Re: [Clamav-users] Many Javascript false - positives
Hi there,

On Sat, 12 Apr 2008 Dennis Peterson wrote:

> [snip] leaves us with no means to evaluate the message further if
> ClamAV is to be a go no-go tool. A work-around is to not use ClamAV
> as a go no-go tool and evaluate every message further regardless of
> the presence of a virus. I'd prefer to not do that. I would like to
> evaluate certain image and scam messages further, though, and of
> course the way to do that is to disable that kind of filtering in
> ClamAV. And I'd prefer to not do that, too. I'd like all the tools
> to contribute to the score of a message and make the go no-go
> decision on that score.
> [snip]

Have I missed something here?

In some situations a simple go/no-go from ClamAV might not be The Right Answer, but I don't see that it's necessary to prevent ClamAV from scanning for any particular type of characteristic to get a better fit to your needs.

ClamAV can accept all messages but report its findings. The findings are inserted into the message headers. So you can process the message, and all headers, including those which have been added, using tools capable of scoring, further manipulating headers, content, etc. etc. until you reach some kind of conclusion about it. If necessary you could change the text descriptions of variously undesirable patterns in the ClamAV database to make routing through subsequent tools easier.

Sure, it might be a pain, but then I think that might well describe everything we discuss on this List. :(

I use MIMEDefang for this sort of more complex mail processing; it's flexible but a little chubby for some situations. There, depending on the headers found, the relatively lightweight 'chainmail' milter adds recipients to incoming mail, and subsequently different milters are called (or the same milters are called but they behave differently) depending on the recipients.

Using features to do things for which they weren't designed is a pleasing improvisation. :)

--
73,
Ged.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Many Javascript false - positives
Tilman Schmidt wrote:
> Dennis Peterson wrote:
>> James E. Pratt wrote:
>>
>>>> I can confirm too that Trojan.Downloader.JS.Agent-2 (and 1) hit
>>>> a load of legitimate sites.
>>>
>>> Hello. I ran into this "Trojan.Downloader.JS.Agent-2" issue yesterday
>>> on our web server. When notified, the webmaster replied with "these are
>>> coming from compressed js files using Dean Edwards' javascript "packer"
>>> [http://dean.edwards.name/packer/], which compresses js and usually
>>> reduces the file size by 30-40 percent."
>>
>> If the principal users of this service are spammers trying to
>> obfuscate their content then I see no reason not to use a tool to
>> block that content. A lesson that has been hard to teach is that when
>> legitimate users create content that is indistinguishable from common
>> spam it will be blocked. That takes into consideration the source -
>> sales and marketing types in any corporation have a particular problem
>> as almost all of what they create could be considered spam by someone.
>> Best effort rules apply. I've never had a manager reverse me on this.
>
> Sorry, but that's completely beside the point.
>
> a) We are not talking about spam filtering here, but about classification
> as malware.
>
> b) Applying spam blocking rules to web content is quite inappropriate, as
> websites are actively requested, as opposed to spam which is forced on
> the recipient through her mailbox slot.
>
> c) Whether "the principal users" of Dean Edwards' JavaScript packer are
> spammers is open to debate, although IMHO it doesn't even matter in the
> light of a) and b).
>
> Generally speaking, I am quite wary of the increasing tendency of ClamAV
> to try and detect spam in addition to malware. These two categories need
> to be treated quite differently for many reasons, among them legal ones.
> Mixing them up like this makes my life and work more difficult. Please
> don't do it.
>
> Thanks,
> T.

We don't disagree on much, here.

The last point you make is why I suggested some kind of scoring system. I've not examined the return codes from clamd but I suspect it is the same for every kind of match. Code Red would return the same thing as an eBay scam, and if so then that right there is the problem. It leaves us with no means to evaluate the message further if ClamAV is to be a go no-go tool. A work-around is to not use ClamAV as a go no-go tool and evaluate every message further regardless of the presence of a virus. I'd prefer to not do that. I would like to evaluate certain image and scam messages further, though, and of course the way to do that is to disable that kind of filtering in ClamAV. And I'd prefer to not do that, too. I'd like all the tools to contribute to the score of a message and make the go no-go decision on that score.

If you read Tomasz' interview by the SANS Tech Institute you'll learn that this business of going beyond malware is going to expand. I'm not real crazy about that.

dp
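The two ideas argued over in this part of the thread, Dennis's scoring system and the "report findings in headers, decide later" setup Ged describes in his reply above, fit together in a few lines. The following is an added example, not code from the thread, from MIMEDefang or from ClamAV. It parses clamd's textual reply (the "<id>: <signature> FOUND" / "<id>: OK" / "<id>: <reason> ERROR" format clamd really uses), weights a hit by the family its name announces, adds the weight to whatever other tools scored, and emits headers plus a verdict. The weights, the threshold and the X-* header names are assumptions made for this example:

```python
"""Score-based go/no-go around clamd results.

Added example, not code from the thread, from MIMEDefang or from ClamAV.
Dennis's point is that clamd answers every match the same way, so a worm
and a phishing mail look alike to a caller that only asks "infected or
not?"; Ged's point is that the scanner's findings can instead be written
into headers and weighed by later tools. This module does both: it
parses clamd's textual reply, weights the signature by the family its
name announces, adds that weight to whatever other tools scored, and
emits headers plus a verdict. The weights, the threshold and the
X-* header names are choices made for this example, not ClamAV's.
"""
import re

# clamd replies to a scan with "<id>: <signature> FOUND", "<id>: OK" or
# "<id>: <reason> ERROR"; for INSTREAM scans the id is the word "stream".
CLAMD_REPLY = re.compile(r"^(?P<id>.+?): (?:(?P<sig>\S+) FOUND|OK|(?P<err>.+) ERROR)$")

# Assumed weights. PUA.* and Heuristics.* are ClamAV's prefixes for
# "possibly unwanted" and heuristic (incl. phishing) detections; anything
# else is treated as real malware and rejects on its own.
WEIGHTS = [
    (re.compile(r"^PUA\."), 2.0),
    (re.compile(r"^Heuristics\.Phishing\."), 4.0),
    (re.compile(r"^Heuristics\."), 3.0),
    (re.compile(r"."), 10.0),
]
THRESHOLD = 5.0


def parse_clamd_reply(line):
    """Return (scan id, signature or None, error text or None)."""
    m = CLAMD_REPLY.match(line.strip())
    if not m:
        raise ValueError("unexpected clamd reply: %r" % line)
    return m.group("id"), m.group("sig"), m.group("err")


def weight_for(sig):
    """Map a signature name to its contribution to the message score."""
    for pattern, weight in WEIGHTS:
        if pattern.search(sig):
            return weight
    return 0.0


def score_message(clamd_replies, other_scores, threshold=THRESHOLD):
    """Combine clamd hits with other tools' scores into headers and a verdict.

    clamd_replies: the reply line clamd returned for each scanned part.
    other_scores: {tool name: numeric score}, e.g. a spam scanner's result.
    Returns (headers to add to the message, "accept" or "reject").
    """
    headers = {}
    hits = []
    total = sum(other_scores.values())
    for line in clamd_replies:
        _scan_id, sig, err = parse_clamd_reply(line)
        if err:
            # A scan error is recorded, not scored: the caller decides
            # separately whether unscannable parts are acceptable.
            headers["X-ClamAV-Error"] = err
        elif sig:
            hits.append(sig)
            total += weight_for(sig)
    headers["X-ClamAV-Status"] = ("Found: " + ", ".join(hits)) if hits else "Clean"
    for tool, score in other_scores.items():
        headers["X-%s-Score" % tool] = "%.1f" % score
    headers["X-Combined-Score"] = "%.1f" % total
    return headers, ("reject" if total >= threshold else "accept")


if __name__ == "__main__":
    # Constructed replies: a packed-JS PUA hit in a mail the spam scanner
    # thinks is fine, a phishing heuristic on a spammy mail, and a clean scan.
    for replies, others in [
        (["stream: PUA.JS.Packed FOUND"], {"Spam": 1.0}),
        (["stream: Heuristics.Phishing.Email.SpoofedDomain FOUND"], {"Spam": 2.5}),
        (["stream: OK"], {"Spam": 0.0}),
    ]:
        headers, verdict = score_message(replies, others)
        print(verdict, headers["X-ClamAV-Status"], headers["X-Combined-Score"])
```

Weighting by name only helps when the name is honest: the thread's Trojan.Downloader.JS.Agent-2 hit on compressed jQuery would still score as malware here, which is exactly Tilman's objection. The scoring layer buys you a way to treat PUA and heuristic hits as evidence rather than verdicts; it does not repair a mislabelled signature.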
Re: [Clamav-users] Many Javascript false - positives
Dennis Peterson wrote:
> James E. Pratt wrote:
>>> I can confirm too that Trojan.Downloader.JS.Agent-2 (and 1) hit
>>> a load of legitimate sites.
>>
>> Hello. I ran into this "Trojan.Downloader.JS.Agent-2" issue yesterday
>> on our web server. When notified, the webmaster replied with "these are
>> coming from compressed js files using Dean Edwards' javascript "packer"
>> [http://dean.edwards.name/packer/], which compresses js and usually
>> reduces the file size by 30-40 percent."
>
> If the principal users of this service are spammers trying to
> obfuscate their content then I see no reason not to use a tool to
> block that content. A lesson that has been hard to teach is that when
> legitimate users create content that is indistinguishable from common
> spam it will be blocked. That takes into consideration the source -
> sales and marketing types in any corporation have a particular problem
> as almost all of what they create could be considered spam by someone.
> Best effort rules apply. I've never had a manager reverse me on this.

Sorry, but that's completely beside the point.

a) We are not talking about spam filtering here, but about classification as malware.

b) Applying spam blocking rules to web content is quite inappropriate, as websites are actively requested, as opposed to spam which is forced on the recipient through her mailbox slot.

c) Whether "the principal users" of Dean Edwards' JavaScript packer are spammers is open to debate, although IMHO it doesn't even matter in the light of a) and b).

Generally speaking, I am quite wary of the increasing tendency of ClamAV to try and detect spam in addition to malware. These two categories need to be treated quite differently for many reasons, among them legal ones. Mixing them up like this makes my life and work more difficult. Please don't do it.

Thanks,
T.

--
Tilman Schmidt
Phoenix Software GmbH
Tel. +49 228 97199 0
Fax +49 228 97199 99
Adolf-Hombitzer-Str. 12
53227 Bonn, Germany
www.phoenixsoftware.de
Re: [Clamav-users] Many Javascript false - positives
James E. Pratt wrote:
>
>>> I can confirm too that Trojan.Downloader.JS.Agent-2 (and 1) hit a
>>> load of legitimate sites.
>
> Hello. I ran into this "Trojan.Downloader.JS.Agent-2" issue yesterday
> on our web server. When notified, the webmaster replied with "these are
> coming from compressed js files using Dean Edwards' javascript "packer"
> [http://dean.edwards.name/packer/], which compresses js and usually
> reduces the file size by 30-40 percent."

If the principal users of this service are spammers trying to obfuscate their content then I see no reason not to use a tool to block that content. A lesson that has been hard to teach is that when legitimate users create content that is indistinguishable from common spam it will be blocked. That takes into consideration the source - sales and marketing types in any corporation have a particular problem as almost all of what they create could be considered spam by someone. Best effort rules apply. I've never had a manager reverse me on this.

However - without some kind of scoring system that weighs various parts of the content, it cannot be determined if the entire content is acceptable or not, and to make that decision based only on the presence of compressed javascript patterns is probably unreliable. Well, the pattern is gone now so that seems to be a widely accepted notion :)

This pattern might work better in a milter that does scoring and which is capable of considering a wider range of criteria.

dp
Re: [Clamav-users] Many Javascript false - positives
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:clamav-users-[EMAIL PROTECTED] On Behalf Of aCaB
> Sent: Wednesday, April 09, 2008 11:28 AM
> To: ClamAV users ML
> Subject: Re: [Clamav-users] Many Javascript false - positives
>
> Henrik K wrote:
>> On Wed, Apr 09, 2008 at 04:49:17PM +0200, aCaB wrote:
>>> Henrik K wrote:
>>>> On Wed, Apr 09, 2008 at 03:53:16PM +0200, aCaB wrote:
>>>>> Henrik K wrote:
>>>>>>> But I have another one, also without PUA ;-)
>>>>>>> http://www.beta.wetter.com/lib/js/1d7c7a52.js -->
>>>>>>> Trojan.Downloader.JS.Agent-2
>>>>>>> This is also an "ajax - jquery - lib" from a popular German
>>>>>>> website.
>>>>>> I can confirm too that Trojan.Downloader.JS.Agent-2 (and 1) hit a
>>>>>> load of legitimate sites.

Hello. I ran into this "Trojan.Downloader.JS.Agent-2" issue yesterday on our web server. When notified, the webmaster replied with "these are coming from compressed js files using Dean Edwards' javascript "packer" [http://dean.edwards.name/packer/], which compresses js and usually reduces the file size by 30-40 percent."

Regards,
Jamie
Re: [Clamav-users] Many Javascript false - positives
Henrik K wrote:
> On Wed, Apr 09, 2008 at 04:49:17PM +0200, aCaB wrote:
>> Henrik K wrote:
>>> On Wed, Apr 09, 2008 at 03:53:16PM +0200, aCaB wrote:
>>>> Henrik K wrote:
>>>>>> But I have another one, also without PUA ;-)
>>>>>> http://www.beta.wetter.com/lib/js/1d7c7a52.js -->
>>>>>> Trojan.Downloader.JS.Agent-2
>>>>>> This is also an "ajax - jquery - lib" from a popular German website.
>>>>> I can confirm too that Trojan.Downloader.JS.Agent-2 (and 1) hit a load of
>>>>> legitimate sites. Haven't bothered to report since no one has complained that
>>>>> surfing is affected.
>>>> Guys,
>>>> You should update your virus db more often.
>>>> This has been fixed 2 days ago.
>>> What makes you think we don't?
>> Mostly the fact that there's currently no signature for
>> Trojan.Downloader.JS.Agent-2.
>
> It was removed 2 days ago? Ah well, bug hunting on the reload code then..

If you find something please open a ticket on the bugzilla which you can find at http://bugs.clamav.net

Thanks,
-aCaB
Re: [Clamav-users] Many Javascript false - positives
On Wed, Apr 09, 2008 at 04:49:17PM +0200, aCaB wrote:
> Henrik K wrote:
>> On Wed, Apr 09, 2008 at 03:53:16PM +0200, aCaB wrote:
>>> Henrik K wrote:
>>>>> But I have another one, also without PUA ;-)
>>>>> http://www.beta.wetter.com/lib/js/1d7c7a52.js -->
>>>>> Trojan.Downloader.JS.Agent-2
>>>>> This is also an "ajax - jquery - lib" from a popular German website.
>>>> I can confirm too that Trojan.Downloader.JS.Agent-2 (and 1) hit a load of
>>>> legitimate sites. Haven't bothered to report since no one has complained that
>>>> surfing is affected.
>>> Guys,
>>> You should update your virus db more often.
>>> This has been fixed 2 days ago.
>>
>> What makes you think we don't?
>
> Mostly the fact that there's currently no signature for
> Trojan.Downloader.JS.Agent-2.

It was removed 2 days ago? Ah well, bug hunting on the reload code then..
Re: [Clamav-users] Many Javascript false - positives
Henrik K wrote:
> On Wed, Apr 09, 2008 at 03:53:16PM +0200, aCaB wrote:
>> Henrik K wrote:
>>>> But I have another one, also without PUA ;-)
>>>> http://www.beta.wetter.com/lib/js/1d7c7a52.js -->
>>>> Trojan.Downloader.JS.Agent-2
>>>> This is also an "ajax - jquery - lib" from a popular German website.
>>> I can confirm too that Trojan.Downloader.JS.Agent-2 (and 1) hit a load of
>>> legitimate sites. Haven't bothered to report since no one has complained that
>>> surfing is affected.
>> Guys,
>> You should update your virus db more often.
>> This has been fixed 2 days ago.
>
> What makes you think we don't?

Mostly the fact that there's currently no signature for Trojan.Downloader.JS.Agent-2.

-aCaB
Re: [Clamav-users] Many Javascript false - positives
On Wed, Apr 09, 2008 at 03:53:16PM +0200, aCaB wrote:
> Henrik K wrote:
>>> But I have another one, also without PUA ;-)
>>> http://www.beta.wetter.com/lib/js/1d7c7a52.js -->
>>> Trojan.Downloader.JS.Agent-2
>>> This is also an "ajax - jquery - lib" from a popular German website.
>>
>> I can confirm too that Trojan.Downloader.JS.Agent-2 (and 1) hit a load of
>> legitimate sites. Haven't bothered to report since no one has complained that
>> surfing is affected.
>
> Guys,
> You should update your virus db more often.
> This has been fixed 2 days ago.

What makes you think we don't?

08/04/2008 12:08:33 ClamAV: Reloaded 243723 signatures (engine 0.92.1)
08/04/2008 13:08:37 ClamAV: Reloaded 243747 signatures (engine 0.92.1)
08/04/2008 13:38:41 ClamAV: Reloaded 243768 signatures (engine 0.92.1)
08/04/2008 14:08:44 ClamAV: Reloaded 243768 signatures (engine 0.92.1)
08/04/2008 14:38:47 ClamAV: Reloaded 243816 signatures (engine 0.92.1)
08/04/2008 15:38:51 ClamAV: Reloaded 243828 signatures (engine 0.92.1)
08/04/2008 18:08:58 ClamAV: Reloaded 243839 signatures (engine 0.92.1)
08/04/2008 21:39:07 ClamAV: Reloaded 243846 signatures (engine 0.92.1)
09/04/2008 02:39:19 ClamAV: Reloaded 243849 signatures (engine 0.92.1)
09/04/2008 07:09:30 ClamAV: Reloaded 243869 signatures (engine 0.92.1)
09/04/2008 08:09:34 ClamAV: Reloaded 244861 signatures (engine 0.92.1)
09/04/2008 09:39:40 ClamAV: Reloaded 245630 signatures (engine 0.92.1)
09/04/2008 11:09:45 ClamAV: Reloaded 245634 signatures (engine 0.92.1)
09/04/2008 12:09:50 ClamAV: Reloaded 245640 signatures (engine 0.92.1)
09/04/2008 13:09:55 ClamAV: Reloaded 245708 signatures (engine 0.92.1)
09/04/2008 13:39:59 ClamAV: Reloaded 245735 signatures (engine 0.92.1)
09/04/2008 15:10:05 ClamAV: Reloaded 245755 signatures (engine 0.92.1)
09/04/2008 15:40:08 ClamAV: Reloaded 245768 signatures (engine 0.92.1)
09/04/2008 16:40:13 ClamAV: Reloaded 245783 signatures (engine 0.92.1)

08/04/2008 12:28:45 http://www.cec.jyu.fi/portal_javascripts/Jytkk/ploneScripts1448.js 740+93022 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
08/04/2008 13:50:20 http://www.macnews.de/ajax.php? 372+26270 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
08/04/2008 14:55:01 http://acadia.ur.gcion.com/Scripts/GCION.js 324+30161 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 08:35:39 http://www.abstractfonts.com/js.php? 532+26262 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 09:43:22 http://mapstats.blogflux.com/button.js.php? 228+3578 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 11:50:24 http://www.predictad.com/scripts/molosky/combined.js 356+102630 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 12:34:52 http://search.dell.com/scripts/chili-1.7.pack.js 372+7321 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 14:31:24 http://www.cdcovers.cc/server/server.php? 260+88862 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 14:33:55 http://www.oulujarvileader.com/2007/mambots/system/jceutils/jscripts/utils.js 324+8121 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 15:16:14 http://www.panoramio.com/photo/240 484+19258 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 15:50:33 http://www.csc.fi/portal_javascripts/Plone%20Default/ploneScripts5448.js 452+93027 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2

And no, I'm not going to upload every one of those.
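Henrik's two log excerpts answer two different questions: the reload lines show whether the scanner is actually taking new databases, and the hit lines show one signature firing on a dozen unrelated hosts, which is the shape a false positive has in a proxy log. The following is an added example, not code from the thread or from the ClamAV project, that parses both kinds of line and does that triage. It assumes the dates are DD/MM/YYYY (the thread is dated 9 April 2008) and treats the "740+93022" field as an opaque pair of byte counts; the sample lines are the ones Henrik posted (a subset of the reload lines, all of the hits):

```python
"""Triage a ClamAV HTTP-proxy log for likely false positives.

Added example, not code from the thread or from the ClamAV project. It
parses the two kinds of lines Henrik posted: "Reloaded N signatures"
lines (does the scanner actually pick up new databases?) and per-URL
"VIRUS ClamAV: <signature>" hits, then counts the distinct hosts each
signature fired on. One signature hitting many unrelated, well-known
hosts within a day is a strong hint that the signature, not the sites,
is the problem. Assumptions: dates are DD/MM/YYYY (the thread is dated
9 April 2008), and the "740+93022" field is a pair of byte counts that
this script keeps but does not interpret.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

RELOAD_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) ClamAV: Reloaded (\d+) signatures"
    r" \(engine ([\d.]+)\)$"
)
HIT_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\S+) (\d+)\+(\d+) VIRUS ClamAV: (\S+)$"
)

# Lines taken from Henrik's message (a subset of the reload lines, all of the hits).
SAMPLE_LOG = """\
08/04/2008 12:08:33 ClamAV: Reloaded 243723 signatures (engine 0.92.1)
08/04/2008 13:08:37 ClamAV: Reloaded 243747 signatures (engine 0.92.1)
08/04/2008 21:39:07 ClamAV: Reloaded 243846 signatures (engine 0.92.1)
09/04/2008 02:39:19 ClamAV: Reloaded 243849 signatures (engine 0.92.1)
09/04/2008 09:39:40 ClamAV: Reloaded 245630 signatures (engine 0.92.1)
08/04/2008 12:28:45 http://www.cec.jyu.fi/portal_javascripts/Jytkk/ploneScripts1448.js 740+93022 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
08/04/2008 13:50:20 http://www.macnews.de/ajax.php? 372+26270 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
08/04/2008 14:55:01 http://acadia.ur.gcion.com/Scripts/GCION.js 324+30161 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 08:35:39 http://www.abstractfonts.com/js.php? 532+26262 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 09:43:22 http://mapstats.blogflux.com/button.js.php? 228+3578 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 11:50:24 http://www.predictad.com/scripts/molosky/combined.js 356+102630 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 12:34:52 http://search.dell.com/scripts/chili-1.7.pack.js 372+7321 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 14:31:24 http://www.cdcovers.cc/server/server.php? 260+88862 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 14:33:55 http://www.oulujarvileader.com/2007/mambots/system/jceutils/jscripts/utils.js 324+8121 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 15:16:14 http://www.panoramio.com/photo/240 484+19258 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 15:50:33 http://www.csc.fi/portal_javascripts/Plone%20Default/ploneScripts5448.js 452+93027 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
""".splitlines()


def _ts(s):
    return datetime.strptime(s, "%d/%m/%Y %H:%M:%S")


def parse_log(lines):
    """Split log lines into reload events and detection hits; ignore anything else."""
    reloads, hits = [], []
    for line in lines:
        line = line.strip()
        m = RELOAD_RE.match(line)
        if m:
            reloads.append({"ts": _ts(m.group(1)), "sigs": int(m.group(2)), "engine": m.group(3)})
            continue
        m = HIT_RE.match(line)
        if m:
            hits.append({
                "ts": _ts(m.group(1)),
                "url": m.group(2),
                "host": urlparse(m.group(2)).hostname,
                "sizes": (int(m.group(3)), int(m.group(4))),
                "sig": m.group(5),
            })
    return reloads, hits


def reload_cadence(reloads):
    """Longest gap between consecutive reloads (seconds) and net signature growth.

    A long gap, or a count that never changes, means database updates are
    not reaching the scanner, which is a different problem from a bad signature.
    """
    if len(reloads) < 2:
        return None, 0
    ordered = sorted(reloads, key=lambda r: r["ts"])
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(ordered, ordered[1:])]
    return max(gaps), ordered[-1]["sigs"] - ordered[0]["sigs"]


def fp_candidates(hits, min_hosts=5):
    """Signatures that fired on at least min_hosts distinct hosts, with those hosts."""
    hosts = defaultdict(set)
    for h in hits:
        hosts[h["sig"]].add(h["host"])
    return {sig: sorted(hs) for sig, hs in hosts.items() if len(hs) >= min_hosts}


def hits_after(hits, when):
    """Count detections logged after a given time, e.g. after the reload that
    should have dropped a withdrawn signature."""
    return sum(1 for h in hits if h["ts"] > when)


if __name__ == "__main__":
    reloads, hits = parse_log(SAMPLE_LOG)
    gap, growth = reload_cadence(reloads)
    print("reloads: %d, longest gap %.0fs, +%d signatures" % (len(reloads), gap, growth))
    for sig, hosts in fp_candidates(hits).items():
        print("FP candidate %s: %d distinct hosts" % (sig, len(hosts)))
    print("hits after last reload:", hits_after(hits, reloads[-1]["ts"]))
```

The combination is what matters for the argument in this thread: reloads are happening and the signature count keeps growing, yet the same signature keeps firing on fresh hosts after each reload. That pattern points at the signature itself or at the reload path, not at a stale database on Henrik's side.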
Re: [Clamav-users] Many Javascript false - positives
Henrik K wrote:
>> But I have another one, also without PUA ;-)
>> http://www.beta.wetter.com/lib/js/1d7c7a52.js -->
>> Trojan.Downloader.JS.Agent-2
>> This is also an "ajax - jquery - lib" from a popular German website.
>
> I can confirm too that Trojan.Downloader.JS.Agent-2 (and 1) hit a load of
> legitimate sites. Haven't bothered to report since no one has complained that
> surfing is affected.

Guys,
You should update your virus db more often.
This has been fixed 2 days ago.

-aCaB
Re: [Clamav-users] Many Javascript false - positives
On Wednesday, 9 April 2008 15:26, Alexander Siebnich wrote:
> Arnaud Jacques wrote:
>> At the moment, PUA should not be used in a production environment.
>> See FAQ (http://www.clamav.org/support/faq/) for details.
>
> Thank you for this advice. I just wondered that this problem only
> occurred since the last main.cvd update, but we can change this.
>
> But I have another one, also without PUA ;-)
> http://www.beta.wetter.com/lib/js/1d7c7a52.js -->
> Trojan.Downloader.JS.Agent-2
> This is also an "ajax - jquery - lib" from a popular German website.

Please send it to http://cgi.clamav.net/sendvirus.cgi and flag it as a False Positive.

--
Best regards,
Arnaud Jacques
Security Consultant
SecuriteInfo.com
http://www.securiteinfo.com
http://www.securiteinfo.net
Re: [Clamav-users] Many Javascript false - positives
On Wed, Apr 09, 2008 at 03:26:48PM +0200, Alexander Siebnich wrote:
> Arnaud Jacques wrote:
>> At the moment, PUA should not be used in a production environment.
>> See FAQ (http://www.clamav.org/support/faq/) for details.
>
> Thank you for this advice. I just wondered that this problem only
> occurred since the last main.cvd update, but we can change this.
>
> But I have another one, also without PUA ;-)
> http://www.beta.wetter.com/lib/js/1d7c7a52.js -->
> Trojan.Downloader.JS.Agent-2
> This is also an "ajax - jquery - lib" from a popular German website.

I can confirm too that Trojan.Downloader.JS.Agent-2 (and 1) hit a load of legitimate sites. Haven't bothered to report since no one has complained that surfing is affected.
Re: [Clamav-users] Many Javascript false - positives
Arnaud Jacques wrote:
> At the moment, PUA should not be used in a production environment.
> See FAQ (http://www.clamav.org/support/faq/) for details.

Thank you for this advice. I just wondered that this problem only occurred since the last main.cvd update, but we can change this.

But I have another one, also without PUA ;-)
http://www.beta.wetter.com/lib/js/1d7c7a52.js --> Trojan.Downloader.JS.Agent-2
This is also an "ajax - jquery - lib" from a popular German website.

Best regards,
Alex
Re: [Clamav-users] Many Javascript false - positives
Hi,

On Wednesday, 9 April 2008 14:26, Alexander Siebnich wrote:
> Hello,
>
> we use clamav to scan http traffic. Since the main.cvd update we
> have many false positives with widely used js libs.
>
> For example:
> http://www.cisco.com/swa/j/global.js
> --> PUA.JS.Packed
>
> http://i.dell.com/images/global/js/lib/jquery-1.2.2.js
> --> PUA.JS.Packed
>
> http://www.hp.com/cma/metrics/sc/h_code_migration/s_code_remote.js
> --> PUA.JS.Packed

At the moment, PUA should not be used in a production environment. See FAQ (http://www.clamav.org/support/faq/) for details.

--
Best regards,
Arnaud Jacques
Security Consultant
SecuriteInfo.com
http://www.securiteinfo.com
http://www.securiteinfo.net
[Clamav-users] Many Javascript false - positives
Hello,

we use clamav to scan http traffic. Since the main.cvd update we have many false positives with widely used js libs.

For example:
http://www.cisco.com/swa/j/global.js
--> PUA.JS.Packed

http://i.dell.com/images/global/js/lib/jquery-1.2.2.js
--> PUA.JS.Packed

http://www.hp.com/cma/metrics/sc/h_code_migration/s_code_remote.js
--> PUA.JS.Packed

Is it possible to change this signature to prevent these false positives?

Thank you and best regards,
Alex