Re: [clamav-users] Looks like we've gotten a new variant of Emotet getting through...

2020-12-22 Thread Joel Esler (jesler) via clamav-users
Isn’t that literally the opposite of what needs to happen?

On Dec 22, 2020, at 1:27 AM, Brent Clark via clamav-users <clamav-users@lists.clamav.net> wrote:


Hiya

Can you please submit to Sanesecurity too.

https://sanesecurity.com/contact-us/

Regards
Brent

On 2020/12/21 18:44, eric-l...@truenet.com wrote:
I’m going to start posting a few to https://www.clamav.net/reports/malware

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300




___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml




Re: [clamav-users] Looks like we've gotten a new variant of Emotet getting through...

2020-12-21 Thread Brent Clark via clamav-users

Hiya

Can you please submit to Sanesecurity too.

https://sanesecurity.com/contact-us/

Regards
Brent

On 2020/12/21 18:44, eric-l...@truenet.com wrote:


I’m going to start posting a few to https://www.clamav.net/reports/malware

Sincerely,

Eric Tykwinski

TrueNet, Inc.

P: 610-429-8300




Re: [clamav-users] Looks like we've gotten a new variant of Emotet getting through...

2020-12-21 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 21 Dec 2020, eric-l...@truenet.com wrote:


I can however scrub the raws and send a few of those as well.


If you could zip up a few complete emails for me to look at I'd be
most grateful.  If you need to sanitize content in the bodies that's
fine but it would be best for me if you can leave the headers intact.

I've whitelisted your list address for mail to mine.

--

73,
Ged.

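An added example (not list code and not part of ClamAV) of what "sanitize the bodies but leave the headers intact" looks like in practice: a Python script using the standard-library `email` package that replaces every non-attachment text part of a message with a placeholder while re-serialising all headers, the MIME structure and every attachment unchanged, and that records attachment hashes so the recipient can confirm the payload was not altered. The message, host names, addresses, message ID and the attachment bytes are constructed for this example.

```python
"""Scrub the text bodies of a phishing sample before sharing it, keeping every
header and attachment byte-for-byte intact so the delivery path can still be
traced and the payload hashes still line up. Added example, not list code."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

PLACEHOLDER = "[body text removed before sharing; headers and attachments untouched]"

# Constructed stand-in for the Word payload: OLE2 magic plus filler. Not a real
# document and not malicious.
FAKE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24 + b"constructed-placeholder"


def build_sample_eml() -> bytes:
    """Constructed message; hosts, addresses and IDs are made up for the example."""
    msg = EmailMessage()
    msg["Received"] = ("from mail.example.net ([192.0.2.10]) by mx.example.org "
                       "with ESMTP id ABC123; Mon, 21 Dec 2020 10:59:00 -0500")
    msg["From"] = "Alice Example <alice@example.net>"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "RE: invoice"
    msg["Date"] = "Mon, 21 Dec 2020 10:58:00 -0500"
    msg["Message-ID"] = "<20201221155800.12345@mail.example.net>"
    msg.set_content("Hi Bob,\n\nplease see the attached document.\n\n"
                    "> earlier quoted reply text that may be confidential\n")
    msg.add_attachment(FAKE_DOC, maintype="application", subtype="msword",
                       filename="invoice_1221.doc")
    return msg.as_bytes()


def scrub_eml(raw: bytes) -> bytes:
    """Replace every non-attachment text part with PLACEHOLDER.

    Only leaf text/* parts that are not attachments are touched; the envelope
    headers (Received, From, Message-ID, ...), the MIME structure and every
    attachment are re-serialised unchanged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "text" and not part.is_attachment():
            part.set_content(PLACEHOLDER)  # rewrites this body and its CTE, nothing else
    return msg.as_bytes()


def attachment_hashes(raw: bytes) -> list:
    """(filename, sha256, size) for each attachment, to report alongside the sample."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):          # text attachments come back decoded
            data = data.encode("utf-8")
        out.append((part.get_filename(), hashlib.sha256(data).hexdigest(), len(data)))
    return out


def summarize_eml(raw: bytes) -> dict:
    """What a recipient sees: key headers, body texts and attachment hashes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    bodies = [part.get_content() for part in msg.walk()
              if not part.is_multipart()
              and part.get_content_maintype() == "text"
              and not part.is_attachment()]
    return {
        "message_id": str(msg["Message-ID"]),
        "received": str(msg["Received"]),
        "from": str(msg["From"]),
        "bodies": bodies,
        "attachments": attachment_hashes(raw),
    }


if __name__ == "__main__":
    original = build_sample_eml()
    scrubbed = scrub_eml(original)
    print(summarize_eml(scrubbed))
    print(scrubbed.decode())
```

The point of hashing the attachments before and after is that the analyst on the other end can match the scrubbed mail against whatever payload was already uploaded to the sample report form; if the hashes differ, something other than the body text was changed on the way.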


Re: [clamav-users] Looks like we've gotten a new variant of Emotet getting through...

2020-12-21 Thread Arnaud Jacques

Joel,

I would like to see more third party signature providers distribute 
through the signed packages so that every user is getting the signatures 
instead of a few.


Last month I sent a generic sig using 
https://www.clamav.net/reports/signature and AFAIK it is still not 
published.


If you do not publish the signature I created and I gave you, I'd be 
happy to know why.


I have several generic signatures ready to give you if you agree to 
publish them.



--
Cordialement / Best regards,

Arnaud Jacques
Gérant de SecuriteInfo.com

Téléphone : +33-(0)3.60.47.09.81
E-mail : a...@securiteinfo.com
Site web : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
Signatures for ClamAV antivirus : http://ow.ly/LqfdL



Re: [clamav-users] Looks like we've gotten a new variant of Emotet getting through...

2020-12-21 Thread Joel Esler (jesler) via clamav-users


On Dec 21, 2020, at 4:02 PM, eric-l...@truenet.com wrote:

Joel,

I pretty much disagree with this.  90% or greater of what is sent into 
http://clamav.net is covered in less than 24 hours, and to 
a much greater degree.  We don’t aim to cover just the sample you sent in, we 
cover all the variants of that sample at the time, if possible.

I pretty much agree with you there, if it's not you guys getting them right 
away, it'll be a third party signature, like SecuriteInfo, or SaneSecurity, so 
I've got no problems.
Hell, the reason I like ClamAV so much is that it's not a mystery black box, 
and I can write my own signatures if I need to.

The beauty of open source.  Also, it’s free.  So there’s that.

I would like to see more third party signature providers distribute through the 
signed packages so that every user is getting the signatures instead of a few.



Re: [clamav-users] Looks like we've gotten a new variant of Emotet getting through...

2020-12-21 Thread eric-list
Joel,

> I pretty much disagree with this.  90% or greater of what is sent into 
> http://clamav.net is covered in less than 24 hours, and to a much greater 
> degree.  We don’t aim to cover just the sample you sent in, we cover all 
> the variants of that sample at the time, if possible.

I pretty much agree with you there, if it's not you guys getting them right 
away, it'll be a third party signature, like SecuriteInfo, or SaneSecurity, so 
I've got no problems.
Hell, the reason I like ClamAV so much is that it's not a mystery black box, 
and I can write my own signatures if I need to.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300





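Since the thread turns on writing your own signatures versus waiting for official or third-party ones, here is an added example (not ClamAV's code and not from any list participant) that builds the two most common local signature types in Python and checks them offline with a small matcher for the .ndb hex syntax: a .hdb hash record, which only ever catches one exact file, and a generic .ndb body signature with byte wildcards, which also catches a constructed variant that the hash misses. The sample buffers are the public EICAR test string plus two made-up byte strings; the signature names are hypothetical. The matcher covers only the wildcard forms shown (??, *, {n-m} gaps), not the full ClamAV syntax.

```python
"""Build ClamAV .hdb (hash) and .ndb (body) signatures for local samples and
check them offline with a small matcher. Added example, not ClamAV's code."""
import hashlib
import re

# Constructed samples. EICAR is the public AV test string (68 bytes, shipped in
# the official database as Eicar-Test-Signature); VARIANT and CLEAN are made up.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
VARIANT = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-VARIANT-TEST-FILE!$H+H*"
CLEAN = b"Hi Bob, please find the invoice attached. Regards, Alice"


def hdb_line(data: bytes, name: str) -> str:
    """.hdb record MD5:FileSize:MalwareName; same as `sigtool --md5 <file>`."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def hsb_line(data: bytes, name: str) -> str:
    """.hsb record SHA256:FileSize:MalwareName; same as `sigtool --sha256 <file>`."""
    return f"{hashlib.sha256(data).hexdigest()}:{len(data)}:{name}"


def ndb_line(name: str, hexsig: str, target: int = 0, offset: str = "*") -> str:
    """.ndb record MalwareName:TargetType:Offset:HexSignature.
    TargetType 0 = any file type, Offset '*' = anywhere in the file."""
    return f"{name}:{target}:{offset}:{hexsig}"


_TOKEN = re.compile(r"\?\?|\*|\{[^}]*\}|[0-9a-fA-F]{2}")


def hexsig_to_regex(hexsig: str):
    """Translate the subset of ClamAV hex-signature syntax used here into a
    bytes regex: ?? = any one byte, * = any run of bytes, {n} / {n-m} / {n-} /
    {-m} = a gap of that many bytes. Alternatives such as (41|42) are not handled."""
    tokens = _TOKEN.findall(hexsig)
    if "".join(tokens) != hexsig:
        raise ValueError(f"unsupported hex signature syntax: {hexsig}")
    parts = []
    for tok in tokens:
        if tok == "??":
            parts.append(b".")
        elif tok == "*":
            parts.append(b".*?")
        elif tok.startswith("{"):
            lo, sep, hi = tok[1:-1].partition("-")
            if not sep:
                parts.append(b".{%d}" % int(lo))
            else:
                parts.append(b".{%d,%s}" % (int(lo or 0), hi.encode()))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def ndb_matches(line: str, data: bytes) -> bool:
    _name, _target, offset, hexsig = line.split(":")[:4]
    pattern = hexsig_to_regex(hexsig)
    if offset == "*":
        return pattern.search(data) is not None
    if offset.isdigit():                      # absolute offset from file start
        return pattern.match(data, int(offset)) is not None
    raise ValueError(f"offset form not handled here: {offset}")


def hdb_matches(line: str, data: bytes) -> bool:
    digest, size, _name = line.split(":")[:3]
    if size != "*" and int(size) != len(data):  # size check is cheap, do it first
        return False
    return hashlib.md5(data).hexdigest() == digest.lower()


def scan(data: bytes, hdb: list, ndb: list) -> list:
    """Names of every signature that hits, the way clamscan reports FOUND."""
    hits = [line.split(":")[2] for line in hdb if hdb_matches(line, data)]
    hits += [line.split(":")[0] for line in ndb if ndb_matches(line, data)]
    return hits


# One exact-file hash signature and one generic body signature (hypothetical
# names). The body signature reads: "X5", any byte, "!", any run of bytes,
# "EICAR-", a gap of 8 to 30 bytes, "TEST-FILE".
HDB = [hdb_line(EICAR, "Eicar-Test-Signature")]
NDB = [ndb_line("Test.Eicar.Generic", "5835??21*45494341522d{8-30}544553542d46494c45")]

if __name__ == "__main__":
    for label, sample in (("eicar", EICAR), ("variant", VARIANT), ("clean", CLEAN)):
        print(f"{label}: {scan(sample, HDB, NDB) or 'OK'}")
```

To use this against a real sample set, write the lines to local.hdb and local.ndb and run `clamscan -d local.ndb <sample>` (and `clamscan -d local.ndb` over a clean corpus to check for false positives) so that clamscan, not this matcher, has the final say; the offline matcher only exists to iterate on the hex pattern quickly. The contrast the example shows is the one the thread is about: the hash line catches the one file it was made from and nothing else, while the body signature with a gap covers the variant as well.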


Re: [clamav-users] Looks like we've gotten a new variant of Emotet getting through...

2020-12-21 Thread Joel Esler (jesler) via clamav-users
I pretty much disagree with this.  90% or greater of what is sent into 
clamav.net is covered in less than 24 hours, and to a much 
greater degree.  We don’t aim to cover just the sample you sent in, we cover 
all the variants of that sample at the time, if possible.

On Dec 21, 2020, at 3:34 PM, max <m...@sbg.at> wrote:

hi eric,

On 21.12.20 at 17:59, eric-l...@truenet.com wrote:
Sorry to bother, but do you guys want raw emails or just the payload
Word Docs?

I just sent payloads, since they are real emails with responses and a
virus attached.

this is pretty useless as clamav's reporting process is far too slow or
is not made for rapidly changing attack vectors used by emotet (never
saw clamav hits with default signatures enabled on the last big emotet
waves on my side, may be different somewhere else).

for hunting emotet you can report to sanesecurity where steve and his
team are taking care and use their 3rd-party signatures. and/or use
urlhaus (driven by abuse.ch) 3rd-party signatures fed by lots of
(emotet) malware hunters floating around on
https://twitter.com/cryptolaemus1 - all of them doing a great job here.

btw - lots of vulnerable/unpatched wordpress installs involved as
always, may be related to fresh CVE-2020-35489

https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload-vulnerability/

regards
max


I can however scrub the raws and send a few of those as well.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300









Re: [clamav-users] Looks like we've gotten a new variant of Emotet getting through...

2020-12-21 Thread Arnaud Jacques

Hi,

... or you can use SecuriteInfo signatures. The latest Emotet malware 
variants are already detected today.

More information at http://ow.ly/LqfdL


--
Cordialement / Best regards,

Arnaud Jacques
Gérant de SecuriteInfo.com

Téléphone : +33-(0)3.60.47.09.81
E-mail : a...@securiteinfo.com
Site web : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
Signatures for ClamAV antivirus : http://ow.ly/LqfdL



Re: [clamav-users] Looks like we've gotten a new variant of Emotet getting through...

2020-12-21 Thread max
hi eric,

On 21.12.20 at 17:59, eric-l...@truenet.com wrote:
> Sorry to bother, but do you guys want raw emails or just the payload
> Word Docs?
> 
> I just sent payloads, since they are real emails with responses and a
> virus attached.

this is pretty useless as clamav's reporting process is far too slow or
is not made for rapidly changing attack vectors used by emotet (never
saw clamav hits with default signatures enabled on the last big emotet
waves on my side, may be different somewhere else).

for hunting emotet you can report to sanesecurity where steve and his
team are taking care and use their 3rd-party signatures. and/or use
urlhaus (driven by abuse.ch) 3rd-party signatures fed by lots of
(emotet) malware hunters floating around on
https://twitter.com/cryptolaemus1 - all of them doing a great job here.

btw - lots of vulnerable/unpatched wordpress installs involved as
always, may be related to fresh CVE-2020-35489

https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload-vulnerability/

regards
max


> I can however scrub the raws and send a few of those as well.
> 
> Sincerely,
> 
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300




Re: [clamav-users] Looks like we've gotten a new variant of Emotet getting through...

2020-12-21 Thread eric-list
Sorry to bother, but do you guys want raw emails or just the payload Word
Docs?

I just sent payloads, since they are real emails with responses and a virus
attached.

I can however scrub the raws and send a few of those as well.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300



[clamav-users] Looks like we've gotten a new variant of Emotet getting through...

2020-12-21 Thread eric-list
I'm going to start posting a few to https://www.clamav.net/reports/malware

 

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

