Re: [clamav-users] Blocking malicious URLs in a local database

2015-03-30 Thread TR Shaw

your.local.ndb file:
"signame.1:4:*:" . bin2hex("http://bad.domain.com/path") . "\n";
"signame.2:5:*:" . bin2hex("http://bad.domain.com/path") . "\n";

On Mar 30, 2015, at 2:34 PM, Dave McMurtrie  wrote:

> Hi,
> 
> Hopefully someone here can steer me in the right direction.  I'm looking for 
> a simple way to be able to create a local signature such that when we become 
> aware of a phishing message targeting our users that contains a malicious 
> URL, I can quickly respond by configuring ClamAV to identify them so we can 
> block them.
> 
> After reading the phishsigs_howto, it looks like adding entries to a 
> local.gdb file would accomplish what I want, but thus far that isn't working 
> for me.  I'm fairly certain that I have the format correct because clamdscan 
> is properly detecting messages with URLs that I put in my local.gdb file.  
> However, clamd is not detecting the URLs when our milter code connects to the 
> clamd socket.  The difference seems to be whether it's in the context of 
> scanning a file or a mail message, since debug output shows me that it's 
> taking a different code path.  I posted to the list earlier with more 
> specific questions about this, but never did track it down.
> 
> My questions:
> 
> 1) Is the local.gdb file even intended for this purpose?
> 
> 2) Is there a better way to accomplish this?
> 
> Thanks!
> 
> Dave
> ___
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml

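To build local .ndb URL signatures of the kind suggested above and sanity-check them before loading them into clamd, here is an added Python example; it is not from the thread or from the ClamAV project. The signature names, the target codes 0 (any file) and 4 (mail file), the constructed sample mail parts and the plain byte-substring check are this example's own assumptions, not ClamAV's matcher.

```python
import binascii
import re

# One .ndb line is SigName:TargetType:Offset:HexSignature (ClamAV's extended
# signature format); the hex body is the URL's bytes, the PHP bin2hex step above.
NDB_LINE = re.compile(r'^([A-Za-z0-9._-]+):(\d+):(\*|\d+):([0-9a-fA-F]+)$')

# ClamAV numeric target types used here: 0 = any file, 4 = mail file.
TARGET_ANY = 0
TARGET_MAIL = 4

def make_ndb_sig(name, url, target=TARGET_ANY, offset='*'):
    """Build one .ndb line for url; the name is restricted to a safe charset here."""
    if not url or not re.fullmatch(r'[A-Za-z0-9._-]+', name):
        raise ValueError('bad signature name or empty URL')
    hexbody = binascii.hexlify(url.encode('utf-8')).decode('ascii')
    return f'{name}:{target}:{offset}:{hexbody}'

def parse_ndb_sig(line):
    """Split a .ndb line into (name, target, offset, needle bytes) or raise."""
    m = NDB_LINE.match(line.strip())
    if not m:
        raise ValueError(f'malformed .ndb line: {line!r}')
    name, target, offset, hexbody = m.groups()
    return name, int(target), offset, binascii.unhexlify(hexbody)

def is_valid_ndb_line(line):
    """True if the line parses; useful for checking a hand-edited file before reload."""
    try:
        parse_ndb_sig(line)
        return True
    except ValueError:  # binascii.Error (odd-length hex) is a ValueError too
        return False

def ndb_matches(line, data):
    """Return the signature name if its bytes occur in data (at offset, or anywhere
    for '*'). A plain substring check to sanity-test a local signature offline:
    not ClamAV's matcher, no MIME decoding, so pass the decoded part clamd sees."""
    name, _target, offset, needle = parse_ndb_sig(line)
    if offset == '*':
        return name if needle in data else None
    start = int(offset)
    return name if data[start:start + len(needle)] == needle else None

# Constructed sample mail parts (not from the thread): the decoded text body, and
# the same body in raw quoted-printable where a soft break "=\r\n" splits the URL,
# so an exact-byte signature only fires once the part has been decoded.
DECODED_PART = b'Please verify your account at http://bad.domain.com/path today.\r\n'
RAW_QP_PART = b'Please verify your account at http://bad.domain.co=\r\nm/path today.\r\n'
```

The quoted-printable sample is the reason to test against decoded content: a URL split by a soft line break in the raw message does not contain the signature bytes.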


[clamav-users] Blocking malicious URLs in a local database

2015-03-30 Thread Dave McMurtrie
Hi,

Hopefully someone here can steer me in the right direction.  I'm looking for a 
simple way to be able to create a local signature such that when we become 
aware of a phishing message targeting our users that contains a malicious URL, 
I can quickly respond by configuring ClamAV to identify them so we can block 
them.

After reading the phishsigs_howto, it looks like adding entries to a local.gdb 
file would accomplish what I want, but thus far that isn't working for me.  I'm 
fairly certain that I have the format correct because clamdscan is properly 
detecting messages with URLs that I put in my local.gdb file.  However, clamd 
is not detecting the URLs when our milter code connects to the clamd socket.  
The difference seems to be whether it's in the context of scanning a file or a 
mail message, since debug output shows me that it's taking a different code 
path.  I posted to the list earlier with more specific questions about this, 
but never did track it down.

My questions:

1) Is the local.gdb file even intended for this purpose?

2) Is there a better way to accomplish this?

Thanks!

Dave


Re: [clamav-users] Debian packaging

2015-03-30 Thread Scott Kitterman
On Monday, March 30, 2015 06:37:52 PM Torge Husfeldt wrote:
> Hi,
> 
> sorry to warm up this _really_old_ topic.
> 
> On 11.02.2014 at 17:23, Jim Popovitch wrote:
> > On Tue, Feb 11, 2014 at 11:06 AM, Andrew Kelly  wrote:
> >> Nearly mid February 2014 now. 0.98.1 has been available for a
> >> month already, and Debian is still stuck at 0.97.8.
> 
> And one more year and one more security-related fix later still no solution.
> > Welcome to Debian. ;-)  If you want bleeding edge, don't use Debian
> > Stable (use Debian Testing)
> 
> In this light, it looks like "LTS" is a joke, too.
> 
> I had to emergency-disable archive-scanning more than a month ago and
> still have no solution.
> Looks like, if I want to continue to protect ~10M domains in Shared
> Hosting using clamav I will have to ask my employer to provide a
> debian-lts-maintainer for it ...

The Debian LTS is mostly managed by a small subset of Debian people that have 
decided to focus on it.  They have published clamav updates, but are no doubt 
looking for help.  See https://wiki.debian.org/LTS/Development .

For releases supported by the Debian project, here's what's available right 
now:

 clamav | 0.98.5+dfsg-0+deb7u2 | wheezy
 clamav | 0.98.6+dfsg-0+deb7u1 | wheezy-p-u
 clamav | 0.98.6+dfsg-0+deb7u1 | wheezy-updates
 clamav | 0.98.6+dfsg-1        | jessie
 clamav | 0.98.6+dfsg-1        | sid

(for those not up to speed on Debian specifics, what that means is the most 
current clamav release is available for all supported Debian releases)

Scott K


Re: [clamav-users] Debian packaging

2015-03-30 Thread Torge Husfeldt
Hi,

sorry to warm up this _really_old_ topic.

On 11.02.2014 at 17:23, Jim Popovitch wrote:
> On Tue, Feb 11, 2014 at 11:06 AM, Andrew Kelly  wrote:
>>
>> Nearly mid February 2014 now. 0.98.1 has been available for a
>> month already, and Debian is still stuck at 0.97.8.

And one more year and one more security-related fix later still no solution.

> 
> Welcome to Debian. ;-)  If you want bleeding edge, don't use Debian
> Stable (use Debian Testing)

In this light, it looks like "LTS" is a joke, too.

I had to emergency-disable archive-scanning more than a month ago and
still have no solution.
Looks like, if I want to continue to protect ~10M domains in Shared
Hosting using clamav I will have to ask my employer to provide a
debian-lts-maintainer for it ...

> 
>> Is there any kind of formal statement from the package maintainer,
>> or is this simply an orphaned project?
> 
> The Debian ClamAV Team *is* working on testing/packaging.  The process
> generally involves first solving Debian specific issues, as they
> relate to ClamAV, in Debian Unstable and Testing.
> 
> You can see that 0.98.1 is already in Testing and UnStable here:
> http://packages.qa.debian.org/c/clamav.html
> 
> On that page, you can view "todo" at the top middle to see the current
> outstanding build/packaging issues.
> 
> hth,
> 
> -Jim P.

Sorry for my rambling.

-- 
Torge Husfeldt

Senior Anti-Abuse Engineer
Abuse-Department 1&1 International

1&1 Internet Service GmbH | Brauerstraße 50 | 76135 Karlsruhe | Germany
Phone: +49 721 91374-4795
E-Mail: torge.husfe...@1und1.de | Web: www.1und1.de

Headquarters Montabaur, Montabaur District Court, HRB 20141

Managing Directors: Frank Einhellinger, Uwe Lamnek, Jan Oetjen


Member of United Internet

This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient of this e-mail, you are hereby
notified that saving, distribution or use of the content of this e-mail
in any way is prohibited. If you have received this e-mail in error,
please notify the sender and delete the e-mail.


Re: [clamav-users] ClamXav and Compressed Files

2015-03-30 Thread Steven Morgan
Al,

Could you please open a ticket at bugzilla.clamav.net and attach your
EicarTest.dmg and also the command used to create it? We'll take a look at
what's going on.

Thanks,
Steve

On Sat, Mar 28, 2015 at 6:21 PM, Al Varnell  wrote:

> I sent this out last night, but it must have been rejected for length or
> something, so I’ll remove the lengthy results of the third test and quotes
> to see if that works.
>
> -Al-
> ==
> I ran some tests after my last posting to answer just this question, but
> results were mixed so I was waiting for an authoritative answer.  Since we
> haven’t heard yet, I’ll post my results.
>
> First I made my own .dmg with an eicar test file on-board.  Running
> clamscan --debug on the file did not detect any infection nor did it
> identify the file as a DMG:
>
> > LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
> > LibClamAV debug: Recognized binary data
> > LibClamAV debug: cache_check: ff8fdbcdb89e9474452237677b5f09e9 is negative
> > LibClamAV debug: in cli_check_mydoom_log()
> > LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> > LibClamAV debug: cli_magic_scandesc: returning 0  at line 2470
> > LibClamAV debug: cache_add: ff8fdbcdb89e9474452237677b5f09e9 (level 0)
> > /Volumes/Macintosh HD/Users/avarnell/Documents/EicarTest.dmg: OK
> > LibClamAV debug: Cleaning up phishcheck
> > LibClamAV debug: Freeing phishcheck struct
> > LibClamAV debug: Phishcheck cleaned up
> >
> > --- SCAN SUMMARY ---
> > Known viruses: 3778735
> > Engine version: 0.98.6
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 0
> > Data scanned: 7.62 MB
> > Data read: 7.55 MB (ratio 1.01:1)
> > Time: 7.553 sec (0 m 7 s)
>
> When I mounted the EicarTest.dmg ClamXav Sentry (real-time process using
> clamd) caught it immediately.
> ===
> Next I scanned download.dmg which was known to contain the FkCodec
> adware.  It detected the hash value as expected and also matched three ZIP
> segments and the DMG container:
>
> > LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
> > LibClamAV debug: Recognized binary data
> > LibClamAV debug: cache_check: b4ece10d1e706b87b065523a654d48a7 is negative
> > LibClamAV debug: in cli_check_mydoom_log()
> > LibClamAV debug: Matched signature for file type ZIP-SFX at 376602
> > LibClamAV debug: Matched signature for file type ZIP-SFX at 407295
> > LibClamAV debug: Matched signature for file type ZIP-SFX at 563034
> > LibClamAV debug: Matched signature for file type DMG container file at 626691
> > LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> > LibClamAV debug: Adware.OSX found
> > LibClamAV debug: FP SIGNATURE: b4ece10d1e706b87b065523a654d48a7:627203:Adware.OSX
> > LibClamAV debug: cli_magic_scandesc: returning 1  at line 2470
> > /Users/avarnell/Desktop/•Download/Malware/FkCodec-A/download.dmg: Adware.OSX FOUND
> > LibClamAV debug: Cleaning up phishcheck
> > LibClamAV debug: Freeing phishcheck struct
> > LibClamAV debug: Phishcheck cleaned up
> >
> > --- SCAN SUMMARY ---
> > Known viruses: 3778290
> > Engine version: 0.98.6
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 1
> > Data scanned: 0.60 MB
> > Data read: 0.60 MB (ratio 1.01:1)
> > Time: 7.419 sec (0 m 7 s)
>
> When I mounted the download.dmg Sentry caught Codec-M
> Installer.app/Contents/MacOS/Installer: Osx.Trojan.Fakecodecs-1 immediately.
> =
> Last I scanned CleanApp 4.0.8 Mac 中文版.dmg which was known to contain the
> Machook or WireLurker malware.  I also knew that an unofficial hash
> signature was available only to ClamXav users.  It detects the hash value
> as expected but also was able to decompose 13 segments each with several
> sections.
>
> > results available on request.
>
> When mounting CleanApp 4.0.8 Mac 中文版.dmg Sentry located:
> /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/MacOS/CleanApp:
> OSX.MacHook/WireLurker.UNOFFICIAL FOUND
> /Volumes/CleanApp 4.0.8 Mac
> 中文版/CleanApp.app/Contents/Resources/FontMap1.cfg:
> OSX.MacHook/WireLurker.A.UNOFFICIAL FOUND
> /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/Resources/start.sh:
> OSX.MacHook/WireLurker.UNOFFICIAL FOUND
> ==
> So three somewhat different results for the three .dmg files leads me to
> believe that bursting is possible, but no evidence of being able to detect
> infected files within a .dmg container.
>
> -Al-

Re: [clamav-users] ClamXav and Compressed Files

2015-03-30 Thread Joel Esler (jesler)

On Mar 29, 2015, at 7:57 AM, Dennis Peterson wrote:

> On 3/29/15 4:55 AM, TR Shaw wrote:
>> On Mar 29, 2015, at 1:45 AM, Dennis Peterson wrote:
>>> On 3/28/15 10:43 PM, Jinwon Lee wrote:
>>>> Thanks for that.  I guess ‘Hash Value’ refers to the ClamAV identifying the
>>>> .dmg as a known file that contains virus/es.
>>>>
>>>> Jinwon
>>>
>>> That was the case too for password protected zip files. If you can't burst the
>>> contents you condemn the wrapper.
>>
>> Not entirely complete as you can tell ClamAV to mark encrypted zip and rar's as
>> viruses without having a "sig".
>
> Many milters will do the same without invoking clamav, so that's of limited
> value.

A feature is a feature to someone.  Not everyone finds it useful, but for the 
10 people that do, it’s the most important thing to them.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group