Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
-Original message-
From: Tomasz Kojm
Sent: Wed 08-02-2012 22:25
Subject: Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
To: ClamAV users ML

> On Wed, 8 Feb 2012 11:02:54 +1100 Bill Maidment wrote:
>
> > I have manually patched 0.97.3, re-compiled, re-installed and restarted
> > clamd, but the ign2 file is still being ignored.
> >
> > [root@stiles clamav]# cat /usr/local/share/clamav/local.ign2
> > BC.Exploit.CVE_2011_3412
>
> The entry is not complete. The correct one is:
>
> BC.Exploit.CVE_2011_3412.{CVE_2011_3412}

Thanks for that. I was using the virus name reported by mimedefang. I must remember to use sigtool to give me the correct name. The fix does work.

Cheers
Bill Maidment
IT Consultant to Elgas Ltd
Phone: 02 4294 3649

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [clamav-users] False Positive rule set of Snort-2.9.2.1 on clamd-0.97.3-3
On Feb 8, 2012, at 10:09 AM, Joel Esler wrote:
> We're looking into a solution for this.

Oh, sure... when this issue was first noticed, anti-virus providers started doing things like obfuscating or encrypting the malware signatures. However, since malware generally also tries to conceal itself, anti-virus software tries to un-obfuscate stuff (with varying degrees of success). It's a circumstance where you can chicken-and-egg indefinitely.

Or you can simply decide to not quarantine or delete filesystem locations containing malware signatures.

Regards,
--
-Chuck
Re: [clamav-users] False Positive rule set of Snort-2.9.2.1 on clamd-0.97.3-3
We're looking into a solution for this.

On Wed, Feb 8, 2012 at 10:51 AM, Chuck Swiger wrote:
> On Feb 8, 2012, at 7:25 AM, Yoshihara Takao wrote:
> > Hi all,
> >
> > Now I use Snort-2.9.2.1 and clamd-0.97.3-3 on the same OS, Scientific Linux
> > 6.1 (i686).
> > Since around a month ago, whenever daily clamscan is finished, the same
> > following False Positive has been detected and the files have been
> > mandatorily deleted:
> >
> > /etc/snort/rules/web-client.rules: CVE_2005_1342 FOUND
> > /etc/snort/rules/shellcode.rules: Exploit.Alpha_Upper FOUND
> > /etc/snort/rules/web-activex.rules: CVE_2011_3397-6 FOUND
> >
> > I thought this issue was FP and reported it to the site below, but it has
> > still been detected even if I update the .cvd file, and no fix seems to
> > have been provided.
>
> Snort includes rules which look for malware in network traffic. These
> rules contain patterns which another scanner like ClamAV will correctly
> associate with malware. This isn't a false positive, it's a legitimate
> match.
>
> > I have temporarily excluded the "/etc/snort/rules" directory from the
> > clamscan target. What should I do later?
>
> You should continue to exclude snort's rules from clamscan / clamdscan.
>
> What you're doing is effectively the same thing as installing two
> different virus scanners on the same box. If you don't make an effort to
> exclude one scanner's virus database location from being scanned by the
> other scanner, and vice-versa, then you will end up with them trying to
> quarantine or delete each other's malware database files.
>
> Regards,
> --
> -Chuck

--
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org | http://blog.clamav.net
Twitter: http://twitter.com/snort
Re: [clamav-users] False Positive rule set of Snort-2.9.2.1 on clamd-0.97.3-3
On Feb 8, 2012, at 7:25 AM, Yoshihara Takao wrote:
> Hi all,
>
> Now I use Snort-2.9.2.1 and clamd-0.97.3-3 on the same OS, Scientific Linux
> 6.1 (i686).
> Since around a month ago, whenever daily clamscan is finished, the same
> following False Positive has been detected and the files have been
> mandatorily deleted:
>
> /etc/snort/rules/web-client.rules: CVE_2005_1342 FOUND
> /etc/snort/rules/shellcode.rules: Exploit.Alpha_Upper FOUND
> /etc/snort/rules/web-activex.rules: CVE_2011_3397-6 FOUND
>
> I thought this issue was FP and reported it to the site below, but it has
> still been detected even if I update the .cvd file, and no fix seems to
> have been provided.

Snort includes rules which look for malware in network traffic. These rules contain patterns which another scanner like ClamAV will correctly associate with malware. This isn't a false positive, it's a legitimate match.

> I have temporarily excluded the "/etc/snort/rules" directory from the
> clamscan target. What should I do later?

You should continue to exclude snort's rules from clamscan / clamdscan.

What you're doing is effectively the same thing as installing two different virus scanners on the same box. If you don't make an effort to exclude one scanner's virus database location from being scanned by the other scanner, and vice-versa, then you will end up with them trying to quarantine or delete each other's malware database files.

Regards,
--
-Chuck
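Added example, not code from the thread or from ClamAV itself: a small Python triage script that applies Chuck's advice to a constructed clamscan report. It separates hits that fall inside another tool's signature directories (/etc/snort/rules is from the thread; the Suricata path and the non-Snort hits are assumptions) from hits that still need attention, and builds the --exclude-dir arguments for the next run; the anchored regex form is an assumption about how clamscan matches that option against directory paths.

```python
"""Triage clamscan 'FOUND' lines: hits inside known signature directories are
expected matches on detection content, not infections, and should be excluded
from future scans rather than deleted. Added example, not ClamAV's own code."""
import re
from pathlib import PurePosixPath

# Directories holding another scanner's detection content. /etc/snort/rules is
# the path from the thread; the Suricata path is an assumption for illustration.
SIGNATURE_DIRS = ["/etc/snort/rules", "/var/lib/suricata/rules"]

# clamscan prints one "<path>: <signature> FOUND" line per hit.
HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_hits(report):
    """Return (path, signature) pairs for every FOUND line in a clamscan report."""
    return [(m.group("path"), m.group("sig"))
            for m in (HIT_RE.match(l.strip()) for l in report.splitlines()) if m]


def is_under(path, directory):
    """True if path is directory or lies below it. A plain prefix test would also
    match /etc/snort/rules-old against /etc/snort/rules; this does not."""
    p, d = PurePosixPath(path), PurePosixPath(directory)
    return p == d or d in p.parents


def triage(report, sig_dirs=SIGNATURE_DIRS):
    """Split hits into expected matches on signature files and everything else."""
    expected, real = [], []
    for path, sig in parse_hits(report):
        (expected if any(is_under(path, d) for d in sig_dirs) else real).append((path, sig))
    return expected, real


def exclude_args(sig_dirs=SIGNATURE_DIRS):
    """--exclude-dir takes a regex; assumed to be matched against the directory
    path, so anchor it and accept the directory itself or anything below it."""
    return ["--exclude-dir=^" + re.escape(d) + "(/|$)" for d in sig_dirs]


# Constructed sample report: the three lines from the thread plus two assumed hits
# (a placeholder signature name on a user file, and a look-alike directory name).
SAMPLE = """\
/etc/snort/rules/web-client.rules: CVE_2005_1342 FOUND
/etc/snort/rules/shellcode.rules: Exploit.Alpha_Upper FOUND
/etc/snort/rules/web-activex.rules: CVE_2011_3397-6 FOUND
/home/alice/Downloads/invoice.exe: Example.Placeholder.Sig-1 FOUND
/etc/snort/rules-old/local.rules: Exploit.Alpha_Upper FOUND
"""

if __name__ == "__main__":
    expected, real = triage(SAMPLE)
    print("expected matches on signature files:", len(expected))
    print("hits to investigate:", real)
    print("next run: clamscan", *exclude_args(), "/")
```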
[clamav-users] False Positive rule set of Snort-2.9.2.1 on clamd-0.97.3-3
Hi all,

Now I use Snort-2.9.2.1 and clamd-0.97.3-3 on the same OS, Scientific Linux 6.1 (i686).
Since around a month ago, whenever daily clamscan is finished, the same following False Positive has been detected and the files have been mandatorily deleted:

/etc/snort/rules/web-client.rules: CVE_2005_1342 FOUND
/etc/snort/rules/shellcode.rules: Exploit.Alpha_Upper FOUND
/etc/snort/rules/web-activex.rules: CVE_2011_3397-6 FOUND

I thought this issue was FP and reported it to the site below, but it has still been detected even if I update the .cvd file, and no fix seems to have been provided.

http://www.clamav.net/lang/en/sendvirus/submit-fp/

I have temporarily excluded the "/etc/snort/rules" directory from the clamscan target. What should I do later?

Regards,
Yoshii
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
On Wed, 8 Feb 2012 14:03:18 +0100 Ralf Hildebrandt wrote:
> * Tomasz Kojm :
>> On Wed, 8 Feb 2012 11:02:54 +1100 Bill Maidment wrote:
>>
>>> I have manually patched 0.97.3, re-compiled, re-installed and restarted
>>> clamd, but the ign2 file is still being ignored.
>>>
>>> [root@stiles clamav]# cat /usr/local/share/clamav/local.ign2
>>> BC.Exploit.CVE_2011_3412
>>
>> The entry is not complete. The correct one is:
>>
>> BC.Exploit.CVE_2011_3412.{CVE_2011_3412}
>
> After applying your fix, correct?

Correct. It won't work without the fix.

--
   oo    .     Tomasz Kojm
  (\/)\.........  http://www.ClamAV.net/gpg/tkojm.gpg
  \..........._   0DCA5A08407D5288279DB43454822DC8985A444B
    //\   /\      Wed Feb  8 15:06:01 CET 2012
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
* Tomasz Kojm :
> On Wed, 8 Feb 2012 11:02:54 +1100 Bill Maidment wrote:
>
> > I have manually patched 0.97.3, re-compiled, re-installed and restarted
> > clamd, but the ign2 file is still being ignored.
> >
> > [root@stiles clamav]# cat /usr/local/share/clamav/local.ign2
> > BC.Exploit.CVE_2011_3412
>
> The entry is not complete. The correct one is:
>
> BC.Exploit.CVE_2011_3412.{CVE_2011_3412}

After applying your fix, correct?

--
Ralf Hildebrandt
Charite Universitätsmedizin Berlin     ralf.hildebra...@charite.de
Campus Benjamin Franklin               http://www.charite.de
Hindenburgdamm 30, 12203 Berlin
IT Division, Network Department        phone: +49-30-450.570.155
Re: [clamav-users] Unit Testing
Hi there,

On Wed, 8 Feb 2012, Dave Reynolds wrote:

> As to why I would install ClamAV, it is an IA requirement that we scan for
> viruses on remote file transfers that go thru this system and there aren't
> too many options that will run under IRIX.

IA = "Inspection Authority"?

Does the IA know what it is that it's inspecting?

Does the virus scanning engine need to reside on the trusted system?

--
73,
Ged.
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
On Wed, 8 Feb 2012 11:02:54 +1100 Bill Maidment wrote:
> I have manually patched 0.97.3, re-compiled, re-installed and restarted
> clamd, but the ign2 file is still being ignored.
>
> [root@stiles clamav]# cat /usr/local/share/clamav/local.ign2
> BC.Exploit.CVE_2011_3412

The entry is not complete. The correct one is:

BC.Exploit.CVE_2011_3412.{CVE_2011_3412}

HTH,
--
   oo    .     Tomasz Kojm
  (\/)\.........  http://www.ClamAV.net/gpg/tkojm.gpg
  \..........._   0DCA5A08407D5288279DB43454822DC8985A444B
    //\   /\      Wed Feb  8 12:23:16 CET 2012