Re: [Clamav-users] custom signatures not working

2006-02-28 Thread Tomasz Kojm
On Tue, 28 Feb 2006 00:16:47 -0500
BitFuzzy [EMAIL PROTECTED] wrote:

> I'm trying to add a couple of custom phishing signatures using .ndb
> files within clamav's database directory
>
> For testing purposes I've used a simple phrase "Dear Paypal Members" and
> created a hex key for it
>
> Email.Phishing.Paypal.Test.0227001:0:*:446561722050617950616c204d656d6265720a

Your signature will only match "Dear Paypal Members\n" (0a == new line) and
not "Dear Paypal Members".

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Feb 28 10:40:45 CET 2006


signature.asc
Description: PGP signature
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] custom signatures not working

2006-02-28 Thread BitFuzzy

Tomasz Kojm wrote:

> Your signature will only match "Dear Paypal Members\n" (0a == new line) and
> not "Dear Paypal Members".


Thanks for the reply.

I knew that when I set it up. I figured if I can't get a simple word 
match to work, trying to get complex with it wouldn't be much use.

But alas, it doesn't work.


Re: [Clamav-users] custom signatures not working

2006-02-28 Thread Tomasz Kojm
On Tue, 28 Feb 2006 09:15:23 -0500
BitFuzzy [EMAIL PROTECTED] wrote:

> Tomasz Kojm wrote:
>
> > Your signature will only match "Dear Paypal Members\n" (0a == new
> > line) and
> > not "Dear Paypal Members".
>
> Thanks for the reply.
>
> I knew that when I set it up. I figured if I can't get a simple word
> match to work, trying to get complex with it wouldn't be much use.
> But alas, it doesn't work.

I decoded the hex string and it actually matches "Dear PayPal Member\n"
(PayPal instead of Paypal)

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Feb 28 15:38:01 CET 2006




Re: [Fwd: Re: [Clamav-users] custom signatures not working]

2006-02-28 Thread BitFuzzy



> I decoded the hex string and it actually matches "Dear PayPal Member\n"
> (PayPal instead of Paypal)

Yea, I caught that, it doesn't make any difference


Re: [Fwd: Re: [Clamav-users] custom signatures not working]

2006-02-28 Thread Steve Basford


BitFuzzy wrote:

> > I decoded the hex string and it actually matches "Dear PayPal Member\n"
> > (PayPal instead of Paypal)
>
> Yea, I caught that, it doesn't make any difference


Hi,

In your first post you said you'd tried these:

Email.Phishing.Paypal.Test.0227001:0:*:446561722050617950616c204d656d6265720a
Email.Phishing.Paypal.Test.0227001:446561722050617950616c204d656d6265720a

Firstly, make sure you don't use the 2nd one in an ndb file... it will
cause you problems and won't match anything.
In fact, it's a bug in ClamAV. If you add in the 2nd line above...
nothing at all gets detected using any signature,
which is a bit worrying so... you've discovered a feature ;)

Okay...

Phish text to match: "Dear Paypal Members"

Some example sigs... Note the case of the text

Sig eg 1:

Html.Phishing.Pay.Gen017.Sanesecurity.06022800:3:*:646561722070617970616c206d656d626572

Note: type 3 is used (HTML) which means the file is normalised

so : 646561722070617970616c206d656d626572 is (dear paypal member)

will match: Dear PayPal Member
and   : Dear Paypal member
and   : dear paypal member
and   : Dear PayPal Members

Sig eg 2:

Html.Phishing.Pay.Gen017.Sanesecurity.06022800:0:*:446561722050617950616c204d656d626572

Note: type 0 is used (ALL) which means the file isn't normalised

so : 446561722050617950616c204d656d626572 is (Dear PayPal Member)

will match: Dear PayPal Member
but not   : Dear Paypal member
but not   : dear paypal member
will match: Dear PayPal Members

Hope that's right, it's been a long day...

Cheers,

Steve


Re: [Fwd: Re: [Clamav-users] custom signatures not working]

2006-02-28 Thread Tomasz Kojm
On Tue, 28 Feb 2006 18:07:38 +
Steve Basford [EMAIL PROTECTED] wrote:

 
> BitFuzzy wrote:
>
> > > I decoded the hex string and it actually matches "Dear PayPal Member\n"
> > > (PayPal instead of Paypal)
> >
> > Yea, I caught that, it doesn't make any difference
>
> Hi,
>
> In your first post you said you'd tried these:
>
> Email.Phishing.Paypal.Test.0227001:0:*:446561722050617950616c204d656d6265720a
> Email.Phishing.Paypal.Test.0227001:446561722050617950616c204d656d6265720a
>
> Firstly, make sure you don't use the 2nd one in an ndb file... it will
> cause you problems and won't match anything.
> In fact, it's a bug in ClamAV. If you add in the 2nd line above...
> nothing at all gets detected using any signature,
> which is a bit worrying so... you've discovered a feature ;)

It's not worrying at all. It would be worrying if ClamAV was silently using
a broken signature somehow but it properly reports an error:

[EMAIL PROTECTED]:/tmp$ echo Email.Phishing.Paypal.Test.0227001:446561722050617950616c204d656d6265720a > test.ndb
[EMAIL PROTECTED]:/tmp$ clamscan -d test.ndb /tmp
LibClamAV Error: Problem parsing database at line 1
LibClamAV Error: Can't load test.ndb: Malformed database
ERROR: Malformed database

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Feb 28 19:35:33 CET 2006


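To make the two points above concrete (Steve's type 0 vs type 3 examples, and the malformed-database error Tomasz reproduces for the three-field line), here is an added example that is not part of the thread and not ClamAV's own code: a small Python model of .ndb lines (Name:TargetType:Offset:HexSignature) that hex-encodes a phrase, decodes a signature back into the bytes it really matches, rejects lines clamscan would reject, and models raw (type 0) against normalised (type 3) matching. Its assumptions: the match is a plain substring or fixed-offset search over the decoded bytes, lower-casing is the only normalisation step modelled, only the `*` and absolute-integer offset forms are handled, and the sample message bodies are constructed. Real ClamAV does more (its HTML normaliser strips tags and whitespace, and the hex body accepts wildcards such as `??` and `*`), so treat this as a check on what you typed, not a substitute for running clamscan.

```python
"""Added example, not from the thread or from ClamAV: a model of .ndb body
signatures good enough to show why a signature does or does not match.
Assumptions (not ClamAV behaviour): substring/fixed-offset matching over the
decoded bytes, lower-casing as the only normalisation, offsets limited to '*'
or an integer, no wildcards in the hex body."""
import binascii
import re

TARGET_ANY = 0   # type 0: any file, compared against the raw bytes
TARGET_HTML = 3  # type 3: HTML, compared against the normalised file

_HEX_BODY = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


def phrase_to_hex(phrase: str) -> str:
    """Hex-encode a phrase the way the thread does: 'Dear PayPal Member' -> '4465...'."""
    return binascii.hexlify(phrase.encode("latin-1")).decode("ascii")


def parse_ndb_line(line: str) -> dict:
    """Parse one .ndb line; raise ValueError for lines clamscan would refuse
    (wrong field count, non-numeric target type, odd-length or non-hex body)."""
    fields = line.strip().split(":")
    if len(fields) != 4:
        raise ValueError(
            f"expected 4 colon-separated fields, got {len(fields)}: {line.strip()[:48]}")
    name, target, offset, hexsig = fields
    if not target.isdigit():
        raise ValueError(f"target type {target!r} is not numeric")
    if offset != "*" and not offset.isdigit():
        raise ValueError(f"offset {offset!r} not modelled here (only '*' or an integer)")
    if not _HEX_BODY.match(hexsig):
        raise ValueError("hex body must be an even number of hex digits (wildcards not modelled)")
    return {"name": name, "target": int(target), "offset": offset,
            "pattern": binascii.unhexlify(hexsig)}


def describe(sig: dict) -> str:
    """Show the bytes a signature really matches; a trailing 0a shows up as \\n."""
    return repr(sig["pattern"].decode("latin-1"))


def normalise_html(data: bytes) -> bytes:
    """Model of the HTML normaliser: lower-case only (assumption; ClamAV's does more)."""
    return data.lower()


def matches(sig: dict, data: bytes) -> bool:
    """Model of the scan: type 3 is checked against normalised data, other types against raw bytes."""
    haystack = normalise_html(data) if sig["target"] == TARGET_HTML else data
    if sig["offset"] == "*":
        return sig["pattern"] in haystack
    return haystack.startswith(sig["pattern"], int(sig["offset"]))


if __name__ == "__main__":
    # Constructed sample bodies (not real mail) and the signatures from the thread.
    bodies = [b"Dear PayPal Member", b"Dear Paypal Members", b"dear paypal member",
              b"Dear PayPal Member\n"]
    lines = [
        "Email.Phishing.Paypal.Test.0227001:0:*:446561722050617950616c204d656d6265720a",
        "Email.Phishing.Paypal.Test.0227001:446561722050617950616c204d656d6265720a",
        "Html.Phishing.Pay.Gen017.Sanesecurity.06022800:3:*:" + phrase_to_hex("dear paypal member"),
        "Html.Phishing.Pay.Gen017.Sanesecurity.06022800:0:*:" + phrase_to_hex("Dear PayPal Member"),
    ]
    for line in lines:
        try:
            sig = parse_ndb_line(line)
        except ValueError as err:
            print(f"REJECTED: {err}")
            continue
        print(f"{sig['name']} (type {sig['target']}) matches {describe(sig)}")
        for body in bodies:
            print(f"    {body!r:32} -> {matches(sig, body)}")
```

Running it prints, for each of the thread's signatures, the decoded pattern and whether each constructed body matches; the three-field line is rejected by the parser in the same way clamscan refuses the database. For the encoding step on a real system, ClamAV's own `sigtool --hex-dump` reads a phrase on stdin and prints the hex.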


Re: [Fwd: Re: [Clamav-users] custom signatures not working]

2006-02-28 Thread Steve Basford



Tomasz Kojm wrote:

> It's not worrying at all. It would be worrying if ClamAV was silently using
> a broken signature somehow but it properly reports an error:

Thanks for checking. Well, under cygwin, this is what it does:

C:\CLAMAV~1\bin>clamscan c:\samples
C:\CLAMAV~1\bin>

That's it... no warning and doesn't scan :(

More info..

C:\CLAMAV~1\bin>clamscan --version
ClamAV devel-20060215/1303/Sun Feb 26 10:10:11 2006

C:\CLAMAV~1\bin>clamscan --debug
LibClamAV debug: Initializing the engine structure
LibClamAV debug: Loading databases from C:/clamav-devel/share/clamav
LibClamAV debug: Loading C:/clamav-devel/share/clamav/phish.ndb
[snip]
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Not supported target type in signature for
Email.Phishing.Paypal.Test.0227001


Sorry about the false alarm..

Steve


Re: [ [Clamav-users] custom signatures not working]

2006-02-28 Thread Bit Fuzzy

- Original Message -
From: Steve Basford [EMAIL PROTECTED]
To: ClamAV users ML clamav-users@lists.clamav.net
Sent: Tuesday, February 28, 2006 1:07 PM
Subject: Re: [Fwd: Re: [Clamav-users] custom signatures not working]


> Some example sigs... Note the case of the text
>
> Sig eg 1:
>
> Html.Phishing.Pay.Gen017.Sanesecurity.06022800:3:*:646561722070617970616c206d656d626572
>
> Note: type 3 is used (HTML) which means the file is normalised
>
> so : 646561722070617970616c206d656d626572 is (dear paypal member)
>
> will match: Dear PayPal Member
> and   : Dear Paypal member
> and   : dear paypal member
> and   : Dear PayPal Members
>
> Sig eg 2:
>
> Html.Phishing.Pay.Gen017.Sanesecurity.06022800:0:*:446561722050617950616c204d656d626572


Thanks for the help Steve.

Well, I've noticed something that doesn't quite make sense
Sending a message containing only Dear PayPal Member does not get flagged

However, a message containing only "Dear PayPal Member" and an attachment (a
simple blank txt file works) gets flagged as intended.

In other words, the only time Dear PayPal Member gets detected is if
there's an attachment, empty or otherwise




Re: [Fwd: Re: [Clamav-users] custom signatures not working]

2006-02-28 Thread Tomasz Kojm
On Tue, 28 Feb 2006 19:01:29 +
Steve Basford [EMAIL PROTECTED] wrote:

> Tomasz Kojm wrote:
> > It's not worrying at all. It would be worrying if ClamAV was silently
> > using a broken signature somehow but it properly reports an error:
>
> Thanks for checking. Well, under cygwin, this is what it does:
>
> C:\CLAMAV~1\bin>clamscan c:\samples
> C:\CLAMAV~1\bin>
>
> That's it... no warning and doesn't scan :(

Cygwin compilations are known to be seriously broken.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Feb 28 20:39:12 CET 2006




[Clamav-users] custom signatures not working

2006-02-27 Thread BitFuzzy
I'm trying to add a couple of custom phishing signatures using .ndb
files within clamav's database directory

For testing purposes I've used a simple phrase "Dear Paypal Members" and
created a hex key for it

Email.Phishing.Paypal.Test.0227001:0:*:446561722050617950616c204d656d6265720a

I've also tried

Email.Phishing.Paypal.Test.0227001:446561722050617950616c204d656d6265720a


Both with no success, all test email messages pass undetected.

I'm running clamav with the default db directory (/usr/local/shar/clamav)

Email is scanned using trashscan via procmail using /usr/local/bin/clamscan


Any suggestions would be greatly appreciated