This isn't the place for this debate, but if you accept a message you own it and
are compelled to deliver it. If you reject it before the final protocol "." [cr]
you can do anything you want with it forensically, but you can't deliver it. The
sender still owns it. If people don't accept this
On 2/18/2016 7:25 PM, Gene Heskett wrote:
> On Thursday 18 February 2016 12:48:42 Michael Grant wrote:
>
>> Then let me be more clear...
>>
>> I want to reject the message. I do not want the message arriving at
>> the recipient. However, the message that is passed to clamd, if this
>> is
On Thursday 18 February 2016 12:48:42 Michael Grant wrote:
> Then let me be more clear...
>
> I want to reject the message. I do not want the message arriving at
> the recipient. However, the message that is passed to clamd, if this
> is discovered to contain a virus, I want to save that into a
You may have more luck with the POSIX character class [[:space:]]
rather than shorthand \s.
-- Noel Jones
On 2/18/2016 5:22 PM, Dennis Peterson wrote:
> ^New\ Doc.* (<- that is from the below example but is actually a
> poorly constructed regex because it will search to end of
> line/string)
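Noel's [[:space:]] suggestion, Dennis's escaped space and Mehmet's working "^New.Doc.*" all come down to one thing: the FileNameREGEX field of a .cdb line is compiled by Henry Spencer's POSIX regex engine, not a Perl one. What follows is an added example, not code from this thread and not ClamAV's own code: a small Python linter that flags Perl shorthand in a cdb filename pattern, rewrites it to the POSIX bracket expression Spencer's library understands, and emulates the POSIX pattern with Python's re module so a pattern can be tried against filenames without running clamscan. The emulation is an approximation and assumes case-sensitive, unanchored matching as POSIX regexec does; the ten colon-separated fields used by cdb_line() are the documented cdb layout; the signature name, container type and filenames in the demo are made up.

```python
"""Lint and locally test the FileNameREGEX field of a ClamAV .cdb signature.

The field is compiled by Henry Spencer's POSIX regex library (ClamAV carries a
copy derived from OpenBSD libc/regex), so Perl shorthand such as \\s is not
understood.  posix_to_python() is an emulation for offline checks, not the
engine ClamAV uses; confirm anything that matters with clamscan.
"""
import re

# Perl shorthand -> the POSIX bracket expression Spencer's library accepts.
PERL_TO_POSIX = {
    r"\s": "[[:space:]]", r"\S": "[^[:space:]]",
    r"\d": "[[:digit:]]", r"\D": "[^[:digit:]]",
    r"\w": "[[:alnum:]_]", r"\W": "[^[:alnum:]_]",
}

# POSIX class -> what Python's re accepts at the same spot inside [...].
POSIX_TO_PY = {
    "[:space:]": r"\s", "[:digit:]": "0-9", "[:alpha:]": "a-zA-Z",
    "[:alnum:]": "a-zA-Z0-9", "[:upper:]": "A-Z", "[:lower:]": "a-z",
}


def lint_filename_regex(pattern):
    """Return (posix_pattern, warnings): Perl shorthand rewritten, oddities flagged."""
    out, warnings, i, in_bracket = [], [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if in_bracket:
            if pattern.startswith("[:", i) and pattern.find(":]", i) != -1:
                end = pattern.find(":]", i) + 2            # copy a POSIX class whole
                out.append(pattern[i:end]); i = end
                continue
            if ch == "\\":                                 # inside [...] POSIX treats \ as literal
                warnings.append("backslash inside [...] is literal in POSIX, not an escape")
            if ch == "]":
                in_bracket = False
            out.append(ch); i += 1
            continue
        if ch == "[":
            in_bracket = True
            out.append(ch); i += 1
            if pattern.startswith("^", i):                 # '^' and a leading ']' are members
                out.append("^"); i += 1
            if pattern.startswith("]", i):
                out.append("]"); i += 1
            continue
        two = pattern[i:i + 2]
        if two in PERL_TO_POSIX:
            warnings.append("%s is Perl shorthand; use %s" % (two, PERL_TO_POSIX[two]))
            out.append(PERL_TO_POSIX[two]); i += 2
            continue
        if ch == "\\" and i + 1 < len(pattern):            # \ before anything else: literal char
            out.append(pattern[i:i + 2]); i += 2
            continue
        out.append(ch); i += 1
    if in_bracket:
        warnings.append("unterminated bracket expression")
    return "".join(out), warnings


def posix_to_python(pattern):
    """Translate POSIX bracket classes so Python's re can stand in for the engine."""
    for cls, repl in POSIX_TO_PY.items():
        pattern = pattern.replace(cls, repl)
    return pattern


def filename_matches(pattern, filename):
    """Emulated cdb match of an already-linted pattern: unanchored search,
    case-sensitive (assumption; verify against clamscan)."""
    return re.search(posix_to_python(pattern), filename) is not None


# The documented cdb field order; '*' leaves a field unconstrained.
CDB_FIELDS = ("VirusName", "ContainerType", "ContainerSize", "FileNameREGEX",
              "FileSizeInContainer", "FileSizeReal", "IsEncrypted", "FilePos",
              "Res1", "Res2")


def cdb_line(name, container, filename_regex):
    """Build one .cdb signature line constraining only name, container and filename."""
    values = {"VirusName": name, "ContainerType": container,
              "FileNameREGEX": filename_regex}
    return ":".join(values.get(field, "*") for field in CDB_FIELDS)


if __name__ == "__main__":
    # Constructed patterns and filenames from the discussion above.
    for pat in (r"^New\sDoc.*", r"^New\ Doc.*", "^New.Doc.*", "^New[[:space:]]Doc\\.xls$"):
        fixed, warns = lint_filename_regex(pat)
        hits = [f for f in ("New Doc.xls", "NewXDoc.xls", "New Doc.xls.exe")
                if filename_matches(fixed, f)]
        print("%-26s -> %-26s matches %s %s" % (pat, fixed, hits, warns))
    print(cdb_line("Test.NewDocInZip", "CL_TYPE_ZIP", "^New[[:space:]]Doc\\.xls$"))
```

Two things the output makes visible: the "." workaround matches any single character, so NewXDoc.xls hits too, and an unanchored pattern without a trailing $ also catches New Doc.xls.exe. Because the cdb line is itself colon-delimited, try any pattern that contains a bracket class such as [[:space:]] against a test archive with clamscan -d before relying on it; an escaped space (^New\ Doc) sidesteps the question.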
Whoops, I take that back. The code used in ClamAV appears more similar to
the "BSD library." Comments state:
* This code is derived from OpenBSD's libc/regex, original license follows:
*
* Copyright (c) 1992, 1993, 1994 Henry Spencer.
* Copyright (c) 1992, 1993, 1994
* The Regents of the
^New\ Doc.* (<- that is from the below example but is actually a poorly
constructed regex because it will search to end of line/string) should work to
escape the space char but that is one of the oddities of regex - knowing which
implementation is being used.
dp
On 2/18/16 3:13 PM, Steven
Please see https://garyhouston.github.io/regex/.
Looks like ClamAV uses what is called the "old library." I don't think this
is POSIX compliant with regard to regular expressions.
Hope this helps,
Steve
On Thu, Feb 18, 2016 at 3:12 PM, Mehmet Avcioglu wrote:
>
> > On Feb
On 18 February 2016 20:14:14 Mehmet Avcioglu wrote:
For example I am able to use "^New.Doc.*" to match for "New Doc.xls" but
"^New\sDoc.*" or "^New Doc.*" does not.
> http://www.clamav.net/contact.html#ml
If you look at foxhole databases it should give you an
> On Feb 18, 2016, at 8:14 PM, Steven Morgan wrote:
>
> cdb signatures use a regex library known as "Henry Spencer's regular
> expressions." Googling documentation for that should give what you want.
Thank you for the information. I searched for that and found
cdb signatures use a regex library known as "Henry Spencer's regular
expressions." Googling documentation for that should give what you want.
Steve
On Thu, Feb 18, 2016 at 6:39 AM, Mehmet Avcioglu wrote:
>
> What is the format for Filename Regex pattern used in cdb
Here are some I could quickly identify:
Win.Trojan.DropBear
Win.Trojan.BlackEnergy2Driver
Win.Trojan.BlackEnergy3
- Alain
On Thu, Feb 18, 2016 at 7:37 AM, Volcy, Georges wrote:
> Good Morning,
>
> Does ClamAV detect the Blackenergy malware and is there any way for me
You could try (man clamd.conf)
*LeaveTemporaryFiles BOOL*
Do not remove temporary files (for debug purpose).
Default: no
dp
On 2/18/16 9:48 AM, Michael Grant wrote:
> Then let me be more clear...
> I want to reject the message. I do not want the message arriving at the
> recipient.
Nobody is questioning that - it is the desire to deliver it after rejecting it
that is wrong on several levels. For example the sender will get a reject
message and the recipient will not know that.
dp
On 2/18/16 9:48 AM, Noel Jones wrote:
> It is not a violation of protocol to reject a
Then let me be more clear...
I want to reject the message. I do not want the message arriving at the
recipient. However, the message that is passed to clamd, if this is
discovered to contain a virus, I want to save that into a file in a
directory so that I can come back later and look at it.
It is not a violation of protocol to reject a message during SMTP,
and save a copy for forensic inspection. Be aware it is likely to
cause confusion if you later deliver that message.
clamav-milter does not currently have a reject+inspect option, but
it probably wouldn't be much effort to add.
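What Noel describes, reject at SMTP time and keep a copy for forensics, needs two pieces: a scan verdict while the connection is still open, and a quarantine write that completes before the 550 goes back to the sender. Below is an added example, not code from this thread, from clamav-milter or from ClamAV: a Python implementation of the clamd INSTREAM exchange plus the quarantine-then-reject decision a milter would make in its end-of-message hook. The milter glue itself is not shown. The socket path, quarantine directory and SMTP reply texts are assumptions, and the FakeClamd class and sample message are constructed so the file runs without a clamd. The INSTREAM framing (the command, chunks prefixed with a 4-byte big-endian length, a zero-length chunk to finish, and a "stream: ... FOUND" / "stream: OK" / "stream: ... ERROR" reply) is clamd's protocol.

```python
"""Scan a message through clamd's INSTREAM command and, on a hit, write it to a
quarantine directory before the caller answers the SMTP client with a 550.
This is the step a milter would call at end-of-message; the milter glue is not
shown.  FakeClamd and the message in run_offline_demo() are constructed."""
import hashlib
import os
import re
import struct
import tempfile

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"     # assumption: match LocalSocket in clamd.conf
QUARANTINE_DIR = "/var/spool/clam-quarantine"  # assumption: writable by the filter user only
CHUNK = 65536

# clamd answers "stream: <Sig> FOUND", "stream: OK" or "stream: <reason> ERROR",
# NUL-terminated because the command was sent with the 'z' prefix.
REPLY_RE = re.compile(rb"^stream: (?:(?P<sig>.+) FOUND|(?P<ok>OK)|(?P<err>.+) ERROR)\x00?$")


def instream_frames(data):
    """Yield the wire bytes of one INSTREAM session: command, <len><chunk>..., <0>."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), CHUNK):
        chunk = data[off:off + CHUNK]
        yield struct.pack("!L", len(chunk)) + chunk     # length is big-endian
    yield struct.pack("!L", 0)                          # zero-length chunk ends the stream


def parse_reply(reply):
    """Return ('FOUND', signature), ('OK', None) or ('ERROR', reason)."""
    m = REPLY_RE.match(reply)
    if not m:
        raise ValueError("unexpected clamd reply: %r" % reply)
    if m.group("sig"):
        return "FOUND", m.group("sig").decode()
    if m.group("ok"):
        return "OK", None
    return "ERROR", m.group("err").decode()


def scan_bytes(data, sock):
    """Drive INSTREAM over a connected socket-like object (sendall/recv)."""
    for frame in instream_frames(data):
        sock.sendall(frame)
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        reply += part
    return parse_reply(reply)


def quarantine(data, signature, directory=QUARANTINE_DIR):
    """Write the raw message under a content-hash name and return the path.
    The name comes from the bytes, not from a header the sender controls."""
    digest = hashlib.sha256(data).hexdigest()
    os.makedirs(directory, mode=0o700, exist_ok=True)
    path = os.path.join(directory, digest + ".eml")
    try:                                                # O_EXCL: never truncate a file in use
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return path                                     # identical message already kept
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    with open(path + ".txt", "w") as meta:              # what hit, for the later review
        meta.write("signature: %s\nsha256: %s\n" % (signature, digest))
    return path


def reject_and_keep(data, sock, directory=QUARANTINE_DIR):
    """Return (action, smtp_reply, quarantine_path) for one message.  The copy is
    on disk before the reject is returned; the sender still owns delivery."""
    verdict, detail = scan_bytes(data, sock)
    if verdict == "FOUND":
        path = quarantine(data, detail, directory)
        return "REJECT", "550 5.7.1 Message rejected: %s" % detail, path
    if verdict == "ERROR":                              # e.g. StreamMaxLength exceeded
        return "TEMPFAIL", "451 4.7.1 Scanner error, try again later", None
    return "ACCEPT", None, None


class FakeClamd:
    """Constructed stand-in for a clamd socket so the example runs offline."""
    def __init__(self, reply):
        self.reply, self.sent = reply, b""

    def sendall(self, data):
        self.sent += data

    def recv(self, n):
        out, self.reply = self.reply[:n], self.reply[n:]
        return out


def run_offline_demo():
    """Constructed message, fake clamd reporting a hit, throwaway quarantine dir."""
    message = (b"From: sender@example.test\r\nTo: user@example.test\r\n"
               b"Subject: constructed sample\r\n\r\nnot a real attachment\r\n")
    fake = FakeClamd(b"stream: Eicar-Test-Signature FOUND\0")
    qdir = tempfile.mkdtemp(prefix="clam-quarantine-")
    return reject_and_keep(message, fake, directory=qdir), fake.sent


if __name__ == "__main__":
    (action, reply, path), _ = run_offline_demo()
    print(action, reply, path)
```

For a live run, replace FakeClamd with an AF_UNIX socket connected to CLAMD_SOCKET, one connection per message. Two caveats a practitioner would want: clamd's StreamMaxLength (clamd.conf) caps what INSTREAM accepts and an oversize stream comes back as an ERROR reply, which this code turns into a 451 rather than silently accepting; and the quarantine directory is reachable only by the filter user, since a later "false positive, deliver it after all" step is a manual decision by an operator, exactly the confusion Noel warns about above.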
On 2/18/16 9:21 AM, Michael Grant wrote:
>> The reason I want to do this is that I want to reject virus messages while
>> the smtp connection is still alive, but after the fact, if there was a
>> false positive, I'd like to be able to send the message on through anyway
>> after the fact.
You say here
I don't want to deliver the message, I want to quarantine it (like put it
in a directory somewhere), and then refuse it at the milter/smtp level.
There is not a violation of the protocol here.
On 18 February 2016 at 17:59, Dennis Peterson wrote:
> What you want to do is
What you want to do is best done using the local mailer and not SMTP.
Technically and literally you have accepted the message in your scheme and are
therefore responsible for delivery. You can't both send a reject and deliver the
mail - it violates the protocol and integrity of the messaging
On Thu, February 18, 2016 12:37 pm, Volcy, Georges wrote:
> Good Morning,
>
> Does ClamAV detect the Blackenergy malware and is there any way for me to
> verify it. Thanks,
Just added Sanesecurity_BlackEnergy.yara to the Sanesecurity mirrors,
if that's a help.
It hit on a sample I downloaded.
The original topic has been 'discussed' enough and reached its natural end.
On 18/02/2016 16:41, Joel Esler (jesler) wrote:
> Yeah, I know, it unfortunately has nothing to do with how I read the email, it
> has to do with whatever changes they made to handling quoting in the newer
> versions.
daily.cvd Win.Trojan.Blackenergy
daily.cvd PUA.Win32.Packer.BlackenergyDdos
But I have submitted a False Positive sample against the first one.
-Al-
On Feb 18, 2016, at 4:37 AM, Volcy, Georges wrote:
> Does ClamAV detect the Blackenergy malware and is there
Yeah, I know, it unfortunately has nothing to do with how I read the email, it
has to do with whatever changes they made to handling quoting in the newer
versions.
Well, I think we’ve drifted far enough off topic now ;)
--
Joel Esler
Manager, Talos Group
On Feb 18, 2016, at 10:37 AM, Mark
> On 18 Feb 2016, at 3:28 pm, Joel Esler (jesler) wrote:
>
>
> Bottom posting with Mail.app now.
>
> Yeah, it’s how I did it that was the problem. I tried to make the email nice
> and neat, and Mail.app (prior to… I’d say.. Yosemite?) dealt with how I did
> it fine.
SEE. Didn’t do it right!
Stupid mail.app.
--
Joel Esler
Manager, Talos Group
On Feb 18, 2016, at 10:28 AM, Joel Esler (jesler) wrote:
> On Feb 18, 2016, at 4:01 AM, Mark Allan wrote:
>> On 17 Feb 2016, at 11:21 pm, Joel Esler (jesler) wrote:
For me, I use Mail.app the majority of the time. Apparently if I delete lines
and inline
Using clamav-milter, is there anyway to reject virus infected messages AND
put them into a quarantine directory?
The reason I want to do this is that I want to reject virus messages while
the smtp connection is still alive, but after the fact, if there was a
false positive, I'd like to be able to
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
BlackEnergy uses a cryptor and, therefore, can't have a stable signature.
18.02.16 18:37, Volcy, Georges wrote:
> Good Morning,
>
> Does ClamAV detect the Blackenergy malware and is there any way for me
to verify it.
> Thanks,
>
> Georges Volcy
>
Good Morning,
Does ClamAV detect the Blackenergy malware and is there any way for me to
verify it.
Thanks,
Georges Volcy
SCADA Engineer - EMS
PSEG Long Island
CNI - EMS Provisioning & Support
(516) 949-7417(Desk)
(516) 949-7400 (Office)
(516) 492-9773 (Cell)
What is the format for the Filename Regex pattern used in cdb signature files?
I have not been able to find documentation for this, and some of the valid
regex strings I use are not recognized. For example, I cannot find a way to
match the '@' character, or use '\s' for white space.
Thanks
--
On Thursday 18 February 2016 04:06:07 Groach wrote:
> Hi Gene, I will clarify my terminology for you, if it helps
>
> On 18/02/2016 09:48, Gene Heskett wrote:
> > I
> >
> >> Receive notification of someone's reply, click REPLY, write
> >> answer...SEND.
> >
> > Notification? I have used t-bird
Mark Allan wrote:
>
>> For me, I use Mail.app the majority of the time. Apparently if I delete
>> lines and inline reply like I do in Thunderbird, Mail.app just tells me to
>> eat dust and unthreads the whole thing. Guess I should file a bug with
>> Apple.
>
> That's
> On 17 Feb 2016, at 11:21 pm, Joel Esler (jesler) wrote:
>
> For me, I use Mail.app the majority of the time. Apparently if I delete
> lines and inline reply like I do in Thunderbird, Mail.app just tells me to
> eat dust and unthreads the whole thing. Guess I should file
On Thursday 18 February 2016 02:59:56 Groach wrote:
> Nope.
>
> I'm using Thunderbird. Only Thunderbird, and nothing else but
> Thunderbird.
>
I see that in the header, I must have missed it previously. My bad.
> Receive notification of someone's reply, click REPLY, write
> answer...SEND.
Nope.
I'm using Thunderbird. Only Thunderbird, and nothing else but Thunderbird.
Receive notification of someone's reply, click REPLY, write answer...SEND.
My original question really was how to REPLY to a thread that's already
started when you don't have a notification for it in the first