[clamav-users] ScanOnAccess: ... (null) FOUND

2019-03-13 Thread Franky Van Liedekerke via clamav-users
Hi,

I seem to be encountering the same issue someone described here:
https://www.mail-archive.com/clamav-users@lists.clamav.net/msg46022.html

For me the null-message arrived when switching to root:
ScanOnAccess: /root/.bash_history: (null) FOUND

I'm running on RHEL7 server, latest updates with versions:
clamd-0.101.1-1.el7.x86_64

The accompanying files (coming from clamav-data rpm):

-rw-r--r--. 1 clamupdate clamupdate    199693 Jan 10 06:14 bytecode.cvd
-rw-r--r--. 1 clamupdate clamupdate  53834626 Jan 10 06:14 daily.cvd
-rw-r--r--. 1 clamupdate clamupdate 117892267 Jan  9  2018 main.cvd

It seems the main.cvd is old, but I haven't run freshclam against this yet.
Could that be the reason? Since it is an internal server, I first need to set up
a proxy etc. for freshclam to work.

With friendly regards,

Franky

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Detection as PUA.Andr.Trojan.Generic-6878612-0

2019-03-13 Thread Micah Snyder (micasnyd) via clamav-users
PUA.Andr.Trojan.Generic-6878612-0 has also been dropped earlier today and will 
be removed in the next daily update.

Regards,
Micah

On 3/13/19, 7:33 AM, "clamav-users on behalf of Mark Foley" wrote:

On Wed, 13 Mar 2019 11:26:06 +0100 vamp898 wrote:
>
> Hi there,
>
> since a few days we get a _lot_ detections for 
> PUA.Andr.Trojan.Generic-6878612-0
>
> Office Documents, ZIP Documents, JPEG Images (containing nothing as 
> JPEG) are all more and more detected at this type. Not all of them but 
> way too much to see a real pattern what the actual issue is :(
>
> Is that something known?
>

Yes, I'm having the same issue.  Several hundred emails in IMAP folder are FOUND
with this PUA.  Many of these messages are one or more years old, many of the
emails are generated from within my office and are unlikely to contain malware.

I'm wondering how legit this is and whether to actually go through and remove
hundreds of messages from user's mail folder or to set .ign2 to ignore this
signature.

--Mark






Re: [clamav-users] Detection as PUA.Andr.Trojan.Generic-6878612-0

2019-03-13 Thread Mark Foley
On Wed, 13 Mar 2019 11:26:06 +0100 vamp898 wrote:
>
> Hi there,
>
> since a few days we get a _lot_ detections for 
> PUA.Andr.Trojan.Generic-6878612-0
>
> Office Documents, ZIP Documents, JPEG Images (containing nothing as 
> JPEG) are all more and more detected at this type. Not all of them but 
> way too much to see a real pattern what the actual issue is :(
>
> Is that something known?
>

Yes, I'm having the same issue.  Several hundred emails in IMAP folder are FOUND
with this PUA.  Many of these messages are one or more years old, many of the
emails are generated from within my office and are unlikely to contain malware.

I'm wondering how legit this is and whether to actually go through and remove
hundreds of messages from user's mail folder or to set .ign2 to ignore this
signature.

--Mark



Re: [clamav-users] Detection as PUA.Andr.Trojan.Generic-6878612-0

2019-03-13 Thread Al Varnell via clamav-users
Not sure exactly when this was added to the .ldu database, but by the name it's 
a Possibly Unwanted Android Application, so unlikely to be found in that many 
different types of files. The signature looks like this:

> VIRUS NAME: PUA.Andr.Trojan.Generic-6878612-0
> TDB: Engine:51-255,FileSize:1048576-4194304,Target:0
> LOGICAL EXPRESSION: 0
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> HEX: 010002110304211231054151611322718132061491a1b14223241552c16233347282d14307259253f0e1f163733516a2b283264493546445c2a3743617d255 e2

except that I added a space before the last two characters to prevent this 
e-mail from being detected as infected.

-Al-


On Mar 13, 2019, at 03:26, vamp898 via clamav-users wrote:
> Hi there,
> 
> since a few days we get a _lot_ detections for 
> PUA.Andr.Trojan.Generic-6878612-0
> 
> Office Documents, ZIP Documents, JPEG Images (containing nothing as JPEG) are 
> all more and more detected at this type. Not all of them but way too much to 
> see a real pattern what the actual issue is :(
> 
> Is that something known?




[clamav-users] Detection as PUA.Andr.Trojan.Generic-6878612-0

2019-03-13 Thread vamp898 via clamav-users

Hi there,

since a few days we get a _lot_ detections for 
PUA.Andr.Trojan.Generic-6878612-0

Office Documents, ZIP Documents, JPEG Images (containing nothing as 
JPEG) are all more and more detected at this type. Not all of them but 
way too much to see a real pattern what the actual issue is :(

Is that something known?



Best Regards



Re: [clamav-users] Txt.Trojan.Kryptik-6887991-0 FOUND

2019-03-13 Thread Dennis Peterson

That does not appear to be a well anchored regex.

dp

On 3/12/19 9:15 PM, Al Varnell via clamav-users wrote:
All I can add is some technical information about the signature. I have no 
idea what kind of infection it causes and on what platform.

The signature was added to the database by daily-25386 earlier today as an 
.ldb. Looking for a single ascii string in any type of file:

sigtool -f Txt.Trojan.Kryptik-6887991-0 | sigtool --decode-sigs
VIRUS NAME: Txt.Trojan.Kryptik-6887991-0
TDB: Engine:51-255,FileSize:262144-1048576,Target:0
LOGICAL EXPRESSION: 0
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
1/g,"");if(!/^[-_a-zA-Z0-9#.:* ,>+~[\]()=^$|]+$/.test(c))throw  E



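The two signatures decoded in these threads (Al Varnell's dump of PUA.Andr.Trojan.Generic-6878612-0 above, and Txt.Trojan.Kryptik-6887991-0 here) have the same shape: Target:0 (any file type), OFFSET: ANY (the pattern may sit anywhere in the file), one subsignature, and only a FileSize range to narrow the hits. The Python below is an added example for this archive page; it is not ClamAV's code and was not written by any of the posters. It re-assembles each decoded signature into a raw .ldb line (assuming the documented name;TDB;expression;subsig layout), applies the TDB gates and an unanchored byte search to constructed buffers, and applies a name-based .ign2 whitelist of the kind Mark asks about. The engine functionality level (100), the constructed inputs, the left-to-right handling of & and | in the logical expression, and the wildcard subset it understands (plain hex, ??, *) are assumptions of the example; the Kryptik string is used exactly as the archive shows it, trailing "E" included.

```python
"""Evaluate ClamAV logical (.ldb) signatures against in-memory buffers.

Added example for this thread; it is not ClamAV code and only models the
parts the thread talks about: the TDB gates (Engine, FileSize, Target:0),
an unanchored "OFFSET: ANY" subsignature search, and a name-based .ign2
whitelist.  Assumptions: the documented raw .ldb layout
SigName;TDB;LogicalExpression;Subsig0;... and logical expressions that are
a single subsig index or indices joined left-to-right with & and |.
"""
import re

ENGINE_FLEVEL = 100  # assumption: functionality level of the scanning engine

# PUA signature decoded in Al Varnell's message, re-assembled as a raw .ldb
# line.  The hex is split where the thread split it (before the last "e2").
PUA_HEX = ("010002110304211231054151611322718132061491a1b14223241552c1623334"
           "7282d14307259253f0e1f163733516a2b283264493546445c2a3743617d255"
           "e2")
PUA_LDB = ("PUA.Andr.Trojan.Generic-6878612-0;"
           "Engine:51-255,FileSize:1048576-4194304,Target:0;0;" + PUA_HEX)

# Txt.Trojan.Kryptik-6887991-0 as decoded by sigtool in the thread (the tail
# of the string is taken exactly as the archive shows it).
KRYPTIK_ASCII = rb'1/g,"");if(!/^[-_a-zA-Z0-9#.:* ,>+~[\]()=^$|]+$/.test(c))throw  E'
KRYPTIK_LDB = ("Txt.Trojan.Kryptik-6887991-0;"
               "Engine:51-255,FileSize:262144-1048576,Target:0;0;" + KRYPTIK_ASCII.hex())


def subsig_to_regex(hexsig):
    """Turn a hex subsignature into a bytes regex.  Supports plain hex,
    '??' (any one byte) and '*' (any run of bytes); other ClamAV wildcards
    such as {n-m} are out of scope for this example."""
    parts = []
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*?")
            i += 1
            continue
        pair = hexsig[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
        i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ldb(line):
    """Split one raw .ldb line into name, TDB ranges, expression, subsigs."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    ranges = {}
    for item in tdb.split(","):
        key, value = item.split(":")
        lo, _, hi = value.partition("-")
        ranges[key] = (int(lo), int(hi) if hi else int(lo))
    return {"name": name, "tdb": ranges, "expr": expr,
            "subsigs": [subsig_to_regex(s) for s in subsigs]}


def passes_tdb(tdb, data, flevel=ENGINE_FLEVEL):
    """Target description block gates, evaluated before any pattern search."""
    lo, hi = tdb.get("Engine", (0, 255))
    if not lo <= flevel <= hi:
        return False
    lo, hi = tdb.get("FileSize", (0, 1 << 63))
    if not lo <= len(data) <= hi:
        return False
    # Target:0 means "any file"; a non-zero target would restrict the file
    # type, which this toy does not model (it treats it as a no-op).
    return True


def evaluate(expr, hit_counts):
    """Left-to-right evaluation of 'N', 'N&M' or 'N|M' expressions."""
    if not re.fullmatch(r"\d+(?:[&|]\d+)*", expr):
        raise ValueError("unsupported logical expression: " + expr)
    result, op = None, None
    for tok in re.findall(r"\d+|[&|]", expr):
        if tok in ("&", "|"):
            op = tok
            continue
        val = hit_counts[int(tok)] > 0
        result = val if result is None else (result and val if op == "&" else result or val)
    return result


def load_ign2(text):
    """.ign2 whitelist: one signature name per line ('#' lines skipped)."""
    return frozenset(line.strip() for line in text.splitlines()
                     if line.strip() and not line.startswith("#"))


def scan(sig, data, ignored=frozenset()):
    """Return the signature name on a hit, else None."""
    if sig["name"] in ignored:     # ClamAV drops ignored names at load time;
        return None                # the observable result is the same
    if not passes_tdb(sig["tdb"], data):
        return None
    hits = [len(rx.findall(data)) for rx in sig["subsigs"]]
    return sig["name"] if evaluate(sig["expr"], hits) else None


def demo():
    """Constructed inputs only; returns a dict of scan outcomes."""
    pua = parse_ldb(PUA_LDB)
    kryptik = parse_ldb(KRYPTIK_LDB)
    needle = bytes.fromhex(PUA_HEX)
    # 2,100,064 bytes with the 64-byte pattern at an arbitrary offset, the
    # same pattern in a file under the 1 MiB floor, a 2 MB file without it,
    # and a ~300 KiB "script" carrying the Kryptik string (all constructed).
    big_with = b"\x00" * 1_500_000 + needle + b"\x00" * 600_000
    small_with = b"\x00" * 10_000 + needle
    big_without = b"\x00" * 2_000_000
    script = b"// constructed\n" + b"x" * 300_000 + KRYPTIK_ASCII + b"\n"
    ign2 = load_ign2("# local whitelist\nPUA.Andr.Trojan.Generic-6878612-0\n")
    return {
        "big_with": scan(pua, big_with),
        "small_with": scan(pua, small_with),
        "big_without": scan(pua, big_without),
        "big_with_ign2": scan(pua, big_with, ign2),
        "script": scan(kryptik, script),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14s} -> {verdict or 'OK'}")
```

Running it shows why the reports in the thread look the way they do: any file in the size window that carries the 64 bytes anywhere matches regardless of type, while the same bytes in a file just under the floor do not, which fits "not all of them" being hit. On a real host the .ign2 file goes in the database directory next to daily.cvd (one signature name per line) and clamd picks it up on reload; PUA.* signatures only fire when DetectPUA is on, so ExcludePUA for the category is the other lever. Since Micah says the signature has been dropped from daily, treat an .ign2 entry as a stopgap and remove it once the update has landed.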