Re: [clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-21 Thread Steven Morgan
The problem report for this issue is
https://bugzilla.clamav.net/show_bug.cgi?id=11651.

Steve

On Wed, Oct 19, 2016 at 5:29 PM, Joel Esler (jesler) wrote:

> Yup, that’s one of mine.  Glad to see my system is working ;)
>
> As far as why it didn’t work, I’ll have to defer this to Steve on the dev
> team.
>
> --
> Joel Esler | Talos: Manager| jes...@cisco.com
>
>
>
>
>
> On Oct 19, 2016, at 10:16 AM, Steve Basford wrote:
>
>
> On Wed, October 19, 2016 3:12 pm, Joel Esler (jesler) wrote:
> Heino,
>
>
> Can you clarify which sig caught it?
>
>
> Doc.Dropper.Agent-177659 is not an actual sig number.
>
> Damn cut and paste... it's: Doc.Dropper.Agent-1776597
> (a hash)
>
> --
> Cheers,
>
> Steve
> Twitter: @sanesecurity
>
> ___
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>

Re: [clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-19 Thread Joel Esler (jesler)
Yup, that’s one of mine.  Glad to see my system is working ;)

As far as why it didn’t work, I’ll have to defer this to Steve on the dev team.

--
Joel Esler | Talos: Manager| jes...@cisco.com





On Oct 19, 2016, at 10:16 AM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:


On Wed, October 19, 2016 3:12 pm, Joel Esler (jesler) wrote:
Heino,


Can you clarify which sig caught it?


Doc.Dropper.Agent-177659 is not an actual sig number.

Damn cut and paste... it's: Doc.Dropper.Agent-1776597
(a hash)

--
Cheers,

Steve
Twitter: @sanesecurity


Re: [clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-19 Thread Steve Basford

On Wed, October 19, 2016 3:12 pm, Joel Esler (jesler) wrote:
> Heino,
>
>
> Can you clarify which sig caught it?
>
>
> Doc.Dropper.Agent-177659 is not an actual sig number.

Damn cut and paste... it's: Doc.Dropper.Agent-1776597
(a hash)

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-19 Thread Joel Esler (jesler)
So to be clear, it is not detected or it is detected?


--
Joel Esler | Talos: Manager| jes...@cisco.com





On Oct 19, 2016, at 9:50 AM, Heino Backhaus <heino.backh...@fink-computer.de> wrote:

Hello List,

We've received today early in the morning mails with a Word document
containing a malicious macro,
which was not detected by ClamAV. It is now detected as
Doc.Dropper.Agent-177659.
I've set up clamd with the OLE2BlockMacros yes option which normally
works fine, but not with this file.
Even though I've reported this as a bug, I just wanted to ask if
somebody knows more about this.

--
Mit freundlichen Gruessen

H. Backhaus

Fink-Computer Systeme
Heggrabenstr. 9, 35435 Wettenberg
Email: heino.backh...@fink-computer.de
Web: www.fink-computer.de
Fax: +49-641-98444638
Fon: +49-641-98444640
UST-ID: DE151040770
HRB: 2143 Gießen
GF: Fredi Fink

"In retrospect it becomes clear that hindsight is definitely overrated!"

 -Alfred E. Neumann


Re: [clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-19 Thread Joel Esler (jesler)
Heino,

Can you clarify which sig caught it?

Doc.Dropper.Agent-177659 is not an actual sig number.


--
Joel Esler | Talos: Manager| jes...@cisco.com





On Oct 19, 2016, at 10:08 AM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:


On Wed, October 19, 2016 3:05 pm, Joel Esler (jesler) wrote:
So to be clear, it is not detected or it is detected?

I think he's saying...

* It *should* have been blocked with OLE2BlockMacros yes option but *wasn't*
* It is now detected as Doc.Dropper.Agent-177659

--
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-19 Thread Steve Basford

On Wed, October 19, 2016 3:05 pm, Joel Esler (jesler) wrote:
> So to be clear, it is not detected or it is detected?

I think he's saying...

* It *should* have been blocked with OLE2BlockMacros yes option but *wasn't*
* It is now detected as Doc.Dropper.Agent-177659

-- 
Cheers,

Steve
Twitter: @sanesecurity



[clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-19 Thread Heino Backhaus
Hello List,

We've received today early in the morning mails with a Word document
containing a malicious macro,
which was not detected by ClamAV. It is now detected as
Doc.Dropper.Agent-177659.
I've set up clamd with the OLE2BlockMacros yes option which normally
works fine, but not with this file.
Even though I've reported this as a bug, I just wanted to ask if
somebody knows more about this.

-- 
Mit freundlichen Gruessen

H. Backhaus 

Fink-Computer Systeme
Heggrabenstr. 9, 35435 Wettenberg
Email: heino.backh...@fink-computer.de
Web: www.fink-computer.de
Fax: +49-641-98444638
Fon: +49-641-98444640
UST-ID: DE151040770
HRB: 2143 Gießen
GF: Fredi Fink

"In retrospect it becomes clear that hindsight is definitely overrated!"
  
  -Alfred E. Neumann
