Arnaud Jacques via clamav-users wrote:
Hello Kris,
[...]
> /(n\d+).htmldomstuff;function(\1);/
>
> Do any of Clam's signature types support something like this?
I use :
6e3?3?3?
that matches n000, n003, n024, n781 ...
Right, and I've used that in cases where tracking a particular
normal
So, I've been creating local signatures for a variety of obfuscated
Javascript for a while.
But I've been missing a way to more precisely target malicious actions
based on surrounding variables.
With my latest sample, I want to match "[variable].[htmldomstuff]",
"function([variable])", acros
steven aldenkamp via clamav-users wrote:
Thanks.
Apparently the info I gave earlier was older.
We noticed also
ClamAV 0.103.5
This is still three minor patch releases behind the current one in the
0.103 series, and IIRC there were some low-grade security fixes in that
span.
It should stil
clamav.mbou...@spamgourmet.com wrote:
Kris Deugau wrote:
I went to load a semi-bookmarked page for signature writing
(https://docs.clamav.net/manual/Signatures.html), but it failed and
kept reloading Cloudflare's "security check" voodoo.
ClamAV's site works for me, usi
I went to load a semi-bookmarked page for signature writing
(https://docs.clamav.net/manual/Signatures.html), but it failed and kept
reloading Cloudflare's "security check" voodoo.
(Side question to pass up the chain at Cisco/Talos - is there a knob
that can be twisted somewhere to force that
newcomer01 via clamav-users wrote:
no one can help me?
I think most of us have just about given up on this test, and are either
doing without or call ClamAV in a way that allows us to handle FP-prone
tests like this differently from other results (either by whitelisting
mail ahead of ClamAV
Andrew C Aitchison via clamav-users wrote:
On Mon, 12 Dec 2022, newcomer01 wrote:
Well on my PC I changed a lot because the naming was too messy for me.
I have "program" clam*d*scan for which I have a clam*d*.conf and a
"program" clamscan for which I have a clamscan.conf. And then the
normal
joe a wrote:
To semi-hijack, I was attempting to deal with my own occasional false
positive by using this thread as a clue.
Attempting to follow the docs, I hit a wall here:
"To help you identify what triggered a heuristic phishing alert,
clamscan or clamd will print a message indicating the
Matus UHLAR - fantomas wrote:
On 31.03.22 11:02, Petr Jurášek via clamav-users wrote:
https://www.mail-archive.com/clamav-users@lists.clamav.net/msg51769.html
It's the same situation. Vir is detected, but file is "clean", you can
see it in summary.
looks like that. I completely missed it.
I've been seeing a series of Excel files recently that seem to be
triggering a bug of some kind.
These are not matched by any stock signatures (yet), so I've been using
clamscan --leave-temps to extract components for signatures.
Most of the time I just create hashes of a component from one s
G.W. Haywood via clamav-users wrote:
Hi there,
On Mon, 21 Mar 2022, Kris Deugau wrote:
TBH I'd prefer if Clam *did* continue, just skipping malformed rules
(and also whinging loudly in the log).
I could live with that if it didn't *also* crash.
Either would be better than ju
G.W. Haywood via clamav-users wrote:
Hi Micah,
On Wed, 16 Mar 2022, Micah Snyder (micasnyd) wrote:
I'm not sure what you mean here. Can you elaborate? If you simply
want ClamAV ignore garbage rules on load and continue with the rest
of the file (see point #4) - that's something we can easily
Jorge Elissalde via clamav-users wrote:
Thank you for your answer.
I'm using Windows clamd release 0.104.2
I have double checked with wireshark and the data sent is ok.
suppose I just send: char *eicarTest =
"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
Result is ok: i
Kris Deugau wrote:
For some types of content, just allowing a plain ASCII string instead of
the hex-coded version of the same would be a big help. Or an
enhancement in the current file formats allowing embedded comments -
I've lost track of how many times I've created something co
Micah Snyder (micasnyd) via clamav-users wrote:
G.W. Haywood wrote:
Execution time will be important for scanning filesystems, less so for
scanning mail (at least for scanning low-volume mail) and readability
can be hugely important if you're writing a lot of rules. Perhaps we
should be aski
Alex via clamav-users wrote:
Hi,
I have a fedora34 system with clamd-0.103.5 and amavisd/SA/postfix. I
have a newsletter from ncua.gov that keeps getting blocked because it
apparently contains links.gd in the body somewhere, although I can't
find it.
How do I exclude this email from being tagge
Laurent S. via clamav-users wrote:
Dear Kris,
I've had the same issue. In the last two years, I was regularly writing YARA
sigs in ClamAV and finding that it behaves in strange ways... Especially the
regex integration.
I specifically remember that counting regex wasn't possible and that I had
Maarten Broekman via clamav-users wrote:
There's not a lot that you can do in Yara rules that you can't do in LDB
sigs... for what it's worth, here's a logical sig that detects the same
thing as the Yara rules...
mbroekman@lothlorien:~$ grep MJB.JS.SendEmail
clamdb/javascript_sigs.ldb| sigtoo
After chasing docs back and forth and trying small variations, I think
I've found what's arguably a bug in Clam's YARA implementation.
These two YARA rules should both match exactly the same, but don't. The
first will only match if the condition is changed to indicate a single
match in some v
G.W. Haywood via clamav-users wrote:
Hi there,
On Fri, 14 Jan 2022, Kris Deugau wrote:
I've just come across a presumed-malicious .zip file of about 500K
that contains a ~315M ISO image, which in turn appears to contain a
~315M executable file.
After a bit of searching and testing
I've just come across a presumed-malicious .zip file of about 500K that
contains a ~315M ISO image, which in turn appears to contain a ~315M
executable file.
After a bit of searching and testing I see the --max-ratio option has
been removed from clamscan, and ArchiveMaxCompressionRatio in clam
G.W. Haywood via clamav-users wrote:
IMHO this is a pretty unconvincing reason to change your init system,
especially to one which is both as new as systemd, and as capable of
stupidity on a scale never before seen in any init system. A couple
of examples here (the wanton renaming of Ethernet in
novpenguincne via clamav-users wrote:
OEL = Oracle Enterprise Linux
Under /usr/lib/systemd/system, there are the four clam*.service files. But
since none of them are active or enabled, I don't think can be the source. I
scanned the entire file system for cl*.service and they are the only one
novpenguincne via clamav-users wrote:
I'm still experimenting with Clam and I've got 103.4 installed on an OEL
7.9 box.
What is "OEL"? I'm guessing it's some Red Hat derivative.
I've got freshclam configured to download new updates every
few hours. I can manually run freshclam and success
Vu, Hong-Duc V. via clamav-users wrote:
Hello,
How often does the main.cvd file get updated? According to this old post
they have seven changes in two years.
https://lists.clamav.net/pipermail/clamav-users/2014-September/000916.html
This will help me troubleshoot any issues with my freshclam
Hart, Steven A. via clamav-users wrote:
Hello all,
ClamAV documentation states that tar archives are supported. I've
created a small sample tar archive that includes an eicar sample.
Clamscan seems to only look at the tar archive as a single file and does
not hit on the eicar sample withi
Choate, Nathan via clamav-users wrote:
Hello,
Ive recently been experimenting with using the recently built ClamAV
Docker image in a Kubernetes deployment.
We want to utilize the ClamAV container in our deployment alongside a
basic server application running in a separate pod.
We think th
Michael Wang wrote:
I understand "more" is not clamscan, I was just showing that the file in
question cannot be opened with clamscan nor with "more" as
administrator. I also understand if clamscan cannot read a file, it
cannot scan it. My question is how I can let clamscan to read a file, as
I
I have a phishy PDF.
I want to match a string I've extracted from one of the files left by
clamscan --leave-temps, but ONLY if the outermost file being scanned is
a PDF.
The string on its own is just generic enough I don't want to rely on it
alone, so I want to limit matching to PDF files.
Wayne Florence via clamav-users wrote:
Hello,
I have recently updated my 4 ClamAV private mirrors to
version 0.103.0 to fix issues downloading the cvd files.
However I am still having issues I have the servers
setup to use freshclam via a cron once per day.
Joe Acquisto-j4 wrote:
In log find (snipped)
". . .infected by Heuristics.OLE2.ContainsMacros.VBA"
This is enabled by the AlertOLE2Macros directive in clamd.conf
". . .infected by Heuristics.Phishing.Email.SpoofedDomain"
This is enabled by the PhishingScanURLs directive in clamd.conf.
I
Vangelis Katsikaros via clamav-users wrote:
Hi Joel, thanks for the quick response. We already download once every
hour (the default ubuntu 18.04 behavior). However, we are using auto
scaling and we might be running a large number of EC2 instances (a few
hundreds), that could try to download si
G.W. Haywood via clamav-users wrote:
One of the reasons that malicious senders send so many malicious
password protected documents by email is that it is not always easy
to detect malware in them without knowledge of the password, so by
and large scanners like ClamAV don't attempt to do it (even
Orion Poplawski wrote:
Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
signature? We're seeing following URLs trigger it:
https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-
Sandeep Talla wrote:
Hi Mark/Kris,
Thank you for your responses. I have placed the *fireeye.ldb* file under
the directory /var/lib/clamav/ and modified the permission to 644 and
ownership to clamav. Then we have restarted the service
Clamav-Deamon and then started clamscan. However, Clamscam
Sandeep Talla wrote:
Hi All,
We have ClamAV installed on Ubuntu. On Ubuntu, the rules can be
specified or modified under the directory */var/lib/clamav/main.cvd*.
However, We are trying to consume ClamAV rules from the FireEye as
shown below link which is*.ldb* file and we are trying to conv
Dismas Axel (Thomas) via clamav-users wrote:
3) I ran the command:
cat Returned_Swift Copy,PDF.tar.xz | sigtool --hex-dump | head -c 2048 >
Returned_Swift_Copy.ndb
If you don't have multiple similar but not quite identical samples, and
you're not familiar with the structure of Windows execut
Robert Kudyba wrote:
Using Fedora 31, this has been happening for quite a while. After reboot
/var/run/clamav is removed, which is expected. However, wehn ClamAV was
installed the user created in /etc/passwd looks like this:
clamav:x:985:981::/var/run/clamav:/sbin/nologin
So Pulseaudio tries t
G.W. Haywood via clamav-users wrote:
It's quite possible that a scan could catch some
known problem in *any* file, no matter how compressed, containerized
and obfuscated, if there's already a signature which matches something
in the raw file (that is, before any extraction and/or decoding takes
Arjen de Korte via clamav-users wrote:
Citeren Paul Kosinski via clamav-users :
However, applying clamscan to this file (which was slightly renamed by
my download script to be more readable) results in the following output:
clamscan --alert-exceeds-max=yes --max-scantime=999
--max-scansize=4
Matus UHLAR - fantomas wrote:
On 30.03.20 18:09, Cheney, James via clamav-users wrote:
I did the sudo apt install clamav-daemon on a test 16.04 instance and
it worked perfectly!
This makes me think I've overcomplicated the centos & RHEL installs
we've done.
When I ran sudo yum install clama
micah anderson via clamav-users wrote:
Hi,
I keep having people complaining about False Positives due to
Heuristics.Phishing.Email.SpoofedDomain because of Proofpoint.
I really didn't want to do this, but I added a few entries to the
local.wdb to whitelist it:
X:.+safelinks\.protection\.out
Douglas Stinnette wrote:
I have been getting reports of ClamAV using high CPU during full scans.
Well yes it's busy scanning the whole filesystem like it's been
told to do.
Also I am getting a complaint from faculty that ClamAV is heavily using
resources and causing loss of battery
Gerard E. Seibert via clamav-users wrote:
On Mon, 23 Dec 2019 08:04:13 +0100, Alessandro Vesely via clamav-users
stated:
Perhaps you could try and match From:snopescom-.*@cmail20.com?
Actually, it is the "@cmail20.com" part changes also.
I've also got cmail1 and cmail2 in my ham collection
Mark Parker via clamav-users wrote:
Hi all,
I'm investigating clamav as a solution for a couple hundred linux
boxes. We need onaccess scanning but I'm running into an issue. For
clamd to do onaccess scanning it needs to be run as root to use the
inotify components, but since we export our
G.W. Haywood via clamav-users wrote:
To find out what might work and what might not, here's what I did:
==
Using 'clamd':
8<--
1. I moved the 'main.cld' and 'd
Joel Esler (jesler) via clamav-users wrote:
I mean, it's possible not to download the official definitions and just point
at a custom file right?
*nod* This works fine. I have a secondary Clam instance set up to use
only a selection of third-party signatures that I do not absolutely
trust
Dorian ROSSE via clamav-users wrote:
Yes that doesn,’t works as Following…
*checking for llvm-config... /usr/bin/llvm-config*
*configure: Using external LLVM*
*checking for supported LLVM version... no (6.0.0)*
*configure: error: LLVM < 3.7 required, but "6.0.0"(600) found*
*configure: error
Avinash Sonawane via clamav-users wrote:
On Mon, 13 May 2019 16:21:15 +0200
Matus UHLAR - fantomas wrote:
loading takes time, much time.
How much time are we talking about here? I suppose by 'time' we mean
loading time (load binary and signatures) + processing time (comparing
signatures).
Paul wrote:
Hi
I have been looking at using the -z option on either clamdscan or
clamscan and stumbled onto some odd behavior.
This is with version 101.1. 101.0 also behaves the same.
Take 2 paultest-010E110713-000 is constructed from test/clam.mail with
the addition of a line of text to
Dominique Sarrazin wrote:
Hi everyone,
On October 26^th , ClamAV’s signature database was updated with the
addition of Win.Downloader.DDECmdExec-6715271-0, for which I cannot find
any information despite my thorough research.
sigtool --find-sigs [sig name] |sigtool --decode-sigs will at leas
Brent Clark wrote:
Good day Guys
I have setup two clamd servers.
On my Webservers, I need to stream a file to the clamd for scanning.
I would like to ask, how would I specify two TCPAddr.
If I specify just one, server, everything works ok.
Ive tried various options and google does not appears
zhuangxiaohui wrote:
Dear guys,
Thanks to your team for providing us a such wonderful anti-virus soft.
But, I got some problems there.
I have some servers(Centos6/7). Most of them have 1GB memory, 600M
available.
But also servers with low memory. For example 512M memory, 200M available.
When I
Tilman Schmidt wrote:
Am 29.10.18 um 17:33 schrieb Kris Deugau:
Tilman Schmidt wrote:
Am 26.10.18 um 15:34 schrieb Johnny Time:
For exemple, we wanted to authorize only a white list which contains
*.doc,*.xls,*.pdf and ban the others extensions.
Surely you meant to write "*.docx,*
Jerry wrote:
We have a a steady flow of "*.doc", "*.docx" "*.xlsx" and *.pdf" files
exchanged with other offices. I have not seen a virus in any of them since
2010. Seems like you might be doing business with the wrong type of people.
I work for an ISP, managing our mail filtering services.
Th
Tilman Schmidt wrote:
Am 26.10.18 um 15:34 schrieb Johnny Time:
For exemple, we wanted to authorize only a white list which contains
*.doc,*.xls,*.pdf and ban the others extensions.
Surely you meant to write "*.docx,*.xlsx,*.pdf"?
*.doc and *.xls are the old, malware-prone MS-Office filetypes.
Johnny Time wrote:
Hi Folks,
We use Clamav and we wonder if we can whitelist some extensions on our
virus scan ?
For exemple, we wanted to authorize only a white list which contains
*.doc,*.xls,*.pdf and ban the others extensions.
If you're looking to block all files except a limited set
Dino Edwards wrote:
Answering my own question on the /var/run and the /run directories.
There is a link between the two, I just didn’t go up a level in the
directory structure. The question about the error still remains though.
The chown and mkdir look a bit suspect to me; I'm not seeing anyt
Win.Trojan.Agent-6584188-0 is a hash matching the executable from the
32-bit build of ProduKey. One of our staff doing an assets audit
triggered it by emailing the .zip to another staff member.
I've confirmed that the .zip and the files in it match a fresh download
from the developer's site,
Benny Pedersen wrote:
why is https even blocked ? :(
please whitelist https signatures
There's no reason a hacked HTTPS website couldn't host malware. And
there's no reason a spam domain couldn't get a certificate (from Let's
Encrypt, or somewhere else) if they carefully time their actions.
Paul wrote:
Hi
I have 2 emails which have tripped
Heuristics.Phishing.Email.SpoofedDomain (4 times in each email using
clamscan -x option)
Is the output from clamscan -x --debug shown below indicate the
offending url pair triggering Heuristics.Phishing.Email.SpoofedDomain?
LibClamAV debug
G.W. Haywood wrote:
Hi Kris,
On Thu, 15 Mar 2018, Kris Deugau wrote:
I'm still chasing signatures for a certain class of (very) oversized
spam with malformed HTML. ...
Would you be able to send me a few samples? Preferably with full headers.
I've been able to create log
for two-byte fixed
references in patterns in all other pattern-matching signature types,
since I have another Yara rule for a series of obfuscated Javascript
that uses a similar type of regex pattern.
-kgd
Regards
Mark.
On 14/03/18 20:47, Kris Deugau wrote:
I'm still chasing s
I'm still chasing signatures for a certain class of (very) oversized
spam with malformed HTML. I've found an issue that is either an
implementation limit or a bug in ClamAV's handling of Yara rules.
I've narrowed it down to an issue with the "#" condition variant.
For a rule like so:
rule ba
J Doe wrote:
I note though that man 5 freshclam.conf states that clamd is *NOT* set to
update by default, however when I installed the package on Ubuntu 16.04.03 LTS,
it has put in 3600 for an update frequency.
Between freshclam and clamd there are three options here that operate
indpendentl
I've had a customer reporting problems sending a supposedly all-text
(likely actually multipart text+html with no hand-added attachments)
triggering this signature.
Since it's a hash I'm baffled by what it might be misfiring on in a
legitimate more-or-less text-only message.
I don't yet have
Paul B. wrote:
Ok, I got the same errors from Synaptics upon trying to install a
completely unrelated program:
E: clamav-base: subprocess installed post-installation script returned
error exit status 1
E: clamav-freshclam: dependency problems - leaving unconfigured
E: clamav: dependency problems
Chris wrote:
Using nc -l 3310 in one terminal and nc 127.0.0.1 3310 I get:
nc -l 3310
test
this is a test
nc 127.0.0.1 3310
test
this is a test
So, IIUC I can talk to port 3310 with 127.0.0.1 or am I incorrect?
nc -l should have returned an error if clamd was actually listening on
that po
G.W. Haywood wrote:
Hi there,
On Tue, 16 Jan 2018, Kris Deugau wrote:
I'm trying to create signatures to match a particular series of
large to very large spams whose main identifier is a
I'm trying to create signatures to match a particular series of large to
very large spams whose main identifier is a
richard parker wrote:
I am sure this is something obvious to the experienced but not to a bit of
a newbie such as myself. I am struggling with installation with the
following being reported
E: dpkg was interrupted, you must manually run 'sudo dpkg --configure -a'
to correct the problem.
rich
micah anderson wrote:
I keep having people complaining about False Positives due to
Heuristics.Phishing.Email.SpoofedDomain - my research has shown me that
the reason this is happening is because of Outlook's "advanced threat
protection" which wraps urls in a "safelink" url,
I really didn't wa
Ravi wrote:
Thanks Kris for your comments. Currently we scan the incoming
files(zips/archives) placed on the local hard drive with the
clamdscan(which uses clamd daemon), Can you share more info on what you
meant on handling the result differently if we are using the clamdscan?
Whatever calls c
Ravi wrote:
Hi,
Looking forward for comments and suggestions for the below reported issue
from the community.
Well, to answer your original question, it looks to me like the test is
doing exactly what it's supposed to. Core dumps would quite reasonably
contain executable chunks, but may not
Chris Johnson wrote:
I have on access scanning configured and we successfully run a script
when a virus is found. This script allows us to make a log that the
file was scanned and a virus found. However we'd also like to run a
script to make a log when the file has been scanned and no virus has
Crystalslave wrote:
Return-Path: harlequin...@gmail.com
First off, my apologies for the confusion. This is my first time
posting to a mailing list; I didn't really know how to handle the
return path thing, so I had to start over. Is this better? The return
path goes at the top of the message bod
Mark Foley wrote:
So, the question posted below remains:
Will the expetr.yara rule, described in this thread, run as is, or not, on
Linux?
Any valid signature file will be loaded and used.
Any *invalid* signature file will cause clamd to exit.
If clamd is running, and you've been able to co
outre...@epsilon.com wrote:
Hi Al,
Could you please confirm exactly what is the issue you see with the links? As
far as I can see, they use standard link tracking.
^^
In my experience that, in and of itself, is often the problem.
The c
Cedric Knight wrote:
Devs - is it possible to block PDFs based on containing '/JavaScript'
and '/OpenAction' (or '/Launch')? I wish ClamAV has a hierarchy from
definite signatures first to secondly checking heuristics...
Not a ClamAV developer, but yes, you can create a signature for this.
Y
Joel Esler (jesler) wrote:
We already distribute some third party feeds into the official database, we
have a program for that which can be found on our website.
For my part I would far prefer an enhancement to freshclam to allow it
to download arbitrary third-party signature sets, much as Sp
nobswolf wrote:
Hello,
I just added virus support by ClamAV to my email-server. I am almost
satisfied. It already catched some "zero days".
But I'd like to separate the detection of junk from the detection of
malware. So I'd like to disable the junk detection in ClamAV.
I commented out the Jur
Groach wrote:
> If I could exclude the Clam default
> signatures and just continue to use Sane then I would and then I could
> turn back on quarantining to make our systems safe again.
You can; turn off freshclam and delete the stock signature files.
Also make sure that you don't use the --off
Al Varnell wrote:
> On Dec 27, 2016, at 1:53 PM, demonhunter wrote:
>> Office Open XML file format (.doc(x|m), .xls(x|m), etc.,
>> https://en.wikipedia.org/wiki/Office_Open_XML) are ZIP files, and those with
>> macros typically contain an OLE2 file named vbaProject.bin. This signature
>> appear
Mark Foley wrote:
> Kees - thanks for that info. So, basically I'd have to start a new clamd with
> a
> different socket and therefore pointing to a different config file. Not sure
> then what the point of the --config-file parameter to clamdscan is ...
It allows you to call a different clamd tha
Joel Esler (jesler) wrote:
> Dave,
>
> Check out:
> https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf
Unfortunately this document still leaves a number of questions, since
it's quite easy to create a signature that looks to be valid but which
ClamAV won't accept. And the
John T. Bryan wrote:
> I’ve been running ClamAV now for some years as the virus-checking plug-in on
> my main multi-client mail server. For a long time, I was very pleased with
> it and how easily I was able to integrate it into the custom software back
> when I first switched to it.
>
> Lately,
crazy thinker wrote:
> Hi,
>
> I would you like to get each file status call back in *Clamdscan output*
> while perfrom scan over a dirtectory using *clamdscan*. but i able to get
> a file status call back *(OR | ERROR| FOUND)* in *Clamdscan output* when
> i perfrom scan over a *single file.
Matus UHLAR - fantomas wrote:
> On 15.09.16 00:51, Reindl Harald wrote:
>> frankly i have seen companies blocking every .doc and .xls attachment
>> with a reject info that you should use .docx and .xslx becasue they
>> can't contain macros (would be .docm for the new formats)
>
> .docm is docx wit
Steven Morgan wrote:
> Please try clamscan --scan-html=no to turn off normalization.
Mmmm. I suppose that's technically the functionality I'm asking for,
but in its current form it's a pretty blunt instrument - it's all or
nothing, especially if set for clamd with the "ScanHTML" option in
clamd.c
Kris Deugau wrote:
> Is there a way to force matching on the raw file, or at least control
> the normalization to some degree so that formatting and details in the
> original code aren't lost?
As a complement to that question, is there a way to *force* other
Javascript files to be
Is there a way to force matching on the raw file, or at least control
the normalization to some degree so that formatting and details in the
original code aren't lost?
I've been coming across .wsf files in .zip files, which are essentially
Javascript wrapped in a very thin wrapper:
[insert nasty
Alex wrote:
> Please don't send me to the amavis list - there must be someone who
> uses both clamav and amavis that understands what's happening here.
Much like SpamAssassin, Clamav in and of itself can only say "Matched
signature " or "Triggered heuristic test ", or "Didn't match
anything".
It'
Alex wrote:
> Hi,
>
> I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
> for capitaloneemail.com, but can't figure out how to use sigtool to
> determine which actual domain it thinks was spoofed.
>
> # sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
> sigtool --d
Charles Swiger wrote:
> On Jul 19, 2016, at 10:39 AM, Kris Deugau wrote:
>> ClamAV hits on any of the Heuristics.* tests get flagged instead of
>> treated the same as the signature-based hits, and that flag either
>> causes an an adjustment in the SpamAssassin results
Charles Swiger wrote:
> The milter approach is less flexible. With a scoring mechanism, you can rate
> actual viruses sufficiently negative that the scoring algorithm will always
> reject them.
That depends on the milter you're using. My own favoured milter is
MIMEDefang, which allows you do
Groach wrote:
> As a side note: is anyone surprised a virus hasnt been released,
> embedded in a 'password protected' Zip file (to fool AV scans) with the
> body of the email sayuing something like "to fight against viruses and
> to protect you, it is password protected. Your password is: ABC12
Steve Basford wrote:
> 1) .rmd/.zmd databases are obsolete, they are replaced with .cdb
>
> More details:
> https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf
Does anyone have any examples of valid signatures for the .cdb sigfiles?
I've tried a couple of times to port some
Gene Heskett wrote:
> But, I do wish that clamd would send me a substitute email advising that
> it has stashed a suspect incoming email into the
> mailfile /var/spool/mail/virii. I try to look that file over for FP's,
> but quickly get lost in the visual garbage because its probably a zip'd
>
Alex wrote:
> Steve Basford wrote:
>> I've posted the email here:
>> http://pastebin.com/n4WRjmzE
>
>> Got a match: f.email.americanexpress.com/ with /moc.sserpxenacirema
>> Before inserting .: .f.email.americanexpress.com
>> Lookup result: in regex list
>> Phishcheck:host:.r.smartbrief.com
>> Ph
G.W. Haywood wrote:
> Hi there,
>
> On Mon, 2 Nov 2015, Hajo Locke wrote:
>
>> ... It seems to be so easy for a php-programmer to generate infinite
>> number of malwarefiles ...
>
> That's correct.
>
> Any .php file sent here goes straight to /dev/null without inspection.
I can't say I've seen
1 - 100 of 149 matches
Mail list logo