The signature causing this FP alert has been dropped earlier today. This
should be reflected in the next signature definitions update.
Thanks for reporting the issue.
-Alain
On Fri, Sep 10, 2021 at 4:48 PM Andreas Rulle wrote:
> Hi,
>
> a detection of Pdf.Phishing.CWS4c384287-9890237-0 has be
Thanks for reporting. Will be addressed in the next CVD update.
-Alain
On Fri, Jun 11, 2021 at 10:44 AM Douglas Stinnette wrote:
>
> It has been over a year since there was a wide false positive across
> ClamAV.
> "/Library/Application Support/Quest/KACE/bin/klog"
> "Unix.Malware.Macos-9867919-
It means that you are using ClamAV version 0.102, with the main.cvd
signature file version 59, and the daily.cvd signature file version 25920.
-Alain
On Thu, Sep 17, 2020 at 1:12 PM Jeff Koch
wrote:
>
> HI
>
> Looking through our scanning logs we see what appears to be a signature
> that looks
Confirming that those are false positives, thanks for reporting. The
offending signature has been dropped. This should be reflected in the next
signature update.
- Alain
On Thu, Jan 9, 2020 at 12:29 PM Douglas Stinnette wrote:
> This definition is detecting many files that appear to be safe.
>
The alert was a false positive, and the offending signature has been
removed.
Thanks,
-Alain
On Tue, Nov 12, 2019 at 10:35 AM Maarten Broekman via clamav-users <
clamav-users@lists.clamav.net> wrote:
> That's a hash signature. My guess is that there's a 315 byte file inside the
> jar that was mar
The signature needs a little tweaking, and will be revised. Revision 0
(Txt.Coinminer.Generic-7132166-0) has been dropped and this will be
reflected in the next signature update.
- Alain
On Tue, Aug 27, 2019 at 11:25 AM Brian Cole via clamav-users <
clamav-users@lists.clamav.net> wrote:
>
>
> H
Check out http://www.immunet.com/. It includes the ClamAV engine.
-Alain
On Mar 16, 2019, at 9:31 AM, Turritopsis Dohrnii Teo En Ming <
c...@teo-en-ming-corp.com> wrote:
Good evening from Singapore,
Are there any plans to develop ClamAV Endpoint Antivirus in the near future?
Like Symantec
Both signatures we dropped on 2/4/19.
- Alain
On Tue, Feb 5, 2019 at 10:21 AM Orion Poplawski wrote:
> We are starting to see a bunch of these being flagged. Anyone else
> seeing issues with these?
>
> *INFECTED*:
>
> * Txt.Packed.Generic-6840866-0 :
> https://cdn.onesignal.com/
> When a new
cdiff is released, is a new daily.cvd also released at the same time?
Yes.
-Alain
> On Dec 15, 2018, at 4:26 PM, J.R. wrote:
>
> When a new
> cdiff is released, is a new daily.cvd also released at the same time?
___
clamav-users mailing l
The PhishTank URLs being dropped from daily.cvd have nothing to do with
false positives. We are just rotating in and out the top phishing URLs
based on the number of DNS lookups per hour.
- Alain
On Wed, Dec 12, 2018 at 6:23 AM Joel Esler (jesler)
wrote:
> Not sure. Perhaps Alain can chime in. My tea
Do you have the specific signature name that alerted?
-Alain
On Oct 13, 2018, at 11:12 AM, Matthes, Marc wrote:
Same here
Marc Matthes
Director of Computer Networking Programs
Iowa Central CC
5155741099
--
*From:* clamav-users on behalf of
Jean-Francois Tasse
*Se
The next CVD should correct this FP. Thanks for reporting.
- Alain
On Sun, Sep 2, 2018 at 5:18 AM, Al Varnell wrote:
> Found in the current (and probably several previous versions) of Skype for
> Mac.
>
> Found here /Applications/Skype.app/Contents/Frameworks/Electron
> Framework.framework/Vers
Win.Malware.Agent-6641126-0 is set to be removed from the next CVD.
- Alain
On Mon, Aug 13, 2018 at 5:28 AM, Tilman Schmidt
wrote:
> Am 08.08.2018 um 10:40 schrieb Tilman Schmidt:
> > Am 07.08.2018 um 22:24 schrieb Alain Zidouemba:
> >> We do not have the sample. Please
Tilman:
What's the MD5 or SHA256 of the file, so I can see if we already have it?
Thanks,
- Alain
On Tue, Aug 7, 2018 at 9:50 AM, Tilman Schmidt wrote:
> The problem is back, this time with two bytecodes: 2 and 90.
> ClamAV version is 0.100.1.
> The last clamscan run without the error was on
No need to create a CVD. Just put the files you want to use (.hdb, .mdb,
.ldb, etc...) in a directory and point clamscan or clamd to that directory.
You can also put your custom signature files in the same directory as
main.cvd and daily.cvd and ClamAV will pick those up.
- Alain
On Tue, Jul 24,
An update should be out momentarily.
Thanks,
- Alain
On Wed, Jul 18, 2018 at 12:49 PM, Michael Da Cova
wrote:
> Hi
>
> do we know if there is a problem with updates, I not seen any also
>
> Michael
>
>
>
> On 18/07/18 13:52, Paul Kosinski wrote:
>
>> Judging by the DNS TXT record, we have seen
This issue should be resolved now. If the issue persists for you, let us
know.
- Alain
On Mon, Jul 9, 2018 at 12:14 AM, wrote:
> On my debian 9, clamav 0.100.0+dfsg-0+deb8u1) I got following error:
>
> clamscan /media/6b300944-6e7c-493e-b9c9-faeebb70a415/nastenka
> /srv/dev-disk-by-label-white/
We actually got another FP report for the signature
Xml.Exploit.CVE_2018_4975-6545149-0 triggering on AutoCAD DWFx files. We
dropped Xml.Exploit.CVE_2018_4975-6545149-0 from the signature set earlier
today pending further investigation on how the signature could be
re-written to avoid FPs on these
We have enough information to state that Img.Malware.Agent-6499558-0 is a
false positive. The signature has been dropped, and this should be
reflected shortly in a new CVD.
Thanks,
- Alain
On Mon, May 7, 2018 at 9:38 AM, Benny Pedersen wrote:
> Joel Esler (jesler) skrev den 2018-05-07 03:27:
>
Ideally just the information requested by these forms:
http://www.clamav.net/reports/malware
http://www.clamav.net/reports/fp
In particular, for FPs, the exact name of the signature that alerted, as
requested by the "Virus Name" field, would help expedite resolution.
Thanks,
- Alain
On Thu, M
The alert with the signature Doc.Dropper.Agent-6447876-0 is not a false
positive. The signature alerted on a Microsoft Word document. The hash for
that document is
f614c9664f566becb3bdf5a52027088407a3a73d5de8f2a5ec1da2b47438d156.
The Word document has a macro that launches powershell, downloads an
And...Pdf, Rtf, Doc, Xls, Ppt, Html etc... and I could go on. There are
some vulnerabilities that affect applications across platforms. Something
to keep in mind.
Might be better to exclude "Win.", rather than choose what to include.
- Alain
On Wed, Dec 20, 2017 at 9:53 AM, Joel Esler (jesler)
w
Thanks for reporting this FP Maarten. We are in the process of fixing this
and will replace this signature.
- Alain
On Wed, Dec 6, 2017 at 11:54 AM, Maarten Broekman <
maarten.broek...@gmail.com> wrote:
> VIRUS NAME: Html.Trojan.Iframe-6390207-0
> TDB: Engine:51-255,FileSize:16384-65536,Target:3
Not sure that this is a FP.
- Alain
On Tue, Dec 5, 2017 at 2:05 AM, Al Varnell wrote:
> That said, here is some info on the signature itself.
>
> It was added to the ClamAV database on Oct 3 of this year. It appears to
> be malformed in the first subsig where the Offset and Sigmod are missing
>
They were replaced with:
Osx.Malware.Proton-6377366-1
- Alain
On Fri, Nov 24, 2017 at 7:08 AM, Al Varnell wrote:
> > Begin forwarded message:
> >
> > From: nore...@sourcefire.com
> > Subject: [clamav-virusdb] Signatures Published daily - 24065
> > Date: November 22, 2017 at 5:10:11 PM PST
> >
Should be fixed in the next few DB updates.
-Alain
On Oct 9, 2017, at 2:48 PM, Shaw Terwilliger <
sterwilli...@patternhealthtech.com> wrote:
Java.Malware.Agent-6297845-0:73 matches a file that's part of the
OWASP Dependency Check tool, dependency-check-core-1.4.5.jar.
bbeddbad91868290103ed3990
Routing appropriately.
-Alain
On Sun, Sep 24, 2017 at 8:11 AM Michael D. wrote:
> Hi,
>
> I twice tried to reach out to the ClamAV Developers regarding this
> error, but been ignored.
>
> Anyone?
>
> Best regards
>
> Michael
>
>
> Latest segfaults since rebooting 8 days ago:
>
> Sep 21 16:4
A new bytecode CVD will be out shortly to address this.
Thanks,
- Alain
On Fri, Sep 15, 2017 at 8:18 AM, Leonardo Rodrigues <
leolis...@solutti.com.br> wrote:
>
> i have had ZERO matches on the CVE_2017_11241 signature on the last
> days. Had several hundreds (which i believe are all FPs) o
Dropped on Tuesday.
-Alain
> On Sep 15, 2017, at 1:45 AM, Al Varnell wrote:
>
> Haven't seen any notification that it's been dropped yet.
>
> -Al-
>
>> On Wed, Sep 13, 2017 at 11:52 AM, Alain Zidouemba wrote:
>> BC.Win.Exploit.CVE_2017_11244-6335828-0 has
BC.Win.Exploit.CVE_2017_11244-6335828-0 has been dropped and will be
modified to avoid the FPs you've reported.
Thanks,
- Alain
On Wed, Sep 13, 2017 at 1:13 PM, Kees Theunissen
wrote:
> On Wed, 13 Sep 2017, Kees Theunissen wrote:
>
> >On Wed, 13 Sep 2017, lukn wrote:
> >
> >>Hello List
> >>
>
We are shipping sha256 signatures now. See contents of daily.hsb. We
are no longer shipping new hdb (md5) signatures.
-Alain
> On Sep 8, 2017, at 7:28 AM, Al Varnell wrote:
>
> I'm struggling to understand how that would improve the DB? It's not a
> security issue and it would seemingly involve
$ wget http://www.eicar.org/download/eicar.com.txt
--2017-08-30 14:35:48-- http://www.eicar.org/download/eicar.com.txt
Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
HTTP request sent, awaiting response... 200
$ sigtool -fHtml.Exploit.CVE_2017_0266-6311814-0
[daily.ndb]
Html.Exploit.CVE_2017_0266-6311814-0:3:*:6e65776461746176696577286e657761727261796275657228*2e73657475696e7433322e63616c6c28{-50}2e73657475696e7433322e63616c6c28
On Thu, Jul 20, 2017 at 3:15 PM, Krishna Pandey
wrote:
> Hi All,
>
>
Signature will be going out shortly.
On Wed, Jul 12, 2017 at 2:52 PM, Alex wrote:
> Hi, we've received a word virus that isn't currently being detected by
> any scanners. I've submitted the FN, but would like to see if we can
> get that pushed out as soon as possible.
>
> $ sha1sum Invoice_SKMBT
This went out yesterday to address the latest variant:
Win.Ransomware.Agent-6331177-0
Additionally, there are over 70 signatures that contain the keyword "Petya"
in their name.
Alain
On Wed, Jun 28, 2017 at 2:51 AM, Dmitry Melekhov wrote:
> Hello!
>
> Looks like there is no signature for pe
nsomware: http://blog.talosintelligence.com/2017/05/wannacry.html
Alain
On Sun, May 14, 2017 at 11:09 AM, Alex wrote:
> Hi,
>
> On Sat, May 13, 2017 at 1:32 PM, Alain Zidouemba
> wrote:
> > For "WannaCry", look for ClamAV signatures:
> > Win.Ransomware.WannaCry-*
>
>
A few quick answers:
- CVD: ClamAV Virus Database, signed
- CLD: ClamAV Virus Database, to which a diff update has been applied
- CUD: ClamAV Virus Database, unsigned
Use "sigtool -u" to decompress.
Alain
On Sat, May 13, 2017 at 2:52 PM, Jörg Jenderek
wrote:
> Hello,
> i found several file n
, 2017 at 1:24 PM, Alain Zidouemba
> wrote:
> > Yara rules have been supported by ClamAV since 2015:
> > http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html
>
> Yes, I saw that, but maybe I'm misunderstanding the benefit of yara.
>
> Are the signatures not
For "WannaCry", look for ClamAV signatures:
Win.Ransomware.WannaCry-*
Alain
On Sat, May 13, 2017 at 1:24 PM, Alain Zidouemba
wrote:
> Yara rules have been supported by ClamAV since 2015:
> http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html
>
> - Alain
>
>
Yara rules have been supported by ClamAV since 2015:
http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html
- Alain
On Sat, May 13, 2017 at 1:16 PM, Alex wrote:
> Hi,
>
> So you've probably heard of the latest ransomware dubbed WannaCry. I'm
> wondering if anyone has figured out a way to in
Thanks for reporting, we'll tweak the signature.
- Alain
On Sat, Apr 22, 2017 at 2:44 AM, Al Varnell wrote:
> Confirming that I am getting similar results after a quick update. I
> uploaded one message to the FP site which just happens to be a Security
> Update notice from Apple:
> 7ed54ef4cff5
They come out every 6h.
-Alain
> On Apr 13, 2017, at 9:57 PM, Rafael Ferreira wrote:
>
> Hey folks, I've noticed that new sig databases are coming out at a fairly
> inconsistent frequency lately, is this accidental or for a particular reason?
>
> Rafael
> __
:34 PM, Steve Basford <
steveb_cla...@sanesecurity.com> wrote:
>
> On Fri, March 3, 2017 7:20 pm, Alain Zidouemba wrote:
> > We're pulling the signature causing the issue now, while we investigate
> > the cause.
> >
> > - Alain
> Hi Alain,
>
> I th
We're pulling the signature causing the issue now, while we investigate the
cause.
- Alain
On Fri, Mar 3, 2017 at 12:38 PM, Aaron C. Bolch wrote:
> Greetings,
>
> After Daily Update 23161 was applied, the following error happened:
>
> Database initialization error: can’t compile engine: Malform
That alert caused by Win.Trojan.DarkKomet-5711346-0 is an FP. The signature
is being dropped.
Thanks for reporting,
- Alain
On Thu, Feb 16, 2017 at 3:17 PM, Mark Foley wrote:
> I am running a scheduled clamscan on the IMAP mail folders. The command is:
>
> /usr/local/bin/clamscan -a --detect-p
The signature Unix.Trojan.Mirai-5607459-1 has been marked to be dropped
earlier tonight. Expect this to be reflected in the CVD shortly.
- Alain
On Thu, Jan 26, 2017 at 11:15 PM, Mark Edwards
wrote:
> So far 150 of 300 CentOS 7 servers reporting:
>
> /usr/bin/systemd-nspawn: Unix.Trojan.Mirai-5
Thanks Mark. We're taking a look at this now.
- Alain
On Tue, Jan 24, 2017 at 5:53 AM, Mark Allan wrote:
> Hi,
>
> I've received a few reports of FPs with the signature
> Java.Exploit.CVE_2012_1723-8. I can't upload a sample because, of all
> places, it's being detected in the scan log which co
38 AM, Antonio Piccolomini d'Aragona <
antpiccda...@gmail.com> wrote:
> Actually, there is a 1 less. It is Win.Trojan.Agent-1812140 (I looked in my
> Mac Cronology...where I looked for some ways to fix)
>
> 2017-01-21 17:16 GMT+01:00 Alain Zidouemba :
>
> > Antonio
Antonio,
Unfortunately, I can't find any record of us having ever published
Win.Trojan.Agent-18112140.
Could the name of the signature that caused the FP be slightly different?
Alain
On Sat, Jan 21, 2017 at 9:07 AM, Antonio Piccolomini d'Aragona <
antpiccda...@gmail.com> wrote:
> Hi,
> I'm writ
It's been replaced by a different signature.
-Alain
On Wed, Jan 11, 2017 at 6:42 PM, Al Varnell wrote:
> Subject signature was added by daily - 22865 and then removed by daily -
> 22869.
>
> [daily.hsb] 52960200bf989064d77f0a158180e4ac:1101744:Osx.Malware.Agent-
> 5505694-0:73
>
> VirusTotal in
Unix.Malware.Agent-1847425 is not a heuristics detection.
- Alain
On Wed, Jan 11, 2017 at 12:28 PM, Tim Tepatti wrote:
> Sounds good to me, I'll submit them in an archive then.
>
> Also, another question: If a virus is picked up as a generic
> "Unix.Malware.Agent-1847425", does that mean that t
We are seeing the FPs and are in the process of addressing them. Please
keep reporting them.
- Alain
On Mon, Dec 26, 2016 at 8:11 AM, Steve Basford <
steveb_cla...@sanesecurity.com> wrote:
>
> On Mon, December 26, 2016 12:39 pm, Sierk Bornemann wrote:
>
> Just run freshclam...
>
> fp\Aston Villa
There's no need to create a CVD if all you want is to use official
clamav signatures and non-official signatures.
Use "sigtool -u" with a clamav cvd to unpack it and choose the
signatures you want.
You can then point clamscan or clamdscan to the directory that
contains your signatures, official
I've identified a few clean samples that this signature FP on. I'm dropping
BC.Legacy.Exploit.CVE_2012_4148-1. We'll rework it.
- Alain
On Mon, Dec 5, 2016 at 9:10 AM, Steve Basford <
steveb_cla...@sanesecurity.com> wrote:
> Hi,
>
> Just had a twitter user contact me regarding an fp that he repo
The FPs handled by Swf.Exploit.CVE_2016_7865-1 have been resolved and
this should be reflected in a CVD update later today.
-Alain
> On Nov 12, 2016, at 11:20 AM, Al Varnell wrote:
>
> Me? I'm a user like you and have no ability to solve your issues.
>
> There is really no need to post every FP
Thanks Al.
The signature has been removed.
- Alain
On Sun, Oct 23, 2016 at 2:00 AM, Al Varnell wrote:
> Have received a couple of reports of multiple WordPress site infected with
> Html.Exploit.CVE_2016_7190-1 over the past two days, which was added by
> daily - 22400 on 10/20/2016.
>
> Also f
Thanks for the FP report. The offending signature has been pulled.
- Alain
On Fri, Oct 21, 2016 at 4:16 AM, Al Varnell wrote:
> Html.Exploit.CVE_2016_3386-1 added today by daily - 22400 is identifying
> the following Main.js files as infected. They are all WebKit components
> included with mult
The signature "Html.Exploit.CVE_2016_3326-3" has been removed and will be
updated to take into account the false positives reported.
Thanks,
- Alain
On Thu, Aug 11, 2016 at 6:36 AM, ancien compte
wrote:
> and http://www.kaspersky.fr/internet-security etc is accessible now
> :)
>
> 2016-08-
The offending signature has been dropped from the signature set. This
should be reflected shortly in an upcoming signature update.
- Alain
On Wed, Aug 10, 2016 at 6:10 AM, Al Varnell wrote:
> The only way to be notified is if you submit a sample to the ClamAV False
> Positive site that I refere
Xml.Exploit.CVE_2013_3860-1 has been dropped.
Thanks,
- Alain
On Sun, Jul 24, 2016 at 11:51 AM, Al Varnell wrote:
> There was a previous Xml.Exploit.CVE_2013_3860-1 signature added by daily:
> 20352 on Apr 20, 2015 which was found to be producing FP’s and was removed
> by daily: 20358.
>
> The
We usually acknowledge every community signature submission, and even work
with submitters to tweak the signature if needed.
I see that you submitted a few signatures in the past few hours, which we
will acknowledge and review in a few hours. If there are signatures that
you've submitted in the pa
On Tue, May 17, 2016 at 1:13 PM, Alain Zidouemba <
> azidoue...@sourcefire.com>
> wrote:
>
> > Jason:
> >
> > Do you have both main.cvd and daily.cvd? Win.Trojan.Trojan-605 was
> > dropped several weeks ago, but would only be reflected in your
>
Jason:
Do you have both main.cvd and daily.cvd? Win.Trojan.Trojan-605 was
dropped several weeks ago, but would only be reflected in your installation
if you have both main.cvd and daily.cvd. Please confirm.
Thanks,
- Alain
On Tue, May 17, 2016 at 4:11 PM, Jason J. W. Williams <
jasonjwwil
Confirming the FP on MD5: 585005690e530e8047374cf14e479281. The
signature Win.Trojan.Agent-1395367
has been removed.
- Alain
On Wed, Apr 20, 2016 at 3:02 AM, Hajo Locke wrote:
> Hello,
>
> there seems to be a new FP within a Wordpress Plugin.
> Download is here:
> https://jetpack.com/install/?
Andrew:
Are you up to date with your signatures? Email.Phishing.DblDom-60 was
removed on 4/1/2016.
FYI:
$ echo -n 'Email.Phishing.DblDom-60:4:*:2f2e70617970616c2e636f6d' | sigtool --decode-sigs
VIRUS NAME: Email.Phishing.DblDom-60
TARGET TYPE: MAIL
OFFSET: *
DECODED SIGNATURE:
/[dot]paypal[dot]c
Paul:
Thanks for reporting this FP. This will be fixed momentarily.
- Alain
On Wed, Mar 30, 2016 at 2:18 PM, Paul Kosinski
wrote:
> I just downloaded samba-4.4.0.tar.gz (the latest) from samba.org, and,
> after downloading via HTTPS, ClamAV (0.99.1/21479) reports that the gz
> file contains Wi
$ sigtool -fEmail.Phishing.DblDom-60 | awk -F' ' '{print $2}' | sigtool --decode-sigs
VIRUS NAME: Email.Phishing.DblDom-60
TARGET TYPE: MAIL
OFFSET: *
DECODED SIGNATURE:
/.www.my.if.com/
If you think you have a false positive, please submit it here:
http://www.clamav.net/reports/fp
- Alain
O
Kristen:
Are you sending in your samples using: http://www.clamav.net/reports/malware ?
FYI, I couldn't find the submission you made a few days ago for
SHA256(invoice_SCAN_fGYbuu.zip)= ba41513235b21783b9741b59ceb191cc6e65f15cd15ba58ab1d9c648513419c0.
It seems like you are experiencing a similar
Your attachment didn't make it through.
Please send in your FPs here: http://www.clamav.net/reports/fp , or paste
the contents of your attachment in your email message body.
Thanks,
- Alain
On Sun, Feb 7, 2016 at 4:39 AM, Morten W. Petersen
wrote:
> Hi there.
>
> I run AVG and MalwareBytes on
Here are some I could quickly identify:
Win.Trojan.DropBear
Win.Trojan.BlackEnergy2Driver
Win.Trojan.BlackEnergy3
- Alain
On Thu, Feb 18, 2016 at 7:37 AM, Volcy, Georges
wrote:
> Good Morning,
>
> Does ClamAV detect the Blackenergy malware and is there any way for me to
> verify it.
> Thanks,
Were the files submitted through this form? http://www.clamav.net/reports/fp
Thanks,
- Alain
On Mon, Feb 8, 2016 at 9:33 AM, Klaas TJEBBES
wrote:
> Thanks for your answer.
>
> Here are the md5sums :
> acad82626e83064ce8792bb17f568726
> 21c85b53fccf0712aadad1127115f4ff
> 39cf4db0bba92ae1c188691
Arnaud:
Did you normalize your file? I.e. clamscan --leave-temps?
-Alain
> On Jan 26, 2016, at 6:55 AM, Arnaud Jacques / SecuriteInfo.com
> wrote:
>
> Hello Steve,
>
>> I've seen the same sometimes I've had to end up using type 0, instead
>> of 3/4/7 which isn't ideal.
>
> Even wit
The offending signature has been pulled as of daily: 21070, published on
Nov 18.
- Alain
On Thu, Nov 19, 2015 at 2:57 AM, Al Varnell wrote:
> I certainly agree with that.
>
> As I said in the original thread on this issue, I rarely come to the list
> with FP issues unless they appear to be impa
I believe the issue is around
5d2e{-11}*6973 <6973736574>
Remove the * and try again.
-Alain
On Nov 2, 2015, at 5:24 AM, Hajo Locke wrote:
5d2e{-11}*6973
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://
Check out
https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf,
section 3.2.4.
You should be able to write something like:
!(not)badfunction(
FYI, PCRE support is coming in ClamAV 0.99. There is a release candidate
here if you want to try it: http://www.clamav.net/downloads
Matter:
Coverage will be released later today.
-Alain
> On Oct 28, 2015, at 7:57 AM, Matthias Hank wrote:
>
> Hi,
>
> almost a week ago i uploaded a malware sample via ClamAV Website which was
> not detected by ClamAV.
>
> In the meantime, most of the scanners on Jottis Website are detecting
>
Send the sample here: http://www.clamav.net/reports/malware
Provide the MD5 or SHA256 of the sample on this mailing list.
Thanks,
- Alain
On Mon, Oct 19, 2015 at 7:28 PM, Alex wrote:
> Hi,
> I have a jar file that is apparently identified as a virus by
> Microsoft as "Trojan.Java.Adwind.af" b
Can you paste here the output of running "sigtool -i" against your
daily.cvd?
Thanks,
- Alain
On Thu, Oct 15, 2015 at 1:30 PM, Rafael Ferreira
wrote:
> 0.98.7
>
> > On Oct 15, 2015, at 8:46 AM, Steven Morgan
> wrote:
> >
> > Rafael,
> >
> > I don't see this. Which version of ClamAV are you us
Thanks Mark.
- Alain
On Thu, Aug 27, 2015 at 6:24 AM, Mark Allan wrote:
> Hi Alain,
>
> I've just submitted a small selection of the files being tagged as
> infected.
>
> Regards
> Mark
>
> > On 27 Aug 2015, at 11:09 am, Alain Zidouemba
> wrote:
>
Al,
I will be pulling the signature shortly. Could you please submit a few of
the files that are alerting here: http://www.clamav.net/report/report-fp.html ?
Thanks,
- Alain
On Wed, Aug 26, 2015 at 11:21 PM, Al Varnell wrote:
> Two Mac users so far are reporting a flood of files identified as
Thank you for reporting the FP and providing information. The signature
needs to be reworked as it is causing FPs. The current version of the
signature will be dropped shortly.
Thanks,
- Alain
On Fri, Aug 21, 2015 at 1:56 PM, Ángel González wrote:
> Al Varnell wrote:
> > I’ve had three users r
What are the MD5s or SHA256s of the 37 files you submitted?
Also, make sure you are using official ClamAV signatures in your set up.
Thanks,
- Alain
On Sat, Aug 8, 2015 at 8:00 AM, sebast...@debianfan.de <
sebast...@debianfan.de> wrote:
> You've got me wrong.
>
> I have early April 2015 transmi
be
helpful in order to determine that.
Thanks,
- Alain
On Tue, Jul 28, 2015 at 11:32 AM, P K wrote:
> Sure. I will submit but as per clamav Database this signature is already in
> database.
>
> Why we should submit sample again?
>
>
>
> On Tue, Jul 28, 2015 at 4:
Yes, please do so. Submit your sample here:
http://www.clamav.net/report/report-malware.html and provide the MD5 or
SHA256 of the sample you submitted as a reply to this email.
Thanks,
- Alain
On Tue, Jul 28, 2015 at 11:01 AM, Al Varnell wrote:
> It does not match the signature for Exploit.PDF
Not sure I understand the problem you are facing.
If you are asking if ClamAV with official signatures would detect the zip
file whose SHA256 is
eb495bcdfb517743ced48d1b165b046739fb621cc693cb09fed8c879684851f3,
then the answer is yes. The detection name you would see is
Win.Trojan.Banload-6198.
I
Can you provide the detection name that ClamAV displayed?
Thanks,
- Alain
On Thu, Jul 9, 2015 at 7:43 AM, Ingo Bente wrote:
> I am seeing the same finding. Since yesterday's daily update.
>
> I cross checked the respective file with Gmail, Avast, Avira and
> Windows Defender. None of them repo
If one of the documents doesn't contain sensitive information, can you
submit here? http://www.clamav.net/report/report-fp.html
Thanks,
- Alain
On Tuesday, July 7, 2015, Andrew Carter wrote:
>
>
> On 08/07/15 11:02, Andrew Carter wrote:
>
>> Hi ,
>>
>> I am seeing Word documents coming up with
This has been supported since the introduction of logical signatures (ldb)
in ClamAV 0.94.
- Alain
On Thu, Jun 11, 2015 at 11:00 AM, Steve Basford <
steveb_cla...@sanesecurity.com> wrote:
>
> On Thu, June 11, 2015 3:51 pm, Steven Morgan wrote:
> >
> > We've borrowed the yacc/lex code from yara p
On Tue, May 26, 2015 at 7:12 AM, Helmut Hullen wrote:
> Hallo, clamav-users,
>
> I've tried today and also last week to submit a file which contains a
> virus; it's named "t-online.ace".
> Before this try I had submitted many other "virulent" files without any
> problem.
>
> With the above mentio
Fred,
Signatures covering your samples will be released shortly.
Thanks,
- Alain
On Fri, May 22, 2015 at 10:16 AM, Fred Wittekind
wrote:
> Have recently run in to a large number of emails getting past my employers
> email filtering, all zip files, with executables inside, and all
> malicious.
Can you provide a checksum for your sample?
Thanks,
- Alain
On Wed, Apr 15, 2015 at 9:50 AM, sanes wrote:
> Why does clamscan show this file infection, but a scan with VirusTotal.com
> shows file is safe? Which source should I trust?
>
> c:\Windows\System32\mobsync.exe: Win.Trojan.Agent-86393
Coverage under the name "Php.Trojan.PCT4" will be released shortly.
Thanks,
- Alain
On Tue, Mar 24, 2015 at 5:40 PM, Steve Holdoway
wrote:
> Hi folks,
>
> I'm in the process of cleaning up an infected wordpress website and am
> finding a number of files that contain
>
> $sF="PCT4BA6ODSE_";
>
We had a network related issue over the weekend that affected outbound
emails. It should not have affected CVD releases though.
Email updates have resumed. If you encounter any other problems, please let
us know.
Thanks,
- Alain
On Mon, Dec 15, 2014 at 1:17 PM, Al Varnell wrote:
>
> Something
> If you think it needs to be quicker, then maybe you could volunteer your
> time to help with the analysis (I'm not sure how you'd go about this)
http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html
- Alain
Thank you, the signature has been revised.
- Alain
On Fri, Sep 26, 2014 at 5:09 AM, Nathan Howard
wrote:
> >
> > I seem to be getting lots of hits on my browser cache when accessing some
> > several popular sites, including the Apple Support Community Forum. Looks
> > like it was just added ear
https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf
"To whitelist a specific signature from the database you just add its name
into a local file called local.ign2 stored inside the database directory."
- Alain
On Thu, Sep 25, 2014 at 11:31 AM, Tim Edwards wrote:
> The rece
By using the tool "freshclam" that comes with ClamAV.
- Alain
On Tue, Sep 9, 2014 at 8:08 AM, McCarthy, John D. <
john.d.mccar...@leidos.com> wrote:
>
Hajo,
Would you be interested in sharing the signatures you create with the
ClamAV community? If so, please check out the process here:
http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html
As for signatures for obfuscated PHP, it really does depend on the code you
are looki
A signature update just went out and will propagate shortly.
Thanks,
- Alain
On Thu, Aug 28, 2014 at 11:12 AM, Alain Zidouemba wrote:
> Thanks for reporting; we are aware of this. Some issues on our end that
> we are in process of resolving. Should be back up momentarily.
>
Thanks for reporting; we are aware of this. Some issues on our end that we
are in process of resolving. Should be back up momentarily.
- Alain
On Thursday, August 28, 2014, Julius Plenz wrote:
> Hi,
>
> Previously when there was no daily.cvd update for 48 hours this turned
> out to be an error.