Re: [clamav-users] Virus Signature Submitted on 17/10/2016

2016-11-07 Thread bitfuzzy

Actually it appears that only "part" of AVG detects it.

Virustotal indicates that AVG cleared the file as being "clean"; however, 
the second site (garyshood.com) seemed to use AVG "command line".


Given the reputation of some of the scanners referenced by Virustotal, 
not to mention the sheer number of negative results for the file, I'd 
have to question the legitimacy of garyshood.com in general.



On 11/07/2016 02:10 PM, Al Varnell wrote:

So it seems to me if only one scanner detects this “test” file then it’s far 
from being the universal industry standard test file that EICAR is.  Maybe I’m 
missing something, but your penetration testers would appear to be a fraud or 
shill for AVG or both?  I’m not sure why the Cisco/ClamAV folks would be 
interested in it without a more persuasive argument.

-Al-

On Mon, Nov 07, 2016 at 08:26 AM, Richard McCombie wrote:

Thanks Al.

virustotal.com doesn't show any problems with the file, but a site called
Gary's Hood does:

https://www.virustotal.com/en/file/14b2420f7490e612b9f0c65af180268b2ad41c3ec209b42f4d085aacb8ef973f/analysis/1478535605/

http://www.garyshood.com/virus/results.php?r=13710b10bf25b727cbf32c29d9ba3a56


The penetration testers use the file (MD5 #:
13710b10bf25b727cbf32c29d9ba3a56) as part of their AV testing.


R

On 7 November 2016 at 16:12, Al Varnell  wrote:


Try uploading it to  and give us the link to
the analysis page.  I don’t find that anything with that MD5 has been
uploaded.

-Al-

On Mon, Nov 07, 2016 at 07:25 AM, Richard McCombie wrote:

I uploaded a small ASCII-format file, which, like the EICAR test file, is
supposed to trigger a warning from AV software. I'd be happy to email this
to the appropriate address, but I won't do that until someone can confirm
which address I can use without breaking any rules.

Thank you for your help.

On 7 November 2016 at 15:21, Al Varnell wrote:


I’m a bit confused by this. Did you send a virus signature or did you
upload malware? Those are not at all the same thing.

-Al-

On Mon, Nov 07, 2016 at 06:05 AM, Richard McCombie wrote:

Thanks Joel.

I have subscribed to community-sigs; the welcome message informs me that
virus samples are not to be sent to the list:

Welcome to the community-s...@lists.clamav.net mailing list! DO NOT
SEND VIRUS SAMPLES HERE!!! Send them through our web interface at
http://www.clamav.net/sendvirus

On 7 November 2016 at 14:01, Joel Esler (jesler) wrote:


The processing that comes in through the website is largely automated.
Submitting signatures should be done through the community-sigs list, until
we make a submission method through the website.

Sent from my iPad

On Nov 7, 2016, at 6:45 AM, Richard McCombie wrote:

Good morning,

I submitted a virus signature (at http://www.clamav.net/reports/malware)
on 17th October. I used the name Richard McCombie for this.

It would be great if you could incorporate this virus sample into your
database of virus signatures. I am working on helping a client pass their
penetration test; they are currently failing the test, because this virus
sample, which is detected as a virus by other scanners, passes the ClamAV
scan undetected.

The MD5 hash of the file I submitted is:

13710b10bf25b727cbf32c29d9ba3a56

If you want me to resubmit this file, that is no problem.

Many thanks, in advance,


Richard

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

-Al-




Re: [Clamav-users] custom signatures not working

2006-02-28 Thread BitFuzzy

Tomasz Kojm wrote:

Your signature will only match Dear Paypal Members\n (0a == new line) and
not Dear Paypal Members.


Thanks for the reply.

I knew that when I set it up. I figured if I can't get a simple word 
match to work, trying to get complex with it wouldn't be much use.

But alas, It doesn't work.
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Fwd: Re: [Clamav-users] custom signatures not working]

2006-02-28 Thread BitFuzzy



I decoded the hex string and it actually matches Dear PayPal Member\n
(PayPal instead of Paypal)

 


Yea, I caught that, it doesn't make any difference
___
http://lurker.clamav.net/list/clamav-users.html


[Clamav-users] custom signatures not working

2006-02-27 Thread BitFuzzy
I'm trying to add a couple of custom phishing signatures using .ndb 
files within clamav's database directory


For testing purposes I've used a simple phrase Dear Paypal Members and 
created a hex key for it


Email.Phishing.Paypal.Test.0227001:0:*:446561722050617950616c204d656d6265720a

I've also tried

Email.Phishing.Paypal.Test.0227001:446561722050617950616c204d656d6265720a


Both with no success, all test email messages pass undetected.

I'm running clamav with the default db directory (/usr/local/shar/clamav)

Email is scanned using trashscan via procmail using /usr/local/bin/clamscan


Any suggestions would be greatly appreciated
___
http://lurker.clamav.net/list/clamav-users.html
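
An added example, not part of the original post or of ClamAV itself: it decodes the signature line quoted above using the extended Name:TargetType:Offset:HexSignature layout and compares the decoded bytes with sample message bodies. The function names and sample bodies are constructed for illustration, and the check models only a literal byte search for offset '*', not ClamAV's own file-type handling.

```python
"""Decode a ClamAV extended (.ndb) body signature and test it on sample text."""

# Signature lines exactly as quoted in the post above.
POSTED_NDB = "Email.Phishing.Paypal.Test.0227001:0:*:446561722050617950616c204d656d6265720a"
POSTED_SHORT = "Email.Phishing.Paypal.Test.0227001:446561722050617950616c204d656d6265720a"

# Constructed message bodies for the demo (not taken from the thread).
SAMPLES = {
    "as_described": b"Subject: test\r\n\r\nDear Paypal Members,\r\nplease verify...\r\n",
    "exact_bytes": b"Subject: test\n\nDear PayPal Member\nplease verify...\n",
    "crlf": b"Subject: test\r\n\r\nDear PayPal Member\r\nplease verify...\r\n",
}


def parse_ndb(line):
    """Split Name:TargetType:Offset:HexSignature and decode the hex body.

    Only plain hex bodies are handled; wildcard syntax raises ValueError.
    """
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(
            "need Name:TargetType:Offset:HexSignature, got %d field(s)" % len(fields))
    name, target, offset, hexsig = fields[:4]
    return {"name": name, "target": int(target), "offset": offset,
            "pattern": bytes.fromhex(hexsig)}


def build_ndb(name, phrase, target=0, offset="*"):
    """Build a signature line for an exact ASCII phrase, with no trailing newline."""
    return "%s:%d:%s:%s" % (name, target, offset, phrase.encode("ascii").hex())


def body_matches(sig, data):
    """Literal byte search, valid only for offset '*' (match anywhere)."""
    if sig["offset"] != "*":
        raise ValueError("only offset '*' is modelled here")
    return sig["pattern"] in data


def explain_miss(sig, data):
    """Return (matched_prefix, unmatched_rest) for the longest prefix found in data."""
    pat = sig["pattern"]
    for n in range(len(pat), 0, -1):
        if pat[:n] in data:
            return pat[:n], pat[n:]
    return b"", pat


def run_demo():
    """Decode the posted signature and test it against every sample body."""
    sig = parse_ndb(POSTED_NDB)
    results = {label: body_matches(sig, body) for label, body in SAMPLES.items()}
    return sig["pattern"], results


if __name__ == "__main__":
    pattern, results = run_demo()
    print("decoded pattern:", pattern)
    for label, hit in results.items():
        print(label, "->", "match" if hit else "no match",
              explain_miss(parse_ndb(POSTED_NDB), SAMPLES[label]))
    print(build_ndb("Email.Phishing.Paypal.Test.0227001", "Dear Paypal Members"))
```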


Re: [Clamav-users] DNS record older than 3 hours - happening since yesterday?

2006-02-07 Thread BitFuzzy



I've been seeing this on a lot of servers as well but the time/date on
the servers are correct. Many of them are even timing out trying to grab
the dns record occasionally. Anyone else seeing this?
 

Here too, and server time is correct though the log entries seem to 
point to DNS issues.


In my case current.cvd.clamav.net and db.us.clamav.net seem to have 
intermittent problems perhaps related to traffic?

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Spoofing IP Address?

2006-01-04 Thread BitFuzzy

Derek Lamparty wrote:


I didn't know that was possible. Huh? Doesn't that really make RBLs
pointless?
 


No, it makes reporting based only on headers pointless.
___
http://lurker.clamav.net/list/clamav-users.html


[Clamav-users] Virus Alias Database

2005-12-30 Thread BitFuzzy

Anyone happen to know what happened to http://www.rainingfrogs.co.uk ?
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Is ClamAV in the black or red ?

2005-07-21 Thread BitFuzzy

Joanna Roman wrote:


ClamAV team, I wonder how your finance is going ? Are
you guys in the black or red right now ? I think you
are great guys. I just hate to see this great project
gets interrupted because of financial issue. John
 


If you're concerned, feel free to make a donation ;) and support the effort.
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Arrogance toward well-meaning participants

2005-06-07 Thread BitFuzzy

Bart Silverstrim wrote:



It was.  It was an insult.  I think it is understandable given that to 
me it was provoked, and not necessarily aimed personally at you but 
instead to all on the list that were giving a virtual flick-off.  As 
an observer the response he got wasn't really well deserved and it 
appears that now everyone is being overly defensive instead of 
stopping to say, You know, you're right, I was kind of out of line 
and I'm sorry.  What can we do to resolve the issue and keep it from 
happening again in the future?


It would be nice to see, but don't hold your breath. There seem to be 
a lot of egos that need (or feel they need) a solid rubbing every 10-20 
min. Even if they need to Proxy in on someone else's.


But what do I know.  I'm just a user of ClamAV on some obscure small 
mail server out here on the Internet observing the beginnings of a 
flamefest on a mailing list.


The person screwed up. Big deal! I guarantee everybody (yes everybody) 
on this list at one time or another did the same thing (ie screwing up 
by not paying attention to details or reading directions before 
compiling that new script to have it fail miserably etc etc).


I've seen the mention of this list being elite. While there may be a 
few in the member ranks that do indeed qualify I guarantee they're not 
involved in this boorish mess.


At one time I belonged to 27 various lists. This number is now down to 
2. The reasons vary but for the most part the decision to drop them was 
due to content and BS such as this. This list has been a valuable source 
of information, and at times humor. But situations like this do make me 
wonder if it's useful anymore.


These lists are meant to allow users to communicate freely between each 
other, and (hopefully) with the developers paying attention to issues 
being brought up.
WE can make Clam-AV better, but only by working together, not by 
blasting some poor schmuck because he fouled something up, or tarnished 
a member's sense of how things should be done, or what should be included.


___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Outdated warning

2005-05-02 Thread BitFuzzy
List wrote:

Have you restarted the clamd processes?

I had the machine rebooted after I upgraded clamav
Just updated 2 boxes w/ no problem on my end..
?? I'm assuming you remembered to run make install ??
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Can phishing be considered one kind of spam ?

2005-04-15 Thread BitFuzzy
Bart Silverstrim wrote:
Please no...please please no
___
http://lurker.clamav.net/list/clamav-users.html
LMAO!
That was exactly what I was thinking when I opened the question ;)
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] false hits

2005-04-15 Thread BitFuzzy
Bart Silverstrim wrote:
I had a number of hits showing up within the Windows/system directory.  
Heh, didn't Norton detect windows as a virus at one time?
A subsequent scan with a standalone utility from an AV vendor showed 
no sign of the viruses in that directory.
This doesn't necessarily mean anything.
What I would do is do an online scan (I highly recommend 
http://housecall.trendmicro.com).
If you are indeed compromised, there's a chance your AV may be as well.

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] false hits

2005-04-15 Thread BitFuzzy
Bart Silverstrim wrote:
I was just wondering if anyone else had resources to try running the 
scan via a bootable Linux CD (like the INSERT CD) and scan a Windows 
system to see if they were getting oddball false hits.
I've got Knoppix lying around.
Either tonight or tomorrow morning I'll load it, install ClamAV and see 
what happens.

I'd do it today, but for some ungodly reason, today's looking more like 
a 'Monday Re-Loaded'

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Report Phishing attacks?

2005-03-22 Thread BitFuzzy
Bart Silverstrim wrote:
Personally, my gripe is that the product is called ClamAV.  If it's 
expanding its mission to protect people from everything called 
malware, I'd change the name to something that indicates it's a 
malware detector and not a virus detector.  Phishing scams are *not* 
viruses.  Maybe change its name to ClaMal.  It'll make the O'Reilly 
book cover look interesting, too.

But this would probably never happen.  *shrug*
___
http://lurker.clamav.net/list/clamav-users.html
I can't believe this is still going on! This got old fast the last 
time it was discussed.

This isn't about detecting messages concerning Viagra, or getting 
27,000,000 by helping some yutz in Nigeria.

The way I see it, any item regardless of its delivery method that has 
the potential to do harm financially or otherwise should be stopped 
(IMHO) by the AV.
These messages are running out of control. They are clever, and when 
used in conjunction with their associated websites are very hard to 
identify it from the real thing.

ClamAV isn't the only agent that detects Phishing attempts. McAfee, 
PcCillin, etc. detect these attempts; why would anyone expect ClamAV to do 
less?

I may be thinking of something else here, but if memory serves the dev 
team will be providing a method for you (or anyone) not wanting these 
detected, to disable it.

and with that the debate should be ended.
BF
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Report Phishing attacks?

2005-03-22 Thread BitFuzzy
Julian Mehnle wrote:
I can't believe you still didn't get the point.
This is NOT about removing ClamAV's capacity for detecting phishing
attacks, little yellow rubber ducks in PNG images, or whatever else.  This
is about making it _optional_, for those people who don't want certain
types of malware to be scanned for.
___
http://lurker.clamav.net/list/clamav-users.html
 

And they're adding it. So why is the issue festering?
I understand people want to post their views (as they should). But this 
topic in particular has and will end up in a never ending loop, that 
tends to be worse than Linux vs Windows debates.

It died out once, and I hope it does so again, quickly

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Report Phishing attacks?

2005-03-22 Thread BitFuzzy
[EMAIL PROTECTED] wrote:
um, reread what you just wrote. 'any item regardless of its delivery 
method that has the potential to do harm financially or otherwise'. 
let's see, little old ladies emailing their bank account information 
to MRS. MIRIAM SESE SEKO, LATE OF THE CHIEF PETROLEUM RESERVES OFFICE 
OF NIGERIA, doesn't pose the potential to do harm financially? How 
about V1c0d1n, a prescription drug, that if you order it from spam, 
chances are you'll never get it, because who in their right mind would 
file a complaint that they didn't get a prescription drug they ordered 
illegally over the net? No risk of financial harm there? what about a 
spam message for porn, and the poor yutz clicks the link and is sent 
instead to a kiddie porn site, and later his IP address is swept up by 
law enforcement and he goes to jail as a pedophile - doesn't fit your 
criteria?

your argument isn't consistent.
You're right it isn't consistent, that's because the issue isn't black 
and white, it's a clammy shade of gray.

The difference between what's being detected as phishing attempts is 
that they are crafted to make you believe you are at 
http://www.your-bank.com, ebay.com, paypal.com, etc. They are in most 
cases very convincing, thus not only the foolish can fall prey.  (I know 
very savvy people who fell for these)

The other forms mentioned do pose the exact same threat; however, there 
is a big difference: the victim here was just being gullible.
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Re: How to Filter Spam Mails

2005-03-17 Thread BitFuzzy

hai
Does anyone know how to filter mails using clamAV milter with sendmail?
I don't want to use spamassassin; it will only mark as junk. I don't want to
send it to users, I want to move it to a particular mail box.
Thanks
   

This is rather simple with spamassassin, err, I should say spamassassin w/ 
procmail

simply add:

:0:
* ^X-Spam-Status: Yes
/directory/path/to/filename

to a procmail profile (either global /etc/procmailrc, or per user 
/home/user_name/.procmailrc).

Hope this helps
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Clamav Home Page Problem

2005-02-22 Thread BitFuzzy

On Tue, 22 Feb 2005 09:38:20 -0600 (CST)
Ken Jones [EMAIL PROTECTED] wrote:
 

When I go to the address http://www.clamav.net/ the latest version is
still .82.
   

0.83 is listed under stable downloads, as it should be.
I may be wrong here, but I believe 0.83 was more or less just a bug fix, 
which explains why you're not seeing it among the release notifications 
on the website.

___
http://lurker.clamav.net/list/clamav-users.html


Re: AW: [Clamav-users] Re: not updating clam

2005-02-15 Thread BitFuzzy
Frank Elsner wrote:
On Tue, 15 Feb 2005 08:54:09 -0500 akshat wrote:
 

Why not possible, earlier it was updated
automatically. An entry is made in
crontab. 
   

Don't mix up a) update of database
b) update of the software (binaries)
 

This appears to be a common misconception, that's perhaps carried over 
from the world of Windows.
I've been using Linux since '99' and I even asked this question the 
first time I saw the listing in the update log.

I'm not big on making suggestions, especially in a situation where the 
development team appears to have everything under control. But perhaps 
it might be a good idea to include a little behind the scenes tutorial 
about what happens when an update notification occurs and what specific 
messages that may be found in the log files mean.

Granted the above is rather simple to figure out, and out of 100 users 
perhaps 2 will actually read the darn thing, but if it lowers the number 
of these types of questions sent to the support team's email, or various 
support lists, wouldn't it be worth it?

As I said just a thought.
Keep up the great work guys!!
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: AW: [Clamav-users] Re: not updating clam

2005-02-15 Thread BitFuzzy
[EMAIL PROTECTED] wrote:
easier:
change the text from:
WARNING: Your ClamAV installation is OUTDATED - please update 
immediately!
WARNING: Local version: 0.81 Recommended version: 0.82

to
WARNING: A new version of the ClamAV program is available! Your 
version: 0.82
WARNING: New version available for download: 0.83 See 
http://www.clamav.net  for details.

or something like that. greater clarity in the warning message will go 
a long way to clearing this up. 'update' is easily misunderstood to 
mean virus definition updates.

Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Works for me ;)
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: AW: [Clamav-users] Re: not updating clam

2005-02-15 Thread BitFuzzy
Tomasz Papszun wrote:
http://www.clamav.net/faq.html#pagestart
Surprise, surprise ;-) .
 

LOL
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Phishing Questions

2005-01-27 Thread BitFuzzy
You know, this gets old real quick!
Back when this debate first started (around November or so) I never 
thought it would stop.
In November I decided to do 2 things 1 log what viruses were being 
caught, where they were going, and what virus was detected.
Out of 446 detected viruses, 167 were phishing attempts.
How can stopping 167 attempts to defraud be looked at as a bad thing 
regardless of what stopped it.

ClamAV detects them, and I for one am very happy that it does.
Keep up the great work guys!!
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] clamav as HTTP scanner?

2004-12-16 Thread BitFuzzy

Is this a joke? licensed under the GPL  not free for commercial
use.
 

As far as I can tell there is nothing wrong with this. In fact I've seen 
this quite a lot.
The GPL does not prevent anyone from making money.

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-14 Thread BitFuzzy
Joe Maimon wrote:
I'm certainly *very* happy that ClamAV team have added more phishing
detections (thanks Trog et al).
Yes, you're correct it's social engineering but it doesn't stop 
users clicking on the links
and downloading the keylogging trojan, from the remote site that the 
phish email takes them to.

I don't personally think we need a --no-phishing option in ClamAV 
but someone might ;)

I'd like to add that there are too many users that tend to click or 
provide information without authenticating the request is legitimate.
Paypal, Ebay, and Credit Card users are open targets.

Identity theft, and Credit Card fraud can be directly linked to 
phishing. In fact other anti virus companies have started detecting this 
as well.
Note: pccillin-HTML_CITIFRAUD.H

Censorship worries me as well, but there has to be a line drawn to 
protect users from themselves.
For users who for whatever reason want the message, they have the 
ability to login to a webmail client and view the original email.

Sending an informational email to users explaining why certain emails are 
blocked (for their protection) usually is good for brownie points with
the end users.

Everybody knows legitimate companies don't usually send emails 
requesting account verification as it's usually done by mail, phone, or 
when the user logs into their account. So blocking this can only be seen 
as a good thing.

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] foto From: Rse rse@engelschall.com To: Modssl-users modssl-users@modssl.org

2004-09-01 Thread BitFuzzy
Jo Mills wrote:
On Wed, Sep 01, 2004 at 02:20:37PM +0200, Maurizio Marini wrote:
 

as subscriber to Modssl-users, I'm receiving by yesterday many copies of an
email with subject: foto
coming from engelschall
I think some of them have received it, too
   

In my opinion the modssl users list has been made useless.
heh you can't even get off the darn thing.
Due to virus and spam being sent through the list, I ended up having to 
black list the list.
Emails to the maintainer don't even get answered.

I am very happy to find that the clamav list has nothing in common ;)
Regards
KC
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users