Re: [clamav-users] Grizzly Steppe

2017-01-06 Thread Joel Esler (jesler)
http://blog.talosintel.com/2017/01/grizzly-steppe.html


--
Joel Esler | Talos: Manager | jes...@cisco.com

On Jan 5, 2017, at 11:40 AM, Joel Esler (jesler) wrote:

AMP has far more coverage than ClamAV.  As the coverage can be generated much 
more quickly and without a DB to download, it happens in real time.

As far as coverage for ClamAV, and Alain can correct me if I am wrong, I 
believe coverage has been pushed out.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Jan 4, 2017, at 6:52 PM, Eric Tykwinski wrote:

This was my concern about Cisco’s AMP product on ASA’s and NGIPS’s.  I’m going 
to be beta testing stuff out shortly, but don’t have high hopes besides the 
Snort rules.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

On Jan 4, 2017, at 6:23 PM, Reindl Harald wrote:



Am 04.01.2017 um 23:12 schrieb Al Varnell:
Can somebody with access to those samples run them against a virgin ClamAV 
signature database to answer the question?  I'd be happy to if there are 
samples I can access.

official, virgin signatures don't and probably will never recognize recent 
malware and following this list you should know this already


___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Grizzly Steppe

2017-01-05 Thread Joel Esler (jesler)
AMP has far more coverage than ClamAV.  As the coverage can be generated much 
more quickly and without a DB to download, it happens in real time.

As far as coverage for ClamAV, and Alain can correct me if I am wrong, I 
believe coverage has been pushed out.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Jan 4, 2017, at 6:52 PM, Eric Tykwinski wrote:

This was my concern about Cisco’s AMP product on ASA’s and NGIPS’s.  I’m going 
to be beta testing stuff out shortly, but don’t have high hopes besides the 
Snort rules.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

On Jan 4, 2017, at 6:23 PM, Reindl Harald wrote:



Am 04.01.2017 um 23:12 schrieb Al Varnell:
Can somebody with access to those samples run them against a virgin ClamAV 
signature database to answer the question?  I'd be happy to if there are 
samples I can access.

official, virgin signatures don't and probably will never recognize recent 
malware and following this list you should know this already



Re: [clamav-users] Grizzly Steppe

2017-01-05 Thread Joel Esler (jesler)
Where did you send them?


--
Joel Esler | Talos: Manager | jes...@cisco.com

On Jan 4, 2017, at 7:12 PM, TR Shaw wrote:

I have offered sigs to ClamAV official but have heard nothing back yet.

On Jan 4, 2017, at 6:52 PM, Eric Tykwinski wrote:

This was my concern about Cisco’s AMP product on ASA’s and NGIPS’s.  I’m going 
to be beta testing stuff out shortly, but don’t have high hopes besides the 
Snort rules.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

On Jan 4, 2017, at 6:23 PM, Reindl Harald wrote:



Am 04.01.2017 um 23:12 schrieb Al Varnell:
Can somebody with access to those samples run them against a virgin ClamAV 
signature database to answer the question?  I'd be happy to if there are 
samples I can access.

official, virgin signatures don't and probably will never recognize recent 
malware and following this list you should know this already



Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread Al Varnell
I have checked VirusTotal and none of the 23 samples submitted yesterday were 
detected at the time of submission by ClamAV. I'd estimate that an average of 
20 of 55 scanners did detect them as infected. On the basis of that I would 
have to guess that ClamAV signatures will not detect Grizzly Steppe at this 
time, but will probably be able to shortly.

-Al-

On Wed, Jan 04, 2017 at 04:12 PM, TR Shaw wrote:
> 
> I have offered sigs to ClamAV official but have heard nothing back yet.
> 
>> On Jan 4, 2017, at 6:52 PM, Eric Tykwinski  wrote:
>> 
>> This was my concern about Cisco’s AMP product on ASA’s and NGIPS’s.  I’m 
>> going to be beta testing stuff out shortly, but don’t have high hopes 
>> besides the Snort rules.
>> 
>> Sincerely,
>> 
>> Eric Tykwinski





Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread TR Shaw
I have offered sigs to ClamAV official but have heard nothing back yet.

> On Jan 4, 2017, at 6:52 PM, Eric Tykwinski  wrote:
> 
> This was my concern about Cisco’s AMP product on ASA’s and NGIPS’s.  I’m 
> going to be beta testing stuff out shortly, but don’t have high hopes besides 
> the Snort rules.
> 
> Sincerely,
> 
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
> 
>> On Jan 4, 2017, at 6:23 PM, Reindl Harald  wrote:
>> 
>> 
>> 
>> Am 04.01.2017 um 23:12 schrieb Al Varnell:
>>> Can somebody with access to those samples run them against a virgin ClamAV 
>>> signature database to answer the question?  I'd be happy to if there are 
>>> samples I can access.
>> 
>> official, virgin signatures don't and probably will never recognize recent 
>> malware and following this list you should know this already
>> 
> 

Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread Eric Tykwinski
This was my concern about Cisco’s AMP product on ASA’s and NGIPS’s.  I’m going 
to be beta testing stuff out shortly, but don’t have high hopes besides the 
Snort rules.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Jan 4, 2017, at 6:23 PM, Reindl Harald  wrote:
> 
> 
> 
> Am 04.01.2017 um 23:12 schrieb Al Varnell:
>> Can somebody with access to those samples run them against a virgin ClamAV 
>> signature database to answer the question?  I'd be happy to if there are 
>> samples I can access.
> 
> official, virgin signatures don't and probably will never recognize recent 
> malware and following this list you should know this already
> 


Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread Reindl Harald



Am 04.01.2017 um 23:12 schrieb Al Varnell:

Can somebody with access to those samples run them against a virgin ClamAV 
signature database to answer the question?  I'd be happy to if there are 
samples I can access.


official, virgin signatures don't and probably will never recognize 
recent malware and following this list you should know this already



On Wed, Jan 04, 2017 at 07:33 AM, TR Shaw wrote:


I added detection in winnow_extended_malware.hdb, which is distributed in the 
sanesecurity feed, the day after the JAR was released.  I also searched for the 
RAT and added signatures for that as well in winnow_malware_links.ndb.

Signatures are identified as winnow.Trojan.GRIZZLY_STEPPE.

Tom



On Jan 4, 2017, at 10:26 AM, Andrew McGrath  wrote:

I'm being asked a question by our security team that I am struggling
to answer. The question is "Does ClamAV detect Grizzly Steppe?".

I've hunted around the archives, support pages and google, but do not
see any discussion about this, could anyone comment?



Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread Al Varnell
Tom,

It's not that I don't want to use your sigs, but in order to assist ClamXav 
users I need my setup to match theirs and it currently only uses ClamXav 
macOS/OS X specific unofficial. There is talk of adding others in the future, 
but not now.

-Al-

On Wed, Jan 04, 2017 at 02:17 PM, TR Shaw wrote:
> 
> Doesn’t detect the RAT
> 
> Al, if you don’t want to run my unofficial sigs I would be happy to provide 
> them to Joel for incorporation into official db.
> 
> 
> 
>> On Jan 4, 2017, at 5:12 PM, Al Varnell  wrote:
>> 
>> Can somebody with access to those samples run them against a virgin ClamAV 
>> signature database to answer the question?  I'd be happy to if there are 
>> samples I can access.
>> 
>> -Al-
>> 
>> On Wed, Jan 04, 2017 at 07:33 AM, TR Shaw wrote:
>>> 
>>> I added detection in winnow_extended_malware.hdb, which is distributed in 
>>> the sanesecurity feed, the day after the JAR was released.  I also searched 
>>> for the RAT and added signatures for that as well in 
>>> winnow_malware_links.ndb.
>>> 
>>> Signatures are identified as winnow.Trojan.GRIZZLY_STEPPE.
>>> 
>>> Tom
>>> 
>>> 
 On Jan 4, 2017, at 10:26 AM, Andrew McGrath  wrote:
 
 I'm being asked a question by our security team that I am struggling
 to answer. The question is "Does ClamAV detect Grizzly Steppe?".
 
 I've hunted around the archives, support pages and google, but do not
 see any discussion about this, could anyone comment?
 
 Thank you!



Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread TR Shaw
Doesn’t detect the RAT

Al, if you don’t want to run my unofficial sigs I would be happy to provide 
them to Joel for incorporation into official db.



> On Jan 4, 2017, at 5:12 PM, Al Varnell  wrote:
> 
> Can somebody with access to those samples run them against a virgin ClamAV 
> signature database to answer the question?  I'd be happy to if there are 
> samples I can access.
> 
> -Al-
> 
> On Wed, Jan 04, 2017 at 07:33 AM, TR Shaw wrote:
>> 
>> I added detection in winnow_extended_malware.hdb, which is distributed in the 
>> sanesecurity feed, the day after the JAR was released.  I also searched for 
>> the RAT and added signatures for that as well in winnow_malware_links.ndb.
>> 
>> Signatures are identified as winnow.Trojan.GRIZZLY_STEPPE.
>> 
>> Tom
>> 
>> 
>>> On Jan 4, 2017, at 10:26 AM, Andrew McGrath  wrote:
>>> 
>>> I'm being asked a question by our security team that I am struggling
>>> to answer. The question is "Does ClamAV detect Grizzly Steppe?".
>>> 
>>> I've hunted around the archives, support pages and google, but do not
>>> see any discussion about this, could anyone comment?
>>> 
>>> Thank you!




Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread Al Varnell
Can somebody with access to those samples run them against a virgin ClamAV 
signature database to answer the question?  I'd be happy to if there are 
samples I can access.

-Al-

On Wed, Jan 04, 2017 at 07:33 AM, TR Shaw wrote:
> 
> I added detection in winnow_extended_malware.hdb, which is distributed in the 
> sanesecurity feed, the day after the JAR was released.  I also searched for 
> the RAT and added signatures for that as well in winnow_malware_links.ndb.
> 
> Signatures are identified as winnow.Trojan.GRIZZLY_STEPPE.
> 
> Tom
> 
> 
>> On Jan 4, 2017, at 10:26 AM, Andrew McGrath  wrote:
>> 
>> I'm being asked a question by our security team that I am struggling
>> to answer. The question is "Does ClamAV detect Grizzly Steppe?".
>> 
>> I've hunted around the archives, support pages and google, but do not
>> see any discussion about this, could anyone comment?
>> 
>> Thank you!



Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread TR Shaw
I added detection in winnow_extended_malware.hdb, which is distributed in the 
sanesecurity feed, the day after the JAR was released.  I also searched for the 
RAT and added signatures for that as well in winnow_malware_links.ndb.

Signatures are identified as winnow.Trojan.GRIZZLY_STEPPE.

Tom


> On Jan 4, 2017, at 10:26 AM, Andrew McGrath  wrote:
> 
> I'm being asked a question by our security team that I am struggling
> to answer. The question is "Does ClamAV detect Grizzly Steppe?".
> 
> I've hunted around the archives, support pages and google, but do not
> see any discussion about this, could anyone comment?
> 
> Thank you!

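TR Shaw's message above describes shipping detection as an .hdb hash signature and an .ndb body signature through the unofficial sanesecurity feed, while Al Varnell asks what a "virgin" official database would do with the same samples. The following Python is an added example, not code from this thread or from ClamAV itself: it builds entries in those two signature formats and scans one constructed sample against an empty official database and the unofficial entries separately, so the report shows which feed a detection comes from and why a body signature still fires on a re-packed sample after the hash signature stops matching. The sample bytes, hash and hex pattern are constructed; only the signature name winnow.Trojan.GRIZZLY_STEPPE is taken from the thread.

```python
# Added example, not code from the thread or from ClamAV: a minimal matcher for the
# two signature file types TR Shaw names, .hdb (hash) and .ndb (body). All sample
# bytes, hashes and hex patterns below are constructed for illustration.
import hashlib
import re
# .hdb line: MD5:FileSize:MalwareName
# .ndb line: MalwareName:TargetType:Offset:HexSignature
#   TargetType 0 = any file type; Offset '*' = anywhere; '??' = one wildcard byte.

def hdb_entry(name: str, data: bytes) -> str:
    """Hash signature for one exact sample; any change to the file breaks it."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def ndb_entry(name: str, pattern: bytes, target: int = 0, offset: str = "*") -> str:
    """Body signature for a byte pattern, by default matched anywhere in the file."""
    return f"{name}:{target}:{offset}:{pattern.hex()}"

def _hex_to_regex(hexsig: str) -> re.Pattern:
    """Translate ClamAV hex notation (with '??' wildcards) into a bytes regex."""
    parts = [b"." if hexsig[i:i + 2] == "??" else re.escape(bytes.fromhex(hexsig[i:i + 2]))
             for i in range(0, len(hexsig), 2)]
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data: bytes, hdb: list, ndb: list) -> list:
    """Return (MalwareName, signature type) for every signature that matches data."""
    hits, md5 = [], hashlib.md5(data).hexdigest()
    for line in hdb:
        h, size, name = line.split(":")[:3]
        if h == md5 and int(size) == len(data):
            hits.append((name, "hdb"))
    for line in ndb:
        name, _target, offset, hexsig = line.split(":")[:4]
        m = _hex_to_regex(hexsig).search(data)
        if m and (offset == "*" or m.start() == int(offset)):
            hits.append((name, "ndb"))
    return hits

def coverage_report(sample: bytes, feeds: dict) -> dict:
    """Scan against each feed on its own, like one clamscan run with only the
    official database and one with only the unofficial files."""
    return {feed: scan(sample, hdb, ndb) for feed, (hdb, ndb) in feeds.items()}

# Constructed stand-in for a malicious JAR: a ZIP local-file header plus a marker string.
SAMPLE = b"PK\x03\x04" + b"\x00" * 26 + b"META-INF/MANIFEST.MF" + b"gs_rat_cfg_v1"
OFFICIAL = ([], [])  # a "virgin" database with no entry for this family yet
UNOFFICIAL = (       # hypothetical winnow-style entries, named as in the thread
    [hdb_entry("winnow.Trojan.GRIZZLY_STEPPE", SAMPLE)],
    [ndb_entry("winnow.Trojan.GRIZZLY_STEPPE", b"gs_rat_cfg_v1")],
)

if __name__ == "__main__":
    for feed, hits in coverage_report(SAMPLE, {"official": OFFICIAL, "unofficial": UNOFFICIAL}).items():
        print(feed, hits or "no detection")
    print("re-packed sample:", scan(SAMPLE + b"\x00", *UNOFFICIAL))  # hash sig misses, body sig hits
```

The same separation is what a real check looks like: run clamscan once pointed only at the official main/daily files and once at the unofficial files, and compare which run reports the hit.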


Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread Ralf Hildebrandt
* Andrew McGrath :
> I'm being asked a question by our security team that I am struggling
> to answer. The question is "Does ClamAV detect Grizzly Steppe?".
> 
> I've hunted around the archives, support pages and google, but do not
> see any discussion about this, could anyone comment?

They probably mean the exploit code used in operation Grizzly Steppe
APT 29, APT 28, Cozybear, Fancybear, Sandworm, Sofacy etc.
https://www.dhs.gov/news/2016/12/30/executive-summary-grizzly-steppe-findings-homeland-security-assistant-secretary

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

[clamav-users] Grizzly Steppe

2017-01-04 Thread Andrew McGrath
I'm being asked a question by our security team that I am struggling
to answer. The question is "Does ClamAV detect Grizzly Steppe?".

I've hunted around the archives, support pages and google, but do not
see any discussion about this, could anyone comment?

Thank you!