Dominique Sarrazin wrote:
> Hi everyone,
> On October 26th, ClamAV’s signature database was updated with the
> addition of Win.Downloader.DDECmdExec-6715271-0, for which I cannot find
> any information despite my thorough research.

sigtool --find-sigs [sig name] |sigtool --decode-sigs will at least tell
you what it's matching on, assuming it's an active signature.
I don't seem to have that particular signature on any system I manage,
so either it's third-party or it was dropped at some point.
The closest matches on that sig name that I have are
Win.Downloader.DDEObfuscatedCmdExec-6715127-0 and
Win.Downloader.DDEObfuscatedCmdExec-6715128-0.

> Since that update, ClamAV has reported that many tables in our MySQL are
> susceptible to this vulnerability. I would simply like to know the
> details of this vulnerability and how to identify it in our database.

Scanning the filesystem storage for any DBMS is almost certainly a waste
of time and likely to lead to all kinds of bizarre false positives.
If you really need to scan the content, scan things before inserting, or
do a periodic "retrieve-and-scan" process if you're worried about
zero-day malware that might not have had a signature when it was inserted.
-kgd
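
The periodic "retrieve-and-scan" process suggested in the reply above, as an added example that is not part of the original message: each column value is read through the database API and streamed to a local clamd with its INSTREAM command, so ClamAV sees the stored content rather than the DBMS's on-disk files. The socket path, the function names and the two-column query shape (key, content) are assumptions made for this sketch.

```python
import socket
import struct

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumption: local clamd unix socket path

def instream_frames(data, chunk=8192):
    """Yield the frames of one clamd INSTREAM session: command, sized chunks, terminator."""
    yield b"zINSTREAM\0"
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        yield struct.pack("!I", len(part)) + part  # 4-byte big-endian length prefix
    yield struct.pack("!I", 0)  # zero-length chunk ends the stream

def parse_reply(reply):
    """Return the signature name from 'stream: <name> FOUND', or None for 'stream: OK'."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        return text[len("stream: "):-len(" FOUND")]
    if text == "stream: OK":
        return None
    raise RuntimeError("clamd error: " + text)  # e.g. stream size limit exceeded

def clamd_scan(data, path=CLAMD_SOCKET):
    """Send one value to clamd over its unix socket and return the match, if any."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        for frame in instream_frames(data):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)

def scan_rows(cur, query, scan=clamd_scan):
    """Run a 'SELECT key, content ...' query on a DB-API cursor; return [(key, signature)]."""
    hits = []
    cur.execute(query)
    for key, content in cur.fetchall():
        if content is None:
            continue  # NULL columns have nothing to scan
        blob = content if isinstance(content, bytes) else str(content).encode("utf-8")
        name = scan(blob)
        if name:
            hits.append((key, name))
    return hits
```

Pass scan_rows a cursor from your MySQL connector and a query that selects the primary key and the column to check; the returned keys identify the rows whose content matched, which sigtool can then explain.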