That particular signature is a community signature provided by Willian
Cruz.
More about community signatures:
http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html
On Wed, Apr 8, 2015 at 12:15 PM, Douglas Goddard
wrote:
> You can look the hash of the file up in VirusTo
You can look the hash of the file up in VirusTotal.
Here is the original file that signature is associated with:
https://www.virustotal.com/en/file/4E7496E13D437989E135090713EE10C740C290D2CD869DC5A8130EFE4EF2CD98/analysis/
Googling the term OutBrowse will bring up some write ups for it explaining
Try this page:
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-virusdb
On Sun, Mar 8, 2015 at 10:16 PM, Shawn Reynolds
wrote:
> How do I unsubscribe from the ClamAV update list? I currently have about
> 80 emails of it in my inbox, and it is keeping me from important e-mails.
>
>
> _
I've dropped .js, .html, and .lnk as top level extensions from those
signatures as they were causing too many problems.
Zip.Suspect.MiscDoubleExtension-zippwd-8:*:(?i)((\.doc)|([
_.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|
Do you have some examples of files that are still causing problems?
I removed the .js extension - I'm happy to revise things further if it is
still causing problems.
On Wed, Sep 17, 2014 at 9:22 AM, James Meason wrote:
>
>
> Hi Steve,
>
>
> Thanks for your quick reply,
>
>
> This appears to aff
Thank you for the submissions James.
It looks like it is alerting on this:
libraries/gantry/js/belated-png.js
I removed the 'top level' extension .html from this signature, and
considered removing .js but didn't. I'll revise these later today to not
have .js, as that is not a huge threat in term
Maybe VT hasn't updated their DB since it was published.
FP handled, signature dropped.
Thanks,
Doug
On Tue, Sep 16, 2014 at 5:28 PM, Al Varnell wrote:
> The following file was found in Adobe PhotoShop CS6 infected with
> Win.Worm.Chir-681 (apparently added to the database earlier today):
>
>
This signature is in the process of being dropped. The signature is a ZMD
and PUA is not supported for this type. Once it is dropped it will be
re-published under a non PUA name.
If you would still like to ignore these alerts you can add the new
signatures' names to a whitelist.ign file in your Cl
Sep 4, 2014 at 11:45 AM, Douglas Goddard
wrote:
> I'm looking into the PUA issue and will follow up about that.
>
>
> On Thu, Sep 4, 2014 at 11:43 AM, Douglas Goddard
> wrote:
>
>> That is a zip signature looking for double extension files. So, it is
>> intere
I'm looking into the PUA issue and will follow up about that.
On Thu, Sep 4, 2014 at 11:43 AM, Douglas Goddard
wrote:
> That is a zip signature looking for double extension files. So, it is
> interesting that it is alerting on a .txt file, unless that is a zip file
> in disguis
That is a zip signature looking for double extension files. So, it is
interesting that it is alerting on a .txt file, unless that is a zip file
in disguise.
You can whitelist the signature by adding a whitelist.ign file to your
ClamAV database directory (for me, the path is: /usr/local/share/clama
We're working on some signatures for our users who run ClamAV on their mail
servers. We'll be tweaking them over the next few weeks to minimize false
positives, but with loose signatures like this, it is difficult to
eliminate them completely.
If you're not concerned about double extension files i
> Thanks,
> Manoj Chitrala
>
>
> --
> Manoj Chitrala
> Unix Administrator & Postmaster
>
> Tel: +44 207 084 3142 | Fax: +44 207 084 3001 | Mobile: +44 7971 312075
>
>
>
> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lis
Confirmed the false positive. The signature should be dropped by the end of
the day.
On Tue, Aug 19, 2014 at 5:34 AM, Manoj Chitrala
wrote:
> Hi,
>
> Here is the MD5 sum output.
>
> root@RSNUKLT146:~/Desktop# md5sum show.html.erb
> 16e3a74703c22cce728bb523439c1d02 show.html.erb
> root@RSNUKLT1
Can you contact the previous owner and ask them if there is something
custom running at boot?
Is there anything too important on the computer to do a fresh install?
Are you at a terminal prompt, can you type commands?
On Fri, May 2, 2014 at 12:07 PM, Gene Heskett wrote:
> On Friday 02 May 201
You can also write your own signatures.
[PDF]
https://github.com/vrtadmin/clamav-devel/raw/master/docs/signatures.pdf
On Mon, Apr 21, 2014 at 3:21 PM, Charles Swiger wrote:
> Hi--
>
> On Apr 21, 2014, at 12:12 PM, Dave Shevett wrote:
> > Hi everyone - we have clamav now running happily via cr
Thanks. These are all mine. I'll drop the FPs right away.
On Wed, Feb 12, 2014 at 12:06 AM, Al Varnell wrote:
> I very much appreciate the obvious hard work from the signature team in
> more than doubling the number of OSX signatures in the database today.
>
> Unfortunately it would appear that
Looking at the original file and what was uploaded to VT, this signature is
the md5sum of 43180 null bytes. While I would say this is definitely
Junk.Corrupted, it's not malicious. I'll drop it.
Thanks for the report.
On Thu, Feb 6, 2014 at 6:12 AM, Steve Basford <
steveb_cla...@sanesecurity.com
This might help shed some light:
https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-safebrowsing.md
If you can locate the safebrowsing.cvd on your computer, you can unpack it
with sigtool and view the contents.
On Tue, Jan 21, 2014 at 1:40 PM, Alex wrote:
> Hi,
>
> I received a num
It was an oversight on our end. Thank you for being persistent. The
offending bytecode has been dropped and the fixed code has been published.
On Thu, Dec 12, 2013 at 4:22 AM, Al Varnell wrote:
> On Wed, Dec 11, 2013 at 06:56 AM, Douglas Goddard wrote:
> > When was your last signatu
When was your last signature update? Could you run freshclam and then
rescan? That version of the bytecode signature has been dropped and should
no longer be alerting, the current version is BC.Exploit.CVE_2013_3906-3.
If that version is still alerting after an update then we will do some
deeper in
You would put the signature (Ziptest:0:.*\.exe:*:*:*:*:*:*) into the file
virusexe.zmd. You can put all your signatures in that file, just put each
one on a new line.
Then, when you want to scan with it, just use:
clamscan -d virusexe.zmd
If you would like to scan a specific file or directory, j
It is a regular expression. So you could replace exe with something like
(exe|EXE) to detect both uppercase and lowercase.
- Doug
On Tue, Sep 17, 2013 at 3:05 PM, Alejandro Rodriguez wrote:
> How I can ignore uppercase in a filename.
> Right now i´m using foxhole_all.cdb to block .exe files ins
You can use a zmd signature detailed in this doc:
http://www.clamav.net/doc/latest/signatures.pdf
Here is an example signature for detecting files with the .sh extension:
Ziptest:0:.*\.sh:*:*:*:*:*:*
- Doug
On Tue, Sep 17, 2013 at 7:08 AM, Rajesh M <24x7ser...@24x7server.net> wrote:
> hi
>
>
I often get the locked by another process error when freshclam is running
in daemon mode.
$ sudo freshclam
ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile =
/var/log/clamav/freshclam.log)
$ ps aux | grep clam
clamav2733 0.0