Re: [clamav-users] FP-Report: Email.Trojan-417
On Tue, May 13, 2014 at 05:38 PM, Benny Pedersen wrote:
> Sending the jpg file is not an option without putting it in a zip archive
> first?
>
> It does not pay off to compress jpg without jpg tools; that said, if it is just
> to get a single attachment on a mail it still makes sense to use zip as a
> container file

My impression is that this is not at all about a real .jpg file. Rather it's a malicious executable disguised to make you think it's just a .jpg in order to get you to open it.

-Al-
--
Al Varnell
Mountain View, CA
___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/support/ml
Re: [clamav-users] FP-Report: Email.Trojan-417
Sending the jpg file is not an option without putting it in a zip archive first?

It does not pay off to compress jpg without jpg tools; that said, if it is just to get a single attachment on a mail it still makes sense to use zip as a container file.

Don't know of a solution otherwise.
--
Sent from my Android phone with K-9 Mail. Sorry if I am a bit brief.
Re: [clamav-users] Compiling error: /usr/lib/libxml2.so: error adding symbols: File in wrong format
On 08/05/14 22:52, Alexander Tampermeier wrote:
> Dave, thank you for your detailed response. First, I tried to configure with option "--disable-xml" as you suggested but this attempt led to further problems:
>
>   CC       libclamav_internal_utils_la-regerror.lo
>   CC       libclamav_internal_utils_la-regexec.lo
>   CC       libclamav_internal_utils_la-regfree.lo
>   CCLD     libclamav_internal_utils.la
>   CCLD     libclamav.la
>   /usr/bin/ld: skipping incompatible /usr/lib/libz.so when searching for -lz
>   /usr/bin/ld: skipping incompatible /usr/lib/libz.a when searching for -lz
>   /usr/bin/ld: skipping incompatible /usr/lib/libbz2.so when searching for -lbz2
>   /usr/bin/ld: skipping incompatible /usr/lib/libbz2.a when searching for -lbz2
>   /usr/lib/libltdl.so: error adding symbols: File in wrong format
>   collect2: error: ld returned 1 exit status

Similar errors with clamav-0.98.3 here with an older SuSE 12.1:

  /usr/lib64/gcc/x86_64-suse-linux/4.6/../../../../x86_64-suse-linux/bin/ld: skipping incompatible /usr/lib/libz.so when searching for -lz
  /usr/lib/libltdl.so: could not read symbols: File in wrong format
  collect2: ld returned 1 exit status
  make[4]: *** [libclamav.la] Error 1

clamav-0.98.1 just compiles fine. First time that I have had compile problems with clamav, afair. Any solution for this?

BR
Markus
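A diagnostic added here as an illustration, not code from the thread or from the ClamAV project: the "skipping incompatible ... / File in wrong format" messages above are what ld prints when a library it finds on the search path was built for a different ELF class (32-bit vs 64-bit) than the objects being linked. This script reads the EI_CLASS byte of each named library directly, so it works even where `file` is not installed; the expected class (64 for an x86_64 build) and the library paths are the caller's assumptions.

```shell
#!/bin/sh
# Added example: report which libraries named in an ld error have the wrong
# ELF class. Not part of the thread or of ClamAV; paths below are assumed.

# elf_class FILE -> prints 32, 64 or not-elf; non-zero status when not ELF.
# Byte 5 of an ELF header (EI_CLASS) is 1 for ELF32 and 2 for ELF64.
elf_class() {
    hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *)          echo not-elf; return 1 ;;
    esac
}

# wrong_class WANT FILE... -> prints each FILE that is ELF but not class WANT.
# Non-ELF inputs (e.g. a GNU linker script standing in for libz.so) are
# skipped, since ld accepts those. Exit status 1 if any mismatch was found.
wrong_class() {
    want="$1"; shift
    found=0
    for f in "$@"; do
        c=$(elf_class "$f") || continue
        if [ "$c" != "$want" ]; then
            echo "$f: ELF$c, linker wants ELF$want"
            found=1
        fi
    done
    return $found
}

# Usage on the box that produced the error (assumed paths), before re-running
# configure with LDFLAGS pointing at the matching lib directory:
# wrong_class 64 /usr/lib/libz.so /usr/lib/libltdl.so /usr/lib64/libz.so
```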
[clamav-users] HTML.Exploit.Heap-2 False Positive?
A ClamXav user complained of having a Google Chrome extension "WebGL Inspector", which he has used since 2012, that was said to be infected with HTML.Exploit.Heap-2. I was able to obtain a later version of that extension and verified that the gli.all.js file in that extension scans as infected. I was not able to locate when this signature was added on the clamav-virusdb list.

I was able to easily confirm that the file contains all elements of the signature (four ASCII strings separated by "any strings" of varying length). I haven't found any clues on what an actual infected file might be. I submitted it to VirusTotal where only ClamAV detected it:
< https://www.virustotal.com/en/file/36fd57cce150c5e8ea26168823e84b19e109592c6586496b605306cbb482d982/analysis/1399908003/ >

I successfully uploaded it to you using your "Submit a false positive" form.

MD5 = 6968c0d2ad15e68b33bb30074ddbb7a6

-Al-
--
Al Varnell
Mountain View, CA

-

Al,

Sorry, I didn't have the original email that was sent to the list. After further analysis, I've modified the signature so that it shouldn't generate as many false positives.

Thank you,
Shaun Hurley
Re: [clamav-users] FP-Report: Email.Trojan-417
Julian,

I didn't see this in the false positive queue, but did see this email. I just completed a review of the original sample. It turns out that the original sample is being detected by another signature and that this one is not adding anything. I've scheduled the signature to be dropped out of the daily.cvd.

Thank you,
Shaun Hurley

On Tue, May 13, 2014 at 4:12 AM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:
>
> On Tue, May 13, 2014 8:27 am, Julian Hansmann wrote:
>
> > Regardless of its content (even if it's empty) a mail which has a file
> > with the suffix ".JPG.zip" (case sensitive) attached will be detected as
> > "Email.Trojan-417".
>
> Hi Julian,
>
> I'm guessing the original official signature was to catch something like
> this:
>
> http://techhelplist.com/index.php/spam-list/421-do-you-think-i-m-attractive-virus
>
> You can whitelist in your setup, while you wait for an official response:
>
> printf "Email.Trojan-417" > ignore.ign2
> copy the ignore.ign2 file into your clamav database directory
> restart clamd
>
> Cheers,
>
> Steve
> Sanesecurity
Re: [clamav-users] Version 0.98.3 fails on Solaris
On 13/05/2014 09:24, Al Varnell wrote:
> On Tue, May 13, 2014 at 01:04 AM, James Lee wrote:
> > (Please don't top post.)
>
> Please leave moderation functions to the moderators. There could possibly be a rule preventing it, but I'm unaware of any and there are examples in this thread of Sourcefire contributors top posting. For technical lists, it's often preferred in order to retain all details.

OK, so what is the question?

James.
Re: [clamav-users] Version 0.98.3 fails on Solaris
On Tue, May 13, 2014 at 01:04 AM, James Lee wrote:
>
> (Please don't top post.)

Please leave moderation functions to the moderators. There could possibly be a rule preventing it, but I'm unaware of any and there are examples in this thread of Sourcefire contributors top posting. For technical lists, it's often preferred in order to retain all details.

-Al-
--
Al Varnell
Mountain View, CA
Re: [clamav-users] FP-Report: Email.Trojan-417
On Tue, May 13, 2014 8:27 am, Julian Hansmann wrote:
> Regardless of its content (even if it's empty) a mail which has a file
> with the suffix ".JPG.zip" (case sensitive) attached will be detected as
> "Email.Trojan-417".

Hi Julian,

I'm guessing the original official signature was to catch something like this:

http://techhelplist.com/index.php/spam-list/421-do-you-think-i-m-attractive-virus

You can whitelist in your setup, while you wait for an official response:

  printf "Email.Trojan-417" > ignore.ign2
  copy the ignore.ign2 file into your clamav database directory
  restart clamd

Cheers,

Steve
Sanesecurity
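The whitelist procedure Steve describes, written out as an added example (not his script and not ClamAV project code): an .ign2 file lists signature names one per line, so the helper appends the name only if it is not already there and always newline-terminates it; the database directory, the file name ignore.ign2 and the use of `clamdscan --reload` instead of a service restart are assumptions of this example.

```shell
#!/bin/sh
# Added example: suppress one ClamAV signature by name through an .ign2 file.
# Not from the thread or from ClamAV; DB_DIR and the file name are assumed.

# add_ignore NAME IGN_FILE -> append NAME to IGN_FILE unless already listed.
# Returns 0 when added, 2 when the name was already present.
add_ignore() {
    name="$1"; ign="$2"
    [ -f "$ign" ] || : > "$ign"
    # whole-line, fixed-string match: "Email.Trojan-41" must not be mistaken
    # for "Email.Trojan-417", which would silently skip the real entry
    if grep -qxF "$name" "$ign"; then
        return 2
    fi
    printf '%s\n' "$name" >> "$ign"   # newline-terminated, unlike a bare printf
}

# count_ignored IGN_FILE -> number of non-blank entries currently whitelisted
count_ignored() {
    grep -c '^[^[:space:]]' "$1" || true
}

# reload_db -> ask a running clamd to re-read its database directory, which is
# where the .ign2 file must live. Falls back to a message when clamdscan is
# absent so the script still runs on a host without ClamAV installed.
reload_db() {
    if command -v clamdscan >/dev/null 2>&1; then
        clamdscan --reload
    else
        echo "clamdscan not found; restart clamd by hand" >&2
    fi
}

# Usage (assumed database directory):
# DB_DIR=/var/lib/clamav
# add_ignore Email.Trojan-417 "$DB_DIR/ignore.ign2" && reload_db
```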
Re: [clamav-users] Version 0.98.3 fails on Solaris
On 12/05/2014 21:33, Lawrence K. Chen, P.Eng. wrote:
> So, what's the definitive answer.

To what question? (Please don't top post.)

The OP's question relating to "Can't allocate memory" has been answered.

James.
Re: [clamav-users] FP-Report: Email.Trojan-417
Julian,

Looking at the signature, I see your point, but it must also contain:

> Content-Transfer-Encoding: base64
> Content-Disposition: attachment

That would seem to be a given for almost any attachment, as well. I have no idea what the actual sample was, but there must be something much more unique that could have been used. Looks to have been added to the database on 2012-12-13 (daily: 15772).

-Al-

On Tue, May 13, 2014 at 12:27 AM, Julian Hansmann wrote:
>
> Dear ClamAV-Users and Developers,
>
> some time ago I reported a FP on the homepage on ClamAV. Unfortunately
> I haven't received a response nor has the signature in question been
> removed from the official database. So I'd like to ask what else can I
> do to get this fixed?
>
> This is the FP in question:
>
> Regardless of its content (even if it's empty) a mail which has a file
> with the suffix ".JPG.zip" (case sensitive) attached will be detected
> as "Email.Trojan-417".
>
> Since this can be easily reproduced I won't include a sample to avoid
> further FPs.
[clamav-users] FP-Report: Email.Trojan-417
Dear ClamAV-Users and Developers,

some time ago I reported a FP on the homepage on ClamAV. Unfortunately I haven't received a response nor has the signature in question been removed from the official database. So I'd like to ask what else can I do to get this fixed?

This is the FP in question:

Regardless of its content (even if it's empty) a mail which has a file with the suffix ".JPG.zip" (case sensitive) attached will be detected as "Email.Trojan-417".

Since this can be easily reproduced I won't include a sample to avoid further FPs.

Kind regards,
--
Julian Hansmann
1&1 Mail & Media GmbH
Mail Application Security