Re: [clamav-users] GTUBE message detection
On Mon, 2013-04-08 at 22:06 +, Christian Salway wrote:
> I concur. GTUBE shouldn't be included.
>
> However, the question should be asked as to why the request was
> originally requested?

From what I can see in the original request, there was no pressing requirement to include it [1]. It was more of a "shouldn't this be included" enquiry, based on it being a test conducted by an email checking website [2]. However, the text in that website for the test states:

"The third mail (3/7) is harmless spam message (GTUBE spam signature), and should be detected by every spam filter. Depending on the configuration of your spam filter, this mail may never reach you."

From that description, I would not expect ClamAV to pick it up.

> Coincidentally, spamassassin can be set up to pick up gtube before it
> reaches clamav.

My argument is more that a user may not realise that clamav is picking it up. This was the case for me: I have been testing spamassassin for the last couple of years using GTUBE, but didn't realise until now that it was actually clamav picking the message up, rather than spamassassin. So in actual fact spamassassin may not have been working. Careless on my part, I know, but I'm sure I'm not the only one!

Andy

[1] http://lurker.clamav.net/message/20090924.234610.57310ea1.en.html
[2] http://www.emailsecuritycheck.net/index.html
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [clamav-users] GTUBE message detection
On 4/8/13 1:40 PM, "Andrew Beverley" wrote:
> Some time ago there was a discussion that resulted in the GTUBE test
> spam message being added to the Clamav signatures[1].
> ...
> [1] http://lurker.clamav.net/message/20090924.234610.57310ea1.en.html

According to the second message in your footnoted reference, it was added to the Sanesecurity unofficial signature database, not ClamAV's. Every time it comes up I have tried to test it and it always fails. Now I know why.

-Al-
--
Al Varnell
Mountain View, CA
Re: [clamav-users] GTUBE message detection
I concur. GTUBE shouldn't be included.

However, the question should be asked as to why the request was originally requested?

Coincidentally, spamassassin can be set up to pick up gtube before it reaches clamav.

Xian

-Original Message-
From: Andrew Beverley
Sender: clamav-users-boun...@lists.clamav.net
Date: Mon, 08 Apr 2013 21:40:14
To:
Reply-To: ClamAV users ML
Subject: [clamav-users] GTUBE message detection

Some time ago there was a discussion that resulted in the GTUBE test spam message being added to the Clamav signatures[1].

The problem with this is that it is hard to test an anti-spam solution (such as Spamassassin) on the same server, as ClamAV may reject a message before Spamassassin gets a chance to look at it. This could result in the false assumption that Spamassassin is working correctly when in actual fact it is not.

Given that there is the Eicar message for testing AV software, and the Gtube for testing Spam software, could Gtube be removed from ClamAV please?

Thanks,

Andy

[1] http://lurker.clamav.net/message/20090924.234610.57310ea1.en.html
[clamav-users] GTUBE message detection
Some time ago there was a discussion that resulted in the GTUBE test spam message being added to the Clamav signatures[1].

The problem with this is that it is hard to test an anti-spam solution (such as Spamassassin) on the same server, as ClamAV may reject a message before Spamassassin gets a chance to look at it. This could result in the false assumption that Spamassassin is working correctly when in actual fact it is not.

Given that there is the Eicar message for testing AV software, and the Gtube for testing Spam software, could Gtube be removed from ClamAV please?

Thanks,

Andy

[1] http://lurker.clamav.net/message/20090924.234610.57310ea1.en.html
Re: [clamav-users] W32/Autorun.worm.aaeh not found in ClamAV ?
> Al,
>
> Just now I restored and submitted autorun.inf as well to "submit
> malware" in clamav.net
> From sigtool I got this MD5 signature;
> 3b19da4562e3729854ae6b3fe127:1123:Autorun.inf

It's also worth submitting the malware to:

https://www.virustotal.com/en/

Currently the Autorun hash you have isn't in its database.

Cheers,

Steve
Sanesecurity
Re: [clamav-users] W32/Autorun.worm.aaeh not found in ClamAV ?
Al,

Just now I restored and submitted autorun.inf as well to "submit malware" in clamav.net
From sigtool I got this MD5 signature;
3b19da4562e3729854ae6b3fe127:1123:Autorun.inf

Regards,

Zvi

On 08/04/13 11:51, A K Varnell wrote:
> I'm sure it would help the team if you could provide the file name and MD5 hash of what you submitted.
>
> -Al-
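An added example, not part of the original thread and not ClamAV's own code: a Python check of a `hash:size:name` line such as the one quoted above, which also builds such a line for a file you intend to report. The function names and the sample bytes are constructed for illustration; the hash as it appears in the message has 28 hexadecimal digits, while an MD5 digest has 32.

```python
import hashlib
import re

HEX_ONLY = re.compile(r"[0-9a-fA-F]+")

# The line exactly as it appears in the message above.
PAGE_LINE = "3b19da4562e3729854ae6b3fe127:1123:Autorun.inf"
# Constructed sample content, not the file discussed in the thread.
SAMPLE = b"[autorun]\r\nopen=example.exe\r\n"


def hdb_line(data: bytes, name: str) -> str:
    """Build a line in the hash:size:name layout shown in the thread."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def check_hdb_line(line: str) -> list:
    """Return the problems found in one hash:size:name line (empty if none)."""
    parts = line.strip().split(":", 2)
    if len(parts) != 3:
        return ["expected three colon-separated fields: hash:size:name"]
    digest, size, name = parts
    problems = []
    if not HEX_ONLY.fullmatch(digest):
        problems.append("hash contains non-hexadecimal characters")
    elif len(digest) != 32:
        problems.append(f"hash has {len(digest)} hex digits, MD5 needs 32")
    if not size.isdigit():
        problems.append("size is not a decimal byte count")
    if not name:
        problems.append("signature name is empty")
    return problems


def matches(line: str, data: bytes) -> bool:
    """True if the line is well formed and its hash and size both match data."""
    if check_hdb_line(line):
        return False
    digest, size, _ = line.strip().split(":", 2)
    return (int(size) == len(data)
            and digest.lower() == hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    print(check_hdb_line(PAGE_LINE))
    print(hdb_line(SAMPLE, "Constructed.Autorun"))
```

Running the check before posting a hash to a list or a lookup service catches a line that was shortened by copy and paste, which would otherwise never match anything.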
Re: [clamav-users] W32/Autorun.worm.aaeh not found in ClamAV ?
Sorry. I see now from McAfee link that it is low risk -
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=1607456

The file is autorun.inf and it creates a few other programs like:
Secret.exe, Sexy.exe, Porn.exe

I sent the file Sexy.exe just now under "Submit malware" in clamav.net menu.
(autorun.inf disappeared - perhaps by my ESET)

I hope it can help you.

Regards,

Zvi

On 08/04/13 11:51, A K Varnell wrote:
> I'm sure it would help the team if you could provide the file name and MD5 hash of what you submitted.
>
> -Al-
Re: [clamav-users] W32/Autorun.worm.aaeh not found in ClamAV ?
I'm sure it would help the team if you could provide the file name and MD5 hash of what you submitted.

-Al-
--
Al Varnell
Mountain View, CA

On Apr 8, 2013, at 1:45 AM, Zvi Kave wrote:

>
> Hi,
>
> I can not understand why the dangerous virus called W32/Autorun.worm.aaeh by
> McAfee
> can not be detected by ClamAV.
> http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=1607456
>
> I tried to scan it also from free Immunet 3.0 but without detection.
> I submitted this virus to ClamAV a month ago!
> Am I doing something wrong?
>
> Regards,
>
> Zvi
[clamav-users] W32/Autorun.worm.aaeh not found in ClamAV ?
Hi,

I can not understand why the dangerous virus called W32/Autorun.worm.aaeh by McAfee can not be detected by ClamAV.
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=1607456

I tried to scan it also from free Immunet 3.0 but without detection.
I submitted this virus to ClamAV a month ago!
Am I doing something wrong?

Regards,

Zvi