Tom Shaw wrote:
At 5:21 PM +0200 10/16/09, Jose-Marcio Martins da Cruz wrote:
Tom Shaw wrote:
Yes, it strips out all URLs; just don't send with a signature that
contains your home URL or else it will get processed. Hopefully it will
not return malware so it will be discarded as dead. ;-)
N
At 8:14 AM -0700 10/16/09, Dennis Peterson wrote:
Tom Shaw wrote:
Tom Shaw wrote:
If you submit a file to virus-samp...@oitc.com I'll process it
for winnow_malware.hdb and at the same time send it to the ClamAV
malware signature team and virustotal to check if others can
detect.
If you s
Tom Shaw wrote:
As long as you don't obfuscate the URL my scripts will isolate the URL
or the attached malware and process it.
Nice! Can I send one URL per line? I have 20 undetected viruses.
--
---
Jose Marcio MARTINS DA CRUZ
Tom Shaw wrote:
If you submit a file to virus-samp...@oitc.com I'll process it for
winnow_malware.hdb and at the same time send it to the ClamAV malware
signature team and virustotal to check if others can detect.
If you submit a URL to malware to virus-samp...@oitc.com I'll download
the ma
Tom Shaw wrote:
Just to clarify, winnow_malware.hdb is designed to detect malware
payloads. Thus, it is effective in an email system only when the
payload is attached (such as a dropper, etc.). It is also very
effective when used in file system/download checking scenarios.
Thanks to Dennis a
Steve Basford wrote:
The script I use has a bit more finesse than this simple overview. I use a
randomizer to prevent this process from running at the same minute past
the hour.
Note there's a *tiny* chance if the script runs at 10.07 and then 11.03,
you'll get a temp block for an hour from some o
16.10.2009 10:42, Steve Basford wrote:
I'd use:
phish.ndb
rougue.hdb
winnow_malware_links.ndb
winnow_malware.hdb
Thanks, I have implemented these now with SaneSecurity Script 1.
--
http://www.iki.fi/jarif/
> The script I use has a bit more finesse than this simple overview. I use a
> randomizer to prevent this process from running at the same minute past
> the hour.
> Note there's a *tiny* chance if the script runs at 10.07 and then 11.03,
> you'll get a temp block for an hour from some of the mirrors, dep
Richard Chapman wrote:
I am interested in Tom's list of unofficial signatures, but haven't
found the recommended way to use the signatures. Do I need to download
them periodically, or do I just add an additional freshclam
DataBaseMirror directive? In either case, exactly what is the URL to
At 5:24 PM +0300 10/15/09, Jari Fredriksson wrote:
Does ClamAV somehow dedicate to email format (base64), or how is it
possible that i
15.10.2009 17:24, Jari Fredriksson wrote:
Does ClamAV somehow dedicate to email format (base64), or how is it
possible that it does not recognise this:
http://www.iki.fi/jarif/malware/FILE_UPS_c380a16.zip
That's a UPS fraud, W32/Bredolab.D.gen!Eldorado by F-Prot.
Uh. The point was that
--
http://www.iki.fi/jarif/
At 1:23 PM +0100 10/15/09, Steve Basford wrote:
> Undetected Outlook Express malware:
h t t p :/ / www.iki.fi/jarif/malware/install.zip
That's one of 'em:
Sanesecurity.Rogue.736.UNOFFICIAL
FYI: official ClamAV sigs now detect it as Trojan.Inject-2443. I just
noticed that my winnow.malware.75
15.10.2009 16:47, Tom Shaw kirjoitti:
At 4:30 PM +0300 10/15/09, Jari Fredriksson wrote:
Undetected IRS scam variant.
http://www.iki.fi/jarif/malware/tax-statement.exe
-
At 3:14 PM +0300 10/15/09, Jari Fredriksson wrote:
15.10.2009 14:55, Tom Shaw wrote:
The samples I have of that one are being
At 1:23 PM +0100 10/15/09, Steve Basford wrote:
> Undetected Outlook Express malware:
h t t p :/ / www.iki.fi/jarif/malware/install.zip
That's one of 'em:
Sanesecurity.Rogue.736.UNOFFICIAL
Well, that one didn't get detected by standard ClamAV. Must be running
multiple payloads.
That one
Undetected IRS scam variant.
http://www.iki.fi/jarif/malware/tax-statement.exe
--
http://www.iki.fi/jarif/
> Steve,
>
> The samples I have of that one are being detected by ClamAV standard
> sigs as Trojan.Peed-477. Wonder why you and some others didn't detect
> it with standard sigs? Could this be a problem? Do you have samples
> that were undetectable?
Not sure Tom... here's a quick test...
Offici
15.10.2009 14:55, Tom Shaw wrote:
The samples I have of that one are being detected by ClamAV standard
sigs as Trojan.Peed-477. Wonder why you and some others didn't detect it
with standard sigs? Could this be a problem? Do you have samples that
were undetectable?
Tom
Undetected Outlo
At 10:18 AM +0100 10/15/09, Steve Basford wrote:
> I am interested in Tom's list of unofficial signatures, but haven't
> found the recommended way to use the signatures. Do I need to download
> them periodically, or do I just add an additional freshclam
> DataBaseMirror directive? In either case
upscope wrote:
On Wednesday 14 October 2009 12:49:47 am Jose-Marcio Martins da Cruz wrote:
> Hello Tom,
>
> Tom Shaw wrote:
> > Jose,
> >
> > If you use the unofficial signatures it might help you. See
> > http://www.sanesecurity.co.uk/databases.htm
> I'll integrate winnow_malware.hdb.
Is there a good tutorial
Hello Tom,
Tom Shaw wrote:
Jose,
If you use the unofficial signatures it might help you. See
http://www.sanesecurity.co.uk/databases.htm
One of my signatures, winnow_malware.hdb, detects numerous (over 3000 at
present) malware samples that are not yet detected by stock ClamAV sigs. The
current li
At 10:28 AM +0200 10/13/09, Jose-Marcio Martins da Cruz wrote:
Hello,
I have 49 viruses (2 kinds only) received at our mailserver last night
which weren't detected by ClamAV, but are detected by most other
antivirus products available at www.virustotal.com.
The names of the viruses, as detected by Sophos, a
G.W. Haywood wrote:
Hi there,
Check the documentation on how to add your own signatures.
That way, it won't annoy you so much when you have to wait for people,
who already have too much work to do, to do some work for you. :)
Are you speaking for yourself or on behalf of the ClamAV team?
Ther
Hi there,
On Tue, 13 Oct 2009 Jose-Marcio Martins da Cruz wrote:
> I have 49 viruses (2 kinds only) ... weren't detected by ClamAV
> ... surely variants of viruses already detected by ClamAV. ...
> As long as this happens near every day since a week ago, it's
> becoming annoying.
Check the documenta
Hello,
I have 49 viruses (2 kinds only) received at our mailserver last night
which weren't detected by ClamAV, but are detected by most other
antivirus products available at www.virustotal.com.
The names of the viruses, as detected by Sophos, are SophoMal/Bredo-A
(detected by 16/41) and Troj/Agent-LKL (de