On Thu, Jan 26, 2006 at 01:09:28PM +0100, Diego d'Ambra wrote:
> Erik Corry wrote:
> >On Thu, Jan 26, 2006 at 11:50:00AM +0100, Erik Corry wrote:
> > >
> > > How about:
> > >
> > >
> >JS.Feebs-C.variant-ec:3:*:756e6573636170652822(253636|66
On Thu, Jan 26, 2006 at 11:50:00AM +0100, Erik Corry wrote:
>
> How about:
>
> JS.Feebs-C.variant-ec:3:*:756e6573636170652822(253636|66)(253735|75)(25363e|6e)(253633|63)*(253237|27)(253237|27)(25323c|2c)??(25323c|2c)??(25323c|2c)??(25323c|2c)
Sheesh, this sig making stuff isn'
On Thu, Jan 26, 2006 at 10:24:57AM +0100, Diego d'Ambra wrote:
> Erik Corry wrote:
> >On Wed, Jan 25, 2006 at 09:55:10PM +0100, Diego d'Ambra wrote:
> > > Erik Corry wrote:
> > > >
> > > >Suspicious.HTML.javascript2=756e6573636170652822253636
>
On Wed, Jan 25, 2006 at 09:55:10PM +0100, Diego d'Ambra wrote:
> Erik Corry wrote:
> >
> >Suspicious.HTML.javascript2=756e6573636170652822253636
> >
> >Put it in a file called local.db in the same directory as your main.cvd
> >and daily.cvd files. It searches
On Wed, Jan 25, 2006 at 01:19:58PM -0500, Mike Robinson wrote:
> Erik Corry wrote:
> >
> > The following signature seems to detect the Mytob variants on my system:
> >
> > Suspicious.HTML.javascript2=756e6573636170652822253636
> >
> > Put it in a file called
nts on my system:
Suspicious.HTML.javascript2=756e6573636170652822253636
Put it in a file called local.db in the same directory as your main.cvd
and daily.cvd files. It searches for the string:
unescape ("%66
(only without the space) in a mail, so it will get some false positives.
--
Erik Corry In
On Sun, Mar 21, 2004 at 08:43:19PM +, Antony Stone wrote:
> On Sunday 21 March 2004 6:37 pm, Erik Corry wrote:
>
> > You need to distinguish between Worms and Viruses. Worms are just
> > propagating themselves. There's never any harm in dropping a worm
> >
ly to the SMTP engine of
the worm (since all MX hosts are running the software) and so the
error code cannot cause a bounce.
--
Erik Corry I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED] bunch of tax-dodging professional whiners. - B. Breathed.
ggestion:
Add a web form field for typing in the password, then you can scan
inside the zip, or reject an encrypted zip without a password.
--
Erik Corry I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED] bunch of tax-dodging professional whiners. - B. Breathed.
On Tue, Mar 02, 2004 at 09:38:11PM -0800, Shawn Tayler wrote:
> On Tue, 2 Mar 2004 17:07:53 +0100 Erik Corry <[EMAIL PROTECTED]> exclaimed:
>
> > The question is how much of a problem it really is. Are users
> > really that dumb?
> >
> > What I'm wond
e .pif, etc.
ending without the password.
That's probably not a task for clamav though, more like MIMEDefang:
http://www.mimedefang.org/
Someone seems to have been giving this some thought:
http://lists.roaringpenguin.com/pipermail/mimedefang/2004-March/020563.html
--
Erik Corry I
the
encrypted versions of the virus we have seen have all been
produced by actual encrypted-zip infections. Anyone know?
--
Erik Corry I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED] bunch of tax-
On Tue, Mar 02, 2004 at 03:07:31PM +0800, kengheng wrote:
> Hi, Can clamav detect those viruses that are protected by a password in a zipped file?
No
--
Erik Corry I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED] bunch of tax-dodging professional whiners.
seems
to be all you can do right now. In the somewhat longer run perhaps
the engine needs to be able to get a list of possible passwords so it
can have a go at decrypting the zip file.
--
Erik Corry I'd be a Libertarian, if they weren't all a
[EMAI
y just look at the clock at the moment you edit the
crontab file and use that...
--
Erik Corry I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED] bunch of tax-dodging professional whiners. - B. Breathed.
n use that to trigger freshclam.
Alternatively I could install freshclam setuid and trigger it
directly with procmail, but I'm not sure freshclam is safe to
use in setuid mode.
--
Erik Corry
thread_id=3839743&forum_id=34617
--
Erik Corry I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED] bunch of tax-dodging professional whiners. - B. Breathed.
On Wed, Feb 04, 2004 at 12:56:30PM +0200, Dinko Ivanov wrote:
> When will clamav detect MyDoom?
> I hope soon?!
Clamav detects MyDoom just fine right now, but it calls it
SCO.A.
--
Erik Corry I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED] bunc
of the
SCO virus and the virus was correctly detected. Also, standalone copies
of the decompression bombs could be scanned: Clamav stopped scanning after a
few Mbytes.
So that's nice.
--
Erik Corry I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED] bunch
d 4
Thread ID 4 not known.
I am running on Linux 2.4.20 SMP on a dual PPro with glibc-2.3.2-11.9
(Red Hat)
Any ideas?
--
Erik Corry I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED] bunch of tax-dodging professional whiners. - B. Breathed.