clamav]# cat /usr/local/share/clamav/local.ign2 
>>> BC.Exploit.CVE_2011_3412
>>
>> The entry is not complete. The correct one is:
>>
>> BC.Exploit.CVE_2011_3412.{CVE_2011_3412}
> 
> After applying your fix, correct?

Correct. It won't work without the fix.

-- 
   oo. Tomasz Kojm 
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Wed Feb  8 15:06:01 CET 2012


Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-08 Thread Ralf Hildebrandt
* Tomasz Kojm :
> On Wed, 8 Feb 2012 11:02:54 +1100 Bill Maidment  wrote:
> 
> > I have manually patched 0.97.3, re-compiled, re-installed and restarted 
> > clamd, but the ign2 file is still being ignored.
> > 
> > [root@stiles clamav]# cat /usr/local/share/clamav/local.ign2 
> > BC.Exploit.CVE_2011_3412
> 
> The entry is not complete. The correct one is:
> 
> BC.Exploit.CVE_2011_3412.{CVE_2011_3412}

After applying your fix, correct?

-- 
Ralf Hildebrandt                    Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de         Campus Benjamin Franklin
http://www.charite.de               Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk  fon: +49-30-450.570.155

Re: [clamav-users] Unit Testing

2012-02-08 Thread G.W. Haywood
Hi there,

On Wed, 8 Feb 2012, Dave Reynolds wrote:

> As to why I would install ClamAV, it is an IA requirement that we
> scan for viruses on remote file transfers that go thru this system
> and there aren't too many options that will run under IRIX.

IA = "Inspection Authority"?

Does the IA know what it is that it's inspecting?

Does the virus scanning engine need to reside on the trusted system?

--

73,
Ged.


Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-08 Thread Tomasz Kojm
On Wed, 8 Feb 2012 11:02:54 +1100 Bill Maidment  wrote:

> I have manually patched 0.97.3, re-compiled, re-installed and restarted 
> clamd, but the ign2 file is still being ignored.
> 
> [root@stiles clamav]# cat /usr/local/share/clamav/local.ign2 
> BC.Exploit.CVE_2011_3412

The entry is not complete. The correct one is:

BC.Exploit.CVE_2011_3412.{CVE_2011_3412}

HTH,

-- 
   oo. Tomasz Kojm 
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Wed Feb  8 12:23:16 CET 2012