Doc.Dropper.Agent is automated. Sounds like someone submitted the file to Clamav.net or one of my other automated systems that produces detection.
-- 
Joel Esler | Talos: Manager | [email protected]

On Nov 15, 2017, at 7:09 PM, Al Varnell <[email protected]> wrote:

Yes, both those signatures were added in daily - 24045 last night (my time).

-Al-

On Wed, Nov 15, 2017 at 01:14 PM, Mark Foley wrote:

Actually, the clamscanner is now finding these files, so someone must have updated something since yesterday (which is when these files came in):

/home/HPRS/matkeson/Maildir/.SENT/cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S: Doc.Dropper.Agent-6374331-0 FOUND
/home/HPRS/matkeson/Maildir/.SENT/cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S!MAIL:InvoiceETT3600920.doc!...!(3)ZIP:docProps/core.xml: Doc.Dropper.Agent-6374331-0 FOUND

I'll go ahead and submit my file anyway, in case this is something different.

--Mark

-----Original Message-----
From: Steven Morgan <[email protected]>
Date: Wed, 15 Nov 2017 15:50:31 -0500
To: ClamAV users ML <[email protected]>
Subject: Re: [clamav-users] Virus Malvare not detected

Mark,

Please open a bug report about this issue at bugzilla.clamav.net. Please include your file and we can look into the issues.

Thanks,
Steve

On Wed, Nov 15, 2017 at 2:45 PM, Mark Foley <[email protected]> wrote:

I'm going to continue piggybacking onto this thread as it deals with Clamav's non-discovery of the malware attached to messages with the subject "Invoice ...". Although, I don't know if this is the same type of attachment. The attachments I've been getting are .docx files named as .doc files.
In examining the contents of these archives I find:

$ unzip -l InvoiceZGC3020188.doc
Archive:  InvoiceZGC3020188.doc
  Length      Date    Time    Name
---------  ---------- -----   ----
     1510  01-01-1980 00:00   [Content_Types].xml
      590  01-01-1980 00:00   _rels/.rels
     1226  01-01-1980 00:00   word/_rels/document.xml.rels
     5097  01-01-1980 00:00   word/document.xml
     5424  01-01-1980 00:00   word/media/image1.emf
   132276  01-01-1980 00:00   word/media/image2.png
     6850  01-01-1980 00:00   word/theme/theme1.xml
     6144  01-01-1980 00:00   word/embeddings/oleObject1.bin
     4809  01-01-1980 00:00   word/settings.xml
     1299  01-01-1980 00:00   word/fontTable.xml
      576  01-01-1980 00:00   word/webSettings.xml
      995  01-01-1980 00:00   docProps/app.xml
    29121  01-01-1980 00:00   word/styles.xml
      732  01-01-1980 00:00   docProps/core.xml
---------                     -------
   196649                     14 files

"Normal" .docx files do not have the oleObject1.bin as an archive member. I do have ScanOLE2 and OLE2BlockMacros enabled. So why isn't clamav detecting this oleObject1.bin member? (To where should I submit a sample of this attachment?)

--Mark

-----Original Message-----
From: Mark Foley <[email protected]>
Date: Wed, 15 Nov 2017 13:18:23 -0500
Organization: Novatec Software Engineering, LLC
To: [email protected]

I'm having this same issue. The problem as I see it is that the .doc attached to these "Invoice" messages is encrypted and clamav does not see what's inside. I'm discussing this encrypted attachment issue in my thread, subject: "password protected encrypted .docx files". I'm continuing to research this.

--Mark

On Wed, 15 Nov 2017 15:09:59 -0300 Emanuel <[email protected]> wrote:

Other virus not detected: https://www.virustotal.com/#/file/6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd/detection

On 14/11/17 at 09:52, Emanuel wrote:

Scan the attachment, clamav does not detect this file.

On 14/11/17 at 09:51, Al Varnell wrote:

You mentioned two attachments.
Kaspersky and ClamXAV appear to catch the first one, but neither catches the second one you showed us. The SHA256 for a file is the same no matter what scanner is used.

-Al-

On Tue, Nov 14, 2017 at 04:36 AM, Emanuel wrote:

The first scan is with kaspersky online.

On 14/11/17 at 09:31, Al Varnell wrote:

That's not the same file you showed before. The SHA256 is different.

-Al-

On Tue, Nov 14, 2017 at 04:23 AM, Emanuel wrote:

Please see https://www.virustotal.com/es-ar/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/1510662252/

On 14/11/17 at 09:00, Al Varnell wrote:

According to VirusTotal, ClamAV does detect it as Doc.Dropper.Agent-6369707-0 <https://www.virustotal.com/en/file/142a177f214671f7abd22f9e545595bf56a8116763bb7e9de7368aa1b2d381bf/analysis/>, but go ahead and try to submit it anyway.

-Al-

On Tue, Nov 14, 2017 at 03:33 AM, Emanuel wrote:

Hello,

I received two doc files in an email with the Subject "Invoice". The attachment is a malware virus; clamav did not detect this.
Scan with kaspersky:

Scan result: File is infected
Detected threats: Trojan-Downloader.MSWord.Agent.bqx
File size: 144.95 KB
File type: OOXML/DOCUMENT
Scan date: Nov 14 2017 08:15:42
Databases release date: Nov 14 2017 10:36:04 UTC
MD5: 70bdc39f8f57e090bebc4616924cdadc
SHA1: ecf414f8523627a0d5d6637041f6e1e3bbcee62e
SHA256: 142a177f214671f7abd22f9e545595bf56a8116763bb7e9de7368aa1b2d381bf

Is it possible to add this virus manually to the clamav database?

_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml

-Al-

-- 
envialosimple.com
Emanuel Gonzalez
Deliverability Specialist
[email protected]
www.envialosimple.com by donweb

Confidentiality note: This message and any files attached to it are confidential and for the exclusive use of the addressee. Disclosure and/or use of it without authorisation from DonWeb.com is prohibited. DonWeb.com is not responsible for the message if it has been falsified and/or altered. If you are not the addressee and have received it by mistake, please notify the sender and delete it from your system.
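The thread turns on two things Mark Foley worked out by hand: a genuine .docx is a ZIP package, so `unzip -l` shows members such as word/embeddings/oleObject1.bin, while a password-protected OOXML file is not a ZIP at all but an OLE2/CFB container carrying EncryptionInfo and EncryptedPackage streams, which is why a scanner that cannot open it sees nothing inside. The script below is an added triage example written for this page, not code from the list or from ClamAV. It classifies an attachment by magic bytes, lists the OOXML members that carry embedded or active content, and flags an OLE2 container that looks like an encrypted package. The SUSPECT_PREFIXES list and the EncryptedPackage string search are the author's own heuristics, and the sample files are constructed in the script rather than being the attachments from the thread.

```python
"""Triage an Office attachment: ZIP-based OOXML package, OLE2/CFB container,
or something else, and list the OOXML parts worth a closer look."""
import hashlib
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                       # local file header of a ZIP
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header

# OOXML parts that carry embedded objects, VBA or ActiveX controls.
# Assumed list for this example, not a ClamAV or Microsoft definition.
SUSPECT_PREFIXES = (
    "word/embeddings/", "word/vbaProject", "word/activeX/",
    "xl/embeddings/", "xl/vbaProject",
    "ppt/embeddings/", "ppt/vbaProject",
)


def container_type(data: bytes) -> str:
    """Classify by leading bytes: a real .docx starts with a ZIP header,
    a legacy .doc or an encrypted OOXML file starts with the CFB header."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    if data.startswith(CFB_MAGIC):
        return "ole2-cfb"
    return "unknown"


def cfb_looks_encrypted(data: bytes) -> bool:
    """Heuristic (assumption): CFB directory entry names are stored UTF-16LE,
    and an encrypted OOXML package carries an 'EncryptedPackage' stream, so
    a raw search for that name is enough to flag the common case. This does
    not parse the CFB directory."""
    return "EncryptedPackage".encode("utf-16-le") in data


def suspicious_members(data: bytes) -> list:
    """Return the ZIP members under the suspect prefixes, in archive order."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.startswith(SUSPECT_PREFIXES)]


def triage(data: bytes) -> dict:
    """Produce a small report: hash, container kind, encryption flag and
    the suspect members found (ZIP case only)."""
    kind = container_type(data)
    report = {"sha256": hashlib.sha256(data).hexdigest(), "type": kind,
              "encrypted": False, "suspect": []}
    if kind == "ooxml-zip":
        report["suspect"] = suspicious_members(data)
    elif kind == "ole2-cfb":
        report["encrypted"] = cfb_looks_encrypted(data)
    return report


# Constructed samples for the example; not the files discussed on the list.
def build_docx(with_ole: bool) -> bytes:
    """Build a minimal OOXML-shaped ZIP, optionally with an embedded OLE part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_ole:
            zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 64)
    return buf.getvalue()


# A CFB header followed by padding and a UTF-16LE stream name, standing in
# for a password-protected OOXML file (constructed, not a real document).
FAKE_ENCRYPTED_CFB = (CFB_MAGIC + b"\x00" * 504
                      + "EncryptedPackage".encode("utf-16-le") + b"\x00" * 64)

if __name__ == "__main__":
    for label, blob in (("docx-plain", build_docx(False)),
                        ("docx-with-ole", build_docx(True)),
                        ("encrypted-cfb", FAKE_ENCRYPTED_CFB)):
        print(label, triage(blob))
```

Run against a real "Invoice*.doc" attachment, the report tells you which of the two situations in the thread you are in: a ZIP whose suspect list contains word/embeddings/oleObject1.bin is the case Mark listed with `unzip -l`, and an ole2-cfb result with the encrypted flag set is the case where the package is wrapped in an encrypted container and no member listing is possible without the password.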
