Re: [clamav-users] How to determine false-v-real FOUND

2017-02-09 Thread Steve Basford

On Thu, February 9, 2017 1:12 pm, Brad Scalio wrote:
> Clamscan found a PE "visor.exe.svn-base" that matched
> Win.Trojan.Agent-793284 FOUND.
>
> Is there a way, or an online tutorial, or some other information to
> decompose the signature and the file easily to determine if it's a false
> positive or not?  I realize this is a complete science in and of itself,
> but I am looking for a way for our tier 0 folks to quickly discern if
> they need to wake up the whole enterprise at 3am in the future.

Submit the file to a sandbox, eg:

https://www.hybrid-analysis.com/
https://malwr.com/

sigtool --find-sigs=Win.Trojan.Agent-793284
[main.mdb] 28672:f380d36c6d636f50392e83fb58fb8a59:Win.Trojan.Agent-793284

In the above case you can see it's an old hash in the main.mdb database

sigtool --find-sigs=Win.Trojan.Agent-793284 --decode-sigs
(will let you see the sigs as long as it's not a hash)

Also... found the hash here...

https://totalhash.cymru.com/analysis/?8d87580f90b6a6e66803bac07744c1439fb18c02

-- 
Cheers,

Steve
Twitter: @sanesecurity
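Added example, not code from the post or from ClamAV: a Python triage helper for the first step above. It parses `sigtool --find-sigs` output and tells a tier 0 analyst whether the hit is a hash signature (hdb/hsb/mdb/msb, where `--decode-sigs` has nothing to show and the only check is to compare hashes and sizes) or a body signature that can be decoded. The main.mdb line is the one from the post; the .hdb and .ndb lines are constructed, and the field order for the hash databases is my reading of the ClamAV signature format.

```python
import hashlib
import re

# One line per match, as printed by `sigtool --find-sigs=NAME`:
#   [main.mdb] 28672:f380d36c6d636f50392e83fb58fb8a59:Win.Trojan.Agent-793284
FIND_SIGS_LINE = re.compile(r"^\[(?P<db>[^\]]+)\]\s*(?P<sig>\S.*)$")

# Database extensions that hold pure hash signatures.  sigtool --decode-sigs
# has nothing to decode for these; triage means comparing hashes instead.
#   hdb/hsb: <hash>:<file size>:<name>        (whole-file hash)
#   mdb/msb: <section size>:<hash>:<name>     (hash of one PE section)
HASH_DBS = {"hdb": "file", "hsb": "file", "mdb": "pe_section", "msb": "pe_section"}

# Digest length in hex characters -> hashlib constructor.
DIGEST_BY_LEN = {32: hashlib.md5, 40: hashlib.sha1, 64: hashlib.sha256}


def parse_find_sigs(output):
    """Parse sigtool --find-sigs output into one dict per signature."""
    entries = []
    for line in output.splitlines():
        m = FIND_SIGS_LINE.match(line.strip())
        if not m:
            continue
        db, sig = m.group("db"), m.group("sig")
        ext = db.rsplit(".", 1)[-1].lower()
        entry = {"db": db, "raw": sig, "kind": "body"}
        if ext in HASH_DBS:
            fields = sig.split(":")
            if HASH_DBS[ext] == "file":
                digest, size, name = fields[:3]
            else:
                size, digest, name = fields[:3]
            entry.update(
                kind="hash",
                scope=HASH_DBS[ext],
                digest=digest.lower(),
                size=None if size == "*" else int(size),
                name=name,
            )
        entries.append(entry)
    return entries


def is_decodable(entry):
    """True when `sigtool --decode-sigs` can show what the signature matches."""
    return entry["kind"] == "body"


def hash_matches(entry, data):
    """Check a hash signature against raw bytes.

    For hdb/hsb pass the whole file; for mdb/msb pass the bytes of the PE
    section being checked (ClamAV hashes each section separately).
    """
    if entry["kind"] != "hash":
        raise ValueError("not a hash signature")
    if entry["size"] is not None and entry["size"] != len(data):
        return False  # the size is part of the signature, not just the digest
    ctor = DIGEST_BY_LEN.get(len(entry["digest"]))
    if ctor is None:
        raise ValueError("unrecognised digest length")
    return ctor(data).hexdigest() == entry["digest"]


def hdb_entry(data, name):
    """Build an .hdb line (MD5:size:name) for a file."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


# Sample input: the line from the post plus a constructed .hdb entry for a
# constructed file and a constructed .ndb body signature, so the flow runs
# offline without sigtool.
SAMPLE_FILE = b"constructed sample file, not a real detection\n"
FIND_SIGS_OUTPUT = (
    "[main.mdb] 28672:f380d36c6d636f50392e83fb58fb8a59:Win.Trojan.Agent-793284\n"
    "[example.hdb] " + hdb_entry(SAMPLE_FILE, "Test.Constructed-1") + "\n"
    "[daily.ndb] Test.Constructed-2:0:*:deadbeef\n"
)


def triage(output):
    """Return {signature name: 'hash' | 'body'} for a sigtool listing."""
    return {e.get("name", e["raw"]): e["kind"] for e in parse_find_sigs(output)}


if __name__ == "__main__":
    for e in parse_find_sigs(FIND_SIGS_OUTPUT):
        if e["kind"] == "hash":
            print("%s: %s is a %s hash, size %s -> decode-sigs shows nothing, compare hashes"
                  % (e["db"], e["name"], e["scope"], e["size"]))
        else:
            print("%s: body signature -> run sigtool --decode-sigs" % e["db"])
```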

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] svg files support

2017-02-01 Thread Steve Basford

On Wed, February 1, 2017 10:19 am, Al Varnell wrote:
> After further review, I see that SVG is in XML text format, which should
> not be a problem and there are a couple of SVG signatures in the
> database:

That's correct...

I've a few sigs for SVG too, mainly due to JavaScript being used inside
SVG formatted files to distribute malware.

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Steve Basford

On Thu, December 29, 2016 1:40 pm, Mark Allan wrote:

> It seems a little overkill to add a new feature for this. Couldn't you
> just delete the cvd/cld file and prevent freshclam from running? Or
> better yet, write a wrapper around freshclam so the update still takes
> place and then unpack the cvd/cld file and delete the bits you don't want
> to keep.
Hi Mark,

You could do that yes, there's always different ways of doing things,
but if it's easy-ish to add the feature then the option is there for
clamwin etc. to use too.
--
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Steve Basford

On Thu, December 29, 2016 9:32 am, Reindl Harald wrote:
>

> i would love to be able to *completely* exclude
> "daily.cld", "daily.cvd" and "main.cvd" and only update
> "safebrowsing.cvd"

daily.cvd and main.cvd are compressed versions of multiple databases...

e.g. sigtool --unpack-current=daily


29/12/2016  11:52    46,364,915 daily.hsb
29/12/2016  11:52    29,004,820 daily.hdb
29/12/2016  11:52     4,850,079 daily.mdb
29/12/2016  11:52       825,187 daily.ndu
29/12/2016  11:52       629,105 daily.ldb
29/12/2016  11:52        76,399 daily.ndb
29/12/2016  11:52        69,427 daily.mdu
18/02/2016  06:38        49,553 daily.crtdb
29/12/2016  11:52        36,126 daily.idb
29/12/2016  11:52        26,043 daily.fp
18/02/2016  06:38        25,227 daily.db
18/02/2016  06:38        10,943 daily.zmd
29/12/2016  11:52        10,739 daily.ldu
29/12/2016  11:52        10,095 daily.wdb
29/12/2016  11:52         9,965 daily.ftm
29/12/2016  11:52         6,040 daily.crb
29/12/2016  11:52         4,094 daily.pdb
29/12/2016  11:52         3,530 daily.hdu
18/02/2016  06:38         2,991 daily.rmd
29/12/2016  11:52         2,914 daily.ign
29/12/2016  11:52         2,269 daily.info
29/12/2016  11:52         2,168 daily.ign2
29/12/2016  11:52           424 daily.cfg
29/12/2016  11:52           378 daily.cdb
29/12/2016  11:52            92 daily.msb
29/12/2016  11:52            92 daily.msu
29/12/2016  11:52            89 daily.hsu
29/12/2016  11:52            87 daily.sfp

82,023,791 bytes

In clamscan there is:

--official-db-only[=yes/no(*)]   Only load official signatures

in clamd.conf there is:

OfficialDatabaseOnly    # Only loading official signatures.

I suppose there could be a:

--3rd-party-db-only[=yes/no(*)]

and the same thing in clamd.conf.

But this may not then load safebrowsing.cvd.

You may also need to keep daily.ftm as that contains filetypes.

I guess the best thing is to raise a bugzilla enhancement, if
people want to add their comments:

https://bugs.clamav.net/show_bug.cgi?id=11708


-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] signature memory use

2016-12-28 Thread Steve basford
doppelstern aren't used any more but I still mirror the blank files for a
while so people's configs don't break.



Cheers,

Steve
Twitter: @sanesecurity



On 28 December 2016 19:57:06 Alex wrote:


Hi Steve,


crdfam.clamav.hdb,pool memory used: 4.355 MB
doppelstern-phishtank.ndb,pool memory used: 4.355 MB
doppelstern.hdb,pool memory used: 4.355 MB
doppelstern.ndb,pool memory used: 4.355 MB


Can you explain what these are for? I don't see these on the signature
description page:

http://sanesecurity.com/usage/signatures/

Hmm.. just googled it, and found it on a mirror, but it appears to be
quite old. Perhaps it's just not relevant any longer..

Thanks,
Alex




Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

2016-12-27 Thread Steve basford
#All# macros inside xlsm files are being blocked due to sig blocking of
vbaProject.bin inside.


Cheers,

Steve
Twitter: @sanesecurity



On 27 December 2016 20:08:37 Adnan de Castro Donato wrote:




In keeping with one false positive reports
I have 8 CentOS servers report below after Signatures Published daily - 22782 update:


All attachments with extension *.xlsm have the same issue:

Our content checker found
virus: Win.Trojan.Toa-5368540-0


Believe this is a false positive. Would like confirmation and an update if possible.


Thanks.






Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Steve Basford

On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote:
> In keeping with the other false positive reports I have more than 400
> CentOS servers report below after yesterday's freshclam update:

Yes, nashorn.jar seems to get hit too...

eg:

fp2\11476331d01: Win.Trojan.Toa-5372078-0
fp2\200ENGI.EXE: Win.Trojan.Toa-5380327-0
fp2\3A627716d01: Win.Trojan.Toa-5372078-0
fp2\firefox-hot...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
fp2\Microsoft Virtual PC 2004 MSDN.msi: Win.Trojan.Toa-5370996-0
fp2\nashorn.jar: Win.Trojan.Toa-5370166-0
fp2\startupCache.4.little: Win.Trojan.Toa-5370166-0

and the earlier reported FP's are still there:

fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0
fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0
fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0
fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0
fp\omni.ja: Win.Trojan.Toa-5370166-0
fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0
fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0

etc.

IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing done
in full after holidays.

As the issues go on...

https://forum.kaspersky.com/index.php?s=252c49e91f4e5a6572be42fda3a1ff56=363061

https://www.joomlashine.com/forum/other-products/169144-uniform-package-has-win-trojan-toa-5370166-0

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] More fp's.

2016-12-26 Thread Steve Basford

On Mon, December 26, 2016 12:39 pm, Sierk Bornemann wrote:

Just run freshclam...

fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370164-0.UNOFFICIAL FOUND
fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370297-0.UNOFFICIAL FOUND
fp\l...@mozilla.org.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
fp\omni.ja: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
fp\org-netbeans-modules-javascript-nodejs.jar: Win.Trojan.Toa-5370166-0.UNOFFICI
fp\privacy_badger-1.7.0-fx.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
fp\tbtestpi...@labs.mozilla.com.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
fp\tbtestpi...@labs.mozilla.com.xpi: Win.Trojan.Toa-5370261-0.UNOFFICIAL FOUND
fp\turbo_download_manager-0.2.8-an+fx.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND

In short these need removing too...

Win.Trojan.Toa-5370164-0.UNOFFICIAL FOUND
Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND
Win.Trojan.Toa-5370261-0.UNOFFICIAL FOUND
Win.Trojan.Toa-5370297-0.UNOFFICIAL FOUND

So in short... these new sig changes are making a huge mess...

https://wordpress.org/support/topic/wordpress-4-7-virus/
https://forums.linuxmint.com/viewtopic.php?t=236204
http://stackoverflow.com/questions/41326419/cannot-upload-file-online-due-to-win-trojan-toa-5372190-0-found
https://forums.cpanel.net/threads/can-not-upload-zip-files-virus-detected.588843/

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] More fp's. Now its almost everything that has been zipped.

2016-12-25 Thread Steve Basford

On Sun, December 25, 2016 10:40 am, Al Varnell wrote:

> A handful of ClamXav users can confirm the Firefox
> omni.ja:Win.Trojan.Toa-5370234-0. It also identified some Adobe products
> as infected when run through QA.

Firstly, Merry Christmas to all.

Onto the FP's... basically they are too generic... currently the
reported FP's, when you decode them, are going to hit quite a few
files.

sigtool --find-sigs Win.Trojan.Toa-5370234-0|sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Toa-5370234-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: [\W][a-z]{3,4}\.js$

sigtool --find-sigs Win.Trojan.Toa-5372190-0|sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Toa-5372190-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: [a-z]{8,30}\.exe$

sigtool --find-sigs Win.Trojan.Toa-5371146-0|sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Toa-5371146-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: ^[a-z]{3,7}\.exe$

sigtool --find-sigs Win.Trojan.Toa-5370085-0|sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Toa-5370085-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: ^[a-z]{2,12}\.exe$

They have hit a few in my ham folder too..


eg:

sanesecurity\ham\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370297-0


The good news is that the Toa-xxx sigs are hitting malware

eg:

21_12_2016\IMG-20161221-WA9898.zip: Win.Trojan.Toa-5368799-0 FOUND

sigtool --find-sigs Win.Trojan.Toa-5368799-0|sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Toa-5368799-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: ^[A-Za-z0-9]{1,25}\.wsf$

Foxhole sigs are doing a similar thing but trying not to be too generic.

Right, off to carry on munching and playing with playdoh(tm) ;)

--
Cheers,

Steve
Twitter: @sanesecurity
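Added example, not code from the post or from ClamAV: a Python check of how generic the decoded CDB signatures above are. It parses the `sigtool --decode-sigs` blocks from the post and runs each FILENAME REGEX over a constructed list of member names of the kinds of benign archives the thread reports (.xpi add-ons, .jar files, installer zips) and over one constructed malware-style name, so you can see which sigs would fire on ordinary archives before they reach production. Python's `re` stands in for ClamAV's own regex engine and the names are matched as archive member paths; both are assumptions.

```python
import re

# The decoded CDB signatures from the post above, as printed by
# `sigtool --find-sigs NAME | sigtool --decode-sigs`.
DECODED_SIGS = r"""
VIRUS NAME: Win.Trojan.Toa-5370234-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: [\W][a-z]{3,4}\.js$

VIRUS NAME: Win.Trojan.Toa-5372190-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: [a-z]{8,30}\.exe$

VIRUS NAME: Win.Trojan.Toa-5371146-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: ^[a-z]{3,7}\.exe$

VIRUS NAME: Win.Trojan.Toa-5370085-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: ^[a-z]{2,12}\.exe$

VIRUS NAME: Win.Trojan.Toa-5368799-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: ^[A-Za-z0-9]{1,25}\.wsf$
"""

# Constructed member names of benign archives of the kinds the thread reports
# as false positives (Firefox .xpi add-ons, .jar files, installer zips).
BENIGN_MEMBERS = [
    "install.rdf", "chrome.manifest", "bootstrap.js", "lib/main.js",
    "chrome/content/ui.js", "META-INF/MANIFEST.MF", "setup.exe",
    "installer.exe", "uninstall.exe", "jre/bin/java.exe", "xl/vbaProject.bin",
]
# Constructed member name in the style of the wsf-in-zip malware the post
# says the same signature family does catch.
MALWARE_MEMBERS = ["IMG20161221WA9898.wsf"]


def parse_decoded_cdb(text):
    """Turn sigtool --decode-sigs blocks into dicts, one per VIRUS NAME."""
    sigs, block = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank separator line between blocks
        block[key.strip()] = value.strip()
        if key.strip() == "FILENAME REGEX":  # last field of a CDB block
            sigs.append(block)
            block = {}
    return sigs


def filename_hits(sig, members):
    """Members whose name the signature's FILENAME REGEX matches.

    The match is a search, so only patterns starting with ^ are anchored to
    the start of the member name; that is exactly what makes
    `[a-z]{8,30}\\.exe$` hit deep inside benign paths.
    """
    pattern = re.compile(sig["FILENAME REGEX"])
    return [m for m in members if pattern.search(m)]


def generality_report(sigs, benign, malware):
    """Per signature: benign member hits (FP exposure) and malware hits."""
    report = {}
    for sig in sigs:
        report[sig["VIRUS NAME"]] = {
            "benign": filename_hits(sig, benign),
            "malware": filename_hits(sig, malware),
        }
    return report


def too_generic(sigs, benign, threshold=1):
    """Names of sigs that hit at least `threshold` benign members."""
    return [s["VIRUS NAME"] for s in sigs
            if len(filename_hits(s, benign)) >= threshold]


if __name__ == "__main__":
    sigs = parse_decoded_cdb(DECODED_SIGS)
    for name, r in generality_report(sigs, BENIGN_MEMBERS, MALWARE_MEMBERS).items():
        print(name, "benign:", r["benign"], "malware:", r["malware"])
    print("too generic:", too_generic(sigs, BENIGN_MEMBERS))
```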



Re: [clamav-users] signature memory use

2016-12-21 Thread Steve Basford

> So all signatures should be running fine with 6Gb of RAM, right ?
> Even our big signatures :)

Summary test:

Using clamscan only to scan test.eml (3,706 bytes)

ClamAV Official sigs only (daily/main):
pool memory used: 385.675 MB

Official + *all* Sanesecurity/Distributed sigs
pool memory used: 467.359 MB
Time: 39.500 sec (0 m 39 s)

Official + *all* Sanesecurity/Distributed + SecuriteInfo sigs

Time: 86.344 sec (1 m 26 s)
pool memory used: 750.292 MB




-- 
Cheers,

Steve
Twitter: @sanesecurity



[clamav-users] signature memory use

2016-12-21 Thread Steve Basford
As some people have reported memory issues...

Quickly put these together based on scanning a small file
and *only* loading *one* signature database at a time:

Sanesecurity:

badmacro.ndb,pool memory used: 5.132 MB
blurl.ndb,pool memory used: 4.800 MB
bofhland_cracked_URL.ndb,pool memory used: 4.370 MB
bofhland_malware_attach.hdb,pool memory used: 4.519 MB
bofhland_malware_URL.ndb,pool memory used: 4.546 MB
bofhland_phishing_URL.ndb,pool memory used: 4.421 MB
crdfam.clamav.hdb,pool memory used: 4.355 MB
doppelstern-phishtank.ndb,pool memory used: 4.355 MB
doppelstern.hdb,pool memory used: 4.355 MB
doppelstern.ndb,pool memory used: 4.355 MB
foxhole_all.cdb,pool memory used: 4.366 MB
foxhole_all.ndb,pool memory used: 4.449 MB
foxhole_filename.cdb,pool memory used: 4.445 MB
foxhole_generic.cdb,pool memory used: 4.374 MB
foxhole_js.cdb,pool memory used: 4.355 MB
foxhole_js.ndb,pool memory used: 4.363 MB
junk.ndb,pool memory used: 21.616 MB
jurlbl.ndb,pool memory used: 5.519 MB
jurlbla.ndb,pool memory used: 5.714 MB
lott.ndb,pool memory used: 5.441 MB
phish.ndb,pool memory used: 18.101 MB
phishtank.ndb,pool memory used: 14.284 MB
porcupine.ndb,pool memory used: 7.136 MB
rogue.hdb,pool memory used: 4.359 MB
scam.ndb,pool memory used: 12.667 MB
scamnailer.ndb,pool memory used: 26.624 MB
shelter.ldb,pool memory used: 4.374 MB
spam.ldb,pool memory used: 4.382 MB
spamattach.hdb,pool memory used: 4.355 MB
spamimg.hdb,pool memory used: 4.359 MB
spear.ndb,pool memory used: 13.261 MB
spearl.ndb,pool memory used: 4.702 MB
winnow.attachments.hdb,pool memory used: 5.374 MB
winnow.complex.patterns.ldb,pool memory used: 4.363 MB
winnow_bad_cw.hdb,pool memory used: 4.355 MB
winnow_extended_malware.hdb,pool memory used: 4.499 MB
winnow_extended_malware_links.ndb,pool memory used: 4.355 MB
winnow_malware.hdb,pool memory used: 4.894 MB
winnow_malware_links.ndb,pool memory used: 9.808 MB
winnow_phish_complete.ndb,pool memory used: 5.316 MB
winnow_phish_complete_url.ndb,pool memory used: 5.316 MB
winnow_spam_complete.ndb,pool memory used: 5.159 MB


SecuriteInfo:

javascript.ndb,pool memory used: 29.484 MB
securiteinfo.hdb,pool memory used: 243.804 MB
securiteinfoascii.hdb,pool memory used: 15.726 MB
securiteinfohtml.hdb,pool memory used: 10.613 MB
spam_marketing.ndb,pool memory used: 5.675 MB

Official:

daily.hdb,pool memory used: 49.777 MB
daily.hsb,pool memory used: 58.074 MB
daily.ldb,pool memory used: 11.394 MB
daily.mdb,pool memory used: 11.656 MB
daily.mdu,pool memory used: 4.355 MB
daily.ndb,pool memory used: 5.273 MB
daily.ndu,pool memory used: 4.355 MB

Hope that helps see where some of the memory may be going,
sorry for not sorting... I'm under orders to go shopping ;)

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] clamd restart

2016-12-21 Thread Steve basford




On 21 December 2016 11:07:42 Al Varnell wrote:

Are you using any UNOFFICIAL signatures? Some of them have been causing 
memory issues recently for others.




Al, while some 3rd party sigs are using memory, you've also got to remember the
huge amount of sig-only hashes the official sigs have been adding recently in
order to have better detection.


javascript.ndb from SecuriteInfo was causing major memory and scanning
issues for some people.


A list of sig databases would be a starting point to diagnose issues.

I'm mobile at the moment but will check sig performance later.

Cheers,

Steve
Twitter: @sanesecurity




Re: [clamav-users] clamd restart

2016-12-21 Thread Steve basford

Do you have a list of signatures in your clamav database folder you can list?

Cheers,

Steve
Twitter: @sanesecurity



On 21 December 2016 11:20:12 "Richard Walker - Seven Internet Ltd" wrote:



Hi Al

Yes I'm using unofficial signatures. I have disabled the cron for updates.
How do I safely remove the UNOFFICIAL signatures?

Thanks

Rich

-Original Message-
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf
Of Al Varnell
Sent: 21 December 2016 11:07
To: ClamAV users ML
Subject: Re: [clamav-users] clamd restart

Are you using any UNOFFICIAL signatures? Some of them have been causing
memory issues recently for others.

-Al-

On Wed, Dec 21, 2016 at 02:09 AM, Richard Walker - Seven Internet Ltd wrote:


Hi

I am having to restart clamd twice a day now. I can't find anything in
the mail/clamd logs other than hundreds of entries like this
1cIzSP-8u-84 malware acl condition: clamd /var/run/clamav/clamd.sock :
unable to connect to UNIX socket (/var/run/clamav/clamd.sock):
Connection refused

On some forums it's saying I'm running out of memory. The server it is
installed on is running 6GB and handles about 22000+ emails a day.

clamscan -V is showing

ClamAV 0.99.2/22749/

Thanks

Rich








Re: [clamav-users] Custom CVD

2016-12-16 Thread Steve Basford

On Fri, December 16, 2016 2:39 am, filipecalderon66...@yahoo.com wrote:
> Hello all - first time post and new clamav user.
> I have installed clamav on a box that has very specific exposures, and has
> very limited memory and disk space. The existing signatures when all the
> other optional ones are loaded like unofficial-sigs creates a ginormous
> file and eats all my memory.

There's been a huge amount of hashes added to the official dbs too..

Daily...

28,958,837 daily.hdb
35,700,190 daily.hsb

Main...

3,607,299 main.hdb
       89 main.hsb

I think in --debug you see

LibClamAV debug: pool memory used: 24.206 MB

But I don't think there is a memory-per-database figure shown at load time...

LibClamAV debug: ..\sigs_rsync\phish.ndb loaded

I wonder if the memory used per database could be added eg:

LibClamAV debug: ..\sigs_rsync\phish.ndb loaded (24.206 MB)



-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Custom CVD

2016-12-16 Thread Steve Basford

On Fri, December 16, 2016 2:39 am, filipecalderon66...@yahoo.com wrote:
> Hello all - first time post and new clamav user.
> I have installed clamav on a box that has very specific exposures, and has
> very limited memory and disk space. The existing signatures when all the
> other optional ones are loaded like unofficial-sigs creates a ginormous
> file and eats all my memory.

What databases are you using? List the database folder.

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Question on attachments

2016-12-12 Thread Steve basford

Hi Tom,

.ftm files contain magic headers of various formats.

cat daily.ftm
cat sanesecurity.ftm

The engine then unpacks if it's a zip etc. and the unpacked exists. That's
why your example filename still unpacks.


You can also use .ftm to skip file formats from scanning.

I'm mobile at the moment ...so sorry if this is a bit vague.

Cheers,

Steve
Twitter: @sanesecurity



On 12 December 2016 16:44:17 TR Shaw wrote:


How does ClamAV decide to unpack an attachment?

In particular this is in reference to the recent Locky attachments that are 
zips but have the attachment extension “dip”
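Added example, not code from the post or from ClamAV: a small Python model of the decision TR Shaw asks about, driven by .ftm entries. The .ftm lines are constructed in the magictype:offset:magic:name:rtype:type layout as I understand ClamAV's filetype database (an assumption; only magictype 0, plain hex bytes compared at an offset, is modelled, and the set of types treated as unpackable is the example's own). A file called invoice.dip whose bytes start with the ZIP local-header magic is typed CL_TYPE_ZIP and unpacked whatever its extension, and a line whose type is CL_TYPE_IGNORED (assumed to be the type name ClamAV uses for this) shows the "skip a format" use.

```python
import binascii

# Constructed .ftm lines (not copied from daily.ftm).  Layout assumed:
#   magictype:offset:magic:name:rtype:type[:min_flevel[:max_flevel]]
# rtype is the type the data must already have for the rule to apply;
# CL_TYPE_ANY means the rule applies to anything.
SAMPLE_FTM = """\
0:0:504b0304:ZIP:CL_TYPE_ANY:CL_TYPE_ZIP
0:0:4d5a:MZ:CL_TYPE_ANY:CL_TYPE_MSEXE
0:0:d0cf11e0a1b11ae1:OLE2:CL_TYPE_ANY:CL_TYPE_MSOLE2
0:0:47494638:GIF:CL_TYPE_ANY:CL_TYPE_IGNORED
"""

# Types the demo treats as containers to unpack (example's own choice).
UNPACKABLE = {"CL_TYPE_ZIP", "CL_TYPE_MSOLE2"}


def parse_ftm(text):
    """Parse magictype-0 rules; other magic types are skipped here."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError("malformed .ftm line: %r" % line)
        magictype, offset, magic, name, rtype, ftype = fields[:6]
        if magictype != "0":
            continue
        rules.append({
            "offset": int(offset),
            "magic": binascii.unhexlify(magic),
            "name": name,
            "rtype": rtype,
            "type": ftype,
        })
    return rules


def detect_type(data, rules, current_type="CL_TYPE_ANY"):
    """First rule whose magic bytes sit at its offset decides the type."""
    for r in rules:
        if r["rtype"] not in ("CL_TYPE_ANY", current_type):
            continue
        end = r["offset"] + len(r["magic"])
        if len(data) >= end and data[r["offset"]:end] == r["magic"]:
            return r["type"]
    return None  # no magic matched: the engine falls back to a raw scan


def decide(filename, data, rules):
    """(detected type, action) for an attachment: content wins over name."""
    ftype = detect_type(data, rules)
    if ftype == "CL_TYPE_IGNORED":
        return ftype, "skip"
    if ftype in UNPACKABLE:
        return ftype, "unpack"
    return ftype, "scan"


# Constructed attachments: a zip renamed to the Locky-style ".dip" extension,
# an executable, an image and plain text.  Only the magic bytes matter here.
SAMPLES = [
    ("invoice.dip", b"PK\x03\x04\x14\x00\x00\x00\x08\x00"),
    ("tool.bin", b"MZ\x90\x00\x03\x00"),
    ("cat.gif", b"GIF89a\x01\x00"),
    ("notes.txt", b"plain text, no magic"),
]

if __name__ == "__main__":
    rules = parse_ftm(SAMPLE_FTM)
    for name, data in SAMPLES:
        print("%-12s -> %s" % (name, decide(name, data, rules)))
```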






Re: [clamav-users] bugzilla security certificate

2016-12-12 Thread Steve Basford

On Wed, December 7, 2016 5:03 pm, Benny Pedersen wrote:

>> You can bypass the warning if desired.
>
> worst advice you ever have given here

Thanks... but I didn't actually say you *should* ... but browsers do allow
you to.

In this case the firefox error box was:

bugs.clamav.net uses an invalid security certificate.
The certificate ***is only valid*** for bugzilla.clamav.net
Error code: SSL_ERROR_BAD_CERT_DOMAIN

Seeing as the url is: https://bugs.clamav.net/
and the certificate is for bugzilla.clamav.net, you are given
a bit of information to help you decide if you really want to bypass the
warning.

BIG FLASHING LEDs -> not saying that you should

Plus, you have to click Advanced, Add Exception before you
even get to confirming the exception... so you have to be pretty certain
you want to do this.

Hopefully case closed ;)

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Goldeneye ransomware

2016-12-08 Thread Steve basford

Hi... this is detected with Badmacro.ndb.

On 8 December 2016 16:54:26 Matteo Dessalvi wrote:



I also ran a quick analysis on Malwr:
https://malwr.com/analysis/Y2VhYWNjZTk3NWFhNGRhMDg5OWYwY2E5MzdjNDA2M2I/

Best regards,
  Matteo


Cheers,

Steve
Twitter: @sanesecurity




Re: [clamav-users] Goldeneye ransomware

2016-12-08 Thread Steve basford




On 8 December 2016 20:39:49 Jack wrote:

In addition to SaneSecurity, here is another third-party repo of sigs 
(updated often) that catches these docs:


They are available to use on the download script already, I seem to
remember.


I've had high fps with them and had clamd crash out when processing certain
messages, but in essence they are similar to Badmacro.ndb... but ymmv.


Cheers,

Steve
Twitter: @sanesecurity


___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


[clamav-users] bugzilla security certificate

2016-12-07 Thread Steve Basford
Just a quick one... in case it confuses visitors to Bugzilla...

Going to https://bugs.clamav.net/

Firefox reports:

"bugs.clamav.net uses an invalid security certificate. The certificate is
only valid for bugzilla.clamav.net Error code: SSL_ERROR_BAD_CERT_DOMAIN"

You can bypass the warning if desired.

-- 
Cheers,

Steve
Twitter: @sanesecurity



[clamav-users] support

2016-12-05 Thread Steve Basford
Hi,

Just had a twitter user contact me regarding an fp that he reported 1st
September (I don't have a hash sorry):


3986318.cbc:BC.Legacy.Exploit.CVE_2012_4148-1.{};Engine:70-255,Target:10;(0&2&1);0:255044462d312e;*:2f416e6e6f74;*:2f53756274797065{-5}2f576964676574

Secondly, I'm seeing this using 0.99.3... in debug logs when loading
daily.ldb:

LibClamAV debug: lsigattribs: Unknown attribute name 'HanderType'
LibClamAV debug: init_tdb: Not supported attribute(s) in signature for
Win.Trojan.CVE_2006_5857-1, skipping
LibClamAV debug: lsigattribs: Unknown attribute name 'HanderType'
LibClamAV debug: init_tdb: Not supported attribute(s) in signature for
Win.Exploit.CVE_2009_2502-1, skipping
LibClamAV debug: lsigattribs: Unknown attribute name 'HanderType'
LibClamAV debug: init_tdb: Not supported attribute(s) in signature for
Pdf.Exploit.Agent-1388609, skipping
LibClamAV debug: lsigattribs: Unknown attribute name 'HanderType'
LibClamAV debug: init_tdb: Not supported attribute(s) in signature for
Pdf.Exploit.CVE_2012_4154-1, skipping
LibClamAV debug: lsigattribs: Unknown attribute name 'HanderType'
LibClamAV debug: init_tdb: Not supported attribute(s) in signature for
Pdf.Exploit.CVE_2012_4157-1, skipping
LibClamAV debug: lsigattribs: Unknown attribute name 'HanderType'
LibClamAV debug: init_tdb: Not supported attribute(s) in signature for
Pdf.Exploit.CVE_2011_4370-1, skipping
LibClamAV debug: lsigattribs: Unknown attribute name 'HanderType'
LibClamAV debug: init_tdb: Not supported attribute(s) in signature for
Osx.Trojan.Iumler-1, skipping
LibClamAV debug: lsigattribs: Unknown attribute name 'HanderType'
LibClamAV debug: init_tdb: Not supported attribute(s) in signature for
Pdf.Exploit.Dropped-2014, skipping
LibClamAV debug: lsigattribs: Unknown attribute name 'HanderType'
LibClamAV debug: init_tdb: Not supported attribute(s) in signature for
Win.Trojan.Quarian-2, skipping

These seem to be of the type...

,HanderType:CL_TYPE_PDF,Target:

not the usual

,Container:CL_TYPE_PDF,Target:

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Steve Basford

On Wed, November 30, 2016 10:50 am, Al Varnell wrote:
>

> On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
>
>>
>> * Al Varnell :
>>
>>> Has anybody submitted a PDF yet?
>>>
>>
>> Of course.
>>
>
> Hash?

Here's one example I saw in a forum...

Source:
http://www.ubuntu-es.org/node/191328

Url:

h t t p s : / /
it-bqcom15-media.s3.amazonaws.com/prod/resources/manual/Aquaris_E5s_Gui%CC%81a_completa_de_usuario-1475652714
DOT pdf

VirusTotal:

https://www.virustotal.com/en/file/b1cc8969aff399539d61eba6c42d1a75ecaec0cb656c30b0b844288e2c2aefd6/analysis/1480503855/

Hashes:

MD5 978e240a57fe2cabce4073fba2266520
SHA1 c0e5b4b34b47eaaa8d5b9321279b285bcea67427
SHA256 b1cc8969aff399539d61eba6c42d1a75ecaec0cb656c30b0b844288e2c2aefd6


-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] BKF archives scanable by ClamAV?

2016-11-30 Thread Steve Basford

On Tue, November 29, 2016 9:26 pm, Fr34k wrote:
> Hello ClamAV Experts,
> Can ClamAV scan within Windows BKF archives?
> Both the Clam AntiVirus 0.99.1 User Manual and my Internet searches thus
> far suggest the answer is, sadly, "no". I presume this may be due to the
> age of .bkf usage.  Regardless, I was hoping for a definitive answer from
> the experts. Thoughts?

Don't think ClamAV will read bkf, did come across this, in case it helps:

https://github.com/sjmurdoch/mtftar

-- 
Cheers,

Steve
Twitter: @sanesecurity


[clamav-users] Reddit fp report

2016-11-29 Thread Steve basford

Might need a reply

https://www.reddit.com/r/Malware/comments/5fix65/clamav_and_fortinet_have_not_fixed_a_false/

https://www.virustotal.com/en/file/61b5451350a110512d734f426a37e49721a7dea8170fd10f0a48974dedd971a5/analysis/

Cheers,

Steve
Twitter: @sanesecurity




Re: [clamav-users] Whitelist based on sign *and* filename?

2016-11-28 Thread Steve Basford

On Mon, November 28, 2016 1:56 pm, Mathieu D. wrote:
> Hello,
>
>
> Is there any way to whitelist a file based on its signature *and* its
> filename?
>
Not that I know of...

I guess this *might* be an option.

1. Find something common in your pdf you want to "whitelist", say "Your
company name or department", and convert this to hex.

2. Create an ign2 file to ignore the normal PUA file.

3. Create an ldb sig, which should do the same as the current PUA
BUT you are creating a whitelist "phrase".

eg:

Local.PUA.Script.PDF.EmbeddedJavaScript;Engine:51-255,Target:0;(0&1=0);255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c);41646F6265204C6976654379636C652044657369676E65722045532031302E30

eg:

This is the hex for your phrase:
41646F6265204C6976654379636C652044657369676E65722045532031302E30 =
"Adobe LiveCycle Designer ES 10.0"

So, if the pdf contains "Javascript" and "Adobe LiveCycle Designer ES
10.0" it won't get hit... all other PDFs with Javascript will get
blocked.

Not ideal but at least it should work.

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] [Ext] Using very high CPU with lots of errors

2016-11-21 Thread Steve Basford

On Mon, November 21, 2016 3:15 pm, Hayes, Doug wrote:
> Hi Team,
>
>
> Looking for some assistance here, looks like I am getting the below
> errors when starting the clamd process? Any ideas?
>
> --Version
> ClamAV 0.97.6/22576/Mon Nov 21 06:21:40 2016

Sorry, forgot to add...

https://bugzilla.clamav.net/show_bug.cgi?id=11647

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] [Ext] Using very high CPU with lots of errors

2016-11-21 Thread Steve Basford

On Mon, November 21, 2016 3:15 pm, Hayes, Doug wrote:
> Hi Team,
>
>
> Looking for some assistance here, looks like I am getting the below
> errors when starting the clamd process? Any ideas?
>
> --Version
> ClamAV 0.97.6/22576/Mon Nov 21 06:21:40 2016

You need to upgrade your ClamAV engine.

http://blog.clamav.net/2016/05/clamav-097-engine-end-of-life.html
-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] CRDF databases and clamav

2016-11-20 Thread Steve basford
Passed directly to CRDF at the same time something is reported to the 
ClamAV team.


For info... If someone reports an FP with a Sanesecurity or Sanesecurity
distributed sig, the sig is first removed, then reported to the sig maker
and, if the FP can be avoided and fixed, it will be reinstated.


Ham tests are done every hour automatically  before mirror updates... 
issues and database errors directly reported, which has been the case for 
years.



On 20 November 2016 21:46:56 Dennis Peterson  wrote:


Will the ClamAV team handle CRDF FP's and other issues?


Cheers,

Steve
Twitter: @sanesecurity




Re: [clamav-users] CRDF databases and clamav

2016-11-20 Thread Steve basford




On 20 November 2016 16:54:48 Rafael Ferreira  wrote:


CRDF databases are now being rolled into the main/daily.cvd ones?

Yes they were distributed on the Sanesecurity mirror originally (with a
config option to enable) but were removed after the announcement... as it
didn't make sense to download them twice.


Cheers,

Steve
Twitter: @sanesecurity




Re: [clamav-users] clamav-users@lists.clamav.net

2016-11-18 Thread Steve basford

Great... thanks for confirming the hunch.

Cheers,

Steve
Twitter: @sanesecurity



On 18 November 2016 22:26:13 Richard Doyle <list...@arbitrarydomain.name> 
wrote:



Ah yes, that seems to have caused the hangup. The clamscan debug run
went from 257 seconds to 25 seconds

On 11/18/2016 02:07 PM, Steve basford wrote:

Remove javascript.ndb and retry...

Cheers,

Steve
Twitter: @sanesecurity



On 18 November 2016 22:02:41 Richard Doyle
<list...@arbitrarydomain.name> wrote:


On 11/18/2016 01:52 PM, Steve basford wrote:

Does clamscan --debug on the database folder show the same delays...


Yes



Can you do a ls on the database folder

Sure:

root@panic:/var/lib/clamav# ls
badmacro.ndb  junk.ndb  porcupine.ndb  spear.ndb
bofhland_cracked_URL.ndb  jurlbla.ndb  rfxn.hdb
bofhland_malware_attach.hdb  jurlbl.ndb  rfxn.ndb  winnow.attachments.hdb
bofhland_malware_URL.ndb  local.ign  rogue.hdb  winnow_bad_cw.hdb
bofhland_phishing_URL.ndb  lott.ndb  sanesecurity.ftm  winnow.complex.patterns.ldb
bytecode.cld  main.cvd  scamnailer.ndb  winnow_extended_malware.hdb
crdfam.clamav.hdb  malwarehash.hsb  scam.ndb  winnow_extended_malware_links.ndb
daily.cld  mirrors.dat  sigwhitelist.ign2  winnow_malware.hdb
daily.cld.hold  mirrors.dat.save  spamattach.hdb  winnow_malware_links.ndb
foxhole_all.cdb  phish.ndb  spamimg.hdb  winnow_phish_complete.ndb
hackingteam.hsb  phishtank.ndb  spam.ldb  winnow_spam_complete.ndb
javascript.ndb  porcupine.hsb  spearl.ndb




Cheers,

Steve
Twitter: @sanesecurity



On 18 November 2016 21:39:09 Richard Doyle
<list...@arbitrarydomain.name> wrote:


Last time I tried it with an empty list, and it still took 5 minutes for
clamd to start.

On 11/18/2016 01:25 PM, Steve basford wrote:

Can you give me a list of 3rd party databases you are using

Cheers,

Steve
Twitter: @sanesecurity



On 18 November 2016 21:11:22 Richard Doyle
<list...@arbitrarydomain.name> wrote:


Yes, clamd on my system is taking about 5 minutes to start, which
causes
timeouts. This issue developed just this week.

I found that setting

OfficialDatabaseOnly true

helped considerably--clamd loads in a few seconds. I'd really like to
get back to using unofficial databases, but not right now.


On 11/18/2016 11:59 AM, Mike Grau wrote:

Hello all,

Since yesterday, 10:26:52 CST, I've gotten 30 of these in the mail
log:

"Timeout reading from clamd daemon at
/var/spool/MIMEDefang/clamd.sock"

Before that I can't remember when I've seen this message - perhaps
years. This is on a low volume server with < 3500 total connection
attempts per day. Has anyone else been seeing this?

-- Mike G.

Re: [clamav-users] clamav-users@lists.clamav.net

2016-11-18 Thread Steve basford

Remove javascript.ndb and retry...

Cheers,

Steve
Twitter: @sanesecurity





Re: [clamav-users] clamav-users@lists.clamav.net

2016-11-18 Thread Steve basford

Does clamscan --debug on the database folder show the same delays...

Can you do a ls on the database folder

Cheers,

Steve
Twitter: @sanesecurity





Re: [clamav-users] clamav-users@lists.clamav.net

2016-11-18 Thread Steve basford

Can you give me a list of 3rd party databases you are using

Cheers,

Steve
Twitter: @sanesecurity





Re: [clamav-users] ClamAV malware report: include info from Malwr?

2016-11-16 Thread Steve Basford

On Wed, November 16, 2016 1:56 pm, Matteo Dessalvi wrote:

> It ended up to be just the first step in order to download the
> real malware:
>
> https://malwr.com/analysis/MzVkNzAzYjBiOTJhNDlmODhkZjRiY2EwY2EwOWZhZWE/

I guess you could post links to other sites too...

eg:

https://www.hybrid-analysis.com/sample/42afe1bfcf2ec48aa2fb293b637d8df2033504ec98fe5944167187f19899ddb4?environmentId=100

https://virustotal.com/en/file/2586f39b57bd74439b539abe51b686389526047c806f059413602767f98d864d/analysis/


-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Problems with safe browsing

2016-11-10 Thread Steve basford

Hi Tom,

Create a standard header/body formatted email and then insert the address
at the end.

It will be detected. Just placing it on a line, it won't be detected.

Cheers,

Steve
Twitter: @sanesecurity



On 10 November 2016 19:53:05 TR Shaw  wrote:


I have freshclam set to load safe browsing:

-rw-r--r--   1 _clamav  admin   57874944 Nov 10 11:51 daily.cld
-rw-r--r--   1 _clamav  admin  103419904 Nov 10 13:51 safebrowsing.cld

I placed http://ianfette[.]org/ in a file safebrowsingtest.txt

Then I run clam and expect to hit safe browsing but I instead I get OK.

$ clamscan -v safebrowsingtest.txt
Scanning safebrowsingtest.txt
safebrowsingtest.txt: OK

--- SCAN SUMMARY ---
Known viruses: 8073056
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 12.567 sec (0 m 12 s)

When I place http://ianfette[.]org/ in a browser I get the safe browsing 
alert.  Any ideas what I am doing wrong?


Tom




Re: [clamav-users] Creating Windows 10 Services

2016-11-10 Thread Steve Basford

On Thu, November 10, 2016 12:15 am, Andrew Brown wrote:

> I would now like to turn this into a service. I have found Sc create
> useful and I can create the service but when I enter my
> parameters it goes bang and I have no idea what to do next. Does anyone
> have any hints or tips on how to get any and all of clamav's daemons
> running as services under Windows please. When freshclam is running as a
> daemon, I do see it as a background task using Task Manager.

Hi Andrew,

This entry has an option "Running ClamAV as a service":

http://kb.gtkc.net/installing-clamav-on-windows-server-2012/

You might need to modify pathnames etc. but looks like runassvc.zip is the
bit you'd need.

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] WSF viruses, and other issues

2016-10-24 Thread Steve basford

Hi John,

phish.ndb, rogue.ndb for most malware.
See foxhole sigs for other levels of detection.

As well as .js, .wsf and .hta malware, now seeing and detecting .lnk
malware with an auto-downloading PowerShell command, which is nasty.


Cheers,

Steve
Twitter: @sanesecurity



On 24 October 2016 17:57:52 "John T. Bryan"  wrote:


I've been running ClamAV now for some years as the virus-checking plug-in on
my main multi-client mail server.  For a long time, I was very pleased with
it and how easily I was able to integrate it into the custom software back
when I first switched to it.

Lately, however, ClamAV never seems to catch any of the viruses that are
coming at my server.  My custom-built spam-checking software is
inadvertently catching the majority of them after ClamAV has passed them.  I
have noticed two primary patterns to the viruses that are coming through
these days:

* ZIP files containing a WSF (Windows Script File) and possibly some small
distractor files

* ZIP files containing a JavaScript file and possibly some small distractor
files

As for the WSF files, my primary issue there is that ClamAV seems to refuse
to check them at all; I have added literally hundreds of signatures for
these to my local signatures file but ClamAV still does not identify them as
viruses afterwards.

As for the JavaScript files, these are being obfuscated in various ways,
mostly just by altering the names of variables in the script and similar
obvious non-semantic alterations.  The obfuscation is almost certainly being
done by automated processes of some sort.  As a result, even multiple copies
of the same script produce different signatures due to the non-semantic
changes in the script.  I have added literally thousands of these to my
signature files but, of course, I rarely see the same obfuscated version
again and virtually none of them are getting caught.

The only malware that is being consistently caught these days is stuff
identified by the heuristics as OLE documents containing macros and spoofed
domains; I have had about a dozen of those in the last 30 days.  Alas, the
spoofed domains checking produces almost as many false positives as real
ones.

I dutifully send a copy of each new false negative that shows up on my
server off to your evaluation team.  I have no idea if you're even looking
at them but I do send them.  Hopefully that's helping.

As a programmer myself, I understand the difficulty in identifying an
obfuscated script, but is anything being done to address this?  And what can
be done about the WSF files that aren't being checked at all?  Not that I
expect it will matter much; the ones I have examined by hand appear to be
obfuscated in ways similar to the JavaScript files.

Thanks!



Re: [clamav-users] Memory error

2016-10-23 Thread Steve basford




On 23 October 2016 21:11:26 Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:


On 22.10.16 22:53, Steve basford wrote:
Upgrade... ie. 
https://wiki.zimbra.com/wiki/ClamAV_DB_update_leads_to_**UNCHECKED**_in_all_messages


I wonder if this hasn't been known prior to the update.


Last EOL blog entry I saw was:

http://blog.clamav.net/2016/05/clamav-097-engine-end-of-life.html

Steve
Twitter: @sanesecurity




Re: [clamav-users] Memory error

2016-10-22 Thread Steve basford
Upgrade... ie. 
https://wiki.zimbra.com/wiki/ClamAV_DB_update_leads_to_**UNCHECKED**_in_all_messages


Cheers,

Steve
Twitter: @sanesecurity



On 22 October 2016 21:40:11 Marcelo Machado  wrote:


Hi everybody.

I have a Zimbra server and the clamav crashes when it loads the virus
definitions after last updates. The freshclam.log shown many lines with
this error "WARNING: [libclamav] mpool_malloc (): Attempt to allocate
8388608 bytes Please report to http://bugs.clamav.net.;

Clamav version: 0.97.8

Anyone can help me?

Marcelo


Re: [clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-19 Thread Steve Basford

On Wed, October 19, 2016 3:12 pm, Joel Esler (jesler) wrote:
> Heino,
>
>
> Can you clarify which sig caught it?
>
>
> Doc.Dropper.Agent-177659 is not an actual sig number.

Damn cut and paste... it's: Doc.Dropper.Agent-1776597
(a hash)

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-19 Thread Steve Basford

On Wed, October 19, 2016 3:05 pm, Joel Esler (jesler) wrote:
> So to be clear, it is not detected or it is detected?

I think he's saying...

* It *should* have been blocked with OLE2BlockMacros yes option but *wasn't*
* It is now detected as Doc.Dropper.Agent-177659

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] unsubscribe

2016-10-12 Thread Steve Basford

On Wed, October 12, 2016 8:40 am, Van Dalsen, Herbie wrote:
> unsubscribe
>

Here you go...

List-Unsubscribe:

http://lists.clamav.net/cgi-bin/mailman/options/clamav-users

or

mailto:clamav-users-requ...@lists.clamav.net?subject=unsubscribe

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Whitelisting FP domains

2016-10-06 Thread Steve Basford

On Thu, October 6, 2016 3:21 pm, Reindl Harald wrote:
>


>> I have another that was just discovered. Is this a sanesecurity
>> pattern and could it be a FP? There's no reference to it on virustotal or
>> elsewhere:
>>
>>
>> # sigtool --find-sigs winnow.spam.ts.miscspam.1025807 | sigtool
>> --decode-sigs

Sig removed.

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Whitelisting FP domains

2016-10-06 Thread Steve Basford

On Thu, October 6, 2016 1:40 pm, Alex wrote:
> Hi,
>
>
> We have reports of a domain being blacklisted and we don't think it
> should be:
>
> LibClamAV debug: Phishcheck:Checking url
> http://www.hospitalitytec.com->www.hospitalitytec.com

I think it's better to keep the domain listed at the moment..

https://www.virustotal.com/en/url/291d973f15db6a186cf6b947f15794c4b12f1846fb5969ffa4057c9f20eda7b2/analysis/1475758916/

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Encrypted Word doc/phishing attack

2016-10-05 Thread Steve Basford

On Wed, October 5, 2016 1:21 pm, Alex wrote:
> Hi,
> I'm starting to receive emails like this:
>
>
> http://pastebin.com/HpvEcT9K
>
>
> They're not being caught by clamav or other virus filters. Is it even
> possible to catch encrypted Word docs with a virus scanner?
>
Sorry this is brief, still generating sigs but...

badmacro.ndb: Sanesecurity.Badmacro.Doc.CryptDoc.v1 now detecting them.

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] How to get each file status when scan a directory using clamdscan

2016-10-04 Thread Steve Basford

On Mon, October 3, 2016 6:05 pm, crazy thinker wrote:
> Hi,
>
>
> when I scanned a directory using clamdscan, I could get only error and
> virus-infected file status in the output, but I would like to see each
> file status (including "OK" status also) when I perform a scan over a single
> directory / multiple directories
>

> how can this be achieved? could anyone please help me in this...

clamd.conf...

# Log time with each message.
# Default: no
LogTime yes

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
LogClean yes

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] false positive rate

2016-10-02 Thread Steve basford
I guess the first question is are you using official only signatures or do 
you use 3rd party ones... if so could you do a database list.


Next, are you scanning files which are getting fps or are these files 
grabbed via http or proxy?


Could you post sig names, filenames and hashes of a few of these.

ClamAV official fps can be reported here:
https://www.clamav.net/reports/fp

3rd party ones here:
http://sanesecurity.com/support/false-positives

Cheers,

Steve
Twitter: @sanesecurity



On 2 October 2016 02:20:51 Tsutomu Oyamada  wrote:


Hi,

We like to know the Malware Detection Rate of ClamAV.
We are finding "False positive" as ClamAV scanning result in our developing 
environment.
It is very rare or almost nothing for us to find "false positive" from 
other vendors' AV products

such as Sophos or Symantec in the same environment.
Is there a possibility of unsuitable configuration of our product?
( e.g. to set heuristic level higher or lower)
We know well that no AV program can get zero (0) percent of false positive, 
however
we like to have lower frequency of false positive as well as higher 
detection rate.


Best regards,

Promark


Re: [clamav-users] Empty updates

2016-09-30 Thread Steve Basford

On Fri, September 30, 2016 10:56 am, Al Varnell wrote:
> Last two daily's (22277 and 22278) were empty.


ClamAV Signature Publishing Notice

Datefile:   daily
Version:22277
Publisher:  Alain Zidouemba
New Sigs:   0
Dropped Sigs:   0
Ignored Sigs:   49

New Detection Signatures:
Dropped Detection Signatures:


ClamAV Signature Publishing Notice

Datefile:   daily
Version:22278
Publisher:  Alain Zidouemba
New Sigs:   0
Dropped Sigs:   0
Ignored Sigs:   49


New Detection Signatures:
Dropped Detection Signatures:

-- 
Cheers,

Steve
Twitter: @sanesecurity


Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread Steve Basford

On Tue, September 27, 2016 8:39 am, David Shrimpton wrote:
> Hi,
>
>
> Win.Trojan.Agent-1696554 added to daily.hdb on 21/9/16 is an
> md5sum of a file containing 2240 null bytes only, so appears to be a broken
> signature.
>
> It is causing false positives.

Confirmed FP I would say:

https://virustotal.com/en/file/2f7eaacf490839d9c603736149286272aea4df46c0daf58f0c70062041c68230/analysis/

-- 
Cheers,

Steve
Twitter: @sanesecurity


Re: [clamav-users] CryLocker and Cryptolocker

2016-09-14 Thread Steve basford




On 14 September 2016 18:20:17 Alex  wrote:






> I also don't always get the feedback from the users on the
> specific Word documents that were missed, only that their desktop was
> compromised.

Without having a sample it's a bit difficult but
if you do get a sample that would be great.

Also drive by infection could also be the desktop cause... unless they are 
telling you they clicked on a document.


Steve
Twitter: @sanesecurity



Re: [clamav-users] CryLocker and Cryptolocker

2016-09-14 Thread Steve Basford

On Wed, September 14, 2016 5:51 pm, Philip Parsons wrote:
> I am also still having a bunch get through.   .doc .zip .docm most of the
> java script ones are not making in it.

Hi Philip,

If you zip up a few samples with a password:

samp...@sanesecurity.me.uk

-- 
Cheers,

Steve
Twitter: @sanesecurity


Re: [clamav-users] CryLocker and Cryptolocker

2016-09-14 Thread Steve basford




On 14 September 2016 16:48:45 Alex  wrote:



Yes, I'm using all the third-party sigs, including sanesecurity, but
they are still getting through.


Hi Alex,

What types are getting through JavaScript or docs etc.

What dbs are you using ?

Can you send some missed samples offlist  and I'll check.

Sorry this is brief .. mobile atm

Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] (no subject)

2016-09-03 Thread Steve Basford

>LibClamaV Warning: fmap_readpage : preadfail : asked for 4085
>bytes@offset11, got 0

An old post but hopefully advice is still sound...

http://www.gossamer-threads.com/lists/clamav/users/50788

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity


Re: [clamav-users] Understanding OLE2BlockMacros

2016-08-25 Thread Steve Basford

On Thu, August 25, 2016 9:20 pm, Dennis Peterson wrote:

>> I think the issue is that he wants to block recognized viruses, but
>> only mark heuristic matches.
>>
> That would be a scoring task in Amavisd.
>

Maybe...

# [ qr'^Heuristics\.OLE2\.ContainsMacros' => 0.1 ],

So, allocate a score and deliver

use HeuristicScanPrecedence as indicated in earlier post

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity


Re: [clamav-users] Understanding OLE2BlockMacros

2016-08-25 Thread Steve Basford
>
> Try this:
> 1) Enable OLE2BlockMacros and restart clamd
> 2) Use clamdscan to test your sample message and note the results
> 3) Disable OLE2BlockMacros and restart clamd
> 4) Use clamdscan to test your sample message again and note these results
>
>
Something else...

In amavisd-new there are virus_name_to_spam_score_maps

For example:
http://sanesecurity.com/support/problems/

If the setting to block macros is enabled in ClamAV and is actually hitting,
it should hit with Heuristics.OLE2.ContainsMacros

But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
Heuristics.OLE2.ContainsMacros so, it might let the email through but
just mark it, instead of blocking it?

Eg...

# [ qr'^Heuristics\.OLE2\.ContainsMacros' => undef ],  # keep as infected

Does that change things?

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity


Re: [clamav-users] False negative.

2016-08-21 Thread Steve Basford

On Sun, August 21, 2016 5:02 pm, G.W. Haywood wrote:
> Hi there,
>
>
> I tried to submit this:
>
>
> https://virusscan.jotti.org/en-GB/filescanjob/3fyvy4dcmm
>
>
> using this:
>
> http://www.clamav.net/reports/malware
>
>
> but my browser gets no response, just a blank page, after hitting
> 'submit'.  So I don't know if it's submitted or not.
I had a blank page... swapped browser and it worked ok the next time.

The above sample looks like random ransomware, 3rd Party sigs:
phish.ndb, foxhole_filename.cdb, foxhole_generic.cdb, foxhole_js.cdb
can usually block these script type nasties.

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2016-08-16 Thread Steve basford

Try clamscan --debug 2>debug.log and I think that should show you a domain.

Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



On 16 August 2016 17:32:31 Alex  wrote:


Hi,

I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
for capitaloneemail.com, but can't figure out how to use sigtool to
determine which actual domain it thinks was spoofed.

# sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
sigtool --decode-sigs
#

Why doesn't it display the signature with the above command?

How do I scan the quarantined message to find out exactly what
triggered this false positive?

Thanks,
Alex

Re: [clamav-users] Sigtool parsing issues

2016-08-15 Thread Steve Basford

On Mon, August 15, 2016 4:25 pm, Jack wrote:
> Great, thanks. Here is the output with ‘—debug’:
>
>
> LibClamAV debug: Initialized 0.99.2 engine
> LibClamAV debug: in cli_ole2_extract()
> LibClamAV debug: OLE2 magic failed!
> LibClamAV debug: Cleaning up phishcheck
> LibClamAV debug: Phishcheck cleaned up
>
>
> To note, the document opens fine in Microsoft Word, and oletools has no
> issues dumping out the macros.
>
badmacro.ndb is picking up these (Sanesecurity.Badmacro.Doc.df) and
yep, sigtool doesn't seem to dump the macro but clamscan will extract
the macro files ok.

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity


Re: [clamav-users] Sigtool parsing issues

2016-08-15 Thread Steve Basford

On Mon, August 15, 2016 3:50 pm, Jack wrote:
> Hello,
>
>

>
> Can someone take a look and determine why there are passing issues?
Hi Jack,

add --debug on the end... eg... might give you a bit more info...

sigtool --vba "287DD777DB20BE14F2DD0B9952BECF41.xxx" --debug
LibClamAV debug: Initialized 0.99.2 engine
LibClamAV debug: in cli_ole2_extract()
LibClamAV debug: OLE2 magic failed!
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Phishcheck cleaned up


Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity


Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Steve basford

This was on the blog

YARA rules using any of the following features will be flagged in error, 
and the respective rules will be disabled:


Single byte YARA string components – currently in the ClamAV matcher, all 
strings, as well as components of strings delimited by wild cards, must be 
at least two bytes in length


External variables – variables referenced in YARA conditions whose value 
may be set using the 'yara -d' command line option.


Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



On 11 August 2016 18:33:49 Axb  wrote:


In that post the author states:

"I created some YARA rules that use the external variable „filename“ to
work. LOKI and THOR use the „filename“ and other external variables by
default."

hmm...  now how the heck do we get that to happen with ClamAV? :)

.. talking to myself...


On 08/11/2016 07:29 PM, Axb wrote:

Found it!

https://www.bsk-consulting.de/2015/12/22/yara-rules-to-detect-uncommon-system-file-sizes/


see "rule Suspicious_Size_chrome_exe" and others...

Assumed it was a "legal" keyword.


On 08/11/2016 07:26 PM, Axb wrote:

I picked the filename condition from a sample rule on a web site with a
number of yara rules.
Too bad I didn't bookmark it...

Will try to find it again.


On 08/11/2016 05:08 PM, Steven Morgan wrote:

filename does not appear as a yara keyword:

http://yara.readthedocs.io/en/latest/writingrules.html

Is it a new keyword not yet in a released version of yara? Did you mean
filesize?

On Thu, Aug 11, 2016 at 5:21 AM, Axb  wrote:


Guys,

clamscan --database=test.yar blah.html
LibClamAV Error: yyerror(): test.yar line 6 undefined identifier
"filename"
LibClamAV Error: cli_loadyara: failed to parse rules file test.yar,
error
count 1
test.yar: OK
blah.html: OK

test.yar
rule TEST_BLAH_FILENAME
{
    strings:
        $BLAH = "blah"
    condition:
        $BLAH and filename == "blah.html"
}

Am I missing something? or is filename unsupported by ClamAV's YARA
engine?

Thanks!
Axb

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread Steve Basford

On Thu, August 11, 2016 10:07 am, ancien compte wrote:
> Also, the mirror clamav.securiteinfo.com doesn't work, can't resolve it
>
That's an old 3rd party signature domain... it's been gone a while..

Latest download scripts here:

http://sanesecurity.com/usage/linux-scripts/

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity


Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Steve Basford

On Wed, August 10, 2016 7:22 am, ANANT S ATHAVALE wrote:
> Hi,
>
>
> Most of the mails are marked with  Win.Exploit.CVE_2016_3316-1.  Is
> this a false positive?

Finally got it... blank LibreOffice.doc file...

blank.doc: Win.Exploit.CVE_2016_3316-1

I've added a whitelist entry to Sanesecurity's sigwhitelist.ign2 file and
pushed out an update for 3rd Party download script users, until it's fixed
officially.

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity


Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Steve Basford

On Wed, August 10, 2016 10:52 am, Jan-Pieter Cornet wrote:
> On 10-8-16 08:22, ANANT S ATHAVALE wrote:
>
>> Hi,
>>
>>
>> Most of the mails are marked with  Win.Exploit.CVE_2016_3316-1.  Is
>> this a false positive?
>
> Created a completely empty .doc file using LibreOffice on linux, and the
> resulting file was recognized as Win.Exploit.CVE_2016_3316-1.
>
If you have a sample could you throw me a copy, as I've created a few
blank files on libreoffice and scanned with clamav and no hits.

create a ticket and upload:

http://sanesecurity.org/hesk/

If it is an FP, then I'd like to add this "blank" file to my ham folder
so Sanesecurity sigs won't hit in the future either.

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity


Re: [clamav-users] Yara and base64 encoded body

2016-07-27 Thread Steve basford

Hi,

If it helps, could you email the YARA rule and test email offlist and I'll 
have a quick look.


I seem to remember hitting that issue.

Cheers,

Steve
Web: sanesecurity.com
Twitter: @sanesecurity



On 27 July 2016 08:35:53 kionez  wrote:


Hi all,

I'm using custom Yara rules to detect many kinds of spam directed to my
customers, it's very effective and gives me many ways to intercept
localized messages (i.e.: spam in Italian and French).

Lately those spammers are using base64 encoding in Subject: and body
part, making my rules ineffective.

I need to match some headers and the body part, because I don't want to
generate false positives.

I did some tests and I think that clamav is using this yara\pcre engine
only on the "original" message and then on every single message part
(excluding the mail headers), so if I want to run my rules on the
decoded body I have to give up on the headers check and vice-versa (due to the
base64 encoded body in the original message).

Is there a way to decode the original message before scan, or something
which permits to run the yara engine on decoded message?

(I'm also RTFM'ing in amavisd-new, maybe with a custom filter...)

Thanks.


k.

Re: [clamav-users] signature processing order

2016-05-24 Thread Steve Basford

On Tue, May 24, 2016 12:23 pm, Groach wrote:
> Out of interest, what does it matter?  Why is it important that an
> official CLAM definition stops the virus before the 3rd party definition
> stops the same virus (if they both have the same criteria)?  Surely a goal
> is a goal and it doesn't matter who kicked the ball.

I have to agree :)

a) if you *really* want to know what sigs matched a sample you
can use clamscan -z, which gives you this sort of output...

caution_lizr_58.zip: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND
caution_lizr_58.zip: Sanesecurity.Foxhole.Zip_fs208.UNOFFICIAL FOUND

Ok, so scanning will continue until ALL matches are found in official and
3rd party sigs, which would take a bit longer to scan... but at least
you'd know.

b) You can use clamscan  --official-db-only=yes to only use official ones

As for "removing" a 3rd party signature when official ones block it,
well... overall... it wouldn't really be a good idea.

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity


Re: [clamav-users] ClamAV+exim: scanner finds not a single malware

2016-05-23 Thread Steve Basford

On Mon, May 23, 2016 2:33 pm, Michael D. L. wrote:
>

>
> On 05/23/2016 02:44 PM, C.D. Cochrane wrote:
>
>> Hi Michael and Michael,
>> You may want to look at sanesecurity[.]org.  They have a supplemental
>> ClamAV database that
>> is supposed to be better at detecting the current scourge of ransomware
>> and malware.  It was recommended to me when I noted that ClamAV seems to
>> miss a LOT of the current malware, but I have not tried it yet. ...Chris
>>
>>
>>
>>> On 05/23/2016 01:43 PM, Michael Heseltine wrote:
>>> Hello all,
>>> I have recently modified my exim (4.82) configuration so that all
>>> messages pass through clamav (0.99.2) first. Anything labeled as
>>> malware should be rejected while the incoming SMTP connection is
>>> still open (using an *acl_smtp_data* in exim).
>>>
>>> But so far, this setup has not detected a single malware. All
>>> messages pass though without any notices:
>>>
>>>
> Hi Chris,
>
>
> Excellent - just installed it, and it's already working its magic :)

The views and opinions expressed by Michael in the above post that
Sanesecurity possesses magic, are solely his own and do not necessarily
represent the views of the ministry of magic(tm).

Having said that.. glad they are helping...

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity


Re: [clamav-users] Synology DSM 4.2 support

2016-04-18 Thread Steve Basford

On Mon, April 18, 2016 7:44 am, Rene van der Linden wrote:
> Antivirus Essential on Synology NAS with DSM 4.2 does not get any updates
> anymore. Even de-installing and re-installing does not help. Message i get
>

DSM 4.2 came out 5 Mar 2013; can you update to a higher DSM? My NAS has
just updated to v6.x and Antivirus Essential is still being updated.

Latest version history...
https://www.synology.com/en-us/releaseNote/AntiVirus

Might be worth a post in the synology forum too...

https://forum.synology.com/enu/

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity


Re: [clamav-users] Block files based on their types

2016-04-18 Thread Steve Basford

On Mon, April 18, 2016 6:12 am, Kianoosh Kashefi wrote:
>
>
> I was wondering if clamav has such feature to stop certain file types,
> for example executable files even if they are not malware.
Hi,

You can use foxhole database(s) as a starting point and add more types
if needed...

http://sanesecurity.com/foxhole-databases/

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity


Re: [clamav-users] winnow FP

2016-04-14 Thread Steve Basford

On Thu, April 14, 2016 8:22 am, Paul Whelan wrote:
> On 13 Apr 2016 at 11:20, Alex wrote:
>
>
>> Hi,
>>
>>
>> I don't understand why themastersbaker.com would be tagged?

Quick update: FP has already been removed.

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity


Re: [clamav-users] zip, rar, jar, ... how to delete all exe's and others files?

2016-04-14 Thread Steve Basford

On Thu, April 14, 2016 7:48 am, Ливитин Сергей Юрьевич wrote:
> Hi.
> Use clamav + spamassassin + postfix.
> Use /var/lib/archive.zmd and archive.rmd]
>
> Tried to sent exe-file in rar archive - clamd said "CLEAN" :(
> Where is detailed documentation about possibilities of clamav?

A few things:

1) .rmd/.zmd databases are obsolete, they are replaced with .cdb

More details:
https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf

2) Foxhole databases can be used to sort out most of what you are trying
to do:

http://sanesecurity.com/foxhole-databases/

3) unrar will need to be installed correctly on your system before
these rules will work.

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity


Re: [clamav-users] Quick scan via command-line

2016-04-01 Thread Steve Basford

On Fri, April 1, 2016 2:19 am, Andrew Wright wrote:
> Hi,
>
>
> I'm trying to create a rescue Live USB with Fedora and ClamAV for
> Windows
> PCs. I've read this guide for speeding up ClamAV:
> https://www.clamav.net/documents/how-to-speed-up-clamwin
>
>
> But, specifically, how would you do this via command-line?

Hi Andrew,

Something like this would be quick (you could add zip|rar|html|htm|php)


clamscan -r --include="\.(exe|dll|src|sys|msi|scr|com|js)$" --max-filesize=5M -l log.txt --detect-pua --infected c:\

note: --detect-pua may create high FPs which you'd need to check.

>
>
> Is my regular expression correct for the extensions? How do I include
> Memory and Registry, along with the other directories (appdata, system32,
> systemwow64)?

ClamWin (windows only version of clamdscan) I think has extra features to
scan memory and registry... clamscan (fedora) doesn't...

There is also a couple of pre-built live-cd's in case this helps..

http://antiviruslivecd.4mlinux.com/
http://4mlinux.com/index.php?page=help

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity


Re: [clamav-users] PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1

2016-03-31 Thread Steve Basford

On Thu, March 31, 2016 7:56 pm, Paul Kosinski wrote:
> I disable Javascript in our PDF viewer. PostScript (which underlies
> PDF) is a Turing-complete executable language, and even has a mechanism
> to read and write files, so it could cause some trouble on its own.

Good idea!

For windows users, http://www.sumatrapdfreader.org/free-pdf-reader.html
doesn't use JavaScript at all, even better ;)

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity


Re: [clamav-users] Email.Phishing.DblDom-60 -- issue

2016-03-31 Thread Steve Basford

On Thu, March 31, 2016 4:01 pm, Alessandro Vesely wrote:
> This was a false positive itself.  I got:
> Virus-Found: Email.Phishing.DblDom-53
> Sanesecurity.Phishing.Cur.744.UNOFFICIAL
>
Thanks for the FP report. Fixed

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity


Re: [clamav-users] PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1

2016-03-31 Thread Steve Basford

On Thu, March 31, 2016 2:33 pm, polloxx wrote:
> Since the new Clamav database we have a lot more false positives for
> PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1.
> What can we do about this, except disabling PUA?

Create a local.ign2 with the following lines:

PUA.Pdf.Trojan.EmbeddedJS-1
PUA.Win.Trojan.EmbeddedPDF-1

Place in ClamAV database folder and restart clamd

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity


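Two replies above turn on the same triage loop: `clamscan -z` reports every signature that matched (official and third-party, the latter carrying the `.UNOFFICIAL` suffix), and a local `.ign2` file silences a named signature until the upstream database is fixed. The following Python is an added example, not code from this thread, from Sanesecurity or from ClamAV: it parses constructed `clamscan` output lines, separates official from third-party hits, and drops the ones listed in a constructed `local.ign2`, which is the effect ClamAV itself produces once that file is in its database directory. The file names, the third-party signature names and the `.ign2` contents are constructed for the example.

```python
"""Triage clamscan FOUND lines against a local .ign2 whitelist (added example)."""
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample of what `clamscan -z` prints: one line per matching
# signature, so a file can appear more than once. 'OK' lines and the summary
# are present to show they are skipped.
SAMPLE_SCAN_OUTPUT = """\
caution_lizr_58.zip: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND
caution_lizr_58.zip: Sanesecurity.Foxhole.Zip_fs208.UNOFFICIAL FOUND
brochure.pdf: PUA.Pdf.Trojan.EmbeddedJS-1 FOUND
brochure.pdf: OK
m3jp2k32.dll: Win.Trojan.Ramnit-7261 FOUND
m3jp2k32.dll: Sanesecurity.Badmacro.Doc.df.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
"""

# Constructed local.ign2: one signature name per line, no suffix.
SAMPLE_IGN2 = """\
PUA.Pdf.Trojan.EmbeddedJS-1
PUA.Win.Trojan.EmbeddedPDF-1
"""

# 'path: SIGNATURE FOUND'; the path is matched non-greedily up to the first
# ': ' so a signature name can never be mistaken for part of the path.
FOUND_LINE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
UNOFFICIAL = ".UNOFFICIAL"


class Hit(NamedTuple):
    path: str
    signature: str   # as printed, suffix included for third-party sigs
    official: bool


def parse_scan_output(text: str) -> List[Hit]:
    """Keep every FOUND line; ignore OK lines, blanks and the summary."""
    hits = []
    for line in text.splitlines():
        m = FOUND_LINE.match(line)
        if m:
            sig = m.group("sig")
            hits.append(Hit(m.group("path"), sig, not sig.endswith(UNOFFICIAL)))
    return hits


def load_ign2(text: str) -> Set[str]:
    """Signature names to ignore, one per line; blank lines skipped."""
    return {ln.strip() for ln in text.splitlines() if ln.strip()}


def bare_name(sig: str) -> str:
    """The .UNOFFICIAL suffix is added at report time, so an .ign2 entry
    names the signature without it."""
    return sig[:-len(UNOFFICIAL)] if sig.endswith(UNOFFICIAL) else sig


def apply_ign2(hits: List[Hit], ignored: Set[str]) -> List[Hit]:
    """Drop hits whose bare signature name is whitelisted."""
    return [h for h in hits if bare_name(h.signature) not in ignored]


def summarize(hits: List[Hit]) -> Dict[str, Dict[str, List[str]]]:
    """Per file: which official and which third-party signatures fired."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for h in hits:
        entry = out.setdefault(h.path, {"official": [], "third_party": []})
        entry["official" if h.official else "third_party"].append(h.signature)
    return out


def triage(scan_text: str = SAMPLE_SCAN_OUTPUT,
           ign2_text: str = SAMPLE_IGN2) -> Dict[str, Dict[str, List[str]]]:
    """Hits that survive the local whitelist, grouped by file and origin."""
    return summarize(apply_ign2(parse_scan_output(scan_text), load_ign2(ign2_text)))


if __name__ == "__main__":
    for path, sigs in triage().items():
        print(path, sigs)
```

With the constructed input, brochure.pdf disappears from the result because its only hit is on the whitelist, the zip shows two third-party hits and no official one, and the DLL shows one of each; that "who hit it" view is exactly what `-z` buys at the cost of a slower scan.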
Re: [clamav-users] no new signatures

2016-03-19 Thread Steve basford




On 18 March 2016 13:46:42 polloxx  wrote:


Dear,

> Since the migration we have no new signatures:

It's not your config, it's just that sig updates were put on hold on Friday.

I would think it's wise to have hold off updates until the team know all 
went well with the sig changes and until the load on the mirrors drops a 
little.


So, just need to wait a little longer :]


Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



Re: [clamav-users] no new signatures

2016-03-19 Thread Steve Basford

On Fri, March 18, 2016 2:05 pm, Helmut Hullen wrote:
> Hallo, polloxx,
>
>
> Du meintest am 18.03.16:
>
>
>> Fri Mar 18 14:34:15 2016 -> ClamAV update process started at Fri Mar
>> 18 14:34:15 2016
>> Fri Mar 18 14:34:15 2016 -> WARNING: Your ClamAV installation is
>> OUTDATED!
>>
>
>
> So what - updated or not updated?

> Fri Mar 18 14:34:15 2016 -> WARNING: Your ClamAV installation is OUTDATED!
> Fri Mar 18 14:34:15 2016 -> WARNING: Local version: 0.98.1 Recommended
> version: 0.99.1

The above just means that 0.98.1 is currently being used, but should
be upgraded to 0.99.1 which is the latest version of the engine.

The signatures haven't been updated since Friday.

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity


Re: [clamav-users] javascript ZIP virus not caught?

2016-03-15 Thread Steve Basford

On Tue, March 15, 2016 4:25 am, Al Varnell wrote:

>> Scanning these ZIP/.js viruses has a hit rate of about 35%.  35% of all
>> antivirus packages will say they are viruses.  For example running one
>> through https://www.virustotal.com will say out of about 53 antivirus
>> programs, 16 flag it as a virus.
>>
>> They are definitely malware and should be stopped.

Hi Scott,

Thanks for the link to the samples, these are being detected, using
phish.ndb as Sanesecurity.Malware.25834.JsHeur.

They would also be detected using foxhole_filename.cdb

Latest download scripts here:
http://sanesecurity.com/usage/linux-scripts/

In case anyone is wondering these .js files, if run, are going off to
download Teslacrypt ransomware which would pretty much ruin your day :(

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity


Re: [clamav-users] Filename Regex

2016-02-18 Thread Steve basford




On 18 February 2016 20:14:14 Mehmet Avcioglu  wrote:





> For example I am able to use "^New.Doc.*" to match for "New Doc.xls" but 
> "^New\sDoc.*" or "^New Doc.*" does not.


If you look at foxhole databases it should give you an idea, if you want to 
block macro malware try badmacro.ndb


Sorry this is brief , I'm on my mobile

Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com



Re: [clamav-users] BlackEnergy malware detection

2016-02-18 Thread Steve Basford

On Thu, February 18, 2016 12:37 pm, Volcy, Georges wrote:
> Good Morning,
>
>
> Does ClamAV detect the Blackenergy malware and is there any way for me to
> verify it. Thanks,

Just added Sanesecurity_BlackEnergy.yara to the Sanesecurity mirrors,
if that's a help.

It hit on a sample I downloaded.

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity


[clamav-users] FP System

2016-02-16 Thread Steve Basford
"Houston, we have a problem" aka The FP reporting system is broken.

Here's a windows file which is reporting...

ieinstal.exe: Win.Trojan.Win64-226 FOUND

I ran freshclam...

freshclam

ClamAV update process started at Tue Feb 16 09:00:52 2016
main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cld is up to date (version: 21375, sigs: 1844208, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 271, sigs: 47, f-level: 63, builder: anvill

I found the hash...

sigtool --md5 ieinstal.exe
4ba4770d890b320dab575b07c7daf59d:481280:ieinstal.exe

I checked with VirusTotal...

"Probably harmless! There are strong indicators suggesting that this file
is safe to use. "
Source:
https://www.virustotal.com/en/file/9a857951b9c3c38b63403c28b7c3a23749c7cef2c3876d203ae8abca45496e8f/analysis/

Ok, so let's report the file as a FP...

http://www.clamav.net/reports/fp


Try 1 (using firefox) - Uploaded ieinstal.exe

Returns:

The sample is empty.
This file is not detected by ClamAV

Try 2 (using firefox) - Uploaded Zipped version (password: virus)

The sample is empty.
Please encrypt your ZIP files with password virus

ClamWin users were getting hit over the weekend with a FP they just
couldn't report... now I can see why.


As a side note... if a ClamWin user reports a false positive like this..

C:\Windows\SysWOW64\msdt.exe: [Win.Trojan.Win64-149] FALSE POSITIVE FOUND

What it means is that ClamWin has checked the certificate of the exe file
and found it to belong to Microsoft.  It will then tell you that a FALSE
POSITIVE has been FOUND and that the ClamAV sig hitting it is called
Win.Trojan.Win64-149.

In theory this is a nice feature... however, there's a bug... if ClamAV
already has Win.Trojan.Win64-149 in its .fp database (ie. it's
whitelisted) ClamWin still reports the FALSE POSITIVE FOUND message, even
though it's been fixed.

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity


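Both the `sigtool --md5` line above (`hash:size:filename`) and the .fp whitelist it mentions, and the earlier report of a daily.hdb entry that was just the md5sum of 2240 null bytes, deal with the same line format: ClamAV's .hdb (detect) and .fp (whitelist) databases are `HashString:FileSize:Name`. The Python below is an added example, not code from this thread or from ClamAV. It builds such a line for a file confirmed clean, so that a local .fp entry can stop a hit until the official database is corrected, and audits a batch of .hdb lines for the degenerate case reported earlier, a hash that equals the hash of `FileSize` zero bytes. The sample bytes and the "Constructed.Sample.Sig-1" name are constructed; the signature name Win.Trojan.Agent-1696554 and the 2240-byte size come from the report above, while its hash is computed here rather than copied from daily.hdb.

```python
"""Build and sanity-check ClamAV hash-signature lines (added example)."""
import hashlib
from typing import List, NamedTuple


class HashSig(NamedTuple):
    digest: str
    size: int
    name: str


def hash_sig_line(data: bytes, name: str, algo: str = "md5") -> str:
    """Same shape as `sigtool --md5 FILE` prints: hash:size:name.
    'name' is a file name in sigtool output and a signature name in an
    .hdb or .fp line; the format is identical."""
    digest = hashlib.new(algo, data).hexdigest()
    return f"{digest}:{len(data)}:{name}"


def parse_hash_sig(line: str) -> HashSig:
    """Split a hash:size:name line; the name may itself contain ':'."""
    digest, size, name = line.strip().split(":", 2)
    return HashSig(digest.lower(), int(size), name)


def is_null_file_hash(sig: HashSig) -> bool:
    """True when the digest is the hash of sig.size zero bytes, i.e. the
    signature would fire on any all-zero blob of that length. The algorithm
    is inferred from digest length (md5/sha1/sha256, the hashes ClamAV's
    hash databases use)."""
    algo = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(sig.digest))
    if algo is None:
        return False
    return hashlib.new(algo, b"\x00" * sig.size).hexdigest() == sig.digest


def audit_hdb(lines: List[str]) -> List[str]:
    """Names of the signatures whose hash is a null-byte hash."""
    return [s.name for s in map(parse_hash_sig, lines) if is_null_file_hash(s)]


# Constructed stand-in for a clean executable (not a real PE, just bytes).
CLEAN_FILE = b"MZ" + bytes(range(256)) * 4

# Constructed database: one ordinary entry and one reproducing the reported
# shape, the md5 of 2240 null bytes.
SAMPLE_HDB = [
    hash_sig_line(CLEAN_FILE, "Constructed.Sample.Sig-1"),
    hash_sig_line(b"\x00" * 2240, "Win.Trojan.Agent-1696554"),
]


def local_fp_line(data: bytes, label: str) -> str:
    """An .fp whitelist line for a file verified clean; drop it into a
    local .fp file in the database directory and restart clamd."""
    return hash_sig_line(data, label)


if __name__ == "__main__":
    print("degenerate signatures:", audit_hdb(SAMPLE_HDB))
    print("whitelist line:", local_fp_line(CLEAN_FILE, "Local.Whitelist.ieinstal"))
```

Running the audit over a real daily.hdb is the same call with the file's lines; a hit from `audit_hdb` is worth a look before the FP report, because a hash over padding will match far more than the sample it was cut from.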

Re: [clamav-users] Win.Trojan.Ramnit FPs

2016-02-15 Thread Steve Basford

On Mon, February 15, 2016 11:22 am, Mark Allan wrote:
> I'm still getting the email saying "your sample was empty", so I'm
> posting here too.
>
> The Ramnit series of sigs is hitting a bunch of files which have been
> resident on users' HDs and scanned as clean for many years. VT also
> reports ClamAV as the only vendor detecting an infection. To clear the
> infections, I'm having to add the following sig names in an ign2 file.
>
> Win.Trojan.Ramnit-7261
>
> Hashes of the samples I uploaded are:
> f3c174edcbaef7cb947d6357cdfde7ff:422912:m3jp2k32.dll

Just to confirm...

"Probably harmless! There are strong indicators suggesting that this file
is safe to use."

https://www.virustotal.com/en/file/838208ca73fe8dcc116c8b5b76a21a61dd75182e1133b717079ee085d722c4c7/analysis/

> 881c86b65b44d8033575a402a2aa1ab1:454656:vsshdsd.dll

https://www.virustotal.com/en/file/9031534974a857e51626830e7580a8195331697a121ff34cb5db6cb0678de886/analysis/

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-02-14 Thread Steve basford

Hi,

Here's the entry for
Zip.Suspect.MacroDoubleExtension-zippwd

(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|hta|htm|html|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*


Which is covering a lot of combinations in one sig... personally I split 
foxhole ones into smaller subsections...


Use --debug and grep for cdbname in the output.

You can whitelist sig name using a .ign2 database.

Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com



On 14 February 2016 19:00:12  wrote:

Hi,
false positives started coming after update to (daily.cvd version: 21360)
my submissions for false-positive reports on clamav.net keep
reporting "The sample is empty."


How to reproduce:
mkdir /tmp/test_dir
touch /tmp/test_dir/txt_csv.jar.0
jar cf test_dir.jar /tmp/test_dir
# or
zip -r test_dir.zip /tmp/test_dir

# then scan the file
clamscan test_dir.jar test_dir.zip
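An added example (not Steve's, and not from the ClamAV code base) that applies the FileNameREGEX above to archive member names, using Python's re as a stand-in for the POSIX regex ClamAV compiles for .cdb entries, and shows why the reporter's txt_csv.jar.0 hits: the match is unanchored, so a trailing ".0" after ".jar" changes nothing. The archive and its member names are constructed.

```python
import io
import re
import zipfile

# FileNameREGEX field of the Zip.Suspect.MacroDoubleExtension-zippwd entry
# as posted above; the trailing ":*:*:*:*" are the other .cdb fields
# (wildcards), not part of the regex, so they are left out here.
DOUBLE_EXT_REGEX = (
    r"(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|"
    r"mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|"
    r"zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|hta|"
    r"htm|html|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|"
    r"swf)"
)
# Assumption: Python's re gives the same result as ClamAV's POSIX regex
# for this particular pattern (plain alternation and character classes).
_PATTERN = re.compile(DOUBLE_EXT_REGEX)


def explain_hit(name):
    """Return (decoy, exec_ext) if the member name matches, else None.

    The search is unanchored: nothing requires the executable extension
    to be the *last* one, which is why "txt_csv.jar.0" from the
    reproduction above still hits on "_csv" followed by ".jar".
    """
    m = _PATTERN.search(name)
    if m is None:
        return None
    return m.group(1), m.group(5)


def matching_members(zip_bytes):
    """Member names of an in-memory archive that the regex would flag."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if _PATTERN.search(n)]


def build_zip(names):
    """Constructed sample: an archive with empty members of the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_zip([
        "tmp/test_dir/txt_csv.jar.0",  # the reporter's FP case
        "report.docx",                 # ordinary document, no hit
        "invoice.pdf.js",              # the double extension the sig is for
    ])
    for member in matching_members(sample):
        print(member, "->", explain_hit(member))
```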





Re: [clamav-users] clamscan doesn't have a BlockMacros option

2016-02-10 Thread Steve Basford

On Wed, February 10, 2016 9:05 am, David Shrimpton wrote:
> Hi,
>
>
> clamscan doesn't appear to have an option equivalent to the
> OLE2BlockMacros in clamd.conf for clamdscan.
>
Hi David,

Just for info...

I've already logged a bugzilla entry to add that option to Clamscan here:

https://bugzilla.clamav.net/show_bug.cgi?id=11436


Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



Re: [clamav-users] ScanOLE2 yes disables macro virus detection

2016-02-08 Thread Steve Basford

On Mon, February 8, 2016 3:48 pm, David Shrimpton wrote:
> Hi Steve,
>
>
> When I remove all my local database files problem goes away.
> So problem appears to be in a local database.
>
Ah ok...

> BAD_SIGNATURE.ldb.macro.19;Target:2;1;41747472;0:(0)/./ri

For info, I've used this against my *ham* folder full of good Word/Excel
macro docs and it hits a few of them :(

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



Re: [clamav-users] ScanOLE2 yes disables macro virus detection

2016-02-08 Thread Steve Basford

On Sun, February 7, 2016 10:28 pm, David Shrimpton wrote:

>
> clamscan -z --scan-ole2=yes
>
> no signatures from badmacro are detected

Can you do this and output the debug to a pastebin... (leave off -z)

clamscan --scan-ole2=yes --debug

I've tried to re-produce but can't.

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



Re: [clamav-users] False positives submitted but still viewed as viruses

2016-02-08 Thread Steve Basford

On Mon, February 8, 2016 1:27 pm, Klaas TJEBBES wrote:
> Hi.
>
>
> I've submitted several false positives but at the end of the submission
> form I don't get any "submission-ID" so I cannot track my submissions.
>
> The files I've submitted (a week ago) are still detected as viruses.
>
Hi,

If you don't know the ID, can you post a list of md5(s) for the team to
look up (I think that's currently how it works)

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



Re: [clamav-users] New request created with ID: ##136## from Steve basford

2016-02-07 Thread Steve Basford

On Sun, February 7, 2016 9:08 am, Walter H. wrote:
> On 04.02.2016 00:55, G <vuln-wa...@thefeeds.info> wrote:
> /\
> invalid e-mail address

No idea where the above header comes from, other than a "person" called "G"

>> A new request with request id 136 has been created by Steve basford.
>> Short info on the request is :
>>
No idea where the above comes from?

> not really trustworth when wanting me doing the same x times without them
> being added to the official signatures ...

Just in case anyone is *just* joining the list and is slightly put off by
the above statement...

Sanesecurity.com (domain created 29-dec-2004).

"...Since 2006, SaneSecurity have provide hourly updated ClamAV
signatures..." (source: sanesecurity.com)

databases are signed and I'm usually around somewhere on the list(s) or
via email.

Still, if you don't want to trust me that's ok... others do however.

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



Re: [clamav-users] ScanOLE2 yes disables macro virus detection

2016-02-07 Thread Steve Basford

On Sun, February 7, 2016 8:30 am, David Shrimpton wrote:
> Hi,
>
>
> But most of the badmacro or other unofficial virus signatures written to
> detect macro virus are written against the container itself which has the
> compressed macro code in it.  They are not written against the
> uncompressed macro code, so setting ScanOLE2 yes will disable these
> signatures.

Hi David,

Just doing a *very* quick look:

Using badmacro.ndb and either ScanOLE2 no (clamd.conf) *or* using
--scan-ole2=no (clamscan) still results in the bad Word document being
detected...

clamscan --database=badmacro.ndb *.doc --scan-ole2=no

Copy_100_of_imex.prcl.I806015.doc:
Sanesecurity.Badmacro.Doc.CreObj.UNOFFICIAL FOUND
Copy_101_of_imex.prcl.I806015.doc:
Sanesecurity.Badmacro.Doc.CreObj.UNOFFICIAL FOUND

Well, at least that's what I'm seeing here...


> These viruses are completely missed when ScanOLE2 is yes , no matter what
>  signature you write, as the non macro files in the OLE2 container are not
> scanned and the scanned files ie the uncompressed macro vba code, don't
> contain the malicious code.

Can you scan these viruses with badmacro.ndb with --scan-ole2=no and
--scan-ole2=yes... are they detected?

If the document malware you have isn't detected by badmacro.ndb or
phish.ndb then please send me a sample... and I'll check...

http://sanesecurity.org/hesk/

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



Re: [clamav-users] Freshclam Non-repudiation

2016-01-29 Thread Steve Basford

On Thu, January 28, 2016 10:29 pm, Brad Scalio wrote:
> Is there any integrity or authenticity checks within freshclam when it
> connects to the clamAV servers to download the virus signature databases?

Hi Brad,

Just to cover 3rd Party (.UNOFFICIAL) signatures.

Signatures produced by Sanesecurity and/or distributed by Sanesecurity
mirrors are first created and/or downloaded then checked against a HAM
folder and finally signed with GPG.

In addition, md5/sha256 hashes are also produced.

Download scripts check the GPG and/or hashes depending on which script
you use.

As Sanesecurity have been doing this for 10 years this year, hopefully
the GPG key can be trusted ;)

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



Re: [clamav-users] SaneSecurity SpearL signatures

2016-01-27 Thread Steve Basford

On Tue, January 26, 2016 4:21 pm, Ian Eiloart wrote:

> 3. If 'yes' to either, is it possible to prevent this in order to make it
> easier to investigate problems?
>

As there's been no post regarding the FP's on the Sanesecurity list, I
thought I'd publicly update here... (sorry folks)

a) The FP concerned was actually fixed on the 22nd Jan

b) Taking your points on board I've changed the signature name to
be static, therefore helping pin-point any future issues:

eg:

spearl.ndb: Sanesecurity.SpearL.c8623d
jurlbl.ndb: Sanesecurity.Jurlbl.cd3a7c

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



Re: [clamav-users] Tooooo sloooooooow startup clamd on Solaris SPARC

2016-01-27 Thread Steve Basford

On Wed, January 27, 2016 10:30 am, Yuri Voinov wrote:
> Hi gents,
>
>
> I found one issue. On SPARC server (4 CPU SPARC-IV+, 16 Gb RAM, two 15k
> RPM disks) clamd starts very slow:

> Wed Jan 27 16:23:05 2016 -> Reading databases from /var/lib/clamav
> Wed Jan 27 16:23:05 2016 -> Not loading PUA signatures.

What databases do you have in /var/lib/clamav ?

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



Re: [clamav-users] Clamav cannot detect a malware using a signature based on html comment

2016-01-26 Thread Steve Basford

On Tue, January 26, 2016 11:54 am, Arnaud Jacques / SecuriteInfo.com wrote:
> Hello Steve,
>
>
>> I've seen the same sometimes I've had to end up using type 0,
>> instead of 3/4/7 which isn't ideal.
>
> Even with filetype 0 this doesn't match :
Hi Arnaud,

Can you attach a sample... see if I can confirm this end...

http://sanesecurity.org/hesk/

(Submit a ticket, attach file)

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



Re: [clamav-users] SaneSecurity SpearL signatures

2016-01-26 Thread Steve Basford

On Tue, January 26, 2016 4:21 pm, Ian Eiloart wrote:
> Hi,
>
>
> I had a spate of reports about an FP in the SaneSecurity SpearL list. It
> included a URL that’s attached by MessageLabs when it scans outbound
> mail from the University of Brighton (which is just over the road from
> us).
Hi Ian,

I'll take a look...

But I'll contact you off-list... or move to sanesecurity mailing list...

http://sanesecurity.com/support/mailing-list/

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



Re: [clamav-users] Virus-Datebase-Updates?

2016-01-17 Thread Steve basford

Hi Walter,

Could you post a hash or two or maybe a VirusTotal link to one of the
submitted ones.

Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com



On 18 January 2016 04:46:07 "Walter H."  wrote:


Hello,

I want an explanation, why not adding?
(as this would bring ClamAV into a totally wrong view: "An antivirus detecting
only wanted threats and not any")


"ClamAV database updated (17 Jan 2016 19-07 -0500): daily.cvd
Version: 21274


Re: [clamav-users] crdf threatcenter

2015-12-30 Thread Steve Basford

On Wed, December 30, 2015 7:27 pm, sebast...@debianfan.de wrote:
> Hi @all,
>
>
> does anybody know, whats up with the crdf threatcenter ?
>
> I am not able to download the crdfam.clamav.hdb database.
>
Hi Sebastian,

I tweeted them a few days ago, they said they were having a few issues
and would be fixed after their vacation.

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com



Re: [clamav-users] Detection in windows but not Linux

2015-12-13 Thread Steve Basford

On Sun, December 13, 2015 2:25 am, Kurt Fitzner wrote:
>


> The file is definitely malware - it was injected through a WordPress
> vulnerability. I have a virus scan that runs hourly on my wordpress folder
> just for that reason, but this one slipped through the cracks. I want to
> find out what support is missing so it can be reported to the Debian
> ClamAv package maintainers.

Hi Kurt,

It does look like an old signature and is located in main.ndb, so
not easily corrected.

Hopefully a modified version can be added to daily.ndb.

In the mean time, here's a version to test...

http://pastebin.com/cYw39kdp

Just copy to test.ndb and re-scan

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com



[clamav-users] Sanesecurity news: Scripts 0.99

2015-12-04 Thread Steve Basford
Just in case anyone isn't subscribed to the Sanesecurity list,
a re-post of download script news for 0.99 and Yara:

http://www.freelists.org/post/sanesecurity/Sanesecurity-News

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com



Re: [clamav-users] mail follow url

2015-11-26 Thread Steve Basford

On Thu, November 26, 2015 4:00 pm, polloxx wrote:
> In http://www.clamav.net/documents/installing-clamav#requirements I read:
>
>
> Optional:
>
>
> GMP: for digital signatures
> *cURL: for mail follow url*
>
>
>
> Does this mean that clamav scans URL's in mails?
Hi,

It *used* to, a long time ago.

But that option isn't used any more.

Denial of service etc. etc. and performance, I seem to remember.

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com



Re: [clamav-users] mail follow url

2015-11-26 Thread Steve Basford

On Thu, November 26, 2015 4:00 pm, polloxx wrote:
> In http://www.clamav.net/documents/installing-clamav#requirements I read:
>
>
> Optional:
>
>
> GMP: for digital signatures
> *cURL: for mail follow url*
>
>
>
> Does this mean that clamav scans URL's in mails?
>

Thu Aug  6 22:26:30 CEST 2009 (tk)
--
 * clamd, clamscan, libclamav: drop support for MailFollowURLs (bb#1677)


Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com



Re: [clamav-users] handling multiple hits on CVE-2015-7645?

2015-11-22 Thread Steve basford
Create a localfp.ign2 file with the following line in it in your ClamAV 
database folder:


Swf.Exploit.CVE_2015_7645

Restart clamd

Hopefully the FP will be officially fixed soon.

Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com



On 22 November 2015 12:52:04 "Orrick, Diana"  wrote:


Hello,

I haven't had any response to filing a number of False Positive reports,
should I have?
I do appreciate the limits of the support folks, really. Just trying to
understand how FP are handled and what the expectations should be.

We've had another round of scans and the same servers,
same files are flagged by ClamAV (only) again for Swf.Exploit.CVE_2015_7645.
These are showing up on Linux servers that do not have the flash rpm
referenced in the CVE.

I've looked through the archives and the admin manual for some reference to
creating a 'local whitelist record' but don't find much. Would someone
point me to the terms I should search on for the whitelist creation process,
please?

Thanks for your assistance.

--



Diana Mayer Orrick

Florida State University







