Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus
> Back to the original problem. Is Simon's answer the cause (only broken PE headers are detected, not executables that are broken somewhere else)?

> Hopefully Arnaud will be able to catch one soon so we can clear up the mystery!

I caught two different samples (NetSky.Y and Sober.gen) not caught by ClamAV but caught by TrendMicro VirusWall. I submitted them through the site but I get a message saying 'already recognized'. What should I do to submit them to the team for further analysis?

Arnaud
ContactOffice

___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus
Arnaud Huret [EMAIL PROTECTED] wrote:
> I caught two different samples (NetSky.Y and Sober.gen) not caught by ClamAV but caught by TrendMicro VirusWall. I submitted them through the site but I get a message saying 'already recognized'. What should I do to submit them to the team for further analysis?

If you send me the samples in a password protected zip archive (password 'virus') I will take a look :o)

Regards,
Simon
Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus
Arnaud Huret [EMAIL PROTECTED] wrote:
> Here you are.
>
> Many thanks,
> Arnaud

Thanks for the samples Arnaud, they are both viable and run on my test kit - and they are both detected using ClamAV devel-20050413/840/Tue Apr 19 02:42:09 2005.

mail.document.Datex-packed.exe: Worm.Sober.N FOUND
WORM_NETSKY.Y_www.yahoo.fr.stlouissec.session-02D3.com: Worm.SomeFool.Y FOUND

----------- SCAN SUMMARY -----------
Known viruses: 33129
Engine version: devel-20050413
Scanned directories: 0
Scanned files: 2
Infected files: 2
Data scanned: 0.08 MB
Time: 0.621 sec (0 m 0 s)

The Sober signature is new (this variant was discovered yesterday), but the SomeFool/Netsky signature has been in for a while. Which version of Clam are you using?

Regards,
Simon
Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus
On Tue, 19 Apr 2005 08:44:45 +0200 (CEST) Arnaud Huret [EMAIL PROTECTED] wrote:
>> Back to the original problem. Is Simon's answer the cause (only broken PE headers are detected, not executables that are broken somewhere else)?
>
>> Hopefully Arnaud will be able to catch one soon so we can clear up the mystery!
>
> I caught two different samples (NetSky.Y and Sober.gen) not caught by ClamAV but caught by TrendMicro VirusWall. I submitted them through the site but I get a message saying 'already recognized'. What should I do to submit them to the team for further analysis?

We don't want them.

--
   oo.    Tomasz Kojm [EMAIL PROTECTED]
  (\/)\.  http://www.ClamAV.net/gpg/tkojm.gpg
   \..._  0DCA5A08407D5288279DB43454822DC8985A444B
   //\ /\ Tue Apr 19 14:44:20 CEST 2005
Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus
On Mon, 18 Apr 2005 14:10:35 -0500 René Berber [EMAIL PROTECTED] wrote:
> does not enable detecting them. Why? because you have to uncomment DisableDefaultScanOptions to enable or disable the other options; even if you have DetectBrokenExecutables uncommented the default value of disabled is in effect...

This is wrong.

--
   oo.    Tomasz Kojm [EMAIL PROTECTED]
  (\/)\.  http://www.ClamAV.net/gpg/tkojm.gpg
   \..._  0DCA5A08407D5288279DB43454822DC8985A444B
   //\ /\ Mon Apr 18 21:19:21 CEST 2005
Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus
René Berber wrote:
> Tomasz Kojm wrote:
>> On Mon, 18 Apr 2005 14:10:35 -0500 René Berber [EMAIL PROTECTED] wrote:
>>> does not enable detecting them. Why? because you have to uncomment DisableDefaultScanOptions to enable or disable the other options; even if you have DetectBrokenExecutables uncommented the default value of disabled is in effect...
>>
>> This is wrong.
>
> From version 0.83 clamd.conf man page:
>
>        DisableDefaultScanOptions
>               By default clamd uses scan options recommended by libclamav. This option disables recommended options and allows you to enable selected options. DO NOT ENABLE IT unless you know what you are doing.
>               Default: disabled
>
>        ScanPE
>               PE stands for Portable Executable - it's an executable file format used in all 32-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and it's also required for decompression of popular executable packers such as UPX.
>               Default: enabled
>
>        DetectBrokenExecutables
>               With this option clamd will try to detect broken executables and mark them as Broken.Executable.
>               Default: disabled
>
> What is wrong? To enable detecting broken executables you have to change two options in the clamd.conf file (not only one as shown in the posted options), one is uncommenting DisableDefaultScanOptions, the second is uncommenting DetectBrokenExecutables.

What is wrong? Your explanation is wrong, that's what. You only have to uncomment DetectBrokenExecutables to enable the option. The default is disabled. To enable it, uncomment it.

You are thinking about options that are by default enabled but commented out. To disable these options, this is where you must enable DisableDefaultScanOptions. Your thinking is correct, but you're applying it to the wrong circumstance.

-Jim
Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus
On Mon, 18 Apr 2005 14:39:02 -0500 René Berber [EMAIL PROTECTED] wrote:
> Tomasz Kojm wrote:
>> On Mon, 18 Apr 2005 14:10:35 -0500 René Berber [EMAIL PROTECTED] wrote:
>>> does not enable detecting them. Why? because you have to uncomment DisableDefaultScanOptions to enable or disable the other options; even if you have DetectBrokenExecutables uncommented the default value of disabled is in effect...
>>
>> This is wrong.
>
> From version 0.83 clamd.conf man page:
>
>        DisableDefaultScanOptions
>               By default clamd uses scan options recommended by libclamav. This option disables recommended options and allows you to enable selected options. DO NOT ENABLE IT unless you know what you are doing.
>               Default: disabled
>
>        ScanPE
>               PE stands for Portable Executable - it's an executable file format used in all 32-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and it's also required for decompression of popular executable packers such as UPX.
>               Default: enabled
>
>        DetectBrokenExecutables
>               With this option clamd will try to detect broken executables and mark them as Broken.Executable.
>               Default: disabled
>
> What is wrong? To enable detecting broken executables you have to change two options in the clamd.conf file (not only one as shown in the posted options), one is uncommenting DisableDefaultScanOptions, the second is uncommenting DetectBrokenExecutables.

No. DisableDefaultScanOptions disables features enabled by default and DetectBrokenExecutables is not. Anyway, DisableDefaultScanOptions will be removed in clamav-devel in the next week.

--
   oo.    Tomasz Kojm [EMAIL PROTECTED]
  (\/)\.  http://www.ClamAV.net/gpg/tkojm.gpg
   \..._  0DCA5A08407D5288279DB43454822DC8985A444B
   //\ /\ Mon Apr 18 22:25:36 CEST 2005
Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus
On Tue, 19 Apr 2005 06:22:31 +1000 Owen [EMAIL PROTECTED] wrote:
> I used to get the same thing when I set up Clamav. I will point out that I run Clamav for Windows and call clamscan.exe, not clamdscan. I have a pretty low volume mail server so the overhead is not a concern to me. The solution for me was to use the --mbox parameter. I'm unsure if that has any effect when calling clamdscan, but you may want to try scanning the same message using these settings.

--mbox is no longer needed since 0.80

--
   oo.    Tomasz Kojm [EMAIL PROTECTED]
  (\/)\.  http://www.ClamAV.net/gpg/tkojm.gpg
   \..._  0DCA5A08407D5288279DB43454822DC8985A444B
   //\ /\ Mon Apr 18 22:26:43 CEST 2005
Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus
On Mon, Apr 18, 2005 at 02:39:02PM -0500, René Berber said:
> Tomasz Kojm wrote:
>> On Mon, 18 Apr 2005 14:10:35 -0500 René Berber [EMAIL PROTECTED] wrote:
>>> does not enable detecting them. Why? because you have to uncomment DisableDefaultScanOptions to enable or disable the other options; even if you have DetectBrokenExecutables uncommented the default value of disabled is in effect...
>>
>> This is wrong.
>
> From version 0.83 clamd.conf man page:
>
>        DisableDefaultScanOptions
>               By default clamd uses scan options recommended by libclamav. This option disables recommended options and allows you to enable selected options. DO NOT ENABLE IT unless you know what you are doing.
>               Default: disabled

There is a set of options, DefaultScanOptions, that includes a subset of the total options. All options in the set DefaultScanOptions are enabled by default. The only way to disable them in the 0.8x series is to use the option DisableDefaultScanOptions.

The problem is that in the 0.8x series, the options are not boolean (there is no on/off or yes/no argument to most options). So the question arises, how do you disable something that is enabled by default? Commenting it out won't work, since then the library will use the default. The only way currently is with DisableDefaultScanOptions.

>        ScanPE
>               PE stands for Portable Executable - it's an executable file format used in all 32-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files and it's also required for decompression of popular executable packers such as UPX.
>               Default: enabled
>
>        DetectBrokenExecutables
>               With this option clamd will try to detect broken executables and mark them as Broken.Executable.
>               Default: disabled
>
> What is wrong? To enable detecting broken executables you have to change two options in the clamd.conf file (not only one as shown in the posted options), one is uncommenting DisableDefaultScanOptions, the second is uncommenting DetectBrokenExecutables.

This option is by default disabled, and is not part of the set DefaultScanOptions. If you see Default: enabled, it is a member of the set. Does that make it more clear?

--
 --------------------------------------------------------------------------
| Stephen Gran                  | Feel disillusioned? I've got some        |
| [EMAIL PROTECTED]             | great new illusions, right here!         |
| http://www.lobefin.net/~steve |                                          |
 --------------------------------------------------------------------------
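The option semantics that Jim and Stephen spell out above (options are not boolean, "Default: enabled" options form the DefaultScanOptions set, DisableDefaultScanOptions drops that whole set, DetectBrokenExecutables is outside it) are easy to get wrong by reading a single man page entry. The following resolver is an added example written for this page, not ClamAV's own parser: it computes the effective scan options for a 0.8x-style clamd.conf under exactly those rules and flags the overshoot René's reading would produce. Only ScanPE is confirmed as a set member by the quoted man page; the sample configs are constructed, and the `LogFile` line merely stands in for unrelated options.

```python
"""Added example: resolver for the 0.8x-era clamd.conf scan-option rules
described in this thread. Illustrative code for this page, not ClamAV's own
configuration parser.

Rules modelled, as stated in the thread:
  * Options are not boolean; an uncommented option line turns it on.
  * Options documented "Default: enabled" (ScanPE in the quoted man page)
    form the DefaultScanOptions set and stay on even when commented out.
  * DisableDefaultScanOptions switches that whole set off; afterwards only
    explicitly uncommented options are applied.
  * DetectBrokenExecutables is "Default: disabled" and not in the set, so
    uncommenting it alone enables Broken.Executable detection.
"""

# Membership of the DefaultScanOptions set. Only ScanPE is confirmed by the
# man page excerpt quoted in the thread (assumption: add further members
# from the "Default: enabled" entries of your own clamd.conf man page).
DEFAULT_SCAN_OPTIONS = frozenset({"ScanPE"})

# Scan options documented "Default: disabled" in the thread.
OPTIONAL_SCAN_OPTIONS = frozenset({"DetectBrokenExecutables"})


def uncommented_options(conf_text):
    """Return the names of all options that appear uncommented in the file."""
    names = set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                 # blank or commented-out line
        names.add(line.split()[0])   # the option name is the first token
    return names


def effective_scan_options(conf_text):
    """Compute the scan options clamd would actually apply."""
    explicit = uncommented_options(conf_text)
    if "DisableDefaultScanOptions" in explicit:
        # Defaults are gone; only explicitly enabled known options survive.
        return (DEFAULT_SCAN_OPTIONS | OPTIONAL_SCAN_OPTIONS) & explicit
    # Defaults stay on; optional ones need an uncommented line.
    return DEFAULT_SCAN_OPTIONS | (OPTIONAL_SCAN_OPTIONS & explicit)


def audit(conf_text):
    """Return the findings a reviewer of the config would want to see."""
    explicit = uncommented_options(conf_text)
    effective = effective_scan_options(conf_text)
    findings = []
    if "DisableDefaultScanOptions" in explicit:
        lost = DEFAULT_SCAN_OPTIONS - explicit
        if lost:
            findings.append(
                "DisableDefaultScanOptions silently turned off: "
                + ", ".join(sorted(lost))
                + " (ScanPE is required to unpack UPX-packed executables)")
        else:
            findings.append(
                "DisableDefaultScanOptions is set but every default option "
                "is re-enabled explicitly, so it has no effect")
    if "DetectBrokenExecutables" not in effective:
        findings.append(
            "DetectBrokenExecutables is off: damaged executables will not "
            "be reported as Broken.Executable")
    return findings


# Constructed sample configs (not taken from any real clamd.conf).
# What Jim describes as sufficient: only the disabled-by-default option
# is uncommented; ScanPE keeps its default.
CORRECT_CONF = """\
LogFile /var/log/clamd.log
#DisableDefaultScanOptions
#ScanPE
DetectBrokenExecutables
"""

# René's reading of the man page: also uncommenting DisableDefaultScanOptions.
# That does enable DetectBrokenExecutables, but it drops ScanPE as well.
OVERSHOOT_CONF = """\
LogFile /var/log/clamd.log
DisableDefaultScanOptions
#ScanPE
DetectBrokenExecutables
"""

if __name__ == "__main__":
    for name, conf in (("correct", CORRECT_CONF), ("overshoot", OVERSHOOT_CONF)):
        print(name, sorted(effective_scan_options(conf)), audit(conf))
```

Run against the two constructed configs, the first yields ScanPE plus DetectBrokenExecutables with no findings, while the second yields DetectBrokenExecutables alone and a finding that ScanPE (and with it UPX unpacking) has been lost, which is the practical cost of the "two options" approach the thread argues against.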
Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus
> So the OP has a correct configuration but his setup seems to not detect broken executables...
>
> Back to the original problem. Is Simon's answer the cause (only broken PE headers are detected, not executables that are broken somewhere else)?
> --
> René Berber

As the config seems to be OK (or at least not too faulty ;-), I'll try to catch some of these 'non-detected' examples and submit them for further analysis.

Arnaud Huret
Re: [Clamav-users] Re: 0.83 potentially not catching some NetSky/SomeFool virus
René Berber [EMAIL PROTECTED] wrote:
> So the OP has a correct configuration but his setup seems to not detect broken executables...
>
> Back to the original problem. Is Simon's answer the cause (only broken PE headers are detected, not executables that are broken somewhere else)?

It really depends on the state of the sample, but it does sound like it's an issue with the content of the executable - rather than its structure.

Hopefully Arnaud will be able to catch one soon so we can clear up the mystery!

Regards,
Simon