Re: [clamav-users] 18+ hours since last signature

2017-05-15 Thread Al Varnell
Just a note that there were two minor bytecode updates (299 & 300) posted between 10 and 11 AM PDT, so at least that part of the system was in operation twelve hours ago.

$ host -t txt current.cvd.clamav.net
current.cvd.clamav.net descriptive text "0.99.2:57:23389:1494905340:1:63:45939:300"

-A
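Since the thread is about spotting stuck signatures, here is an added check, written for this note and not taken from the posts or from the ClamAV project, that parses the TXT record Al quoted into its fields and flags a stale daily. The positions of the stable version, main, daily, safebrowsing and bytecode fields follow the layout freshclam reads; treating field 4 as the record's refresh time follows freshclam's "DNS record is older than 3 hours" warning, and fields 5 and 6 are kept verbatim because their meaning is not stated on the page.

```python
# Added example: parse the current.cvd.clamav.net TXT record and judge staleness.
import time
from dataclasses import dataclass
from typing import Optional

# Constructed input: the exact record quoted on the list.
SAMPLE_TXT = '"0.99.2:57:23389:1494905340:1:63:45939:300"'


@dataclass
class CvdRecord:
    clamav_version: str   # latest stable ClamAV release
    main: int             # main.cvd version
    daily: int            # daily.cvd/.cld version
    updated: int          # Unix time the record was refreshed (freshclam's age check)
    field5: str           # meaning not established on the page; kept verbatim
    field6: str           # same
    safebrowsing: int     # safebrowsing.cvd version
    bytecode: int         # bytecode.cvd version


def parse_record(txt: str) -> CvdRecord:
    """Split the colon-separated record; reject anything but eight fields."""
    parts = txt.strip().strip('"').split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 fields, got {len(parts)}: {txt!r}")
    return CvdRecord(parts[0], int(parts[1]), int(parts[2]), int(parts[3]),
                     parts[4], parts[5], int(parts[6]), int(parts[7]))


def record_age_hours(rec: CvdRecord, now: Optional[float] = None) -> float:
    """Hours since the record timestamp; `now` is injectable so tests are repeatable."""
    now = time.time() if now is None else now
    return max(0.0, (now - rec.updated) / 3600.0)


def daily_lag(rec: CvdRecord, local_daily: int) -> int:
    """How many daily releases the local daily database is behind the mirror."""
    return max(0, rec.daily - local_daily)


def is_stale(rec: CvdRecord, max_age_hours: float, now: Optional[float] = None) -> bool:
    """True when the mirror record itself has not been refreshed within max_age_hours."""
    return record_age_hours(rec, now) > max_age_hours


if __name__ == "__main__":
    rec = parse_record(SAMPLE_TXT)
    print(f"daily {rec.daily}, bytecode {rec.bytecode}, "
          f"record age {record_age_hours(rec):.1f} h")
```

Feed it the quoted string from `host -t txt current.cvd.clamav.net` and compare `daily_lag` against the version `freshclam` last reported locally.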

[clamav-users] 18+ hours since last signature

2017-05-15 Thread Rafael Ferreira
Hey folks, just a heads up that it looks like signatures are “stuck” again; the last daily (23389) came out at 2 AM PST: http://lists.clamav.net/pipermail/clamav-virusdb/2017-May/004726.html Does anyone know what is going on? T

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Joel Esler (jesler)
To be clear, let me link to our blog post on the subject: http://blog.talosintelligence.com/2017/05/wannacry.html There has been No email vector seen in WannaCry to date. Almost everyone that has claimed this has retracted it. Please read the above blog post for all the facts as we know them.

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-15 Thread Kishore Pawar
Btw, can you please share your output of the command 'clamd status'?

Thanks
Kishore

On Mon, May 15, 2017 at 4:53 PM, Kishore Pawar wrote:
> Yes, I see the clamd process. I tried to kill and restart it many times,
> but when I run the 'clamd status' I get the same error about the socket
> file.

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-15 Thread Kishore Pawar
Yes, I see the clamd process. I tried to kill and restart it many times, but when I run the 'clamd status' I get the same error about the socket file. Earlier when I was running the older version, I used to see the complete details about the clamd status including the version number I was running

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-15 Thread Steven Morgan
'kill -9 6776', verify the 6776 is gone, followed by starting clamd again should fix this.

Steve

On Mon, May 15, 2017 at 5:22 PM, Kishore Pawar wrote:
> Thanks Steve. Here's the output of lsof.
>
> # clamd status
> ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by another
> pr

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-15 Thread Reindl Harald
On 15.05.2017 at 23:22, Kishore Pawar wrote:
> Thanks Steve. Here's the output of lsof.
>
> # clamd status
> ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by another process.
>
> # lsof | grep clamd.socket
> clamd 6776 clamav 5u unix 0xc3692480 0t0 72993 /var

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-15 Thread Kishore Pawar
Thanks Steve. Here's the output of lsof.

# clamd status
ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by another process.

# lsof | grep clamd.socket
clamd 6776 clamav 5u unix 0xc3692480 0t0 72993 /var/run/clamav/clamd.socket

# ps -ef | grep 6776
cla

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Steven Morgan
For some additional info about running YARA rules in ClamAV, please see section 3.11 in the ClamAV signatures manual: https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf

On Mon, May 15, 2017 at 4:04 PM, Mark Foley wrote:
> On Mon May 15 15:06:07 2017 "Eric Tykwinski"
>

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-15 Thread Steven Morgan
OK, try the 'lsof' command to identify what is using /var/run/clamav/clamd.socket.

Steve

On Mon, May 15, 2017 at 1:29 PM, Kishore Pawar wrote:
> Thanks Steve. Yes, I tried removing them and kill the running clamd process
> and start it again but still the clamd status doesn't show anything othe

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Mark Foley
On Mon May 15 15:06:07 2017 "Eric Tykwinski" wrote:
>
> Here's links to sample files, i.e. use at your own risk:
> https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>

Well, it does seem to try and use the yara rule. U

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Eric Tykwinski
Just as a side note, normal rules are catching the samples, so I don't know if it would display both YARA and the others. Here's what the samples show without YARA:

./CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.EXE: Win.Ransomware.WannaCry-6313053-0 FOUND
./CYBERed01ebfbc9

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Eric Tykwinski
Here are links to sample files, i.e. use at your own risk: https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

-Original Message-
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Mark Foley
Sen

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Mark Foley
On Sat May 13 13:25:07 2017 From: Alain Zidouemba wrote:
>
> Yara rules have been supported by ClamAV since 2015:
> http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html
>
> - Alain

I'm following these instructions now. The instructions say, "just place your YARA rule files into the ClamAV

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-15 Thread Kishore Pawar
Thanks Steve. Yes, I tried removing them, killing the running clamd process and starting it again, but the clamd status still doesn't show anything other than the error.

# clamd status
ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by another process.

There is probably another

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-15 Thread Steven Morgan
There is probably another clamd running. If not, try deleting /var/run/clamav/clamd.socket.

Steve

On Mon, May 15, 2017 at 12:58 PM, Kishore Pawar wrote:
> Hi Steve
>
> Thank you very much for the reply and your suggestion. I rebuild it with
> the options (--enable-llvm=no) provided by you and i

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-15 Thread Kishore Pawar
Hi Steve

Thank you very much for the reply and your suggestion. I rebuilt it with the options (--enable-llvm=no) provided by you and it seems to be ok now. But now I am unable to stop/start clamd and am not able to get the status of clamd.

# clamd status
ERROR: LOCAL: Socket file /var/run/cl

[clamav-users] Signature specifics (was Re: Malware/ransomware and Yara signatures with clamav)

2017-05-15 Thread Kris Deugau
Cedric Knight wrote:
> Devs - is it possible to block PDFs based on containing '/JavaScript' and '/OpenAction' (or '/Launch')? I wish ClamAV had a hierarchy from definite signatures first to secondly checking heuristics...

Not a ClamAV developer, but yes, you can create a signature for this. Y

Re: [clamav-users] WannaCry

2017-05-15 Thread SCOTT PACKARD
Thanks for posting this Steve.

Regards,
Scott

> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf
> Of Steve Basford
> Sent: Monday, May 15, 2017 3:12 AM
> To: clamav-users@lists.clamav.net
> Cc: sanesecur...@freelists.org
> Subject: [clamav

[clamav-users] WannaCry

2017-05-15 Thread Steve Basford
Sorry for the slightly off-topic post but just in case this helps...

MS17-01 Summary

1. malwarehash.hsb
175+ hashes in malwarehash.hsb (Sanesecurity.MalwareHash.WannaCry) added over the weekend

2. MS17-010 nmap network scan script
https://raw.githubusercontent.com/cldrn/nmap-nse-scripts/maste