Re: [clamav-users] Detection as PUA.Andr.Trojan.Generic-6878612-0

2019-03-13 Thread Mark Foley
On Wed, 13 Mar 2019 11:26:06 +0100 vamp898 wrote:
>
> Hi there,
>
> since a few days we get a _lot_ of detections for 
> PUA.Andr.Trojan.Generic-6878612-0
>
> Office Documents, ZIP Documents, JPEG Images (containing nothing but 
> JPEG) are all more and more detected as this type. Not all of them, but 
> way too many to see a real pattern of what the actual issue is :(
>
> Is that something known?
>

Yes, I'm having the same issue.  Several hundred emails in IMAP folders are FOUND
with this PUA.  Many of these messages are one or more years old, and many of the
emails were generated from within my office and are unlikely to contain malware. 

I'm wondering how legit this is and whether to actually go through and remove
hundreds of messages from users' mail folders or to set .ign2 to ignore this
signature.

--Mark

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Emf.Exploit.CVE_2017_16395-6376329-0

2017-11-20 Thread Mark Foley
Interesting. All the allegedly affected emails I've checked have docx
attachments, not Adobe or .PDF. It seems incorrect that a signature for Adobe
and Reader would be triggering on docx files.

For now, I'm not going to put this in .ign2, but I will exclude the Maildir
scanning script from looking at these specific older messages. We'll see what
happens from there.

Thanks for your feedback.

--Mark

On Sun, 19 Nov 2017 14:52:36 -0800 Al Varnell <alvarn...@mac.com> wrote:

> It's a vulnerability that impacts Adobe Acrobat and Reader for Windows and 
> Macintosh, specifically a Critical Buffer Access with Incorrect Length Value 
> that can result in Remote Code Execution.
> <https://helpx.adobe.com/security/products/acrobat/apsb17-36.html>
>
> It was added to the ClamAV signature database on Friday and the signature 
> looks for:
> VIRUS NAME: Emf.Exploit.CVE_2017_16395-6376329-0
> TDB: Target:0
> LOGICAL EXPRESSION: (0&1)
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> {WILDCARD_ANY_STRING(LENGTH==36)} EMF
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> 
>
> -Al-
>
> On Sun, Nov 19, 2017 at 09:12 AM, Mark Foley wrote:
> > For the past couple of days I've been getting notices from clamscan for
> > Emf.Exploit.CVE_2017_16395-6376329-0. clamscan is running on the IMAP 
> > Maildir
> > directories and is finding this exploit on emails as old as 2010.
> > 
> > I can find nothing on this exploit searching on the web other than it 
> > exists. No
> > description, etc. Can anyone tell me anything about this? What systems does 
> > it
> > affect (Windows only?) What does it do? Etc. I'll have to decide whether to
> > remove these old emails or stick this signature into my .ign2 file.
> > 
> > btw - is there some good website that describes ALL current exploits?
> > cve.mitre.org <http://cve.mitre.org/> has a supposed complete list but for 
> > CVE-2017-16395 all it says
> > is:
> > 
> >  ** RESERVED **
> >  This candidate has been reserved by an organization or individual that
> >  will use it when announcing a new security problem.  When the
> >  candidate has been publicized, the details for this candidate will be
> >  provided.
> > 
> > THX --Mark
>
> -Al-
> -- 
> Al Varnell
> Mountain View, CA


[clamav-users] Emf.Exploit.CVE_2017_16395-6376329-0

2017-11-19 Thread Mark Foley
For the past couple of days I've been getting notices from clamscan for
Emf.Exploit.CVE_2017_16395-6376329-0. clamscan is running on the IMAP Maildir
directories and is finding this exploit on emails as old as 2010.

I can find nothing on this exploit searching on the web other than it exists. No
description, etc. Can anyone tell me anything about this? What systems does it
affect (Windows only?) What does it do? Etc. I'll have to decide whether to
remove these old emails or stick this signature into my .ign2 file.

btw - is there some good website that describes ALL current exploits?
cve.mitre.org has a supposed complete list but for CVE-2017-16395 all it says
is:

  ** RESERVED **
  This candidate has been reserved by an organization or individual that
  will use it when announcing a new security problem.  When the
  candidate has been publicized, the details for this candidate will be
  provided.

THX --Mark


Re: [clamav-users] Virus Malvare not detected

2017-11-15 Thread Mark Foley
Actually, the clamscanner is now finding these files, so someone must have
updated something since yesterday (which is when these files came in):

/home/HPRS/matkeson/Maildir/.SENT/cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S: Doc.Dropper.Agent-6374331-0 FOUND
/home/HPRS/matkeson/Maildir/.SENT/cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S!MAIL:InvoiceETT3600920.doc!...!(3)ZIP:docProps/core.xml: Doc.Dropper.Agent-6374331-0 FOUND

I'll go ahead and submit my file anyway, in case this is something different.

--Mark

-Original Message-
From: Steven Morgan <smor...@sourcefire.com>
Date: Wed, 15 Nov 2017 15:50:31 -0500
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] Virus Malvare not detected

Mark,

Please open a bug report about this issue at bugzilla.clamav.net. Please
include your file and we can look into the issues.

Thanks,
Steve



On Wed, Nov 15, 2017 at 2:45 PM, Mark Foley <mfo...@novatec-inc.com> wrote:

> I'm going to continue piggybacking onto this thread as it deals with
> Clamav's
> non-discovery of the malware attached to messages with the subject "Invoice
> ...". Although, I don't know if this is the same type of attachment.
>
> The attachments I've been getting are .docx file named as .doc files. In
> examining the contents of these archives I find:
>
> $ unzip -l InvoiceZGC3020188.doc
> Archive:  InvoiceZGC3020188.doc
>   Length      Date    Time    Name
> ---------  ---------- -----   ----
>      1510  01-01-1980 00:00   [Content_Types].xml
>       590  01-01-1980 00:00   _rels/.rels
>      1226  01-01-1980 00:00   word/_rels/document.xml.rels
>      5097  01-01-1980 00:00   word/document.xml
>      5424  01-01-1980 00:00   word/media/image1.emf
>    132276  01-01-1980 00:00   word/media/image2.png
>      6850  01-01-1980 00:00   word/theme/theme1.xml
>      6144  01-01-1980 00:00   word/embeddings/oleObject1.bin
>      4809  01-01-1980 00:00   word/settings.xml
>      1299  01-01-1980 00:00   word/fontTable.xml
>       576  01-01-1980 00:00   word/webSettings.xml
>       995  01-01-1980 00:00   docProps/app.xml
>     29121  01-01-1980 00:00   word/styles.xml
>       732  01-01-1980 00:00   docProps/core.xml
> ---------                     -------
>    196649                     14 files
>
> "Normal" .docx files do not have the oleObject1.bin as an archive members.
> I do
> have ScanOLE2 and OLE2BlockMacros enabled. So why isn't clamav detecting
> this
> oleObject1.bin member?
>
> (To where should I submit a sample of this attachment?)
>
> --Mark
>
> -Original Message-
> From: Mark Foley <mfo...@novatec-inc.com>
> Date: Wed, 15 Nov 2017 13:18:23 -0500
> Organization: Novatec Software Engineering, LLC
> To: clamav-users@lists.clamav.net
>
> I'm having this same issue. The problem as I see it is that the .doc
> attached to
> these "Invoice" message is encrypted and clamav does not see what's
> inside. I'm
> discussing this encrypted attachment issue in my thread, subject: "password
> protected encrypted .docx files". I'm continuing to research this.
>
> --Mark
>
> On Wed, 15 Nov 2017 15:09:59 -0300 Emanuel <emanuel.gonza...@donweb.com>
> wrote:
>
> > Other virus not detected
> >
> > https://www.virustotal.com/#/file/6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd/detection
> >
> >
> > > On 14/11/17 at 09:52, Emanuel wrote:
> > > > Scanned the attachment; clamav does not detect this file.
> > > >
> > > >
> > > > On 14/11/17 at 09:51, Al Varnell wrote:
> > > >> You mentioned two attachments. Kaspersky and ClamXAV appear to catch
> > > >> the first one, but neither catch the second one you showed us. The
> > > >> SHA256 for a file is the same no matter what scanner is used.
> > >>
> > >> -Al-
> > >>
> > >> On Tue, Nov 14, 2017 at 04:36 AM, Emanuel wrote:
> > >>> the first scan is with kaspersky online
> > >>>
> > >>>
> > >>> On 14/11/17 at 09:31, Al Varnell wrote:
> > >>>> That's not the same file you showed before. The SHA256 is different.
> > >>>>
> > >>>> -Al-
> > >>>>
> > >>>> On Tue, Nov 14, 2017 at 04:23 AM, Emanuel wrote:
> > >>>>> Please see
> > >>>>>
> > >>>>> https://www.virustotal.com/es-ar/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/1510662252/
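The clamscan output earlier in this message names the top-level Maildir file and, after a "!", the part inside it; the Maildir filename in turn begins with the Unix time of delivery. The following added example (not code from the list or from ClamAV) parses such output and summarises, per signature, how many distinct messages were hit and how old the oldest and newest are, which is the evidence the recurring questions about hits on years-old mail turn on. The sample output, its user paths and timestamps are constructed.

```python
import re
from datetime import datetime, timezone

# clamscan reports one hit per line: "<path>[!<nested part>...]: <signature> FOUND".
# Parts inside a mail or archive are appended to the on-disk path with '!'.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# Maildir filenames begin with the Unix time at which the message was delivered,
# e.g. ".../cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S".
MAILDIR_TS_RE = re.compile(r"/(?:cur|new|tmp)/(?P<ts>\d{9,10})\.")

# Constructed sample in the shape of clamscan's output (paths and times made up).
SAMPLE_OUTPUT = """\
/home/HPRS/matkeson/Maildir/.SENT/cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S: Doc.Dropper.Agent-6374331-0 FOUND
/home/HPRS/matkeson/Maildir/.SENT/cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S!MAIL:Invoice.doc!(3)ZIP:docProps/core.xml: Doc.Dropper.Agent-6374331-0 FOUND
/home/HPRS/jdoe/Maildir/cur/1262304000.M1P100.mail,S=1000:2,S: Emf.Exploit.CVE_2017_16395-6376329-0 FOUND
/home/HPRS/jdoe/Maildir/cur/1293840000.M2P101.mail,S=2000:2,S: Emf.Exploit.CVE_2017_16395-6376329-0 FOUND
----------- SCAN SUMMARY -----------
Infected files: 3
"""

NOW = datetime(2017, 11, 20, tzinfo=timezone.utc)  # fixed "today" for the sample


def parse_found(line):
    """Return (top-level file, signature, delivery time or None) for a FOUND
    line, or None if the line is not a FOUND report."""
    m = FOUND_RE.match(line.rstrip("\n"))
    if not m:
        return None
    path = m.group("path").split("!", 1)[0]   # keep only the on-disk file
    ts = MAILDIR_TS_RE.search(path)
    delivered = None
    if ts:
        delivered = datetime.fromtimestamp(int(ts.group("ts")), tz=timezone.utc)
    return path, m.group("sig"), delivered


def summarize(lines, now=NOW):
    """Per signature: distinct messages hit and the age of the oldest/newest.

    A signature that suddenly fires on mail delivered years ago, across many
    users, is the pattern these threads treat as a probable false positive
    worth reporting rather than mass-deleting mail over.
    """
    per_sig = {}
    for line in lines:
        parsed = parse_found(line)
        if parsed is None:
            continue
        path, sig, delivered = parsed
        entry = per_sig.setdefault(sig, {"files": set(), "oldest": None, "newest": None})
        entry["files"].add(path)   # two hits inside one file count as one message
        if delivered is not None:
            if entry["oldest"] is None or delivered < entry["oldest"]:
                entry["oldest"] = delivered
            if entry["newest"] is None or delivered > entry["newest"]:
                entry["newest"] = delivered
    report = {}
    for sig, e in per_sig.items():
        report[sig] = {
            "messages": len(e["files"]),
            "oldest_age_days": (now - e["oldest"]).days if e["oldest"] else None,
            "newest_age_days": (now - e["newest"]).days if e["newest"] else None,
        }
    return report


def demo():
    """Run the summary over the constructed sample."""
    return summarize(SAMPLE_OUTPUT.splitlines())


if __name__ == "__main__":
    for sig, r in sorted(demo().items()):
        print(f"{sig}: {r['messages']} message(s), oldest {r['oldest_age_days']} days old, "
              f"newest {r['newest_age_days']} days old")
```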

Re: [clamav-users] Virus Malvare not detected

2017-11-15 Thread Mark Foley
I'm going to continue piggybacking onto this thread as it deals with Clamav's
non-discovery of the malware attached to messages with the subject "Invoice
...". Although, I don't know if this is the same type of attachment.

The attachments I've been getting are .docx files named as .doc files. In
examining the contents of these archives I find:

$ unzip -l InvoiceZGC3020188.doc
Archive:  InvoiceZGC3020188.doc
  Length      Date    Time    Name
---------  ---------- -----   ----
     1510  01-01-1980 00:00   [Content_Types].xml
      590  01-01-1980 00:00   _rels/.rels
     1226  01-01-1980 00:00   word/_rels/document.xml.rels
     5097  01-01-1980 00:00   word/document.xml
     5424  01-01-1980 00:00   word/media/image1.emf
   132276  01-01-1980 00:00   word/media/image2.png
     6850  01-01-1980 00:00   word/theme/theme1.xml
     6144  01-01-1980 00:00   word/embeddings/oleObject1.bin
     4809  01-01-1980 00:00   word/settings.xml
     1299  01-01-1980 00:00   word/fontTable.xml
      576  01-01-1980 00:00   word/webSettings.xml
      995  01-01-1980 00:00   docProps/app.xml
    29121  01-01-1980 00:00   word/styles.xml
      732  01-01-1980 00:00   docProps/core.xml
---------                     -------
   196649                     14 files

"Normal" .docx files do not have the oleObject1.bin as an archive member. I do
have ScanOLE2 and OLE2BlockMacros enabled. So why isn't clamav detecting this
oleObject1.bin member?

(To where should I submit a sample of this attachment?)

--Mark

-Original Message-----
From: Mark Foley <mfo...@novatec-inc.com>
Date: Wed, 15 Nov 2017 13:18:23 -0500
Organization: Novatec Software Engineering, LLC
To: clamav-users@lists.clamav.net

I'm having this same issue. The problem as I see it is that the .doc attached to
these "Invoice" messages is encrypted and clamav does not see what's inside. I'm
discussing this encrypted attachment issue in my thread, subject: "password
protected encrypted .docx files". I'm continuing to research this.

--Mark

On Wed, 15 Nov 2017 15:09:59 -0300 Emanuel <emanuel.gonza...@donweb.com> wrote:

> Other virus not detected
>
> https://www.virustotal.com/#/file/6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd/detection
>
>
> On 14/11/17 at 09:52, Emanuel wrote:
> > Scanned the attachment; clamav does not detect this file.
> >
> >
> > On 14/11/17 at 09:51, Al Varnell wrote:
> >> You mentioned two attachments. Kaspersky and ClamXAV appear to catch 
> >> the first one, but neither catch the second one you showed us. The 
> >> SHA256 for a file is the same no matter what scanner is used.
> >>
> >> -Al-
> >>
> >> On Tue, Nov 14, 2017 at 04:36 AM, Emanuel wrote:
> >>> the first scan is with kaspersky online
> >>>
> >>>
> >>> On 14/11/17 at 09:31, Al Varnell wrote:
> >>>> That's not the same file you showed before. The SHA256 is different.
> >>>>
> >>>> -Al-
> >>>>
> >>>> On Tue, Nov 14, 2017 at 04:23 AM, Emanuel wrote:
> >>>>> Please see
> >>>>>
> >>>>> https://www.virustotal.com/es-ar/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/1510662252/
> >>>>>
> >>>>> On 14/11/17 at 09:00, Al Varnell wrote:
> >>>>>> According to VirusTotal, ClamAV does detect it as 
> >>>>>> Doc.Dropper.Agent-6369707-0
> >>>>>> <https://www.virustotal.com/en/file/142a177f214671f7abd22f9e545595bf56a8116763bb7e9de7368aa1b2d381bf/analysis/>

Re: [clamav-users] password protected encrypted .docx files

2017-11-15 Thread Mark Foley
OK, I've found something. Encrypted .docx files contain the following strings:

http://schemas.microsoft.com/office/2006/encryption
xmlns:p="http://schemas.microsoft.com/office/2006/keyEncryptor/password"

> > >>> scripts and
> > >>> execute .exe files.
> > >>>
> > >>> I'd like to block encrypted Word documents.  Interestingly, as Reindl 
> > >>> Harald
> > >>> says, ".docx files *are* zip files", but lately I've been getting .doc 
> > >>> files
> > >>> which are really .docx file.  KDE Dolphin isn't deceived and opens the
> > >>> attachment as an archive, but Word in WIN7 goes ahead and opens it as a
> > >>> document.  If I rename the document to .docx, then Dolphin opens it in
> > >>> LibreOffice.
> > >>>
> > >>> So, will ArchiveblockEncrypted work on .doc files too? I.e. is clamav 
> > >>> smart
> > >>> enough to look beyond the extension?
> > >>
> > >> In general, yes, clamAV doesn't pay attention to extensions and looks for
> > >> document signatures that are usually at the top of a file to determine
> > >> file type. That being said, I can't confirm exactly how it handles .doc 
> > >> and .docx files.
> > >>
> > >
> > >Thanks Al. I'll turn this on and experiment. I'll post back my findings.
> > >
> > >Does anyone have experience with this?
> >
> > I did a few tests some time ago. The encryption/protection
> > is implemented by microsoft as an internal format somewhere in
> > the office document structure, _not_ as an encrypted zip file.
> >
> > So ArchiveblockEncrypted won't block encrypted Word documents.
> >
> >
> > Regards,
> >
> > Kees Theunissen.
> >
> > -- 
> > Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
> > Dutch Institute For Fundamental Energy Research (DIFFER)
> > e-mail address:   c.j.theunis...@differ.nl
> > postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
> > visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands
>
> Ah! Bummer. I thought that might be the case.
>
> Did you ever find a way to identify an encrypted .doc[x] file?
>
> --Mark


Re: [clamav-users] Virus Malvare not detected

2017-11-15 Thread Mark Foley
I'm having this same issue. The problem as I see it is that the .doc attached to
these "Invoice" message is encrypted and clamav does not see what's inside. I'm
discussing this encrypted attachment issue in my thread, subject: "password
protected encrypted .docx files". I'm continuing to research this.

--Mark

On Wed, 15 Nov 2017 15:09:59 -0300 Emanuel wrote:

> Other virus not detected
>
> https://www.virustotal.com/#/file/6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd/detection
>
>
> On 14/11/17 at 09:52, Emanuel wrote:
> > Scanned the attachment; clamav does not detect this file.
> >
> >
> > On 14/11/17 at 09:51, Al Varnell wrote:
> >> You mentioned two attachments. Kaspersky and ClamXAV appear to catch 
> >> the first one, but neither catch the second one you showed us. The 
> >> SHA256 for a file is the same no matter what scanner is used.
> >>
> >> -Al-
> >>
> >> On Tue, Nov 14, 2017 at 04:36 AM, Emanuel wrote:
> >>> the first scan is with kaspersky online
> >>>
> >>>
> >>> On 14/11/17 at 09:31, Al Varnell wrote:
> >>>> That's not the same file you showed before. The SHA256 is different.
> >>>>
> >>>> -Al-
> >>>>
> >>>> On Tue, Nov 14, 2017 at 04:23 AM, Emanuel wrote:
> >>>>> Please see
> >>>>>
> >>>>> https://www.virustotal.com/es-ar/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/1510662252/
> >>>>>
> >>>>> On 14/11/17 at 09:00, Al Varnell wrote:
> >>>>>> According to VirusTotal, ClamAV does detect it as 
> >>>>>> Doc.Dropper.Agent-6369707-0
> >>>>>> <https://www.virustotal.com/en/file/142a177f214671f7abd22f9e545595bf56a8116763bb7e9de7368aa1b2d381bf/analysis/>
> >>>>>>
> >>>>>> but go ahead and try to submit it anyway.
> >>>>>>
> >>>>>> -Al-
> >>>>>>
> >>>>>> On Tue, Nov 14, 2017 at 03:33 AM, Emanuel wrote:
> >>>>>>> Hello,
> >>>>>>>
> >>>>>>> I received two docs files in an email with the Subject "Invoice". 
> >>>>>>> The attachment is a malware virus; clamav did not detect this.
> >>>>>>>
> >>>>>>> Scan with kaspersky:
> >>>>>>>
> >>>>>>> Scan result: File is infected
> >>>>>>> Detected threats: Trojan-Downloader.MSWord.Agent.bqx
> >>>>>>> File size: 144.95 KB
> >>>>>>> File type: OOXML/DOCUMENT
> >>>>>>> Scan date: Nov 14 2017 08:15:42
> >>>>>>> Databases release date: Nov 14 2017 10:36:04 UTC
> >>>>>>> MD5: 70bdc39f8f57e090bebc4616924cdadc
> >>>>>>> SHA1: ecf414f8523627a0d5d6637041f6e1e3bbcee62e
> >>>>>>> SHA256: 142a177f214671f7abd22f9e545595bf56a8116763bb7e9de7368aa1b2d381bf
> >>>>>>>
> >>>>>>> Is it possible to add this virus manually to the clamav database?
> >
>
> -- 
> envialosimple.com   
> Emanuel Gonzalez
> Deliverability Specialist
> emanuel.gonza...@donweb.com 
> www.envialosimple.com 
> by donweb 
>

Re: [clamav-users] password protected encrypted .docx files

2017-11-15 Thread Mark Foley
On Wed, 15 Nov 2017 18:37:36 +0100 (CET) Kees Theunissen 
<c.j.theunis...@differ.nl> wrote:

>
> On Wed, 15 Nov 2017, Mark Foley wrote:
>
> >On Wed 15 Nov 2017 01:14:00 -0800 Al Varnell <alvarn...@mac.com> wrote:
> >
> >>On Tue, Nov 14, 2017 at 07:45 AM, Mark Foley wrote:
> >>> I found this older message in the archives. I'm receiving a lot of fake
> >>> "Invoice" messages with attached encrypted .doc files that run VB scripts 
> >>> and
> >>> execute .exe files.
> >>>
> >>> I'd like to block encrypted Word documents.  Interestingly, as Reindl 
> >>> Harald
> >>> says, ".docx files *are* zip files", but lately I've been getting .doc 
> >>> files
> >>> which are really .docx file.  KDE Dolphin isn't deceived and opens the
> >>> attachment as an archive, but Word in WIN7 goes ahead and opens it as a
> >>> document.  If I rename the document to .docx, then Dolphin opens it in
> >>> LibreOffice.
> >>>
> >>> So, will ArchiveblockEncrypted work on .doc files too? I.e. is clamav 
> >>> smart
> >>> enough to look beyond the extension?
> >>
> >> In general, yes, clamAV doesn't pay attention to extensions and looks for
> >> document signatures that are usually at the top of a file to determine
> >> file type. That being said, I can't confirm exactly how it handles .doc 
> >> and .docx files.
> >>
> >
> >Thanks Al. I'll turn this on and experiment. I'll post back my findings.
> >
> >Does anyone have experience with this?
>
> I did a few tests some time ago. The encryption/protection
> is implemented by microsoft as an internal format somewhere in
> the office document structure, _not_ as an encrypted zip file.
>
> So ArchiveblockEncrypted won't block encrypted Word documents.
>
>
> Regards,
>
> Kees Theunissen.
>
> -- 
> Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
> Dutch Institute For Fundamental Energy Research (DIFFER)
> e-mail address:   c.j.theunis...@differ.nl
> postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
> visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands

Ah! Bummer. I thought that might be the case.

Did you ever find a way to identify an encrypted .doc[x] file?

--Mark
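A triage script for the questions in this thread and the related "Invoice" one: whether a .doc attachment is really an OOXML zip, whether it carries the word/embeddings/oleObject1.bin member those attachments had, and whether it is the encrypted variant that ArchiveBlockEncrypted does not catch (recognised by the strings found in the EncryptionInfo XML). It is an added example, not code from the list or from ClamAV; it assumes the EncryptionInfo and EncryptedPackage stream names of the OLE2 wrapper Office uses for encrypted packages, and builds its sample files inline.

```python
import io
import zipfile

# Magic bytes a scanner keys on instead of the file extension: an OOXML
# ".docx" (even when named .doc) is a zip; a legacy .doc, and an encrypted
# OOXML package, are OLE2 compound files.
ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# The two namespace strings reported in the thread for encrypted .docx files.
# Assumption: they sit in the EncryptionInfo stream of the OLE2 wrapper, whose
# directory stores stream names as UTF-16LE.
ENCRYPTION_NS = b"http://schemas.microsoft.com/office/2006/encryption"
PASSWORD_KEYENC_NS = b"http://schemas.microsoft.com/office/2006/keyEncryptor/password"
ENCRYPTION_INFO_STREAM = "EncryptionInfo".encode("utf-16-le")
ENCRYPTED_PACKAGE_STREAM = "EncryptedPackage".encode("utf-16-le")


def triage(data):
    """Describe what an Office attachment really is, whatever its extension.

    Returns a dict with 'container' ('zip', 'ole2' or 'unknown'),
    'encrypted' (bool), 'embeddings' (zip members under word/embeddings/)
    and 'has_vba' (bool).
    """
    report = {"container": "unknown", "encrypted": False,
              "embeddings": [], "has_vba": False}
    if data.startswith(ZIP_MAGIC):
        report["container"] = "zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return report   # zip magic but no usable central directory
        # word/embeddings/oleObject1.bin is the member the thread found in the
        # "Invoice" attachments and that a normal .docx does not carry.
        report["embeddings"] = sorted(n for n in names
                                      if n.startswith("word/embeddings/"))
        report["has_vba"] = any(n.endswith("vbaProject.bin") for n in names)
    elif data.startswith(OLE2_MAGIC):
        report["container"] = "ole2"
        # Cheap heuristic: no CFB directory parsing, just look for the
        # encryption markers anywhere in the file.
        report["encrypted"] = any(marker in data for marker in (
            ENCRYPTION_INFO_STREAM, ENCRYPTED_PACKAGE_STREAM,
            ENCRYPTION_NS, PASSWORD_KEYENC_NS))
    return report


def is_suspicious(report):
    """Hold rule matching what the thread wanted: encrypted documents, and
    OOXML zips that ship embedded OLE objects or VBA."""
    return bool(report["encrypted"] or report["embeddings"] or report["has_vba"])


def build_sample_docx(with_embedding):
    """Constructed sample: a minimal OOXML zip, optionally with oleObject1.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_embedding:
            zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 64)
    return buf.getvalue()


def build_sample_encrypted():
    """Constructed sample: not a valid CFB file, only the OLE2 magic followed
    by the markers a real encrypted package carries; enough for the heuristic."""
    return (OLE2_MAGIC + b"\x00" * 504 + ENCRYPTION_INFO_STREAM
            + b"\x00" * 16 + ENCRYPTION_NS + b" " + PASSWORD_KEYENC_NS)


if __name__ == "__main__":
    samples = [("clean.docx", build_sample_docx(False)),
               ("Invoice.doc (really a .docx)", build_sample_docx(True)),
               ("encrypted.docx", build_sample_encrypted()),
               ("something.pdf", b"%PDF-1.4 constructed stub")]
    for label, blob in samples:
        r = triage(blob)
        print(f"{label}: {r} -> suspicious={is_suspicious(r)}")
```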


Re: [clamav-users] password protected encrypted .docx files

2017-11-15 Thread Mark Foley
On Wed 15 Nov 2017 01:14:00 -0800 Al Varnell <alvarn...@mac.com> wrote:

>On Tue, Nov 14, 2017 at 07:45 AM, Mark Foley wrote:
>> I found this older message in the archives. I'm receiving a lot of fake
>> "Invoice" messages with attached encrypted .doc files that run VB scripts and
>> execute .exe files.
>> 
>> I'd like to block encrypted Word documents.  Interestingly, as Reindl Harald
>> says, ".docx files *are* zip files", but lately I've been getting .doc files
>> which are really .docx file.  KDE Dolphin isn't deceived and opens the
>> attachment as an archive, but Word in WIN7 goes ahead and opens it as a
>> document.  If I rename the document to .docx, then Dolphin opens it in
>> LibreOffice. 
>> 
>> So, will ArchiveblockEncrypted work on .doc files too? I.e. is clamav smart
>> enough to look beyond the extension?
>
> In general, yes, clamAV doesn't pay attention to extensions and looks for 
> document signatures that are usually at the top of a file to determine file 
> type. That being said, I can't confirm exactly how it handles .doc and .docx 
> files.
>

Thanks Al. I'll turn this on and experiment. I'll post back my findings.

Does anyone have experience with this?

>-Al-
>
>> Will ArchiveblockEncrypted block *ALL* encrypted archives including zip?
>> 
>> Finally, Dino Edwards wrote:
>> 
>>> Yes, it is - you can turn ArchiveBlockEncrypted off in clamd.conf (it's off 
>>> by default)
>> 
>> Is that a typo? Did he mean "you can turn ArchiveBlockEncrypted on in
>> clamd.conf"? Seems like turning this "off" would NOT block encrypted files.
>> 
>> THX --Mark
>> 
>> -Original Message-
>>> Date: Wed, 5 Apr 2017 21:19:47 +0200
>>> From: Reindl Harald <h.rei...@thelounge.net>
>>> 
>>> technically .docx *are* zip files
>>> 
>>> On 05.04.2017 at 21:08, Dino Edwards wrote:
>>>> Didn't realize the ArchiveblockEncrypted included MS Word files. I thought 
>>>> it would be for password protected zip rar and such
>>>> 
>>>> -Original Message-
>>>> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Benny Pedersen
>>>> Sent: Wednesday, April 5, 2017 11:22 AM
>>>> To: clamav-users@lists.clamav.net
>>>> Subject: Re: [clamav-users] password protected encrypted .docx files
>>>> 
>>>> Dino Edwards wrote on 2017-04-05 16:48:
>>>>> Any way to get clamav to block password protected Microsoft word files?
>>>> 
>>>> Yes, it is - you can turn ArchiveBlockEncrypted off in clamd.conf (it's 
>>>> off by default)
>>>> 
>>>> if not working pastebin your clamconf (clamav section only) 


Re: [clamav-users] password protected encrypted .docx files

2017-11-14 Thread Mark Foley
I found this older message in the archives. I'm receiving a lot of fake
"Invoice" messages with attached encrypted .doc files that run VB scripts and
execute .exe files.

I'd like to block encrypted Word documents.  Interestingly, as Reindl Harald
says, ".docx files *are* zip files", but lately I've been getting .doc files
which are really .docx files.  KDE Dolphin isn't deceived and opens the
attachment as an archive, but Word in WIN7 goes ahead and opens it as a
document.  If I rename the document to .docx, then Dolphin opens it in
LibreOffice. 

So, will ArchiveblockEncrypted work on .doc files too? I.e. is clamav smart
enough to look beyond the extension?

Will ArchiveblockEncrypted block *ALL* encrypted archives including zip?

Finally, Dino Edwards wrote:

> Yes, it is - you can turn ArchiveBlockEncrypted off in clamd.conf (it's off 
> by default)

Is that a typo? Did he mean "you can turn ArchiveBlockEncrypted on in
clamd.conf"? Seems like turning this "off" would NOT block encrypted files.

THX --Mark

-Original Message-
> Date: Wed, 5 Apr 2017 21:19:47 +0200
> From: Reindl Harald 
>
> technically .docx *are* zip files
>
> On 05.04.2017 at 21:08, Dino Edwards wrote:
> > Didn't realize the ArchiveblockEncrypted included MS Word files. I thought 
> > it would be for password protected zip rar and such
> >
> > -Original Message-
> > From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf 
> > Of Benny Pedersen
> > Sent: Wednesday, April 5, 2017 11:22 AM
> > To: clamav-users@lists.clamav.net
> > Subject: Re: [clamav-users] password protected encrypted .docx files
> >
> > Dino Edwards wrote on 2017-04-05 16:48:
> >> Any way to get clamav to block password protected Microsoft word files?
> >
> > Yes, it is - you can turn ArchiveBlockEncrypted off in clamd.conf (it's off 
> > by default)
> >
> > if not working pastebin your clamconf (clamav section only) 


Re: [clamav-users] PUA.Win.Trojan.EmbeddedPDF-1 and PUA.Pdf.Trojan.EmbeddedJavaScript-1

2017-10-26 Thread Mark Foley
You are right! I disabled the ign2 file containing a couple of bytecode
signatures generating false positives (to see if they were fixed), but I didn't
notice that I also had these two 'trojan' signatures in the same file.

I've re-enabled the PUA.*Trojan* signatures in the ign2 file and my notices have
stopped.

The bytecode signatures appear to be fixed, as they are no longer in the ign2
file but are generating no notices. 

BC.Pdf.Exploit.CVE_2017_2862-6331914-0
BC.Pdf.Exploit.CVE_2017_3032-6316401-6

THX -- Mark

On Wed, 25 Oct 2017 15:17:57 -0700 Al Varnell <alvarn...@mac.com> wrote:
>
> We discussed these same two last December: Usage questions on local.ign2
> <http://lists.clamav.net/pipermail/clamav-users/2016-December/003938.html>
>
> -Al-
>
> On Wed, Oct 25, 2017 at 08:33 AM, Mark Foley wrote:
> > Today I got clamscan notices for PUA.Pdf.Trojan.EmbeddedJavaScript-1 and
> > PUA.Win.Trojan.EmbeddedPDF-1 on over 100 old email files that have been out
> > there for years. 
> > 
> > Are these false positives?
> > 
> > --Mark


[clamav-users] PUA.Win.Trojan.EmbeddedPDF-1 and PUA.Pdf.Trojan.EmbeddedJavaScript-1

2017-10-25 Thread Mark Foley
Today I got clamscan notices for PUA.Pdf.Trojan.EmbeddedJavaScript-1 and
PUA.Win.Trojan.EmbeddedPDF-1 on over 100 old email files that have been out
there for years. 

Are these false positives?

--Mark


Re: [clamav-users] Bytecode run timed out

2017-07-28 Thread Mark Foley
It looks like this is the one that gives the "Bytecode run timed out" warning.
I'm trying the other two as well.

BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}

Plus, there's a new bytecode exploit that seems to be giving me a lot of
positives: 

BC.Pdf.Exploit.CVE_2017_3032-6316401-6

I've put that (with the trailing '.{}') in the .ign2 file as well.

Can I use a '#' at the beginning of the lines in the .ign2 file as a comment?
I've found no documentation on this and, if not, I might be getting false
results.

--Mark

-Original Message-----
From: Mark Foley <mfo...@novatec-inc.com>
Date: Thu, 27 Jul 2017 14:56:44 -0400
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Bytecode run timed out

Yes, I was able to find the file as well.  I've used the syntax in the
/var/lib/clamav/local.ign2 file recommended by Al Varnell:

BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}

and that worked to block the warning. Now I will test each one in turn to see
which bytecode is causing the message.

--Mark

On Thu, 27 Jul 2017 10:31:34 -0400 Fred Wittekind <r...@twister.dyndns.org> 
wrote:
>
> I have been noticing the same issue.  I found at least one file that was 
> causing the error, and was able to test with a single file, instead of 
> having to virus scan an entire directory tree to test.
>
> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> LibClamAV Warning: [Bytecode JIT]: recovered from error
> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> LibClamAV Warning: Bytcode 64 failed to run: Time limit reached
>
> This worked for me:
>
> # cat /var/lib/clamav/local.ign2
> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>
> The problem file was the one listed under the JIT error messages, in my 
> case, it was a pdf file that caused it.
>
> - Fred
>
> On 7/22/2017 6:56 PM, Al Varnell wrote:
> > That's the correct place to put the file.
> >
> > I suspect you'll want to try one at a time to nail down which signature is 
> > causing the problem.
> >
> > Checking back I see there was a period rather than a space between the 
> > signature name and the brackets, so:
> >
> > BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
> > BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
> > BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
> >
> > -Al-
> >
> >
> > On Jul 22, 2017, at 1:45 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
> >
> >> That didn't work. I'll try w/o the {}.
> >>
> >> Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
> >>
> >> --Mark
> >>
> >> -Original Message-
> >> From: Mark Foley <mfo...@novatec-inc.com>
> >> Date: Sat, 22 Jul 2017 11:08:28 -0400
> >> To: clamav-users@lists.clamav.net
> >>
> >> So, like this?
> >>
> >> BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
> >> BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
> >> BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}
> >>
> >> --Mark
> >>
> >> On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >>> Yes, they can be added to a local .ign2 file, but the last time it was 
> >>> discussed here, the entry needed to be followed by {} for some unknown 
> >>> reason, to make it work.
> >>>
> >>> -Al-
> >>>
> >>> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
> >>>> Are bytecodes individually blockable?
> >>>>
> >>>> --Mark
> >>>>
> >>>> On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >>>>> FYI, the following were added by bytecode 306:
> >>>>>
> >>>>>   * BC.Multios.Exploit.CVE_2017_2816-6329916-0
> >>>>>   * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
> >>>>>   * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
> >>>>>
> >>>>> -Al-
> >>>>>
> >>>>> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
> >>>>>> I ran clamscan by hand on the files before and after the error, and 
> >>>>>> it's the file
> >>>>>> after the error.  I've bumped the --bytecode-timeout to 120000, 180000 and
> >>>>>> finally 600000 (10 minutes) and it fails for all these values, even 
> >>>>>> though the
> >>>>>> file itself is not that big (1.2M).
> >&
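
To turn Al's "try one at a time" advice into a repeatable check, here is an added Python example (mine, not ClamAV's code and not posted by anyone in this thread). It writes the .ign2 line form the thread reports as working (the bare signature name followed by ".{}"; the "name {}" form did not work), re-scans a single file that reproduces the warning once per candidate signature, and reports which entry makes the warning disappear. Assumptions: clamscan accepts -d more than once, so a temporary directory holding only the test local.ign2 can be loaded next to the official database directory without editing /var/lib/clamav; the candidate names are the three Al listed from bytecode 306; --bytecode-timeout is passed through so a larger timeout can be tried in the same run. The script writes no comment lines, so the open question about '#' in .ign2 stays open. Keep in mind that an ignored entry disables that bytecode detection on the host for as long as the line stays in local.ign2.

```python
"""Find which bytecode signature makes one file trip the 'Bytecode run timed
out' warning.  Added example for this thread, not ClamAV code.

Strategy (Al's 'one at a time' suggestion, automated): scan the single
problem file once with no local .ign2 as a baseline, then once per
candidate signature with a temporary local.ign2 that ignores only that
signature.  A candidate whose suppression makes the warning disappear is
the one whose bytecode is timing out on this file.
"""
import os
import subprocess
import sys
import tempfile

TIMEOUT_MARKER = "Bytecode run timed out"


def ign2_entry(signature):
    """Normalise a name into the .ign2 form this thread found to work:
    the bare signature name with '.{}' appended ('name {}' did not work)."""
    sig = signature.strip()
    if sig.endswith(" {}"):
        sig = sig[:-3].rstrip()
    if not sig.endswith(".{}"):
        sig += ".{}"
    return sig


def build_ign2(signatures):
    """Text of a local.ign2 listing the given signatures, one per line."""
    return "".join(ign2_entry(s) + "\n" for s in signatures)


def clamscan_runner(target, db_dir="/var/lib/clamav", bytecode_timeout_ms=60000):
    """Return run(entries) -> merged clamscan output for `target`.

    Assumption: clamscan accepts -d more than once, so the official database
    directory and a temporary directory holding only our local.ign2 can both
    be loaded without touching db_dir.  If your build rejects that, write
    the file into db_dir instead.  With no entries the extra -d is omitted
    rather than loading an empty .ign2.
    """
    def run(entries):
        with tempfile.TemporaryDirectory() as tmp:
            cmd = ["clamscan", "--no-summary", "--stdout",
                   "--bytecode-timeout=%d" % bytecode_timeout_ms, "-d", db_dir]
            if entries:
                with open(os.path.join(tmp, "local.ign2"), "w") as fh:
                    fh.write(build_ign2(entries))
                cmd += ["-d", tmp]
            proc = subprocess.run(cmd + [target], stdout=subprocess.PIPE,
                                  stderr=subprocess.STDOUT, text=True)
            return proc.stdout
    return run


def bisect_signatures(candidates, run_scan):
    """Return (baseline_timed_out, culprits).

    run_scan(entries) must scan the problem file with exactly those .ign2
    entries in place and return the merged output; it is a parameter so the
    logic can be exercised with a fake scanner as well as the real one.
    """
    if TIMEOUT_MARKER not in run_scan([]):
        return False, []          # nothing to bisect: no warning without .ign2
    culprits = [sig for sig in candidates
                if TIMEOUT_MARKER not in run_scan([ign2_entry(sig)])]
    return True, culprits


if __name__ == "__main__":
    # Usage: python3 bisect_bc.py /path/to/problem.pdf SIG [SIG ...]
    # e.g. the three names bytecode 306 added, as listed in this thread.
    target, *names = sys.argv[1:]
    timed_out, culprits = bisect_signatures(names, clamscan_runner(target))
    if not timed_out:
        print("no bytecode timeout on", target, "without a local .ign2")
    else:
        print("timeout suppressed by ignoring:", culprits or "none of the candidates")
```

If none of the candidates suppresses the warning, the bytecode that is timing out is not one of the three new ones and the candidate list needs widening; if more than one does, the file is tripping several signatures and each should be reported separately.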

Re: [clamav-users] Bytecode run timed out

2017-07-27 Thread Mark Foley
Yes, I was able to find the file as well.  I've used the syntax in the
/var/lib/clamav/local.ign2 file recommended by Al Varnell:

BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}

and that worked to block the warning. Now I will test each one in turn to see
which bytecode is causing the message.

--Mark

On Thu, 27 Jul 2017 10:31:34 -0400 Fred Wittekind <r...@twister.dyndns.org> 
wrote:
>
> I have been noticing the same issue.  I found at least one file that was 
> causing the error, and was able to test with a single file, instead of 
> having to virus scan an entire directory tree to test.
>
> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> LibClamAV Warning: [Bytecode JIT]: recovered from error
> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> LibClamAV Warning: Bytcode 64 failed to run: Time limit reached
>
> This worked for me:
>
> # cat /var/lib/clamav/local.ign2
> BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
>
> The problem file was the one listed under the JIT error messages, in my 
> case, it was a pdf file that caused it.
>
> - Fred
>
> On 7/22/2017 6:56 PM, Al Varnell wrote:
> > That's the correct place to put the file.
> >
> > I suspect you'll want to try one at a time to nail down which signature is 
> > causing the problem.
> >
> > Checking back I see there was a period rather than a space between the 
> > signature name and the brackets, so:
> >
> > BC.Multios.Exploit.CVE_2017_2816-6329916-0.{}
> > BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{}
> > BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}
> >
> > -Al-
> >
> >
> > On Jul 22, 2017, at 1:45 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
> >
> >> That didn't work. I'll try w/o the {}.
> >>
> >> Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?
> >>
> >> --Mark
> >>
> >> -Original Message-
> >> From: Mark Foley <mfo...@novatec-inc.com>
> >> Date: Sat, 22 Jul 2017 11:08:28 -0400
> >> To: clamav-users@lists.clamav.net
> >>
> >> So, like this?
> >>
> >> BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
> >> BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
> >> BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}
> >>
> >> --Mark
> >>
> >> On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >>> Yes, they can be added to a local .ign2 file, but the last time it was 
> >>> discussed here, the entry needed to be followed by {} for some unknown 
> >>> reason, to make it work.
> >>>
> >>> -Al-
> >>>
> >>> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
> >>>> Are bytecodes individually blockable?
> >>>>
> >>>> --Mark
> >>>>
> >>>> On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >>>>> FYI, the following were added by bytecode 306:
> >>>>>
> >>>>>   * BC.Multios.Exploit.CVE_2017_2816-6329916-0
> >>>>>   * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
> >>>>>   * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
> >>>>>
> >>>>> -Al-
> >>>>>
> >>>>> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
> >>>>>> I ran clamscan by hand on the files before and after the error, and 
> >>>>>> it's the file
> >>>>>> after the error.  I've bumped the --bytecode-timeout to 120000, 180000 and
> >>>>>> finally 600000 (10 minutes) and it fails for all these values, even 
> >>>>>> though the
> >>>>>> file itself is not that big (1.2M).
> >>>>>>
> >>>>>> This is a pretty recent phenomenon.  Perhaps something introduced in a 
> >>>>>> recent
> >>>>>> update.  I received bytecode.cld version 306 in freshclam starting on 
> >>>>>> July 16,
> >>>>>> 2017; which is exactly when I started seeing this warning.  I did not 
> >>>>>> get the
> >>>>>> warning with version 305.
> >>>>>>
> >>>>>> Is this a bug?
> >>>>>>
> >>>>>> For now, I guess I'll just have to live with it.
> >>>>>>
> >&

Re: [clamav-users] Bytecode run timed out

2017-07-22 Thread Mark Foley
That didn't work. I'll try w/o the {}. 

Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct?

--Mark

-Original Message-
From: Mark Foley <mfo...@novatec-inc.com>
Date: Sat, 22 Jul 2017 11:08:28 -0400
To: clamav-users@lists.clamav.net

So, like this?

BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}

--Mark

On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell <alvarn...@mac.com> wrote:
> Yes, they can be added to a local .ign2 file, but the last time it was 
> discussed here, the entry needed to be followed by {} for some unknown 
> reason, to make it work.
>
> -Al-
>
> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
> > 
> > Are bytecodes individually blockable?
> > 
> > --Mark
> > 
> > On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >> 
> >> FYI, the following were added by bytecode 306:
> >> 
> >>   * BC.Multios.Exploit.CVE_2017_2816-6329916-0
> >>   * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
> >>   * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
> >> 
> >> -Al-
> >> 
> >> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
> >>> 
> >>> I ran clamscan by hand on the files before and after the error, and it's 
> >>> the file
> >>> after the error.  I've bumped the --bytecode-timeout to 120000, 180000 and
> >>> finally 600000 (10 minutes) and it fails for all these values, even 
> >>> though the
> >>> file itself is not that big (1.2M). 
> >>> 
> >>> This is a pretty recent phenomenon.  Perhaps something introduced in a 
> >>> recent
> >>> update.  I received bytecode.cld version 306 in freshclam starting on 
> >>> July 16,
> >>> 2017; which is exactly when I started seeing this warning.  I did not get 
> >>> the
> >>> warning with version 305. 
> >>> 
> >>> Is this a bug?
> >>> 
> >>> For now, I guess I'll just have to live with it.
> >>> 
> >>> Thanks, --Mark
> >>> 
> >>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >>>> 
> >>>> It's almost certainly a file that follows S=12386 since that one is 
> >>>> being reported as "OK". The file that failed might not even be listed, 
> >>>> having failed the scan, although I suppose it's possible for it to be 
> >>>> the next one shown.
> >>>> 
> >>>> It's my understanding that not all files receive a bytecode signature 
> >>>> scan, making it even more difficult to determine the problem file.
> >>>> 
> >>>> -Al-
> >>>> 
> >>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> >>>>> 
> >>>>> Here's the partial output from clamscan w/o the --infected option:
> >>>>> 
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS:
> >>>>>  OK
> >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag 
> >>>>> set
> >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S:
> >>>>>  OK
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S:
> >>>>>  OK
> >>>>> 
> >>>>> These are Maildir format files. The "S=12386" part is in fact the file 
> >>>>> size.
> >>>>> It's not apparent from where the Warning message is issued what file is 
> >>>>> causing
> >>>>> the warning. The 12,657 byte file couldn't have been it and why would 
> >>>>> the
> >>>>> 1,266,193 size file cause the warning and not the more than 
> >>>>> twice-as-large file
> >>>>> immediately following? Also there are much larger files in this 
> >>>>> directory, up to
> >>>>> 21M, but this is the only warning issued.
> >>>>> 
> >

Re: [clamav-users] Bytecode run timed out

2017-07-22 Thread Mark Foley
So, like this?

BC.Multios.Exploit.CVE_2017_2816-6329916-0 {}
BC.Pdf.Exploit.CVE_2017_2818-6331913-0 {}
BC.Pdf.Exploit.CVE_2017_2862-6331914-0 {}

--Mark

On Fri, 21 Jul 2017 22:54:51 -0700 Al Varnell <alvarn...@mac.com> wrote:
> Yes, they can be added to a local .ign2 file, but the last time it was 
> discussed here, the entry needed to be followed by {} for some unknown 
> reason, to make it work.
>
> -Al-
>
> On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote:
> > 
> > Are bytecodes individually blockable?
> > 
> > --Mark
> > 
> > On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >> 
> >> FYI, the following were added by bytecode 306:
> >> 
> >>   * BC.Multios.Exploit.CVE_2017_2816-6329916-0
> >>   * BC.Pdf.Exploit.CVE_2017_2818-6331913-0
> >>   * BC.Pdf.Exploit.CVE_2017_2862-6331914-0
> >> 
> >> -Al-
> >> 
> >> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
> >>> 
> >>> I ran clamscan by hand on the files before and after the error, and it's 
> >>> the file
> >>> after the error.  I've bumped the --bytecode-timeout to 120000, 180000 and
> >>> finally 600000 (10 minutes) and it fails for all these values, even 
> >>> though the
> >>> file itself is not that big (1.2M). 
> >>> 
> >>> This is a pretty recent phenomenon.  Perhaps something introduced in a 
> >>> recent
> >>> update.  I received bytecode.cld version 306 in freshclam starting on 
> >>> July 16,
> >>> 2017; which is exactly when I started seeing this warning.  I did not get 
> >>> the
> >>> warning with version 305. 
> >>> 
> >>> Is this a bug?
> >>> 
> >>> For now, I guess I'll just have to live with it.
> >>> 
> >>> Thanks, --Mark
> >>> 
> >>> On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >>>> 
> >>>> It's almost certainly a file that follows S=12386 since that one is 
> >>>> being reported as "OK". The file that failed might not even be listed, 
> >>>> having failed the scan, although I suppose it's possible for it to be 
> >>>> the next one shown.
> >>>> 
> >>>> It's my understanding that not all files receive a bytecode signature 
> >>>> scan, making it even more difficult to determine the problem file.
> >>>> 
> >>>> -Al-
> >>>> 
> >>>> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> >>>>> 
> >>>>> Here's the partial output from clamscan w/o the --infected option:
> >>>>> 
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS:
> >>>>>  OK
> >>>>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag 
> >>>>> set
> >>>>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>>>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>>>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S:
> >>>>>  OK
> >>>>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S:
> >>>>>  OK
> >>>>> 
> >>>>> These are Maildir format files. The "S=12386" part is in fact the file 
> >>>>> size.
> >>>>> It's not apparent from where the Warning message is issued what file is 
> >>>>> causing
> >>>>> the warning. The 12,657 byte file couldn't have been it and why would 
> >>>>> the
> >>>>> 1,266,193 size file cause the warning and not the more than 
> >>>>> twice-as-large file
> >>>>> immediately following? Also there are much larger files in this 
> >>>>> directory, up to
> >>>>> 21M, but this is the only warning issued.
> >>>>> 
> >>>>> --Mark
> >>>>> 
> >>>>> -Original Message-
> >>>>> From: Mark Foley <mfo...@novatec-inc.com>
> >>>>> Date: Thu, 20 Jul 2017 21:51:38 -0400
> >>>>> To

Re: [clamav-users] Bytecode run timed out

2017-07-21 Thread Mark Foley
Are bytecodes individually blockable?

--Mark

On Fri, 21 Jul 2017 21:10:13 -0700 Al Varnell <alvarn...@mac.com> wrote:
>
> FYI, the following were added by bytecode 306:
>
>* BC.Multios.Exploit.CVE_2017_2816-6329916-0
>* BC.Pdf.Exploit.CVE_2017_2818-6331913-0
>* BC.Pdf.Exploit.CVE_2017_2862-6331914-0
>
> -Al-
>
> On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote:
> > 
> > I ran clamscan by hand on the files before and after the error, and it's 
> > the file
> > after the error.  I've bumped the --bytecode-timeout to 120000, 180000 and
> > finally 600000 (10 minutes) and it fails for all these values, even though 
> > the
> > file itself is not that big (1.2M). 
> > 
> > This is a pretty recent phenomenon.  Perhaps something introduced in a 
> > recent
> > update.  I received bytecode.cld version 306 in freshclam starting on July 
> > 16,
> > 2017; which is exactly when I started seeing this warning.  I did not get 
> > the
> > warning with version 305. 
> > 
> > Is this a bug?
> > 
> > For now, I guess I'll just have to live with it.
> > 
> > Thanks, --Mark
> > 
> > On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell <alvarn...@mac.com> wrote:
> >> 
> >> It's almost certainly a file that follows S=12386 since that one is being 
> >> reported as "OK". The file that failed might not even be listed, having 
> >> failed the scan, although I suppose it's possible for it to be the next 
> >> one shown.
> >> 
> >> It's my understanding that not all files receive a bytecode signature 
> >> scan, making it even more difficult to determine the problem file.
> >> 
> >> -Al-
> >> 
> >> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> >>> 
> >>> Here's the partial output from clamscan w/o the --infected option:
> >>> 
> >>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS:
> >>>  OK
> >>> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag 
> >>> set
> >>> LibClamAV Warning: [Bytecode JIT]: recovered from error
> >>> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> >>> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S:
> >>>  OK
> >>> /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S:
> >>>  OK
> >>> 
> >>> These are Maildir format files. The "S=12386" part is in fact the file 
> >>> size.
> >>> It's not apparent from where the Warning message is issued what file is 
> >>> causing
> >>> the warning. The 12,657 byte file couldn't have been it and why would the
> >>> 1,266,193 size file cause the warning and not the more than 
> >>> twice-as-large file
> >>> immediately following? Also there are much larger files in this 
> >>> directory, up to
> >>> 21M, but this is the only warning issued.
> >>> 
> >>> --Mark
> >>> 
> >>> -Original Message-
> >>> From: Mark Foley <mfo...@novatec-inc.com>
> >>> Date: Thu, 20 Jul 2017 21:51:38 -0400
> >>> To: clamav-users@lists.clamav.net
> >>> Subject: Re: [clamav-users] Bytecode run timed out
> >>> 
> >>> OK, I'll turn that off and see what I get.
> >>> 
> >>> --Mark
> >>> 
> >>> On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan <smor...@sourcefire.com> 
> >>> wrote:
> >>>> 
> >>>> --infected suppresses the printing of clean file names.
> >>>> 
> >>>> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley <mfo...@novatec-inc.com> 
> >>>> wrote:
> >>>> 
> >>>>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan 
> >>>>> <smor...@sourcefire.com>
> >>>>> wrote:
> >>>>> My parameters are:
> >>>>> 
> >>>>> clamscan -a --detect-pua=yes --no-summary --stdout --infected 
> >>>>> --recursive \
> >>>>> --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
> >>>>> 
> >>>>> 
> >>>>> --Mark
> >>>&

Re: [clamav-users] Bytecode run timed out

2017-07-21 Thread Mark Foley
I ran clamscan by hand on the files before and after the error, and it's the 
file
after the error.  I've bumped the --bytecode-timeout to 120000, 180000 and
finally 600000 (10 minutes) and it fails for all these values, even though the
file itself is not that big (1.2M). 

This is a pretty recent phenomenon.  Perhaps something introduced in a recent
update.  I received bytecode.cld version 306 in freshclam starting on July 16,
2017; which is exactly when I started seeing this warning.  I did not get the
warning with version 305. 

Is this a bug?

For now, I guess I'll just have to live with it.

Thanks, --Mark

On Fri, 21 Jul 2017 16:51:33 -0700 Al Varnell <alvarn...@mac.com> wrote:
>
> It's almost certainly a file that follows S=12386 since that one is being 
> reported as "OK". The file that failed might not even be listed, having 
> failed the scan, although I suppose it's possible for it to be the next one 
> shown.
>
> It's my understanding that not all files receive a bytecode signature scan, 
> making it even more difficult to determine the problem file.
>
> -Al-
>
> On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:
> > 
> > Here's the partial output from clamscan w/o the --infected option:
> > 
> > /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS:
> >  OK
> > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> > /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S:
> >  OK
> > /home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S:
> >  OK
> > 
> > These are Maildir format files. The "S=12386" part is in fact the file size.
> > It's not apparent from where the Warning message is issued what file is 
> > causing
> > the warning. The 12,657 byte file couldn't have been it and why would the
> > 1,266,193 size file cause the warning and not the more than twice-as-large 
> > file
> > immediately following? Also there are much larger files in this directory, 
> > up to
> > 21M, but this is the only warning issued.
> > 
> > --Mark
> > 
> > -Original Message-
> > From: Mark Foley <mfo...@novatec-inc.com>
> > Date: Thu, 20 Jul 2017 21:51:38 -0400
> > To: clamav-users@lists.clamav.net
> > Subject: Re: [clamav-users] Bytecode run timed out
> > 
> > OK, I'll turn that off and see what I get.
> > 
> > --Mark
> > 
> > On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan <smor...@sourcefire.com> 
> > wrote:
> >> 
> >> --infected suppresses the printing of clean file names.
> >> 
> >> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
> >> 
> >>> On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan <smor...@sourcefire.com>
> >>> wrote:
> >>> My parameters are:
> >>> 
> >>> clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive 
> >>> \
> >>>  --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
> >>> 
> >>> 
> >>> --Mark
> >>> 
> >>>> 
> >>>> The default is 60000 milliseconds. What clamscan parameters are you
> >>> using?
> >>>> I am seeing file names by default.
> >>>> 
> >>>> Steve
> >>>> 
> >>>> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <mfo...@novatec-inc.com>
> >>> wrote:
> >>>> 
> >>>>> It doesn't give any file names, even in the logfiles.  It happens when
> >>> I'm
> >>>>> running clamscan.
> >>>>> 
> >>>>> I am running it on lots of files, 124,681 to be exact (IMAP mail
> >>> files).
> >>>>> 
> >>>>> What is the default for --bytecode-timeout? If I get it again I'll
> >>>>> increase it.
> >>>>> 
> >>>>> Thanks, --Mark
> >>>>> 
> >>>>> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <
> >>> smor...@sourcefire.com>
> >>>>> wrote:
> >>>>>> 
> >>>>>> When ClamAV runs bytecode signatures, it uses a timer to limit the
> >

Re: [clamav-users] Bytecode run timed out

2017-07-21 Thread Mark Foley
Here's the partial output from clamscan w/o the --infected option:

/home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS:
 OK
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
/home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S:
 OK
/home/HPRS/charmaine/Maildir/.INBOX.Audit-CAFR-OBM/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S:
 OK

These are Maildir format files. The "S=12386" part is in fact the file size.
It's not apparent from where the Warning message is issued what file is causing
the warning. The 12,657 byte file couldn't have been it and why would the
1,266,193 size file cause the warning and not the more than twice-as-large file
immediately following? Also there are much larger files in this directory, up to
21M, but this is the only warning issued.

--Mark

-Original Message-----
From: Mark Foley <mfo...@novatec-inc.com>
Date: Thu, 20 Jul 2017 21:51:38 -0400
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Bytecode run timed out

OK, I'll turn that off and see what I get.

--Mark

On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan <smor...@sourcefire.com> wrote:
>
> --infected suppresses the printing of clean file names.
>
> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
>
> > On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan <smor...@sourcefire.com>
> > wrote:
> > My parameters are:
> >
> > clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
> >   --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
> >
> >
> > --Mark
> >
> > >
> > > The default is 60000 milliseconds. What clamscan parameters are you
> > using?
> > > I am seeing file names by default.
> > >
> > > Steve
> > >
> > > On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <mfo...@novatec-inc.com>
> > wrote:
> > >
> > > > It doesn't give any file names, even in the logfiles.  It happens when
> > I'm
> > > > running clamscan.
> > > >
> > > > I am running it on lots of files, 124,681 to be exact (IMAP mail
> > files).
> > > >
> > > > What is the default for --bytecode-timeout? If I get it again I'll
> > > > increase it.
> > > >
> > > > Thanks, --Mark
> > > >
> > > > On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <
> > smor...@sourcefire.com>
> > > > wrote:
> > > > >
> > > > > When ClamAV runs bytecode signatures, it uses a timer to limit the
> > amount
> > > > > of processing.
> > > > >
> > > > > Are you seeing it on a lot of files? If that is the case, the
> > bytecode
> > > > > signature may require attention.
> > > > >
> > > > > You can try increasing the timeout limit. --bytecode-timeout for
> > clamscan
> > > > > and BytecodeTimeout for clamd.
> > > > >
> > > > > Steve
> > > > >
> > > > > On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley <mfo...@novatec-inc.com>
> > > > wrote:
> > > > >
> > > > > > What is this? It just started happening.
> > > > > >
> > > > > > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout
> > > > flag set
> > > > > > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > > > > > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
> > > > error!
> > > > > > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> > > > > >
> > > > > > Thanks, Mark
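
The output above shows the attribution problem directly: clamscan prints a file's result line only after libclamav has finished scanning it, while the warnings are written during the scan, so with stderr merged into stdout the file that timed out is the one whose result line follows the warning burst, which is what the by-hand rescan in this thread confirmed. The following is an added Python example (mine, not ClamAV's code and not something posted in the thread) that pairs each burst of LibClamAV warnings with the next result line and pulls the message size out of the Maildir filename. It assumes the scan was run without --infected (that flag suppresses the OK lines the pairing relies on, as noted in the thread) and that stdout was line-buffered when piped, for example via stdbuf -oL, so the two streams keep their real order. The sample log lines are constructed, modelled on the output quoted above with shortened paths.

```python
"""Attribute libclamav 'Bytecode run timed out' warnings to the file being
scanned.  Added example for this thread, not ClamAV code.

clamscan prints a file's result line ('<path>: OK', '<path>: <sig> FOUND',
...) only after the scan of that file returns, while libclamav writes its
warnings during the scan.  With stderr merged into stdout (2>&1) and stdout
line-buffered, a burst of 'LibClamAV Warning' lines is therefore followed
by the result line of the file that triggered it.  Run without --infected:
that flag suppresses the 'OK' lines the attribution depends on.
"""
import re
import sys

WARNING_PREFIX = "LibClamAV Warning:"
RESULT_RE = re.compile(
    r"^(?P<path>.+?): (?P<verdict>OK|Empty file|Excluded.*|.+ FOUND|.+ ERROR)$")
# Dovecot-style Maildir filenames embed the message size as ',S=<bytes>'.
MAILDIR_SIZE_RE = re.compile(r",S=(\d+)")


def maildir_size(path):
    """Size recorded in a Maildir filename, or None if the name has no S= field."""
    m = MAILDIR_SIZE_RE.search(path)
    return int(m.group(1)) if m else None


def attribute_warnings(lines):
    """Pair each burst of LibClamAV warnings with the result line that follows.

    Returns a list of dicts with keys path, verdict, size, warnings.  A burst
    with no following result line (for example at the end of a truncated
    log) is kept with path=None rather than dropped silently.
    """
    pending, attributed = [], []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith(WARNING_PREFIX):
            pending.append(line[len(WARNING_PREFIX):].strip())
            continue
        m = RESULT_RE.match(line)
        if m and pending:
            attributed.append({
                "path": m.group("path"),
                "verdict": m.group("verdict"),
                "size": maildir_size(m.group("path")),
                "warnings": pending,
            })
            pending = []
    if pending:
        attributed.append({"path": None, "verdict": None, "size": None,
                           "warnings": pending})
    return attributed


def timed_out_files(lines):
    """Paths whose scan produced a bytecode timeout warning."""
    return [a["path"] for a in attribute_warnings(lines)
            if any("Bytecode run timed out" in w for w in a["warnings"])]


# Constructed sample, modelled on the output quoted in this thread (paths
# shortened, 'Bytcode' spelled as libclamav prints it).  The warning burst
# sits between the 12,386-byte and the 1,266,193-byte message, so the
# latter is the one that timed out.
SAMPLE_OUTPUT = """\
/home/user/Maildir/cur/1424057307.M683247P23198.mail,S=12386,W=12657:2,RS: OK
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
/home/user/Maildir/cur/1424057400.M645852P23198.mail,S=1266193,W=1282921:2,S: OK
/home/user/Maildir/cur/1490619717.M352662P13554.mail,S=3456056,W=3506158:2,S: OK
""".splitlines()


if __name__ == "__main__":
    # Usage: stdbuf -oL clamscan --stdout --recursive DIR 2>&1 | python3 attribute.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for a in attribute_warnings(source):
        print(a["path"], a["size"], a["verdict"])
        for w in a["warnings"]:
            print("    ", w)
```

Once the script names a file, scanning that file alone with clamscan reproduces the warning in seconds instead of rescanning the whole Maildir tree, and the same single file is the right input for a per-signature .ign2 bisection.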

Re: [clamav-users] Bytecode run timed out

2017-07-20 Thread Mark Foley
OK, I'll turn that off and see what I get.

--Mark

On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan <smor...@sourcefire.com> wrote:
>
> --infected suppresses the printing of clean file names.
>
> On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
>
> > On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan <smor...@sourcefire.com>
> > wrote:
> > My parameters are:
> >
> > clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
> >   --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1
> >
> >
> > --Mark
> >
> > >
> > > The default is 60000 milliseconds. What clamscan parameters are you
> > using?
> > > I am seeing file names by default.
> > >
> > > Steve
> > >
> > > On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <mfo...@novatec-inc.com>
> > wrote:
> > >
> > > > It doesn't give any file names, even in the logfiles.  It happens when
> > I'm
> > > > running clamscan.
> > > >
> > > > I am running it on lots of files, 124,681 to be exact (IMAP mail
> > files).
> > > >
> > > > What is the default for --bytecode-timeout? If I get it again I'll
> > > > increase it.
> > > >
> > > > Thanks, --Mark
> > > >
> > > > On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <
> > smor...@sourcefire.com>
> > > > wrote:
> > > > >
> > > > > When ClamAV runs bytecode signatures, it uses a timer to limit the
> > amount
> > > > > of processing.
> > > > >
> > > > > Are you seeing it on a lot of files? If that is the case, the
> > bytecode
> > > > > signature may require attention.
> > > > >
> > > > > You can try increasing the timeout limit. --bytecode-timeout for
> > clamscan
> > > > > and BytecodeTimeout for clamd.
> > > > >
> > > > > Steve
> > > > >
> > > > > On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley <mfo...@novatec-inc.com>
> > > > wrote:
> > > > >
> > > > > > What is this? It just started happening.
> > > > > >
> > > > > > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout
> > > > flag set
> > > > > > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > > > > > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
> > > > error!
> > > > > > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> > > > > >
> > > > > > Thanks, Mark


Re: [clamav-users] Bytecode run timed out

2017-07-20 Thread Mark Foley
On Thu, 20 Jul 2017 12:22:39 -0400 Steven Morgan <smor...@sourcefire.com> wrote:
My parameters are:

clamscan -a --detect-pua=yes --no-summary --stdout --infected --recursive \
  --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ 2>&1


--Mark

>
> The default is 60000 milliseconds. What clamscan parameters are you using?
> I am seeing file names by default.
>
> Steve
>
> On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
>
> > It doesn't give any file names, even in the logfiles.  It happens when I'm
> > running clamscan.
> >
> > I am running it on lots of files, 124,681 to be exact (IMAP mail files).
> >
> > What is the default for --bytecode-timeout? If I get it again I'll
> > increase it.
> >
> > Thanks, --Mark
> >
> > On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <smor...@sourcefire.com>
> > wrote:
> > >
> > > When ClamAV runs bytecode signatures, it uses a timer to limit the amount
> > > of processing.
> > >
> > > Are you seeing it on a lot of files? If that is the case, the bytecode
> > > signature may require attention.
> > >
> > > You can try increasing the timeout limit. --bytecode-timeout for clamscan
> > > and BytecodeTimeout for clamd.
> > >
> > > Steve
> > >
> > > On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley <mfo...@novatec-inc.com>
> > wrote:
> > >
> > > > What is this? It just started happening.
> > > >
> > > > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout
> > flag set
> > > > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > > > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
> > error!
> > > > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> > > >
> > > > Thanks, Mark


Re: [clamav-users] Bytecode run timed out

2017-07-20 Thread Mark Foley
It doesn't give any file names, even in the logfiles.  It happens when I'm
running clamscan. 

I am running it on lots of files, 124,681 to be exact (IMAP mail files).

What is the default for --bytecode-timeout? If I get it again I'll increase it.

Thanks, --Mark

On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <smor...@sourcefire.com> wrote:
>
> When ClamAV runs bytecode signatures, it uses a timer to limit the amount
> of processing.
>
> Are you seeing it on a lot of files? If that is the case, the bytecode
> signature may require attention.
>
> You can try increasing the timeout limit. --bytecode-timeout for clamscan
> and BytecodeTimeout for clamd.
>
> Steve
>
> On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley <mfo...@novatec-inc.com> wrote:
>
> > What is this? It just started happening.
> >
> > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> >
> > Thanks, Mark


[clamav-users] Bytecode run timed out

2017-07-20 Thread Mark Foley
What is this? It just started happening.

LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytcode 5 failed to run: Time limit reached

Thanks, Mark


Re: [clamav-users] How to know if yara rules are being run?

2017-07-06 Thread Mark Foley
On Thu, 6 Jul 2017 11:34:53 -0400 Kris Deugau <kdeu...@vianet.ca> wrote
>
> Mark Foley wrote:
>
> > So, the question posted below remains:
> >
> > Will the expetr.yara rule, described in this thread, run as is, or not, on
> > Linux?
>
> Any valid signature file will be loaded and used.
>
> Any *invalid* signature file will cause clamd to exit.
>
> If clamd is running, and you've been able to confirm the signature file 
> is being loaded, the signature will be checked.
>
> Signatures are not platform-specific except in terms of what they're 
> intended to match on.
>
> > I'm specifically asking about Eric's comment, "it requires a Win32 
> > executable".
>
> To answer this specific point, one of the signature fragments checks a 
> byte pattern in a certain location to help ensure that it only triggers 
> on files that are Win32 executables.
>
> More generally, to confirm whether a specific signature is doing what 
> it's supposed to, you need to have a file to test with that you know is 
> supposed to match on that signature.
>
> -kgd

Thanks Kris, that answers my question. I somehow incorrectly took from Eric's
comment that the rule would only run on Windows, but I get that the rule is
inspecting the message for a Windows executable.

--Mark


Re: [clamav-users] How to know if yara rules are being run?

2017-07-05 Thread Mark Foley
From: Mark Foley <mfo...@novatec-inc.com>
Date: Wed, 05 Jul 2017 17:52:03 -0400
Organization: Novatec Software Engineering, LLC
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] How to know if yara rules are being run?

I'm following up to my own message.  I've confirmed that my clamav-milter *is*
running yara rules.  I created the following rule:

rule testme
{
strings:
$st1 = "How now brown cow"

condition:
$st1
}

and put it in /var/lib/clamav/testme.yara. I had to make it owned by
clamav.clamav (owned by root failed), and I had to restart clamav-milter.

I sent an email containing the "brown cow" string to a recipient on this host
and clamav-milter caught it: clamav-milter.log:

Wed Jul  5 18:06:46 2017 -> Message v65M6iRh026596 from 
<mfo...@server.novatec-inc.com> to  with subject 'test4' message-id 
'<201707052206.v65m6gzc025...@server.novatec-inc.com>' date 'Wed, 05 Jul 2017 
18:06:42 -0400' infected by YARA.testme.UNOFFICIAL

So, the question posted below remains: 

Will the expetr.yara rule, described in this thread, run as is, or not, on
Linux? I'm specifically asking about Eric's comment, "it requires a Win32 
executable".

--Mark

On Tue, 4 Jul 2017 11:47:35 -0400 eric-l...@truenet.com  wrote
> > Eric - you misunderstand my question.  I'm not asking if the yara rule is
> > working as designed.  I'm asking how I can tell if clamav-milter is actually
> > running the rule during its scan of incoming email.  All I did was put
> > expetr.yara in /var/lib/clamav.  That's it.  I don't know if that's 
> > sufficient,
> > whether .yara or .yar is the proper file type (I've seen both), what the 
> > file
> > permissions should be ...  In short, I have no feedback from clamav that it 
> > even
> > notices the presence of this rule.
> > 
> > Can I set a debug level or something in clamd.conf, clamscan.conf or
> > clamav-milter.conf?
> > 
> > --Mark
>
> If you're using clamav-milter, then turn on logging:
> LogFile STRING
> Enable logging to selected file. 
> Default: no
>
> LogInfected STRING
> This option allows you to tune what is logged when a message is infected. 
> Possible values are Off (the default - nothing is logged), Basic (minimal 
> info logged), Full (verbose info logged) 
> Note: For this to work properly in sendmail, make sure the msg_id, mail_addr, 
> rcpt_addr and i macros are available in eom. In other words add a line like: 
> Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i to your .cf file. 
> Alternatively use the macro: define(`confMILTER_MACROS_EOM', `{msg_id}, 
> {mail_addr}, {rcpt_addr}, i') 
> Postfix should be working fine with the default settings. 
> Default: disabled
>

Thanks for the response Eric. I've checked clamav-milter.conf and logging is
turned on and some of the older rotated log files do have messages about past
catches.

My LogInfected is set to Full

I did add the confMILTER_MACROS_EOM setting you suggested to my sendmail.mc,
re-genned .cf and restarted sendmail.

> Depending on your clamd.conf, it should show what DBs to load.
> DatabaseDirectory STRING
> Path to a directory containing database files.
> OfficialDatabaseOnly BOOL
> Only load the official signatures published by the ClamAV project.
> Default: no

All my clamd.conf settings are as you describe:
DatabaseDirectory /var/lib/clamav (the yara rule is here)
OfficialDatabaseOnly is default (commented out)

> I found the Yara rule I think you're using, but it requires a Win32 executable:
> condition:
>
> uint16(0) == 0x5A4D and
> filesize < 100 and
> any of them

Yes, that appears to be correct. I got the rule from
https://securelist.com/schroedingers-petya/78870/ and it does end the way you
indicate.

> So you could use something like PAR::Packer and try to compile a quick PERL 
> script, but I would just put in a test yara rule like I email previously and 
> send yourself an email.  It should show up in the log file, and you'll be 
> sure it's working.
>
> Eric

Here's where you lost me! First off, I did try creating an email containing the
string about "POWER CABLE" as defined in the rule.  I sent the message, but
nothing was detected.  Although, not being versed in yara, I may need more
conditions set than that. 

BUT ... I'm not asking you about debugging/interpreting a yara script. I'll
check that elsewhere. I'm just trying to figure out if clamav-milter on Linux is
running this check.

What do you mean, "it requires a Win32 executable"? Does that mean this rule
will not run on Linux?

Not being a frequent Perl user, I don't know what you're saying with "you could
use something like PAR::Packer and try to compile a quick PERL script". I have a
feeling expl

Re: [clamav-users] How to know if yara rules are being run?

2017-07-05 Thread Mark Foley
On Tue, 4 Jul 2017 11:47:35 -0400 eric-l...@truenet.com  wrote
> > Eric - you misunderstand my question.  I'm not asking if the yara rule is
> > working as designed.  I'm asking how I can tell if clamav-milter is actually
> > running the rule during its scan of incoming email.  All I did was put
> > expetr.yara in /var/lib/clamav.  That's it.  I don't know if that's 
> > sufficient,
> > whether .yara or .yar is the proper file type (I've seen both), what the 
> > file
> > permissions should be ...  In short, I have no feedback from clamav that it 
> > even
> > notices the presence of this rule.
> > 
> > Can I set a debug level or something in clamd.conf, clamscan.conf or
> > clamav-milter.conf?
> > 
> > --Mark
>
> If you're using clamav-milter, then turn on logging:
> LogFile STRING
> Enable logging to selected file. 
> Default: no
>
> LogInfected STRING
> This option allows you to tune what is logged when a message is infected. 
> Possible values are Off (the default - nothing is logged), Basic (minimal 
> info logged), Full (verbose info logged) 
> Note: For this to work properly in sendmail, make sure the msg_id, mail_addr, 
> rcpt_addr and i macros are available in eom. In other words add a line like: 
> Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i to your .cf file. 
> Alternatively use the macro: define(`confMILTER_MACROS_EOM', `{msg_id}, 
> {mail_addr}, {rcpt_addr}, i') 
> Postfix should be working fine with the default settings. 
> Default: disabled
>

Thanks for the response Eric. I've checked clamav-milter.conf and logging is
turned on and some of the older rotated log files do have messages about past
catches.

My LogInfected is set to Full

I did add the confMILTER_MACROS_EOM setting you suggested to my sendmail.mc,
re-genned .cf and restarted sendmail.

> Depending on your clamd.conf, it should show what DBs to load.
> DatabaseDirectory STRING
> Path to a directory containing database files.
> OfficialDatabaseOnly BOOL
> Only load the official signatures published by the ClamAV project.
> Default: no

All my clamd.conf settings are as you describe:
DatabaseDirectory /var/lib/clamav (the yara rule is here)
OfficialDatabaseOnly is default (commented out)

> I found the Yara rule I think you're using, but it requires a Win32 executable:
> condition:
>
> uint16(0) == 0x5A4D and
> filesize < 100 and
> any of them

Yes, that appears to be correct. I got the rule from
https://securelist.com/schroedingers-petya/78870/ and it does end the way you
indicate.

> So you could use something like PAR::Packer and try to compile a quick PERL 
> script, but I would just put in a test yara rule like I email previously and 
> send yourself an email.  It should show up in the log file, and you'll be 
> sure it's working.
>
> Eric

Here's where you lost me! First off, I did try creating an email containing the
string about "POWER CABLE" as defined in the rule.  I sent the message, but
nothing was detected.  Although, not being versed in yara, I may need more
conditions set than that. 

BUT ... I'm not asking you about debugging/interpreting a yara script. I'll
check that elsewhere. I'm just trying to figure out if clamav-milter on Linux is
running this check.

What do you mean, "it requires a Win32 executable"? Does that mean this rule
will not run on Linux?

Not being a frequent Perl user, I don't know what you're saying with "you could
use something like PAR::Packer and try to compile a quick PERL script". I have a
feeling explaining that is a lot more involved than you'd care to go into, but
if you can do so in a one- or two-liner, please do.

So, will this rule run as is, or not, on Linux? Do I have to do something?

Thanks, Mark
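Kris's answer earlier on this page settles the question Mark asks here: the rule runs on Linux like any other signature, but its condition begins with uint16(0) == 0x5A4D, so it can only match an object whose first two bytes are "MZ", the start of every DOS/PE executable. The Python below is added here as an illustration; it is not code from the thread, from Kaspersky's expetr rule or from ClamAV. It re-implements the quoted condition prefix (the MZ gate, the filesize bound, then "any of them") and runs it over constructed buffers. The "POWER CABLE" string is the one Mark mentions; the second marker and all sample bytes are made up, and the size bound is a parameter because the thread quotes the rule with 100 and a deployed copy may use another value. One caveat for anyone testing by e-mail: with mail scanning enabled, ClamAV decodes the MIME parts and scans each attachment as its own object, so the bytes checked at offset 0 are those of the decoded attachment, not of the message text.

```python
"""Why a rule gated on a Win32 header does not fire on an ordinary message.

Added example; not code from the thread, from the expetr rule or from
ClamAV.  Evaluates ``uint16(0) == 0x5A4D and filesize < N and any of them``
over constructed sample buffers.
"""
import struct

MZ_MAGIC = 0x5A4D  # little-endian view of the bytes b"MZ" that open every DOS/PE file


def uint16_at(data, offset):
    """YARA's uint16(offset): unsigned little-endian 16-bit read, None past EOF."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def is_win32_executable(data):
    """The uint16(0) == 0x5A4D gate: only buffers beginning with "MZ" pass."""
    return uint16_at(data, 0) == MZ_MAGIC


def rule_fires(data, strings, max_size):
    """Evaluate: uint16(0) == 0x5A4D and filesize < max_size and any of them.

    max_size is whatever bound the deployed rule uses (the thread quotes the
    rule with 100).  Evaluation short-circuits the way YARA's "and" does, so
    the string search never runs on data that is not a PE file.
    """
    if not is_win32_executable(data):
        return False
    if len(data) >= max_size:
        return False
    return any(s in data for s in strings)


# Constructed samples, none of them real malware.
MZ_STUB = b"MZ\x90\x00" + b"\x00" * 28              # start of a DOS header, 32 bytes
DOCX_HEAD = b"PK\x03\x04" + b"\x00" * 28            # .docx is a ZIP, so it starts with "PK"
MAIL_TEXT = b"Subject: test\r\n\r\nPOWER CABLE\r\n"  # plain e-mail body carrying the marker
MARKERS = [b"POWER CABLE", b"constructed-marker-2"]  # first one from Mark's message, second invented


def explain(data, strings, max_size=4096):
    """One-line verdict for a buffer, used when the module is run directly."""
    gate = is_win32_executable(data)
    return (f"MZ gate {'passes' if gate else 'fails'}, size {len(data)}, "
            f"rule fires: {rule_fires(data, strings, max_size)}")


if __name__ == "__main__":
    for name, buf in [("MZ stub + marker", MZ_STUB + MARKERS[0]),
                      ("docx + marker", DOCX_HEAD + MARKERS[0]),
                      ("mail text", MAIL_TEXT)]:
        print(f"{name:18} {explain(buf, MARKERS)}")
```

Running it prints one verdict per sample: only the buffer that both starts with "MZ" and contains a marker fires, which is exactly why an e-mail body containing "POWER CABLE" is never reported.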


Re: [clamav-users] How to know if yara rules are being run?

2017-07-04 Thread Mark Foley
On Mon, 3 Jul 2017 19:57:25 -0400 Eric Tykwinski  wrote:
> >> 
> > 
> > Yes. I got exactly the same output as you show. Therefore, yara rules are 
> > enabled.
> > 
> > So then, how can I confirm the expetr.yara I created is being run?
> > 
> > --Mark
>
> Mark,
>
> We are getting off topic for ClamAV list.  I don't know what rule that they 
> published, and thankfully haven't had to deal with anything locally.
> My guess would be to open the yara rule and check it out.  You might be able 
> to fake it with a hex editor to test it out, or you can search for sample 
> files and see if they catch them.  With Yara rules though you are usually 
> only getting a small fragment of the infections, and probably a large portion 
> of false positives.  I use them for scanning backup archives personally to 
> find web exploits, and the like, don't delete but find when the file was 
> dropped.
>
> Hope this helps,
>
> Eric
>

Eric - you misunderstand my question.  I'm not asking if the yara rule is
working as designed.  I'm asking how I can tell if clamav-milter is actually
running the rule during its scan of incoming email.  All I did was put
expetr.yara in /var/lib/clamav.  That's it.  I don't know if that's sufficient,
whether .yara or .yar is the proper file type (I've seen both), what the file
permissions should be ...  In short, I have no feedback from clamav that it even
notices the presence of this rule.

Can I set a debug level or something in clamd.conf, clamscan.conf or
clamav-milter.conf?

--Mark


Re: [clamav-users] How to know if yara rules are being run?

2017-07-03 Thread Mark Foley
On Sat, 1 Jul 2017 09:21:50 -0400 Eric Tykwinski <eric-l...@truenet.com> wrote:
> > On Jul 1, 2017, at 1:10 AM, Mark Foley <mfo...@novatec-inc.com> wrote:
> > 
> > I've put the expetr.yara rule from Kaspersky for the recent notPetya 
> > ransomware
> > in my /var/lib/clamav directory.
> > 
> > How can I tell if clamav is running it? I see nothing in 
> > /var/log/clamav.log.
> > 
> > --Mark
>
>
> My first suggestion would be make sure Yara rules are enabled in clamav.
> So make a couple of files: 
> /*** test.yara ***/
> rule Test_Yara_Rules : test
> {
>   meta:
> description = "Test Yara"
>   strings:
> $test = "YaraTest" fullword ascii
>   condition:
> $test
> }
> /***/
>
> echo YaraTest > test.txt
>
> clamscan -d ./test.yara test.txt
>
> Should show you:
> test.txt: YARA.Test_Yara_Rules.UNOFFICIAL FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 1
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 0.007 sec (0 m 0 s)
>

Yes. I got exactly the same output as you show. Therefore, yara rules are 
enabled.

So then, how can I confirm the expetr.yara I created is being run?

--Mark
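Eric's test.yara recipe above, and the testme rule Mark reports further up this page, can be wrapped into one check that is easy to rerun after every signature or engine update. The script below is an added example, not code from ClamAV or from either poster: it writes a marker rule and a sample file containing the marker, runs clamscan -d against them and parses the result lines for YARA.<rule>.UNOFFICIAL FOUND. The rule name, marker string and file names are this example's own choices, and when clamscan is not on the PATH it returns None instead of guessing.

```python
"""Confirm that a YARA rule dropped into the ClamAV database directory is
really loaded and matching.

Added example, not code from ClamAV or from any poster in this thread.
Automates the check described on the list: marker rule + marker sample,
``clamscan -d <rule> <sample>``, then look for YARA.<rule>.UNOFFICIAL FOUND.
"""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# clamscan reports a hit as "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# rules loaded from .yara/.yar files are reported as YARA.<rule>.UNOFFICIAL
YARA_SIG_RE = re.compile(r"^YARA\.(?P<rule>[A-Za-z0-9_]+)\.UNOFFICIAL$")


def make_test_rule(rule_name, marker):
    """Build a minimal rule that fires on an exact ASCII marker string.

    The marker is pasted verbatim into a YARA text string, so it must be
    plain ASCII with no quotes or backslashes.
    """
    if not marker.isascii() or '"' in marker or "\\" in marker:
        raise ValueError("marker must be plain ASCII without quotes or backslashes")
    return (
        f"rule {rule_name}\n"
        "{\n"
        "    meta:\n"
        '        description = "marker rule to confirm .yara files are loaded"\n'
        "    strings:\n"
        f'        $marker = "{marker}" fullword ascii\n'
        "    condition:\n"
        "        $marker\n"
        "}\n"
    )


def parse_scan_output(text):
    """Turn clamscan output into a list of hits.

    Each hit carries the scanned path, the full signature name and, for
    YARA hits, the bare rule name (None for official signatures).
    """
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.rstrip())
        if not m:
            continue
        sig = m.group("sig")
        y = YARA_SIG_RE.match(sig)
        hits.append({
            "path": m.group("path"),
            "signature": sig,
            "yara_rule": y.group("rule") if y else None,
        })
    return hits


def rule_fired(hits, rule_name):
    """True if any parsed hit came from the named YARA rule."""
    return any(h["yara_rule"] == rule_name for h in hits)


def verify_rule_loaded(rule_name="testme", marker="How now brown cow", workdir=None):
    """Write rule and sample, scan them, return the parsed hits.

    Returns None when clamscan is not installed, so a caller can tell
    "no scanner here" apart from "scanner ran and the rule did not fire".
    """
    if shutil.which("clamscan") is None:
        return None
    workdir = Path(workdir or tempfile.mkdtemp(prefix="yara-check-"))
    rule_path = workdir / f"{rule_name}.yara"
    sample_path = workdir / "sample.txt"
    rule_path.write_text(make_test_rule(rule_name, marker))
    sample_path.write_text(f"harmless text, then the marker: {marker}\n")
    # -d loads only this rule file, so any hit can only come from it
    proc = subprocess.run(
        ["clamscan", "--no-summary", "-d", str(rule_path), str(sample_path)],
        capture_output=True, text=True, check=False,
    )
    # exit status 1 means "infected file(s) found"; 2 means clamscan itself failed
    if proc.returncode == 2:
        raise RuntimeError(proc.stderr.strip() or "clamscan failed")
    return parse_scan_output(proc.stdout)


if __name__ == "__main__":
    result = verify_rule_loaded()
    if result is None:
        print("clamscan not found; only the parsing helpers are available")
    else:
        print("rule fired" if rule_fired(result, "testme") else "rule did NOT fire")
```

parse_scan_output also works on saved clamscan output; the Maildir hit reported in the WannaCry thread below parses cleanly despite the spaces and colons in its path, which is the quick way to separate UNOFFICIAL YARA hits from official signatures when triaging suspected false positives.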


Re: [clamav-users] New ClamAV update?

2017-07-03 Thread Mark Foley
 On Sun, 02 Jul 2017 11:25:34 -0700 Al Varnell <alvarn...@mac.com> wrote
> On Jul 2, 2017, at 7:44 AM, Mark Foley wrote:
> > On Jun 29, 2017, at 5:10 PM, Al Varnell wrote:
> >> The list of CVE's known to apply to ClamAV can be found here:
> >> <https://www.cvedetails.com/vulnerability-list/vendor_id-8871/product_id-15657/Clamav-Clamav.html>.
> > 
> > I've checked that known CVE list. That's a great link! Is there something on 
> > that
> > list indicating whether the vulnerability has been addressed? The last 3 
> > columns
> > are "Conf.", "Integ." "Avail.", having values of "None" and "Partial". I 
> > can't
> > interpret the meaning of these and I find no legend on the page describing 
> > them.
> > 
> > How can I determine the resolution status?
> > 
> > --Mark
>
> You will need to look each one up on either:
>
> <https://cve.mitre.org/cve/cve.html>
> or
> <https://nvd.nist.gov/vuln/search>
>
> -Al-
> -- 
> Al Varnell
> Mountain View, CA

Thanks Al. Looking each one up is something I'm unlikely to do. Too bad the
authors of that page don't periodically update an otherwise fine list with
resolution status.



Re: [clamav-users] New ClamAV update?

2017-07-02 Thread Mark Foley
On Jun 29, 2017, at 5:10 PM, Al Varnell 
> wrote:

> The list of CVE's known to apply to ClamAV can be found here:
> .

I've checked that known CVE list. That's a great link! Is there something on that
list indicating whether the vulnerability has been addressed? The last 3 columns
are "Conf.", "Integ." "Avail.", having values of "None" and "Partial". I can't
interpret the meaning of these and I find no legend on the page describing them.

How can I determine the resolution status?

--Mark


[clamav-users] How to know if yara rules are being run?

2017-06-30 Thread Mark Foley
I've put the expetr.yara rule from Kaspersky for the recent notPetya ransomware
in my /var/lib/clamav directory.

How can I tell if clamav is running it? I see nothing in /var/log/clamav.log.

--Mark



Re: [clamav-users] WannaCry Homeland Security yara script. False positives?

2017-05-17 Thread Mark Foley

Perhaps I'm missing it, but I didn't see any attachment.

--Mark

On 5/17/2017 1:46 PM, João Gouveia wrote:

Those rules are known for FP'ing a lot.
Here's a different set you might want to check, courtesy of ReversingLabs (
attached ).

On Wed, May 17, 2017 at 6:10 AM, Mark Foley <mfo...@novatec-inc.com> wrote:


I added the yara script published by Homeland security to the clamav
database
directory. I believe I am getting a substantial number of false positives
on
this including messages containing PDF and JPG attachments, the latter
known to
be OK.

$ clamscan "/home/HPRS/mpress/Maildir/.Sent Items/cur/1486141726.
M192155P10931.mail,S=188385,W=191025:2,S"
/home/HPRS/mpress/Maildir/.Sent Items/cur/1486141726.
M192155P10931.mail,S=188385,W=191025:2,S:
YARA.Wanna_Cry_Ransomware_Generic.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Known viruses: 6284977
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.95 MB
Data read: 0.18 MB (ratio 5.42:1)
Time: 7.567 sec (0 m 7 s)

Is anyone else using this rule seeing this?

--Mark


[clamav-users] WannaCry Homeland Security yara script. False positives?

2017-05-16 Thread Mark Foley
I added the yara script published by Homeland security to the clamav database
directory. I believe I am getting a substantial number of false positives on
this including messages containing PDF and JPG attachments, the latter known to
be OK.

$ clamscan "/home/HPRS/mpress/Maildir/.Sent 
Items/cur/1486141726.M192155P10931.mail,S=188385,W=191025:2,S"
/home/HPRS/mpress/Maildir/.Sent 
Items/cur/1486141726.M192155P10931.mail,S=188385,W=191025:2,S:
YARA.Wanna_Cry_Ransomware_Generic.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Known viruses: 6284977
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.95 MB
Data read: 0.18 MB (ratio 5.42:1)
Time: 7.567 sec (0 m 7 s)

Is anyone else using this rule seeing this? 

--Mark


Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Mark Foley
On Mon May 15 15:06:07 2017 "Eric Tykwinski" <eric-l...@truenet.com> wrote:
>
> Here's links to sample files, ie use at your own risk:
> https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>

Well, it does seem to try and use the yara rule. Using one of the samples on the
link you gave me:

$ clamscan 
CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE
LibClamAV Error: yyerror(): /var/lib/clamav/wannaCry.yar line 3 non-ascii 
character
LibClamAV Error: yyerror(): /var/lib/clamav/wannaCry.yar line 3 syntax error, 
unexpected $end, expecting _CONDITION_
LibClamAV Error: cli_loadyara: failed to parse rules file 
/var/lib/clamav/wannaCry.yar, error count 2

When I fixed the non-ascii character thing I got:

> clamscan
CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE   
  
CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE:
Win.Trojan.Agent-6312832-0 FOUND

--- SCAN SUMMARY ---
Known viruses: 6284809
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 3.49 MB
Data read: 3.35 MB (ratio 1.04:1)
Time: 6.828 sec (0 m 6 s)

The yara rule didn't find anything.

I used sample 
.hxxps://transfer.sh/PnDIl/CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE

The page is headed, "WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware 
Worm"
so I would imagine the samples on this page are for wannaCry, right?

--Mark

> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf
> Of Mark Foley
> Sent: Monday, May 15, 2017 2:58 PM
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] Malware/ransomware and Yara signatures with
> clamav
>
> On Sat May 13 13:25:07 2017 From: Alain Zidouemba
> <azidoue...@sourcefire.com> wrote:
> >
> > Yara rules have been supported by ClamAV since 2015:
> > http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html
> >
> > - Alain
>
> I'm following these instructions now.  The instruction say, "just place your
> YARA rule files into the ClamAV virus database location." I've copied the
> Homeland Security yara script to a file, wannaCry.yar, in my /var/lib/clamav
> directory. 
>
> Is that it? No clamscan switch or config setting? Is there any way to
> confirm this rule is being used?
>
> I also downloaded and looked at the yara repo on github.  There are over 400
> rules in the zipfile.  To use some or all of them would I just unzip into my
> database location?
>
> The instructions also say, "Regular expressions in both YARA rules and
> ClamAV logical signatures require the Perl Compatible Regular Expressions
> (PCRE) library." Is there a way to see if my clamAV was built with this?
>
> Thanks, Mark
>
> >
> > On Sat, May 13, 2017 at 1:16 PM, Alex <mysqlstud...@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > So you've probably heard of the latest ransomware dubbed WannaCry. 
> > > I'm wondering if anyone has figured out a way to integrate the yara 
> > > signatures for these types of exploits with spamassassin?
> > >
> > > https://www.us-cert.gov/ncas/alerts/TA17-132A
> > >
> > > What is the status of development of integration of yara rules into
> clamav?
> > >
> > > [deleted]
> > >
> > > Thanks,
> > > Alex


Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Mark Foley
On Sat May 13 13:25:07 2017 From: Alain Zidouemba  
wrote:
>
> Yara rules have been supported by ClamAV since 2015:
> http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html
>
> - Alain

I'm following these instructions now.  The instruction say, "just place your
YARA rule files into the ClamAV virus database location." I've copied the
Homeland Security yara script to a file, wannaCry.yar, in my /var/lib/clamav
directory. 

Is that it? No clamscan switch or config setting? Is there any way to confirm
this rule is being used?

I also downloaded and looked at the yara repo on github.  There are over 400
rules in the zipfile.  To use some or all of them would I just unzip into my
database location?

The instructions also say, "Regular expressions in both YARA rules and ClamAV
logical signatures require the Perl Compatible Regular Expressions (PCRE)
library." Is there a way to see if my clamAV was built with this?

Thanks, Mark

>
> On Sat, May 13, 2017 at 1:16 PM, Alex  wrote:
>
> > Hi,
> >
> > So you've probably heard of the latest ransomware dubbed WannaCry. I'm
> > wondering if anyone has figured out a way to integrate the yara
> > signatures for these types of exploits with spamassassin?
> >
> > https://www.us-cert.gov/ncas/alerts/TA17-132A
> >
> > What is the status of development of integration of yara rules into clamav?
> >
> > [deleted]
> >
> > Thanks,
> > Alex


[clamav-users] Signature update timeliness

2017-05-05 Thread Mark Foley
I have a question about the timeliness of signature updates. I am running a
clamav-milter to check email when received by the MDA -- this rarely finds
anything. I also have clamscan running multiple times a day checking all the
Maildir folders. 

Yesterday, the Maildir folder scan found Js.Downloader.Nemucod.  But, this
message was received on April 26th -- 8 days before the malware was detected by
clamscan.  Doing a quick google search, I find that the JS.Nemucod trojan has
been around since at least December 2015. 

So, was the clamav signature for this malware just added to the list on May 4th?
If so, why does it take so long to include a malware that's been around for
years? If it was added earlier, why did clamscan not find it for 8 days?
Mutation?

--Mark


Re: [clamav-users] Problems with 3rd party sigs

2017-03-31 Thread Mark Foley
On Fri, 31 Mar 2017 14:01:29 -0400 Steven Morgan <smor...@sourcefire.com> wrote:
>

Thanks Steve. Is there then a way to disable the pe rules or do I just have to
ignore these messages?

--Mark

> Mark,
>
> The pe import module of yara rules is not currently implemented in ClamAV.
> Other specifics of using yara rules in Clam may be found in
> docs/signatures.pdf. Also, looks like errors in EMAIL_Cryptowall.yar yara
> rule?
>
> Hope this helps,
> Steve
>
> On Fri, Mar 31, 2017 at 1:45 PM, Mark Foley <mfo...@novatec-inc.com> wrote:
>
> > Per advice on this list, I downloaded and installed the
> > clamav-unofficial-sigs
> > scripts from the link on Sanesecurity.
> >
> > I've not been able to get it running. Two problems:
> >
> > 1. The /etc/cron.d/clamav-unofficial-sigs cron script won't run from
> > crond. I get an email:
> >
> > /bin/sh: clamav: command not found
> >
> > I've searched the computer and the clamav-unofficial-sigs.sh script
> > looking for a reference to a clamav command and simply cannot find such a
> > command. I've sprinkled `echo` statements throughout
> > clamav-unofficial-sigs.sh and redirected the cron script's output to a log
> > file. I never get anything in the logfile. Yet, if I run
> > clamav-unofficial-sigs.sh as root manually, it runs fine.
> >
> > 2. I run a cron'd clamscan job to scan mail folders several times a day.
> > I get the following errors which are new since installing the
> > unofficial-sigs:
> >
> > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
> > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
> > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
> > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
> > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
> > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
> > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
> > LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
> > LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 34 duplicate identifier "CryptoWall_Resume_phish"
> > LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 52 duplicate identifier "docx_macro"
> > LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/EMAIL_Cryptowall.yar, error count 2
> >
> > The lines at /var/lib/clamav/antidebug_antivm.yar line 497 are:
> >
> > 496 contition:
> > 497 pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and
> > 498 pe.imports("kernel32.dll","IsDebuggerPresent")
> >
> > These seem like rather basic programming bugs.  Nevertheless, it does
> > appear to catch new signatures, e.g.:
> >
> > /home/HPRS/mpress/Maildir/.Deleted Items/cur/1463485456.M955042P32209.mail,S=13067,W=13269:2,S: Sanesecurity.Foxhole.Zip_fs226.UNOFFICIAL FOUND
> > /home/HPRS/mpress/Maildir/.Deleted Items/cur/1460374151.M124643P21974.mail,S=30684,W=31217:2,S: Sanesecurity.Spam.12404.Ml.UNOFFICIAL FOUND
> > /home/HPRS/shay/Maildir/.Trash/cur/1485781802.M776532P6090.mail,S=2905,W=2971:2,S!(1)MAIL:mixedtextportion: Sanesecurity.Junk.33365.UNOFFICIAL FOUND
> > /home/HPRS/shay/Maildir/.Trash/cur/1486393658.M60634P26487.mail,S=48881,W=49823:2,S: Sanesecurity.Spam.12427.FakeRenew.UNOFFICIAL FOUND
> > /home/HPRS/dsmith/Maildir/.Deleted Items.Sent/cur/1443025877.M266324P18041.mail,S=22511,W=22844:2,S: Sanesecurity.Foxhole.Zip_Wordexe.1.UNOFFICIAL FOUND
> >
> > etc.
> >
> > Has anyone on this list encountered the same problem and if so were you
> > able to fix them? I'm running Slackware.
> >
> > Thanks, Mark


[clamav-users] Problems with 3rd party sigs

2017-03-31 Thread Mark Foley
Per advice on this list, I downloaded and installed the clamav-unofficial-sigs
scripts from the link on Sanesecurity.

I've not been able to get it running. Two problems:

1. The /etc/cron.d/clamav-unofficial-sigs cron script won't run from crond. I 
get an email:

/bin/sh: clamav: command not found

I've searched the computer and the clamav-unofficial-sigs.sh script looking for a
reference to a clamav command and simply cannot find such a command. I've
sprinkled `echo` statements throughout clamav-unofficial-sigs.sh and redirected
the cron script's output to a log file. I never get anything in the logfile.
Yet, if I run clamav-unofficial-sigs.sh as root manually, it runs fine.

2. I run a cron'd clamscan job to scan mail folders several times a day. I get
the following errors which are new since installing the unofficial-sigs:

LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 34 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 52 duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/EMAIL_Cryptowall.yar, error count 2

The lines at /var/lib/clamav/antidebug_antivm.yar line 497 are:

496 contition:
497 pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and
498 pe.imports("kernel32.dll","IsDebuggerPresent")

These seem like rather basic programming bugs.  Nevertheless, it does appear to
catch new signatures, e.g.:

/home/HPRS/mpress/Maildir/.Deleted Items/cur/1463485456.M955042P32209.mail,S=13067,W=13269:2,S: Sanesecurity.Foxhole.Zip_fs226.UNOFFICIAL FOUND
/home/HPRS/mpress/Maildir/.Deleted Items/cur/1460374151.M124643P21974.mail,S=30684,W=31217:2,S: Sanesecurity.Spam.12404.Ml.UNOFFICIAL FOUND
/home/HPRS/shay/Maildir/.Trash/cur/1485781802.M776532P6090.mail,S=2905,W=2971:2,S!(1)MAIL:mixedtextportion: Sanesecurity.Junk.33365.UNOFFICIAL FOUND
/home/HPRS/shay/Maildir/.Trash/cur/1486393658.M60634P26487.mail,S=48881,W=49823:2,S: Sanesecurity.Spam.12427.FakeRenew.UNOFFICIAL FOUND
/home/HPRS/dsmith/Maildir/.Deleted Items.Sent/cur/1443025877.M266324P18041.mail,S=22511,W=22844:2,S: Sanesecurity.Foxhole.Zip_Wordexe.1.UNOFFICIAL FOUND

etc.

Has anyone on this list encountered the same problem and if so were you able to
fix them? I'm running Slackware.

Thanks, Mark
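Steve's reply further up the page says the pe import module is not implemented in ClamAV and that EMAIL_Cryptowall.yar itself has errors; the two error classes in the log above are exactly those (rules whose condition calls pe.*, and a rule identifier defined twice in one file). The following is an added example, not code from ClamAV, Sanesecurity or the clamav-unofficial-sigs project: a small Python audit that reports, per .yar file, the rules that reference a YARA module and the duplicated rule names, and writes a copy with those rules dropped so the rest of the file still loads. Only "pe" is named on the page; the other entries in UNSUPPORTED_MODULES are my assumption from upstream YARA's module list, and the rule text at the bottom is constructed for the demonstration, not the real third-party files.

```python
#!/usr/bin/env python3
"""Audit third-party YARA files before ClamAV loads them (added example)."""
import re
import sys
from collections import Counter

# "pe" is the module named on this page; the rest are assumed from upstream
# YARA's module list and can be trimmed to taste.
UNSUPPORTED_MODULES = ("pe", "math", "hash", "cuckoo", "magic", "dotnet")

# A rule header at the start of a line: [private|global] rule Name [: tags] {
RULE_HDR = re.compile(r'^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+([A-Za-z_]\w*)', re.M)
# A module import; YARA only allows these before the first rule.
IMPORT_LINE = re.compile(r'^[ \t]*import[ \t]+"(\w+)"[ \t]*\r?$', re.M)


def split_rules(text):
    """Return (preamble, [(name, block), ...]).

    A block runs from its header to the next header, so comments trailing a
    rule travel with it; no brace matching is attempted, which keeps hex
    strings such as { 6A 40 } from confusing the splitter."""
    heads = list(RULE_HDR.finditer(text))
    if not heads:
        return text, []
    preamble = text[:heads[0].start()]
    blocks = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        blocks.append((m.group(1), text[m.start():end]))
    return preamble, blocks


def modules_used(block, modules=UNSUPPORTED_MODULES):
    """Module names referenced as module.identifier inside one rule block."""
    pat = re.compile(r'\b(%s)\.[A-Za-z_]' % "|".join(modules))
    return sorted({m.group(1) for m in pat.finditer(block)})


def audit(text, modules=UNSUPPORTED_MODULES):
    """Findings for one file: duplicate rule names, unsupported imports, and
    the rules whose bodies use an unsupported module."""
    preamble, blocks = split_rules(text)
    names = Counter(name for name, _ in blocks)
    module_rules = {}
    for name, block in blocks:
        used = modules_used(block, modules)
        if used:
            module_rules[name] = used
    return {
        "duplicates": sorted(n for n, c in names.items() if c > 1),
        "imports": sorted(set(IMPORT_LINE.findall(preamble)) & set(modules)),
        "module_rules": module_rules,
    }


def filter_rules(text, modules=UNSUPPORTED_MODULES):
    """Copy of the file with module-dependent rules and their import lines
    dropped, keeping only the first definition of any duplicated name."""
    preamble, blocks = split_rules(text)
    preamble = IMPORT_LINE.sub(
        lambda m: "" if m.group(1) in modules else m.group(0), preamble)
    seen, kept = set(), []
    for name, block in blocks:
        if name in seen or modules_used(block, modules):
            continue
        seen.add(name)
        kept.append(block)
    return preamble + "".join(kept)


# Constructed sample rules reproducing the two error classes in the log.
SAMPLE_ANTIDEBUG = '''import "pe"

rule DebuggerCheck__API : AntiDebug {
    condition:
        pe.imports("kernel32.dll", "IsDebuggerPresent")
}

rule DebuggerCheck__String : AntiDebug {
    strings:
        $s = "IsDebuggerPresent"
    condition:
        $s
}
'''

SAMPLE_CRYPTOWALL = '''rule CryptoWall_Resume_phish {
    strings:
        $a = "resume" nocase
    condition:
        $a
}

rule CryptoWall_Resume_phish {
    strings:
        $b = "my resume"
    condition:
        $b
}
'''

if __name__ == "__main__":
    # usage: yara_audit.py /var/lib/clamav/*.yar  (writes <file>.filtered)
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        print(path, audit(text))
        with open(path + ".filtered", "w", encoding="utf-8") as fh:
            fh.write(filter_rules(text))
```

Run it over the rule files before they land in the database directory and load the .filtered copies instead; the audit output tells you which rules you are giving up, which is the honest trade-off when the scanner cannot evaluate them anyway.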


Re: [clamav-users] Win.Trojan.DarkKomet-5711346-0 false positive?

2017-02-16 Thread Mark Foley
On Thu, 16 Feb 2017 21:21:06 +0100 Reindl Harald <h.rei...@thelounge.net> wrote:

> Am 16.02.2017 um 21:17 schrieb Mark Foley:
> > I am running a scheduled clamscan on the IMAP mail folders. The command is:
> >
> > /usr/local/bin/clamscan -a --detect-pua=yes --no-summary --stdout 
> > --infected \
> > --recursive --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/
> >
> > This scan turns up the following:
> >
> >
> > /home/HPRS/dsmith/Maildir/.Sent Items/cur/1424639819.M717944P16540.mail,S=1444158,W=1463348:2,S: Win.Trojan.DarkKomet-5711346-0 FOUND
> >
> > /home/HPRS/dsmith/Maildir/.Sent Items/cur/1424639819.M717944P16540.mail,S=1444158,W=1463348:2,S!...!(72)MAIL:SEC_deficiency_letter_to_Timbervest.pdf: Win.Trojan.DarkKomet-5711346-0 FOUND
> >
> > This email has 4 .pdf attachments.  When I run clamscan manually on any of
> > them I get no infections:
> >
> > $ clamscan --detect-pua=yes --scan-ole2=yes 2011.06.08\ Notification\ of\ Distribution.pdf
> > 2011.06.08 Notification of Distribution.pdf: OK
>
> why --scan-ole2=yes when you scan a pdf?
> --scan-pdf makes more sense

For hopefully consistent results, I was using the same clamscan switches the
scheduled clamscan job used. With those switches (plus --scan-mail=yes) the
scheduled clamscan found the infections. I didn't use --scan-mail=yes in my
manual test because I had unpacked the attachments from the email.

In any case, running clamscan --scan-pdf also turned up no infections:

So the question stands, Why does it find infections when run on the mail file,
but not on the attachments (or mail body text) when run manually?

--Mark


[clamav-users] Win.Trojan.DarkKomet-5711346-0 false positive?

2017-02-16 Thread Mark Foley
I am running a scheduled clamscan on the IMAP mail folders. The command is:

/usr/local/bin/clamscan -a --detect-pua=yes --no-summary --stdout --infected \
--recursive --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/

This scan turns up the following:


/home/HPRS/dsmith/Maildir/.Sent Items/cur/1424639819.M717944P16540.mail,S=1444158,W=1463348:2,S: Win.Trojan.DarkKomet-5711346-0 FOUND

/home/HPRS/dsmith/Maildir/.Sent Items/cur/1424639819.M717944P16540.mail,S=1444158,W=1463348:2,S!...!(72)MAIL:SEC_deficiency_letter_to_Timbervest.pdf: Win.Trojan.DarkKomet-5711346-0 FOUND

This email has 4 .pdf attachments.  When I run clamscan manually on any of them
I get no infections:

$ clamscan --detect-pua=yes --scan-ole2=yes 2011.06.08\ Notification\ of\ Distribution.pdf
2011.06.08 Notification of Distribution.pdf: OK

--- SCAN SUMMARY ---
Known viruses: 5832752
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.41 MB
Data read: 0.08 MB (ratio 5.20:1)
Time: 5.877 sec (0 m 5 s)

Why? This is making it difficult to determine if there is an actual problem.

This email is also from 2013, so unlikely it suddenly became infected.  I'm
assuming a new signature was added.  This "malware" (?) started being reported
February 1st.

I run freshclam twice a day.

Thanks --Mark


[clamav-users] How to get/use 3rd party signatures?

2016-12-29 Thread Mark Foley
On 29/12/2016 09:32, Reindl Harald wrote:
>
> Am 29.12.2016 um 10:21 schrieb Reindl Harald:
>>
>> state of the official signatures is that clamav doesn't catch many real
>> malware all over the time without sanesecurity 3rd party signatures and
>> the official
>

I'd like to add these 3rd party signatures to my clamav scans.  How do I know
what signature repositories I am currently using?

How do I get e.g. the sanesecurity signatures? 

Other than turning off --official-db-only and OfficialDatabaseOnly, how do I
incorporate 3rd party signatures into my clamav system?

Are there other good repositories besides sanesecurity?

THX --Mark


[clamav-users] Usage questions on local.ign2

2016-12-26 Thread Mark Foley
For my clamscan cron job, I turned on --detect-pua=yes. While it did detect some
genuinely infected files, it also turned up a lot of false positives for
PUA.Win.Trojan.EmbeddedPDF-1 and PUA.Pdf.Trojan.EmbeddedJavaScript-1. 

In searching for a way to block just these specific PUA signatures, I found
several references on the web to putting these names in
/var/lib/clamav/local.ign2:

PUA.Win.Trojan.EmbeddedPDF-1
PUA.Pdf.Trojan.EmbeddedJavaScript-1

I found nothing in any of my clamav documentation mentioning this file (I'm
running 0.99.2). However, that local.ign2 file did work. 

Question 1: is the use of this file officially documented anywhere? Likewise for
another file mentioned, whitelist.ign2?

Question 2: I've also turned on 'DetectPUA yes' for clamd. Will clamd look at
this local.ign2 file to exclude these signatures?

Question 3: Given the recent dialog in this list about false positives, could
the Win.Trojan.Toa- signatures be added to this file for at least temporary
ignoring? I tried adding the several distinct ones found on my system and, upon
starting clamscan got the errors:

LibClamAV Error: cli_loadign: No signature name provided
LibClamAV Error: cli_loadign: Problem parsing database at line 17
LibClamAV Error: Can't load /var/lib/clamav/local.ign2: Malformed database
LibClamAV Error: cli_loaddbdir(): error loading database
/var/lib/clamav/local.ign2
ERROR: Malformed database

Further research showed that the format for entries in local.ign2 is

Repository.Name.Number

Just entering "Win.Trojan.Toa-5366523-0" apparently doesn't work.  Not sure what
the correct syntax would be for these Win.Trojan.Toa culprits, if this mechanism
would even work for these at all. 

Thanks, --Mark
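On the mechanics: the ignore file is described in the signatures manual that ships with ClamAV (docs/signatures.pdf, the same file Steve points at in the 3rd-party-sigs thread): a local.ign2 in the database directory lists signature names to be skipped, one bare name per line, and because it sits in the database directory it is picked up by clamd and clamav-milter just as it is by clamscan. The following is an added example, not ClamAV's code, for the two chores around that file: it tallies the FOUND lines of a clamscan --infected run per signature name, so the names put into local.ign2 are chosen deliberately rather than copied from a single hit, and it lints an existing .ign2 for the things that make the loader reject it. It assumes that lines beginning with '#' are comments and that a line with no name (blank or whitespace only) is what "No signature name provided" refers to; the character set in SIGNAME is my assumption, chosen to cover the names on this page. The scan output and ignore file at the bottom are constructed samples.

```python
#!/usr/bin/env python3
"""Tally clamscan detections and lint a local.ign2 file (added example)."""
import re
import sys
from collections import Counter

# Signature names as ClamAV prints them, e.g. PUA.Win.Trojan.EmbeddedPDF-1.
# The permitted character set is an assumption covering the names on this page.
SIGNAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]*$')
# clamscan --infected output: "<path>[!(n)MAIL:<part>]: <signame> FOUND"
FOUND = re.compile(r'^(?P<path>.+): (?P<sig>\S+) FOUND$')


def found_signatures(scan_output):
    """Count how many FOUND lines each signature produced.

    With --allmatch one message can report the same signature once for the
    whole file and again for the MIME part, so the count is per line."""
    counts = Counter()
    for line in scan_output.splitlines():
        m = FOUND.match(line.rstrip())
        if m:
            counts[m.group("sig")] += 1
    return counts


def lint_ign2(text):
    """Return (clean_names, problems); each problem is (line_number, message).

    Assumed format: one bare signature name per line, '#' starts a comment.
    Blank or whitespace-only lines are flagged because an empty name is, in my
    reading, what 'cli_loadign: No signature name provided' refers to."""
    clean, problems, seen = [], [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r")             # tolerate CRLF files
        if line.startswith("#"):
            continue
        name = line.strip()
        if not name:
            problems.append((no, "blank line"))
            continue
        if name != line:
            problems.append((no, "leading/trailing whitespace"))
        if not SIGNAME.match(name):
            problems.append((no, "unexpected characters in signature name"))
            continue
        if name in seen:
            problems.append((no, "duplicate entry"))
            continue
        seen.add(name)
        clean.append(name)
    return clean, problems


def ign2_text(names):
    """Render names as a clean .ign2 file: sorted, unique, one per line."""
    return "".join(n + "\n" for n in sorted(set(names)))


# Constructed sample scan output in the shape clamscan --infected prints.
SAMPLE_SCAN = """\
/home/HPRS/user/Maildir/cur/1.mail: PUA.Win.Trojan.EmbeddedPDF-1 FOUND
/home/HPRS/user/Maildir/cur/2.mail!(1)MAIL:report.pdf: PUA.Pdf.Trojan.EmbeddedJavaScript-1 FOUND
/home/HPRS/user/Maildir/cur/2.mail: PUA.Pdf.Trojan.EmbeddedJavaScript-1 FOUND
/home/HPRS/user/Maildir/cur/3.mail: Win.Trojan.Toa-5366523-0 FOUND
"""

# Constructed .ign2 containing the mistakes the linter is meant to catch.
SAMPLE_IGN2 = (
    "# local overrides\n"
    "PUA.Win.Trojan.EmbeddedPDF-1\n"
    "PUA.Pdf.Trojan.EmbeddedJavaScript-1 \n"
    "\n"
    "Win.Trojan.Toa-5366523-0\n"
    "PUA.Win.Trojan.EmbeddedPDF-1\n"
)

if __name__ == "__main__":
    # usage: clamscan --infected ... | ign2_tool.py [existing.ign2]
    for sig, n in found_signatures(sys.stdin.read()).most_common():
        print(f"{n:6d}  {sig}")
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            names, problems = lint_ign2(fh.read())
        for no, msg in problems:
            print(f"{sys.argv[1]}:{no}: {msg}", file=sys.stderr)
        sys.stdout.write(ign2_text(names))
```

The tally is the part worth keeping around: a signature that fires on hundreds of years-old internal messages the day after a database update looks very different in that list from one that fires on a single fresh inbound mail, and that difference is what should decide whether a name goes into local.ign2 or the message goes to quarantine.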


Re: [clamav-users] Cannot skip OLE2 checking

2016-12-22 Thread Mark Foley
On Wed, 21 Dec 2016 20:05:27 (CET) Kees Theunissen wrote:
>
> On Wed, 21 Dec 2016, Mark Foley wrote:
>
> >On Wed, 21 Dec 2016 17:34:05 Reindl Harald wrote:
> >>
> >> Am 21.12.2016 um 17:25 schrieb Mark Foley:
> >> > I'm running clamdscan on Maildir folders as:
> >> >
> >> > clamdscan --config-file=/usr/local/etc/clamdscan.conf --multiscan \
> >> >   --fdpass --allmatch --stdout /home/HPRS/user/Maildir/
> >> >
> >> > I want to skip checking for OLE2 macros. The 
> >> > /usr/local/etc/clamdscan.conf has:
> >> >
> >> > ScanOLE2 no
> >> > OLE2BlockMacros no
>
> Also specify different values for "LocalSocket", "PidFile" and "LogFile"
> and start a second instance of the clamd daemon using this config file.
>
> < ... >
>
> >Thinking about what the "d" means doesn't help me solve my problem. clamdscan
> >has an option --config-file. I would assume clamdscan would spawn another clamd
> >with the new option file. Is this not the case? Will the currently running clamd
> >be used regardless of the --config-file parameter?
>
> Clamdscan will connect to the socket specified in the config file and
> hence to the right daemon process. The socket specification is probably the
> only parameter from the config that is used by clamdscan.
>

Kees - thanks for that info. So, basically I'd have to start a new clamd with a
different socket and therefore pointing to a different config file. Not sure
then what the point of the --config-file parameter to clamdscan is ...

Anyway, that's too much fiddling for what I need.  My purpose in this particular
scan is to periodically scan (via cron) the domain Maildir repositories for
viruses not initially caught by the clamav-milter.  This does happen not
infrequently because, I suppose, updated signatures reveal possible viruses in old
messages that made it through before those signatures were added.

However, Heuristics.OLE2.ContainsMacros (OLE2BlockMacros yes) are ubiquitous in
.xls attachments from usually legitimate senders and would indicate hundreds of
"infected" files in the Maildir folders. 

So, what I will do is keep the "OLE2BlockMacros yes" for clamd/clamav-milter for
quarantining such incoming messages (I can manually release legitimate ones
later), but I'll use clamscan (not clamdscan) with the settings shown below for
semi-daily scanning of the Maildir folder without the --block-macros=yes
parameter.  This seems to give me the results I want. 

clamscan -a --no-summary --stdout --infected --recursive --allmatch \
  --scan-mail=yes --scan-ole2=yes /home/HPRS/user/Maildir/

Thanks!

--Mark


Re: [clamav-users] Cannot skip OLE2 checking

2016-12-21 Thread Mark Foley
On Wed, 21 Dec 2016 17:34:05 Reindl Harald wrote:
>
> Am 21.12.2016 um 17:25 schrieb Mark Foley:
> > I'm running clamdscan on Maildir folders as:
> >
> > clamdscan --config-file=/usr/local/etc/clamdscan.conf --multiscan \
> >   --fdpass --allmatch --stdout /home/HPRS/user/Maildir/
> >
> > I want to skip checking for OLE2 macros. The /usr/local/etc/clamdscan.conf has:
> >
> > ScanOLE2 no
> > OLE2BlockMacros no
> >
> > However, it still finds OLE2 macros:
> >
> > /home/HPRS/user/Maildir/.Deleted Items/cur/1448980384.M492273P32500.mail,S=751508,W=761365:2,S: Heuristics.OLE2.ContainsMacros FOUND
> >
> > Is this happening because there is already a clamd running for mail queue
> > checking which has the above config settings set to "yes"?
> >
> > How can I get clamdscan to skip checking for these macros?
>
> "man clamdscan" and think about what the "d" means versus "clamscan"
>
> NAME
> clamdscan - scan files and directories for viruses using Clam AntiVirus Daemon

I believe I know what the "d" means. I've recently posted here with the subject
"No notice of OLE2.ContainsMacros" and got excellent information from you, in
fact.

Thinking about what the "d" means doesn't help me solve my problem. clamdscan
has an option --config-file. I would assume clamdscan would spawn another clamd
with the new option file. Is this not the case? Will the currently running clamd
be used regardless of the --config-file parameter?

--Mark


[clamav-users] Cannot skip OLE2 checking

2016-12-21 Thread Mark Foley
I'm running clamdscan on Maildir folders as:

clamdscan --config-file=/usr/local/etc/clamdscan.conf --multiscan \
  --fdpass --allmatch --stdout /home/HPRS/user/Maildir/

I want to skip checking for OLE2 macros. The /usr/local/etc/clamdscan.conf has:

ScanOLE2 no
OLE2BlockMacros no

However, it still finds OLE2 macros:

/home/HPRS/user/Maildir/.Deleted Items/cur/1448980384.M492273P32500.mail,S=751508,W=761365:2,S: Heuristics.OLE2.ContainsMacros FOUND

Is this happening because there is already a clamd running for mail queue
checking which has the above config settings set to "yes"?

How can I get clamdscan to skip checking for these macros?

--Mark


Re: [clamav-users] No notice of OLE2.ContainsMacros

2016-12-20 Thread Mark Foley
On Tue, 20 Dec 2016 17:26:10 "G.W. Haywood" wrote:
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] No notice of OLE2.ContainsMacros
>
> On Tue, 20 Dec 2016, Mark Foley wrote:
>
> > ... running clamscan --block-macros=yes does find the
> > "ContainsMacros" notice.  ... (if I specify --block-macros=yes,
> > apparently the settings in /usr/local/etc/clamd.conf aren't used).
>
> Check the documentation.  The settings in clamd.conf are for clamd.
> They are never used by clamscan.  They will be used by clamd when
> is it responding to requests from clamdscan.  Note the distinction
> between clamscan and clamdscan.

My clamscan documentation doesn't mention config files at all and the clamd doc
doesn't explicitly say its config *is not* used for other clamXX modules, so I
didn't know for sure.

I did not know about clamdscan! Thanks for that info. I've replaced clamscan
with clamdscan in my script for 2 reasons: First, while clamscan with the
--block-macros=yes switch did work for .doc[x|m] quarantined messages, it found
macro enabled .xls files to be OK -- clamd quarantined these as well. Therefore,
clamdscan does a better job of finding these macro-enabled files. Secondly,
clamdscan *will* use the /usr/local/etc/clamd.conf, so I have only one place to
worry about config settings.

Thanks! --Mark


Re: [clamav-users] No notice of OLE2.ContainsMacros

2016-12-19 Thread Mark Foley
Ah ha! Some progress:

# First, I'll extract the attachment:
$ ripmime -v -i /var/spool/mqueue/dfuBJBh64e020058
Decoding filename=textfile0
Decoding filename=textfile1
Decoding filename=Payslip_Dec_2016_84286914.doc

# try vanilla clamscan (nothing found):

$ clamscan Payslip_Dec_2016_84286914.doc
Payslip_Dec_2016_84286914.doc: OK

--- SCAN SUMMARY ---
Known viruses: 5314698
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.18 MB
Data read: 0.03 MB (ratio 5.75:1)
Time: 6.143 sec (0 m 6 s)

# Next try with block-macros:

$ clamscan --block-macros=yes Payslip_Dec_2016_84286914.doc
Payslip_Dec_2016_84286914.doc: Heuristics.OLE2.ContainsMacros FOUND

--- SCAN SUMMARY ---
Known viruses: 5314698
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.01 MB
Data read: 0.03 MB (ratio 0.25:1)
Time: 5.380 sec (0 m 5 s)

Extracting the attachment, then running clamscan --block-macros=yes does
find the "ContainsMacros" notice. Also, reconstructing the email file using both
header and data components as you've instructed also works (if I specify
--block-macros=yes, apparently the settings in /usr/local/etc/clamd.conf aren't
used). 

Too bad I cannot scan an email datafile directly as that is what is readily
accessible when dealing with the quarantine queue. Perhaps something the clamav
dev folk could look into some day.

My best bet, then, is to extract the df file, then run clamscan on it directly.
That's easier than reconstituting the email.

Thanks for the help. That's what I was looking for!

--Mark

-Original Message-
Date: Tue, 20 Dec 2016 07:26:29 +1000 (AEST)
From: David Shrimpton 
To: ClamAV users ML 
Subject: Re: [clamav-users] No notice of OLE2.ContainsMacros

> $ clamscan -a -v -z --block-macros=yes /var/spool/mqueue/dfuBJBh64e020058
> Scanning /var/spool/mqueue/dfuBJBh64e020058
> /var/spool/mqueue/dfuBJBh64e020058: OK


The dfuBJBh64e020058 file looks like a sendmail queue datafile, in which
case it would have no email headers and contain only mime encoding eg base64
and just be a plain text file and not an email file to clamav, so scan negative.

If you extract the email file from the queue files, or extract the Office file
from the mime part in the df file  and re-scan
this may work.

For sendmail quarantined queue file something like the
following will extract the email file:

cat hfuBJBh64e020058 dfuBJBh64e020058 > somefile
Edit somefile to remove the unwanted lines down to the
start of the email headers eg the first H??Received: , then
remove H?? at start of lines and change the '.' on its own at
the end to just a newline (to mark the end of headers)

(Use qf instead of hf for a non quarantine queue file,
 but also bear in mind that queue processing by the mail daemon
 may be writing to a qf but not a hf file.)

Rescan and clamav should recognize it as an email file and extract
and scan any attachments.


--
David Shrimpton
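David's procedure above, and Mark's earlier question in the DarkKomet thread about why a Maildir file hits when the attachments he saved by hand do not, both come down to the same thing: hand clamscan the bytes the milter actually saw, decoded the way a mail parser decodes them. The following is an added example, not code from ClamAV or sendmail. It rebuilds an RFC 822 message from a sendmail hf (or qf) control file plus its df body by the steps David gives, generalised to keep every H?flags?-prefixed header record rather than only those from the first Received: onward, and then writes each MIME attachment out with the decoding Python's email parser applies, so the rebuilt message can go to clamscan --scan-mail and the parts to clamscan --block-macros=yes. The queue file, message and attachment bytes at the bottom are constructed; the "document" is a few bytes with an OLE2 magic number, not a real file, and the function and file names are mine.

```python
#!/usr/bin/env python3
"""Rebuild a sendmail-queued message and unpack its attachments (added example)."""
import base64
import email
import email.policy
import hashlib
import os
import re
import tempfile

# Header records in a qf/hf file look like:  H?<flags>?Name: value
HDR_REC = re.compile(r'^H\?[^?]*\?')


def rebuild_sendmail_message(hf_text, df_text):
    """Return an RFC 822 message built from a sendmail control file and df body.

    Keeps the H?flags? header records (prefix stripped) and their indented
    continuation lines, skips the other queue records (V, T, S, R, ...),
    stops at the lone '.' that ends the control file, then appends the body
    after the blank line that terminates the headers."""
    headers, in_headers = [], False
    for line in hf_text.splitlines():
        if HDR_REC.match(line):
            in_headers = True
            headers.append(HDR_REC.sub("", line, count=1))
        elif in_headers and line[:1] in (" ", "\t"):
            headers.append(line)          # folded continuation of the header
        elif line == ".":
            break                         # end of control file
        else:
            in_headers = False            # some other queue record
    return "\n".join(headers) + "\n\n" + df_text


def attachments(raw_message):
    """Yield (filename, decoded bytes) for each MIME part carrying a filename."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield os.path.basename(name), part.get_payload(decode=True)


def write_for_scan(raw_message, outdir):
    """Write each attachment under outdir and return the paths.

    The name is sanitised and prefixed with a content hash so two messages
    carrying 'invoice.doc' do not overwrite each other and the hash can be
    quoted in a report; point clamscan --block-macros=yes at outdir."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for name, data in attachments(raw_message):
        safe = re.sub(r'[^A-Za-z0-9._-]', '_', name)
        path = os.path.join(outdir, hashlib.sha256(data).hexdigest()[:12] + "_" + safe)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


# ---- constructed sample data -------------------------------------------
# Not a real document: an OLE2 magic number followed by zero padding.
FAKE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24

SAMPLE_HF = """V8
T1482145323
N1
Fbs
S<payroll@example.net>
rRFC822; user@example.com
RPFD:<user@example.com>
H??Received: from client.example.net (client.example.net [192.0.2.10])
\tby mail.example.com (8.14.9/8.14.9) with ESMTP id uBJBh64e020058
\tfor <user@example.com>; Mon, 19 Dec 2016 06:42:03 -0500
H??From: "Payroll" <payroll@example.net>
H??To: <user@example.com>
H??Subject: Payslip December 2016
H??MIME-Version: 1.0
H??Content-Type: multipart/mixed; boundary="=_part0"
.
"""

SAMPLE_DF = (
    "This is a multi-part message in MIME format.\n"
    "--=_part0\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Please find your payslip attached.\n"
    "--=_part0\n"
    'Content-Type: application/msword; name="Payslip_Dec_2016.doc"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="Payslip_Dec_2016.doc"\n'
    "\n"
    + base64.b64encode(FAKE_DOC).decode("ascii") + "\n"
    "--=_part0--\n"
)


def demo(outdir=None):
    """Run the pipeline on the constructed sample; returns (message, paths)."""
    raw = rebuild_sendmail_message(SAMPLE_HF, SAMPLE_DF)
    paths = write_for_scan(raw, outdir or tempfile.mkdtemp(prefix="mailparts-"))
    return raw, paths


if __name__ == "__main__":
    for path in demo()[1]:
        print(path)
```

In practice you would read the hf and df pair from /var/spool/mqueue (hf for quarantined items, qf otherwise, and only for queue IDs the daemon is not currently writing), scan the rebuilt message with clamscan --scan-mail=yes --allmatch, and scan the written parts separately; if the message hits and the parts do not, the signature is matching on something outside the decoded attachment bytes, which is the distinction Mark was trying to draw.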


Re: [clamav-users] No notice of OLE2.ContainsMacros [OT]

2016-12-19 Thread Mark Foley
Well, *that's* confusing! I suppose if I hadn't changed the subject line back to
my original subject my reply might have unsubscribed me as well.

Thanks for the clarification.

--Mark

-Original Message-
To: <clamav-users@lists.clamav.net>
From: Matteo Dessalvi <m.dessa...@gsi.de>
Date: Mon, 19 Dec 2016 16:15:37 +0100
Subject: Re: [clamav-users] No notice of OLE2.ContainsMacros [OT]

Mark, I believe it was not a suggestion. It often happens here that
a user who wants to unsubscribe {him,her}self from the ClamAV
mailing list just replies to whatever message is crossing the list, asking
to be 'unsubscribed'.

Best regards,
Matteo

On 12/19/2016 04:05 PM, Mark Foley wrote:
> Please elaborate a bit on your suggestion "unsubscrib". I don't understand.
>
> --Mark
>
> -Original Message-
> Date: Mon, 19 Dec 2016 08:57:44 -0500 (EST)
> From: "ca...@toursupply.com" <ca...@toursupply.com>
> To: "ClamAV users ML" <clamav-users@lists.clamav.net>
> Subject: [clamav-users] unsubscribe
>
> unsubscribe
>



[clamav-users] No notice of OLE2.ContainsMacros

2016-12-19 Thread Mark Foley
Please elaborate a bit on your suggestion "unsubscrib". I don't understand.

--Mark

-Original Message-
Date: Mon, 19 Dec 2016 08:57:44 -0500 (EST)
From: "ca...@toursupply.com" <ca...@toursupply.com>
To: "ClamAV users ML" <clamav-users@lists.clamav.net>
Subject: [clamav-users] unsubscribe

unsubscribe

-----Original Message-
From: "Mark Foley" <mfo...@novatec-inc.com>
Sent: Monday, December 19, 2016 8:36am
To: clamav-users@lists.clamav.net
Subject: [clamav-users] No notice of OLE2.ContainsMacros

Before I submit a bug report on this, I thought I'd see if any list members have ideas.

I'm running clamav 0.99.2 on Linux Slackware64 14.1.  I'm running clamav-milter
for sendmail.  I have "OLE2BlockMacros yes" set in /usr/local/etc/clamd.conf.
This is working fine, I get:

fd[10]: Heuristics.OLE2.ContainsMacros(fa7491778b806ca1fdc4a809ea3213d5:47944) 
FOUND

in /var/log/clamd.log when it finds such macros, and the email is put in the
quarantine mail queue.

My problem is that when I run clamscan manually I can never see these files as
having blocked macros. I've tried all the switch settings I can think of,
especially --block-macros=yes, but I get nothing, e.g.:

$ clamscan -a -v -z --block-macros=yes /var/spool/mqueue/dfuBJBh64e020058
Scanning /var/spool/mqueue/dfuBJBh64e020058
/var/spool/mqueue/dfuBJBh64e020058: OK

--- SCAN SUMMARY ---
Known viruses: 5304016
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.09 MB
Data read: 0.04 MB (ratio 2.00:1)
Time: 5.775 sec (0 m 5 s)

This message is in the quarantine mail queue and got there because
clamav-milter/clamd found a macro -- which it logged in /var/log/clamd.log, but
I cannot get clamscan to output any indication of this condition. I always get
"Infected files: 0" -- nothing about macros.

Is there something I can do, or is this just a bug?

THX - Mark


[clamav-users] No notice of OLE2.ContainsMacros

2016-12-19 Thread Mark Foley
Before I submit a bug report on this, I thought I'd see if any list members have ideas.

I'm running clamav 0.99.2 on Linux Slackware64 14.1.  I'm running clamav-milter
for sendmail.  I have "OLE2BlockMacros yes" set in /usr/local/etc/clamd.conf.
This is working fine, I get:

fd[10]: Heuristics.OLE2.ContainsMacros(fa7491778b806ca1fdc4a809ea3213d5:47944) 
FOUND

in /var/log/clamd.log when it finds such macros, and the email is put in the
quarantine mail queue.

My problem is that when I run clamscan manually I can never see these files as
having blocked macros. I've tried all the switch settings I can think of,
especially --block-macros=yes, but I get nothing, e.g.:

$ clamscan -a -v -z --block-macros=yes /var/spool/mqueue/dfuBJBh64e020058
Scanning /var/spool/mqueue/dfuBJBh64e020058
/var/spool/mqueue/dfuBJBh64e020058: OK

--- SCAN SUMMARY ---
Known viruses: 5304016
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.09 MB
Data read: 0.04 MB (ratio 2.00:1)
Time: 5.775 sec (0 m 5 s)

This message is in the quarantine mail queue and got there because
clamav-milter/clamd found a macro -- which it logged in /var/log/clamd.log, but
I cannot get clamscan to output any indication of this condition. I always get
"Infected files: 0" -- nothing about macros.

Is there something I can do, or is this just a bug?

THX - Mark