[clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2017-11-14 Thread Hajo Locke

Hello List,

I think I found an FP in an incoming mail. I can't submit the mail as an FP on 
the website, because it contains private data.

I can provide the debug output which leads to the match:

LibClamAV debug: Phishcheck:URL after cleanup: https://sellercentral-europe.amazon.com->http://www.amazon.de
LibClamAV debug: Phishing: looking up in whitelist: https://sellercentral-europe.amazon.com:http://www.amazon.de; host-only:0
LibClamAV debug: Looking up in regex_list: https://sellercentral-europe.amazon.com:http://www.amazon.de/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck:host:.www.amazon.de
LibClamAV debug: Looking up in regex_list: www.amazon.de/
LibClamAV debug: calc_pos_with_skip: skip:15, 7 - 20 "http://www.amazon.de","www.amazon.de/"
LibClamAV debug: calc_pos_with_skip:
LibClamAV debug: calc_pos_with_skip: skip:4, 7 - 20 "http://www.amazon.de","www.amazon.de/"
LibClamAV debug: calc_pos_with_skip:amazon.de
LibClamAV debug: Got a match: www.amazon.de/ with /ed.nozama
LibClamAV debug: Before inserting .: .www.amazon.de
LibClamAV debug: Lookup result: in regex list
LibClamAV debug: Phishcheck:host:.sellercentral-europe.amazon.com
LibClamAV debug: Phishing: looking up in whitelist: .sellercentral-europe.amazon.com:.www.amazon.de; host-only:1
LibClamAV debug: Looking up in regex_list: sellercentral-europe.amazon.com:www.amazon.de/
LibClamAV debug: Lookup result: not in regex list
LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain


The mail contains a link https://sellercentral-europe.amazon.com/nms/redirect 
which redirects to http://www.amazon.de/gp/help/survey?p
These are default links from Amazon to rate a seller/product and should be 
an allowed combination of redirects.

Is it possible to do a global update of this combination within the heuristics?
Otherwise I would have to whitelist it via a wdb file:

X:.+sellercentral-europe\.amazon\.com:.+amazon\.de

Thanks,
Hajo


___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2017-11-14 Thread Al Varnell
I'm not very good at regex, but I'm surprised that this current X record 
doesn't already take care of this:

X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?

-Al-

On Tue, Nov 14, 2017 at 01:19 AM, Hajo Locke wrote:



Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2017-11-14 Thread Hajo Locke

Hello,

On 14.11.2017 at 10:44, Al Varnell wrote:

> I'm not very good at regex, but I'm surprised that this current X record 
> doesn't already take care of this:
> 
> X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?

Me too. In which file is this regex located?



Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2017-11-14 Thread Al Varnell
On Tue, Nov 14, 2017 at 01:48 AM, Hajo Locke wrote:
> Hello,
> 
> On 14.11.2017 at 10:44, Al Varnell wrote:
>> I'm not very good at regex, but I'm surprised that this current X record 
>> doesn't already take care of this:
>> 
>> X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?
> Me too. In which file is this regex located?

daily.cld / .cvd

-Al-


Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2017-11-14 Thread Hajo Locke

Hello,

Based on my working whitelist regex I would say the 2nd part should not 
look only for amazon\.com.

If I understood it correctly, it should be something like:

X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.(com|de)([/?].*)?

Using this regex shows a clean mail. Maybe more extensions are needed 
on the right side, depending on Amazon's changes/uses on different domains.


Thanks,
Hajo

On 14.11.2017 at 10:50, Al Varnell wrote:

> On Tue, Nov 14, 2017 at 01:48 AM, Hajo Locke wrote:
>> Hello,
>> 
>> On 14.11.2017 at 10:44, Al Varnell wrote:
>>> I'm not very good at regex, but I'm surprised that this current X record 
>>> doesn't already take care of this:
>>> 
>>> X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?
>> 
>> Me too. In which file is this regex located?
> 
> daily.cld / .cvd
> 
> -Al-



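As an added example (not code from the thread and not ClamAV's own matcher), the script below applies the two X: records quoted in the thread, Al's from daily.cld/.cvd and Hajo's widened one, to the URL pair from the debug output, and also shows why anchoring such a record matters. It assumes, from the debug lines, that the text after X: is one extended regex matched against "<real URL>:<displayed URL>/" (full URLs first, then hosts only) and that the match is unanchored unless the record anchors itself; the exact semantics of ClamAV's whitelist lookup are not reproduced.

```python
"""Evaluate ClamAV-style .wdb ``X:`` phishing whitelist records.

Added example for the clamav-users thread above; it is neither ClamAV's
code nor Hajo's or Al's. Labelled assumptions: the text after ``X:`` is one
extended regex, matched against "<real>:<displayed>/" once with full URLs
and once with hosts only, and the match is NOT anchored unless the record
itself is.
"""
import re
from typing import Tuple

# The two records quoted in the thread (Al's from daily.cld/.cvd, Hajo's widened one).
AL_RECORD = r"X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?"
HAJO_RECORD = r"X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.(com|de)([/?].*)?"

# The URL pair from Hajo's debug output (real target -> displayed link).
REAL_URL = "https://sellercentral-europe.amazon.com"
DISPLAYED_URL = "http://www.amazon.de"


def compile_record(record: str, anchored: bool = False) -> "re.Pattern[str]":
    """Compile the regex body of an ``X:`` record.

    ``M:`` records (literal host pairs) are a different format and are not
    handled here. With ``anchored=True`` the pattern must cover the whole
    lookup string, the safer reading when writing your own records.
    """
    if not record.startswith("X:"):
        raise ValueError("expected a line starting with 'X:'")
    body = record[2:]
    if anchored:
        body = f"^(?:{body})$"
    return re.compile(body)


def host_of(url: str) -> str:
    """Return the host part of a URL without scheme or path, lower-cased."""
    without_scheme = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    return without_scheme.split("/", 1)[0].lower()


def lookup_strings(real_url: str, displayed_url: str) -> Tuple[str, str]:
    """Build the two strings the debug log shows: full URLs, then hosts only.

    A trailing '/' is appended to the displayed side when it has no path,
    matching "...:http://www.amazon.de/" and "...:www.amazon.de/" in the log
    (assumption drawn from those lines).
    """
    has_path = "/" in displayed_url.split("://", 1)[-1]
    displayed = displayed_url if has_path else displayed_url + "/"
    full = f"{real_url}:{displayed}"
    host_only = f"{host_of(real_url)}:{host_of(displayed_url)}/"
    return full, host_only


def whitelisted(record: str, real_url: str, displayed_url: str, anchored: bool = False) -> bool:
    """True if the record matches either lookup string for this URL pair."""
    pattern = compile_record(record, anchored)
    return any(pattern.search(s) for s in lookup_strings(real_url, displayed_url))


def explain(record: str, real_url: str, displayed_url: str) -> str:
    """One-line verdict, in the spirit of the 'Phishing scan result' debug line."""
    if whitelisted(record, real_url, displayed_url):
        return "whitelisted: no Heuristics.Phishing.Email.SpoofedDomain alert"
    return "not whitelisted: URLs are way too different"


if __name__ == "__main__":
    for name, record in (("Al's record", AL_RECORD), ("Hajo's record", HAJO_RECORD)):
        print(f"{name}: {explain(record, REAL_URL, DISPLAYED_URL)}")
    # Caveat: unanchored, Hajo's record also accepts a displayed host that merely
    # contains '.amazon.de' (constructed lookalike below); anchoring rejects it.
    lookalike = "http://www.amazon.de.example.invalid"
    print("lookalike, unanchored:", whitelisted(HAJO_RECORD, REAL_URL, lookalike))
    print("lookalike, anchored:  ", whitelisted(HAJO_RECORD, REAL_URL, lookalike, anchored=True))
```

Al's record fails on both lookup strings because the displayed side requires amazon.com, while Hajo's record matches the full-URL string at the first lookup.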
[clamav-users] Virus Malvare not detected

2017-11-14 Thread Emanuel

Hello,

I received two doc files in an email with the subject "Invoice". The 
attachment is a malware virus; ClamAV did not detect this.


Scan with Kaspersky:

Scan result: File is infected
Detected threats: Trojan-Downloader.MSWord.Agent.bqx
File size: 144.95 KB
File type: OOXML/DOCUMENT
Scan date: Nov 14 2017 08:15:42
Databases release date: Nov 14 2017 10:36:04 UTC
MD5: 70bdc39f8f57e090bebc4616924cdadc
SHA1: ecf414f8523627a0d5d6637041f6e1e3bbcee62e
SHA256: 142a177f214671f7abd22f9e545595bf56a8116763bb7e9de7368aa1b2d381bf

Is it possible to add this virus manually to the ClamAV database?

--
envialosimple.com   
Emanuel Gonzalez
Deliverability Specialist
emanuel.gonza...@donweb.com 
www.envialosimple.com 
by donweb 

Confidentiality Note: This message and any attachments (the message) are 
confidential and intended solely for the addressees. Any unauthorised 
use or dissemination is prohibited by DonWeb.com.

DonWeb.com shall not be liable for the message if altered or falsified.
If you are not the intended addressee of this message, please cancel it 
immediately and inform the sender.




Re: [clamav-users] Virus Malvare not detected

2017-11-14 Thread Joel Esler (jesler)
Please submit malware samples to ClamAV.net

Sent from my iPhone

On Nov 14, 2017, at 6:36 AM, Emanuel wrote:


Re: [clamav-users] Virus Malvare not detected

2017-11-14 Thread Al Varnell
According to VirusTotal, ClamAV does detect it as Doc.Dropper.Agent-6369707-0, 
but go ahead and try to submit it anyway.

-Al-

On Tue, Nov 14, 2017 at 03:33 AM, Emanuel wrote:
-- 
Al Varnell
Mountain View, CA








Re: [clamav-users] Virus Malvare not detected

2017-11-14 Thread Emanuel

Please see

https://www.virustotal.com/es-ar/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/1510662252/


On 14/11/17 at 09:00, Al Varnell wrote:



Re: [clamav-users] Virus Malvare not detected

2017-11-14 Thread Al Varnell
That's not the same file you showed before. The SHA256 is different.

-Al-

On Tue, Nov 14, 2017 at 04:23 AM, Emanuel wrote:
> Please see
> 
> https://www.virustotal.com/es-ar/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/1510662252/

Re: [clamav-users] Virus Malvare not detected

2017-11-14 Thread Emanuel

The first scan is with Kaspersky online.


On 14/11/17 at 09:31, Al Varnell wrote:

> That's not the same file you showed before. The SHA256 is different.
> 
> -Al-


Re: [clamav-users] Virus Malvare not detected

2017-11-14 Thread Al Varnell
You mentioned two attachments. Kaspersky and ClamXAV appear to catch the first 
one, but neither catch the second one you showed us. The SHA256 for a file is 
the same no matter what scanner is used.

-Al-

On Tue, Nov 14, 2017 at 04:36 AM, Emanuel wrote:
> the first scan is with kaspersky online

Re: [clamav-users] Virus Malvare not detected

2017-11-14 Thread Emanuel

Scan the attachment; ClamAV does not detect this file.


On 14/11/17 at 09:51, Al Varnell wrote:

> You mentioned two attachments. Kaspersky and ClamXAV appear to catch the first 
> one, but neither catch the second one you showed us. The SHA256 for a file is 
> the same no matter what scanner is used.
> 
> -Al-

On Tue, Nov 14, 2017 at 04:36 AM, Emanuel wrote:

the first scan is with kaspersky online


El 14/11/17 a las 09:31, Al Varnell escribió:

That's not the same file you showed before. The SHA256 is different.

-Al-

On Tue, Nov 14, 2017 at 04:23 AM, Emanuel wrote:

Please see

https://www.virustotal.com/es-ar/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/1510662252/
 

 
>


El 14/11/17 a las 09:00, Al Varnell escribió:

According to VirusTotal, ClamAV does detect it as Doc.Dropper.Agent-6369707-0

 
>>

but go ahead and try to submit it anyway.

-Al-

On Tue, Nov 14, 2017 at 03:33 AM, Emanuel wrote:

Hello,

I received two docs files in a email with the Subject "Invoice". The attachment 
is a malware virus, clamav not detected this.

Scan with kaspersky


Scan result: File is infected
Detected threats: Trojan-Downloader.MSWord.Agent.bqx
File size: 144.95 KB
File type: OOXML/DOCUMENT
Scan date: Nov 14 2017 08:15:42
Databases release date: Nov 14 2017 10:36:04 UTC
MD5: 70bdc39f8f57e090bebc4616924cdadc
SHA1: ecf414f8523627a0d5d6637041f6e1e3bbcee62e
SHA256: 142a177f214671f7abd22f9e545595bf56a8116763bb7e9de7368aa1b2d381bf

Is it possible to add this virus manually to the ClamAV database?




-Al-




--
envialosimple.com   
Emanuel Gonzalez
Deliverability Specialist
emanuel.gonza...@donweb.com 
www.envialosimple.com 
by donweb 

Confidentiality Note: This message and any attachments (the message) are 
confidential and intended solely for the addressees. Any unauthorised 
use or dissemination is prohibited by DonWeb.com.

DonWeb.com shall not be liable  for the message if altered or falsified.
If you are not the intended addressee of this message, please cancel it 
immediately and inform the sender


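Emanuel's question, whether a hash can be added to the ClamAV database by hand, has a yes answer: clamd and clamscan load every signature file in the database directory, and a hash signature is a single line of `hash:size:name`, with MD5 hashes going in a `.hdb` file and SHA1 or SHA256 hashes in a `.hsb` file. The following is an added example, not ClamAV project code and not something anyone in the thread posted. It builds such a line from a file's bytes, validates lines before they are dropped into the database directory, and performs the same size-then-digest comparison that a hash database lookup does. The signature names are made up; the SHA256 is the one quoted in the thread, written with the size wildcard because only "144.95 KB" was given, not the exact byte count.

```python
"""Build, validate and test ClamAV hash signatures (.hdb / .hsb lines).

Added example; not ClamAV code. Hash signature format (ClamAV signature docs):
    <hash>:<size in bytes>:<SignatureName>[:<MinFL>]
MD5 lines live in a .hdb file, SHA1/SHA256 lines in a .hsb file. The size
may be '*' (any size); per the docs that needs the optional MinFL field to be
at least 73 (ClamAV 0.98+).
"""
import hashlib
import re
from typing import Iterable, Optional, Tuple

# hex digest length -> (hashlib algorithm, database file extension ClamAV expects)
_HASH_TYPES = {32: ("md5", ".hdb"), 40: ("sha1", ".hsb"), 64: ("sha256", ".hsb")}
_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def hash_signature(data: bytes, name: str, algo: str = "sha256") -> str:
    """Return the '<hash>:<size>:<name>' line for data (sha256 by default)."""
    if algo not in ("md5", "sha1", "sha256"):
        raise ValueError("ClamAV hash signatures support md5, sha1 and sha256 only")
    if not _NAME_RE.match(name):
        raise ValueError("signature name may contain only letters, digits, '.', '_' and '-'")
    return f"{hashlib.new(algo, data).hexdigest()}:{len(data)}:{name}"


def parse_signature(line: str) -> Tuple[str, Optional[int], str, Optional[int]]:
    """Validate one line and return (hash, size or None for '*', name, MinFL or None)."""
    fields = line.strip().split(":")
    if len(fields) not in (3, 4):
        raise ValueError(f"expected 3 or 4 colon-separated fields: {line!r}")
    digest, size, name = fields[0].lower(), fields[1], fields[2]
    minfl = int(fields[3]) if len(fields) == 4 else None
    if len(digest) not in _HASH_TYPES or not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError(f"not an md5/sha1/sha256 hex digest: {digest!r}")
    if not _NAME_RE.match(name):
        raise ValueError(f"bad signature name: {name!r}")
    if size == "*":
        if minfl is None or minfl < 73:
            raise ValueError("size wildcard '*' requires a MinFL field of at least 73")
        return digest, None, name, minfl
    if not size.isdigit():
        raise ValueError(f"size must be a byte count or '*': {size!r}")
    return digest, int(size), name, minfl


def match(data: bytes, signatures: Iterable[str]) -> Optional[str]:
    """Return the name of the first signature matching data, else None.

    Same order of work as a hash-database lookup: reject on size first (cheap),
    then compare the digest for the algorithm the line's hash length implies.
    """
    digests = {}  # algorithm -> hex digest of data, computed at most once each
    for line in signatures:
        if not line.strip():
            continue
        digest, size, name, _ = parse_signature(line)
        if size is not None and size != len(data):
            continue
        algo = _HASH_TYPES[len(digest)][0]
        if algo not in digests:
            digests[algo] = hashlib.new(algo, data).hexdigest()
        if digests[algo] == digest:
            return name
    return None


# SHA256 quoted in the thread for the undetected "Invoice" .docx. Only "144.95 KB"
# was given, so the size is the wildcard with MinFL 73. The name is a placeholder.
THREAD_SIGNATURE = (
    "142a177f214671f7abd22f9e545595bf56a8116763bb7e9de7368aa1b2d381bf"
    ":*:Doc.Dropper.Invoice.Example-UNOFFICIAL:73"
)

if __name__ == "__main__":
    # Constructed stand-in for an attachment; the real sample is not on the page.
    sample = b"PK\x03\x04" + b"\x00" * 60
    custom_hsb = [hash_signature(sample, "Test.Custom.Sample-UNOFFICIAL"), THREAD_SIGNATURE]
    print("\n".join(custom_hsb))  # these two lines are the contents of a custom .hsb file
    print("sample   ->", match(sample, custom_hsb))
    print("modified ->", match(sample + b"!", custom_hsb))
```

Write the lines to a file such as `custom.hsb` in the database directory clamd reads, or point clamscan at it with `clamscan -d custom.hsb suspicious.docx`; for a file already on disk, `sigtool --sha256 file` prints the same `.hsb` line. A hash signature matches exactly one byte-for-byte file, so the next "Invoice" wave with a re-built document slips past it; treat it as a stop-gap and still submit the sample to ClamAV so an official signature covers the family.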

Re: [clamav-users] password protected encrypted .docx files

2017-11-14 Thread Mark Foley
I found this older message in the archives. I'm receiving a lot of fake
"Invoice" messages with attached encrypted .doc files that run VB scripts and
execute .exe files.

I'd like to block encrypted Word documents.  Interestingly, as Reindl Harald
says, ".docx files *are* zip files", but lately I've been getting .doc files
which are really .docx files.  KDE Dolphin isn't deceived and opens the
attachment as an archive, but Word in WIN7 goes ahead and opens it as a
document.  If I rename the document to .docx, then Dolphin opens it in
LibreOffice. 

So, will ArchiveBlockEncrypted work on .doc files too? I.e. is ClamAV smart
enough to look beyond the extension?

Will ArchiveBlockEncrypted block *ALL* encrypted archives including zip?

Finally, Dino Edwards wrote:

> Yes, it is - you can turn ArchiveBlockEncrypted off in clamd.conf (it's off 
> by default)

Is that a typo? Did he mean "you can turn ArchiveBlockEncrypted on in
clamd.conf"? Seems like turning this "off" would NOT block encrypted files.

THX --Mark

-Original Message-
> Date: Wed, 5 Apr 2017 21:19:47 +0200
> From: Reindl Harald 
>
> technically .docx *are* zip files
>
> Am 05.04.2017 um 21:08 schrieb Dino Edwards:
> > Didn't realize ArchiveBlockEncrypted included MS Word files. I thought 
> > it would be for password protected zip, rar and such
> >
> > -Original Message-
> > From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf 
> > Of Benny Pedersen
> > Sent: Wednesday, April 5, 2017 11:22 AM
> > To: clamav-users@lists.clamav.net
> > Subject: Re: [clamav-users] password protected encrypted .docx files
> >
> > Dino Edwards wrote on 2017-04-05 16:48:
> >> Any way to get clamav to block password protected Microsoft word files?
> >
> > Yes, it is - you can turn ArchiveBlockEncrypted off in clamd.conf (it's off 
> > by default)
> >
> > If it's not working, pastebin your clamconf (clamav section only).
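On Mark's question of whether the scanner looks beyond the extension: ClamAV identifies file types from their content, so a `.doc` that is really a zip is scanned as a zip. What a mail gateway can check for itself, before relying on any one option, is which container it actually has and whether that container is encrypted. The following is an added example, not ClamAV code and not something posted in the thread. It sniffs the magic bytes, walks the zip local file headers for general-purpose flag bit 0 (the zip encryption flag), and recognises an OLE2 compound file; the caveat worth knowing is that a password-protected .docx is not an encrypted zip at all: Office writes it as an OLE2 compound file carrying `EncryptionInfo` and `EncryptedPackage` streams, so the OLE2 branch looks for that stream name (stored as UTF-16LE) as a heuristic. Legacy binary .doc encryption (a flag in the Word FIB) is not parsed here. All sample blobs are constructed in the code and are not real Office files.

```python
"""Classify a mail attachment by content, not extension, and flag encryption.

Added example; not ClamAV code. Handles:
  - zip containers (.docx/.xlsx/.pptx are zips): encryption flag per local header
  - OLE2 compound files (legacy .doc, and the wrapper used for password-protected
    OOXML): presence of the EncryptionInfo stream name, as a heuristic
"""
import io
import struct
import zipfile
from typing import Dict, Iterator, Tuple

ZIP_LOCAL_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_FLAG_ENCRYPTED = 0x0001        # general-purpose bit 0: entry is encrypted
ZIP_FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: sizes follow the data, header has zeros
ENCRYPTION_INFO_STREAM = "EncryptionInfo".encode("utf-16-le")  # CFB names are UTF-16LE
# local file header after the 4-byte signature:
# version, flags, method, mod time, mod date, crc32, compressed size, size, name len, extra len
LOCAL_HEADER = "<HHHHHIIIHH"


def zip_entries(data: bytes) -> Iterator[Tuple[str, int]]:
    """Yield (name, flags) for each local file header, walking them in order."""
    pos = 0
    while data[pos:pos + 4] == ZIP_LOCAL_MAGIC and len(data) >= pos + 30:
        _, flags, _, _, _, _, csize, _, nlen, xlen = struct.unpack_from(LOCAL_HEADER, data, pos + 4)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        yield name, flags
        if flags & ZIP_FLAG_DATA_DESCRIPTOR:
            return  # csize is 0 here; a full parser would read the central directory instead
        pos += 30 + nlen + xlen + csize


def classify(data: bytes) -> Dict[str, object]:
    """Identify the container from its bytes and report whether it is encrypted."""
    if data.startswith(ZIP_LOCAL_MAGIC):
        entries = list(zip_entries(data))
        encrypted = [name for name, flags in entries if flags & ZIP_FLAG_ENCRYPTED]
        # OOXML packages carry a [Content_Types].xml part; anything else is a plain zip.
        kind = "ooxml" if any(name == "[Content_Types].xml" for name, _ in entries) else "zip"
        return {"type": kind, "encrypted": bool(encrypted), "detail": f"encrypted entries: {encrypted}"}
    if data.startswith(OLE2_MAGIC):
        has_info = ENCRYPTION_INFO_STREAM in data
        return {"type": "ole2", "encrypted": has_info,
                "detail": "EncryptionInfo stream present" if has_info else "no EncryptionInfo stream"}
    return {"type": "unknown", "encrypted": False, "detail": "no zip or ole2 magic"}


def sample_plain_docx() -> bytes:
    """Constructed: an OOXML-shaped zip written with zipfile (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def sample_encrypted_zip() -> bytes:
    """Constructed: one stored entry with the encryption flag set (zipfile cannot write this)."""
    name, body = b"word/document.xml", b"\x00" * 16
    header = struct.pack(LOCAL_HEADER, 20, ZIP_FLAG_ENCRYPTED, 0, 0, 0, 0,
                         len(body), len(body), len(name), 0)
    return ZIP_LOCAL_MAGIC + header + name + body


def sample_encrypted_ooxml_wrapper() -> bytes:
    """Constructed: OLE2 magic plus the UTF-16LE stream name, standing in for a real CFB."""
    return OLE2_MAGIC + b"\x00" * 504 + ENCRYPTION_INFO_STREAM + b"\x00" * 32


if __name__ == "__main__":
    for label, blob in [("plain .docx", sample_plain_docx()),
                        ("zip with encrypted entry", sample_encrypted_zip()),
                        ("password-protected OOXML wrapper", sample_encrypted_ooxml_wrapper()),
                        ("text file renamed to .doc", b"hello")]:
        print(f"{label:34} -> {classify(blob)}")
```

Run against a real attachment with `classify(open(path, "rb").read())`; a `.doc` that comes back as `ooxml` is exactly the renamed-docx case Mark describes, and an `ole2` result with the `EncryptionInfo` stream is the password-protected Office document, which is the case to test your ClamAV version's encrypted-container handling against rather than an encrypted zip.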


[clamav-users] RHEL 6 Clam AV Installation

2017-11-14 Thread Walker, Jason T
Hello,

I'm trying to install your product on a RHEL 6.9 PC.   Your documentation 
refers to the yum repository as a source of the RPM file, however yum replies 
that the RPMs do not exist for the following packages:


1)  Epel-release

2)  Clamav

Any assistance on this installation is appreciated.

Regards
Jason



Re: [clamav-users] RHEL 6 Clam AV Installation

2017-11-14 Thread Thomas McCourt (tmccourt)
Hello Jason,

Using yum, I can run the following commands and download both epel-release and 
clamav. This, of course, downloads 0.99.2 (not the beta version).

yum install -y epel-release
yum install -y clamav


Duck]# yum install -y epel-release
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: distro.ibiblio.org
 * extras: mirror.umd.edu
 * updates: mirror.cs.vt.edu
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:6-8 will be installed
--> Finished Dependency Resolution

Dependencies Resolved


 Package          Arch     Version   Repository   Size
================================================================================
Installing:
 epel-release     noarch   6-8       extras       14 k

Transaction Summary

Install   1 Package(s)

Total download size: 14 k
Installed size: 22 k
Downloading Packages:
epel-release-6-8.noarch.rpm  |  14 kB 00:00 
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : epel-release-6-8.noarch  1/1 
  Verifying  : epel-release-6-8.noarch  1/1 

Installed:
  epel-release.noarch 0:6-8

I am wondering if it is because you capitalized the 'E' in epel-release. Try it 
by lowercasing it, to see if it works.
Double checking: capitalizing the 'e' in epel-release finds no results.


Thank you,


Tom McCourt





On 11/14/17, 2:07 PM, "clamav-users on behalf of Walker, Jason T" wrote:

>Hello,
>
>I'm trying to install your product on a RHEL 6.9 PC.   Your documentation 
>refers to the yum repository as a source of the RPM file, however yum replies 
>that the RPMs do not exist for the following packages:
>
>
>1)  Epel-release
>
>2)  Clamav
>
>Any assistance on this installation is appreciated.
>
>Regards
>Jason
>

Re: [clamav-users] RHEL 6 Clam AV Installation

2017-11-14 Thread Reindl Harald



On 14.11.2017 at 20:07, Walker, Jason T wrote:

I'm trying to install your product on a RHEL 6.9 PC.   Your documentation 
refers to the yum repository as a source of the RPM file, however yum replies 
that the RPMs do not exist for the following packages:


1)  Epel-release

2)  Clamav

Any assistance on this installation is appreciated


You can hardly install a yum repo itself via yum, hence here you go: 
https://fedoraproject.org/wiki/EPEL - however, why install RHEL 6 in 2017?
