Hi,
Today we had a lot of problems with exe files hidden in zip archives.

I tried to add the foxholedb to our clamav, but sadly it didn't recognize the
exe in the zip.


clamscan --database=/var/lib/clamav/foxhole_generic.cdb fatuousness\ paging\ policy\ work\ regulations.zip
fatuousness paging policy work regulations.zip: OK


Best Regards


i. A. Jan Hartmann
IT Administrator Groupware

phone: +49 2371 820 298
mobile: +49 171 865 962 2
fax: +49 2371 211 443
e-mail: [email protected]


KIRCHHOFF Witte GmbH
c/o KIRCHHOFF Automotive GmbH
Stefanstrasse 2
58638 Iserlohn
Germany



KIRCHHOFF Witte GmbH | Commercial Register HRB 6370, Iserlohn District Court | Registered office: 
58640 Iserlohn | Managing Directors: Dipl.-Ing. Jürgen Wolfgang Kirchhoff, Andreas 
Haase, Dipl.-Ing. Stefan Leitzgen | http://www.kirchhoff-automotive.com





This e-mail may contain confidential and/or privileged information. If you are not 
the intended recipient (or have received this e-mail in error) please notify the 
sender immediately and destroy this e-mail. Any unauthorised copying, disclosure 
or distribution of the material in this e-mail is strictly forbidden.

----------- SCAN SUMMARY -----------
Known viruses: 185
Engine version: 0.98.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.05 MB
Data read: 0.02 MB (ratio 2.60:1)
LibClamAV debug: searching for unrar, user-searchpath: /usr/lib
LibClamAV debug: searching for unrar: libclamunrar_iface.so.6.1.26 not found
LibClamAV debug: unrar support loaded from /usr/lib/libclamunrar_iface.so.6 libclamunrar_iface_so
LibClamAV debug: Initialized 0.98.7 engine
LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Bytecode initialized in JIT mode
LibClamAV debug: /var/lib/clamav/foxhole_generic.cdb loaded
LibClamAV debug: Initializing engine->root[0]
LibClamAV debug: Initialising AC pattern matcher of root[0]
LibClamAV debug: cli_initroots: Initializing BM tables of root[0]
LibClamAV debug: Initializing engine->root[1]
LibClamAV debug: Initialising AC pattern matcher of root[1]
LibClamAV debug: cli_initroots: Initializing BM tables of root[1]
LibClamAV debug: Initializing engine->root[2]
LibClamAV debug: Initialising AC pattern matcher of root[2]
LibClamAV debug: Initializing engine->root[3]
LibClamAV debug: Initialising AC pattern matcher of root[3]
LibClamAV debug: Initializing engine->root[4]
LibClamAV debug: Initialising AC pattern matcher of root[4]
LibClamAV debug: Initializing engine->root[5]
LibClamAV debug: Initialising AC pattern matcher of root[5]
LibClamAV debug: Initializing engine->root[6]
LibClamAV debug: Initialising AC pattern matcher of root[6]
LibClamAV debug: Initializing engine->root[7]
LibClamAV debug: Initialising AC pattern matcher of root[7]
LibClamAV debug: Initializing engine->root[8]
LibClamAV debug: Initialising AC pattern matcher of root[8]
LibClamAV debug: Initializing engine->root[9]
LibClamAV debug: Initialising AC pattern matcher of root[9]
LibClamAV debug: Initializing engine->root[10]
LibClamAV debug: Initialising AC pattern matcher of root[10]
LibClamAV debug: Initializing engine->root[11]
LibClamAV debug: Initialising AC pattern matcher of root[11]
LibClamAV debug: Initializing engine->root[12]
LibClamAV debug: Initialising AC pattern matcher of root[12]
LibClamAV debug: Initializing engine->root[13]
LibClamAV debug: Initialising AC pattern matcher of root[13]
LibClamAV debug: Loaded 145 filetype definitions
LibClamAV debug: Using filter for trie 0
LibClamAV debug: Matcher[0]: GENERIC: AC sigs: 76 (reloff: 1, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 32 
LibClamAV debug: Using filter for trie 1
LibClamAV debug: Matcher[1]: PE: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 
LibClamAV debug: Matcher[2]: OLE2: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[3]: HTML: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Using filter for trie 4
LibClamAV debug: Matcher[4]: MAIL: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[5]: GRAPHICS: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[6]: ELF: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Using filter for trie 7
LibClamAV debug: Matcher[7]: ASCII: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[8]: NOT USED: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[9]: MACH-O: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[10]: PDF: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[11]: FLASH: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[12]: JAVA: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[13]: INTERNAL: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Dynamic engine configuration settings:
LibClamAV debug: --------------------------------------
LibClamAV debug: Module PE: On
LibClamAV debug:    * Submodule     PARITE:     On
LibClamAV debug:    * Submodule       KRIZ:     On
LibClamAV debug:    * Submodule    MAGISTR:     On
LibClamAV debug:    * Submodule    POLIPOS:     On
LibClamAV debug:    * Submodule    MD5SECT:     On
LibClamAV debug:    * Submodule        UPX:     On
LibClamAV debug:    * Submodule        FSG:     On
LibClamAV debug:    * Submodule    SWIZZOR:     On
LibClamAV debug:    * Submodule     PETITE:     On
LibClamAV debug:    * Submodule     PESPIN:     On
LibClamAV debug:    * Submodule         YC:     On
LibClamAV debug:    * Submodule     WWPACK:     On
LibClamAV debug:    * Submodule     NSPACK:     On
LibClamAV debug:    * Submodule        MEW:     On
LibClamAV debug:    * Submodule      UPACK:     On
LibClamAV debug:    * Submodule     ASPACK:     On
LibClamAV debug:    * Submodule    CATALOG:     On
LibClamAV debug:    * Submodule DISABLECERT:    ** Off **
LibClamAV debug:    * Submodule   DUMPCERT:     ** Off **
LibClamAV debug:    * Submodule  MATCHICON:     On
LibClamAV debug: Module ELF: On
LibClamAV debug: Module MACHO: On
LibClamAV debug: Module ARCHIVE: On
LibClamAV debug:    * Submodule        RAR:     On
LibClamAV debug:    * Submodule        ZIP:     On
LibClamAV debug:    * Submodule       GZIP:     On
LibClamAV debug:    * Submodule       BZIP:     On
LibClamAV debug:    * Submodule        ARJ:     On
LibClamAV debug:    * Submodule       SZDD:     On
LibClamAV debug:    * Submodule        CAB:     On
LibClamAV debug:    * Submodule        CHM:     On
LibClamAV debug:    * Submodule       OLE2:     On
LibClamAV debug:    * Submodule        TAR:     On
LibClamAV debug:    * Submodule       CPIO:     On
LibClamAV debug:    * Submodule     BINHEX:     On
LibClamAV debug:    * Submodule        SIS:     On
LibClamAV debug:    * Submodule       NSIS:     On
LibClamAV debug:    * Submodule     AUTOIT:     On
LibClamAV debug:    * Submodule    ISHIELD:     On
LibClamAV debug:    * Submodule       7zip:     On
LibClamAV debug:    * Submodule    ISO9660:     On
LibClamAV debug:    * Submodule        DMG:     On
LibClamAV debug:    * Submodule        XAR:     On
LibClamAV debug:    * Submodule    HFSPLUS:     On
LibClamAV debug:    * Submodule         XZ:     On
LibClamAV debug: Module DOCUMENT: On
LibClamAV debug:    * Submodule       HTML:     On
LibClamAV debug:    * Submodule        RTF:     On
LibClamAV debug:    * Submodule        PDF:     On
LibClamAV debug:    * Submodule     SCRIPT:     On
LibClamAV debug:    * Submodule HTMLSKIPRAW:    On
LibClamAV debug:    * Submodule     JSNORM:     On
LibClamAV debug:    * Submodule        SWF:     On
LibClamAV debug: Module MAIL: On
LibClamAV debug:    * Submodule       MBOX:     On
LibClamAV debug:    * Submodule       TNEF:     On
LibClamAV debug: Module OTHER: On
LibClamAV debug:    * Submodule  UUENCODED:     On
LibClamAV debug:    * Submodule     SCRENC:     On
LibClamAV debug:    * Submodule       RIFF:     On
LibClamAV debug:    * Submodule       JPEG:     On
LibClamAV debug:    * Submodule    CRYPTFF:     On
LibClamAV debug:    * Submodule        DLP:     On
LibClamAV debug:    * Submodule  MYDOOMLOG:     On
LibClamAV debug:    * Submodule PREFILTERING:   On
LibClamAV debug:    * Submodule PDFNAMEOBJ:     On
LibClamAV debug:    * Submodule  PRTNINTXN:     On
LibClamAV debug: Module PHISHING On
LibClamAV debug:    * Submodule     ENGINE:     On
LibClamAV debug:    * Submodule    ENTCONV:     On
LibClamAV debug: Module BYTECODE On
LibClamAV debug:    * Submodule INTERPRETER:    On
LibClamAV debug:    * Submodule    JIT X86:     On
LibClamAV debug:    * Submodule    JIT PPC:     On
LibClamAV debug:    * Submodule    JIT ARM:     ** Off **
LibClamAV debug: Module STATS Off
LibClamAV debug: pool memory used: 5.937 MB
LibClamAV debug: No bytecodes loaded, not running builtin test
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized ZIP file
LibClamAV debug: cache_check: a60a67db9972504c370bc088fad5eb09 is negative
LibClamAV debug: in cli_unzip
LibClamAV debug: cli_unzip: central @52b8
LibClamAV debug: cli_unzip: ch - flags 2 - method 8 - csize 527b - usize 8a00 - flen e - elen 9 - clen 0 - disk 0 - off 0
LibClamAV debug: cli_unzip: ch - fname: 8045207857.exe
LibClamAV debug: cli_unzip: lh - ZMDNAME:0:8045207857.exe:35328:21115:ecea7732:8:1:1
LibClamAV debug: CDBNAME:CL_TYPE_ZIP:21115:8045207857.exe:21115:35328:0:1:3974788914:(nil)
LibClamAV debug: cli_unzip: extracted to /tmp/clamav-5cbfdda8d607b898a1a31c62e967d7e5.tmp/zip.000
LibClamAV debug: in cli_magic_scandesc (reclevel: 1/16)
LibClamAV debug: Recognized MS-EXE/DLL file
LibClamAV debug: cache_check: 6d66dfaa8f5987ef48943c3cc2e8b8db is negative
LibClamAV debug: in cli_peheader
LibClamAV debug: versioninfo_cb: type: 10, name: 1, lang: 409, rva: 8110
LibClamAV debug: cli_peheader: parsing version info @ rva 8110 (1/1)
LibClamAV debug: VersionInfo (838e): 'CompanyName'='UnitedPeople Corporation' - 
VI:43006f006d00700061006e0079004e0061006d0065000000000055006e006900740065006400500065006f0070006c006500200043006f00720070006f0072006100740069006f00
LibClamAV debug: VersionInfo (83e2): 'FileDescription'='UnitedPeople tools' - 
VI:460069006c0065004400650073006300720069007000740069006f006e000000000055006e006900740065006400500065006f0070006c006500200074006f006f006c00
LibClamAV debug: VersionInfo (8432): 'FileVersion'='1.1.161.1' - 
VI:460069006c006500560065007200730069006f006e000000000031002e0031002e00310036003100
LibClamAV debug: VersionInfo (8466): 'InternalName'='unipeo.EXE' - 
VI:49006e007400650072006e0061006c004e0061006d006500000075006e006900700065006f002e0045005800
LibClamAV debug: VersionInfo (849e): 'LegalCopyright'='R©UnitedPeople 
Corporation.  All rights reserved.' - 
VI:4c006500670061006c0043006f00700079007200690067006800740000001204a90055006e006900740065006400500065006f0070006c006500200043006f00720070006f0072006100740069006f006e002e002000200041006c006c00200072006900670068007400730020007200650073006500720076006500
LibClamAV debug: VersionInfo (8526): 'OriginalFilename'='invepeo.EXE' - 
VI:4f0072006900670069006e0061006c00460069006c0065006e0061006d006500000069006e0076006500700065006f002e004500
LibClamAV debug: VersionInfo (8566): 'ProductName'='UnitedPeopleR® pure tools' 
- 
VI:500072006f0064007500630074004e0061006d0065000000000055006e006900740065006400500065006f0070006c0065001204ae0020007000750072006500200074006f006f00
LibClamAV debug: VersionInfo (85ba): 'ProductVersion'='1.1.161.1' - 
VI:500072006f006400750063007400560065007200730069006f006e00000031002e0031002e00310036003100
LibClamAV debug: Matched signature for file type PE
LibClamAV debug: hashtab: Freeing hashset, elements: 8, capacity: 64
LibClamAV debug: e_lfanew == 216
LibClamAV debug: File type: Executable
LibClamAV debug: Machine type: 80386
LibClamAV debug: NumberOfSections: 3
LibClamAV debug: TimeDateStamp: Tue Jul  1 12:57:51 2014
LibClamAV debug: SizeOfOptionalHeader: e0
LibClamAV debug: File format: PE
LibClamAV debug: MajorLinkerVersion: 6
LibClamAV debug: MinorLinkerVersion: 0
LibClamAV debug: SizeOfCode: 0x3400
LibClamAV debug: SizeOfInitializedData: 0x5200
LibClamAV debug: SizeOfUninitializedData: 0x0
LibClamAV debug: AddressOfEntryPoint: 0x1e06
LibClamAV debug: BaseOfCode: 0x1000
LibClamAV debug: SectionAlignment: 0x1000
LibClamAV debug: FileAlignment: 0x200
LibClamAV debug: MajorSubsystemVersion: 4
LibClamAV debug: MinorSubsystemVersion: 0
LibClamAV debug: SizeOfImage: 0xb000
LibClamAV debug: SizeOfHeaders: 0x400
LibClamAV debug: NumberOfRvaAndSizes: 16
LibClamAV debug: Subsystem: Win32 GUI
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 0
LibClamAV debug: Section name: .text
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x3216 0x4000
LibClamAV debug: VirtualAddress: 0x1000 0x1000
LibClamAV debug: SizeOfRawData: 0x3400 0x3400
LibClamAV debug: PointerToRawData: 0x400 0x400
LibClamAV debug: Section contains executable code
LibClamAV debug: Section's memory is executable
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 1
LibClamAV debug: Section name: .data
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x220e 0x3000
LibClamAV debug: VirtualAddress: 0x5000 0x5000
LibClamAV debug: SizeOfRawData: 0x2400 0x2400
LibClamAV debug: PointerToRawData: 0x3800 0x3800
LibClamAV debug: Section's memory is writeable
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 2
LibClamAV debug: Section name: .rsrc
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x2d70 0x3000
LibClamAV debug: VirtualAddress: 0x8000 0x8000
LibClamAV debug: SizeOfRawData: 0x2e00 0x2e00
LibClamAV debug: PointerToRawData: 0x5c00 0x5c00
LibClamAV debug: ------------------------------------
LibClamAV debug: EntryPoint offset: 0x1206 (4614)
LibClamAV debug: Bytecode executing hook id 259 (0 hooks)
LibClamAV debug: Bytecode: no logical signature matched, no bytecode executed
LibClamAV debug: Bytecode executing hook id 257 (0 hooks)
LibClamAV debug: Bytecode: no logical signature matched, no bytecode executed
LibClamAV debug: cli_magic_scandesc: returning 0  at line 2477
LibClamAV debug: cache_add: 6d66dfaa8f5987ef48943c3cc2e8b8db (level 0)
LibClamAV debug: cli_unzip: ch - wrkcomplete
LibClamAV debug: Matched signature for file type ZIP-SFX at 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: cli_magic_scandesc: returning 0  at line 2477
LibClamAV debug: cache_add: a60a67db9972504c370bc088fad5eb09 (level 0)
fatuousness paging policy work regulations.zip: OK
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

----------- SCAN SUMMARY -----------
Known viruses: 185
Engine version: 0.98.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.05 MB
Data read: 0.02 MB (ratio 2.60:1)
Time: 0.012 sec (0 m 0 s)
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
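The CDBNAME line in the debug output above is what ClamAV's container-metadata (.cdb) matching sees for the zip entry. The following is an added example, not code from the post or from ClamAV: it reproduces that per-entry view for a constructed ZIP and evaluates a .cdb-style line against it, so a rule for attachment names or sizes can be checked locally before it is loaded into the scanner. It assumes the documented .cdb field order, leaves ContainerSize and Res2 unmodelled (they must be `*`), and takes the filename regex as a case-sensitive unanchored search.

```python
import io
import re
import zipfile

# Constructed sample archive (not the file from the post): one deflated entry with
# a purely numeric name and an .exe extension, like the 8045207857.exe entry in
# the cli_unzip lines.  The body is a dummy stub, not a real PE.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w", zipfile.ZIP_DEFLATED) as _zf:
    _zf.writestr("8045207857.exe", b"MZ" + b"\x00" * 600)
SAMPLE_ZIP = _buf.getvalue()

def zip_meta(data):
    """Per-entry fields in the order of the CDBNAME debug line after the container
    fields: (FileName, FileSizeInContainer, FileSizeReal, IsEncrypted, FilePos, CRC32)."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for pos, zi in enumerate(zf.infolist(), start=1):  # FilePos is 1-based
            encrypted = int(bool(zi.flag_bits & 0x1))  # general-purpose flag bit 0
            out.append((zi.filename, zi.compress_size, zi.file_size, encrypted, pos, zi.CRC))
    return out

def _field_ok(pattern, value, base=10):
    """Numeric .cdb field: '*' matches anything, 'n' is exact, 'lo-hi' is a range."""
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = (int(x, base) for x in pattern.split("-", 1))
        return lo <= value <= hi
    return value == int(pattern, base)

def cdb_match(sig, entry):
    """Evaluate one .cdb line, VirusName:ContainerType:ContainerSize:FileNameREGEX:
    FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2, against one entry.
    ContainerSize and Res2 are not modelled and must be '*'.  The name regex is an
    unanchored, case-sensitive search; Res1 is the compressed entry's CRC32 in hex."""
    _, ctype, csize, fname_re, fsizec, fsizer, enc, fpos, res1, res2 = sig.split(":")
    fname, ec, er, encrypted, pos, crc = entry
    if ctype not in ("*", "CL_TYPE_ZIP") or csize != "*" or res2 != "*":
        return False
    if re.search(fname_re, fname) is None:
        return False
    return (_field_ok(fsizec, ec) and _field_ok(fsizer, er) and _field_ok(enc, encrypted)
            and _field_ok(fpos, pos) and _field_ok(res1, crc, base=16))

def matching_entries(sig, data):
    """Names of the entries in the archive that the signature would flag."""
    return [e[0] for e in zip_meta(data) if cdb_match(sig, e)]

# Local rule for the pattern in the post: any all-digit .exe name inside a ZIP.
NUMERIC_EXE_SIG = r"Local.NumericExeInZip:CL_TYPE_ZIP:*:^[0-9]+\.exe$:*:*:*:*:*:*"
```

In the log above, the Res1 value 3974788914 is the CRC ecea7732 from the lh line written in decimal, so a Res1 in a signature pins one specific compressed payload rather than a name pattern.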
