Re: [clamav-users] Signature update timeliness

2017-05-05 Thread Al Varnell
On Fri, May 05, 2017 at 10:14 AM, Mark Foley wrote:
> I have a question about the timeliness of signature updates. I am running a
> clamav-milter to check email when received by the MDA -- this rarely finds
> anything. I also have clamscan running multiple times a day checking all the
> Maildir folders. 
> 
> Yesterday, the Maildir folder scan found Js.Downloader.Nemucod.  But, this
> message was received on April 26th -- 8 days before the malware was detected
> by clamscan.  Doing a quick Google search, I find that the JS.Nemucod trojan has
> been around since at least December 2015. 

In various forms, but obviously with a variety of signatures.

> So, was the clamav signature for this malware just added to the list on May 4th?

Without the complete signature name, I can't give you a definitive answer, but 
signatures that start with Js.Downloader.Nemucod. were added on the following 
dates:
Mar 29 Fourteen Js.Downloader.Nemucod-61720xx-x added
Apr 3 Js.Downloader.Nemucod-6198135-0
Apr 5 Js.Downloader.Nemucod-6210215-0
Apr 7 Js.Downloader.Nemucod-6210215-1 dropped: Js.Downloader.Nemucod-6210215-0
Apr 26 Js.Downloader.Nemucod-6297599-0
May 3 Js.Downloader.Nemucod-6305809-0

> If so, why does it take so long to include a malware that's been around for
> years? If it was added earlier, why did clamscan not find it for 8 days?
> Mutation?

Probably because nobody had submitted a sample of it to ClamAV for several days.

-Al-





___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

[clamav-users] Signature update timeliness

2017-05-05 Thread Mark Foley
I have a question about the timeliness of signature updates. I am running a
clamav-milter to check email when received by the MDA -- this rarely finds
anything. I also have clamscan running multiple times a day checking all the
Maildir folders. 

Yesterday, the Maildir folder scan found Js.Downloader.Nemucod.  But, this
message was received on April 26th -- 8 days before the malware was detected by
clamscan.  Doing a quick Google search, I find that the JS.Nemucod trojan has
been around since at least December 2015. 

So, was the clamav signature for this malware just added to the list on May 4th?
If so, why does it take so long to include a malware that's been around for
years? If it was added earlier, why did clamscan not find it for 8 days?
Mutation?

--Mark


Re: [clamav-users] Artificial Intelligence Based Anti-Virus

2017-05-05 Thread Matthew Molyett
Heuristic signatures, such as Js.File.MaliciousHeuristic-6249621-1,
signature on likely malicious traits but are not tight enough to associate
with a given family or could be more FP prone.

Consider: *Js.File.MaliciousHeuristic-6249621-1*

Js.File.MaliciousHeuristic-6249621-1;Engine:51-255,Target:7;0>1&1>5&2;6576616c28;66756e6374696f6e20;2772272b2765272b2770272b276c272b2761272b2763272b276527
VIRUS NAME: Js.File.MaliciousHeuristic-6249621-1
TDB: Engine:51-255,Target:7
LOGICAL EXPRESSION: 0>1&1>5&2
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
eval(
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
function
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
'r'+'е'+'p'+'l'+'a'+'c'+'e'

This hits on any normalized text file that contains "eval(" and "function",
which helps make it likely that the file is .JS which will treat a
deobfuscated string variable as executable javascript.
The Malicious heuristic part is looking for at least 5 "function"s and
looking for "'r'+'е'+'p'+'l'+'a'+'c'+'e'".

This is attempting to identify JavaScript code that is using
concatenation as a step in string based code obfuscation to defeat
signature based detection. Note that there is nothing *inherently* malicious
about this signature. No network IOCs and no evil code, but based on
previously observed JavaScript files and typical coding patterns there is a
high likelihood that the obfuscation is indicative of malicious intent.

In general, Clam AV provides static signature detection, which does contain
some static signatures that fire on things that are probably malicious and
are denoted with Heuristic in the name. True, runtime calculated,
probabilistic heuristic signatures are possible, in a limited way, through
the Clam AV bytecode engine, although the potential of the bytecode engine
has not been widely utilized in the current official signature set.

On Fri, May 5, 2017 at 5:45 AM, Al Varnell  wrote:

> On Fri, May 05, 2017 at 02:17 AM, crazy thinker wrote:
> > @AI Varnell
> > Does Clam AV provide Heuristics signatures in their official db?
>
> There's a heuristics engine that uses data from the .pdb and .sfp sections
> of the database to detect messages from selected financial institutions
> that appear to be phishing attempts.
>
> Recently there have been a variety of additional signatures that contain
> "Heuristic" in the infection name, but it isn't clear why they are so
> labeled.
>
> > I heard
> > that clamAV uses md5, sha1, sha256 based virus signatures in their
> > database?
>
> Among others. If you are interested in knowing about all the other types
> you should read signatures.pdf.
>
> -Al-


PS: Sharp eyed readers may have noticed the Unicode homoglyphs being used
in the decoded signature and discussion. That was done to prevent the text
of these emails from becoming a FP under the signature I was discussing.

-- 

Matthew Molyett
Malware Researcher

mmoly...@cisco.com
Phone:  (410) 309-4834
Mobile: (410) 674-2049

Cisco.com - http://www.cisco.com

This email may contain confidential and privileged material for the sole
use of the intended recipient. Any review, use, distribution or disclosure
by others is strictly prohibited. If you are not the intended recipient (or
authorized to receive for the recipient), please contact the sender by
reply email and delete all copies of this message.

For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html
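The signature Matthew dissects above has the standard ClamAV logical-signature (.ldb) layout: name, target description block, logical expression, then hex-encoded subsignatures. The following Python is an added example written for this thread, not code from ClamAV or from Matthew, that parses that exact line, decodes the subsignatures, counts how often each occurs in a buffer and evaluates the expression 0>1&1>5&2. It is a deliberately simplified evaluator: plain hex subsignatures only, the comparison operators <, >, = on match counts, plus &, | and parentheses. ClamAV's wildcards, offsets, sigmods, the ',' uniqueness operator and the Engine/Target restrictions are not implemented (the TDB is parsed but not enforced). The two sample inputs are constructed, and the concatenated string is assembled at runtime from its letters so that the source file does not itself contain the pattern, the same concern Matthew's PS raises.

```python
"""Simplified evaluator for a ClamAV logical (.ldb) signature line.

Added example for this thread; hypothetical code, not ClamAV's matcher.
Supported: plain hex subsignatures, a logical expression built from subsig
ids, match-count comparisons (id>n, id<n, id=n), '&', '|' and parentheses.
Not supported: ClamAV wildcards, offsets, sigmods, the ',' uniqueness
operator, and the Engine/Target restrictions in the TDB (parsed, not enforced).
"""
import re

# The .ldb line quoted in the message above (taken from the thread, not constructed).
LDB_LINE = ("Js.File.MaliciousHeuristic-6249621-1;Engine:51-255,Target:7;"
            "0>1&1>5&2;6576616c28;66756e6374696f6e20;"
            "2772272b2765272b2770272b276c272b2761272b2763272b276527")

_TOKEN = re.compile(r"\d+|[&|()<>=]")


def parse_ldb(line):
    """Split an .ldb line into name, target description block, expression and subsig bytes."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("an .ldb line needs name;tdb;expression;subsig...")
    name, tdb, expr = fields[0], fields[1], fields[2]
    tdb_dict = dict(item.split(":", 1) for item in tdb.split(","))
    return {"name": name, "tdb": tdb_dict, "expr": expr,
            "subsigs": [bytes.fromhex(h) for h in fields[3:]]}


def evaluate(expr, counts):
    """Evaluate a logical expression against per-subsig match counts.

    Grammar (simplified):  or_expr  := and_expr ('|' and_expr)*
                           and_expr := term ('&' term)*
                           term     := '(' or_expr ')' | ID [('<'|'>'|'=') NUM]
    A bare ID is true when that subsig matched at least once.
    """
    tokens = _TOKEN.findall(expr)
    if "".join(tokens) != expr:
        raise ValueError("unsupported characters in expression: %r" % expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        pos += 1
        return tokens[pos - 1]

    def term():
        tok = take()
        if tok == "(":
            val = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return val
        sid = int(tok)
        if sid >= len(counts):
            raise ValueError("subsig id %d has no subsignature" % sid)
        c = counts[sid]
        if peek() in ("<", ">", "="):
            op = take()
            n = int(take())
            return {"<": c < n, ">": c > n, "=": c == n}[op]
        return c > 0

    def and_expr():
        val = term()
        while peek() == "&":
            take()
            val = term() and val      # always call term() so every id is validated
        return val

    def or_expr():
        val = and_expr()
        while peek() == "|":
            take()
            val = and_expr() or val
        return val

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return result


def scan(data, sig):
    """Return (matched, per-subsig counts) for a byte buffer against one parsed signature."""
    counts = [data.count(sub) for sub in sig["subsigs"]]
    return evaluate(sig["expr"], counts), counts


def build_samples():
    """Constructed inputs. The obfuscated string is assembled at runtime from
    its letters so this source file does not itself contain the pattern."""
    concat = "+".join(repr(ch) for ch in "replace")      # 'r'+'e'+ ... +'e'
    obfuscated = ("var s = " + concat + ";\n"
                  + "".join("function f%d(){}\n" % i for i in range(6))
                  + "eval(s); eval(s);\n")
    benign = "function hello(){ return 1; }\n"
    return obfuscated.encode(), benign.encode()


if __name__ == "__main__":
    sig = parse_ldb(LDB_LINE)
    for label, buf in zip(("obfuscated", "benign"), build_samples()):
        matched, counts = scan(buf, sig)
        print("%-10s counts=%s -> %s" % (label, counts, sig["name"] if matched else "clean"))
```

Running it shows the obfuscated buffer hitting with counts [2, 6, 1] (two "eval(", six "function ", one concatenated string) and the benign one staying clean with [0, 1, 0], which is the point of the 1>5 clause: a single function definition is not enough to fire. The sigtool utility that ships with ClamAV can decode a real signature the same way Matthew did (the VIRUS NAME / TDB / LOGICAL EXPRESSION dump above is its output), so this evaluator is only for understanding the expression, not a replacement for clamscan.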

Re: [clamav-users] Information on Signature

2017-05-05 Thread Al Varnell
It was dropped from the database in daily - 23331 on Apr 25, so ignore it.

-Al-

On Fri, May 05, 2017 at 03:49 AM, Stephan Fourie wrote:
> 
> Hi everyone,
> 
> Can anyone give me more information about what the following ClamAV signature 
> looks for:  Email.Phishing.VOF2-6295380-0
> 
> I've tried searching Google for an answer, but have not been able to find 
> more information. I assume from the name, that it has something to do with 
> phish detection but I'm wanting to know what exactly it looks for. I have a 
> false positive detection that I am investigating.
> 
> Thanks!
> Stephan



[clamav-users] Information on Signature

2017-05-05 Thread Stephan Fourie

Hi everyone,

Can anyone give me more information about what the following ClamAV 
signature looks for:  Email.Phishing.VOF2-6295380-0


I've tried searching Google for an answer, but have not been able to 
find more information. I assume from the name, that it has something to 
do with phish detection but I'm wanting to know what exactly it looks 
for. I have a false positive detection that I am investigating.


Thanks!
Stephan


Re: [clamav-users] ClamAV UnOfficial Database

2017-05-05 Thread Benny Pedersen

Joel Esler (jesler) wrote on 2017-05-05 01:39:

> We have some ideas here Benny, but nothing in the pipeline today.

+1, that's stable software :)

> If we incorporated SaneSecurity’s sigs (we need permission to do so
> from Steve), then we could ingest them, and de-dupe any hash-based
> sigs that we have that other types of sigs alert on (we do this today
> for our own internal sigs)  The hash based sigs are a method for us to
> automatically get sigs out right now instead of later.  As we all have
> other things we are doing.

why not just permit sig creators to sign their own sigs? so it can 
be used entirely as a freshclam update? why would that be bad?

at least if sig creators could sign sigs digitally, it won't hurt to drop 
bash updates that use gpg, I can make clu database files now, but still 
not sign it, which imho is bad that this is not yet possible :(

the dedupe is appreciated, and that is a very good reason to make sigs 
centrally, but that can be ensured in other ways imho

how to list pua categories? what about clam stats used as a sig 
category change rule for sigs that are not in the wild, so if users not 
using all categories will not load all sigs, but users that want to use 
all sigs can do so?

or it could be to make another cvd called archived, which contains all sigs 
that are considered very old and not useful, not hitting in long time

doing nothing is not a problem for stable software, but it not making 
it better even

let's hear Steve why he not just send sigs to sig creators mailing lists, I 
know it's a big work done even if he did not send it


Re: [clamav-users] Artificial Intelligence Based Anti-Virus

2017-05-05 Thread Al Varnell
On Fri, May 05, 2017 at 02:17 AM, crazy thinker wrote:
> @AI Varnell
> Does Clam AV provide Heuristics signatures in their official db?

There's a heuristics engine that uses data from the .pdb and .sfp sections of 
the database to detect messages from selected financial institutions that 
appear to be phishing attempts.

Recently there have been a variety of additional signatures that contain 
"Heuristic" in the infection name, but it isn't clear why they are so labeled.

> I heard
> that clamAV uses md5, sha1, sha256 based virus signatures in their
> database?

Among others. If you are interested in knowing about all the other types you 
should read signatures.pdf.

-Al-

> On 5 May 2017 at 14:31, Al Varnell  wrote:
>> All of the "Heuristics" signatures could be considered AI.
>> 
>> -Al-
>> 
>> On Fri, May 05, 2017 at 01:37 AM, crazy thinker wrote:
>>> 
>>> Hi ClamAV Developers, Users,
>>> 
>>> I have heard that Artificial Intelligence Based Anti-Virus provides more
>>> security than others.. is it really true? is there any AI based free
>>> Desktop AV? does ClamAV use AI techniques for threat prevention and
>>> detection?
>>> 
>>> Thanks,
>>> Crazy Thinker Inc



Re: [clamav-users] Custom database

2017-05-05 Thread Abdullah AL-Mutairy

Arnaud thanks for your help man, it worked!

I much appreciate your help :)
. . . . . 

> On May 5, 2017, at 11:56 AM, Arnaud Jacques / SecuriteInfo.com 
>  wrote:
> 
> Hello,
> 
>> $ sigtool --mdb * > home/test/Documents/CustomDB.mdb
>> 
>> But when I do clamscan and let clam use this database it does not detect any
>> malware sample! I did the following:
>> 
>> /Downloads/exe$ clamscan -r -d /home/teat/Documents/CustomDB.mdb
> 
> You make different errors, including typo errors.
> Please try this :
> 
> $ sigtool --md5 * > /home/test/Documents/CustomDB.hdb
> 
> Then
> 
> /Downloads/exe$ clamscan -r -d /home/test/Documents/CustomDB.hdb
> 
> -- 
> Best regards,
> 
> Arnaud Jacques
> SecuriteInfo.com
> 
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : @SecuriteInfoCom


Re: [clamav-users] Artificial Intelligence Based Anti-Virus

2017-05-05 Thread crazy thinker
@AI Varnell
Does Clam AV provide Heuristics signatures in their official db?  I heard
that clamAV uses md5, sha1, sha256 based virus signatures in their
database?

On 5 May 2017 at 14:31, Al Varnell  wrote:

> All of the "Heuristics" signatures could be considered AI.
>
> -Al-
>
> On Fri, May 05, 2017 at 01:37 AM, crazy thinker wrote:
> >
> > Hi ClamAV Developers, Users,
> >
> > I have heard that Artificial Intelligence Based Anti-Virus provides more
> > security than others.. is it really true? is there any AI based free
> > Desktop AV? does ClamAV use AI techniques for threat prevention and
> > detection?
> >
> > Thanks,
> > Crazy Thinker Inc
>


Re: [clamav-users] Artificial Intelligence Based Anti-Virus

2017-05-05 Thread Al Varnell
All of the "Heuristics" signatures could be considered AI.

-Al-

On Fri, May 05, 2017 at 01:37 AM, crazy thinker wrote:
> 
> Hi ClamAV Developers, Users,
> 
> I have heard that Artificial Intelligence Based Anti-Virus provides more
> security than others.. is it really true? is there any AI based free
> Desktop AV? does ClamAV use AI techniques for threat prevention and
> detection?
> 
> Thanks,
> Crazy Thinker Inc



Re: [clamav-users] Custom database

2017-05-05 Thread Arnaud Jacques / SecuriteInfo.com
Hello,

> $ sigtool --mdb * > home/test/Documents/CustomDB.mdb
> 
> But when I do clamscan and let clam use this database it does not detect any
> malware sample! I did the following:
> 
> /Downloads/exe$ clamscan -r -d /home/teat/Documents/CustomDB.mdb

You make different errors, including typo errors.
Please try this :

$ sigtool --md5 * > /home/test/Documents/CustomDB.hdb

Then

/Downloads/exe$ clamscan -r -d /home/test/Documents/CustomDB.hdb

-- 
Best regards,

Arnaud Jacques
SecuriteInfo.com

Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom


[clamav-users] Artificial Intelligence Based Anti-Virus

2017-05-05 Thread crazy thinker
Hi ClamAV Developers, Users,

I have heard that Artificial Intelligence Based Anti-Virus provides more
security than others.. is it really true? is there any AI based free
Desktop AV? does ClamAV use AI techniques for threat prevention and
detection?

Thanks,
Crazy Thinker Inc


Re: [clamav-users] Custom database

2017-05-05 Thread Al Varnell
From "signatures.pdf" para 3.1.3:

> The easiest way to generate MD5 based section signatures is to extract target 
> PE sections into separate files and then run sigtool with the option --mdb

-Al-

On Fri, May 05, 2017 at 12:47 AM, Abdullah AL-Mutairy wrote:
> 
> Hello everyone!
> 
> I'm having trouble with custom databases.
> I have 600 malware samples stored in "/Downloads/exe" and used sigtool to 
> create a signature database that only contains signatures of those 600 malware 
> samples, so I navigated the command line to point to /Downloads/exe and then 
> did this:
> 
> $ sigtool --mdb * > home/test/Documents/CustomDB.mdb
> 
> But when I do clamscan and let clam use this database it does not detect any 
> malware sample! I did the following:
> 
> /Downloads/exe$ clamscan -r -d /home/teat/Documents/CustomDB.mdb
> 
> Clamav did not identify anything! I don't know why! 


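As an added illustration of the two answers in this thread (Arnaud's switch from sigtool --mdb to sigtool --md5 with a .hdb file, and Al's quote from signatures.pdf that --mdb expects PE sections extracted into separate files), here is a small Python re-implementation of what a whole-file hash database does. This is hypothetical code written for this thread, not sigtool, clamscan or libclamav. The only thing it takes from ClamAV is the .hdb line format HashString:FileSize:MalwareName that sigtool --md5 prints, with the file name as MalwareName; the matcher shows that such an entry fires only on a byte-identical file, which is also why section-hash entries computed over whole files never match anything. The sample bytes are constructed and are not real malware.

```python
"""Toy whole-file hash database in ClamAV .hdb format.

Added example for this thread; hypothetical code, not sigtool or libclamav.
The line format HashString:FileSize:MalwareName is what sigtool --md5 prints
and what a .hdb file holds; everything else is a re-implementation to show
that such an entry only matches a byte-identical file.
"""
import hashlib
import os
import tempfile


def hdb_line(data, name):
    """One .hdb entry for the given bytes, in the format sigtool --md5 emits."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


def build_hdb(samples):
    """samples maps MalwareName -> file bytes; returns the text of a .hdb file."""
    return "".join(hdb_line(data, name) + "\n" for name, data in sorted(samples.items()))


def load_hdb(text):
    """Parse .hdb text into {(md5, size): name}; blank and '#' lines are skipped."""
    db = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or not parts[1].isdigit():
            raise ValueError("malformed .hdb entry on line %d: %r" % (lineno, line))
        db[(parts[0].lower(), int(parts[1]))] = parts[2]
    return db


def scan_bytes(data, db):
    """Return the MalwareName whose (md5, size) matches data, else None.
    Keying on size as well as hash is what lets a scanner skip hashing most files."""
    return db.get((hashlib.md5(data).hexdigest(), len(data)))


def scan_dir(path, db):
    """Recursive scan, in the spirit of clamscan -r -d CustomDB.hdb; returns {file: name}."""
    hits = {}
    for root, _dirs, files in os.walk(path):
        for fn in files:
            full = os.path.join(root, fn)
            with open(full, "rb") as fh:
                name = scan_bytes(fh.read(), db)
            if name:
                hits[full] = name
    return hits


def demo():
    """Build a database from constructed sample bytes and scan a temp directory."""
    samples = {"Sample.A": b"MZ-sample-A", "Sample.B": b"MZ-sample-B"}  # constructed
    db = load_hdb(build_hdb(samples))
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name + ".bin"), "wb") as fh:
                fh.write(data)
        # One appended byte changes both hash and size: no whole-file match.
        with open(os.path.join(tmp, "modified.bin"), "wb") as fh:
            fh.write(samples["Sample.A"] + b"!")
        hits = scan_dir(tmp, db)
    return sorted(os.path.basename(k) + "=" + v for k, v in hits.items())


if __name__ == "__main__":
    print(build_hdb({"Sample.A": b"MZ-sample-A"}), end="")
    for hit in demo():
        print(hit)
```

The demo reports the two untouched samples and stays silent on modified.bin, the same outcome a real .hdb gives once a sample is repacked or padded, which is the limitation of hash signatures that Joel's de-duplication remark elsewhere in this digest alludes to. Note also that the original command in the thread wrote to home/test/... without a leading slash and then scanned with /home/teat/...; this toy raises a file error on a wrong path instead of silently reporting no hits, which is the check worth making first when a custom database appears to match nothing.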

[clamav-users] Custom database

2017-05-05 Thread Abdullah AL-Mutairy
Hello everyone!

I'm having trouble with custom databases.
I have 600 malware samples stored in "/Downloads/exe" and used sigtool to 
create a signature database that only contains signatures of those 600 malware 
samples, so I navigated the command line to point to /Downloads/exe and then 
did this:

$ sigtool --mdb * > home/test/Documents/CustomDB.mdb

But when I do clamscan and let clam use this database it does not detect any 
malware sample! I did the following:

/Downloads/exe$ clamscan -r -d /home/teat/Documents/CustomDB.mdb

Clamav did not identify anything! I don't know why! 

Please help

Thanks in advance



. . . . . 