Re: [clamav-users] Virus not detected

2022-03-21 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 21 Mar 2022, Christopher Marczewski wrote:

> Ideally, please submit the sample via the following form:
> https://www.clamav.net/reports/malware

Or you can create a signature and submit it, but see

https://lists.clamav.net/pipermail/clamav-users/2022-March/012519.html

for extra information.

--

73,
Ged.

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Virus not detected

2022-03-21 Thread Ralph Seichter via clamav-users
* Jorge Bastos:

> It's just the link :P

That matters little. Some mailing list subscriber might give in to
temptation and download the virus file while not in a properly isolated
environment, and trigger the payload due to incompetence or bad luck.

> How would you be able to test then? ;)

As was already pointed out in other responses, maintainers of virus
signatures usually describe how best to submit virus samples on their
respective web sites.

> ok won't send again..

Thanks.

-Ralph



Re: [clamav-users] Virus not detected

2022-03-21 Thread Christopher Marczewski
It's best to scrub links if they're going to be included on the mailer.
Helps prevent automatic hyperlinking by the client.

Ideally, please submit the sample via the following form:
https://www.clamav.net/reports/malware

On Mon, Mar 21, 2022 at 4:36 PM Jorge Bastos wrote:

> It's just the link :P
> How would you be able to test then? ;)
>
> ok won't send again.. but the default virus db doesn't seem to be
> enough, is there other db's to include?
> The windows defender detected the .rar as virus immediately so I guess it's
> a known one no?
>
> Jorge
>
> On 2022-03-21 17:33, Ralph Seichter via clamav-users wrote:
>
>> * Jorge Bastos:
>>
>>> I have a virus file that came on an email, and clamav doesn't detect
>>> [...]
>>> Here's the file.
>>
>> Seriously? Do *NOT* send virus files to a public mailing list.
>>
>> -Ralph


-- 
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975



Re: [clamav-users] Virus not detected

2022-03-21 Thread Maarten Broekman via clamav-users
The accepted way would be to supply a link to the VirusTotal scan that
didn't detect it.

--Maarten

On Mon, Mar 21, 2022 at 4:36 PM Jorge Bastos wrote:

> It's just the link :P
> How would you be able to test then? ;)
>
> ok won't send again.. but the default virus db doesn't seem to be
> enough, is there other db's to include?
> The windows defender detected the .rar as virus immediately so I guess it's
> a known one no?
>
> Jorge
>
> On 2022-03-21 17:33, Ralph Seichter via clamav-users wrote:
>
>> * Jorge Bastos:
>>
>>> I have a virus file that came on an email, and clamav doesn't detect
>>> [...]
>>> Here's the file.
>>
>> Seriously? Do *NOT* send virus files to a public mailing list.
>>
>> -Ralph
>



Re: [clamav-users] Virus not detected

2022-03-21 Thread Eric Tykwinski
Jorge,

There are a lot of alternative signatures.
Sanesecurity: http://sanesecurity.com/
Malware Patrol: https://www.malwarepatrol.net/clamav-configuration-guide/
or you can use something like clamav-unofficial-sigs: 
https://github.com/extremeshok/clamav-unofficial-sigs


> On Mar 21, 2022, at 4:35 PM, Jorge Bastos wrote:
> 
> It's just the link :P
> How would you be able to test then? ;)
> 
> ok won't send again.. but the default virus db doesn't seem to be enough,
> is there other db's to include?
> The windows defender detected the .rar as virus immediately so I guess it's a
> known one no?
> 
> Jorge
> 
> On 2022-03-21 17:33, Ralph Seichter via clamav-users wrote:
> 
>> * Jorge Bastos:
>> 
>>> I have a virus file that came on an email, and clamav doesn't detect
>>> [...]
>>> Here's the file.
>> 
>> Seriously? Do *NOT* send virus files to a public mailing list.
>> 
>> -Ralph
>> 




Re: [clamav-users] Virus not detected

2022-03-21 Thread Jorge Bastos

It's just the link :P
How would you be able to test then? ;)

ok won't send again.. but the default virus db doesn't seem to be
enough, is there other db's to include?
The windows defender detected the .rar as virus immediately so I guess
it's a known one no?


Jorge

On 2022-03-21 17:33, Ralph Seichter via clamav-users wrote:

> * Jorge Bastos:
>
>> I have a virus file that came on an email, and clamav doesn't detect
>> [...]
>> Here's the file.
>
> Seriously? Do *NOT* send virus files to a public mailing list.
>
> -Ralph



Re: [clamav-users] Virus not detected

2022-03-21 Thread Ralph Seichter via clamav-users
* Jorge Bastos:

> I have a virus file that came on an email, and clamav doesn't detect
> [...]
> Here's the file.

Seriously? Do *NOT* send virus files to a public mailing list.

-Ralph



Re: [clamav-users] human friendly signatures

2022-03-21 Thread Kris Deugau

G.W. Haywood via clamav-users wrote:

> Hi there,
>
> On Mon, 21 Mar 2022, Kris Deugau wrote:
>
>> TBH I'd prefer if Clam *did* continue, just skipping malformed rules
>> (and also whinging loudly in the log).
>
> I could live with that if it didn't *also* crash.
>
>> Either would be better than just exiting (it's not a hard *crash*,
>> it's "just" refusing to load a file with a malformed signature -
>> including things like entirely blank lines).
>
> No, Kris.  It *is* a hard crash - and it doesn't happen when it loads
> the rules, it happens when it tries to scan something *after* loading
> a Yara file which contains a bad rule.  Not necessarily any bad rule,
> just one with any of a number of different kinds of badness which I've
> found to be problematic.  But as I said in my mail things may well be
> different as a result of Micah's August PR.  TBH I really haven't been
> inclined for quite some time to crash clamd on purpose. :)

Sorry, didn't see that, figured you were talking about the joy of
finding all those subtle little rules defining a well-formed signature.
To date I haven't managed to trip whatever bug(s) bit you, although I
*have* found relatively simple signatures that should have matched but
didn't.

I *have* pushed out "malformed" "signatures" (AKA "signature files with
a blank line or two at the end") that caused the production clamd
instances to shut down...  after which I spent some time adding
validation to the SVN commit hook, and writing a local editing wrapper
to help make sure signatures were valid before committing.


-kgd
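One way to do the kind of pre-commit validation Kris describes, as an added example that is not from the thread and not ClamAV's own tooling: a POSIX sh check that rejects a signature file containing entirely blank lines (the failure he reports), CR line endings or trailing whitespace, and, only when clamscan happens to be installed, asks it to load the file as a database. The signature names and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the thread: a commit-hook style check for
# ClamAV signature files. The thread reports that a file ending in a
# blank line or two made production clamd refuse the database and shut
# down, so the check rejects any entirely blank line, and also CR line
# endings and trailing whitespace, which editors add silently.

# check_sig_file FILE  ->  returns 0 if clean, 1 if any problem is found.
# Each problem is reported on stderr with its line number.
check_sig_file() {
    file="$1"; rc=0; n=0
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            "")           echo "$file:$n: blank line" >&2; rc=1 ;;
            *"$cr"*)      echo "$file:$n: CR line ending" >&2; rc=1 ;;
            *[[:space:]]) echo "$file:$n: trailing whitespace" >&2; rc=1 ;;
        esac
    done < "$file"
    # Optional load test when clamscan is installed: load FILE as the only
    # database and scan an empty file; clamscan exits non-zero if it
    # rejects the database.
    if [ "$rc" -eq 0 ] && command -v clamscan >/dev/null 2>&1; then
        empty=$(mktemp)
        clamscan --quiet -d "$file" "$empty" >/dev/null 2>&1 || rc=1
        rm -f "$empty"
    fi
    return "$rc"
}

# make_samples  ->  prints a temp directory holding constructed .ndb files
# (hypothetical signature name; the hex body is just the bytes of "Hello").
make_samples() {
    dir=$(mktemp -d)
    sig='Example.Test.Sig-1:0:*:48656c6c6f'
    printf '%s\n' "$sig"        > "$dir/good.ndb"
    printf '%s\n\n' "$sig"      > "$dir/trailing_blank.ndb"
    printf '%s \n' "$sig"       > "$dir/trailing_ws.ndb"
    printf '%s\r\n' "$sig"      > "$dir/crlf.ndb"
    echo "$dir"
}

# Usage: run the check over the constructed samples.
samples=$(make_samples)
for f in "$samples"/*.ndb; do
    if check_sig_file "$f"; then echo "$f: OK"; else echo "$f: REJECTED"; fi
done
```

In a commit hook the loop would run over the files in the transaction instead of the samples, and a non-zero exit rejects the commit.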



Re: [clamav-users] human friendly signatures

2022-03-21 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 21 Mar 2022, Kris Deugau wrote:

> TBH I'd prefer if Clam *did* continue, just skipping malformed rules
> (and also whinging loudly in the log).

I could live with that if it didn't *also* crash.

> Either would be better than just exiting (it's not a hard *crash*,
> it's "just" refusing to load a file with a malformed signature -
> including things like entirely blank lines).

No, Kris.  It *is* a hard crash - and it doesn't happen when it loads
the rules, it happens when it tries to scan something *after* loading
a Yara file which contains a bad rule.  Not necessarily any bad rule,
just one with any of a number of different kinds of badness which I've
found to be problematic.  But as I said in my mail things may well be
different as a result of Micah's August PR.  TBH I really haven't been
inclined for quite some time to crash clamd on purpose. :)

> Strictly speaking, four characters (the {} delimiters for hex
> strings). To my reading this is part of the upstream Yara spec, and
> I'd be wary of extending this particular bit without at least
> requiring some blatant, obvious flag in any such rule to clearly
> indicate that it's not stock Yara syntax.

Agreed it needs some thought.  Maybe a different filename extension?
Not that I'm a great fan of systems which rely on filename extensions
to control the behaviour of executables.  Or maybe persuade the folks
upstream to make some enhancements?  That would be best, I think, but
it presupposes that the ClamAV Yara engine catches up - which IMHO is
a necessity in any case.

--

73,
Ged.



Re: [clamav-users] human friendly signatures

2022-03-21 Thread Kris Deugau

G.W. Haywood via clamav-users wrote:

> Hi Micah,
>
> On Wed, 16 Mar 2022, Micah Snyder (micasnyd) wrote:
>
>> I'm not sure what you mean here.  Can you elaborate?  If you simply
>> want ClamAV to ignore garbage rules on load and continue with the rest
>> of the file (see point #4) - that's something we can easily improve
>> regardless of what we do. And that's how our yara rule loading logic
>> works right now.
>
> I strongly feel that if it finds a problem, rather than silently load
> some sub-optimal ruleset the parser should abandon the reload of the
> entire ruleset.  Obviously it should warn when it does that.  I guess
> this might be an issue if it's running on a machine with too little
> RAM to reload while simultaneously scanning with the previous ruleset,
> but something like a --test-ruleset option could probably handle that.

TBH I'd prefer if Clam *did* continue, just skipping malformed rules
(and also whinging loudly in the log).

Either would be better than just exiting (it's not a hard *crash*, it's
"just" refusing to load a file with a malformed signature - including
things like entirely blank lines).

> While I was looking at this I also came upon another quirk that can be
> a bit of a nuisance.  AFAICT Yara strings can only be delimited by one
> of two characters, either a double-quote (for a literal string) or a
> forward-slash (for a regex).  It would help to be able to choose the
> quote character like in Perl; if not, at least having more available
> to choose from could make many expressions more readable, especially
> those which target e.g. HTML and links in mail (both of which tend to
> have many occurrences of double-quote or forward-slash characters).

Strictly speaking, four characters (the {} delimiters for hex strings).
To my reading this is part of the upstream Yara spec, and I'd be wary of
extending this particular bit without at least requiring some blatant,
obvious flag in any such rule to clearly indicate that it's not stock
Yara syntax.


-kgd
