Re: [clamav-users] Reference a normalized variable name without hardcoding a specific one?

2024-03-06 Thread Kris Deugau via clamav-users

Arnaud Jacques via clamav-users wrote:

> Hello Kris,
>
> [...]
> > /(n\d+).htmldomstuff;function(\1);/
> >
> > Do any of Clam's signature types support something like this?
>
> I use :
>
> 6e3?3?3?
>
> that matches n000, n003, n024, n781 ...


Right, and I've used that in cases where tracking a particular 
normalized variable isn't as important, but there are two problems:


1)  You can't start or end the overall pattern with this

2)  It's not matching "this specific normalized variable, for immediate 
local values of this specific normalized variable", it's matching "any 
normalized variable".


As I said in my original message, the specific sample at hand just now 
came out with n007 for the specific variable but variations in the 
scam could make that normalize to n003 or n024 or something else.  I 
only want to match that particular variable - irrespective of what 
n\d\d\d value it normalizes *to* in any specific sample file.  Which is 
why I want to capture the first case, and backreference it for further 
instances of it later in the pattern.


-kgd
___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


[clamav-users] Reference a normalized variable name without hardcoding a specific one?

2024-03-05 Thread Kris Deugau via clamav-users
So, I've been creating local signatures for a variety of obfuscated 
Javascript for a while.


But I've been missing a way to more precisely target malicious actions 
based on surrounding variables.


With my latest sample, I want to match "[variable].[htmldomstuff]", 
"function([variable])", across several nearby substrings.


But I *don't* want to hardcode any one specific normalized variable name 
- this particular sample has n007, but with very little fiddling it 
could well end up as n003 or n024.  What I want is a metareference of 
some kind to use across the substrings that will only match the same 
normalized variable name in all of them.


In PCRE I would just do something like:

/(n\d+).htmldomstuff;function(\1);/

Do any of Clam's signature types support something like this?  Logical 
signatures or Yara rules seem likely, but I've had trouble getting some 
more complex signature concepts to actually work with either.


-kgd
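Added example (not from the thread, and not ClamAV's own loader): the two approaches discussed in this thread side by side in Python. hexsig_to_regex is a small translator of my own that turns the nibble-wildcard hex body 6e3?3?3? into a bytes regex (it covers only literal bytes, ??, x?/?x, {n} and {n-m}); BACKREF is the PCRE pattern from the message with the literal dot and parentheses escaped. The three normalized-JavaScript stand-ins are constructed. It shows both points Kris makes: the wildcard fires on any normalized variable (and, because 3? means any byte 0x30-0x3f, also on bytes such as ';'), while the backreference only fires when the same variable appears in both places.

```python
import re


def hexsig_to_regex(body: str) -> bytes:
    """Translate a subset of ClamAV hex-signature syntax into a bytes regex.

    Handled: literal hex byte pairs, '??' (any byte), nibble wildcards such
    as '3?' or '?3' (one nibble fixed, the other free), '{n}' (exactly n
    bytes) and '{n-m}' (n to m bytes).  Anything else raises ValueError.
    Illustrative translator only; ClamAV's loader has more syntax and rules.
    """
    out = []
    i = 0
    while i < len(body):
        if body[i] == '{':
            j = body.index('}', i)            # ValueError if unbalanced
            lo, dash, hi = body[i + 1:j].partition('-')
            out.append('.{%s,%s}' % (lo, hi if dash else lo))
            i = j + 1
            continue
        pair = body[i:i + 2]
        if len(pair) != 2:
            raise ValueError('odd number of hex digits in %r' % body)
        if pair == '??':
            out.append('.')
        elif pair[1] == '?':                  # high nibble fixed: 0xN0..0xNF
            n = int(pair[0], 16) << 4
            out.append('[\\x%02x-\\x%02x]' % (n, n | 0xF))
        elif pair[0] == '?':                  # low nibble fixed: 0x0N, 0x1N, ...
            n = int(pair[1], 16)
            out.append('[%s]' % ''.join('\\x%02x' % ((h << 4) | n) for h in range(16)))
        else:
            int(pair, 16)                     # validates the two hex digits
            out.append('\\x' + pair)
        i += 2
    return ''.join(out).encode()


# The wildcard form from the thread: 'n' followed by three bytes 0x30-0x3f.
WILDCARD = re.compile(hexsig_to_regex('6e3?3?3?'), re.DOTALL)

# The PCRE form from the thread, with the literal '.' and '(' ')' escaped:
# capture the normalized name once, then require the same name later.
BACKREF = re.compile(rb'(n\d+)\.htmldomstuff;function\(\1\);')

# Constructed stand-ins for normalized JavaScript (not real samples).
SAMPLES = {
    'consistent': b'var n007;n007.htmldomstuff;function(n007);',
    'mixed':      b'var n003;n003.htmldomstuff;function(n024);',
    'punct':      b'x n;;; y',   # '3?' also covers ':' ';' '<' '=' '>' '?'
}


def classify(sample: bytes) -> dict:
    """Report what each form matches in one sample."""
    return {
        'wildcard': bool(WILDCARD.search(sample)),
        'wildcard_hits': [m.group().decode() for m in WILDCARD.finditer(sample)],
        'backref': bool(BACKREF.search(sample)),
    }


if __name__ == '__main__':
    for name, data in SAMPLES.items():
        print(name, classify(data))
```

The 'mixed' sample is the case the thread is about: the wildcard reports three normalized-variable hits but cannot say whether they are the same variable, whereas the backreference stays silent because n003 and n024 differ.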


Re: [clamav-users] [ext] ClamAV and Cohesity

2023-05-23 Thread Kris Deugau

steven aldenkamp via clamav-users wrote:

> Thanks.
>
> Apparently the info I gave earlier was older.
>
> We noticed also
> ClamAV 0.103.5


This is still three minor patch releases behind the current one in the 
0.103 series, and IIRC there were some low-grade security fixes in that 
span.


It should still be receiving signature updates though.

> And we haven't received much info yet from Cohesity either who are the
> primary contact for this app although it is ClamAV which runs in the
> background.


If some third party is bundling ClamAV, it's up to them to keep it 
properly up to date.


-kgd


Re: [clamav-users] Anyone else having trouble reaching the ClamAV website?

2023-01-05 Thread Kris Deugau

clamav.mbou...@spamgourmet.com wrote:

> Kris Deugau wrote:
> > I went to load a semi-bookmarked page for signature writing
> > (https://docs.clamav.net/manual/Signatures.html), but it failed and
> > kept reloading Cloudflare's "security check" voodoo.
>
> ClamAV's site works for me, using SeaMonkey 2.53.14 - I'd been looking
> at those pages before sending my earlier reply.  It seems to be affected
> by Edit > Preferences > Advanced > HTTP Networking.  I usually have that
> set to just identify as SeaMonkey.  With it set to identify as SeaMonkey
> and advertise Firefox compatibility, I see the looping effect you
> describe (at least when I enable Javascript, which is usually blocked by
> NoScript).


Thanks!  I don't even recall that setting, might be worth my time to 
trawl through everything and see what's new.


*rolls eyes at browser-sniffing*  Now to see what *other* sites break 
after changing that setting...  And maybe install a browser identifier 
plugin set to $firefox-recent.  *sigh*


-kgd


[clamav-users] Anyone else having trouble reaching the ClamAV website?

2023-01-05 Thread Kris Deugau
I went to load a semi-bookmarked page for signature writing 
(https://docs.clamav.net/manual/Signatures.html), but it failed and kept 
reloading Cloudflare's "security check" voodoo.


(Side question to pass up the chain at Cisco/Talos - is there a knob 
that can be twisted somewhere to force that check to run exactly once, 
then stop?  I can't imagine any scenario where running it over and over 
and over has any benefit to anyone.  [And for bonus points, display an 
error message that gives some sliver of a hint what 
beyond-the-bleeding-edge headacheware the site or its security provider 
insist on relying on this week.])


I then tried to load the main site, https://www.clamav.net, which also 
went into the same loop.


I usually use Seamonkey (all-in-one Mozilla suite).  I tried Konqueror 
which seemed to load things up fine.


Since starting to write this and putting it aside, I've come across a 
small handful of other sites with the same issue, including one case 
where the base site triggered the issue but a directory under the base 
site did not.  Since I'm *not* seeing it across a large number of sites, 
it's pretty clearly some specific security option in Cloudflare causing 
the failure.


-kgd


Re: [clamav-users] Fwd: exception rule - help needed

2023-01-04 Thread Kris Deugau

newcomer01 via clamav-users wrote:

> no one can help me?


I think most of us have just about given up on this test, and are either 
doing without or call ClamAV in a way that allows us to handle FP-prone 
tests like this differently from other results (either by whitelisting 
mail ahead of ClamAV and avoiding calling it in the first place, or by 
pushing it out so that the ClamAV result is scored or weighted).


I got tired of trying to find working entries for the .wdb file myself, 
and rearranged parts of the mail setup to allow this test to just feed 
SpamAssassin instead of being a hard pass-fail.


What would really help is if organizations that should really know 
better would quit *sending* these dodgy links in the first place, but 
that seems to be a lost cause.




> I need help to create an exception rule for my Bank e-mails.
>
> Currently, I have a "whitelist.wbd" file in the lib folder of clamav,
> but all of my rules seem not to work.
> Please help me to get the expected result, and it is generally no way
> for me, to disable these checks for all.
>
> M:facebook.com:mailing.sparkasse.de
> M:https://twitter.com:mailing.sparkasse.de
> M:instagram.com:mailing.sparkasse.de
> M:youtube.com:mailing.sparkasse.de
> M:play.google.com:mailing.sparkasse.de
> M:apps.apple.com:mailing.sparkasse.de


It's been a while since I dug into this, but at a wild guess, try 
putting these in the other order, ie:


M:mailing.sparkasse.de:facebook.com

and so on.

I was never able to predictably copy-paste anything out of the libclamav 
debug output to whitelist a URI pair, I just tried combinations until 
something worked - with no guarantee that using the same pieces the same 
way would work on the next one, which is why I gave up and just use it 
in a scored configuration.  If you search the list archives I think I've 
posted more details before.


-kgd


Re: [clamav-users] LibClamAV Warning: PNG: Unexpected early end-of-file.

2022-12-12 Thread Kris Deugau

Andrew C Aitchison via clamav-users wrote:

> On Mon, 12 Dec 2022, newcomer01 wrote:
>
> > Well on my PC I changed a lot because the naming was too messy for me.
> >
> > I have "program" clam*d*scan for which I have a clam*d*.conf and a
> > "program" clamscan for which I have a clamscan.conf. And then the
> > normal "program" freshclam with the freshclam.conf.
> >
> > That is logic ;-)
> >
> > To feed clam*d*scan and clamscan with the same conf is stupid, because
> > both programs have different options.
>
> clamscan (no 'd') does not have a config file at all.
> Which options do you want to be different ?
> Many of the options are the same. At least as a default I would expect the
>   --scan-* --alert-* --max-* --*-pua options to be the same.
>
> (Ignoring the freshclam config) clamscan *does not have a config file*
> so there is currently no need for an option
>  --config-file=FILE
>
> As I asked before,
> which settings do you expect clamscan to read from this config ?


I don't need this myself, but if you regularly set a lot of options for 
ad-hoc use it would be handy to have a config file to set them in the 
same way you do for clamdscan (and/or clamd, option depending) rather 
than typing them out all the time or dragging a wrapper script around.


Or, just have clamscan parse and use the same options from clamd.conf, 
because they ultimately trigger the same libclamav code paths.


-kgd


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread Kris Deugau

joe a wrote:

> To semi-hijack, I was attempting to deal with my own occasional false
> positive by using this thread as a clue.
>
> Attempting to follow the docs, I hit a wall here:
>
> "To help you identify what triggered a heuristic phishing alert,
> clamscan or clamd will print a message indicating the "Display URL" and
> "Real URL" involved in a heuristic phishing alert. "
>
> I did not find such an entry in any of the "usual suspect" logs, so
> wondering if that means I must somehow submit the offending email for a
> manual scan, or if I simply do not know where to look?


It's only in the debug output.  While I was still chasing this I just 
ran clamscan --debug after the fact on the FP sample to extract the 
relevant URL bits, although it was still sometimes a bit of effort to 
then find the right .wdb entry to actually whitelist the match when scanned.


Some time ago I gave up on using this test in a hard pass/fail context, 
largely because of exactly the class of problem reported in this thread. 
 Instead I have it enabled in a clamd instance that's called by a 
filter processing component with enough smarts to balance a hit on this 
test with other criteria.


-kgd
___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


Re: [clamav-users] clamdscan versus clamscan detection

2022-03-31 Thread Kris Deugau

Matus UHLAR - fantomas wrote:

> On 31.03.22 11:02, Petr Jurášek via clamav-users wrote:
> > https://www.mail-archive.com/clamav-users@lists.clamav.net/msg51769.html
> >
> > It's the same situation. Vir is detected, but file is "clean", you can
> > see it in summary.
>
> looks like that. I completely missed it.


[snip mix-n-match results]

*nods*  I've been trying to coherently describe the sets of interactions 
for a bug report, but it's not making a lot of sense from the outside.


From the sets of files I've come across, I've found the following.

Component files as left by clamscan --leave-temps are not always matched 
correctly.


Both hash and pattern signatures for various component files will do one of:

- Work correctly:

$ clamscan -d foo.hdb nastyfile.xls
nastyfile.xls: foosig.UNOFFICIAL FOUND
[...]
Infected files: 1

- Match/don't-match with two result lines and "Infected files: 0"
$ clamscan -d foo.hdb nastyfile.xls
nastyfile.xls: foosig.UNOFFICIAL FOUND
nastyfile.xls: OK
[...]
Infected files: 0

Most prevalent on this series of files, creating pretty much any 
signature for the component/fragment file that appears to always extract 
as e3af082cc2ec644830a69ddafe5abe31_1, and which the "file" utility tags 
as "Applesoft BASIC program data".


- Double-match with multiple result lines listing the same signature:
$ clamscan -d foo.hdb --allmatch nastyfile.xls
nastyfile.xls: foosig.UNOFFICIAL FOUND
nastyfile.xls: foosig.UNOFFICIAL FOUND
[...]
Infected files: 1

This case also covers having *multiple* different signatures - either of 
the same type or different types - that should each match different 
files from --leave-temps.


- Don't match at all:
$ clamscan -d foo.hdb nastyfile.xls
nastyfile.xls: OK
[...]
Infected files: 0

This case usually happens for signatures based on what appears to be a 
generated datastructure reference file, xlm_macros.[hash], however I'm 
pretty sure one of the other extracted files from --leave-temps did the 
same thing.


===

Blind brute-force pattern (.ndb) signatures on the raw file appear to 
match OK.


At this point I've just fallen back to brute-force pattern signatures, 
generated from multiple samples by a script that runs sigtool --hex-dump 
on each one, filters out mismatched bytes, and compacts long runs of 
mismatched bytes to {nn}.  These are grossly oversized signatures (~~1K 
characters), but they work.


-kgd
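The brute-force signature generator described at the end of this message, reimplemented as an added Python example (this is not Kris's script and not part of ClamAV). It works on raw sample bytes rather than on sigtool --hex-dump output: positions that agree across all samples become literal hex, an isolated differing byte becomes ??, a run of at least min_run differing bytes is compacted to {nn} (min_run is my own threshold), wildcards are trimmed from both ends so the body starts and ends on literal bytes, and the body is wrapped as an .ndb line (Name:TargetType:Offset:HexSignature). The three samples are constructed. ClamAV's loader enforces constraints this code does not check, so validate the result with clamscan -d on a test file before deploying it.

```python
from typing import Sequence


def build_hexsig(samples: Sequence[bytes], min_run: int = 4) -> str:
    """Derive a ClamAV-style hex signature body from several related samples.

    Only the common prefix length (the shortest sample) is compared.  Bytes
    equal in every sample are emitted as hex; differing bytes become '??',
    and a run of at least `min_run` differing bytes is written as '{nn}'.
    Leading and trailing wildcards are trimmed.
    """
    if len(samples) < 2:
        raise ValueError('need at least two samples to find invariant bytes')
    n = min(len(s) for s in samples)
    same = [all(s[i] == samples[0][i] for s in samples) for i in range(n)]

    # Trim wildcard positions at both ends so the body starts/ends on literals.
    lo, hi = 0, n
    while lo < hi and not same[lo]:
        lo += 1
    while hi > lo and not same[hi - 1]:
        hi -= 1
    if lo == hi:
        raise ValueError('samples share no invariant bytes')

    parts = []
    i = lo
    while i < hi:
        if same[i]:
            parts.append('%02x' % samples[0][i])
            i += 1
        else:
            j = i
            while j < hi and not same[j]:
                j += 1
            run = j - i
            parts.append('{%d}' % run if run >= min_run else '??' * run)
            i = j
    return ''.join(parts)


def ndb_line(name: str, samples: Sequence[bytes], target: int = 0) -> str:
    """Wrap the body as an .ndb entry; offset '*' means 'anywhere in the file'."""
    return '%s:%d:*:%s' % (name, target, build_hexsig(samples))


# Constructed look-alike samples: a fixed layout with a one-byte flag,
# a six-byte varying identifier and a one-byte varying counter.
SAMPLES = [
    b'HDR\x01ID=aaaaaa;k=7;PAYLOAD\x00',
    b'HDR\x01ID=bbbbbb;k=9;PAYLOAD\x00',
    b'HDR\x02ID=cccccc;k=7;PAYLOAD\x00',
]


if __name__ == '__main__':
    print(ndb_line('Test.Constructed', SAMPLES))
```

Lowering min_run below the length of the identifier run swaps the {6} for six ?? wildcards, which is the "grossly oversized" form the message mentions; the compaction is what keeps the body readable.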




[clamav-users] Detection glitch on series of Excel files

2022-03-25 Thread Kris Deugau
I've been seeing a series of Excel files recently that seem to be 
triggering a bug of some kind.


These are not matched by any stock signatures (yet), so I've been using 
clamscan --leave-temps to extract components for signatures.


Most of the time I just create hashes of a component from one sample 
Excel file, and quickly confirm that all apparently related files in the 
series are detected.


However, several sets have been causing grief in both creating a 
matching signature at all, and in the test scan.


Just as an example, two recent files I submitted to virustotal.com:

904ccc07615ed320fe38252436e195f56edb0205bcf42ee90f22e2c45098bf33
04115742b211846e372301dce9bdc499fbb8749b194de81422a8e790bff055fa

Both have several extracted component files that are very similar or 
identical:


6f48510eb90b6ad5186b4461f56266ae67d705a7fece8e56eca2c4296474eb19:219257:e3af082cc2ec644830a69ddafe5abe31_1
9ab4792a6626012a5238d383f1222c8d248c385e13c067731e6b98c9e0d87a4d:18025:xlm_macros.8ccda3bd23

However, clamscan -d test.hdb on one of these files produces a result 
like this:


Invoice 251064533 QT8094914.xls: 
e3af082cc2ec644830a69ddafe5abe31_1.UNOFFICIAL FOUND

Invoice 251064533 QT8094914.xls: OK

and a summary of "0 infected files".

clamscan --allmatch produces, not the pair of distinct matches I 
expected, but:


Invoice 251064533 QT8094914.xls: 
e3af082cc2ec644830a69ddafe5abe31_1.UNOFFICIAL FOUND
Invoice 251064533 QT8094914.xls: 
e3af082cc2ec644830a69ddafe5abe31_1.UNOFFICIAL FOUND


Also, regular pattern signatures (created by a script I haven't modified 
in a long time) from either the raw files or one or another of the 
component files don't appear to match, even if I copy the component 
files out of where --leave-temps drops them into an alternate working 
directory.  (I might be misremembering that last, I've tried a lot of 
combinations of signature types, creation methods, and target files 
before starting to write this.)


After chasing various parts of the files dropped by --leave-temps, I've 
found a solution for one series (the ones I checked on virustotal) by 
hand-constructing a pattern signature from the vba_project* file, but 
not all of the broader set have macros or VBA in them.


"file" says that ole2-tmp*/e3af082cc2ec644830a69ddafe5abe31_1 file is 
"Applesoft BASIC program data", but all I really care about is that it's 
commonly invariant between apparently related .xls files, and has 
historically been a good choice for a quick hash signature.  It isn't on 
this recent set of files.


xlm_macros.* has been identical within several sets of these files, but 
none of the signatures seem to actually match it.  I don't understand 
enough about either the structure of Office document files or how ClamAV 
breaks them down for scanning to have a good idea why.


-kgd



Re: [clamav-users] human friendly signatures

2022-03-21 Thread Kris Deugau

G.W. Haywood via clamav-users wrote:

> Hi there,
>
> On Mon, 21 Mar 2022, Kris Deugau wrote:
>
> > TBH I'd prefer if Clam *did* continue, just skipping malformed rules
> > (and also whinging loudly in the log).
>
> I could live with that if it didn't *also* crash.
>
> > Either would be better than just exiting (it's not a hard *crash*,
> > it's "just" refusing to load a file with a malformed signature -
> > including things like entirely blank lines).
>
> No, Kris.  It *is* a hard crash - and it doesn't happen when it loads
> the rules, it happens when it tries to scan something *after* loading
> a Yara file which contains a bad rule.  Not necessarily any bad rule,
> just one with any of a number of different kinds of badness which I've
> found to be problematic.  But as I said in my mail things may well be
> different as a result of Micah's August PR.  TBH I really haven't been
> inclined for quite some time to crash clamd on purpose. :)


Sorry, didn't see that, figured you were talking about the joy of
finding all those subtle little rules defining a well-formed signature.
To date I haven't managed to trip whatever bug(s) bit you, although I
*have* found relatively simple signatures that should have matched but
didn't.


I *have* pushed out "malformed" "signatures" (AKA "signature files with 
a blank line or two at the end") that caused the production clamd 
instances to shut down...  after which I spent some time adding 
validation to the SVN commit hook, and writing a local editing wrapper 
to help make sure signatures were valid before committing.


-kgd



Re: [clamav-users] human friendly signatures

2022-03-21 Thread Kris Deugau

G.W. Haywood via clamav-users wrote:

> Hi Micah,
>
> On Wed, 16 Mar 2022, Micah Snyder (micasnyd) wrote:
>
> > I'm not sure what you mean here.  Can you elaborate?  If you simply
> > want ClamAV to ignore garbage rules on load and continue with the rest
> > of the file (see point #4) - that's something we can easily improve
> > regardless of what we do. And that's how our yara rule loading logic
> > works right now.
>
> I strongly feel that if it finds a problem, rather than silently load
> some sub-optimal ruleset the parser should abandon the reload of the
> entire ruleset.  Obviously it should warn when it does that.  I guess
> this might be an issue if it's running on a machine with too little
> RAM to reload while simultaneously scanning with the previous ruleset,
> but something like a --test-ruleset option could probably handle that.


TBH I'd prefer if Clam *did* continue, just skipping malformed rules 
(and also whinging loudly in the log).


Either would be better than just exiting (it's not a hard *crash*, it's 
"just" refusing to load a file with a malformed signature - including 
things like entirely blank lines).




> While I was looking at this I also came upon another quirk that can be
> a bit of a nuisance.  AFAICT Yara strings can only be delimited by one
> of two characters, either a double-quote (for a literal string) or a
> forward-slash (for a regex).  It would help to be able to choose the
> quote character like in Perl; if not, at least having more available
> to choose from could make many expressions more readable, especially
> those which target e.g. HTML and links in mail (both of which tend to
> have many occurrences of double-quote or forward-slash characters).


Strictly speaking, four characters (the {} delimiters for hex strings). 
To my reading this is part of the upstream Yara spec, and I'd be wary of 
extending this particular bit without at least requiring some blatant, 
obvious flag in any such rule to clearly indicate that it's not stock 
Yara syntax.


-kgd



Re: [clamav-users] INSTREAM + eicar not well detected?

2022-03-03 Thread Kris Deugau

Jorge Elissalde via clamav-users wrote:

> Thank you for your answer.
> I'm using Windows clamd release 0.104.2
> I have double checked with wireshark and the data sent is ok.
>
> suppose I just send: char *eicarTest =
> "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
> Result is ok: instream(local):
> Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND
>
> then I send: char *eicarTest =
> "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*hjyhj"
>
> (5 more characters)
> Result is not ok: instream(local): OK
>
> Perhaps Windows Clamd release works differently than Linux release?


This got me curious, because this is the canonical test "virus" (does 
this actually still run on modern Windows?) that should be detected by 
any AV software in existence.  I started wondering if the official stock 
Eicar signatures were hash signatures instead of one of the 
pattern-based types.


And so they are:

kdeugau@ele:$ sigtool --find-sigs Eicar
[daily.mdu] 45056:3ea7d00dedd30bcdf46191358c36ffa4:Eicar-Test-Signature
[daily.msb] 
45056:f9b304ced34fcce3ab75c6dc58ad59e4d62177ffed35494f79f09bc4e8986c16:Eicar-Test-Signature
[daily.hsb] 
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f:68:Eicar-Test-Signature
[daily.hsu] 
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f:68:Eicar-Test-Signature

[daily.hdu] 44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
[daily.msu] 
45056:f9b304ced34fcce3ab75c6dc58ad59e4d62177ffed35494f79f09bc4e8986c16:Eicar-Test-Signature
[daily.ldb] 
Win.Dropper.Eicar-9892650-0;Engine:106-255,Target:1;0&1&2;4d535642564d{2}2e444c4c::i;56423521f01f{28}0a00{16}00f030ff080001000100;499257354f8ce4499f7d1f926dd38d28

[daily.hdb] 44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
[daily.mdb] 45056:3ea7d00dedd30bcdf46191358c36ffa4:Eicar-Test-Signature
[daily.mdb] 15872:2cc59e79e957c0fd8068e1bac52137bc:Win.Trojan.Eicartest-1
[6327695.cbc BYTECODE] 
Eicar-Signature.{};Engine:56-255,Target:0;0;0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a

[main.mdb] 2560:db9db3a5cf0ba0e644ad04792e02fbcd:Win.Trojan.Eicar-1

kdeugau@ele:$ sigtool --find-sigs EICAR
[daily.ldb] 
Win.Tool.EICAR-9917185-0;Engine:51-255,Target:1;0&1&2&3&4;466f72206d6f726520736563757269747920666561747572652074657374732c20706c656173652076697369743a20687474703a2f2f772e616d74736f2e6f72672f666561747572652d73657474696e67732d636865636b2e68746d6c20;496e206361736520796f752065786563757465642074686973206170706c69636174696f6e20776974686f75742067657474696e6720616e7920616c6572742c20646574656374696f6e206f66205055412028506f74656e7469616c6c7920556e77616e746564204170706c69636174696f6e7329206973206e6f7420656e61;497320746865726520616e7920726561736f6e2c20776879206e6f7420636c6f7365207468652077696e646f773f;492077696c6c207265616c6c7920636c6f7365207468652077696e646f77206e6f772e;446f20796f752077616e7420746f20636c6f736520746869732077696e646f773f

[main.hdb] 44d88612fea8a8f36de82e1278abb02f:68:Win.Test.EICAR_HDB-1
[main.msb] 
45056:f9b304ced34fcce3ab75c6dc58ad59e4d62177ffed35494f79f09bc4e8986c16:Win.Test.EICAR_MSB-1

[main.mdb] 45056:3ea7d00dedd30bcdf46191358c36ffa4:Win.Test.EICAR_MDB-1
[main.hsb] 
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f:68:Win.Test.EICAR_HSB-1



There is quite a proliferation of hash signatures, but by definition
those will only ever match the exact file - ie, a file or stream
consisting of the exact 68 bytes in eicar.com.  The only one that would
match within a larger file or datastream is the bytecode signature
Eicar-Signature.{} (second from the bottom in the first set).


Check if you have bytecode signatures disabled in your Windows clamd 
instance.


-kgd
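An added Python example (not from the thread, and not ClamAV's matching code) that makes the hash-versus-pattern point above concrete using only the signature data quoted in the message: the .hdb and .hsb entries are treated as digest plus size over the whole stream, while the hex body of the bytecode signature is searched for as a substring. The 68-byte EICAR string is recovered by decoding that hex body, and appending the five extra characters from Jorge's report defeats both hash entries but not the pattern, which is the behaviour the message explains.

```python
import hashlib

# Hex body of the Eicar-Signature.{} bytecode entry quoted in the thread;
# decoding it yields the literal 68-byte EICAR test string.
EICAR_HEX = ('58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d'
             '5354414e444152442d414e544956495255532d544553542d46494c452124482b482a')
EICAR = bytes.fromhex(EICAR_HEX)

# Hash entries as quoted in the thread: .hdb is md5:size:name,
# .hsb is sha256:size:name.
HDB_ENTRY = '44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature'
HSB_ENTRY = ('275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f'
             ':68:Eicar-Test-Signature')

_DIGESTS = {32: hashlib.md5, 40: hashlib.sha1, 64: hashlib.sha256}


def hash_sig_matches(entry: str, data: bytes) -> bool:
    """Whole-file hash signature: the digest and the size must both match.

    A size of '*' (accepted by newer ClamAV releases) skips the size check.
    """
    digest, size, _name = entry.split(':', 2)
    algo = _DIGESTS[len(digest)]   # KeyError for an unrecognised digest length
    if size != '*' and len(data) != int(size):
        return False
    return algo(data).hexdigest() == digest.lower()


def pattern_sig_matches(hexbody: str, data: bytes) -> bool:
    """Literal hex body: matches anywhere in the stream, whatever its length."""
    return bytes.fromhex(hexbody) in data


def check(data: bytes) -> dict:
    """Evaluate one stream against the three signature kinds."""
    return {
        'hdb': hash_sig_matches(HDB_ENTRY, data),
        'hsb': hash_sig_matches(HSB_ENTRY, data),
        'pattern': pattern_sig_matches(EICAR_HEX, data),
    }


if __name__ == '__main__':
    print('exact file:   ', check(EICAR))
    print('with 5 extra: ', check(EICAR + b'hjyhj'))
```

The trailing-bytes case is exactly why a hash signature cannot stand in for a pattern signature when the test data arrives inside a larger stream; only the pattern kind (here, the bytecode signature's literal body) is unaffected by what surrounds it.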



Re: [clamav-users] Minor bug or working as intended?

2022-03-02 Thread Kris Deugau

Kris Deugau wrote:

> For some types of content, just allowing a plain ASCII string instead of
> the hex-coded version of the same would be a big help.  Or an
> enhancement in the current file formats allowing embedded comments -
> I've lost track of how many times I've created something complex, and
> had to reconstruct whatever logic I used to create it to make a tweak or
> refinement - or just gave up and created a new signature - because
> there's no way to document it in-band.  Ignoring empty lines -
> especially at the end of the signature file! - instead of just claiming
> "invalid signature" would ease editing.


One other pain point I've run into fairly regularly is that there's no 
way to have a *specific signature* match on the raw file - either you 
run your entire Clam instance without all of the content unpacking and 
normalization, and *all* your signatures need to be based on the raw 
files, or you run with the content unpacking enabled and have to bend 
and contort to match a perfectly simple chunk of data that's been 
variously mangled by one or both of the unpacking and normalization.


I've just found a new case - some malware spewer has embedded a 
password-protected .zip as the base-64-encoded data attribute of an 
iframe tag in a .html attachment.  (Ow.)  One of the chunks I want to 
match on is:


(lightly obfuscated in case of someone else who's already been here), 
but the entire unpacked/normalized "nocomment.html" from clamscan 
--leave-temps is:


img0457600xlspassword is 
52266


The normalized HTML and the bit that indicates this is a .zip are in
completely separate files in the unpacked/normalized data, so matching all
the pieces I want to match at the same time is going to be tricky at best.


This particular sample is small enough that the message would be passed 
to SpamAssassin (the whole original message is about 26k), where I can 
match what I want to match on quite easily.  But that's not always the case.


-kgd



Re: [clamav-users] Minor bug or working as intended?

2022-03-02 Thread Kris Deugau

Micah Snyder (micasnyd) via clamav-users wrote:

> G.W. Haywood wrote:
>
> > Execution time will be important for scanning filesystems, less so for
> > scanning mail (at least for scanning low-volume mail) and readability
> > can be hugely important if you're writing a lot of rules.  Perhaps we
> > should be asking the development team for readable LDB rules? :)
>
> Creating a new "human readable", or "human friendly", signature language
> is something that I've brought up many times this past 6 months in our
> team meetings.  I think it's more feasible than trying to make Yara
> rules fully functional in ClamAV, or than trying to make our signatures
> look the same as Yara.
>
> I toyed a bit with using the KDL document language
> (https://github.com/kdl-org/kdl) as a base for a new format.  My thought
> is it could be "compiled" or converted to more compact line of text
> prior to distribution, or unpacked/decompiled for readability as
> needed.  I am hoping we can spend some time these next few months
> investigating it further, once 0.105 is out.  With our Rust language
> integration working rather nicely these days, we should be able to
> leverage the language and library ecosystem for this effort making it
> far easier to implement than with C.


For some types of content, just allowing a plain ASCII string instead of 
the hex-coded version of the same would be a big help.  Or an 
enhancement in the current file formats allowing embedded comments - 
I've lost track of how many times I've created something complex, and 
had to reconstruct whatever logic I used to create it to make a tweak or 
refinement - or just gave up and created a new signature - because 
there's no way to document it in-band.  Ignoring empty lines - 
especially at the end of the signature file! - instead of just claiming 
"invalid signature" would ease editing.



> A disclaimer: This is purely brainstorming, and I have no idea if we
> would continue with the KDL idea or find something else.  Here are some
> examples from my short time spent brainstorming this a few months back.
>
> // example logical signature

[snip]

TBH that looks almost identical to the Yara rule syntax at a quick look. 
 Hard to say whether it would be better to spend time spinning up yet 
another signature format, or fixing edge cases in one that's already 
present and in use.


-kgd



Re: [clamav-users] allowlist/fixing false positive

2022-03-01 Thread Kris Deugau

Alex via clamav-users wrote:

> Hi,
>
> I have a fedora34 system with clamd-0.103.5 and amavisd/SA/postfix. I
> have a newsletter from ncua.gov that keeps getting blocked because it
> apparently contains links.gd in the body somewhere, although I can't
> find it.
>
> How do I exclude this email from being tagged without having to bypass
> the Heuristics.Phishing.Email.SpoofedDomain rule altogether?


Putting aside all of the "why are you idiots sending mail that triggers
this test in the first place" grumpiness at the senders, I'd recommend
redesigning your mail flow so that this is only triggered in a Clam
instance whose results are scored in SpamAssassin or some other layer
where this particular test can be scored alongside other things.


I gave up chasing FPs on it when used as a hard pass/fail check.  Too 
many places that should really know better...  apparently don't.  :/ 
(Seriously, why are so many places using URL shorteners as the link 
targets in HTML mail?  It's not like the eleventy-gazillion characters 
of clicktracker are taking up visual space in the message...)


If you still want to press on, look up the ".wdb" signature file (seems 
to be available at 
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format 
now), and add lines similar to these:


X:.+\.accountonline\.com:.+\.citibank\.com
M:click.info4.accountonline.com:image.info9.citibank.com

I sometimes had to fiddle and guess and shorten and lengthen and swap 
the URI elements to get it to properly match and exclude the link from 
this test;  good luck.



Also, I keep deleting the main.cvd database but it keeps replacing it.
How do I configure clamav so it only updates one of the main database
types?

clamscan -v virus-20220228T143424-suCp6LTlKRG5
LibClamAV Warning: Detected duplicate databases
/var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually
remove one of them


O_o  That's a new one on me.  I don't recall ever having spontaneously 
had both regenerate, and IIRC it's been a while since I've even seen the 
.cvd on live systems I maintain.  (At a quick look, all of them seem to 
just have the .cld files.)  Maybe remove the file, and run freshclam -D 
to see if that gives any more detail about what's going on?  Maybe 
remove the .cld and see what freshclam does?  Maybe remove *ALL* files 
in the ClamAV database directory path, and let freshclam download 
complete fresh copies of everything?


-kgd
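To try a .wdb line like the two above against a real/displayed link pair before it goes live, here is an added example (my own Python, not ClamAV's parser). It reads X: and M: entries and reports which entry, if any, allowlists a given pair. It assumes the documented shapes X:RealURL:DisplayedURL (regexes, taken here to need a whole-URL match, which is why the regexes above start with `.+`) and M:RealHostname:DisplayedHostname (hostnames, compared case-insensitively); the `\:` escape handling is my assumption, the sample entries are constructed from the two lines above, and the engine's own URL normalisation may differ.

```python
# Added example (not ClamAV's own code): a pre-flight checker for .wdb allowlist
# entries.  X entries are regexes that must match the whole real/displayed URL;
# M entries are hostname pairs compared case-insensitively (both are assumptions
# about the engine's behaviour, kept deliberately simple).
import re
from urllib.parse import urlsplit

# Split fields on ':' unless written '\:' so an X regex may still carry a colon
# (assumed escaping convention; the thread's two lines contain no colon at all).
_FIELD_SPLIT = re.compile(r"(?<!\\):")


def parse_wdb(text):
    """Parse .wdb text into a list of (kind, real, displayed) entries."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = _FIELD_SPLIT.split(line, maxsplit=2)
        if len(fields) != 3 or fields[0] not in ("X", "M"):
            raise ValueError(f"line {lineno}: expected X:RealURL:DisplayedURL or M:RealHost:DisplayedHost")
        kind, real, displayed = fields
        if kind == "X":
            # Compile now so a bad regex is reported with its line number, not at scan time.
            real = re.compile(real.replace(r"\:", ":"))
            displayed = re.compile(displayed.replace(r"\:", ":"))
        entries.append((kind, real, displayed))
    return entries


def _host(url):
    """Lower-cased hostname of a URL; a bare hostname is accepted as-is."""
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or url).lower()


def allowlisted(entries, real_url, displayed_url):
    """Return the first entry that allowlists this (real, displayed) pair, or None."""
    for kind, real, displayed in entries:
        if kind == "X":
            # Anchored whole-URL match: a path or query on the URL makes '.+\.host\.com' miss.
            if real.fullmatch(real_url) and displayed.fullmatch(displayed_url):
                return ("X", real.pattern, displayed.pattern)
        elif _host(real_url) == real.lower() and _host(displayed_url) == displayed.lower():
            return ("M", real, displayed)
    return None


# Constructed sample built from the two entry shapes shown in the reply above.
SAMPLE_WDB = r"""
# real link on accountonline.com, displayed text on citibank.com
X:.+\.accountonline\.com:.+\.citibank\.com
M:click.info4.accountonline.com:image.info9.citibank.com
"""

if __name__ == "__main__":
    entries = parse_wdb(SAMPLE_WDB)
    for pair in [("http://click.info4.accountonline.com", "http://image.info9.citibank.com"),
                 ("http://click.info4.accountonline.com/t?id=1", "https://image.info9.citibank.com/logo.png"),
                 ("http://click.example/t", "http://image.info9.citibank.com")]:
        print(pair, "->", allowlisted(entries, *pair))
```

The second sample pair is the interesting one: the X regex misses as soon as the link carries a path, and only the M hostname entry catches it, which is the fiddling with URI elements the reply describes.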



Re: [clamav-users] Minor bug or working as intended?

2022-02-25 Thread Kris Deugau

Laurent S. via clamav-users wrote:

Dear Kris,

I've had the same issue. In the last two years, I was regularly writing YARA 
sigs in ClamAV and finding that it behaves in strange ways... Especially the 
regex integration.

I specifically remember that counting regex wasn't possible and that I had to 
write those sigs either in strings or HEX.

After too many timeouts and strange stuff, I decided to rewrite all of the sigs 
I had written to LDB. It's not easy to read, less fun to write... but damn it's 
much more reliable and fast.

Here's what your sig could look like:

KGD.LDB.JS.SENDEMAIL;Engine:81-255,Target:3;0>3;3c73637269707420747970653d22746578742f6a617661736372697074223e66756e6374696f6e73656e64656d61696c{0-1}28297b

I took the liberty to define Target:3 (HTML). You might need to change that. 
Adding more criteria might be good too.


*nod*  I kept at it and the full Yara sig I eventually pushed live has 
10 strings, requiring layered sets of multi-hit matches.  (Finding a 
valid syntax just for those conditions alone was a bit tedious;  it's 
not clear from the upstream Yara docs or Clam's brief commentary whether 
you can nest conditions as pseudo-strings[1], but bumping the total 
match count required and just and'ing the sub-count conditions was Good 
Enough.)


-kgd

[1] Available indications say "you can't", although supposedly you can 
reference other Yara signatures - tried, couldn't get that working either




Re: [clamav-users] Minor bug or working as intended?

2022-02-25 Thread Kris Deugau

Maarten Broekman via clamav-users wrote:
There's not a lot that you can do in Yara rules that you can't do in LDB 
sigs... for what it's worth, here's a logical sig that detects the same 
thing as the Yara rules...


mbroekman@lothlorien:~$ grep MJB.JS.SendEmail clamdb/javascript_sigs.ldb | sigtool --decode-sigs

VIRUS NAME: MJB.JS.SendEmailFunc-0
TDB: Engine:90-255,Target:0
LOGICAL EXPRESSION: 0>3
  * SUBSIG ID 0
  +-> OFFSET: ANY
  +-> SIGMOD: NOCASE
  +-> DECODED SUBSIGNATURE:
{WILDCARD_ANY_STRING(LENGTH<=1)}function{WILDCARD_ANY_STRING(LENGTH<=1)}sendemail{WILDCARD_ANY_STRING(LENGTH<=1)}(){

mbroekman@lothlorien:~$ grep MJB.JS.SendEmail clamdb/javascript_sigs.ldb
MJB.JS.SendEmailFunc-0;Engine:90-255,Target:0;0>3;3c736372697074{-1}747970653d22746578742f6a617661736372697074223e{-1}66756e6374696f6e{-1}73656e64656d61696c{-1}28297b::i


*nods*  Thanks.  As it was I kept at it until I did actually have a full 
Yara signature that matched as intended working around the broken 
repetition condition with the hex string instead of the regex.


.ldb signatures could definitely use more expansive documentation;  the 
examples in the PDF are really pretty simple.  Earlier on I had also 
tripped over (among other things) what might be the correct syntax for 
multiple regex matches triggered by the same "hey, wake up!" 
subsignature.  (I'm not sure I understand why that's needed, it seems 
rather awkward.)


I'll have to remember to try {-1} more often.  This isn't the first time 
I've wanted to match a character that may not be there, although I 
usually also want to restrict matching to a subset of characters, not 
"any byte" (which is why I reached for the regex match in both my 
attempts at an ldb signature, and in the Yara signature).


-kgd



[clamav-users] Minor bug or working as intended?

2022-02-24 Thread Kris Deugau
After chasing docs back and forth and trying small variations, I think 
I've found what's arguably a bug in Clam's YARA implementation.


These two YARA rules should both match exactly the same, but don't.  The 
first will only match if the condition is changed to indicate a single 
match in some variation (either "#a > 0" or just "$a" both match).


rule data1 {
  strings:
$a = 

Re: [clamav-users] Current replacement for --max-ratio?

2022-01-17 Thread Kris Deugau

G.W. Haywood via clamav-users wrote:

Hi there,

On Fri, 14 Jan 2022, Kris Deugau wrote:

I've just come across a presumed-malicious .zip file of about 500K 
that contains a ~315M ISO image, which in turn appears to contain a 
~315M executable file.


After a bit of searching and testing I see the --max-ratio option has 
been removed from clamscan, and ArchiveMaxCompressionRatio in 
clamd.conf has been deprecated.


Are there any remaining (or new?) options that might help flag 
hypercompressed files like this?


If you're using clamd, perhaps try the AlertExceedsMax option together
with the MaxScanSize and/or MaxFileSize options.  No it's not the same. :/


Hmm.  Might work for this case, I'll try some combinations.


Did this arrive in mail, Kris?


Yes.  Indications are it was sent through a cracked hosting account, 
with an envelope and reply to a GMail account.


On closer inspection, when originally received the message matched one 
of the Sanesecurity "foxhole" signatures, which could collectively be 
scored much higher on this particular receiving account (technical role 
address).  It's a hack and I'm not sure it's worth even that much effort 
since this is the first example I've seen in the wild.


-kgd



[clamav-users] Current replacement for --max-ratio?

2022-01-14 Thread Kris Deugau
I've just come across a presumed-malicious .zip file of about 500K that 
contains a ~315M ISO image, which in turn appears to contain a ~315M 
executable file.


After a bit of searching and testing I see the --max-ratio option has 
been removed from clamscan, and ArchiveMaxCompressionRatio in clamd.conf 
has been deprecated.


Are there any remaining (or new?) options that might help flag 
hypercompressed files like this?


-kgd
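As an added example (not ClamAV code), a local stand-in for the removed ratio check that this message and the reply above discuss, alongside the AlertExceedsMax/MaxScanSize/MaxFileSize route suggested there: it reads each member's declared compressed and uncompressed sizes from the zip central directory, without inflating anything, and flags members whose ratio exceeds a threshold or whose claimed size is implausible. The threshold, member names and in-memory sample archives are constructed for the demo; it only looks at the outer zip, so the ISO-inside-zip case from the thread is caught by the outer member's size claim, not by looking inside the ISO.

```python
# Added example (not ClamAV's own code): flag "hypercompressed" zip members from
# the central directory alone, as a local replacement for --max-ratio.
import io
import os
import zipfile


def suspicious_members(zip_bytes, max_ratio=100, max_uncompressed=None):
    """Return [(name, compressed, uncompressed, ratio)] for members over the limits.

    Sizes come from the central directory, so nothing is inflated.  A hostile
    archive can lie about them, but an implausible claim in either direction is
    itself a reason to treat the file as untrusted.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            too_big = max_uncompressed is not None and info.file_size > max_uncompressed
            if ratio > max_ratio or too_big:
                hits.append((info.filename, info.compress_size, info.file_size, round(ratio, 1)))
    return hits


def make_sample_zip(member_name, payload):
    """Constructed in-memory DEFLATE archive for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed samples: 4 MB of zeros deflates to a few KB (ratio in the hundreds),
# random bytes do not compress at all (ratio about 1).
SAMPLE_HYPERCOMPRESSED = make_sample_zip("payload.iso", b"\0" * 4_000_000)
SAMPLE_NORMAL = make_sample_zip("readme.txt", os.urandom(20_000))

if __name__ == "__main__":
    for label, blob in (("hypercompressed", SAMPLE_HYPERCOMPRESSED), ("normal", SAMPLE_NORMAL)):
        print(label, len(blob), "bytes on disk ->", suspicious_members(blob))
```

Because the check never decompresses, it is safe to run on a mail-gateway box before the scanner is asked to expand the archive; a hit is best used as a scoring input rather than a hard reject, for the same FP reasons discussed elsewhere in this archive.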



Re: [clamav-users] what initiates freshclam? [OT]

2022-01-07 Thread Kris Deugau

G.W. Haywood via clamav-users wrote:

IMHO this is a pretty unconvincing reason to change your init system,
especially to one which is both as new as systemd, and as capable of
stupidity on a scale never before seen in any init system.  A couple
of examples here (the wanton renaming of Ethernet interfaces


IIRC most of that one can be laid at the feet of the kernel developers 
trying to make hardware enumeration more predictable, and systemd is 
just one of several places the sysadmin can try to clean up the pieces.


My understanding is about 50% "WTF?", but supposedly the change came 
about because a physical device on a known physical slot location will 
show up in the PCI hardware enumeration in a semirandom order.  The 
people having most issue with this were people using "many" multiport 
NICs to build routers, and they were apparently having real problems 
with logical interfaces semirandomly migrating from card to card to 
card.  When you're actively trying to decide where to fling packets 
around this is a Big Problem(TM).


-kgd



Re: [clamav-users] what initiates freshclam?

2022-01-06 Thread Kris Deugau

novpenguincne via clamav-users wrote:

OEL = Oracle Enterprise Linux

Under /usr/lib/systemd/system, there are the four clam*.service files.  But 
since none of them are active or enabled, I don't think they can be the source.  I 
scanned the entire file system for cl*.service and they are the only ones I can 
find.


The grep command will search the contents of the files;  I suggested it 
since you haven't found a match by filename.



It's not a big issue.  It's working.  I was just curious for my own knowledge.


Well, now you've got some of *us* curious, because like I said, this is 
a very strange way to call freshclam.  I really can't think of a good 
reason to wrap it up this way for most systems.


-kgd



Re: [clamav-users] what initiates freshclam?

2022-01-06 Thread Kris Deugau

novpenguincne via clamav-users wrote:
I'm still experimenting with Clam and I've got 103.4 installed on an OEL 
7.9 box.


What is "OEL"?  I'm guessing it's some Red Hat derivative.

I've got freshclam configured to download new updates every 
few hours.  I can manually run freshclam and successfully receive 
updates and I can manually run clamscan successfully.


If I run a ps command, I see /usr/share/clamav/freshclam-sleep is 
running so I'm assuming that this calls freshclam on the schedule.  But 
what is launching this on startup?


There are no cronjobs configured.  When I look at my systemd services, I 
see one named clamav-freshclam but it is disabled and not running.  I 
expanded my search and found a total of 4 services with 'clam' in the 
title (clamav-freshclam, clamav-clamonacc, clamd@, and clamonacc) but 
none of them are running and they are all currently disabled.


Is it some other service that doesn't have 'clam' in the name?


"grep -r freshclam /usr/lib/systemd/ /etc/systemd/" might turn up a 
pointer to the systemd unit that manages this.  "rpm -qf 
/usr/share/clamav/freshclam-sleep" will probably tell you what package 
this file belongs to.


TBH this seems like a very odd way to manage freshclam, as systemd 
includes methods to call something like freshclam on a schedule, or 
manage it directly either in the foreground or as a traditional 
background daemon.


-kgd



Re: [clamav-users] main.cvd update schedule

2021-12-21 Thread Kris Deugau

Vu, Hong-Duc V. via clamav-users wrote:

Hello,

How often does the main.cvd file get updated? According to this old post 
they have seven changes in two years.


https://lists.clamav.net/pipermail/clamav-users/2014-September/000916.html

This will help me troubleshoot any issues with my freshclam 
configuration if the file isn’t getting updated in a reasonable time frame.


Recent updates have been "when daily.cvd gets too big", and have been 
announced on this list as well IIRC.  Check the list archives.


-kgd



Re: [clamav-users] clamscan tar archive

2021-12-20 Thread Kris Deugau

Hart, Steven A. via clamav-users wrote:

Hello all,


ClamAV documentation states that tar archives are supported.   I've 
created a small sample tar archive that includes an eicar sample.  
Clamscan seems to only look at the tar archive as a single file and does 
not hit on the eicar sample within.   I've tried using the "-a" and 
"--scan-archive=yes" flags with no improvements.  I would appreciate 
advice as to if clamscan can actively scan tar archives directly.


WorksForMe(TM):

kdeugau@ele:~/$ tar -c ~kdeugau/dev/eicar >testeicar.tar
tar: Removing leading `/' from member names
kdeugau@ele:~/$ clamscan
/home/kdeugau/testeicar.tar: Eicar-Signature FOUND
[...]

kdeugau@ele:~/$ clamscan -V
ClamAV 0.103.3/26393/Mon Dec 20 04:19:51 2021

(Debian package;  only Debian testing and unstable have 0.103.4 so far, 
no sign of 0.104.)


-kgd



Re: [clamav-users] Possible to use clamdscan to scan a file on the clamd host?

2021-09-10 Thread Kris Deugau

Choate, Nathan via clamav-users wrote:

Hello,

I’ve recently been experimenting with using the recently built ClamAV 
Docker image in a Kubernetes deployment.


We want to utilize the ClamAV container in our deployment alongside a 
basic server application running in a separate pod.


We think the ideal pattern would be to have the ClamAV container running 
clamd in its own pod with its client running in a separate pod. The idea 
would be to


 1. Mount a volume for scanning into both the ClamAV container and the
client container
 2. Package clamdscan in the Docker image for the client pod
 3. Whenever a file is uploaded to the client pod:
 1. Move that file to the mounted volume (which is mounted in both
the ClamAV container and the client container)
 2. Use clamdscan from the client container to remotely tell clamd
in the ClamAV container to scan the new file in the shared volume

At the moment, it seems that whenever I try to use clamdscan to tell 
clamd to scan the volume contents from its container, clamdscan simply 
defaults to streaming the file contents from the client container to the 
ClamAV container.


I would assume that if no mode is specified, clamdscan will default to 
streaming the file contents to the TCP port if it’s on a remote “host” 
(in this case, a separate pod).


Preferably, we would like to use clamdscan to tell clamd to scan the 
mounted volume contents from its container, not through a stream from 
the client. Is that possible?


clamdscan can either pass a file descriptor to clamd (in which case 
clamdscan must be "local" to clamd), or it can stream the file over a 
socket.


There's no mechanism I've ever seen a hint of to tell a remote clamd to 
scan some arbitrary file on its local filesystem.


Since you're using containers instead of full VMs there may be some dark 
art to allow passing a file descriptor across containers, but IMO at 
first thought that seems to defeat the whole point of using them.


-kgd
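The streaming path described above, as an added example (not clamdscan's or clamd's code): a client that frames a buffer the way the INSTREAM command expects, and a mock responder that parses it, run over a socketpair so both sides of the exchange are visible, including what happens when the stream exceeds StreamMaxLength. The framing follows the clamd(8) protocol description (`zINSTREAM\0`, then 4-byte big-endian length-prefixed chunks, a zero-length chunk to finish, NUL-terminated reply); the mock's verdict, its marker string and the signature name it reports are constructed for the demo.

```python
# Added example (not clamd/clamdscan code): the clamd INSTREAM exchange, client
# and a mock server side, over an in-process socketpair.
import socket
import struct
import threading

CHUNK = 1024  # chunk size for the demo; clamdscan's real chunking is its own business


def send_instream(sock, data, chunk=CHUNK):
    """Client side: stream `data` over an open clamd socket and return the reply text."""
    try:
        sock.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), chunk):
            piece = data[i:i + chunk]
            sock.sendall(struct.pack(">I", len(piece)) + piece)   # <length><data>
        sock.sendall(struct.pack(">I", 0))                        # zero-length chunk ends it
    except (BrokenPipeError, ConnectionResetError):
        pass  # clamd hung up early (e.g. size limit); its reply, read below, says why
    reply = b""
    while not reply.endswith(b"\0"):
        try:
            part = sock.recv(4096)
        except ConnectionResetError:
            break
        if not part:
            break
        reply += part
    return reply.rstrip(b"\0").decode()


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed mid-chunk")
        buf += part
    return buf


def mock_clamd(sock, stream_max_length, marker=b"CONSTRUCTED-MARKER"):
    """Server side: parse one zINSTREAM request as clamd frames it and answer it."""
    try:
        cmd = b""
        while not cmd.endswith(b"\0"):
            cmd += _recv_exact(sock, 1)
        if cmd != b"zINSTREAM\0":
            sock.sendall(b"UNKNOWN COMMAND\0")
            return
        body = b""
        while True:
            (length,) = struct.unpack(">I", _recv_exact(sock, 4))
            if length == 0:
                break
            body += _recv_exact(sock, length)
            if len(body) > stream_max_length:
                # clamd enforces StreamMaxLength and closes the connection after this reply
                sock.sendall(b"INSTREAM size limit exceeded. ERROR\0")
                return
        # Verdict logic stands in for the real scan; marker and name are constructed.
        verdict = b"stream: Demo.Marker FOUND" if marker in body else b"stream: OK"
        sock.sendall(verdict + b"\0")
    finally:
        sock.close()


def scan_bytes(data, stream_max_length=1 << 20):
    """Run one client/mock exchange in-process and return the textual reply."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=mock_clamd, args=(server, stream_max_length))
    worker.start()
    try:
        return send_instream(client, data)
    finally:
        client.close()
        worker.join()


if __name__ == "__main__":
    print(scan_bytes(b"a harmless constructed document"))
    print(scan_bytes(b"header CONSTRUCTED-MARKER trailer"))
    print(scan_bytes(b"A" * 5000, stream_max_length=2000))
```

Everything the scanner sees travels over the socket, which is the cost of not sharing a filesystem; clamdscan's `--stream` forces this path and `--fdpass` selects the local descriptor-passing one, and the size-limit reply is the thing to watch for when a shared-volume design is replaced by streaming.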



Re: [clamav-users] clamscan: permission denied on many files being used by another process

2021-07-13 Thread Kris Deugau

Michael Wang wrote:
I understand "more" is not clamscan, I was just showing that the file in 
question cannot be opened with clamscan nor with "more" as 
administrator. I also understand if clamscan cannot read a file, it 
cannot scan it. My question is how I can let clamscan to read a file, as 
I have shown that even I cannot "more" a file used by another process as 
administrator.


Welcome to Windows.  If a file is open by some process, it fundamentally 
cannot be opened by any other process (possibly depending on the first 
process' open mode), *by definition*.  This is a very low-level 
restriction imposed by the Windows filesystem API.


Conventional antivirus scanners get around this by a) hooking into 
Windows' filesystem API (~~"scan-on-access", which IIRC Clam doesn't 
support - at least not well - on Windows) or b) scanning the memory 
space of the offending process (ClamAV doesn't scan memory chunks).


-kgd



[clamav-users] Sig writing advice - complex matching in a PDF

2021-06-18 Thread Kris Deugau

I have a phishy PDF.

I want to match a string I've extracted from one of the files left by 
clamscan --leave-temps, but ONLY if the outermost file being scanned is 
a PDF.


The string on its own is just generic enough I don't want to rely on it 
alone, so I want to limit matching to PDF files.


In theory, according to the sig-writing document, this means that this:

MySig:10:*:[pattern]

should work.

It doesn't.

MySig:0:*:[pattern] matches just fine, but it's going to match on any file.

MySig:0:0:255044462d312e350d0a*[pattern] doesn't match, because the PDF 
header lead and the phishy string are not present in the same file 
subcomponent, and the phishy string is not visible in the raw file.


Revising for a logical signature works with just the pattern:

MySig;Target:0;0;[pattern]

but not:

Mysig;Target:10;0;[pattern]
or
MySig;Container:CL_TYPE_PDF,Target:0;[pattern]
or
MySig;Target:0;0&1;255044462d312e350d0a;[pattern]
(never mind the fact that there doesn't seem to be a way to anchor 
subsig 0 to the beginning of the file, which means the whole thing can 
match other files that happen to embed a PDF header lead)


Attempts with a Yara signature fail much the same way.

Can anyone point me in the right direction?

-kgd
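An added example (mine, not sigtool's or ClamAV's code) covering the .ldb lines from Laurent's and Maarten's replies earlier on the page and the .ndb/.ldb attempts in this message: it translates the hex-signature syntax into Python byte regexes and evaluates a line against data, so a body and its logical expression can be checked offline before the file is loaded. Assumptions: Target and Container are parsed but not modelled, so the data passed in must already be the decoded or extracted content the engine would see (which is exactly the gap this message runs into); only `*` and integer .ndb offsets are handled; and the logical expression is read in a simplified left-to-right way (N>M compares N's match count, & needs every operand, | any), not the engine's full grammar. The sample script block and the Demo.PdfJs line are constructed.

```python
# Added example (not ClamAV/sigtool code): decode ClamAV hex-signature syntax to
# bytes regexes and evaluate .ndb/.ldb lines against already-decoded data.
import re

_TOKEN = re.compile(
    r"\{(\d*)(-?)(\d*)\}"                    # {n} {-n} {n-} {n-m}: bounded run of any bytes
    r"|\((?:[0-9a-fA-F]+\|)*[0-9a-fA-F]+\)"  # (aa|bbcc): alternatives
    r"|\*"                                   # *: any number of bytes
    r"|[0-9a-fA-F?]{2}"                      # one byte: literal, ?? or nibble wildcard (4?)
)


def _nibble_class(tok):
    """Byte class for a nibble wildcard: 4? is 0x40-0x4f, ?4 is 0x04,0x14,...,0xf4."""
    hi, lo = tok
    members = [b for b in range(256)
               if (hi == "?" or b >> 4 == int(hi, 16)) and (lo == "?" or b & 0xF == int(lo, 16))]
    return b"[" + b"".join(re.escape(bytes([b])) for b in members) + b"]"


def hexsig_to_regex(body):
    """Translate a hex-signature body into a bytes regex (use with re.DOTALL)."""
    out, pos = [], 0
    while pos < len(body):
        m = _TOKEN.match(body, pos)
        if not m:
            raise ValueError(f"unsupported syntax at offset {pos}: {body[pos:pos + 8]!r}")
        tok, pos = m.group(0), m.end()
        if tok[0] == "{":
            lo, dash, hi = m.groups()
            out.append(b".{%d}" % int(lo) if not dash
                       else b".{%s,%s}" % ((lo or "0").encode(), hi.encode()))
        elif tok == "*":
            out.append(b".*?")
        elif tok == "??":
            out.append(b".")
        elif tok[0] == "(":
            alts = [re.escape(bytes.fromhex(a)) for a in tok[1:-1].split("|")]
            out.append(b"(?:" + b"|".join(alts) + b")")
        elif "?" in tok:
            out.append(_nibble_class(tok))
        else:
            out.append(re.escape(bytes.fromhex(tok)))
    return b"".join(out)


def hexsig_fullmatch(body, data):
    """True when the whole of `data` is matched by the hex-signature body."""
    return re.fullmatch(hexsig_to_regex(body), data, re.DOTALL) is not None


def compile_subsig(subsig):
    """Compile one subsignature; ::i is NOCASE, other modifiers are ignored here."""
    flags = re.DOTALL
    if "::" in subsig:
        subsig, mods = subsig.split("::", 1)
        if "i" in mods:
            flags |= re.IGNORECASE
    return re.compile(hexsig_to_regex(subsig), flags)


def parse_signature(line):
    """Split a .ldb (Name;TDB;Logic;Sub0;...) or .ndb (Name:Target:Offset:Hex) line."""
    line = line.strip()
    if ";" in line:
        name, tdb, logic, *subs = line.split(";")
        return name, tdb, logic, [compile_subsig(s) for s in subs], None
    name, target, offset, body = line.split(":", 3)
    offset = None if offset == "*" else int(offset)  # only '*' and plain integers here
    return name, "Target:" + target, "0", [compile_subsig(body)], offset


def _count(rx, data, offset):
    """Match count; a fixed offset means the match must start exactly there."""
    if offset is not None:
        return 1 if rx.match(data, offset) else 0
    return sum(1 for _ in rx.finditer(data))


class _Logic:
    """Left-to-right evaluator for 0>3, 0&1, (0|1)>2 ... (simplified model, see lead-in)."""
    def __init__(self, expr, counts):
        self.s, self.i, self.counts = expr.replace(" ", ""), 0, counts

    def run(self):
        val = self.term()
        while self.i < len(self.s) and self.s[self.i] in "&|":
            op = self.s[self.i]
            self.i += 1
            rhs = self.term()
            val = val + rhs if op == "|" or (val and rhs) else 0
        return val

    def term(self):
        if self.s[self.i] == "(":
            self.i += 1
            val = self.run()
            self.i += 1                                  # the closing ')'
        else:
            m = re.match(r"\d+", self.s[self.i:])
            val = self.counts[int(m.group())]
            self.i += m.end()
        m = re.match(r"([<>=])(\d+)", self.s[self.i:])
        if m:                                            # count comparison: 1 if satisfied
            self.i += m.end()
            n = int(m.group(2))
            val = int({">": val > n, "<": val < n, "=": val == n}[m.group(1)])
        return val


def signature_matches(line, data):
    """True when the .ndb/.ldb line hits on already-decoded `data` under this model."""
    _, _, logic, subsigs, offset = parse_signature(line)
    return _Logic(logic, [_count(rx, data, offset) for rx in subsigs]).run() > 0


# Maarten Broekman's .ldb line from the thread; each {-1} admits up to one byte of anything.
MJB_LDB = ("MJB.JS.SendEmailFunc-0;Engine:90-255,Target:0;0>3;"
           "3c736372697074{-1}747970653d22746578742f6a617661736372697074223e{-1}"
           "66756e6374696f6e{-1}73656e64656d61696c{-1}28297b::i")
# Constructed .ndb line: "%PDF-1.5" at offset 0, anything, then "/JavaScript".
PDF_NDB = "Demo.PdfJs:0:0:255044462d312e35*2f4a617661536372697074"
# Constructed normalized-HTML sample: one <script> block per copy.
SCRIPT = b'<script type="text/javascript">function sendemail(){ return 1; }</script>\n'
```

Two things the evaluator makes visible: `0>3` in that .ldb line requires the subsignature to hit more than three times, so a page with a single script block does not match, and `{-1}` is "zero or one byte of anything", so a second space between `<script` and `type` breaks the match while a tab or nothing at all does not. For the PDF case, feeding it the raw file (offset 0 header) and the extracted text are two different inputs, which is why the single-file .ndb attempt above cannot see both.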



Re: [clamav-users] freshclam issues

2021-04-09 Thread Kris Deugau

Wayne Florence via clamav-users wrote:

Hello,

I have recently updated my 4 ClamAV private mirrors to version 0.103.0 
to fix issues downloading the cvd files.


However I am still having issues.  I have the servers set up to use 
freshclam via a cron once per day.


I am still getting 403 and 429 errors often from them; one last got the 
update on 4-1, one on 4-6, one on 4-7 and the final at 4-9.



Querying current.cvd.clamav.nfet

WARNING: Can't query current.cvd.clamav.net


Fix this first.

If DNS lookups like this are breaking you're almost certainly going to 
continue having trouble.


-kgd



Re: [clamav-users] Heuristics, only on or off?

2021-03-24 Thread Kris Deugau

Joe Acquisto-j4 wrote:

In log find (snipped)

". . .infected by Heuristics.OLE2.ContainsMacros.VBA"


This is enabled by the AlertOLE2Macros directive in clamd.conf


". . .infected by Heuristics.Phishing.Email.SpoofedDomain"


This is enabled by the PhishingScanURLs directive in clamd.conf.


I love the first one but loathe the second one.   Is there some secret sauce to
allow discriminating between them?


Read the man page for clamd.conf.  You may have to do some testing in a 
sandbox with some sample emails to determine exactly which combination 
of these and several apparently related settings you want enabled.


On the systems I maintain, I found that PhishingScanURLs suffered from 
too many false positives (albeit mostly on mail from senders that should 
really know better - I'm looking at you, major financial institutions), 
so I disabled it for hard pass/fail scanning.  I set up a secondary 
clamd instance with these and a number of other potentially FP-prone 
options as well as a collection of variously potentially risky third 
party and local signatures, but without the stock signatures.  This 
second instance is called from SpamAssassin for scoring instead of hard 
pass/fail.


-kgd



Re: [clamav-users] Problem with private mirror and cld, inc files

2021-01-27 Thread Kris Deugau

Vangelis Katsikaros via clamav-users wrote:
Hi Joel, thanks for the quick response. We already download once every 
hour (the default ubuntu 18.04 behavior). However, we are using auto 
scaling and we might be running a large number of EC2 instances (a few 
hundreds), that could try to download simultaneously. To further scale 
without issues it seemed quite easy (and it was easy in practice) to use 
a private mirror. The system conditions and the cld & inc files is the 
only blocker to make this work :/


It sounds like you need to add a freshclam call as one of the last bits 
of spinning up new VM/container instances just before actually 
activating one.  [edit:  I saw downthread you've supposedly already done 
this;  clearly something is going wrong close by that action.]  Or 
include a reference set of signature files and let freshclam run its 
updates in the VM/container as normally configured (with PrivateMirror, 
you should be able to get away with setting freshclam's update check 
interval down to 10-15 minutes - or possibly less).




On Jan 26, 2021, at 11:46 AM, Vangelis Katsikaros via clamav-users wrote:

Hi

I am using Ubuntu 18.04 and recently found out that downloading
clamav files was blocked by cloudflare. Based on
https://lists.clamav.net/pipermail/clamav-users/2020-April/009482.html
I contacted Joel Esler (many thanks for the quick reply) and he
informed me that we were downloading too often.



I did the following steps:
1) Created a private mirror as described in
https://www.clamav.net/documents/private-local-mirrors and
mirrored all "cvd" files.

2) Cloud-init ensures that on boot the files are downloaded from
the private mirror and are always available locally. Then
cloud-init restarts the clamav daemon.


Double-check this step.  If the systemd condition is failing, or clamd 
is failing to find the files, then the files aren't getting where they 
need to.



The systemd unit file has 2 ConditionPathExistsGlob that require
the additional files "main.cld", "main.inc", "daily.cld",
"daily.inc" to be available, for the service to start.
$ cat /lib/systemd/system/clamav-daemon.service
[Unit]
Description=Clam AntiVirus userspace daemon
Documentation=man:clamd(8) man:clamd.conf(5)
https://www.clamav.net/documents/
# Check for database existence
ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}


Unless I misread, that means "at least one of main.cvd, main.cld, or 
main.inc, plus at least one of daily.cvd, daily.cld, or daily.inc";  you 
should not need more.  If you're using the stock signature files you'll 
usually see bytecode.(cvd|cld|inc) as well, but it's not considered 
critical.


I'm not sure about the .inc files (sounds a bit familiar, legacy 
historic files?).  The .cvd files are the compressed version of the .cld 
files - for long-running systems using the standard incremental updates 
you'll usually end up with .cld files, but I expect in your case you'll 
have .cvd files.  IIRC at one time you did actually end up with both - 
or all three - but checking several instances locally I only see the 
.cld files.


TBH, re-reading https://www.clamav.net/documents/private-local-mirrors 
it seems to me you'd be better off including a baseline set of .cvd or 
.cld files in your instance image (periodically updated to cut down the 
time for an instance to finish going live), and using option 1 - using a 
proxy server to let freshclam just do its incremental updates on your 
VPS/container instances without hitting the public mirror network each time.


-kgd



Re: [clamav-users] Is Doc.Packed available as PUA category?

2021-01-14 Thread Kris Deugau

G.W. Haywood via clamav-users wrote:

One of the reasons that malicious senders send so many malicious
password protected documents by email is that it is not always easy
to detect malware in them without knowledge of the password, so by
and large scanners like ClamAV don't attempt to do it (even though
most of the time the malicious email will include the password).

If you prevent the scanner from alerting on password protected Excel
documents, and if your users open more or less any password protected
Excel document which comes their way, then you will have a problem
because they probably receive malicious documents every day.


I deal with this class of FP by disabling the FP-causing checks in the 
primary Clam instance, and enabling them in a secondary instance with a 
different set of signatures whose results are scored in SpamAssassin 
instead of treated as an absolute go/no-go result.  (Or calling ClamAV 
from a mediating layer in the mail flow that can achieve much the same 
result.)


I don't recall coming across any hits in this particular category, but 
what pushed me into this was the stream of otherwise legitimate "You 
should really know better"-ish mail from (marketing partners of) banks 
that kept triggering Heuristics.Phishing.Email.SpoofedDomain, and the 
hassle of figuring out what URL some marketroid had inventively mangled 
*this* time.



One way to get around the problem is to educate users.  For example
you might continue to reject such documents, and suggest your users do
not use Excel password protection.  Microsoft password protection is
in many cases trivially cracked, I've done it for customers when they
have lost their passwords.  For a simple way of accessing a document
without its password, see for example

http://www.excelsupersite.com/how-to-remove-an-excel-spreadsheet-password-in-6-easy-steps/ 



which I found with a simple search and selected more or less at random.


Unfortunately that doesn't address a password-protected *document*, it 
just describes allowing changes to locked spreadsheet pages.  (I.e., a 
document you can open, but to some degree can't modify.)


-kgd
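The split-instance layout described here and in the Heuristics reply earlier on the page, as an added configuration sketch (not from the list or the ClamAV project): one clamd for hard pass/fail with the FP-prone checks off, and a second on its own socket, pidfile, log and database directory with them on, called only for scoring. All paths and file names are illustrative; the secondary database directory is populated with third-party and local signature files only, and freshclam is not pointed at it.

```conf
# Primary instance: hard pass/fail at the MTA.  FP-prone heuristics stay off.
# /etc/clamav/clamd.conf  (illustrative path)
LocalSocket /run/clamav/clamd.ctl
DatabaseDirectory /var/lib/clamav
PhishingScanURLs no
AlertOLE2Macros no

# Secondary instance: results are scored from SpamAssassin, never a hard reject.
# /etc/clamav/clamd-scored.conf  (illustrative; own socket, pidfile, log and database dir)
LocalSocket /run/clamav/clamd-scored.ctl
PidFile /run/clamav/clamd-scored.pid
LogFile /var/log/clamav/clamd-scored.log
DatabaseDirectory /var/lib/clamav-scored
OfficialDatabaseOnly no
PhishingScanURLs yes
AlertOLE2Macros yes
```

Keeping the two database directories separate is what lets the secondary instance carry the riskier third-party and local signatures without the stock set, so a noisy heuristic or an aggressive community signature only ever adds a score rather than bouncing the message.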



Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

2020-12-23 Thread Kris Deugau

Orion Poplawski wrote:

Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
signature?  We're seeing following URLs trigger it:

https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt

Which seems to be the online update URLs for the urlhaus filter.  Does ClamAV
deem urlhaus a bad actor?


No, but that signature matches a line in that file.  Which should be 
expected since the Clam signature is presumably derived from the 
original source for that file.


-kgd



Re: [clamav-users] How can we consume .ldb files in ClamAV Ubuntu?

2020-12-14 Thread Kris Deugau

Sandeep Talla wrote:

Hi Mark/Kris,

Thank you for your responses. I have placed the *fireeye.ldb* file under 
the directory /var/lib/clamav/ and modified the permission to 644 and 
ownership to clamav. Then we have restarted the service 
clamav-daemon and then started clamscan. However, clamscan is not 
picking up the *fireeye.ldb* file when we verify the Freshclam.log and 
clamav.log files.


Are there any configuration settings that need to add for *clamd.conf* 
or *freshclam.conf* in order to pick up the fireeye.ldb file during 
clamscan?


The only thing that comes to mind is to check for the 
"OfficialDatabaseOnly" option in the configuration;  if set to "on" or 
"yes" this only loads the official databases.


The output from clamscan -D might tell you more.

I have a couple of systems using third party and local signatures without 
problem just by dropping the files beside the stock files.


-kgd



Re: [clamav-users] How can we consume .ldb files in ClamAV Ubuntu?

2020-12-14 Thread Kris Deugau

Sandeep Talla wrote:

Hi All,

We have ClamAV installed on Ubuntu. On Ubuntu, the rules can be 
specified or modified under the directory */var/lib/clamav/main.cvd*. 
However, we are trying to consume ClamAV rules from FireEye, as 
shown in the link below, which is an *.ldb* file, and we are trying to 
convert it to *.cvd* format.


Could you please let us know the steps on how to convert the *.ldb* to 
*.cvd*? Or how to consume the *.ldb* file in Ubuntu?


You shouldn't need to convert the format;  just put the file in 
/var/lib/clamav and clamd or clamscan should pick it up alongside the 
stock .cvd and/or .cld files.


-kgd



Re: [clamav-users] Kindly help in create unofficial signature

2020-09-21 Thread Kris Deugau

Dismas Axel (Thomas) via clamav-users wrote:

3) I ran the command:

cat Returned_Swift Copy,PDF.tar.xz | sigtool --hex-dump | head -c 2048 > Returned_Swift_Copy.ndb


If you don't have multiple similar but not quite identical samples, and 
you're not familiar with the structure of Windows executables, I'd 
advise against this.  It's likely to either trigger false positives, or 
match so little live traffic you'd be no better off if you had just 
created a hash signature.


Locally, I generally just create hash signatures unless I have a couple 
of samples that look to be similar.


I use the attached Perl script to read a set of files and spit out the 
hex dump with wildcards in place of the bytes that are different between 
files at that exact byte position.  Adjust the $baseoffset and 
$fromstart variables to shift the starting point forward and back 
through the file, or to work from the end of the file instead of the 
beginning.  (I originally created it to automate signature creation on 
files that had variable chunks of different data starting ~30-60 bytes 
or so in, but had big long runs of identical bytes starting from the end.)


Note that many sets of files will quickly turn into one giant wildcard, 
or a generic match on any Windows executable.  It also does no checking 
for whether the result is actually an acceptable ClamAV signature.  You 
may want to use clamscan --leave-temps to extract whatever extractable 
subsections it can, and build signatures based on those (I sometimes do 
this with sets of Office documents).


If you're looking to be more aggressive about blocking "possibly 
malicious things in archive files", I'd suggest the Sanesecurity 
"Foxhole" signatures.  They simply match on the filename extension of 
the file inside the archive or disk image.  If you're sure you'll never 
need to send or receive Windows executables or a couple of document file 
types wrapped in an archive file, they'll block a lot of 0-day junk.


-kgd
#!/usr/bin/perl
# generate clamav sigs from variant virus files
#
# Hex-dumps a reference file and one or more variant files with sigtool,
# compares them byte-by-byte at the same position, and prints a ClamAV hex
# signature body with wildcards in place of the bytes that differ.  Adjust
# $baseoffset and $fromstart to move the compared window through the file
# or to align the files from the end instead of the beginning.

use strict;
use warnings;

my $reffile = shift @ARGV
  or die "usage: $0 reference-file variant-file [variant-file ...]\n";
my $refsig = qx { sigtool --hex-dump < "$reffile" };

# number of 1024-hex-digit (512-byte) chunks to skip before the compared window
my $baseoffset = 0;
# work from the front or the back of the file?
my $fromstart = 1;

my $hs = 0;
# how many differing byte values at one position before it becomes a plain
# wildcard instead of an (aa|bb) alternation
my $ndiff = 1;

# skip $baseoffset chunks, then keep a 16384-hex-digit (8192-byte) window
if ($fromstart) {
  $refsig =~ s/^.{1024}// while $hs++ < $baseoffset;
  $refsig =~ s/^(.{16384}).+/$1/;
} else {
  $refsig =~ s/.{1024}$// while $hs++ < $baseoffset;
  $refsig =~ s/.+(.{16384})$/$1/;
}

# one two-digit hex string per byte
my @refbytes = ($refsig =~ /../g);

# same treatment for every variant file
my @basesigs;
foreach my $vfile (@ARGV) {
  my $sig = qx { sigtool --hex-dump < "$vfile" };
  $hs = 0;
  if ($fromstart) {
    $sig =~ s/^.{1024}// while $hs++ < $baseoffset;
    $sig =~ s/^(.{16384}).+/$1/;
  } else {
    $sig =~ s/.{1024}$// while $hs++ < $baseoffset;
    $sig =~ s/.+(.{16384})$/$1/;
  }
  my @bytes = ($sig =~ /../g);
  push @basesigs, \@bytes;
}

# per position: the byte itself, an (aa|bb) alternation, or a one-byte
# wildcard marker ('{1}') to be collapsed below
my @outsig;
for (my $i = 0; $i < 8192; $i++) {
  my @tmp;
  push @tmp, $refbytes[$i];
  no warnings qw (uninitialized);
  foreach my $b (@basesigs) {
    next if !defined($b->[$i]);
    push @tmp, $b->[$i] if !grep /^$b->[$i]$/, @tmp;
  }
  if ($#tmp) {
    if ($#tmp >= $ndiff) {
      push @outsig, '{1}';
    } else {
      push @outsig, '('.join('|',@tmp).')';
    }
  } else {
    push @outsig, $tmp[0];
  }
}

# collapse runs of wildcard markers: one byte -> ??, n bytes -> {n}
my $n = 0;
foreach my $byte (@outsig) {
  next if !defined($byte);
  if ($byte eq '{1}') {
    $n++;
    next;
  }
  if ($n) {
    print "{$n}" if $n > 1;
    print '??' if $n == 1;
  }
  print $byte;
  $n = 0;
}
print "\n";
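As an added example (mine, not the script from the post and not ClamAV code), here is the same position-by-position merge re-implemented in Python on in-memory byte strings, so it runs without sigtool and its output can be checked. It also adds what the post says the script leaves out: a leading or trailing wildcard constrains nothing, so they are trimmed; the result is refused if no static bytes survive; and the body is wrapped in a complete .ndb line (MalwareName:TargetType:Offset:HexSignature). Function names, the `from_end` and `ndiff` parameters (standing in for the script's `$fromstart` and `$ndiff`), the signature names and the sample bytes are all constructed for illustration.

```python
"""Build a ClamAV .ndb body signature from a set of related samples.

Added example: not the Perl script from the post and not ClamAV's own code.
It does the same comparison on in-memory byte strings (no sigtool needed)
and adds the edge checks the post says the script does not do.  Function
names and the sample bytes are constructed for illustration.
"""

WILDCARD = "??"  # ClamAV single-byte wildcard


def align(samples, from_end=False):
    """Return the region every sample has, aligned from the start or the end."""
    n = min(len(s) for s in samples)
    if n == 0:
        raise ValueError("every sample must contain at least one byte")
    return [s[-n:] if from_end else s[:n] for s in samples]


def column_tokens(samples, ndiff=1, from_end=False):
    """One token per byte position: literal hex, an (aa|bb) alternation, or ??.

    ndiff plays the role of the post's $ndiff: once a position has ndiff or
    more distinct values beyond the reference sample's, it becomes a
    wildcard; fewer become an alternation.
    """
    aligned = align(samples, from_end)
    tokens = []
    for i in range(len(aligned[0])):
        seen = []                      # distinct values, reference first
        for s in aligned:
            if s[i] not in seen:
                seen.append(s[i])
        if len(seen) == 1:
            tokens.append("%02x" % seen[0])
        elif len(seen) - 1 >= ndiff:
            tokens.append(WILDCARD)
        else:
            tokens.append("(" + "|".join("%02x" % b for b in seen) + ")")
    return tokens


def compress(tokens):
    """Collapse runs of ?? into {n}; a lone one stays ??, as the script prints."""
    out, run = [], 0
    for t in tokens:
        if t == WILDCARD:
            run += 1
            continue
        if run == 1:
            out.append(WILDCARD)
        elif run > 1:
            out.append("{%d}" % run)
        run = 0
        out.append(t)
    # a trailing run is dropped: it would only end the signature in a wildcard
    return out


def is_wildcard(token):
    return token == WILDCARD or token.startswith("{")


def strip_edges(tokens):
    """Drop leading and trailing wildcards: they constrain nothing."""
    while tokens and is_wildcard(tokens[0]):
        tokens = tokens[1:]
    while tokens and is_wildcard(tokens[-1]):
        tokens = tokens[:-1]
    return tokens


def build_ndb(name, samples, ndiff=1, from_end=False, target_type=0):
    """Return one .ndb line: MalwareName:TargetType:Offset:HexSignature.

    target_type 0 means any file type; offset '*' means anywhere in the file.
    """
    tokens = strip_edges(compress(column_tokens(samples, ndiff, from_end)))
    if not any(len(t) == 2 and t != WILDCARD for t in tokens):
        raise ValueError("no static bytes survive: the samples are too different")
    return "%s:%d:*:%s" % (name, target_type, "".join(tokens))


# Constructed samples: a shared header, a 3-byte field that varies, a shared
# run, and a final byte that differs only in the third sample.
SAMPLES = [bytes.fromhex(h) for h in (
    "4d5a9000 010203 aabbcc dd",
    "4d5a9000 112233 aabbcc dd",
    "4d5a9000 012233 aabbcc ee",
)]

if __name__ == "__main__":
    print(build_ndb("Local.Example-1", SAMPLES))           # {n} wildcard form
    print(build_ndb("Local.Example-2", SAMPLES, ndiff=2))  # (aa|bb) alternation form
```

The block deliberately leaves out the script's windowing (`$baseoffset` and the 8192-byte cap), which would go in front of `align()` when feeding real files, and it does not replace ClamAV's own parser: load the generated file with `clamscan -d` against the samples before trusting it.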



Re: [clamav-users] create /var/run/clamav on reboot in Fedora, otherwise Pulseaudio errors occur

2020-08-05 Thread Kris Deugau

Robert Kudyba wrote:
Using Fedora 31, this has been happening for quite a while. After reboot 
/var/run/clamav is removed, which is expected. However, when ClamAV was 
installed the user created in /etc/passwd looks like this:

clamav:x:985:981::/var/run/clamav:/sbin/nologin

So Pulseaudio tries to create the following directories/files:


In my opinion the bug lies in PulseAudio in doing whatever it's doing 
that needs to create files in the clamav user's home directory at all. 
ClamAV itself has no audio components that I know of (it might be 
generally "aware" of audio file types, if there are viruses that abuse 
them), so PulseAudio should not be doing anything in the clamav user's 
home directory.  (Or any other similar system user's home directory, for 
that matter.)


Creating /var/run/clamav earlier in the boot process - by whatever means 
- just papers over the real problem of some process accessing something 
it shouldn't be touching in the first place.  Not to mention the fact 
that ~/.config is the "Latest and Most Bestest(TM)" place for various 
tools to file their per-user configuration files;  it's supposed to be 
persistent, which /var/run/clamav very intentionally isn't.


-kgd




Re: [clamav-users] Multiple Streams embedded as base64 inside xml

2020-04-24 Thread Kris Deugau

G.W. Haywood via clamav-users wrote:

 It's quite possible that a scan could catch some
known problem in *any* file, no matter how compressed, containerized
and obfuscated, if there's already a signature which matches something
in the raw file (that is, before any extraction and/or decoding takes
place);


That's not entirely true, although I'd be happy to be proven wrong.

I've tried a couple of times to create signatures for Javascript malware 
(and asked for pointers on this list a couple of times), based on an 
obfuscation pattern in a series of raw files.  I have yet to find a way 
to actually match on the actual raw file in those cases.


-kgd



Re: [clamav-users] Heuristics.Limits.Exceeded FOUND

2020-04-03 Thread Kris Deugau

Arjen de Korte via clamav-users wrote:

Citeren Paul Kosinski via clamav-users :



However, applying clamscan to this file (which was slightly renamed by
my download script to be more readable) results in the following output:

clamscan --alert-exceeds-max=yes --max-scantime=999 
--max-scansize=4090M --max-filesize=4090M --max-files=3 
--max-recursion=30 --pcre-match-limit=9 
--pcre-max-filesize=9    firefox-68.6.1-esr-64.tar.bz2




Before writing this whole rant, you have not considered checking which 
of the options might have triggered this? You've reduced the 
--max-scantime from the default 120 seconds to under 1 second and still 
wonder why this breaks? Really?


That option seems to be missing from the man page entirely:

$ dpkg -l clamav
ii  clamav 0.102.1+dfsg-0+deb10u2  amd64 [...]
$ zgrep scantime /usr/share/man/man1/clamscan.1.gz
$


and does not specify units in the --help text:

$ clamscan --help
[...]
--max-scantime=#n                  Scan time longer than this 
will be skipped and assumed clean

[...]

Absent any documentation, I would reasonably assume this to be in 
seconds, not milliseconds.


I have no idea if you're wrong about this being the cause, but without 
diving into the source, Paul's use of that option looks entirely 
reasonable to me.


-kgd



Re: [clamav-users] Cannot install Clam AV on Ubuntu 16.04

2020-03-30 Thread Kris Deugau

Matus UHLAR - fantomas wrote:

On 30.03.20 18:09, Cheney, James via clamav-users wrote:
I did the sudo apt install clamav-daemon on a test 16.04 instance and 
it worked perfectly!


This makes me think I've overcomplicated the centos & RHEL installs 
we've done.


When I ran sudo yum install clamav-daemon on RHEL 7.7, it failed with 
"No package clamav-daemon available."


Is there a similarly easy way to install on RHEL & centos?

try

yum search clamav

if not in base, it may appear in epel.


Also try "clamd".  On my lingering CentOS 6 machine I see:

clamav-db
clamav
clamav-milter
clamd

available plus a couple of development support packages, and i686/x86_64 
variants of most of them.


Package names are often different between RHEL and its derivatives, and 
Debian and its derivatives.


-kgd



Re: [clamav-users] Proofpoint and Heuristics.Phishing.Email.SpoofedDomain

2020-03-16 Thread Kris Deugau

micah anderson via clamav-users wrote:


Hi,

I keep having people complaining about False Positives due to
Heuristics.Phishing.Email.SpoofedDomain because of Proofpoint.

I really didn't want to do this, but I added a few entries to the
local.wdb to whitelist it:

  X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17-
  X:.+urldefense\.proofpoint\.com([/?].*)?:.*([/?].*)?:17-

That seemed to work for a while, but people are getting hit by it again,
it seems like the URLs changed, they used to be:

  https://urldefense.proofpoint.com/v2/url?u=;

the newer ones prepend
  https://urldefense.com/v3/__

but that regexp should match, unless I'm misreading it. Does someone
have a better solution that works for this?


I only use Heuristics.Phishing.Email.SpoofedDomain in a ClamAV instance 
that doesn't blindly pass/fail a message based only on the ClamAV result.


For outbound mail, I handle this by calling ClamAV from MIMEDefang, 
where I can do anything I like with the ClamAV result.


For inbound mail, I have a secondary clamd instance configured *without* 
the stock signatures, but with this option and a selection of riskier 
local and third-party signatures.  This is called from SpamAssassin, and 
I can score different specific signatures or signature groups differently.


-kgd



Re: [clamav-users] ClamAV using high CPU and battery

2020-02-27 Thread Kris Deugau

Douglas Stinnette wrote:

I have been getting reports of ClamAV using high CPU during full scans.


Well  yes it's busy scanning the whole filesystem like it's been 
told to do.


Also I am getting a complaint from faculty that ClamAV is heavily using 
resources and causing loss of battery life.


If you're scanning a full system it's going to be busy for a while. 
Even regular Windows desktop AV packages usually take at least 30-40 
minutes for a full system scan.



Are these normal functions of the application?


They're not really "functions of the application", they're operational 
requirements for it to do what you've asked it to do.


They're normal for any program that does a lot of heavy processing and 
filesystem access.  On *nix systems you can reduce its impact on other 
processing by renicing (setting its priority) lower, and if you're using 
a Windows build you should be able to use Task Manager to set the 
priority low.


Very few programs I've seen will actively manage their actual CPU usage 
so that they only use eg 50% of one core - some of the distributed 
computing projects are the only ones I can think of offhand.  Otherwise 
most programs run flat-out while they're running.


-kgd



Re: [clamav-users] clamav-milter and "whitelist"

2019-12-24 Thread Kris Deugau

Gerard E. Seibert via clamav-users wrote:

On Mon, 23 Dec 2019 08:04:13 +0100, Alessandro Vesely via clamav-users
stated:

Perhaps you could try and match From:snopescom-.*@cmail20.com?


Actually, it is the "@cmail20.com" part that changes also.




I've also got cmail1 and cmail2 in my ham collection, and I expect the 
rest of the range gets used in various mail flows as well.


I really wish ESPs wouldn't do this, it makes it even more difficult to 
properly whitelist senders using their services.


-kgd



Re: [clamav-users] clamd onaccess scanning NFS

2019-11-11 Thread Kris Deugau

Mark Parker via clamav-users wrote:

Hi all,
I'm investigating clamav as a solution for a couple hundred linux 
boxes. We need onaccess scanning but I'm running into an issue. For 
clamd to do onaccess scanning it needs to be run as root to use the 
inotify components, but since we export our NFS volumes with 
root_squash, it doesn't have permissions to view a user's home directory 
contents.

Am I missing something?


clamd needs to run as root to scan arbitrary files on the system.  Try 
scanning home directories on the NFS host instead, and exclude the home 
directory tree from scanning on the clients if you have reason to scan 
elsewhere on those systems.


-kgd



Re: [clamav-users] Disable official database

2019-08-26 Thread Kris Deugau

G.W. Haywood via clamav-users wrote:

To find out what might work and what might not, here's what I did:

==
Using 'clamd':
8<--

1. I moved the 'main.cld' and 'daily.cld' files from my working clamav
database directory to a temporary directory, replaced them with empty
files, and by sending a message to its TCP port I told one of my clamd
daemons to reload its databases.  (By default clamd doesn't listen on
TCP, but I normally configure that anyway.)  Here's what happened:

Aug 25 08:28:01 mail6 root: PONG
Aug 25 08:28:20 mail6 ged: RELOADING
Aug 25 08:28:23 mail6 clamd[4518]: Reading databases from /etc/mail/clamav
Aug 25 08:28:23 mail6 clamd[4518]: reload db failed: Malformed database
Aug 25 08:28:23 mail6 clamd[4518]: Terminating because of a fatal error.
Aug 25 08:28:23 mail6 clamd[4518]: Pid file removed.
Aug 25 08:28:23 mail6 clamd[4518]: --- Stopped at Sun Aug 25 08:28:23 2019

The clamd daemon disliked the empty 'main' and 'daily' files and died.
I guess some folk might prefer it to carry on with the old databases,
but at least it's very clear what's happened.


From my own experience, I expect this is because they were, as per the 
error, "malformed".  ClamAV is very picky about this - too picky IMO.


If a signature database is present, it is expected to contain at least 
one signature, which is a valid signature for the database "type".  An 
empty file is not a valid signature database file.




6. The same, using a database directory containing just an empty file:

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> ls -l /etc/mail/clamav/empty/
total 0
-rw-r--r-- 1 root root 0 Aug 25 10:25 empty.ign2

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> /usr/local/bin/clamscan -d 
/etc/mail/clamav/empty clam.exe

clam.exe: OK


This is consistent with my experience;  .ign[2] is basically a list of 
signatures to ignore, and so it can reasonably be empty.  Strictly 
speaking it's not a signature database file, because it does not contain 
actual signatures - just the names of signatures to ignore/skip.


If you wanted to use *ONLY* one or more of the internal heuristic tests, 
this is probably the best option.


-kgd



Re: [clamav-users] Disable official database

2019-08-26 Thread Kris Deugau

Joel Esler (jesler) via clamav-users wrote:

I mean, it's possible not to download the official definitions and just point 
at a custom file right?


*nod*  This works fine.  I have a secondary Clam instance set up to use 
only a selection of third-party signatures that I do not absolutely 
trust as hard black/white tests, which is called from SpamAssassin and 
scored based on the resulting signature names.


clamd will use whatever database files are in its database directory. 
It does NOT use anything in any subdirectories.


clamscan will use those, or:

1) whatever database files are in the directory you specify with the -d 
argument, or


2) whatever single database file you specify with the -d argument

The only constant is that there must be at least one signature database, 
even if it's a trivial hash database with one signature that matches on 
an empty file.


-kgd



Re: [clamav-users] How to enable llvm ?

2019-05-21 Thread Kris Deugau

Dorian ROSSE via clamav-users wrote:

Yes, that doesn't work, as follows…

*checking for llvm-config... /usr/bin/llvm-config*

*configure: Using external LLVM*

*checking for supported LLVM version... no (6.0.0)*

*configure: error: LLVM < 3.7 required, but "6.0.0"(600) found*

*configure: error: Failed to configure LLVM, and LLVM was explicitly 
requested*


Sent from Mail for Windows 10


To rephrase Micah's message a little:

ClamAV does not currently support LLVM newer than version 3.6.  You'll 
either have to build LLVM 3.6 or older from source, and build ClamAV 
with that, or use the version bundled with ClamAV's source by using the 
--with-system-llvm=no option to ./configure.


-kgd





*From:* Micah Snyder (micasnyd) 
*Sent:* Friday, May 17, 2019 10:21:29 PM
*To:* ClamAV users ML
*Cc:* Dorian ROSSE
*Subject:* Re: [clamav-users] How to enable llvm ?

I will assume that you are on a Unix-like system and are building ClamAV 
from source.


ClamAV has a built-in version of LLVM that you can enable at compile 
time by configuring with these options:


./configure --enable-llvm --with-system-llvm=no

If you don’t use the “--with-system-llvm=no” option, it will try to use 
a version of LLVM installed to your system. Unfortunately, ClamAV only 
supports older versions of LLVM at this time, less than version 3.7.  
Most Linux distributions do not carry LLVM versions this old, anymore, 
so unless you build and install LLVM 3.6 from source, it will probably 
fall back to use ClamAV’s internal copy of LLVM.


If you don’t build with LLVM enabled, ClamAV will still be able to 
support the use of bytecode signatures by using its bytecode interpreter 
instead of LLVM.  The functionality for an end-user is equivalent to 
using LLVM, although the bytecode interpreter may execute more complex 
bytecode signatures more slowly than LLVM.


Regards,

Micah





Re: [clamav-users] clamd using ~1GB memory on Debian Stretch

2019-05-13 Thread Kris Deugau

Avinash Sonawane via clamav-users wrote:

On Mon, 13 May 2019 16:21:15 +0200
Matus UHLAR - fantomas  wrote:
  

loading takes time, much time.


How much time are we talking about here? I suppose by 'time' we mean
loading time (load binary and signatures) + processing time (comparing
signatures).

Now, for loading time, when I start firefox within 5-6 seconds it
immediately fills up 250+ Mb memory so for 950+ Mb (clamd) loading time
shouldn't be that of an issue.


ClamAV isn't just pushing bits from disk to RAM;  it does some active 
processing to convert the signatures from their plaintext format on disk 
into data structures for its pattern matching engine(s) to work with.


On lightly-loaded higher-end modern hardware, it should run about 15 
seconds IME to load the signatures.


On older or less capable hardware, or systems with lots of other 
processing going on, it can easily hit 30s to load the signatures.


On RAM-limited VPSes, you may be hitting swap, in which case load time 
may well be several minutes at least.  (And scanning isn't going to be 
very fast either.)



Of course, at scanning time those signs/dbs need to be in memory. At
scanning time not *all the time*. e.g. I am expecting an email at 6 PM.
I don't mind clamd taking that much of a memory *at* 6 PM and then
release it. I find it absolutely inconvenient to having to forgo ~1GB
memory since the morning. As I said, a poor bargain.


For your use case it sounds like you could do without ClamAV entirely.

-kgd



Re: [clamav-users] clamscan/clamdscan with -z option

2019-02-14 Thread Kris Deugau

Paul wrote:

Hi

I have been looking at using the -z option on either clamdscan or 
clamscan and stumbled onto some odd behavior.


This is with version 101.1. 101.0 also behaves the same.



Take 2 paultest-010E110713-000 is constructed from test/clam.mail with 
the addition of a line of text to the text/plain part of clam.mail which 
triggers SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND


paule@larch:~# clamscan  -z /var/lib/quarantine/paultest-010E110713-000
/var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
/var/lib/quarantine/paultest-010E110713-000: 
SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND

/var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
/var/lib/quarantine/paultest-010E110713-000: 
SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND




Any way to prevent the duplicate signature hits from being displayed?


   -z, --allmatch
  After a match, continue scanning within the file for 
additional matches.


 don't use -z?  There's no way I know of to specify which signature 
takes precedence during a single scan, so if you're continuing after 
you've found a match, I would call it reasonable that you also want to 
know all of the signatures that matched.  If you only want to report one 
signature, then continuing to scan the file seems to be a waste.


If you want to separately report hits from subsets of signatures, you'll 
probably need to store them in different directories, and use the -d option:


   -d FILE/DIR, --database=FILE/DIR
  Load virus database from FILE or load all virus database 
files from DIR.


to run multiple, independent scans with each subset of signatures.  This 
way you can pick which set to check in which order, and skip further 
processing as desired based on the results.


-kgd


Re: [clamav-users] Information regarding Win.Downloader.DDECmdExec-6715271-0

2018-11-13 Thread Kris Deugau

Dominique Sarrazin wrote:

Hi everyone,

On October 26th, ClamAV’s signature database was updated with the 
addition of Win.Downloader.DDECmdExec-6715271-0, for which I cannot find 
any information despite my thorough research.


sigtool --find-sigs [sig name] |sigtool --decode-sigs will at least tell 
you what it's matching on, assuming it's an active signature.


I don't seem to have that particular signature on any system I manage, 
so either it's third-party or it was dropped at some point.


The closest matches on that sig name that I have are 
Win.Downloader.DDEObfuscatedCmdExec-6715127-0 and 
Win.Downloader.DDEObfuscatedCmdExec-6715128-0.


Since that update, ClamAV has reported that many tables in our MySQL are 
susceptible to this vulnerability. I would simply like to know the 
details of this vulnerability and how to identify it in our database.


Scanning the filesystem storage for any DBMS is almost certainly a waste 
of time and likely to lead to all kinds of bizarre false positives.


If you really need to scan the content, scan things before inserting, or 
do a periodic "retrieve-and-scan" process if you're worried about 
zero-day malware that might not have had a signature when it was inserted.


-kgd


Re: [clamav-users] Specify more servers for clamdscan to pass for scanning

2018-11-05 Thread Kris Deugau

Brent Clark wrote:

Good day Guys

I have setup two clamd servers.

On my Webservers, I need to stream a file to the clamd for scanning.

I would like to ask, how would I specify two TCPAddr.

If I specify just one server, everything works ok.
I've tried various options and Google does not appear to be of assistance.

How does one specify more than one server for scanning?

I would like to use this as a poor man's "fail over", so that if one server 
is down, clamscan will move on to the next server.


We use Linux LVM load balancing to group "many" processing nodes 
(currently two, although we've had more on older hardware in the past) 
into one logical service.  You can then point your clamdscan (or 
clamav-milter) callers to the load-balanced IP.


-kgd


Re: [clamav-users] About clamav's requirements for system resources

2018-11-02 Thread Kris Deugau

zhuangxiaohui wrote:

Dear guys,

Thanks to your team for providing us such a wonderful anti-virus software.

But, I got some problems there.

I have some servers (CentOS 6/7). Most of them have 1GB memory, 600M
available.
But also servers with low memory, for example 512M memory, 200M available.
When I install "clamav" on a server which has 600M available memory and
start the "clamd" service,
I find that clamd's resident memory is about 500M. But on servers that have
only 200M of available memory,
the resident memory is about 100M. So I doubt whether clamd will work properly on
these servers, although both
scanning and database updates work normally.

Would you please tell me the lowest clamav requirements for system
resources, especially the memory?
I've searched on your website but found nothing about this :(


I wouldn't run ClamAV with stock signatures on anything less than 1G, 
and I wouldn't run much else on that machine.  If you're running a very 
light workload with a dedicated machine, you might get away with 512M.


The total file size for the stock signatures totals about 450M between 
daily.cld and main.cld (the other files are under 1M), so you'd need at 
least that just to load the signatures.


My lightly-loaded personal server with just stock signatures looks to be 
using about 590M for clamd, and the much more active machines at work, 
with a couple hundred extra local signatures, look to be using about 
700M each.


I've recently been working with a legacy system that has multiple nodes, 
most with 1G of RAM, and they're running quite a few other things 
besides Clam.  Before moving a chunk of mail flow off these machines, 
they were regularly hitting swap, causing performance to drop pretty badly.


-kgd


Re: [clamav-users] Whitelisting extensions for virus scan

2018-10-30 Thread Kris Deugau

Tilman Schmidt wrote:

Am 29.10.18 um 17:33 schrieb Kris Deugau:

Tilman Schmidt wrote:

Am 26.10.18 um 15:34 schrieb Johnny Time:

For example, we wanted to authorize only a white list which contains
*.doc,*.xls,*.pdf and ban the other extensions.


Surely you meant to write "*.docx,*.xlsx,*.pdf"?
*.doc and *.xls are the old, malware-prone MS-Office filetypes.
You don't want to let those pass, at least not without rigorous
examination.


In my experience, the new ones aren't any better.


The "*m" ones (with macros) certainly aren't, but the "*x" ones (without
macros) have so far never caused any trouble at our site.
So we put mails with *.doc, *.xls, *.docm and *.xlsm attachments in
quarantine, only releasing them upon request after manual inspection,
but let *.docx and *.xlsx pass if the ClamAV scan turns up clean.


I don't care enough to dig up what the formal spec (such as may exist) 
for these files is, but I see a regular trickle of .docx and a handful 
of .xlsx files that pop up a warning in OpenOffice about macros.  I 
don't think I've seen any .docm or .xlsm for a while.


Personally I'd be quite happy to ban them all outright, but customers 
get a little grouchy when they can't send or receive documents to their 
contacts...


We scan them all, quarantine the ones that hit a signature, add local 
signatures as malicious examples get reported, use a handful of 
third-party signatures, and advise customers to make sure they keep an 
up-to-date antivirus package on their system - if only to make sure 
they're also protected against non-email malware.


-kgd


Re: [clamav-users] Whitelisting extensions for virus scan

2018-10-29 Thread Kris Deugau

Jerry wrote:

We have a steady flow of "*.doc", "*.docx", "*.xlsx" and "*.pdf" files
exchanged with other offices. I have not seen a virus in any of them since
2010. Seems like you might be doing business with the wrong type of people.


I work for an ISP, managing our mail filtering services.

There are certainly legitimate Office document files being sent around, 
but there are plenty of malicious ones coming in too, and the "new" 
types are no guarantee the file is safe.  I certainly wouldn't exclude 
them from scanning.


-kgd


Re: [clamav-users] Whitelisting extensions for virus scan

2018-10-29 Thread Kris Deugau

Tilman Schmidt wrote:

Am 26.10.18 um 15:34 schrieb Johnny Time:

For example, we wanted to authorize only a white list which contains
*.doc,*.xls,*.pdf and ban the others extensions.


Surely you meant to write "*.docx,*.xlsx,*.pdf"?
*.doc and *.xls are the old, malware-prone MS-Office filetypes.
You don't want to let those pass, at least not without rigorous examination.


In my experience, the new ones aren't any better.

-kgd


Re: [clamav-users] Whitelisting extensions for virus scan

2018-10-26 Thread Kris Deugau

Johnny Time wrote:

Hi Folks,

We use Clamav and we wonder if we can whitelist some extensions on our 
virus scan ?



For example, we wanted to authorize only a white list which contains 
*.doc,*.xls,*.pdf and ban the others extensions.


If you're looking to block all files except a limited set of extensions, 
this is probably better done a layer up in your mail flow.  I call Clam 
from MIMEDefang, for instance, so I would configure MIMEDefang to reject 
mail that has any other file types attached.


However, the three you've listed can all contain malware;  you really 
don't want to *skip* scanning those.


-kgd
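As an added illustration of doing the extension policy "a layer up" in the mail flow, here is a small Python version of that step, written for this page; it is not MIMEDefang's or ClamAV's code. `EXTENSION_POLICY`, `decide` and `build_message` are names chosen here, the policy table and the sample messages are constructed, and the three verdicts follow the options discussed in these threads: unlisted types are rejected, the older and macro-enabled Office types are held for manual release, and the rest go straight on to the scanner. The verdict only decides what the mail flow does around the scan; every attachment that is let through is still scanned.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Constructed policy table, keyed on the attachment's final extension.
# Anything not listed is rejected outright; "quarantine" means hold for
# manual inspection; "scan" means pass on to the AV scanner as usual.
EXTENSION_POLICY = {
    ".pdf": "scan", ".docx": "scan", ".xlsx": "scan",
    ".doc": "quarantine", ".xls": "quarantine",
    ".docm": "quarantine", ".xlsm": "quarantine",
}


def attachment_names(raw):
    """Filenames of all attachment parts of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def decide(raw, table=EXTENSION_POLICY):
    """Return (verdict, names): 'reject' with the offending names if any
    attachment has an unlisted extension, else 'quarantine' with the names
    that need manual release, else 'scan' with every attachment name."""
    names = attachment_names(raw)
    actions = [table.get(os.path.splitext(n)[1].lower(), "reject") for n in names]
    if "reject" in actions:
        return "reject", [n for n, a in zip(names, actions) if a == "reject"]
    if "quarantine" in actions:
        return "quarantine", [n for n, a in zip(names, actions) if a == "quarantine"]
    return "scan", names


def build_message(attachments):
    """Constructed test message carrying the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "documents"
    msg.set_content("See attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for atts in ([("report.docx", b"PK"), ("q3.pdf", b"%PDF")],
                 [("old.doc", b"\xd0\xcf"), ("a.pdf", b"%PDF")],
                 [("invoice.pdf.exe", b"MZ")]):
        print([n for n, _ in atts], "->", decide(build_message(atts)))
```

The extension is taken from the final suffix, so a double-extension name such as `invoice.pdf.exe` lands in the reject class. An attachment part without a filename is not examined at all here, which is a gap a real deployment would close by also looking at the declared content type.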


Re: [clamav-users] /bin/mkdir: cannot create directory ‘/run/clamav’: File exists

2018-10-17 Thread Kris Deugau

Dino Edwards wrote:
Answering my own question on the /var/run and the /run directories. 
There is a link between the two, I just didn’t go up a level in the 
directory structure. The question about the error still remains though.


The chown and mkdir look a bit suspect to me;  I'm not seeing anything 
like that in the Debian packages (which should be mostly the same in 
Ubuntu).  What I *do* see in one of the stock files 
(/lib/systemd/system/clamav-daemon.socket) is this stanza:


[Socket]
ListenStream=/run/clamav/clamd.ctl
#ListenStream=127.0.0.1:1024
SocketUser=clamav
SocketGroup=clamav
RemoveOnStop=True

which if I understand correctly, implies that clamd on this system is 
using systemd's socket creation/handling voodoo rather than doing so itself.


Can you post:

- Output from  "dpkg -L clamav-daemon |grep system"

- Contents of any .service or .socket files from the above list

- Contents of any files in /etc/systemd/system/clamav-daemon.service.d


Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; 
vendor preset: enabled)


   Drop-In: /etc/systemd/system/clamav-daemon.service.d

    └─extend.conf


This seems to indicate that you're not using the stock systemd service 
definitions from Ubuntu/Debian upstream.


-kgd


[clamav-users] FP on ProduKey 32-bit

2018-09-10 Thread Kris Deugau
Win.Trojan.Agent-6584188-0 is a hash matching the executable from the 
32-bit build of ProduKey.  One of our staff doing an assets audit 
triggered it by emailing the .zip to another staff member.


I've confirmed that the .zip and the files in it match a fresh download 
from the developer's site, 
https://www.nirsoft.net/utils/product_cd_key_viewer.html.


I also reported it as an FP on clamav.net.

-kgd


Re: [clamav-users] Malwarepatrol false positive

2018-08-31 Thread Kris Deugau

Benny Pedersen wrote:

why is https even blocked ? :(

please whitelist https signatures


There's no reason a hacked HTTPS website couldn't host malware.  And 
there's no reason a spam domain couldn't get a certificate (from Let's 
Encrypt, or somewhere else) if they carefully time their actions.


-kgd


Re: [clamav-users] FP with Heuristics.Phishing.Email.SpoofedDomain

2018-08-29 Thread Kris Deugau

Paul wrote:

Hi

I have 2 emails which have tripped 
Heuristics.Phishing.Email.SpoofedDomain (4 times in each email using 
clamscan -x option)


Does the output from clamscan -x --debug shown below indicate the 
offending url pair triggering Heuristics.Phishing.Email.SpoofedDomain?


LibClamAV debug: Phishing: looking up in whitelist: 
.clicktime.symantec.com:.www

.barclays.co.uk; host-only:1


Seems likely;  this is exactly the kind of URL mismatch it's intended to 
trigger on.


I have yet to find a guaranteed consistent way to take these entries and 
convert them to a local whitelist entry for a local .wdb file, but some 
variation of one of these should work:


M:clicktime.symantec.com:barclays.co.uk
X:\.clicktime\.symantec\.com:www\.barclays\.co\.uk/

However, locally I've also given up on having this enabled where it's an 
absolute black/white test;  I've disabled it for the main Clam instance, 
and set up a secondary one with this test and a list of variously risky 
third-party signatures whose results are scored in SpamAssassin instead.


-kgd


Re: [clamav-users] Limitation or bug in ClamAV's processing of Yara rules?

2018-03-19 Thread Kris Deugau

G.W. Haywood wrote:

Hi Kris,

On Thu, 15 Mar 2018, Kris Deugau wrote:


I'm still chasing signatures for a certain class of (very) oversized
spam with malformed HTML. ...


Would you be able to send me a few samples?  Preferably with full headers.


I've been able to create logical (.ldb) variant signatures for nearly 
all of the examples I've had reported thanks to suggestions from Steve 
Basford, so I can't email them as the message would be blocked by our 
outgoing AV scan...


So I've posted a .zip on my web space with four (small) more or less 
representative examples of the class.  Please note the full set of 
variations cover, essentially, "long strings of symbols in the 

Re: [clamav-users] Limitation or bug in ClamAV's processing of Yara rules?

2018-03-16 Thread Kris Deugau

Mark Fortescue wrote:

Hi

I know nothing about YARA but you could try escaping the hash in case it 
is being treated as a comment line.


e.g  \#a > 1


The comment metasymbol for Yara rules is "//", but I tried this anyway 
as a long shot:


$ clamscan -d foo.yar
LibClamAV Error: yyerror(): foo.yar line 3 syntax error, unexpected '\\'
LibClamAV Error: cli_loadyara: failed to parse rules file foo.yar, error 
count 1


pretty much as expected.

The rule is syntactically correct, otherwise Clam would throw a fit.

The ClamAV signature-writing guide makes no mention of this Yara feature 
being disabled, limited, or otherwise not implemented to match the Yara 
docs from http://yara.readthedocs.io/en/v3.5.0/;  it *does* mention some 
other specific limits so I would assume this should be working.


I don't think this is related to Clam's requirement for two-byte fixed 
references in patterns in all other pattern-matching signature types, 
since I have another Yara rule for a series of obfuscated Javascript 
that uses a similar type of regex pattern.


-kgd




Regards
 Mark.

On 14/03/18 20:47, Kris Deugau wrote:

I'm still chasing signatures for a certain class of (very) oversized
spam with malformed HTML.  I've found an issue that is either an
implementation limit or a bug in ClamAV's handling of Yara rules.

I've narrowed it down to an issue with the "#" condition variant.

For a rule like so:

rule badstyle {
   strings:
 $a = /[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}/
   condition:
 #a > 1
}

and a message like https://pastebin.com/Hs3jcj9i, ClamAV *should* flag
the message.  (Note, this isn't what I'd use as a live signature!)

If I change the condition to "$a" instead, it flags the message, so the
expression for $a is valid and correct.

Since this particular series of spams will require "#a > 100" (or higher
counts) for safety, and none of the other signature types lend
themselves very well to this particular type of pattern matching, I'm
unable to use just a few signatures as above.  Instead I've been using a
crude workaround of setting up closing-on-hundreds of very similar
logical signatures, or an extended list of 3-6 hex-coded character
sequences in a single logical signature.

-kgd






[clamav-users] Limitation or bug in ClamAV's processing of Yara rules?

2018-03-14 Thread Kris Deugau
I'm still chasing signatures for a certain class of (very) oversized 
spam with malformed HTML.  I've found an issue that is either an 
implementation limit or a bug in ClamAV's handling of Yara rules.


I've narrowed it down to an issue with the "#" condition variant.

For a rule like so:

rule badstyle {
  strings:
$a = /[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}/
  condition:
#a > 1
}

and a message like https://pastebin.com/Hs3jcj9i, ClamAV *should* flag 
the message.  (Note, this isn't what I'd use as a live signature!)


If I change the condition to "$a" instead, it flags the message, so the 
expression for $a is valid and correct.


Since this particular series of spams will require "#a > 100" (or higher 
counts) for safety, and none of the other signature types lend 
themselves very well to this particular type of pattern matching, I'm 
unable to use just a few signatures as above.  Instead I've been using a 
crude workaround of setting up closing-on-hundreds of very similar 
logical signatures, or an extended list of 3-6 hex-coded character 
sequences in a single logical signature.


-kgd
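The `badstyle` rule above, as a Python equivalent added for this page (not code from the thread, and not a statement of how ClamAV's Yara engine evaluates the rule): `SYMBOL_RUN` is the `$a` regex transcribed to `re` syntax, `count_symbol_runs` models `#a` as the number of non-overlapping matches, `badstyle` is the `#a > N` condition, and `min_safe_threshold` turns the "needs `#a > 100` for safety" remark into a check against a set of known-good and known-bad samples. All of those names are chosen here, and the sample bodies are constructed, not real spam.

```python
import re

# The $a string from the thread's rule, transcribed to Python's re syntax:
# a run of exactly ten characters drawn from the symbol set.
SYMBOL_RUN = re.compile(r"[~!@#$%^&*\(\)_+`\[\]\{\}\|<>\/\?]{10}")


def count_symbol_runs(text):
    """Number of non-overlapping matches of $a in text, the quantity `#a` denotes."""
    return sum(1 for _ in SYMBOL_RUN.finditer(text))


def badstyle(text, threshold=1):
    """Python equivalent of `condition: #a > threshold`."""
    return count_symbol_runs(text) > threshold


def min_safe_threshold(spam_bodies, clean_bodies):
    """Smallest t such that `#a > t` flags every spam sample and no clean one,
    or None if the two sets overlap (the pattern alone cannot separate them)."""
    spam_min = min(count_symbol_runs(b) for b in spam_bodies)
    clean_max = max(count_symbol_runs(b) for b in clean_bodies)
    return clean_max if clean_max < spam_min else None


# Constructed sample bodies, not real mail. Each padded spam line carries 30
# contiguous symbol characters, i.e. three non-overlapping ten-character runs.
SPAMMY_BODY = "\n".join(
    "Special offer " + "!@#$%^&*()" * 3 + " click now" for _ in range(50)
)
CLEAN_BODY = "Hi team,\n\nThe meeting is at 10:00 (room #4). See you there!\n"
# A legitimate body that still contains one symbol run: this is why a low
# threshold like `#a > 1` is not safe on its own.
CLEAN_WITH_SYMBOLS = (
    "Password tip: use a few symbols such as ~!@#$%^&*() in your passphrase.\n"
)


def report(bodies, threshold):
    """Return {label: (count, flagged)} for a dict of labelled bodies."""
    return {label: (count_symbol_runs(b), badstyle(b, threshold))
            for label, b in bodies.items()}


if __name__ == "__main__":
    samples = {"spam": SPAMMY_BODY, "clean": CLEAN_BODY,
               "clean-symbols": CLEAN_WITH_SYMBOLS}
    for label, (n, hit) in report(samples, 100).items():
        print(f"{label:14s} #a={n:4d} flagged={hit}")
    print("smallest safe threshold:",
          min_safe_threshold([SPAMMY_BODY], [CLEAN_BODY, CLEAN_WITH_SYMBOLS]))
```

Because newlines are not in the symbol class, runs never span lines, so the count is per-line symbol padding summed over the body; on a raw message the HTML or base64 encoding would have to be decoded first for the count to mean anything.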


Re: [clamav-users] Question regarding freshclam log entry

2018-02-23 Thread Kris Deugau

J Doe wrote:

I note though that man 5 freshclam.conf states that clamd is *NOT* set to 
update by default, however when I installed the package on Ubuntu 16.04.03 LTS, 
it has put in 3600 for an update frequency.


Between freshclam and clamd there are three options here that operate 
independently:


NotifyClamd -> freshclam configuration, tells freshclam where to find 
the clamd configuration file to look for the clamd socket


Checks -> freshclam configuration, tells freshclam how often to check 
for new signatures


SelfCheck -> clamd configuration, tells clamd how often to check and see 
if the signature files have been updated



That said, if freshclam does not notify clamd by default, does that mean if I 
don’t get the socket problem sorted out that clamd (and more importantly 
clamav-milter), will still use the most recently downloaded signatures when 
scanning ?  Or do clamd and clamav-milter have to receive an update message 
via the socket to use the most recent signatures?


No;  the notification is just a way to get clamd aware of the new 
signatures faster.  Otherwise it will pick them up on its own refresh 
(SelfCheck).


-kgd


[clamav-users] Possible FP on Doc.Dropper.Agent-6447876-0?

2018-02-15 Thread Kris Deugau
I've had a customer reporting problems sending a supposedly all-text 
(likely actually multipart text+html with no hand-added attachments) 
triggering this signature.


Since it's a hash I'm baffled by what it might be misfiring on in a 
legitimate more-or-less text-only message.


I don't yet have a copy of the message that actually triggered this 
signature, and after finally getting a couple of empty test messages 
they are of course scanning clean.


Can anyone give any more detail on what kind of file or file component 
this is matching on?  All I can see is that it's in daily.hsb, so beyond 
the fact that it is a hash of either the whole file or a component of a 
Word document containing macros I have no idea what it is, and whether 
it's really a FP or not.


-kgd


Re: [clamav-users] Can't Install ClamAV

2018-02-02 Thread Kris Deugau

Paul B. wrote:

Ok, I got the same errors from Synaptics upon trying to install a
completely unrelated program:

E: clamav-base: subprocess installed post-installation script returned
error exit status 1
E: clamav-freshclam: dependency problems - leaving unconfigured
E: clamav: dependency problems - leaving unconfigured
E: clamtk: dependency problems - leaving unconfigured


You have these packages partially installed, and likely won't be able to 
install or upgrade any others until their status is cleaned up.


Synaptic should be able to show you enough information to track down the 
missing dependencies, or allow you to uninstall them.  Note that this 
may break your installed-from-source working ClamAV, depending on where 
it was installed.



Upon rebooting, I tried to reinstall ClamAv, freshclam, clambase, and
clamtk through Synaptics:

Attempt to reinstall freshclam, clambase, and clamtk:

E: Internal Error, No file name for clamav-base:amd64
E: Internal Error, No file name for clamav-freshclam:amd64
E: Internal Error, No file name for clamav:amd64


Something is wrong with the recordkeeping in the package system.

You should probably take this up with a list for your specific Debian 
derivative, or possibly ask on the main Debian users list.  This is just 
a problem that happens to be triggering on the ClamAV packages, not a 
ClamAV problem.


-kgd


Re: [clamav-users] ERROR: NotifyClamd: Can't connect to clamd on 127.0.0.1:3310: Connection refused

2018-02-01 Thread Kris Deugau

Chris wrote:

Using nc -l 3310 in one terminal and nc 127.0.0.1 3310 I get:

nc -l 3310
test
this is a test

  nc 127.0.0.1 3310
test
this is a test

So, IIUC I can talk to port 3310 with 127.0.0.1 or am I incorrect?


nc -l should have returned an error if clamd was actually listening on 
that port.


TCP communication is working, but based on this log line from your 
earlier post:


Jan 30 19:12:39 localhost clamd[22830]: TCP: No tcp AF_INET/AF_INET6 
SOCK_STREAM socket received from systemd.


you have an issue with how clamd is started from systemd - basically, 
systemd needs to be told to set up a TCP socket as well as (instead of? 
don't know if it's possible to use both) the local UNIX socket.


-kgd


Re: [clamav-users] Matching variant patterns in logical or Yara signatures

2018-01-17 Thread Kris Deugau

G.W. Haywood wrote:

Hi there,

On Tue, 16 Jan 2018, Kris Deugau wrote:


I'm trying to create signatures to match a particular series of
large to very large spams whose main identifier is a 

[clamav-users] Matching variant patterns in logical or Yara signatures

2018-01-15 Thread Kris Deugau
I'm trying to create signatures to match a particular series of large to 
very large spams whose main identifier is a 

Re: [clamav-users] problem installing clamav

2017-11-28 Thread Kris Deugau

richard parker wrote:

I am sure this is something obvious to the experienced but not to a bit of
a newbie such as myself. I am struggling with installation with the
following being reported

E: dpkg was interrupted, you must manually run 'sudo dpkg --configure -a'
to correct the problem.
richard@richard-ThinkPad-T400:~$ sudo dpkg --configure -a
Processing triggers for ureadahead (0.100.0-19) ...
ureadahead will be reprofiled on next reboot
dpkg: dependency problems prevent configuration of clamav:
  clamav depends on clamav-freshclam (>= 0.99.2+dfsg) | clamav-data; however:
   Package clamav-freshclam is not installed.
   Package clamav-data is not installed.
   Package clamav-freshclam which provides clamav-data is not installed.


This isn't a ClamAV problem;  this is an issue with how you've gone 
about installing a third-party package.  It looks like you're using 
either Debian or Ubuntu.


The last few lines above should clearly report the problem - the ClamAV 
package depends on one of two packages that arrange to provide the Clam 
signatures (either clamav-freshclam - which will actively get and update 
them with freshclam, or clamav-data, which may be a separate static 
package containing the signature files, or may be a "virtual" package 
provided by clamav-freshclam).


However, it should also be impossible to get into this state when using 
the standard package management tools.  Did you manually download a 
ClamAV .deb and install it with dpkg -i?


I'd recommend running "sudo apt-get -f install clamav" to get the 
package management tools to fix the dependency issue.


-kgd


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain

2017-11-15 Thread Kris Deugau

micah anderson wrote:

I keep having people complaining about False Positives due to
Heuristics.Phishing.Email.SpoofedDomain - my research has shown me that
the reason this is happening is because of Outlook's "advanced threat
protection" which wraps urls in a "safelink" url,



I really didn't want to do this, but I followed
https://github.com/vrtadmin/clamav-devel/blob/master/docs/phishsigs_howto.pdf

and I added the following to local.wdb (is this still the right place?!)
to "whitelist" safebrowsing:

X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17

but people are still complaining. Did I do this wrong? Looking again at
the documentation, it appears that it should be '17-' instead of '17',
but I'm not sure that matters.


I don't know if the whitelist setup will let you blanket-whitelist ALL 
EVARYTHING like that.  Grab a sample message, and run clamscan -D on it 
to find the link it's choking on.  Tweak the regex in between calls - 
eg, start with a specific match on the example, and gradually make it 
more general.  IME there are undocumented limits on what really 
constitutes a "valid" entry (both in syntax and in results), so the only 
way to get it right is to test and adjust until it works as expected.  :/



Is there some better way to deal with this? I do not want to turn off
phishing protection in general.


I'd suggest moving up a layer, to whatever is calling Clam, and handle 
that result differently (ie, add a header to pass on to the spam filter 
rather than treat it as an absolute black/white result on its own).


-kgd
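To make the "which pair is it choking on, and does my entry cover it" loop concrete, here is an added example, written for this page and not ClamAV's code, of a simplified displayed-vs-real link check together with the two `.wdb` line shapes that appear in this thread and in the clicktime/Barclays thread above (`M:realhost:displayedhost` and `X:real-regex:displayed-regex:FuncLevelSpec`). The matching rules are assumptions of this model, not a description of libclamav: `M:` entries are suffix-matched on hostnames, `X:` regexes are full-matched against the URL with its scheme removed, the trailing FuncLevelSpec is parsed and ignored, and regexes must not contain an unescaped colon. `LinkCollector`, `check_message` and the other names are chosen here; the HTML body and whitelist are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: links 1 and 3 name one site in their visible text
# while the href goes through a click-tracking host; link 2 is plain text.
SAMPLE_HTML = """
<p>Please log in at
<a href="https://clicktime.symantec.com/a/1/abc?u=https://www.barclays.co.uk/">https://www.barclays.co.uk/login</a>
to review your account.</p>
<p>Unrelated: <a href="https://example.com/page">Read more</a></p>
<p>Tracked: <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.example.org">https://www.example.org</a></p>
"""

# Constructed local whitelist in the two .wdb line shapes seen in the thread.
SAMPLE_WDB = r"""
# M: real host, displayed host (suffix match on each, in this model)
M:clicktime.symantec.com:barclays.co.uk
# X: regex over the real URL, regex over the displayed URL, FuncLevelSpec
X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17
"""

URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href.strip(), "".join(self._text).strip()))
            self._href = None


def bare(url):
    """Drop the scheme so regexes see host/path/query only."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I)


def host_of(url):
    return (urlparse("//" + bare(url)).hostname or "").lower()


def displayed_host(text):
    """Hostname named by the link text, or None if the text is not URL-like."""
    return host_of(text) if URL_LIKE.match(text) else None


def looks_spoofed(real_host, shown_host):
    """Naive mismatch test: hosts differ and neither is a suffix of the other."""
    r, s = real_host.lower(), shown_host.lower()
    return not (r == s or r.endswith("." + s) or s.endswith("." + r))


def host_suffix(host, dom):
    return host == dom.lower() or host.endswith("." + dom.lower())


def parse_wdb(text):
    """Parse M:/X: lines into (kind, real, displayed); FuncLevelSpec is dropped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            kind, real, shown = line.split(":")[:3]
            entries.append((kind, real, shown))
    return entries


def whitelisted(entries, real_url, shown_text):
    for kind, real, shown in entries:
        if kind == "M" and host_suffix(host_of(real_url), real) \
                and host_suffix(host_of(shown_text), shown):
            return True
        if kind == "X" and re.fullmatch(real, bare(real_url)) \
                and re.fullmatch(shown, bare(shown_text)):
            return True
    return False


def check_message(html, wdb_text=""):
    """Return (href, text, verdict) per link; verdict is ok/whitelisted/spoofed."""
    parser = LinkCollector()
    parser.feed(html)
    entries, results = parse_wdb(wdb_text), []
    for href, text in parser.links:
        if not href:
            continue
        shown = displayed_host(text)
        if shown is None or not looks_spoofed(host_of(href), shown):
            verdict = "ok"
        elif whitelisted(entries, href, text):
            verdict = "whitelisted"
        else:
            verdict = "spoofed"
        results.append((href, text, verdict))
    return results


if __name__ == "__main__":
    for row in check_message(SAMPLE_HTML, SAMPLE_WDB):
        print(row)
```

Running `check_message` without a whitelist shows which pairs trip the mismatch test; adding one entry at a time and re-running is the "start specific, then generalize" loop from the reply, with the difference that here the model is fully visible, whereas with the real engine the only ground truth is `clamscan -D` on the sample.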


Re: [clamav-users] Heuristics.Broken.Executable FOUND for core files/core dumps

2017-11-07 Thread Kris Deugau

Ravi wrote:

Thanks Kris for your comments. Currently we scan the incoming
files(zips/archives) placed on the local hard drive with the
clamdscan(which uses clamd daemon), Can you share more info on what you
meant on handling the result differently if we are using the clamdscan?


Whatever calls clamdscan needs to look at the results in more detail, 
and instead of just blindly treating any positive result as a virus, 
check the virus "name" to see if there is some other action, or if the 
result is something that should be let past.


For instance, I've added checks to several mail systems that treat a 
resulting "virus name" of "Heuristics.Phishing.SpoofDomain" differently 
from other results, because that test (PhishingScanURLs) tends to FP on 
legitimate mail.  The test is still valuable but it's not reliable as an 
absolute black/white result.


In general, if you don't want certain things to cause false positives 
with a content filter, either:


- don't pass those things to the filter in the first place,

- handle the results from the filter differently for your problem case,

- disable the problematic test(s) in the filter

Exactly what changes you need to make for each of these will depend on 
how you're passing content to the filter, how you're accepting the scan 
results back, and how configurable the filter is.


-kgd



Re: [clamav-users] Run script on file scanned but no virus found

2017-11-02 Thread Kris Deugau

Chris Johnson wrote:

I have on access scanning configured and we successfully run a script
when a virus is found.  This script allows us to make a log that the
file was scanned and a virus found.  However we'd also like to run a
script to make a log when the file has been scanned and no virus has
been found

there are 2 goals (and I accept there may be a different way of
achieving these.)

1) Scripts are too fast
The files we're scanning get uploaded through a web form
On access scanning checks the file once uploaded


You might do better to just integrate a call to clamdscan (note, not 
clamscan, which loads the virus DB on each call) with your upload script 
rather than rely on on-access scanning.  You're already more or less in 
control of when and where files actually get written to your local 
filesystem, where on-access scanning is usually intended for situations 
more like the conventional AV usage in Windows where files accessed by 
many processes with many origins all need to be scanned.



We put a 1 second pause in before checking for the (deleted) file and
this now works.  However the file might take longer than 1 second to
scan if its big or the server is busy.


If scan speed is a concern, maybe something AJAXy to send feedback on 
the state of the upload (eg "Uploading", "Scanning", "OK"/"Virus found") 
rather than just stalling the main script while the scan runs.


-kgd


[clamav-users] OT: mailing list behaviours (Re: Part 2: Dynamic engine module for scanning media files (e.g., MP3, MP4, etc.)?)

2017-09-19 Thread Kris Deugau

Crystalslave wrote:

Return-Path: harlequin...@gmail.com

First off, my apologies for the confusion. This is my first time
posting to a mailing list; I didn't really know how to handle the
return path thing, so I had to start over. Is this better? The return
path goes at the top of the message body, right? Or is it the subject
line? The verbiage on the ML FAQ is a little ambiguous.



http://www.clamav.net/documents/mailing-lists-faq


TBH I had to go have a look to see what you were talking about;  in ~20+ 
years participating in various lists like this I've never met one that 
had such a strange public-facing requirement for something that's part 
of the internals of normal mail system operation.  "Return-Path" is a 
generated header most commonly added to a message on final delivery, not 
something you add in the body or as an outgoing header.


The sentence "Please check that your outgoing messages start with a line 
like the following: Return-Path: m...@mydomain.com where m...@mydomain.com 
is the mail account which you used to subscribe to the mailing-list." 
should really be removed outright, along with the last sentence "You 
will be able to post to the mailing-lists by putting any of those 
addresses in Return-Path.".


"Subscribers-only" posting is common on "interactive" mailing lists like 
this one - technically inclined or not.  So long as you're using a 
regular mail program to send to the list, and you have your user profile 
set to the address you subscribed with, you should be fine.


-kgd


Re: [clamav-users] How to know if yara rules are being run?

2017-07-06 Thread Kris Deugau

Mark Foley wrote:


So, the question posted below remains:

Will the expetr.yara rule, described in this thread, run as is, or not, on
Linux?


Any valid signature file will be loaded and used.

Any *invalid* signature file will cause clamd to exit.

If clamd is running, and you've been able to confirm the signature file 
is being loaded, the signature will be checked.


Signatures are not platform-specific except in terms of what they're 
intended to match on.



I'm specifically asking about Eric's comment, "it requires a Win32 executable".


To answer this specific point, one of the signature fragments checks a 
byte pattern in a certain location to help ensure that it only triggers 
on files that are Win32 executables.


More generally, to confirm whether a specific signature is doing what 
it's supposed to, you need to have a file to test with that you know is 
supposed to match on that signature.


-kgd


Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-06-01 Thread Kris Deugau

outre...@epsilon.com wrote:

Hi Al,

Could you please confirm exactly what is the issue you see with the links? As 
far as I can see, they use standard link tracking.

 ^^

In my experience that, in and of itself, is often the problem.

The cases I've whitelisted locally are almost always mismatches between 
the visible link text and the actual link target, eg:


example.com/link

All too often, "bigesp" seems to go to great lengths to remain 
unidentified, by way of cryptic and ever-multiplying domains which 
appear, without time-consuming investigation, to be Just Another Spoof.


I would also suggest that using a complete separate TLD for 
click-tracking is a good way to *raise* red flags when a message is 
inspected by hand;  even worse when the domain looks similar to the main 
domain - such as "paypal-communications.com" vs "paypal.com".


Use a subdomain (eg "communication.paypal.com", or 
"espname.paypal.com"), which is clearly delegated from the organization 
potentially being spoofed, rather than Yet Another Similar But Not 
Obviously Associated Domain (because the domain registrars clearly can't 
be trusted to prevent *these* from being registered by world+dog, and a 
disturbing number don't shut down the real spoofs very quickly either).


In short, stop doing the same things that the scammers do, and do things 
that the scammers can't.


-kgd


[clamav-users] Signature specifics (was Re: Malware/ransomware and Yara signatures with clamav)

2017-05-15 Thread Kris Deugau

Cedric Knight wrote:


Devs - is it possible to block PDFs based on containing '/JavaScript'
and '/OpenAction' (or '/Launch')?  I wish ClamAV has a hierarchy from
definite signatures first to secondly checking heuristics...


Not a ClamAV developer, but yes, you can create a signature for this.

You don't really want to do this, because you *will* block legitimate 
PDFs.  Speaking from experience.  :(


-kgd


Re: [clamav-users] ClamAV UnOfficial Database

2017-05-04 Thread Kris Deugau

Joel Esler (jesler) wrote:

We already distribute some third party feeds into the official database, we 
have a program for that which can be found on our website.


For my part I would far prefer an enhancement to freshclam to allow it 
to download arbitrary third-party signature sets, much as SpamAssassin's 
"sa-update" tool can download third-party SpamAssassin rules without any 
upstream involvement.


Database (re)load time is already rather high with the current 
officially-distributed signatures, and many ongoing complaints 
substantially amount to "Database (re)load time is too long" and/or "I 
can't run Clam on a low-memory VPS".


-kgd


Re: [clamav-users] disabling a database

2017-05-01 Thread Kris Deugau

nobswolf wrote:

Hello,

I just added virus support by ClamAV to my email-server. I am almost
satisfied. It already caught some "zero days".

But I'd like to separate the detection of junk from the detection of
malware. So I'd like to disable the junk detection in ClamAV.

I commented out the Jurl-DB and I tried "PhishingScanURLs false". I
restarted the service. But still it detects spam:

Sanesecurity.Jurlbl.5ac7a2.UNOFFICIAL FOUND


Both Sanesecurity (and several other third-party signature sets) and the 
upstream stock signatures mix actual malware with 
almost-certainly-unwanted-but-not-actually-malware signatures.


With third-party sets, you could walk through the signature names, and 
build some local scripting to split the datasets as you please - I've 
started to do this locally.


The other thing you might consider is to modify whatever calls ClamAV to 
handle different "viruses" in different ways.


For instance, I've recently set up a secondary Clam instance with both 
an extract of third-party signatures, and a handful of local signatures, 
to be called from and scored in SpamAssassin instead of called directly 
and treated as an absolute yes/no result.


-kgd


Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Kris Deugau
Groach wrote:
>   If I could exclude the Clam default
> signatures and just continue to use Sane then I would and then I could
> turn back on quarantining to make our systems safe again.

You can;  turn off freshclam and delete the stock signature files.

Also make sure that you don't use the --official-db-only option to
clamscan, or have the OfficialDatabaseOnly option set in clamd.conf.

I was investigating using clamd with just a select set of
custom/third-party signatures for another segment of mail filtering and
this worked just fine.

So long as you have at least one signature file (and I think at least
one signature;  never tested quite that far), clamd will start up quite
happily.

-kgd


Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

2016-12-28 Thread Kris Deugau
Al Varnell wrote:
> On Dec 27, 2016, at 1:53 PM, demonhunter  wrote:
>> Office Open XML file format (.doc(x|m), .xls(x|m), etc., 
>> https://en.wikipedia.org/wiki/Office_Open_XML) are ZIP files, and those with 
>> macros typically contain an OLE2 file named vbaProject.bin. This signature 
>> appears as though it would match all standard Open XML files that contain 
>> macros. Examples of false positives should not be necessary to remove this 
>> signature:
> 
> Yes, but as mentioned here several times, the vbaProject.bin file can be 
> added to the QA test environment so that future FP's concerning it will no 
> longer be distributed, but only when we submit the file.

To rephrase demonhunter, the signature is on the filename component, not
the content of the file;  it's a generic name for the container for
macro(s) in a current-generation Office document, which happen to be
lightly rebranded .zip files.

I've had a report as well;  I don't yet have an example file though.

-kgd



> 
> -Al-
> 
>> $ sigtool --find-sigs=Win.Trojan.Toa-5368540-0
>> [daily.cdb] 
>> Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:
>>
>> $ echo "Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:" 
>> | sigtool --decode-sig
>> VIRUS NAME: Win.Trojan.Toa-5368540-0
>> CONTAINER TYPE: CL_TYPE_ZIP
>> CONTAINER SIZE: ANY
>> FILENAME REGEX: vbaProject\.bin$
>> COMPRESSED FILESIZE: ANY
>> UNCOMPRESSED FILESIZE: ANY
>> ENCRYPTION: IGNORED
>> FILE POSITION: ANY
>> CRC SUM: ANY
>>
>>
>> DH
>>
>>
>> - Original Message -
>> From: "Joel Esler (jesler)" 
>> To: "Adnan de Castro Donato" , "ClamAV users ML" 
>> 
>> Sent: Tuesday, December 27, 2016 3:25:14 PM
>> Subject: Re: [clamav-users] Probable false positive *.xlsm-
>> Win.Trojan.Toa-5368540-0
>>
>> Are you able to submit the files via the website?
>>
>>
>> Sent from my Apple Watch
>>
>> On Dec 27, 2016, at 3:08 PM, Adnan de Castro Donato wrote:
>>> In keeping with one false positive reports 
>>> I have 8 CentOS servers report below after Signatures Published daily - 
>>> 22782 update:
>>>
>>> All attachment with extension *.xlsm have the same issue:
>>>
>>> Our content checker found
>>>   virus: Win.Trojan.Toa-5368540-0
>>>
>>> Believe this is a false positive  Would like confirmation and an update if 
>>> possible
>>>
>>> Thanks.

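A way to try that .cdb line against sample containers offline, as an added example (not ClamAV code and not from this thread): it applies the fields sigtool prints for the signature above to ZIP files constructed in memory, and shows that the match depends only on the entry name, which is also the filename-only .cdb shape asked about in the later message on porting .zmd signatures. Assumed: only CL_TYPE_ZIP containers, size fields of the form '*', 'n' or 'n-m', and '*' in the encryption, position and CRC fields.

```python
"""Try a ClamAV .cdb (container metadata) line against ZIP files offline.

Added example, not ClamAV code: a simplified matcher for the fields that
'sigtool --decode-sig' prints for a .cdb signature.  Assumptions: only
CL_TYPE_ZIP containers; size fields accept '*', 'n' or 'n-m'; the
encryption, file-position and CRC fields must be '*'.  The ZIP files are
constructed in memory to stand in for Office documents.
"""
import io
import re
import zipfile

_FIELDS = ("name", "container", "container_size", "filename_regex",
           "compressed_size", "uncompressed_size", "encryption",
           "position", "crc")


def parse_cdb(line):
    """Split a .cdb line into named fields (a trailing ':' is tolerated)."""
    parts = line.strip().rstrip(":").split(":")   # regexes containing ':' unsupported
    if len(parts) != len(_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(_FIELDS), len(parts)))
    sig = dict(zip(_FIELDS, parts))
    for key in ("encryption", "position", "crc"):
        if sig[key] != "*":
            raise NotImplementedError("%s=%r is not handled here" % (key, sig[key]))
    return sig


def size_ok(spec, value):
    """'*' matches any size, 'n' an exact size, 'n-m' an inclusive range."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(x) for x in spec.split("-", 1))
        return low <= value <= high
    return value == int(spec)


def cdb_matches(sig, data):
    """Names of the ZIP entries in `data` that satisfy the signature."""
    if sig["container"] != "CL_TYPE_ZIP" or not size_ok(sig["container_size"], len(data)):
        return []
    name_re = re.compile(sig["filename_regex"])
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for entry in archive.infolist():
            if (name_re.search(entry.filename)
                    and size_ok(sig["compressed_size"], entry.compress_size)
                    and size_ok(sig["uncompressed_size"], entry.file_size)):
                hits.append(entry.filename)   # the entry's content is never inspected
    return hits


def make_zip(entries):
    """Build a ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buf.getvalue()


# The signature from the thread, exactly as sigtool decoded it.
TOA_SIG = parse_cdb(r"Win.Trojan.Toa-5368540-0:CL_TYPE_ZIP:*:vbaProject\.bin$:*:*:*:*:*:")

# Constructed stand-ins: a macro-enabled document carries a vbaProject.bin
# part beside its XML, a plain document does not.
MACRO_DOC = make_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"constructed placeholder bytes, not a real VBA project",
})
PLAIN_DOC = make_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
})

if __name__ == "__main__":
    print("macro-enabled:", cdb_matches(TOA_SIG, MACRO_DOC))   # ['word/vbaProject.bin']
    print("plain:", cdb_matches(TOA_SIG, PLAIN_DOC))           # []
```

Any archive that carries a vbaProject.bin part, benign or not, lists as a hit, which is the false-positive behaviour the thread describes.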


Re: [clamav-users] Cannot skip OLE2 checking

2016-12-22 Thread Kris Deugau
Mark Foley wrote:
> Kees - thanks for that info. So, basically I'd have to start a new clamd with a
> different socket and therefore pointing to a different config file. Not sure
> then what the point of the --config-file parameter to clamdscan is ...

It allows you to call a different clamd than the "system default" - we
used this for a time to hack in crude load balancing on our mail
infrastructure.  (We have a couple of servers running clamd and
SpamAssassin's spamd, and both the incoming and outgoing mail-handling
servers call the daemons on the dedicated scanner servers, rather than
running clamd and SpamAssassin on each mail server.)

A set of configuration files with the minimal host and port settings,
each directed to a specific scanning host, and chosen at random when
assembling the clamdscan call, held up fairly well for several years.

I don't recall what the issue was (if we ever even found anything other
than "doesn't work"), but some time ago clamd did not play nice with
Linux LVM load balancing.  More recently we tried again and it's
working, so we don't need multiple clamdscan configurations any more.

> So, what I will do is keep the "OLE2BlockMacros yes" for clamd/clamav-milter for
> quarantining such incoming messages (I can manually release legitimate ones
> later), but I'll use clamscan (not clamdscan) with the settings shown below for
> semi-daily scanning of the Maildir folder without the --block-macros=yes
> parameter.  This seems to give me the results I want. 
> 
> clamscan -a --no-summary --stdout --infected --recursive --allmatch \
>   --scan-mail=yes --scan-ole2=yes /home/HPRS/user/Maildir/

*nod*  For occasional bulk scanning there's little advantage to using
clamd/clamdscan anyway (aside from assembling all the arguments for
clamscan) since you only pay the startup time of parsing the signature
databases once for each run.  For scanning mail, you're making one call
for each message, so you don't want to be paying that startup cost on
each message.

-kgd


Re: [clamav-users] Documentation for creating ndb signatures?

2016-10-26 Thread Kris Deugau
Joel Esler (jesler) wrote:
> Dave,
> 
> Check out: 
> https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf

Unfortunately this document still leaves a number of questions, since
it's quite easy to create a signature that looks to be valid but which
ClamAV won't accept.  And the specifics of what it won't accept have
varied from version to version, and as far as I can tell are not clearly
documented anywhere but the ClamAV source.

For instance, I have regularly seen malware that I am trying to create a
signature for, where I have a pattern of 1-3 alternating known and
unknown (or small-set, eg ASCII numeric or [a-z]) bytes or byte groups.
It is possible to generate a signature that should match this, but
which won't be accepted by the engine.  It has gotten less restrictive
in recent versions but some types of pattern are still not supported.

-kgd


> On Oct 26, 2016, at 8:45 AM, Dave McMurtrie wrote:
> 
> Hi,
> 
> I know it exists, because I remember reading it before.  However, I
> can't find it now.  I found the docs at
> https://github.com/vrtadmin/clamav-devel/tree/master/docs but I didn't
> find what I was looking for there.
> 
> Specifically, I'm looking for information on using pattern matching or
> regexes in an ndb signature.  I'd like to come up with a signature that
> will match any email body that contains a URL in the .top domain.
> 
> Thanks!
> 
> Dave



Re: [clamav-users] WSF viruses, and other issues

2016-10-24 Thread Kris Deugau
John T. Bryan wrote:
> I’ve been running ClamAV now for some years as the virus-checking plug-in on
> my main multi-client mail server.  For a long time, I was very pleased with
> it and how easily I was able to integrate it into the custom software back
> when I first switched to it.
> 
> Lately, however, ClamAV never seems to catch any of the viruses that are
> coming at my server.  My custom-built spam-checking software is
> inadvertently catching the majority of them after ClamAV has passed them.  I
> have noticed two primary patterns to the viruses that are coming through
> these days:
> 
> * ZIP files containing a WSF (Windows Script File) and possibly some small
> distractor files
> 
> * ZIP files containing a JavaScript file and possibly some small distractor
> files
> 
> As for the WSF files, my primary issue there is that ClamAV seems to refuse
> to check them at all; I have added literally hundreds of signatures for
> these to my local signatures file but ClamAV still does not identify them as
> viruses afterwards.

.wsf files are not pattern-matched as-is, they're decoded and normalized
first.  Run clamscan --leave-temps foo.wsf, and inspect the files left
in /tmp/clamav* (or wherever ClamAV leaves its temporary working files)
for the actual content ClamAV does its matching against.

Note that this actually strips off some of the obfuscation, making it a
little tricky if the pattern you're trying to match is, in and of
itself, the obfuscation.

I'd guess you're just using hash signatures from sigtool --md5 (or
--sha1, or --sha256), since if you collect a number of examples from a
single run you *can* find similarities in the files to create
pattern-based sigs that match a range of files.

I've posted one of the crude utilities I've been using under
http://www.deepnet.cx/~kdeugau/clamtools/.  This takes several files,
grabs a more or less arbitrary block of 8K hex characters (based on the
$baseoffset and $fromstart variables - I keep the script open in a text
editor and change these as I go), and spits out a pattern, with ?? or
{nn} bits for variant character runs, formatted for a .ndb signature.  I
tend to manually copy-paste an extract of that as a signature rather
than using the whole thing.  You can use this on any set of files you
think are likely to be similar, and if they're not as similar as you
thought (or the segment you set it up to extract isn't) you'll get
either something like "{2345}abf3{3243}", or possibly a couple of blank
lines, as output.

The other thing to try is an archive-contents filename signature.  I
haven't had much luck with the newer "any archive type" version, but
I've had decent luck with the older-style .zip-only .zmd signature file.
I still see hits on some of those signatures I've added locally coming
up on several years after first adding them.

-kgd


Re: [clamav-users] How to get each file status when scanning a directory using clamdscan

2016-10-04 Thread Kris Deugau
crazy thinker wrote:
> Hi,
> 
> I would like to get each file status callback in *Clamdscan output*
> while performing a scan over a directory using *clamdscan*, but I am able to get
> a file status callback *(OK | ERROR | FOUND)* in *Clamdscan output* when
> I perform a scan over a *single file.*

After a bit of testing this looks to be the difference between:

clamdscan /path/to/directory

and

clamdscan /path/to/directory/*

Is there any reason you can't do the second?

Unfortunately I don't see any command-line options that might allow the
first call to produce exactly the same output as the second.

Generally the only files that are "interesting" in the results are the
ones that did get flagged - is there some specific reason you need the
"OK" results explicitly listed as well?

-kgd


Re: [clamav-users] CryLocker and Cryptolocker

2016-09-15 Thread Kris Deugau
Matus UHLAR - fantomas wrote:
> On 15.09.16 00:51, Reindl Harald wrote:
>> frankly i have seen companies blocking every .doc and .xls attachment
>> with a reject info that you should use .docx and .xlsx because they
>> can't contain macros (would be .docm for the new formats)
> 
> .docm is docx with macros, so they would want to block them too :-)

... and there's nothing stopping a malicious sender (human or program)
from misrepresenting a document to bypass filename-based filters.

-kgd


Re: [clamav-users] Match on raw .wsf file?

2016-09-02 Thread Kris Deugau
Steven Morgan wrote:
> Please try clamscan --scan-html=no to turn off normalization.

Mmmm.  I suppose that's technically the functionality I'm asking for,
but in its current form it's a pretty blunt instrument - it's all or
nothing, especially if set for clamd with the "ScanHTML" option in
clamd.conf.

I don't want to *break* any stock or third-party signatures that assume
that option is on;  I just want a way to indicate, for a specific
signature, "match this against the raw bitstream".

This hasn't been a major problem so far, but I could see use cases where
it might be.

-kgd


Re: [clamav-users] Match on raw .wsf file?

2016-08-31 Thread Kris Deugau
Kris Deugau wrote:
> Is there a way to force matching on the raw file, or at least control
> the normalization to some degree so that formatting and details in the
> original code aren't lost?

As a complement to that question, is there a way to *force* other
Javascript files to be normalized for matching?  The key problem with
the obfuscation as in the examples I posted is all the ways you can
split those strings, plus all the variations on whitespace in between
the string fragments and operators.

-kgd


> I've been coming across .wsf files in .zip files, which are essentially
> Javascript wrapped in a very thin wrapper:
> 
> 
> [insert nasty Javascript here]
> 
> 
> However, signatures I've created based on the raw file never match, and
> I finally figured out a few months ago that I'd have to use clamscan
> --leave-temps to dig up the normalized text Clam was actually running
> pattern matches against.
> 
> Unfortunately I've just discovered a flaw in this process, in that the
> normalizing process is also stripping off some of the key JS-obfuscation.
> 
> I've posted the raw first ~8 lines of one of these files, and the
> normalized version of that same chunk of text:
> 
> http://deepnet.cx/clamfrags/raw-wsf-01
> http://deepnet.cx/clamfrags/norm-wsf-01
> 
> In this case, one of the key things I'd like to match on is the
> "br"+"o"+"ken" strings in their broken form, but that information is
> wiped away in the normalized version.
> 
> -kgd



[clamav-users] Match on raw .wsf file?

2016-08-30 Thread Kris Deugau
Is there a way to force matching on the raw file, or at least control
the normalization to some degree so that formatting and details in the
original code aren't lost?

I've been coming across .wsf files in .zip files, which are essentially
Javascript wrapped in a very thin wrapper:


[insert nasty Javascript here]


However, signatures I've created based on the raw file never match, and
I finally figured out a few months ago that I'd have to use clamscan
--leave-temps to dig up the normalized text Clam was actually running
pattern matches against.

Unfortunately I've just discovered a flaw in this process, in that the
normalizing process is also stripping off some of the key JS-obfuscation.

I've posted the raw first ~8 lines of one of these files, and the
normalized version of that same chunk of text:

http://deepnet.cx/clamfrags/raw-wsf-01
http://deepnet.cx/clamfrags/norm-wsf-01

In this case, one of the key things I'd like to match on is the
"br"+"o"+"ken" strings in their broken form, but that information is
wiped away in the normalized version.

-kgd


Re: [clamav-users] Understanding OLE2BlockMacros

2016-08-24 Thread Kris Deugau
Alex wrote:
> Please don't send me to the amavis list - there must be someone who
> uses both clamav and amavis that understands what's happening here.

Much like SpamAssassin, Clamav in and of itself can only say "Matched
signature " or "Triggered heuristic test ", or "Didn't match
anything".

It's up to whatever is calling Clam to decide what to do with that result.

Many common integration methods for both are simple enough that they
don't have any way of postprocessing the result from SA or Clam (and
therefore treat those results as go/no-go flags), but AFAIK amavis
should be able to give you more flexibility - something best asked about
on the amavis users list.

-kgd


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2016-08-16 Thread Kris Deugau
Alex wrote:
> Hi,
> 
> I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
> for capitaloneemail.com, but can't figure out how to use sigtool to
> determine which actual domain it thinks was spoofed.
> 
> # sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
> sigtool --decode-sigs
> #
> 
> Why doesn't it display the signature with the above command?
> 
> How do I scan the quarantined message to find out exactly what
> triggered this false positive?

The Heuristics* "signatures" aren't fixed signatures in the signature
files.  This particular one represents a link where the visible and
link-target domain are "too different", but only for high-risk domains
(eg banks).  I'm not sure where the list of domains to consider is kept.

To whitelist a specific match hit by this signature chase down the
mismatched domains as per Steve's message, and add a line to local.wdb, eg:

X:\.rbc\.com:www\.rbcroyalbank\.com

or

M:trk.cp20.com:bmo.com

I have yet to figure out why I have to use an X: line for some matches,
and an M: line for others;  I use one or the other depending on which
one I can get to actually work on a case-by-case basis.

-kgd


Re: [clamav-users] ign2 whitelist don't work

2016-07-19 Thread Kris Deugau
Charles Swiger wrote:
> On Jul 19, 2016, at 10:39 AM, Kris Deugau <kdeu...@vianet.ca> wrote:
>> ClamAV hits on any of the Heuristics.* tests get flagged instead of
>> treated the same as the signature-based hits, and that flag either
>> causes an adjustment in the SpamAssassin results returned directly to
>> MIMEDefang later on, or a header is added which I check for in
>> SpamAssassin on mail delivery.
> 
> Are you using LMTP, or did SpamAssassin grow a local delivery agent 
> capability?

Wearing my ISP sysadmin hat, for inbound mail we have a custom delivery
agent that calls both ClamAV and SA, along with doing a number of other
tasks.  We don't currently handle Heuristics.* hits differently,
something I'd like to change.  On our outbound servers they're flagged
and added to the SA results.

On my personal server, which happens to still be on sendmail, I use
procmail for local delivery.  My new server in (very slow) progress will
run Postfix, but I'll still use procmail for local delivery.  For all
that it's not the friendliest tool it does its job quite well and I'm
the only user who has any need of complex delivery rules.  I'd switch to
something using sieve but I don't like the limitation on not calling
external programs - it makes it much harder to write a set of delivery
rules like this:

if (sender is newsletter A)
  deliver to folder news
if (sender is newsletter B)
  deliver to folder news
call a lightweight content filter
  if the filter says "Spam"
deliver to folder spam
if (received from a mailing list that allows nonsubscriber posts)
  deliver to folder spammynews
call a process-expensive content filter
  if the filter says "Spam"
deliver to folder spam
deliver to the Inbox

Which about sums up my .procmailrc, although the live one is much longer.

-kgd


Re: [clamav-users] ign2 whitelist don't work

2016-07-19 Thread Kris Deugau
Charles Swiger wrote:

> The milter approach is less flexible.  With a scoring mechanism, you can rate 
> actual viruses sufficiently negative that the scoring algorithm will always 
> reject them.

That depends on the milter you're using.  My own favoured milter is
MIMEDefang, which allows you to do anything you like to a message in
transit so long as you can figure out how to code it in Perl.

ClamAV hits on any of the Heuristics.* tests get flagged instead of
treated the same as the signature-based hits, and that flag either
causes an adjustment in the SpamAssassin results returned directly to
MIMEDefang later on, or a header is added which I check for in
SpamAssassin on mail delivery.

-kgd


Re: [clamav-users] ClamAV+exim: scanner finds not a single malware

2016-05-30 Thread Kris Deugau
Groach wrote:
> As a side note:  is anyone surprised a virus hasn't been released,
> embedded in a  'password protected' Zip file (to fool AV scans) with the
> body of the email saying something like "to fight against viruses and
> to protect you, it is password protected.  Your password is:  ABC123" ? 
> That is bound to fool some users, ain't it.  (Or has this already been
> done and I haven't seen it)?

I've seen a couple of those, although none recently.  I don't recall if
I archived a copy for reference or not.

-kgd


Re: [clamav-users] zip, rar, jar, ... how to delete all exe's and others files?

2016-04-14 Thread Kris Deugau
Steve Basford wrote:
> 1) .rmd/.zmd databases are obsolete, they are replaced with .cdb
> 
> More details:
> https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf

Does anyone have any examples of valid signatures for the .cdb sigfiles?

I've tried a couple of times to port some of my local .zmd sigs, but I
can't find the right formatting.

In reading the reference file above, I see fields for the archive file
size, compressed file size, expanded size of the file, and a whole bunch
of other details that I don't care about (and so I want to set them to
"whatever"), but based on what I've tried so far that's apparently not
valid.

The only thing I want to match on is the name of the files in the
archive.  .zmd and .rmd still work for that.

-kgd


Re: [clamav-users] Clamd vs clamscan

2016-02-10 Thread Kris Deugau
Gene Heskett wrote:
> But, I do wish that clamd would send me a substitute email advising that 
> it has stashed a suspect incoming email into the 
> mailfile /var/spool/mail/virii.  I try to look that file over for FP's, 
> but quickly get lost in the visual garbage because its probably a zip'd 
> file.

This depends on exactly where clamdscan is being called in your mail
processing;  ClamAV just does a bunch of pattern matching and returns a
result in most configurations.

On my personal server, I call Clam from the MIMEDefang milter such that
all signature-based hits get discarded sight unseen, but any hits on any
phishing or "Heuristics" tests get a header added for consideration by
SpamAssassin, precisely because of things like:

> I just looked over 260kb of what clamd id'd as virii, but which in
> fact are 5 messages from my bank about a new CC they were sending me, 
> and some 5 or 6 were propaganda from AARP. And 3 shipping notices 
> regarding stuff I bought thru ebay. In this case, an FP rate in excess 
> of 90%! That is so high that I am expunging the clamd recipe from 
> my .procmailrc as the next thing I do.  Only two files 
> containing .zip's, were real suspects, and I do have a delete button.

I suspect those FP hits are Heuristics.Phishing.Email.SpoofedDomain
hits.  A lot of organizations that should really know better tend to
trigger this with third-party mailings or promotional mailings where the
link text says "mybank.com", but the link address is "tracking.example.com".

-kgd


Re: [clamav-users] Finding the spoofed domain

2015-12-15 Thread Kris Deugau
Alex wrote:

> Steve Basford wrote:
>> I've posted the email here:
>> http://pastebin.com/n4WRjmzE
> 
>> Got a match: f.email.americanexpress.com/ with /moc.sserpxenacirema
>> Before inserting .: .f.email.americanexpress.com
>> Lookup result: in regex list
>> Phishcheck:host:.r.smartbrief.com
>> Phishing: looking up in whitelist:
>> .r.smartbrief.com:.f.email.americanexpress.
>> Looking up in regex_list: r.smartbrief.com:f.email.americanexpress.com/
>> Lookup result: not in regex list
>> Phishcheck: Phishing scan result: URLs are way too different
>> found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>> emax_reached: marked parents as non cacheable
> 
> Okay, interesting, thanks.
> 
> While I don't necessarily expect clamav to understand
> americanexpress.com isn't a phishing/spoofed site, should we expect
> every time a URL is rewritten in this way for it to be labelled as a
> phishing attack?
> 
> I actually also don't see in the message where
> f.email.americanexpress.com was wrapped inside of a smartbrief.com
> URL. I only see americanexpress.com/merchant, so perhaps I'm not
> understanding.

The thing to look for are links that appear to the eye as
americanexpress.com, but actually lead to smartbrief.com:

Visit us at: <a href="http://r.smartbrief.com/resp/"
target="_new" style="text-decoration:none;
color:#2196c2">americanexpress.com/merchant</a>

You would just see americanexpress.com/merchant, but the link does not
lead *directly* to that location, it redirects from a clicktracking link
under smartbrief.com.

-kgd
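The display-versus-target comparison described in this message, together with the local.wdb X:/M: whitelist lines from the earlier SpoofedDomain thread, as an added example (not ClamAV's phishing module and not from either post): it pulls every anchor out of a constructed HTML snippet, compares the hostname in the visible text with the href's hostname, and suppresses hits the whitelist covers. Assumed: M: lines hold a real and a displayed hostname compared literally, X: lines hold regexes tried against the real URL and the displayed text, and "same site" means the last two labels agree (no public-suffix list).

```python
"""Flag links whose visible text names a different site than their target.

Added example, not ClamAV's phishing module: a simplified version of the
check behind Heuristics.Phishing.Email.SpoofedDomain with a local.wdb-style
whitelist.  Assumed: 'M:' lines give a real and a displayed hostname that
are matched literally; 'X:' lines give regexes tried against the real URL
and the displayed text.  The HTML and whitelist below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a hostname inside a link's visible text.
_HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def load_whitelist(lines):
    """Parse M: (literal hostnames) and X: (regex) lines; anything else is ignored."""
    literal, regex = set(), []
    for line in lines:
        kind, _, rest = line.strip().partition(":")
        real, _, displayed = rest.partition(":")   # regexes containing ':' unsupported
        if kind == "M":
            literal.add((real.lower(), displayed.lower()))
        elif kind == "X":
            regex.append((re.compile(real), re.compile(displayed)))
    return literal, regex


def spoofed_links(html, whitelist_lines=()):
    """Return (href, displayed host) for links whose two hosts disagree."""
    literal, regex = load_whitelist(whitelist_lines)
    parser = _Anchors()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        found = _HOST_IN_TEXT.search(text)
        if not found:
            continue   # no hostname in the visible text, nothing to compare
        displayed = found.group(1).lower()
        real = (urlparse(href).hostname or "").lower()
        if registered_domain(real) == registered_domain(displayed):
            continue   # the text names the site the link really goes to
        if (real, displayed) in literal:
            continue   # covered by an M: line
        if any(r.search(href) and d.search(displayed) for r, d in regex):
            continue   # covered by an X: line
        hits.append((href, displayed))
    return hits


# Constructed sample: a tracking link dressed up as the bank's address, a
# link whose text and target agree, and a whitelisted tracking link.
SAMPLE_HTML = """
<p>Visit us at: <a href="http://r.smartbrief.com/resp/abc123"
target="_new" style="text-decoration:none; color:#2196c2">americanexpress.com/merchant</a></p>
<p><a href="https://www.example.com/login">www.example.com</a></p>
<p><a href="http://trk.cp20.com/click?id=1">bmo.com</a></p>
"""
SAMPLE_WDB = ["M:trk.cp20.com:bmo.com", r"X:\.rbc\.com:www\.rbcroyalbank\.com"]

if __name__ == "__main__":
    for href, shown in spoofed_links(SAMPLE_HTML, SAMPLE_WDB):
        print("spoofed domain: text says %s, link goes to %s" % (shown, href))
```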


Re: [clamav-users] Difficult malwarefiles - signature too short

2015-11-02 Thread Kris Deugau
G.W. Haywood wrote:
> Hi there,
> 
> On Mon, 2 Nov 2015, Hajo Locke wrote:
> 
>> ... It seems to be so easy for a php-programmer to generate infinite
>> number of malwarefiles ...
> 
> That's correct.
> 
> Any .php file sent here goes straight to /dev/null without inspection.

I can't say I've seen PHP randomly splattered around by email (unlike
Javascript or Windows executables, very little will even recognize it
never mind auto-execute it);  I'm guessing the OP is scanning customer
webhosting content.

Customers will get very unhappy if you blindly delete all PHP files from
their webhosting account...

-kgd


[clamav-users] Match alternate bytes?

2015-10-08 Thread Kris Deugau
I've been seeing Javascript malware on and off where (one layer of) the
Javascript obfuscation is done by taking the real code, sticking in
random characters every other character, wrapping it in one or more
strings, and then using string manipulation to pull out the original
characters and execute it.

ClamAV won't let you just create a pattern like so:

3d2766{1}75{1}6e{1}63{1}74{1}69{1}6f{1}6e{1}20{1}64{1}6c...

and I understand the reasoning, but in this case I really do need to
match every other character, because the alternates are random garbage.

I've also created local signatures based on the .zip filename list (a
bare .js in a .zip in a random email is almost certainly malware), but
I'd still like to have signatures for the Javascript itself.

I've just submitted one of several samples I have on hand (SHA256
2f5688b2e23b5b481f63a7f465086f7b19dfbf20e8ac16c0ae5bc56fefe72849), but
I'm more interested in how to build a signature that will match most
similar obfuscated JS.

-kgd
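An added example, not the clamtools script from the WSF thread above and not from this post, of the pattern-extraction step described there: it compares several samples byte by byte at the same offset, writes ?? for a single differing byte and {n} for a run, trims the wildcards off both ends so the .ndb line is anchored on fixed bytes, and reports the shortest fixed-byte run, which for the every-other-byte obfuscation in this message comes out as 1, the shape the engine will not load. Assumed: the samples are already aligned at the same offset, and the samples used here are constructed.

```python
"""Derive a ClamAV hex pattern from several similar samples.

Added example (not the clamtools script from the list): compares samples
byte by byte at the same offset, emits '??' for one differing byte and
'{n}' for a run of n differing bytes, and formats an .ndb line.  It also
reports the shortest fixed-byte run, so an every-other-byte pattern such
as 66??75??6e (one the thread says the engine rejects) is obvious before
any attempt to load it.  All sample bytes below are constructed.
"""
import re

_WILDCARD = re.compile(r"\?\?|\{\d+\}")


def common_pattern(samples, offset=0, length=8192):
    """Hex pattern shared by every sample over samples[offset:offset+length]."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to compare")
    window = min(length, min(len(s) for s in samples) - offset)
    if window <= 0:
        raise ValueError("offset is past the end of the shortest sample")
    parts = []
    run = 0   # length of the current run of differing bytes
    for i in range(offset, offset + window):
        if len({s[i] for s in samples}) == 1:
            if run:
                parts.append("??" if run == 1 else "{%d}" % run)
                run = 0
            parts.append("%02x" % samples[0][i])
        else:
            run += 1
    if run:
        parts.append("??" if run == 1 else "{%d}" % run)
    return "".join(parts)


def trim_wildcards(pattern):
    """Drop leading and trailing wildcards so the pattern starts and ends on fixed bytes."""
    return re.sub(r"^(\?\?|\{\d+\})+|(\?\?|\{\d+\})+$", "", pattern)


def shortest_fixed_run(pattern):
    """Length in bytes of the shortest run of fixed bytes in the pattern (0 if none)."""
    runs = [len(chunk) // 2 for chunk in _WILDCARD.split(pattern) if chunk]
    return min(runs) if runs else 0


def ndb_signature(name, pattern, target_type=0, offset="*"):
    """Format an .ndb line: MalwareName:TargetType:Offset:HexSignature."""
    return "%s:%d:%s:%s" % (name, target_type, offset, trim_wildcards(pattern))


def interleave(code, junk):
    """Constructed stand-in for the obfuscation: one junk byte after every code byte."""
    return b"".join(bytes([c, j]) for c, j in zip(code, junk))


# Constructed samples sharing a header and trailer around variable parts.
SIMILAR = [b"HEAD-aaaa-BODY-x-TAIL", b"HEAD-bbbb-BODY-y-TAIL", b"HEAD-cccc-BODY-x-TAIL"]

# Constructed samples of the every-other-byte obfuscation around "function dl".
INTERLEAVED = [interleave(b"function dl", b"A" * 11), interleave(b"function dl", b"B" * 11)]

if __name__ == "__main__":
    usable = common_pattern(SIMILAR)
    print(ndb_signature("Local.Example.Similar", usable))
    print("shortest fixed run:", shortest_fixed_run(usable))
    every_other = trim_wildcards(common_pattern(INTERLEAVED))
    print(every_other, "-> shortest fixed run:", shortest_fixed_run(every_other))
```

The last line prints the 66??75??6e??... shape from this message with a shortest fixed run of 1; the thread's own answer for that case was a filename-based signature on the containing .zip rather than a byte pattern.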

