Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
On Wed, 8 Feb 2012 11:02:54 +1100
Bill Maidment b...@maidment.vu wrote:

> I have manually patched 0.97.3, re-compiled, re-installed and restarted
> clamd, but the ign2 file is still being ignored.
>
> [root@stiles clamav]# cat /usr/local/share/clamav/local.ign2
> BC.Exploit.CVE_2011_3412

The entry is not complete. The correct one is:

BC.Exploit.CVE_2011_3412.{CVE_2011_3412}

HTH,

--
Tomasz Kojm tk...@clamav.net
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Wed Feb 8 12:23:16 CET 2012
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
* Tomasz Kojm tk...@clamav.net:

> On Wed, 8 Feb 2012 11:02:54 +1100
> Bill Maidment b...@maidment.vu wrote:
>
> > I have manually patched 0.97.3, re-compiled, re-installed and restarted
> > clamd, but the ign2 file is still being ignored.
> >
> > [root@stiles clamav]# cat /usr/local/share/clamav/local.ign2
> > BC.Exploit.CVE_2011_3412
>
> The entry is not complete. The correct one is:
>
> BC.Exploit.CVE_2011_3412.{CVE_2011_3412}

After applying your fix, correct?

--
Ralf Hildebrandt                     Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de          Campus Benjamin Franklin
http://www.charite.de                Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk   fon: +49-30-450.570.155
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
On Wed, 8 Feb 2012 14:03:18 +0100
Ralf Hildebrandt ralf.hildebra...@charite.de wrote:

> * Tomasz Kojm tk...@clamav.net:
>
> > On Wed, 8 Feb 2012 11:02:54 +1100
> > Bill Maidment b...@maidment.vu wrote:
> >
> > > I have manually patched 0.97.3, re-compiled, re-installed and restarted
> > > clamd, but the ign2 file is still being ignored.
> > >
> > > [root@stiles clamav]# cat /usr/local/share/clamav/local.ign2
> > > BC.Exploit.CVE_2011_3412
> >
> > The entry is not complete. The correct one is:
> >
> > BC.Exploit.CVE_2011_3412.{CVE_2011_3412}
>
> After applying your fix, correct?

Correct. It won't work without the fix.

--
Tomasz Kojm tk...@clamav.net
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Wed Feb 8 15:06:01 CET 2012
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
-----Original message-----
From: Tomasz Kojm tk...@clamav.net
Sent: Wed 08-02-2012 22:25
Subject: Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
To: ClamAV users ML clamav-users@lists.clamav.net

> On Wed, 8 Feb 2012 11:02:54 +1100
> Bill Maidment b...@maidment.vu wrote:
>
> > I have manually patched 0.97.3, re-compiled, re-installed and restarted
> > clamd, but the ign2 file is still being ignored.
> >
> > [root@stiles clamav]# cat /usr/local/share/clamav/local.ign2
> > BC.Exploit.CVE_2011_3412
>
> The entry is not complete. The correct one is:
>
> BC.Exploit.CVE_2011_3412.{CVE_2011_3412}

Thanks for that. I was using the virus name reported by mimedefang.
I must remember to use sigtool to give me the correct name.
The fix does work.

Cheers
Bill Maidment
IT Consultant to Elgas Ltd
Phone: 02 4294 3649
[clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
Hi!

I'm trying to disable this signature, since it's giving me FPs for some
XLS files (yes, I already submitted it as FP today):

mail2:/var/lib/clamav# sigtool --find-sigs=BC.Exploit.CVE_2011_3412
[0001114551.cbc BYTECODE] BC.Exploit.CVE_2011_3412.{CVE_2011_3412};Engine:56-255,Target:0;(01);0:d0cf11e0a1b11ae1;*:1c000404

mail2:/var/lib/clamav# cat local.ign2
BC.Exploit.CVE_2011_3412.{CVE_2011_3412}
BC.Exploit.CVE_2011_3412
CVE_2011_3412

(I tried 3 different ways of disabling the signature)

I restarted clamd, but still the mails are stopped as infected:

Tue Feb 7 13:33:09 2012 - /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p004: BC.Exploit.CVE_2011_3412(6988ecb2df20c8d0a4f43ccdc4008136:1782277) FOUND
Tue Feb 7 13:33:09 2012 - /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p002: BC.Exploit.CVE_2011_3412(39fd7b52d5cde9f8599267f1eb0c5aab:1317888) FOUND

What am I doing wrong here?
Running clamav 0.97.3

--
Ralf Hildebrandt                     Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de          Campus Benjamin Franklin
http://www.charite.de                Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk   fon: +49-30-450.570.155
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
Ralf,

We got your FP reports and will address them today.

Thanks,
-Alain

On Tue, Feb 7, 2012 at 8:08 AM, Ralf Hildebrandt ralf.hildebra...@charite.de wrote:
> Hi!
>
> I'm trying to disable this signature, since it's giving me FPs for some
> XLS files (yes, I already submitted it as FP today):
>
> mail2:/var/lib/clamav# sigtool --find-sigs=BC.Exploit.CVE_2011_3412
> [0001114551.cbc BYTECODE] BC.Exploit.CVE_2011_3412.{CVE_2011_3412};Engine:56-255,Target:0;(01);0:d0cf11e0a1b11ae1;*:1c000404
>
> mail2:/var/lib/clamav# cat local.ign2
> BC.Exploit.CVE_2011_3412.{CVE_2011_3412}
> BC.Exploit.CVE_2011_3412
> CVE_2011_3412
>
> (I tried 3 different ways of disabling the signature)
>
> I restarted clamd, but still the mails are stopped as infected:
>
> Tue Feb 7 13:33:09 2012 - /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p004: BC.Exploit.CVE_2011_3412(6988ecb2df20c8d0a4f43ccdc4008136:1782277) FOUND
> Tue Feb 7 13:33:09 2012 - /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p002: BC.Exploit.CVE_2011_3412(39fd7b52d5cde9f8599267f1eb0c5aab:1317888) FOUND
>
> What am I doing wrong here?
> Running clamav 0.97.3
>
> --
> Ralf Hildebrandt                     Charite Universitätsmedizin Berlin
> ralf.hildebra...@charite.de          Campus Benjamin Franklin
> http://www.charite.de                Hindenburgdamm 30, 12203 Berlin
> Geschäftsbereich IT, Abt. Netzwerk   fon: +49-30-450.570.155
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
* Alain Zidouemba azidoue...@sourcefire.com:

> Ralf,
>
> We got your FP reports and will address them today.

Thanks :)

But the original question remains in case I need to whitelist a signature.

--
Ralf Hildebrandt                     Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de          Campus Benjamin Franklin
http://www.charite.de                Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk   fon: +49-30-450.570.155
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
-----Original message-----
From: Ralf Hildebrandt ralf.hildebra...@charite.de
Sent: Wed 08-02-2012 00:16
Subject: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
To: clamav-users@lists.clamav.net

> Hi!
>
> I'm trying to disable this signature, since it's giving me FPs for some
> XLS files (yes, I already submitted it as FP today):
>
> mail2:/var/lib/clamav# sigtool --find-sigs=BC.Exploit.CVE_2011_3412
> [0001114551.cbc BYTECODE] BC.Exploit.CVE_2011_3412.{CVE_2011_3412};Engine:56-255,Target:0;(01);0:d0cf11e0a1b11ae1;*:1c000404
>
> mail2:/var/lib/clamav# cat local.ign2
> BC.Exploit.CVE_2011_3412.{CVE_2011_3412}
> BC.Exploit.CVE_2011_3412
> CVE_2011_3412
>
> (I tried 3 different ways of disabling the signature)
>
> I restarted clamd, but still the mails are stopped as infected:
>
> Tue Feb 7 13:33:09 2012 - /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p004: BC.Exploit.CVE_2011_3412(6988ecb2df20c8d0a4f43ccdc4008136:1782277) FOUND
> Tue Feb 7 13:33:09 2012 - /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p002: BC.Exploit.CVE_2011_3412(39fd7b52d5cde9f8599267f1eb0c5aab:1317888) FOUND
>
> What am I doing wrong here?
> Running clamav 0.97.3

It's the same story here. We've had to switch off all bytecode rules in
the conf file. Not ideal.

Cheers
Bill Maidment
IT Consultant to Elgas Ltd
Phone: 02 4294 3649
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
* Bill Maidment b...@maidment.vu:

> > What am I doing wrong here?
> > Running clamav 0.97.3
>
> It's the same story here. We've had to switch off all bytecode rules in
> the conf file. Not ideal.

Sounds like one cannot whitelist a bytecode signature?

--
Ralf Hildebrandt                     Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de          Campus Benjamin Franklin
http://www.charite.de                Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk   fon: +49-30-450.570.155
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
On 02/07/12 15:05, Bill Maidment wrote:
> -----Original message-----
> From: Ralf Hildebrandt ralf.hildebra...@charite.de
> Sent: Wed 08-02-2012 00:16
> Subject: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
> To: clamav-users@lists.clamav.net
>
> > Hi!
> >
> > I'm trying to disable this signature, since it's giving me FPs for some
> > XLS files (yes, I already submitted it as FP today):
> >
> > mail2:/var/lib/clamav# sigtool --find-sigs=BC.Exploit.CVE_2011_3412
> > [0001114551.cbc BYTECODE] BC.Exploit.CVE_2011_3412.{CVE_2011_3412};Engine:56-255,Target:0;(01);0:d0cf11e0a1b11ae1;*:1c000404
> >
> > mail2:/var/lib/clamav# cat local.ign2
> > BC.Exploit.CVE_2011_3412.{CVE_2011_3412}
> > BC.Exploit.CVE_2011_3412
> > CVE_2011_3412
> >
> > (I tried 3 different ways of disabling the signature)
> >
> > I restarted clamd, but still the mails are stopped as infected:
> >
> > Tue Feb 7 13:33:09 2012 - /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p004: BC.Exploit.CVE_2011_3412(6988ecb2df20c8d0a4f43ccdc4008136:1782277) FOUND
> > Tue Feb 7 13:33:09 2012 - /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p002: BC.Exploit.CVE_2011_3412(39fd7b52d5cde9f8599267f1eb0c5aab:1317888) FOUND
> >
> > What am I doing wrong here?
> > Running clamav 0.97.3
>
> It's the same story here. We've had to switch off all bytecode rules in
> the conf file. Not ideal.
>
> Cheers
> Bill Maidment
> IT Consultant to Elgas Ltd
> Phone: 02 4294 3649

The format of local.ign is not very intuitive, IMHO.

INetMsg-SpamDomains-2m.:62019:INetMsg.SpamDomain-2w.onlinehome-server.com

The first entry is the name of the file the definition is in (minus the
file extension). The second is the line number that the definition is on.
And the third is the name of the definition. These fields are separated
by ':' as you can see.

The format apparently was chosen so that if you forgot to delete the
file, no harm will be done when the definition disappears. But one of the
side effects is that a simple update that changes the line number for
that definition will also render the local.ign useless.

It does work and I have used it, but every time I need it, it takes me
more than one try to get it right. Especially since I only use it once
every 3 or 4 months at best and it's case sensitive.

Lyle Giese
LCR Computer Services, Inc.
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
* Lyle Giese l...@lcrcomputer.net:

> The format of local.ign is not very intuitive, IMHO.

It's local.ign2 according to the docs.

Creating signatures for ClamAV
http://www.clamav.net/doc/latest/signatures.pdf

3.8 Whitelist databases

    To whitelist a specific signature from the database you just add its
    name into a local file called -- local.ign2 -- stored inside the
    database directory. You can additionally follow the signature name
    with the MD5 of the entire database entry for this signature, eg:

    Eicar-Test-Signature:bc356bae4c42f19a3de16e333ba3569c

    In such a case, the signature will no longer be whitelisted when its
    entry in the database gets modified (eg. the signature gets updated
    to avoid false alerts).

> INetMsg-SpamDomains-2m.:62019:INetMsg.SpamDomain-2w.onlinehome-server.com
>
> The first entry is the name of the file the definition is in (minus the
> file extension). The second is the line number that the definition is on.
> And the third is the name of the definition. These fields are separated
> by ':' as you can see.

Have you tried that for a bytecode signature?

sigtool --find-sigs=BC.Exploit.CVE_2011_3412

doesn't emit a line number. Fields are not separated with : but with ;

--
Ralf Hildebrandt                     Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de          Campus Benjamin Franklin
http://www.charite.de                Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk   fon: +49-30-450.570.155
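Added example (not ClamAV's code, and not posted by anyone in the thread): a small checker for the two pitfalls the thread turns on, namely local.ign2 lines that carry only the truncated name a scanner log reports instead of the full name sigtool prints, and the `name:md5` form from the docs quoted above that makes a whitelist entry lapse when the signature is updated. It assumes the `[dbfile TYPE] entry` layout of `sigtool --find-sigs` output seen in the thread and that the MD5 covers the whole entry text without a trailing newline; whether the md5 form applies to bytecode entries is not stated in the thread.

```python
# Added example, not ClamAV's own code. Checks local.ign2 lines against the
# names sigtool --find-sigs reports, and builds the "name:md5" whitelist form.
# Assumptions: output lines look like "[<dbfile> <TYPE>] <entry>", and the MD5
# is computed over the whole entry text (after "] ") with no trailing newline.
import hashlib
import re

FIND_SIGS_RE = re.compile(r"^\[(?P<db>\S+) (?P<type>\S+)\] (?P<entry>.+)$")

# Constructed sample: the sigtool output and the three ign2 lines from the thread.
SAMPLE_FIND_SIGS = (
    "[0001114551.cbc BYTECODE] BC.Exploit.CVE_2011_3412.{CVE_2011_3412};"
    "Engine:56-255,Target:0;(01);0:d0cf11e0a1b11ae1;*:1c000404\n"
)
SAMPLE_IGN2 = (
    "BC.Exploit.CVE_2011_3412.{CVE_2011_3412}\n"
    "BC.Exploit.CVE_2011_3412\n"
    "CVE_2011_3412\n"
)


def parse_find_sigs(output):
    """Return {full signature name: (db file, entry text)} from find-sigs output."""
    sigs = {}
    for line in output.splitlines():
        m = FIND_SIGS_RE.match(line.strip())
        if not m:
            continue  # not a "[db TYPE] entry" line
        entry = m.group("entry")
        # In the ';'-separated formats (ndb, ldb, cbc) the first field is the name.
        sigs[entry.split(";", 1)[0]] = (m.group("db"), entry)
    return sigs


def entry_md5(entry):
    return hashlib.md5(entry.encode()).hexdigest()


def ign2_entry(name, entry):
    """'name:md5' form: the whitelist lapses once the database entry changes."""
    return "%s:%s" % (name, entry_md5(entry))


def check_ign2(ign2_text, sigs):
    """Classify each local.ign2 line as ok, stale, partial name, or unknown."""
    report = []
    for raw in ign2_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, _, md5 = line.partition(":")
        if name in sigs:
            # Name matches; a trailing md5 must still match the current entry.
            status = "ok" if not md5 or md5.lower() == entry_md5(sigs[name][1]) else "stale"
        else:
            # Scanner logs drop the '.{...}' suffix, so a line that is only a
            # piece of a known name is the usual mistake.
            hits = [n for n in sigs if name in n]
            status = "partial name, full name is %s" % hits[0] if hits else "unknown"
        report.append((line, status))
    return report


if __name__ == "__main__":
    found = parse_find_sigs(SAMPLE_FIND_SIGS)
    for line, status in check_ign2(SAMPLE_IGN2, found):
        print("%-45s %s" % (line, status))
    for name, (_, entry) in found.items():
        print("self-expiring entry:", ign2_entry(name, entry))
```

Run against a real database directory by feeding it `sigtool --find-sigs=<name>` output and the contents of local.ign2; only lines reported as "ok" name a signature the loader can match.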
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
On Tue, 7 Feb 2012 23:07:05 +0100
Ralf Hildebrandt ralf.hildebra...@charite.de wrote:

> Have you tried that for a bytecode signature?
>
> sigtool --find-sigs=BC.Exploit.CVE_2011_3412
>
> doesn't emit a line number. Fields are not separated with : but with ;

The bytecode loader indeed seems to ignore local.ign2, I'm looking into it.

--
Tomasz Kojm tk...@clamav.net
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Tue Feb 7 23:09:12 CET 2012
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
On 02/07/12 16:07, Ralf Hildebrandt wrote:
> * Lyle Giese l...@lcrcomputer.net:
>
> > The format of local.ign is not very intuitive, IMHO.
>
> It's local.ign2 according to the docs.
>
> Creating signatures for ClamAV
> http://www.clamav.net/doc/latest/signatures.pdf
>
> 3.8 Whitelist databases
>
>     To whitelist a specific signature from the database you just add its
>     name into a local file called -- local.ign2 -- stored inside the
>     database directory. You can additionally follow the signature name
>     with the MD5 of the entire database entry for this signature, eg:
>
>     Eicar-Test-Signature:bc356bae4c42f19a3de16e333ba3569c
>
>     In such a case, the signature will no longer be whitelisted when its
>     entry in the database gets modified (eg. the signature gets updated
>     to avoid false alerts).
>
> > INetMsg-SpamDomains-2m.:62019:INetMsg.SpamDomain-2w.onlinehome-server.com
> >
> > The first entry is the name of the file the definition is in (minus the
> > file extension). The second is the line number that the definition is on.
> > And the third is the name of the definition. These fields are separated
> > by ':' as you can see.
>
> Have you tried that for a bytecode signature?
>
> sigtool --find-sigs=BC.Exploit.CVE_2011_3412
>
> doesn't emit a line number. Fields are not separated with : but with ;

I have never used sigtool. grep/kate/nano or any good editor will let you
search and tell you the line number that you are looking at.

I guess I never used a local.ign2, only local.ign, for bypassing 'bad'
definitions, and I have tested the local.ign files I created to make sure
they do exactly what is needed for my mail system.

Lyle Giese
LCR Computer Services, Inc.
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
On Tue, 07 Feb 2012 23:11:24 +0100
Tomasz Kojm tk...@clamav.net wrote:

> On Tue, 7 Feb 2012 23:07:05 +0100
> Ralf Hildebrandt ralf.hildebra...@charite.de wrote:
>
> > Have you tried that for a bytecode signature?
> >
> > sigtool --find-sigs=BC.Exploit.CVE_2011_3412
> >
> > doesn't emit a line number. Fields are not separated with : but with ;
>
> The bytecode loader indeed seems to ignore local.ign2, I'm looking into it.

The problem is now fixed in the master and 0.97 branches:
http://git.clamav.net/gitweb?p=clamav-devel.git;a=commit;h=4c22459d7a84f4c2c14b5e33ab2dfe4818121801

Thanks,

--
Tomasz Kojm tk...@clamav.net
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Tue Feb 7 23:26:30 CET 2012
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
-----Original message-----
From: Tomasz Kojm tk...@clamav.net
Sent: Wed 08-02-2012 09:29
Subject: Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
To: clamav-users@lists.clamav.net

> On Tue, 07 Feb 2012 23:11:24 +0100
> Tomasz Kojm tk...@clamav.net wrote:
>
> > On Tue, 7 Feb 2012 23:07:05 +0100
> > Ralf Hildebrandt ralf.hildebra...@charite.de wrote:
> >
> > > Have you tried that for a bytecode signature?
> > >
> > > sigtool --find-sigs=BC.Exploit.CVE_2011_3412
> > >
> > > doesn't emit a line number. Fields are not separated with : but with ;
> >
> > The bytecode loader indeed seems to ignore local.ign2, I'm looking into it.
>
> The problem is now fixed in the master and 0.97 branches:

Thanks Tomasz

The patch doesn't line up with 0.97.3 source. Do I have to manually patch that?

[root@stiles clamav-0.97.3]# patch -p1 --dry-run < ../fix.diff
patching file libclamav/readdb.c
Hunk #1 succeeded at 1192 (offset -4 lines).
Hunk #2 FAILED at 1218.
Hunk #3 FAILED at 1388.
Hunk #4 succeeded at 1409 (offset -6 lines).
Hunk #5 FAILED at 1476.
Hunk #6 FAILED at 1484.
Hunk #7 succeeded at 1491 with fuzz 2 (offset -6 lines).
4 out of 7 hunks FAILED -- saving rejects to file libclamav/readdb.c.rej
[root@stiles clamav-0.97.3]#

Cheers
Bill Maidment
IT Consultant to Elgas Ltd
Phone: 02 4294 3649
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
-----Original message-----
From: Bill Maidment b...@maidment.vu
Sent: Wed 08-02-2012 09:53
Subject: Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
To: clamav-users@lists.clamav.net

> -----Original message-----
> From: Tomasz Kojm tk...@clamav.net
> Sent: Wed 08-02-2012 09:29
> Subject: Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
> To: clamav-users@lists.clamav.net
>
> > On Tue, 07 Feb 2012 23:11:24 +0100
> > Tomasz Kojm tk...@clamav.net wrote:
> >
> > > On Tue, 7 Feb 2012 23:07:05 +0100
> > > Ralf Hildebrandt ralf.hildebra...@charite.de wrote:
> > >
> > > > Have you tried that for a bytecode signature?
> > > >
> > > > sigtool --find-sigs=BC.Exploit.CVE_2011_3412
> > > >
> > > > doesn't emit a line number. Fields are not separated with : but with ;
> > >
> > > The bytecode loader indeed seems to ignore local.ign2, I'm looking into it.
> >
> > The problem is now fixed in the master and 0.97 branches:
>
> Thanks Tomasz
>
> The patch doesn't line up with 0.97.3 source. Do I have to manually patch that?

I have manually patched 0.97.3, re-compiled, re-installed and restarted
clamd, but the ign2 file is still being ignored.

[root@stiles clamav]# cat /usr/local/share/clamav/local.ign2
BC.Exploit.CVE_2011_3412
[root@stiles clamav]#

Wed Feb 8 10:49:39 2012 - /var/spool/MIMEDefang/mdefang-q17NnSa7022557/Work/msg-30733-35.xls: BC.Exploit.CVE_2011_3412 FOUND

Cheers
Bill Maidment
IT Consultant to Elgas Ltd
Phone: 02 4294 3649