Re: [clamav-users] WannaCry Homeland Security yara script. False positives?

2017-05-17 Thread Joel Esler (jesler)
Yes. We strip attachments. However, are there samples that are not being caught by the ClamAV ruleset? -- Joel Esler | Talos: Manager | jes...@cisco.com On May 17, 2017, at 6:30 PM, Al Varnell <mailto:alvarn...@mac.com> wrote: I'm pretty certain that attachments

Re: [clamav-users] WannaCry Homeland Security yara script. False positives?

2017-05-17 Thread Al Varnell
I'm pretty certain that attachments are removed to prevent malware samples from being distributed here. Need a link to a server of some sort, such as PasteBin. Sent from Janet's iPad -Al- -- Al Varnell Mountain View, CA On May 17, 2017, at 2:45 PM, Mark Foley wrote: > Perhaps I'm missing it, b

Re: [clamav-users] WannaCry Homeland Security yara script. False positives?

2017-05-17 Thread Mark Foley
Perhaps I'm missing it, but I didn't see any attachment. --Mark On 5/17/2017 1:46 PM, João Gouveia wrote: Those rules are known for FP'ing a lot. Here's a different set you might want to check, courtesy of ReversingLabs ( attached ). On Wed, May 17, 2017 at 6:10 AM, Mark Foley wrote: I added

Re: [clamav-users] WannaCry Homeland Security yara script. False positives?

2017-05-17 Thread João Gouveia
Those rules are known for FP'ing a lot. Here's a different set you might want to check, courtesy of ReversingLabs ( attached ). On Wed, May 17, 2017 at 6:10 AM, Mark Foley wrote: > I added the yara script published by Homeland Security to the clamav > database > directory. I believe I am getting

[clamav-users] WannaCry Homeland Security yara script. False positives?

2017-05-16 Thread Mark Foley
I added the yara script published by Homeland Security to the clamav database directory. I believe I am getting a substantial number of false positives on this, including messages containing PDF and JPG attachments, the latter known to be OK. $ clamscan "/home/HPRS/mpress/Maildir/.Sent Items/cur/1