Re: [clamav-users] False Positive for BC.Exploit.CVE_2012_1885-1
Hi David

On 10.12.2012 17:03, David Raynor wrote:
> So let's try the easiest one first: how big is the file? If you have raised it past the filescan max size, then default installations will skip it and report OK.

Any suggestion what I could do about that?

Best regards
Matthias

-- 
Matthias Egger                           ETH Zurich
Department of Information Technology     maeg...@ee.ethz.ch
and Electrical Engineering
IT Support Group (ISG.EE), ETL/F/24.1    Phone +41 (0)44 632 03 90
Physikstrasse 3, CH-8092 Zurich          Fax   +41 (0)44 632 11 95

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [clamav-users] False Positive for BC.Exploit.CVE_2012_1885-1
Matthias,

What architecture are you running ClamAV on? x86/64, PowerPC, SPARC, etc..?
Re: [clamav-users] False Positive for BC.Exploit.CVE_2012_1885-1
Hello Alain

On 12.12.2012 18:38, Alain Zidouemba wrote:
> Matthias,
>
> What architecture are you running ClamAV on? x86/64, PowerPC, SPARC, etc..?

SPARC (SunOS 5.10)

Best regards
Matthias

-- 
Matthias Egger
IT Support Gruppe D-ITET (ISG.EE)
ETH Zürich, ETL F 24.1
Physikstrasse 3
8092 Zürich
+41 (0)44 632 03 90
Re: [clamav-users] False Positive for BC.Exploit.CVE_2012_1885-1
Hi David

Thank you for the reply

On 10.12.2012 17:03, David Raynor wrote:
> So let's try the easiest one first: how big is the file? If you have raised

* The quarantined email is 21'503'810 Bytes.
* The attached Zip File is 15'916'684 Bytes
* and the extracted .pptx is 22'415'087 Bytes in size.

> it past the filescan max size, then default installations will skip it and report OK.

Good Shot! We have other settings as we allow emails up to 100'000'000 Bytes.

> Also, can you tell me what your clamscan settings or clamd.conf file settings are?

Here are the clamd.conf settings which we have set:

    LogSyslog yes
    LogFacility LOG_MAIL
    LogVerbose yes
    PidFile /var/run/amavis/clamd.pid
    TemporaryDirectory /var/tmp
    LocalSocket /var/run/amavis/clamd.sock
    LocalSocketGroup amavis
    LocalSocketMode 660
    FixStaleSocket yes
    StreamMaxLength 250M
    MaxThreads 15
    ReadTimeout 600
    MaxQueue 50
    SelfCheck 600
    User amavis
    ScanPE yes
    ScanELF yes
    ScanOLE2 yes
    ScanPDF yes
    ScanMail yes
    ScanPartialMessages no
    PhishingSignatures yes
    PhishingAlwaysBlockSSLMismatch no
    PhishingAlwaysBlockCloak no
    ScanHTML yes
    ScanArchive yes
    ArchiveBlockEncrypted no
    MaxScanSize 100M
    MaxFileSize 30M
    MaxRecursion 8
    MaxFiles 15000
    Bytecode yes
    BytecodeSecurity TrustSigned
    BytecodeTimeout 6

Best regards
Matthias
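The "easiest check" Dave proposed, applied to the object sizes and the size-related clamd.conf limits Matthias posted above. This is an added example, not code from the thread or from the ClamAV project; STRICT_CONF is a constructed set of lower limits for comparison, and reading the K/M suffixes as 1024-based is an assumption.

```python
"""Check which clamd.conf size limits would skip the objects from this thread.
Added example (not ClamAV project code); sizes and the posted limits are from
Matthias's messages, STRICT_CONF is constructed, K/M assumed 1024-based."""
import re

# Size-related subset of the clamd.conf settings posted in the thread.
POSTED_CONF = "StreamMaxLength 250M\nMaxScanSize 100M\nMaxFileSize 30M\n"
# Constructed, tighter limits for comparison (not from the thread).
STRICT_CONF = "StreamMaxLength 10M\nMaxScanSize 100M\nMaxFileSize 20M\n"
SUFFIX = {"": 1, "K": 1024, "M": 1024 * 1024}
# Sizes reported in the thread: the mail is what clamd receives as a stream,
# the zip and the .pptx are objects extracted from it.
OBJECTS = {"email": (21_503_810, True), "zip": (15_916_684, False),
           "pptx": (22_415_087, False)}

def parse_size(text):
    """Convert a clamd.conf size such as '30M' or '512K' to bytes."""
    m = re.fullmatch(r"(\d+)\s*([KkMm]?)", text.strip())
    if not m:
        raise ValueError("bad clamd.conf size: %r" % text)
    return int(m.group(1)) * SUFFIX[m.group(2).upper()]

def parse_conf(text):
    """Parse 'Option value' lines of a clamd.conf fragment into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def limits_hit(size, streamed, conf):
    """Limits in conf that an object of `size` bytes exceeds. StreamMaxLength
    only covers data sent over the clamd socket, so only the streamed mail is
    checked against it; MaxScanSize is compared per object here (simplified)."""
    keys = ["MaxFileSize", "MaxScanSize"] + (["StreamMaxLength"] if streamed else [])
    return sorted(k for k in keys if k in conf and size > parse_size(conf[k]))

def report(conf_text):
    """Map each object to the limits it trips under conf_text."""
    conf = parse_conf(conf_text)
    return {n: limits_hit(s, st, conf) for n, (s, st) in OBJECTS.items()}

if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONF), ("strict", STRICT_CONF)):
        for name, hits in report(text).items():
            print(label, name, "skipped by " + ", ".join(hits) if hits else "scanned")
```

Under the posted limits every object is within bounds, which is why the size check alone does not explain the differing results.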
[clamav-users] False Positive for BC.Exploit.CVE_2012_1885-1
Hello List

I have a zip file containing a .pptx file which ClamAV claims to be BC.Exploit.CVE_2012_1885-1. But virustotal and virscan.org have no complaint at all.
https://www.virustotal.com/file/09c5de164928c88b6ee370677242a4d69a00a88ecbd044af656f17fc54665fea/analysis/1355131094/
http://r.virscan.org/report/45504bdcc2b03dc967c5fedc3e609c4c.html

Therefore I believe it is a false positive. But:
http://www.clamav.net/lang/en/sendvirus/submit-fp
tells me:
--
Result: This file is not detected by ClamAV. Please update your CVD database before reporting false-positives. If you are using third-party databases/unofficial signatures, please contact the author of the signature. We can only process false-positives generated by ClamAV Official signatures. Please correct the above errors and retry. Thank you for helping the ClamAV project.
--

* ClamAV 0.97.6/15708/Mon Dec 10 04:27:19 2012
* bytecode.cvd: Clam AntiVirus database 07 Dec 2012 11-56 -0500, version 203, gzipped
* daily.cvd: Clam AntiVirus database 09 Dec 2012 22-27 -0500, version 1570, gzipped
* main.cvd: Clam AntiVirus database 11 Oct 2011 10-34 -0400, version 54, gzipped

Here is some debug output:

    LibClamAV debug: Bytecode found virus: BC.Exploit.CVE_2012_1885-1
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: BC.Exploit.CVE_2012_1885-1 found in descriptor 4
    LibClamAV debug: FP SIGNATURE: 5f0acbdb343776f56a64efae302cb581:177664:BC.Exploit.CVE_2012_1885-1
    LibClamAV debug: cli_magic_scandesc: returning 1 at line 2388
    LibClamAV debug: FP SIGNATURE: c7054cb8e0d78fbb65929c5fbed889ab:22415087:BC.Exploit.CVE_2012_1885-1
    LibClamAV debug: cli_magic_scandesc: returning 1 at line 2350

Can somebody tell me anything more?

Best regards
Matthias
Re: [clamav-users] False Positive for BC.Exploit.CVE_2012_1885-1
It is not the CVD files. The versions you list are the same versions as we have up to date [and the daily.cvd is 15708]. I'd wager there is some kind of non-default scan option that is changing the results.

So let's try the easiest one first: how big is the file? If you have raised it past the filescan max size, then default installations will skip it and report OK.

Also, can you tell me what your clamscan settings or clamd.conf file settings are?

Dave R.

On Mon, Dec 10, 2012 at 9:52 AM, Matthias Egger <maeg...@ee.ethz.ch> wrote:
> Hello List
>
> I have a zip file containing a .pptx file which ClamAV claims to be BC.Exploit.CVE_2012_1885-1. But virustotal and virscan.org have no complaint at all.
> https://www.virustotal.com/file/09c5de164928c88b6ee370677242a4d69a00a88ecbd044af656f17fc54665fea/analysis/1355131094/
> http://r.virscan.org/report/45504bdcc2b03dc967c5fedc3e609c4c.html
>
> Therefore I believe it is a false positive. But:
> http://www.clamav.net/lang/en/sendvirus/submit-fp
> tells me:
> --
> Result: This file is not detected by ClamAV. Please update your CVD database before reporting false-positives. If you are using third-party databases/unofficial signatures, please contact the author of the signature. We can only process false-positives generated by ClamAV Official signatures. Please correct the above errors and retry. Thank you for helping the ClamAV project.
> --
>
> * ClamAV 0.97.6/15708/Mon Dec 10 04:27:19 2012
> * bytecode.cvd: Clam AntiVirus database 07 Dec 2012 11-56 -0500, version 203, gzipped
> * daily.cvd: Clam AntiVirus database 09 Dec 2012 22-27 -0500, version 1570, gzipped
> * main.cvd: Clam AntiVirus database 11 Oct 2011 10-34 -0400, version 54, gzipped
>
> Here is some debug output:
>
>     LibClamAV debug: Bytecode found virus: BC.Exploit.CVE_2012_1885-1
>     LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
>     LibClamAV debug: BC.Exploit.CVE_2012_1885-1 found in descriptor 4
>     LibClamAV debug: FP SIGNATURE: 5f0acbdb343776f56a64efae302cb581:177664:BC.Exploit.CVE_2012_1885-1
>     LibClamAV debug: cli_magic_scandesc: returning 1 at line 2388
>     LibClamAV debug: FP SIGNATURE: c7054cb8e0d78fbb65929c5fbed889ab:22415087:BC.Exploit.CVE_2012_1885-1
>     LibClamAV debug: cli_magic_scandesc: returning 1 at line 2350
>
> Can somebody tell me anything more?
>
> Best regards
> Matthias

-- 
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com