Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Dennis Peterson
This isn't the place for this debate, but if you accept a message you own it and are compelled to deliver it. If you reject it before the final protocol "." [CR] you can do anything you want with it forensically, but you can't deliver it. The sender still owns it. If people don't accept this

Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Noel Jones
On 2/18/2016 7:25 PM, Gene Heskett wrote: > On Thursday 18 February 2016 12:48:42 Michael Grant wrote: > >> Then let me be more clear... >> >> I want to reject the message. I do not want the message arriving at >> the recipient. However, the message that is passed to clamd, if this >> is

Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Gene Heskett
On Thursday 18 February 2016 12:48:42 Michael Grant wrote: > Then let me be more clear... > > I want to reject the message. I do not want the message arriving at > the recipient. However, the message that is passed to clamd, if this > is discovered to contain a virus, I want to save that into a

Re: [clamav-users] Filename Regex

2016-02-18 Thread Noel Jones
You may have more luck with the POSIX character class [[:space:]] rather than shorthand \s. -- Noel Jones On 2/18/2016 5:22 PM, Dennis Peterson wrote: > ^New\ Doc.* (<- that is from the below example but is actually a > poorly constructed regex because it will search to end of > line/string)
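The thread's point is that which regex constructs a cdb filename pattern can use depends on the regex implementation behind it, and that POSIX character classes such as `[[:space:]]` are the portable choice. The following is an added example, not ClamAV's code and not the library ClamAV bundles: it compiles candidate filename patterns with the host libc's POSIX regcomp/regexec (REG_EXTENDED) and runs them against a few constructed filenames. The function name `cdb_name_matches` and the sample names are invented for the example. It deliberately avoids `\s`, because that is exactly the construct whose meaning varies between implementations (glibc accepts it as a GNU extension; the thread reports it does not work in ClamAV), and it shows that a trailing `.*` is not needed because regexec already performs an unanchored search.

```c
#include <regex.h>
#include <stdio.h>

/*
 * Compile `pattern` as a POSIX extended regex and run it against `filename`.
 * Returns 1 on match, 0 on no match, -1 if the pattern does not compile.
 * regexec() performs an unanchored search, so a leading '^' is what pins the
 * match to the start of the name; a trailing '.*' adds nothing.
 * Example code using the host libc, not ClamAV's bundled regex library.
 */
int cdb_name_matches(const char *pattern, const char *filename)
{
    regex_t re;
    int rc = regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB);
    if (rc != 0) {
        char err[128];
        regerror(rc, &re, err, sizeof err);
        fprintf(stderr, "regcomp(\"%s\"): %s\n", pattern, err);
        return -1;
    }
    rc = regexec(&re, filename, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample filenames (not taken from the thread). */
    const char *names[] = {
        "New Doc.xls", "New\tDoc.xls", "NewDoc.xls", "NewXDoc.xls", "invoice@acme.zip"
    };
    const char *pats[] = {
        "^New[[:space:]]Doc",          /* POSIX class: space, tab, etc. */
        "^New.Doc",                    /* '.' is too broad: any single char */
        "^New Doc",                    /* literal space is an ordinary char */
        "^[^@]+@[[:alnum:]]+\\.zip$"   /* '@' needs no escaping in ERE */
    };
    size_t np = sizeof pats / sizeof pats[0];
    size_t nn = sizeof names / sizeof names[0];

    for (size_t p = 0; p < np; p++) {
        printf("%-28s", pats[p]);
        for (size_t n = 0; n < nn; n++)
            printf(" %d", cdb_name_matches(pats[p], names[n]));
        printf("\n");
    }
    /* An unbalanced pattern fails to compile and is reported as -1. */
    printf("bad pattern \"(\": %d\n", cdb_name_matches("(", "anything"));
    return 0;
}
```

Running it prints one row per pattern with a 1/0 per sample name, which makes the over-matching of `^New.Doc` (it also hits "NewXDoc.xls") visible next to the precise `[[:space:]]` form. Testing a pattern here only tells you what POSIX guarantees; the final check is still to load the cdb signature into clamscan against a sample archive, since ClamAV's own library is the one that matters.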

Re: [clamav-users] Filename Regex

2016-02-18 Thread Steven Morgan
Whoops, I take that back. The code used in ClamAV appears more similar to the "BSD library." Comments state: * This code is derived from OpenBSD's libc/regex, original license follows: * * Copyright (c) 1992, 1993, 1994 Henry Spencer. * Copyright (c) 1992, 1993, 1994 *The Regents of the

Re: [clamav-users] Filename Regex

2016-02-18 Thread Dennis Peterson
^New\ Doc.* (<- that is from the below example but is actually a poorly constructed regex because it will search to end of line/string) should work to escape the space char but that is one of the oddities of regex - knowing which implementation is being used. dp On 2/18/16 3:13 PM, Steven

Re: [clamav-users] Filename Regex

2016-02-18 Thread Steven Morgan
Please see https://garyhouston.github.io/regex/. Looks like ClamAV uses what is called the "old library." I don't think this is POSIX compliant with regard to regular expressions. Hope this helps, Steve On Thu, Feb 18, 2016 at 3:12 PM, Mehmet Avcioglu wrote: > > > On Feb

Re: [clamav-users] Filename Regex

2016-02-18 Thread Steve basford
On 18 February 2016 20:14:14 Mehmet Avcioglu wrote: For example I am able to use "^New.Doc.*" to match for "New Doc.xls" but "^New\sDoc.*" or "^New Doc.*" does not. > http://www.clamav.net/contact.html#ml If you look at foxhole databases it should give you an

Re: [clamav-users] Filename Regex

2016-02-18 Thread Mehmet Avcioglu
> On Feb 18, 2016, at 8:14 PM, Steven Morgan wrote: > > cdb signatures use a regex library known as "Henry Spencer's regular > expressions." Googling documentation for that should give what you want. Thank you for the information. I searched for that and found

Re: [clamav-users] Filename Regex

2016-02-18 Thread Steven Morgan
cdb signatures use a regex library known as "Henry Spencer's regular expressions." Googling documentation for that should give what you want. Steve On Thu, Feb 18, 2016 at 6:39 AM, Mehmet Avcioglu wrote: > > What is the format for Filename Regex pattern used in cdb

Re: [clamav-users] BlackEnergy malware detection

2016-02-18 Thread Alain Zidouemba
Here are some I could quickly identify: Win.Trojan.DropBear Win.Trojan.BlackEnergy2Driver Win.Trojan.BlackEnergy3 - Alain On Thu, Feb 18, 2016 at 7:37 AM, Volcy, Georges wrote: > Good Morning, > > Does ClamAV detect the Blackenergy malware and is there any way for me

Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Dennis Peterson
You could try (man clamd.conf) *LeaveTemporaryFiles BOOL* Do not remove temporary files (for debug purpose). Default: no dp On 2/18/16 9:48 AM, Michael Grant wrote: Then let me be more clear... I want to reject the message. I do not want the message arriving at the recipient.

Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Dennis Peterson
Nobody is questioning that - it is the desire to deliver it after rejecting it that is wrong on several levels. For example the sender will get a reject message and the recipient will not know that. dp On 2/18/16 9:48 AM, Noel Jones wrote: It is not a violation of protocol to reject a

Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Michael Grant
Then let me be more clear... I want to reject the message. I do not want the message arriving at the recipient. However, the message that is passed to clamd, if this is discovered to contain a virus, I want to save that into a file in a directory so that I can come back later and look at it.

Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Noel Jones
It is not a violation of protocol to reject a message during SMTP, and save a copy for forensic inspection. Be aware it is likely to cause confusion if you later deliver that message. clamav-milter does not currently have a reject+inspect option, but it probably wouldn't be much effort to add.

Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Dennis Peterson
On 2/18/16 9:21 AM, Michael Grant wrote: The reason I want to do this is that I want to reject virus messages while >>the smtp connection is still alive, but after the fact, if there was a >>false positive, I'd like to be able to send the message on through anyway >>after the fact. You say here

Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Michael Grant
I don't want to deliver the message, I want to quarantine it (like put it in a directory somewhere), and then refuse it at the milter/smtp level. There is not a violation of the protocol here. On 18 February 2016 at 17:59, Dennis Peterson wrote: > What you want to do is

Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Dennis Peterson
What you want to do is best done using the local mailer and not SMTP. Technically and literally you have accepted the message in your scheme and are therefore responsible for delivery. You can't both send a reject and deliver the mail - it violates the protocol and integrity of the messaging

Re: [clamav-users] BlackEnergy malware detection

2016-02-18 Thread Steve Basford
On Thu, February 18, 2016 12:37 pm, Volcy, Georges wrote: > Good Morning, > > > Does ClamAV detect the Blackenergy malware and is there any way for me to > verify it. Thanks, Just added Sanesecurity_BlackEnergy.yara to the Sanesecurity mirrors, if that's a help. It hit on a sample I downloaded.

Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Groach
The original topic has been 'discussed' enough and reached its natural end. On 18/02/2016 16:41, Joel Esler (jesler) wrote: Yeah, I know, it unfortunately has nothing to do with how I read the email, it has to do with whatever changes they made to handling quoting in the newer versions.

Re: [clamav-users] BlackEnergy malware detection

2016-02-18 Thread Al Varnell
daily.cvd Win.Trojan.Blackenergy daily.cvd PUA.Win32.Packer.BlackenergyDdos But I have submitted a False Positive sample against the first one. -Al- On Feb 18, 2016, at 4:37 AM, Volcy, Georges wrote: > Does ClamAV detect the Blackenergy malware and is there

Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Joel Esler (jesler)
Yeah, I know, it unfortunately has nothing to do with how I read the email, it has to do with whatever changes they made to handling quoting in the newer versions. Well, I think we’ve drifted far enough off topic now ;) -- Joel Esler Manager, Talos Group On Feb 18, 2016, at 10:37 AM, Mark

Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Mark Allan
> On 18 Feb 2016, at 3:28 pm, Joel Esler (jesler) wrote: > > > Bottom posting with Mail.app now. > > Yeah, it’s how I did it that was the problem. I tried to make the email nice > and neat, and Mail.app (prior to… I’d say.. Yosemite?) dealt with how I did > it fine.

Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Joel Esler (jesler)
SEE. Didn’t do it right! Stupid mail.app. -- Joel Esler Manager, Talos Group On Feb 18, 2016, at 10:28 AM, Joel Esler (jesler) > wrote: On Feb 18, 2016, at 4:01 AM, Mark Allan

Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Joel Esler (jesler)
On Feb 18, 2016, at 4:01 AM, Mark Allan > wrote: On 17 Feb 2016, at 11:21 pm, Joel Esler (jesler) > wrote: For me, I use Mail.app the majority of the time. Apparently if I delete lines and inline

[clamav-users] clamav-milter reject and quarantine?

2016-02-18 Thread Michael Grant
Using clamav-milter, is there anyway to reject virus infected messages AND put them into a quarantine directory? The reason I want to do this is that I want to reject virus messages while the smtp connection is still alive, but after the fact, if there was a false positive, I'd like to be able to

Re: [clamav-users] BlackEnergy malware detection

2016-02-18 Thread Yuri Voinov
BlackEnergy uses a cryptor and, therefore, can't have a stable signature. 18.02.16 18:37, Volcy, Georges wrote:

Re: [clamav-users] BlackEnergy malware detection

2016-02-18 Thread Yuri Voinov
BlackEnergy uses a cryptor and, therefore, can't have a stable signature. 18.02.16 18:37, Volcy, Georges wrote: > Good Morning, > > Does ClamAV detect the Blackenergy malware and is there any way for me to verify it. > Thanks, > > Georges Volcy >

[clamav-users] BlackEnergy malware detection

2016-02-18 Thread Volcy, Georges
Good Morning, Does ClamAV detect the Blackenergy malware and is there any way for me to verify it. Thanks, Georges Volcy SCADA Engineer - EMS PSEG Long Island CNI - EMS Provisioning & Support (516) 949-7417(Desk) (516) 949-7400 (Office) (516) 492-9773 (Cell)

[clamav-users] Filename Regex

2016-02-18 Thread Mehmet Avcioglu
What is the format for Filename Regex pattern used in cdb signature files? I have not been able to find a documentation for this and some of the valid regex strings I use are not recognized. For example I cannot find a way to match for '@' character, or use '\s' for white space. Thanks --

Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Gene Heskett
On Thursday 18 February 2016 04:06:07 Groach wrote: > Hi Gene, I will clarify my terminology for you, if it helps > > On 18/02/2016 09:48, Gene Heskett wrote: > > I > > > >> Receive notification of someones reply, click REPLY, write > >> answer...SEND. > > > > Notification? I have used t-bird

Re: [clamav-users] Threading (Was: How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?)

2016-02-18 Thread Simon Hobson
Mark Allan wrote: > >> For me, I use Mail.app the majority of the time. Apparently if I delete >> lines and inline reply like I do in Thunderbird, Mail.app just tells me to >> eat dust and unthreads the whole thing. Guess I should file a bug with >> Apple. > > That's

Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Mark Allan
> On 17 Feb 2016, at 11:21 pm, Joel Esler (jesler) wrote: > > For me, I use Mail.app the majority of the time. Apparently if I delete > lines and inline reply like I do in Thunderbird, Mail.app just tells me to > eat dust and unthreads the whole thing. Guess I should file

Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Gene Heskett
On Thursday 18 February 2016 02:59:56 Groach wrote: > Nope. > > I'm using thunderbird. Only thunderbird, and nothing else but > thunderbird. > I see that in the header, I must have missed it previously. My bad. > Receive notification of someone's reply, click REPLY, write > answer...SEND.

Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Groach
Nope. I'm using thunderbird. Only thunderbird, and nothing else but thunderbird. Receive notification of someone's reply, click REPLY, write answer...SEND. My original question really was how to REPLY to a thread that's already started when you don't have a notification for it in the first