Re: [clamav-users] What does TargetType 10 for a signature mean ?

2016-02-29 Thread Steven Morgan
Hi,

Could you please open a bug report at bugzilla.clamav.net? Please attach
the sample(s) and signature(s) that you are using.

I'd like to make sure this is tracked for investigation and possible code
and documentation improvements. Sounds like there are some things to sort
out here...

Thanks,
Steve

On Sun, Feb 28, 2016 at 9:20 AM, David Shrimpton 
wrote:

> Hi,
>
> I wrote a signature against one of the temporary files clamav
> pulled out of a pdf when --scan-pdf=yes.
>
> (The signature does not hit when --scan-pdf=no.)
>
> If the signature is TargetType 10 = PDF it was not hit.
>
> If it was type 0 = any file, it was hit.   But it would also be hit
> by other files not related to the pdf  eg text or html,
> which I don't want.  I only want to match
> files pulled out of a pdf by --scan-pdf.
>
> (clamav --debug reports the file from the pdf as ascii, but Target Type 7
> for normalized ascii file does not work.)
>
> This is similar confusion to what type 2 means.
>
> signatures.pdf says type 2 is file inside an OLE2 container but it actually
> appears to denote an OLE2 container itself and not a file inside one
> unless that file is itself an OLE2 container.
>
> It seems to me that having additional types may be helpful: eg any file
> inside an OLE2  or any 'file' inside a pdf in addition to type 2 and 10.
>
>
> PS it appears -z does not work when there is a hit on a 'file' inside a
> PDF.  Other signatures that match the pdf itself are not reported as being
> hit.  This is a similar problem to -z not working when there are hits on
> macros
> inside OLE2 or a hit on Heuristics.OLE2.ContainsMacros.
>
> --
> David Shrimpton
> ___
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>


Re: [clamav-users] Add virus databases and signatures from third-party vendors

2016-02-29 Thread Walter H.

On 29.02.2016 10:46, Groach wrote:

> On 29/02/2016 10:14, Al Varnell wrote:
>
>> On Sun, Feb 28, 2016 at 05:26 AM, Theodore Alcapotaxis wrote:
>>
>>> It's industry practice that a third-party vendor, e.g. Symantec,
>>> discovers a new virus, it has to share it with other vendors such as
>>> Eset, Kaspersky, McAfee…
>>
>> Yes, it is Industry practice to share malware samples when doing so
>> is in both vendors' mutual interest, but some are better than others
>> and Symantec is one I've heard is on the stingy side.  There is
>> nothing that says they have to share.  For instance, Symantec doesn't
>> participate in VirusTotal.  But that's not really the point.  Samples
>> are a totally different ball game from signatures.  They are found
>> in-the-wild, making them public property not really belonging to the
>> vendor that happens to find them.
>>
>> But turning those samples into a signature requires an expenditure on
>> the part of the vendor so those signatures along with the code that
>> allows them to be used for scanning is protected by intellectual
>> property and copyright laws.  As far as I know, ClamAV is the only
>> vendor to publicly release its signature formats:
>> .
>> And I'm totally unaware of any of the other vendors sharing their
>> signature databases.
>>
>> -Al-
>
> And I will also add this thought to reinforce the point
>
> Why would Symantec, Kaspersky, McAfee etc spend thousands on systems
> and employing staff to identify and create signatures just to release
> them for users to get then use them for free by using them with Clam
> (thus avoiding the need to buy their product)?
>
> NO antivirus vendor "has to share" anything.  "Choosing" to and
> "having" to are totally different things.


when I look at the last few mails of signature database updates then 
there is something quite strange ...

and I would ask if it is only me that sees it like this:

e.g.

Submission-ID: xx
Sender: IKARUS Security Software GmbH
Submission notes: Same as in Submission-ID x
Added: No

or

Submission-ID: xxx
Sender: Virus Total
Sender: Anonymous
Sender: IKARUS Security Software GmbH
Added: any name

whenever I see IKARUS Security Software GmbH as the only sender of the 
submission
it is not added because it was done before,
but when I see this company together with other senders it is added;
this looks quite strange to me;

IKARUS Security Software GmbH is a vendor of Anti-Virus software in Austria;
and they provide the so-called T3scan
http://updates.ikarus.at/updates/update.html
for free;
but you can also have an Anti-Virus software from this company
like the one from Kaspersky, McAfee (now Intel), ...
as payware; this has been my Anti-Virus for the last 10 years;

IKARUS was the first company in the whole world that offered
Anti-Virus software ...
the first releases go back to the early 1990s




[clamav-users] LogClean yes

2016-02-29 Thread Ian Eiloart
Hi,

I’ve just switched from using sockets to using TCP, so that I can make 
Exim/ClamAV more resilient. The idea is that when Exim has access denied 
because clamd is re-reading the database, it can select another clam server.

When testing the new service, I noticed that "LogClean yes" doesn’t seem to 
have any effect. Is that expected?

If so, could we get a note in the default config to say so? Or even a fix, so 
that "LogClean yes" works.

If not, what might I be doing wrong?

It is logging FOUND malware, but I don’t get much of that on my MSA service, so 
I had to watch the logs for quite a while before I could convince myself that 
the new service was actually working.

-- 
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148


Re: [clamav-users] heuristic-scan-precedence is broken

2016-02-29 Thread Steven Morgan
David,

Thanks for your report. Tracking here:

https://bugzilla.clamav.net/show_bug.cgi?id=11512

Steve


On Sun, Feb 28, 2016 at 6:10 AM, David Shrimpton 
wrote:

> Hi,
>
> --heuristic-scan-precedence=no is broken in clamav-0.99
>
> eg  create a test encrypted zip /tmp/abcdef.zip
>
> clamscan -z --database=/tmp/test.ndb  --block-encrypted=yes /tmp/abcdef.zip
> /tmp/abcdef.zip: Heuristics.Encrypted.Zip FOUND
>
> clamscan -z --database=/tmp/test.ndb --block-encrypted=no /tmp/abcdef.zip
> /tmp/abcdef.zip: testsig.1.UNOFFICIAL FOUND
> /tmp/abcdef.zip: testsig.1.UNOFFICIAL FOUND
>
> clamscan -z --database=/tmp/test.ndb --block-encrypted=yes
> --heuristic-scan-precedence=no /tmp/abcdef.zip
> /tmp/abcdef.zip: Heuristics.Encrypted.Zip FOUND
>
>
>
> With --heuristic-scan-precedence=no  testsig.1.UNOFFICIAL should have been
> returned and not Heuristics.Encrypted.Zip .
>
> With -z --heuristic-scan-precedence=no , both testsig.1.UNOFFICIAL
> and Heuristics.Encrypted.Zip should have been returned.
>
> This is same problem as occurs with clamdscan and OLE2BlockMacros yes.
> Heuristics.OLE2.ContainsMacros gets returned and not any real sigs that
> also might match.
>
> I suspect --heuristic-scan-precedence=no might not work for any heuristic
> detection.
>
> If heuristic-scan-precedence=no worked, you could parse the returned
> virus name and treat files that only matched a Heuristics sig (eg
> pdf or encrypted zip or ole2 with macros) differently to files that matched
> a real sig, eg do logging only instead of discarding.
>
> --
> David Shrimpton
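The triage David describes in the quoted report (treat a file that matched only a Heuristics.* name differently from one that matched a real signature) can be done on the clamscan output itself, given the `path: NAME FOUND` lines. The Python below is an added example, not code from the thread or from the ClamAV project. It assumes clamscan was run with -z (allmatch) so that every match for a file is reported, and the sample output is constructed from the lines quoted above plus an OK line and an ERROR line. If the precedence/allmatch problem David reports is present, the scanner emits only the heuristic line, the parser sees a heuristic-only hit and chooses the weaker action, which is exactly why the bug matters for any policy of this kind.

```python
import re
from collections import defaultdict

# Constructed clamscan output (not a real capture): the two /tmp/abcdef.zip
# lines are the ones quoted in the report, the rest are made up for the example.
SAMPLE_OUTPUT = """\
/tmp/abcdef.zip: Heuristics.Encrypted.Zip FOUND
/tmp/abcdef.zip: testsig.1.UNOFFICIAL FOUND
/tmp/macros.doc: Heuristics.OLE2.ContainsMacros FOUND
/tmp/clean.txt: OK
/tmp/locked.bin: Can't open file or directory ERROR

----------- SCAN SUMMARY -----------
Infected files: 2
"""

# clamscan prints one "<path>: <name> FOUND" line per match; with -z a file
# can produce several such lines. Errors end in " ERROR".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<name>\S+) FOUND$")
ERROR_RE = re.compile(r"^(?P<path>.+?): .* ERROR$")


def parse_clamscan(output):
    """Return ({path: [detection names in order]}, [paths that errored])."""
    hits = defaultdict(list)
    errors = []
    for line in output.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits[m.group("path")].append(m.group("name"))
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append(m.group("path"))
    return dict(hits), errors


def is_heuristic(name):
    # ClamAV's built-in heuristic detections (encrypted archives, OLE2 macros,
    # PDF heuristics, ...) are all named under the Heuristics. prefix.
    return name.startswith("Heuristics.")


def decide(names):
    """Policy from the report: 'log' if only heuristics matched, 'discard' if any
    real signature matched, 'pass' if nothing matched at all."""
    if not names:
        return "pass"
    if all(is_heuristic(n) for n in names):
        return "log"
    return "discard"


def triage(output):
    """Map every file that was reported (hit or error) to the action to take.
    Files that scanned clean are not listed. Errors get their own action so a
    file the scanner could not open is never silently treated as clean."""
    hits, errors = parse_clamscan(output)
    decisions = {path: decide(names) for path, names in hits.items()}
    for path in errors:
        decisions[path] = "error"
    return decisions


if __name__ == "__main__":
    for path, action in triage(SAMPLE_OUTPUT).items():
        print(f"{action:8} {path}")
```

The decision is made per file over all of its FOUND lines, so it is only as good as allmatch: with the behaviour described in the report, /tmp/abcdef.zip would arrive with a single Heuristics.Encrypted.Zip line and be logged rather than discarded even though testsig.1.UNOFFICIAL also matches.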


Re: [clamav-users] Add virus databases and signatures from third-party vendors

2016-02-29 Thread Joel Esler (jesler)

--
Joel Esler
Manager, Talos Group




On Feb 28, 2016, at 8:26 AM, Theodore Alcapotaxis wrote:

> --- alvarn...@mac.com wrote:
>
> From: Al Varnell
> To: ClamAV users ML
> Subject: Re: [clamav-users] Add virus databases and signatures from third-party vendors
> Date: Sat, 27 Feb 2016 23:58:15 -0800
>
>> I can't imagine why the competition would ever be willing to share their
>> signature databases with anybody.
>
> It's industry practice that a third-party vendor, e.g. Symantec, discovers a
> new virus, it has to share it with other vendors such as Eset, Kaspersky, McAfee…

We share with others, and lots of people share with us.  But we do not exchange
Definitions.

>> Why would a user invest in a commercial A-V software package if they could get
>> the same scanning protection for free?
>
> I disagree. Scan engines differ by vendor. Annually at ZDnet there's a rundown
> of which antivirus and malware software offers the best protection such as the
> ability to detect and clean the most number of viruses, trojans and malware,
> the fastest scan, etc.

Re: [clamav-users] Add virus databases and signatures from third-party vendors

2016-02-29 Thread Al Varnell
On Sun, Feb 28, 2016 at 05:26 AM, Theodore Alcapotaxis wrote:
> 
> It's industry practice that a third-party vendor, e.g. Symantec, discovers a 
> new virus, it has to share it with other vendors such as Eset, Kaspersky, 
> McAfee…

Yes, it is Industry practice to share malware samples when doing so is in both 
vendors' mutual interest, but some are better than others and Symantec is one 
I've heard is on the stingy side.  There is nothing that says they have to 
share.  For instance, Symantec doesn't participate in VirusTotal.  But that's 
not really the point.  Samples are a totally different ball game from 
signatures.  They are found in-the-wild, making them public property not really 
belonging to the vendor that happens to find them.  

But turning those samples into a signature requires an expenditure on the part 
of the vendor so those signatures along with the code that allows them to be 
used for scanning is protected by intellectual property and copyright laws.  As 
far as I know, ClamAV is the only vendor to publicly release its signature 
formats: 
.  
And I'm totally unaware of any of the other vendors sharing their signature 
databases.


-Al-
-- 
Al Varnell
Mountain View, CA
