Re: [clamav-users] Win.Exploit.Unicode_Mixed-1 false positives

2018-05-23 Thread Al Varnell
Resending in case the first doesn't get through...

On Wed, May 23, 2018 at 07:38 AM, Noel Jones wrote:
> On 5/23/2018 4:43 AM, Tilman Schmidt wrote:
>> We're getting frequent false positives from ClamAV for
>> Win.Exploit.Unicode_Mixed-1 in tcpdump files from our IDS.
>> Googling that virus name only turns up a few hits on virscan.org which
>> seem to be indicating a tendency of that signature to trigger on
>> logfiles and the like, but no actual information about the threat.
>> 
>> What is that signature trying to detect?
>> Is this a Known Problem?
>> What's the best way to handle it?
>> 
> 
> This signature looks for a string of binary characters.

It could also be a string of ASCII characters (not included to prevent this 
e-mail from being detected as infected), but the same advice would apply.

> It's not generally useful to run clamscan on pseudo-random data such
> as tcpdumps, logfiles, raw disk images, etc. False positives can
> be expected from signatures that look for strings of binary characters.
> 
> You can tell clam to ignore this particular signature by adding the
> name to a text file named local.ign2 (or any name ending in .ign2)
> in the same directory where the clam databases live.
> 
> # local.ign2
> Win.Exploit.Unicode_Mixed-1
> 
> However, I wouldn't be surprised if the dump starts hitting some
> other binary signature if you ignore this one.
> 
> I think the best way to handle this is "don't scan pseudo-random files"
> 
> 
> 
>  -- Noel Jones
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Win.Exploit.Unicode_Mixed-1 false positives

2018-05-23 Thread Tilman Schmidt
On 23.05.2018 at 18:07, G.W. Haywood wrote:
> My advice would be a more general "use your loaf". :)

Cute idiom. I had to google that. :-)



Re: [clamav-users] Win.Exploit.Unicode_Mixed-1 false positives

2018-05-23 Thread G.W. Haywood

Hi there,

On Wed, 23 May 2018, Noel Jones wrote:

> I think the best way to handle this is "don't scan pseudo-random files"

My advice would be a more general "use your loaf". :)

--

73,
Ged.


Re: [clamav-users] Win.Exploit.Unicode_Mixed-1 false positives

2018-05-23 Thread Noel Jones
On 5/23/2018 4:43 AM, Tilman Schmidt wrote:
> We're getting frequent false positives from ClamAV for
> Win.Exploit.Unicode_Mixed-1 in tcpdump files from our IDS.
> Googling that virus name only turns up a few hits on virscan.org which
> seem to be indicating a tendency of that signature to trigger on
> logfiles and the like, but no actual information about the threat.
> 
> What is that signature trying to detect?
> Is this a Known Problem?
> What's the best way to handle it?
> 

This signature looks for a string of binary characters.

It's not generally useful to run clamscan on pseudo-random data such
as tcpdumps, logfiles, raw disk images, etc. False positives can
be expected from signatures that look for strings of binary characters.

You can tell clam to ignore this particular signature by adding the
name to a text file named local.ign2 (or any name ending in .ign2)
in the same directory where the clam databases live.

# local.ign2
Win.Exploit.Unicode_Mixed-1

However, I wouldn't be surprised if the dump starts hitting some
other binary signature if you ignore this one.

I think the best way to handle this is "don't scan pseudo-random files"



  -- Noel Jones


Re: [clamav-users] Win.Exploit.Unicode_Mixed-1 false positives

2018-05-23 Thread Al Varnell
On Wed, May 23, 2018 at 02:43 AM, Tilman Schmidt wrote:
> We're getting frequent false positives from ClamAV for
> Win.Exploit.Unicode_Mixed-1 in tcpdump files from our IDS.
> Googling that virus name only turns up a few hits on virscan.org which
> seem to be indicating a tendency of that signature to trigger on
> logfiles and the like, but no actual information about the threat.

It's a relatively old signature as indicated by the fact it's in the main.cvd.

> What is that signature trying to detect?

$ sigtool -fWin.Exploit.Unicode_Mixed-1
[main.ndb] 
Win.Exploit.Unicode_Mixed-1:0:*:6a5841514144415a41424152414c41594149415141494151414941684141415a3141494149414a31314149414941424142414251493141495149414951493131314149414a5159415a4241424142414241426b4d4147423975344a42

> Is this a Known Problem?

Probably not since you are the first to report it here, after all this time.

Here's an example where 33 other scanners found one such file to be infected, 
which may give you a better idea of what the threat is:


-Al-
-- 
Al Varnell
Mountain View, CA
ClamXAV User




[clamav-users] Win.Exploit.Unicode_Mixed-1 false positives

2018-05-23 Thread Tilman Schmidt
We're getting frequent false positives from ClamAV for
Win.Exploit.Unicode_Mixed-1 in tcpdump files from our IDS.
Googling that virus name only turns up a few hits on virscan.org which
seem to be indicating a tendency of that signature to trigger on
logfiles and the like, but no actual information about the threat.

What is that signature trying to detect?
Is this a Known Problem?
What's the best way to handle it?

-- 
Tilman Schmidt
Head of System and Network Engineering

Tel. 0221 / 95 64 95 .417
Fax 0221 / 95 64 95 .999
e-Mail tschm...@cardtech.de

cardtech
Card & POS Service GmbH
Richard-Byrd-Straße 37
50829 Köln
www.cardtech.de

AG Köln, HRB 20164
Managing Directors: Dr. Dietrich Gottwald, Christof Kohns, Jens Mahlke,
Marcus W. Mosen