Re: [clamav-users] Win.Exploit.CVE_2017 in user32.dll

2017-10-30 Thread Joel Esler (jesler)
These have been fixed.


--
Joel Esler | Talos: Manager | jes...@cisco.com

On Oct 30, 2017, at 7:59 AM, JD Ackle wrote:

Hello,

A clamscan running from Linux on a Windows disk (mounted on /mnt )
produced the following results:

/mnt/Windows/System32/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/SysWOW64/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND


There were other occurrences of the same signature in
/mnt/Windows/WinSxS/Backup/ and /mnt/Windows/WinSxS/Temp/ but on a
reboot to Windows and running Windows Defender, then back to Linux
rerunning the clamscan, these seem to come and go, on different
occurrences of user32.dll, in these backup/temporary folders. The
occurrences in the two first folders I mentioned above do however persist.


I also got these two other persistent detections:

/mnt/Windows/WinSxS/FileMaps/$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms:
Win.Trojan.Emotet-6340301-0 FOUND
/mnt/Windows/WinSxS/FileMaps/$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms:
Win.Trojan.Emotet-6340301-0 FOUND


Given what I read on the list about Win.Exploit.CVE_2017 being (mostly?)
an Excel file infection and deemed a couple of times as a false
positive, as well as with those two trojan detections in files whose
names seem related to the above Win.Exploit.CVE_2017 files' detections
(system32 and syswow64), I'm not sure what to make of any of these
detections.

Your help would be appreciated.

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] clamav-milter error

2017-10-30 Thread Reindl Harald

On 30.10.2017 at 17:24, Emanuel wrote:

Hello,

I installed clamav, but I see this error.

[root@vps-1419393-x ~] # systemctl start clamd@scan
Failed to start clamd@scan.service: Unit is masked.

● clamd@scan.service
    Loaded: masked (/dev/null; bad)
    Active: inactive (dead)


Sorry, but none of these are clamav questions, and I suggest reading the manuals
on how to operate services with systemd.



On 27/10/17 at 12:38, Reindl Harald wrote:

On 27.10.2017 at 17:28, Emanuel wrote:

Oh man! The service is not running:


"well, yes, install clamd, start clamd and configure the milter to use 
the clamd socket you defined or the clamd instance over TCP" should 
have been pretty clear



# clamdscan --reload
ERROR: Could not lookup : Servname not supported for ai_socktype

any ideas?


Yes, start to provide basic information and don't rely that much on
handholding.


What does "systemctl status clamd" say?

http://www.catb.org/esr/faqs/smart-questions.html#beprecise

Since you answered 3 posts after I pointed out that you need to have
clamd running with "Oh man! The service is not running", I am still not
sure if you did start it, because "clamdscan --reload" won't do it
magically, and if you don't know how to start it please refrain from
building up servers.



On 27/10/17 at 11:45, Michael D. wrote:


You didn't tell us if you indeed have Clamd running - please verify 
by running: 


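The thread turns on whether clamd is actually listening where the milter and clamdscan expect it. The following is an added example, not code from the thread or from the ClamAV project: it reads the endpoint (LocalSocket or TCPSocket/TCPAddr) from a clamd.conf fragment and, if one is configured, sends clamd's PING command to confirm the daemon answers. The conf fragments and the socket path are constructed; the fallback to "localhost" when TCPAddr is absent is an assumption.

```python
import socket

# Constructed clamd.conf fragments (not the poster's file). A shipped default
# keeps LocalSocket and TCPSocket commented out; with neither set, clamdscan
# has no endpoint and reports the "Could not lookup : Servname not supported
# for ai_socktype" error quoted in the thread.
CLAMD_CONF_UNCONFIGURED = """\
#LocalSocket /run/clamd.scan/clamd.sock
#TCPSocket 3310
#TCPAddr localhost
"""
CLAMD_CONF_OK = """\
LocalSocket /run/clamd.scan/clamd.sock
TCPSocket 3310
TCPAddr 127.0.0.1
"""

def parse_clamd_endpoint(conf_text):
    """Return ('unix', path) or ('tcp', (host, port)) from clamd.conf text.
    Comment lines and the 'Example' marker are ignored, as clamd does.
    Raises ValueError when neither LocalSocket nor TCPSocket is set."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "Example":
            continue
        key, _, value = line.partition(" ")
        opts[key] = value.strip()
    if "LocalSocket" in opts:
        return ("unix", opts["LocalSocket"])
    if "TCPSocket" in opts:
        # Assumption: fall back to localhost when TCPAddr is not given.
        return ("tcp", (opts.get("TCPAddr", "localhost"), int(opts["TCPSocket"])))
    raise ValueError("clamd.conf defines neither LocalSocket nor TCPSocket")

def clamd_ping(endpoint, timeout=3.0):
    """Send clamd's null-terminated PING command; True if it answers PONG."""
    kind, addr = endpoint
    family = socket.AF_UNIX if kind == "unix" else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(addr)
        s.sendall(b"zPING\0")
        return s.recv(64).rstrip(b"\0\n") == b"PONG"

if __name__ == "__main__":
    try:
        ep = parse_clamd_endpoint(CLAMD_CONF_OK)
        print("clamd endpoint:", ep, "reachable:", clamd_ping(ep))
    except (ValueError, OSError) as e:
        print("clamd not usable:", e)
```

Run it against the real /etc/clamd.d/scan.conf (or whichever clamd.conf the milter points at) after starting clamd; a ValueError means the config, not the service, is the problem.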

Re: [clamav-users] clamav-milter error

2017-10-30 Thread Emanuel

Hello,

I installed clamav, but I see this error.

[root@vps-1419393-x ~] # systemctl start clamd@scan
Failed to start clamd@scan.service: Unit is masked.

● clamd@scan.service
   Loaded: masked (/dev/null; bad)
   Active: inactive (dead)


On 27/10/17 at 12:38, Reindl Harald wrote:

On 27.10.2017 at 17:28, Emanuel wrote:

Oh man! The service is not running:


"well, yes, install clamd, start clamd and configure the milter to use 
the clamd socket you defined or the clamd instance over TCP" should 
have been pretty clear



# clamdscan --reload
ERROR: Could not lookup : Servname not supported for ai_socktype

any ideas?


Yes, start to provide basic information and don't rely that much on
handholding.


What does "systemctl status clamd" say?

http://www.catb.org/esr/faqs/smart-questions.html#beprecise

Since you answered 3 posts after I pointed out that you need to have
clamd running with "Oh man! The service is not running", I am still not
sure if you did start it, because "clamdscan --reload" won't do it
magically, and if you don't know how to start it please refrain from
building up servers.



On 27/10/17 at 11:45, Michael D. wrote:


You didn't tell us if you indeed have Clamd running - please verify 
by running: 


--
envialosimple.com   
Emanuel Gonzalez
Deliverability Specialist
emanuel.gonza...@donweb.com 
www.envialosimple.com 
by donweb 



[clamav-users] Win.Exploit.CVE_2017 in user32.dll

2017-10-30 Thread JD Ackle
Hello,

A clamscan running from Linux on a Windows disk (mounted on /mnt )
produced the following results:

/mnt/Windows/System32/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/SysWOW64/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND


There were other occurrences of the same signature in
/mnt/Windows/WinSxS/Backup/ and /mnt/Windows/WinSxS/Temp/ but on a
reboot to Windows and running Windows Defender, then back to Linux
rerunning the clamscan, these seem to come and go, on different
occurrences of user32.dll, in these backup/temporary folders. The
occurrences in the two first folders I mentioned above do however persist.


I also got these two other persistent detections:

/mnt/Windows/WinSxS/FileMaps/$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms:
Win.Trojan.Emotet-6340301-0 FOUND
/mnt/Windows/WinSxS/FileMaps/$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms:
Win.Trojan.Emotet-6340301-0 FOUND


Given what I read on the list about Win.Exploit.CVE_2017 being (mostly?)
an Excel file infection and deemed a couple of times as a false
positive, as well as with those two trojan detections in files whose
names seem related to the above Win.Exploit.CVE_2017 files' detections
(system32 and syswow64), I'm not sure what to make of any of these
detections.

Your help would be appreciated.

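The poster sorted detections by hand into ones that persist across rescans and ones that come and go in WinSxS. As an added example (not code from the thread or from ClamAV), the script below parses two clamscan outputs and splits the FOUND lines the same way, which is also a quick check that a signature fix like the one announced above has actually cleared a detection after a freshclam update. The two scan outputs are constructed, modelled on the lines quoted in the post.

```python
import re

# Constructed clamscan outputs (not the poster's real logs). FIRST_RUN is the
# initial scan; SECOND_RUN the rescan after the Windows reboot and Defender
# run described in the post. OK lines are included to show they are skipped.
FIRST_RUN = """\
/mnt/Windows/System32/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/SysWOW64/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/WinSxS/Backup/aaa_user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/WinSxS/FileMaps/$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
/mnt/Windows/System32/kernel32.dll: OK
"""
SECOND_RUN = """\
/mnt/Windows/System32/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/SysWOW64/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/WinSxS/Temp/bbb_user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/WinSxS/FileMaps/$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
/mnt/Windows/System32/kernel32.dll: OK
"""

# "path: Signature FOUND"; the path is matched lazily so a ": " inside the
# signature name cannot swallow part of the path.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

def parse_found(output):
    """Return {path: signature} for every FOUND line; OK and summary lines are skipped."""
    hits = {}
    for line in output.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits

def compare_scans(first, second):
    """Split detections into persistent (same path and signature in both runs)
    and transient (seen in only one run, or with a different signature)."""
    a, b = parse_found(first), parse_found(second)
    persistent = {p: s for p, s in a.items() if b.get(p) == s}
    transient = {p: a.get(p, b.get(p)) for p in set(a) | set(b) if p not in persistent}
    return persistent, transient

if __name__ == "__main__":
    persistent, transient = compare_scans(FIRST_RUN, SECOND_RUN)
    for p, sig in sorted(persistent.items()):
        print(f"persistent  {sig}  {p}")
    for p, sig in sorted(transient.items()):
        print(f"transient   {sig}  {p}")
```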