Re: [clamav-users] clamav error

2021-06-16 Thread Jigar via clamav-users
Hello,
Following is the disk space status. It appears there is no issue with disk space.

/dev/sda3   75G   50G   22G  71% /

With Regards

Jigar Raval



On Thu, Jun 17, 2021 at 9:06 AM Gary R. Schmidt  wrote:
>
> On 17/06/2021 13:30, Jigar via clamav-users wrote:
> > Hello,
> >
> > Suddenly, we are getting the following error in clamd.log file
> >
> > Thu Jun 17 08:52:49 2021 ->
> > /var/amavis/tmp/amavis-20210617T083549-04876-63FaXGZk/parts/p001:
> > Can't create new file ERROR
> > Thu Jun 17 08:52:49 2021 ->
> > /var/amavis/tmp/amavis-20210617T083549-04876-63FaXGZk/parts/p002:
> > Can't open file or directory ERROR
> >
> > We have checked all the permissions and ownership. There is no change in it.
> >
> > We still have the old version of clamav - 0.99 on our mail server. We
> > are in the process of upgrading to a new server. Meanwhile, we need
> > to run the server without any issue. We request kind help.
> >
> Have you checked that whatever file system contains
> "/var/amavis/tmp/amavis-20210617T083549-04876-63FaXGZk/parts" has not
> run out of space?
>
> Cheers,
> GaryB-)
>
> ___
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
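Gary's question (has the filesystem holding the amavis parts directory run out of space?) and the df output above check bytes only; a volume can show 22G free and still fail every file creation when its inode table is exhausted, which df does not report. The following is an added example, not ClamAV or amavis code: it parses clamd.log records of the shape quoted in this thread (re-joining the wrapped lines), then reports free bytes and free inodes for the filesystem that holds each failing path. The sample log text is constructed from the two records quoted above, and the thresholds and the `probe`/`triage` names are assumptions of this example.

```python
"""Triage helper for the clamd errors quoted in the thread ("Can't create new
file ERROR" / "Can't open file or directory ERROR"): parse clamd.log records and
check the filesystem that holds each failing path for free bytes AND free inodes.
Added example; not ClamAV or amavis code."""
import os
import re
from collections import namedtuple

LogEvent = namedtuple("LogEvent", "timestamp path message")

# clamd.log record as it appears in the thread: "<timestamp> -> <path>: <message> ERROR".
# Archived mail wraps long records, so lines are joined until one ends in "ERROR".
_RECORD_RE = re.compile(r"^(?P<ts>.+?) -> (?P<path>.+?): (?P<msg>.+?) ERROR$")

# The two messages that mean clamd could not create or open a temp/part file.
FILE_ERRORS = ("Can't create new file", "Can't open file or directory")

# Constructed sample input, copied from the two records quoted in the thread.
SAMPLE_LOG = """\
Thu Jun 17 08:52:49 2021 ->
/var/amavis/tmp/amavis-20210617T083549-04876-63FaXGZk/parts/p001:
Can't create new file ERROR
Thu Jun 17 08:52:49 2021 ->
/var/amavis/tmp/amavis-20210617T083549-04876-63FaXGZk/parts/p002:
Can't open file or directory ERROR
"""


def parse_clamd_errors(text):
    """Return a LogEvent for every '... ERROR' record, re-joining wrapped lines."""
    events, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        buf = (buf + " " + line) if buf else line
        if buf.endswith("ERROR"):
            m = _RECORD_RE.match(buf)
            if m:
                events.append(LogEvent(m.group("ts"), m.group("path"), m.group("msg")))
            buf = ""
    return events


def filesystem_status(path):
    """statvfs the nearest existing ancestor of path (the per-message temp
    directory is usually gone by the time anyone looks) and report both
    byte and inode headroom."""
    probe = os.path.abspath(path)
    while not os.path.exists(probe):
        parent = os.path.dirname(probe)
        if parent == probe:
            break
        probe = parent
    st = os.statvfs(probe)
    return {
        "probe": probe,
        "free_bytes": st.f_bavail * st.f_frsize,
        "total_bytes": st.f_blocks * st.f_frsize,
        "free_inodes": st.f_favail,
        "total_inodes": st.f_files,
    }


def triage(text, min_free_bytes=100 * 1024 * 1024, min_free_inodes=1000):
    """Group file-creation errors by filesystem and name the likely shortage.
    Thresholds are assumptions of this example; tune them to the host."""
    by_fs = {}
    for ev in parse_clamd_errors(text):
        if ev.message not in FILE_ERRORS:
            continue
        status = filesystem_status(ev.path)
        entry = by_fs.setdefault(status["probe"], dict(status, error_count=0, paths=[]))
        entry["error_count"] += 1
        entry["paths"].append(ev.path)
    for entry in by_fs.values():
        causes = []
        if entry["free_bytes"] < min_free_bytes:
            causes.append("free space below threshold")
        if entry["total_inodes"] and entry["free_inodes"] < min_free_inodes:
            causes.append("free inodes below threshold")
        entry["suspected_causes"] = causes or [
            "space and inodes look fine: check permissions on the temp directory, "
            "mount options and the clamd process's open-file limit"]
    return list(by_fs.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s: %d error(s), %.1fG free, %s free inodes -> %s" % (
            f["probe"], f["error_count"], f["free_bytes"] / 2 ** 30,
            f["free_inodes"], "; ".join(f["suspected_causes"])))
```

Run it on the real clamd.log with `triage(open("/var/log/clamav/clamd.log").read())`; on a host where the amavis directory no longer exists the probe walks up to `/var` or `/`, which is the filesystem that matters anyway.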


[clamav-users] clamav error

2021-06-16 Thread Jigar via clamav-users
Hello,

Suddenly, we are getting the following error in clamd.log file

Thu Jun 17 08:52:49 2021 ->
/var/amavis/tmp/amavis-20210617T083549-04876-63FaXGZk/parts/p001:
Can't create new file ERROR
Thu Jun 17 08:52:49 2021 ->
/var/amavis/tmp/amavis-20210617T083549-04876-63FaXGZk/parts/p002:
Can't open file or directory ERROR

We have checked all the permissions and ownership. There is no change in it.

We still have the old version of clamav - 0.99 on our mail server. We
are in the process of upgrading to a new server. Meanwhile, we need
to run the server without any issue. We request kind help.

With Regards

Jigar Raval



Re: [clamav-users] signature for cve2017-11882

2021-04-03 Thread Jigar via clamav-users
Hello,

Thank you..

I agree with you, and I am also aware that it is an old vulnerability and
that the latest/patched software should be used.

However, my intention was to detect it before it gets delivered to the user,
especially when other AV could detect it and block it.

I will wait for a response from the clamav team.

With Regards
Jigar


On Sat, Apr 3, 2021, 22:26 G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Sat, 3 Apr 2021, Jigar via clamav-users wrote:
>
> > Any update w.r.t. the submitted infected file and signature?
>
> This vulnerability was patched by Microsoft more than three years ago.
>
> For example, see
>
> https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882
>
> There should be no vulnerable versions of the software running now.
>
> As this is such an old threat, and mitigated a long time ago, you seem
> to me to be more concerned about it than I would expect anyone to be.
>
> Is there any particular reason for that?
>
> If you supplied your email address to the ClamAV signature team when
> you reported the malware samples you will get an email in due course
> if a new signature is developed.  OTOH I should not expect them to be
> putting this one at the front of their schedule.
>
> If you are using vulnerable software, patch it.
>
> --
>
> 73,
> Ged.
>


Re: [clamav-users] signature for cve2017-11882

2021-04-03 Thread Jigar via clamav-users
Hello,

Any update w.r.t. the submitted infected file and signature?

With Regards
Jigar

On Thu, Apr 1, 2021, 09:26 Jigar  wrote:

> Hello,
>
> With reference to the infected file and generated signature uploaded on
> 30/March/2021, we hope the clamav team is checking it further.
>
> Meanwhile, for ready reference, we have enabled the signature on the
> mail server and have not found any false positives till today.
>
> With Regards
>
> Jigar Raval
>
>
>
>
> On Tue, Mar 30, 2021 at 9:22 AM Jigar  wrote:
> >
> > Hello,
> >
> > I have uploaded the infected file via the clamav malware report submission.
> > Kindly look into it. I have also attached herewith the
> > signature generated using it.
> >
> > With Regards
> >
> > Jigar Raval
> >
> >
> >
> >
> > On Sun, Mar 28, 2021 at 1:26 PM G.W. Haywood via clamav-users
> >  wrote:
> > >
> > > Hello again,
> > >
> > > On Sun, 28 Mar 2021, Jigar via clamav-users wrote:
> > > > On Sat, Mar 27, 2021 at 11:28 PM G.W. Haywood via clamav-users wrote:
> > > >>
> > > >> This is a rather old CVE, what databases do you use for your ClamAV
> > > >> installation?  Perhaps what you have seen recently is a new threat
> > > >> which has been engineered to avoid some of the existing signatures.
> > > >
> > > > ...
> > > > We have also scanned it using the latest clamav signatures, porcupine,
> > > > etc. but could not detect it. ...
> > >
> > > Can you give full details?  To tell us 'etc.' does not help.
> > >
> > > This is the address to use for reporting malware to the ClamAV team:
> > >
> > > https://www.clamav.net/reports/malware
> > >
> > > Did you use it?  If so, you probably don't need to do more, but you
> > > may need to be patient.  The signature team is small and busy.
> > >
> > > If you would place an encrypted archive of the malicious file(s)
> > > somewhere on the Web so that I can download it, I can take a look.
> > >
> > > --
> > >
> > > 73,
> > > Ged.
> > >


Re: [clamav-users] signature for cve2017-11882

2021-03-31 Thread Jigar via clamav-users
Hello,

With reference to the infected file and generated signature uploaded on
30/March/2021, we hope the clamav team is checking it further.

Meanwhile, for ready reference, we have enabled the signature on the
mail server and have not found any false positives till today.

With Regards

Jigar Raval




On Tue, Mar 30, 2021 at 9:22 AM Jigar  wrote:
>
> Hello,
>
> I have uploaded the infected file via the clamav malware report submission.
> Kindly look into it. I have also attached herewith the
> signature generated using it.
>
> With Regards
>
> Jigar Raval
>
>
>
>
> On Sun, Mar 28, 2021 at 1:26 PM G.W. Haywood via clamav-users
>  wrote:
> >
> > Hello again,
> >
> > On Sun, 28 Mar 2021, Jigar via clamav-users wrote:
> > > On Sat, Mar 27, 2021 at 11:28 PM G.W. Haywood via clamav-users wrote:
> > >>
> > >> This is a rather old CVE, what databases do you use for your ClamAV
> > >> installation?  Perhaps what you have seen recently is a new threat
> > >> which has been engineered to avoid some of the existing signatures.
> > >
> > > ...
> > > We have also scanned it using the latest clamav signatures, porcupine,
> > > etc. but could not detect it. ...
> >
> > Can you give full details?  To tell us 'etc.' does not help.
> >
> > This is the address to use for reporting malware to the ClamAV team:
> >
> > https://www.clamav.net/reports/malware
> >
> > Did you use it?  If so, you probably don't need to do more, but you
> > may need to be patient.  The signature team is small and busy.
> >
> > If you would place an encrypted archive of the malicious file(s)
> > somewhere on the Web so that I can download it, I can take a look.
> >
> > --
> >
> > 73,
> > Ged.
> >


Re: [clamav-users] signature for cve2017-11882

2021-03-29 Thread Jigar via clamav-users
Hello,

I have uploaded the infected file via the clamav malware report submission.
Kindly look into it. I have also attached herewith the
signature generated using it.

With Regards

Jigar Raval




On Sun, Mar 28, 2021 at 1:26 PM G.W. Haywood via clamav-users
 wrote:
>
> Hello again,
>
> On Sun, 28 Mar 2021, Jigar via clamav-users wrote:
> > On Sat, Mar 27, 2021 at 11:28 PM G.W. Haywood via clamav-users wrote:
> >>
> >> This is a rather old CVE, what databases do you use for your ClamAV
> >> installation?  Perhaps what you have seen recently is a new threat
> >> which has been engineered to avoid some of the existing signatures.
> >
> > ...
> > We have also scanned it using the latest clamav signatures, porcupine,
> > etc. but could not detect it. ...
>
> Can you give full details?  To tell us 'etc.' does not help.
>
> This is the address to use for reporting malware to the ClamAV team:
>
> https://www.clamav.net/reports/malware
>
> Did you use it?  If so, you probably don't need to do more, but you
> may need to be patient.  The signature team is small and busy.
>
> If you would place an encrypted archive of the malicious file(s)
> somewhere on the Web so that I can download it, I can take a look.
>
> --
>
> 73,
> Ged.
>


modified-sig26march2021.hdb
Description: Binary data



Re: [clamav-users] signature for cve2017-11882

2021-03-28 Thread Jigar via clamav-users
Hello,

I just tried using the following command but it is not detecting it.

clamscan -d javascript.ndb Receipt.xlsx

I feel it is a different variant of CVE-2017-11882.


On Sun, Mar 28, 2021, 15:19 Arnaud Jacques 
wrote:

> Hello Jigar,
>
>
>
> >   clam clam 312952834 Mar  9 10:48 securiteinfoold.hdb
> > clam clam  16405860 Mar 26 09:36 securiteinfo.hdb
> > clam clam   7203325 Mar 26 09:36 securiteinfohtml.hdb
> > clam clam   8421132 Mar 26 13:32 securiteinfoascii.hdb
>
> Why do you not have javascript.ndb???
> It can detect some cve2017-11882.
>
>
> --
> Cordialement / Best regards,
>
> Arnaud Jacques
> Gérant de SecuriteInfo.com
>
> Téléphone : +33-(0)3.60.47.09.81
> E-mail : a...@securiteinfo.com
> Site web : https://www.securiteinfo.com
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : @SecuriteInfoCom
> Signatures for ClamAV antivirus : http://ow.ly/LqfdL
>


Re: [clamav-users] signature for cve2017-11882

2021-03-28 Thread Jigar via clamav-users
Hello,

Thank you for the valuable inputs. We have attached herewith a screenshot
of the eset detection as cve2017-11882. This may further help.

We have also scanned it using the latest clamav signatures, porcupine,
etc. but could not detect it. So, we tried to prepare it using the
malicious file.

Brief Analysis: Microsoft Equation Editor, which is a Microsoft Office
component, contains a stack buffer overflow vulnerability that enables
remote code execution on a vulnerable system.
The vulnerability is caused by the Equation Editor which fails to
properly handle OLE objects in memory. This can allow an attacker to
cause remote code execution on the system using specially crafted
files.
The files attempt to exploit the CVE-2017-11882 vulnerability to
trigger code execution which downloads additional malware to take
control of the system.


IOC:
HASH:  SHA-256
99ce15e2fc458d02db44d648a4b88bfff0043131b392475ad314a1f3dd72245f
HTTP Requests
http://18.184.225.160/win/marxlo.exe
...



With Regards
Jigar Raval

On Sat, Mar 27, 2021 at 11:28 PM G.W. Haywood via clamav-users
 wrote:
>
> Hi there,
>
> On Sat, 27 Mar 2021, Jigar via clamav-users wrote:
>
> > In the first week of March 2021, multiple users received email
> > with an xlsx attachment having an exploit for CVE-2017-11882. The clamav
> > could not detect it, but other antivirus like eScan and ESET could
> > detect it as a malware threat.
>
> Signatures exist for at least some exploits of CVE-2017-11882.  Looking
> at the signatures in my current ClamAV database:
>
> $ grep -as CVE-2017-11882 * | cut -d';' -f1
> MiscreantPunch099-Low.ldb:MiscreantPunch.RTF.EvilRTF.CVE-2017-11882.M2
> MiscreantPunch099-Low.ldb:MiscreantPunch.RTF.EvilRTF.CVE-2017-11882.M3
> MiscreantPunch099-Low.ldb:MisreantPunch.EvilDoc.CVE-2017-11882.M9
> MiscreantPunch099-Low.ldb:MiscreantPunch.EvilDoc.CVE-2017-11882.M10
> MiscreantPunch099-Low.ldb:MiscreantPunch.EvilDoc.RTF-CVE-2017-11882.Template.180412.M2
> porcupine.hsb:58cbe7516369d9e79660bda6e576cffd:2738688:Porcupine.Win32.Exploit.CVE-2017-11882.C.99928:73
> porcupine.hsb:5cc0bfe9a8528b1deb2dcaa7691b1794:2621952:Porcupine.Win32.Exploit.CVE-2017-11882.C.100063:73
> porcupine.hsb:140aade63d9cd5cb747845101df9ff85:2395136:Porcupine.Win32.Exploit.CVE-2017-11882.C.100065:73
> porcupine.hsb:0db8aceb5fdf7f22bc31682726c5b071:883200:Porcupine.Win32.Exploit.CVE-2017-11882.C.99936:73
> porcupine.hsb:652fa43a2f71cab80126efc843a98d84:84891:Porcupine.Win32.Exploit.CVE-2017-11882.C.99924:73
>
> This is a rather old CVE, what databases do you use for your ClamAV
> installation?  Perhaps what you have seen recently is a new threat
> which has been engineered to avoid some of the existing signatures.
>
> > We also need guidance:
> >
> > 1. How to identify the correct file to generate the generic signature,
> > especially if files with different names but the same exploit have been sent.
>
> I do not understand the question, but ClamAV looks at a stream of data
> or at the contents of files.  Except for the purposes of reporting to
> you the results of scanning the files, the names of those files are of
> no significance to ClamAV.
>
> --
>
> 73,
> Ged.
>


[clamav-users] signature for cve2017-11882

2021-03-27 Thread Jigar via clamav-users
Hello,

In the first week of March 2021, multiple users received email
with an xlsx attachment having an exploit for CVE-2017-11882. The clamav
could not detect it, but other antivirus like eScan and ESET could
detect it as a malware threat.

With our first-time effort, we tried to build the signature and could
do it with the help of an existing infected file. The same was submitted
to clamav multiple times as there were some issues in signature
generation. However, after a few more efforts using debug of the tmp file,
we could generate the signature. The same has been attached for testing
and help, so other clamav users can benefit.

We also need guidance:

1. How to identify the correct file to generate the generic signature,
especially if files with different names but the same exploit have been
sent.


With Regards

Jigar Raval


sig.hdb
Description: Binary data
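The attached sig.hdb is a hash signature, and Ged's reply earlier in this thread makes the point that ClamAV matches a stream of bytes, never the file name; the porcupine.hsb entries he lists are the same kind of record with a SHA-256/MD5 hash, size, name and a ':73' functionality level. The following is an added example, not ClamAV's matcher and not the attached sig.hdb: it builds .hdb and .hsb records from file bytes, loads them into a lookup table and matches files against it. The two results a practitioner wants to see are that identical bytes under different names (the question in item 1 above) hit the same signature, and that a file differing in a single byte, i.e. a variant, is missed by a whole-file hash entirely. The sample bytes, the file names and the signature name `Example.Exploit.CVE-2017-11882.Sample` are constructed for the example; no real detection name is implied.

```python
"""ClamAV hash signatures (.hdb / .hsb) built and matched in pure Python, to
show why file names play no part in detection and why a byte-exact hash
signature misses a variant. Added example; not ClamAV's own matcher."""
import hashlib
import os
import tempfile


def hdb_line(data, name):
    """.hdb record: MD5:FileSize:MalwareName (whole-file MD5)."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


def hsb_line(data, name, min_flevel=73):
    """.hsb record: SHA256:FileSize:MalwareName:MinFLevel. The porcupine.hsb
    entries quoted in the thread use this layout with ':73' as the level."""
    return "%s:%d:%s:%d" % (hashlib.sha256(data).hexdigest(), len(data), name, min_flevel)


def load_hash_db(lines):
    """Parse .hdb/.hsb lines into {(hexdigest, size): name}.
    A size field of '*' matches any length."""
    db = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(":")[:3]
        db[(digest.lower(), size)] = name
    return db


def match_bytes(data, db):
    """Return the signature name whose hash and size match data, else None.
    Only the bytes are consulted; the caller's file name never is."""
    size = str(len(data))
    for algo in ("md5", "sha1", "sha256"):
        digest = hashlib.new(algo, data).hexdigest()
        for key in ((digest, size), (digest, "*")):
            if key in db:
                return db[key]
    return None


def match_file(path, db):
    """Hash-match one file on disk (the name in path is irrelevant)."""
    with open(path, "rb") as fh:
        return match_bytes(fh.read(), db)


# Constructed sample: a made-up document payload and a variant differing in one byte.
SAMPLE = b"constructed-sample-document equation-editor-bytes " * 4
VARIANT = SAMPLE[:-1] + b"!"
# Hypothetical signature name for the example; not a real ClamAV or porcupine name.
SIG_NAME = "Example.Exploit.CVE-2017-11882.Sample"


def demo():
    """Write the same bytes under two names plus a one-byte variant, scan all
    three against a one-line .hdb, and return {file name: detection or None}."""
    db = load_hash_db([hdb_line(SAMPLE, SIG_NAME)])
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for fname, content in (("Receipt.xlsx", SAMPLE),
                               ("Invoice_March.xlsx", SAMPLE),
                               ("Receipt_v2.xlsx", VARIANT)):
            p = os.path.join(d, fname)
            with open(p, "wb") as fh:
                fh.write(content)
            results[fname] = match_file(p, db)
    return results


if __name__ == "__main__":
    for fname, hit in demo().items():
        print("%-20s %s" % (fname, hit or "clean (no hash match)"))
```

The third result is the practical answer to "which file do I generate the signature from": a whole-file hash covers exactly one byte sequence, so each variant needs its own entry, which is why hash databases like porcupine.hsb carry many lines per CVE and why content-based .ldb/.ndb signatures are used when a family keeps changing.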
