Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-16 Thread Nataraj
On 05/15/2017 01:04 PM, Mark Foley wrote: > On Mon May 15 15:06:07 2017 "Eric Tykwinski" wrote: >> Here's links to sample files, ie use at your own risk: >> https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168 >> >> Sincerely, >> >> Eric Tykwinski >> TrueNet,

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-16 Thread Joel Esler (jesler)
: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf > Of Dennis Peterson > Sent: Tuesday, May 16, 2017 12:25 PM > To: ClamAV users ML > Subject: Re: [clamav-users] Malware/ransomware and Yara signatures with > clamav > > If not email what is the vector? >

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-16 Thread Eric Tykwinski
Peterson Sent: Tuesday, May 16, 2017 12:25 PM To: ClamAV users ML Subject: Re: [clamav-users] Malware/ransomware and Yara signatures with clamav If not email what is the vector? dp On 5/15/17 5:11 PM, Joel Esler (jesler) wrote: > To be clear let me link to our blog post on the subject: >

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-16 Thread Dennis Peterson
If not email what is the vector? dp On 5/15/17 5:11 PM, Joel Esler (jesler) wrote: To be clear, let me link to our blog post on the subject: http://blog.talosintelligence.com/2017/05/wannacry.html There has been no email vector seen in WannaCry to date. Almost everyone that has claimed

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Joel Esler (jesler)
To be clear, let me link to our blog post on the subject: http://blog.talosintelligence.com/2017/05/wannacry.html There has been no email vector seen in WannaCry to date. Almost everyone that has claimed this has retracted it. Please read the above blog post for all the facts as we know them.

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Steven Morgan
on this page are for wannaCry, right? > > --Mark > > > -Original Message----- > > From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On > Behalf > > Of Mark Foley > > Sent: Monday, May 15, 2017 2:58 PM > > To: clamav-users@lists.clamav.

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Mark Foley
2017 2:58 PM > To: clamav-users@lists.clamav.net > Subject: Re: [clamav-users] Malware/ransomware and Yara signatures with > clamav > > On Sat May 13 13:25:07 2017 From: Alain Zidouemba > <azidoue...@sourcefire.com> wrote: > > > > Yara rules have been supported b

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Eric Tykwinski
Just as a side note, normal rules are catching the samples, so I don't know if it would display both YARA and the others. Here's what the samples show without YARA: ./CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.EXE: Win.Ransomware.WannaCry-6313053-0 FOUND

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Eric Tykwinski
Sent: Monday, May 15, 2017 2:58 PM To: clamav-users@lists.clamav.net Subject: Re: [clamav-users] Malware/ransomware and Yara signatures with clamav On Sat May 13 13:25:07 2017 From: Alain Zidouemba <azidoue...@sourcefire.com> wrote: > > Yara rules have been supported by ClamAV since

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Mark Foley
On Sat May 13 13:25:07 2017 From: Alain Zidouemba wrote: > > Yara rules have been supported by ClamAV since 2015: > http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html > > - Alain I'm following these instructions now. The instructions say, "just place your YARA

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-14 Thread Cedric Knight
On 14/05/17 17:42, G.W. Haywood wrote: >> Are clamav users protected from this ransomware? Partially. Everyone agrees: * Check MS17-010 is applied on every Windows device you can - before tomorrow! I don't have access to samples, but ClamAV seems to be picking up some of

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-14 Thread Joel Esler (jesler)
ClamAV isn't only used for mail. Clamwin and Immunet client will catch this. -- Sent from my iPhone > On May 14, 2017, at 12:42, G.W. Haywood wrote: > > Hi there, > >> On Sun, 14 May 2017, Alex wrote: >> >> Are clamav users protected from this ransomware? > >

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-14 Thread G.W. Haywood
Hi there, On Sun, 14 May 2017, Alex wrote: Are clamav users protected from this ransomware? To be clear about this, the current excitement is caused by a 'worm'. That means if vulnerable, network-connected systems are not protected from each other, for example by a firewall, the worm can

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-14 Thread Alain Zidouemba
To address WannaCry, look up signatures with the name: Win.Ransomware.WannaCry-* Re: email & WannaCry: http://blog.talosintelligence.com/2017/05/wannacry.html?showComment=1494655249347#c771405865891887102 Re: anything further we need to do to protect ourselves: "Organizations should ensure that

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-14 Thread Alex
Hi, On Sat, May 13, 2017 at 1:32 PM, Alain Zidouemba wrote: > For "WannaCry", look for ClamAV signatures: > Win.Ransomware.WannaCry-* Are clamav users protected from this ransomware? Are there possible variants not yet detected? Is there anything further we need to do

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-13 Thread Alain Zidouemba
We don't ship Yara rules. We continue to ship signatures in the ClamAV signature format. ClamAV includes Yara support so that end-users can choose to locally use Yara rules like the ones you referenced. Alain On Sat, May 13, 2017 at 2:12 PM, Alex wrote: > Hi, > > On

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-13 Thread Alex
Hi, On Sat, May 13, 2017 at 1:24 PM, Alain Zidouemba wrote: > Yara rules have been supported by ClamAV since 2015: > http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html Yes, I saw that, but maybe I'm misunderstanding the benefit of yara. Are the signatures not

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-13 Thread Alain Zidouemba
For "WannaCry", look for ClamAV signatures: Win.Ransomware.WannaCry-* Alain On Sat, May 13, 2017 at 1:24 PM, Alain Zidouemba wrote: > Yara rules have been supported by ClamAV since 2015: > http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html > > - Alain > > On

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-13 Thread Alain Zidouemba
Yara rules have been supported by ClamAV since 2015: http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html - Alain On Sat, May 13, 2017 at 1:16 PM, Alex wrote: > Hi, > > So you've probably heard of the latest ransomware dubbed WannaCry. I'm > wondering if anyone

[clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-13 Thread Alex
Hi, So you've probably heard of the latest ransomware dubbed WannaCry. I'm wondering if anyone has figured out a way to integrate the yara signatures for these types of exploits with spamassassin? https://www.us-cert.gov/ncas/alerts/TA17-132A What is the status of development of integration of