Re: [clamav-users] Virus not detected by Clamav
Still not recognised.

On Wed, Jun 29, 2011 at 4:00 PM, Mihamina Rakotomandimby miham...@bbs.mg wrote:
> On Wed, 29 Jun 2011 12:45:37 +0300 Henrik K h...@hege.li wrote:
>> So your users receive a lot of legitimate exes?
> Nope, exes are zipped
> -- RMA.

___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [clamav-users] Virus not detected by Clamav
On Wed, 29 Jun 2011 11:24:24 +0200 polloxx poll...@gmail.com wrote:
> Are there other users with the same problem? Any solution?

I have the same problem. I manage a mail server used by a vendor of DHL. Pretty annoying as far as all emails from DHL are sensitive and important for the users :-)
Unfortunately, I have found no solution... yet.

-- RMA.
Re: [clamav-users] Virus not detected by Clamav
On Wed, Jun 29, 2011 at 12:27:46PM +0300, Mihamina Rakotomandimby wrote:
> On Wed, 29 Jun 2011 11:24:24 +0200 polloxx poll...@gmail.com wrote:
>> Are there other users with the same problem? Any solution?
> I have the same problem. I manage a mail server used by a vendor of DHL. Pretty annoying as far as all emails from DHL are sensitive and important for the users :-)
> Unfortunately, I have found no solution... yet.

So your users receive a lot of legitimate exes?

If you are expecting ClamAV to be a 0day magic tool without having lots of other defences (spamassassin etc) and lots of custom rules, then yes, there is no solution.
Re: [clamav-users] Virus not detected by Clamav
On Wed, Jun 29, 2011 at 11:45 AM, Henrik K h...@hege.li wrote:
> On Wed, Jun 29, 2011 at 12:27:46PM +0300, Mihamina Rakotomandimby wrote:
>> On Wed, 29 Jun 2011 11:24:24 +0200 polloxx poll...@gmail.com wrote:
>>> Are there other users with the same problem? Any solution?
>> I have the same problem. I manage a mail server used by a vendor of DHL. Pretty annoying as far as all emails from DHL are sensitive and important for the users :-)
>> Unfortunately, I have found no solution... yet.
>
> So your users receive a lot of legitimate exes?

It was a zip file.

> If you are expecting ClamAV to be a 0day magic tool without having lots of other defences (spamassassin etc) and lots of custom rules, then yes, there is no solution.

The virus was found Monday morning. According to Virus Total 31/41 engines do detect it. Unfortunately Clamav did not.
Re: [clamav-users] Virus not detected by Clamav
On 2011-06-29 13:04, polloxx wrote:
> On Wed, Jun 29, 2011 at 11:45 AM, Henrik K h...@hege.li wrote:
>> On Wed, Jun 29, 2011 at 12:27:46PM +0300, Mihamina Rakotomandimby wrote:
>>> On Wed, 29 Jun 2011 11:24:24 +0200 polloxx poll...@gmail.com wrote:
>>>> Are there other users with the same problem? Any solution?
>>> I have the same problem. I manage a mail server used by a vendor of DHL. Pretty annoying as far as all emails from DHL are sensitive and important for the users :-)
>>> Unfortunately, I have found no solution... yet.
>>
>> So your users receive a lot of legitimate exes?
>
> It was a zip file.

If you don't want to allow executables and archived executables to be sent via e-mail then add these signatures to your dbdir:

$ cat > policy.ndb <<EOF
Policy.NoExecutables:1:*:4d5a{60-300}5045
EOF
$ cat > policy.cdb <<EOF
Policy.Container.NoExecutables:*:*:.+[.]([Ee][Xx][Ee]|[dD][lL][lL]|[Bb][Aa][Tt]|[Cc][Oo][Mm]|[Ll][Nn][Kk]|[Cc][Mm][Dd]|[Jj][Ss]|[Vv][Bb][Ss]):*:*:*:*:*:*
EOF

Best regards,
--Edwin
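What the two policy signatures above actually match, as an added example that is not part of Edwin's post and not ClamAV's own code. It re-implements the two rules in Python so their effect can be tried offline: the `.ndb` line `4d5a{60-300}5045` means "MZ", then 60 to 300 arbitrary bytes, then "PE" (target type 1 restricts it to files ClamAV has identified as PE), and the `.cdb` line matches an archive member's file name with an unanchored regex, the way a POSIX regexec() search does. The zip, its member names and the fake PE images are constructed for the example.

```python
import io
import re
import zipfile
from typing import Dict, List

# Added example (not ClamAV code, not from the post): a small re-implementation of
# what the two policy signatures match, so their effect can be tried offline.

# Policy.NoExecutables:1:*:4d5a{60-300}5045
# target type 1 = PE file, any offset: "MZ", then 60 to 300 arbitrary bytes, then "PE".
NDB_MZ_PE = re.compile(rb"MZ.{60,300}PE", re.DOTALL)

# Policy.Container.NoExecutables:*:*:<regex>:*:*:*:*:*:*
# the fourth field is matched against each archive member's file name;
# like a POSIX regexec() search it is unanchored, so "report.exe.txt" matches too.
CDB_NAME = re.compile(
    r".+[.]([Ee][Xx][Ee]|[dD][lL][lL]|[Bb][Aa][Tt]|[Cc][Oo][Mm]|[Ll][Nn][Kk]|[Cc][Mm][Dd]|[Jj][Ss]|[Vv][Bb][Ss])"
)


def ndb_hit(data: bytes) -> bool:
    """True if the MZ...PE hex signature fires on this file content."""
    return NDB_MZ_PE.search(data) is not None


def fake_pe(gap: int) -> bytes:
    """Constructed stand-in for a PE image: DOS 'MZ' magic, `gap` filler bytes,
    then the 'PE' NT header magic. Real binaries keep this gap well under 300,
    so the 60-300 bound in the signature is what makes it fire on them."""
    return b"MZ" + b"\x00" * gap + b"PE\x00\x00" + b"\x00" * 16


def build_sample_zip() -> bytes:
    """Constructed attachment: one executable, one text file, one double-extension name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("DHL_Notification.exe", fake_pe(120))
        zf.writestr("readme.txt", b"nothing to see here")
        zf.writestr("report.exe.txt", b"plain text with a misleading name")
    return buf.getvalue()


def scan_zip(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Return {member name: [policy signatures that would fire]} for every member."""
    hits: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            fired = []
            if CDB_NAME.search(info.filename):
                fired.append("Policy.Container.NoExecutables")  # .cdb: name-based, before extraction
            if ndb_hit(zf.read(info)):
                fired.append("Policy.NoExecutables")  # .ndb: content-based, on the extracted member
            hits[info.filename] = fired
    return hits


if __name__ == "__main__":
    for name, fired in scan_zip(build_sample_zip()).items():
        print(f"{name}: {', '.join(fired) or 'OK'}")
```

Two things worth seeing in the output: `report.exe.txt` is flagged by the container rule even though it is plain text, because the regex has no `$` anchor, and a renamed executable inside the archive is still caught by the content rule, which in ClamAV only runs on the unpacked member (so archive scanning has to stay enabled). A PE whose DOS stub pushes the NT header more than 300 bytes past "MZ" is not matched by the `.ndb` line at all.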
Re: [clamav-users] Virus not detected by Clamav
On Jun 29, 2011, at 6:04 AM, polloxx wrote:
> On Wed, Jun 29, 2011 at 11:45 AM, Henrik K h...@hege.li wrote:
>> On Wed, Jun 29, 2011 at 12:27:46PM +0300, Mihamina Rakotomandimby wrote:
>>> On Wed, 29 Jun 2011 11:24:24 +0200 polloxx poll...@gmail.com wrote:
>>>> Are there other users with the same problem? Any solution?
>>> I have the same problem. I manage a mail server used by a vendor of DHL. Pretty annoying as far as all emails from DHL are sensitive and important for the users :-)
>>> Unfortunately, I have found no solution... yet.
>>
>> So your users receive a lot of legitimate exes?
>
> It was a zip file.
>
>> If you are expecting ClamAV to be a 0day magic tool without having lots of other defences (spamassassin etc) and lots of custom rules, then yes, there is no solution.
>
> The virus was found Monday morning. According to Virus Total 31/41 engines do detect it. Unfortunately Clamav did not.

winnow.malware and other portions of sanesecurity's distributed unofficial rules will probably detect those.

Tom
Re: [clamav-users] Virus not detected by Clamav
If you have a sample of the file, submitting it through ClamAV's submission interface makes it bubble up so the rule writers can get to it faster. (instead of waiting for it to come through Virustotal)

J

On Jun 29, 2011, at 5:24 AM, polloxx wrote:
> Dear,
> One of our customers got a virus not detected by Clamav: dhl-express-prtcopy-Delivery-Failure-Notification-HXZsVlN[...].exe
> A fake DHL non-delivery report.
> Other engines do detect it:
> BitDefender 7.2 2011.06.27 Trojan.Zbot.1911
> F-Secure 9.0.16440.0 2011.06.27 Trojan.Zbot.1911
> Kaspersky 9.0.0.837 2011.06.27 Trojan-Spy.Win32.Zbot.bpsx
> Sent it to VirusTotal 2 days ago.
> Are there other users with the same problem? Any solution?
> Thx,
> P.
Re: [clamav-users] Virus not detected by Clamav
On Wed, 29 Jun 2011 13:12:30 +0300 Török Edwin articulated:
> On 2011-06-29 13:04, polloxx wrote:
>> On Wed, Jun 29, 2011 at 11:45 AM, Henrik K h...@hege.li wrote:
>>> On Wed, Jun 29, 2011 at 12:27:46PM +0300, Mihamina Rakotomandimby wrote:
>>>> On Wed, 29 Jun 2011 11:24:24 +0200 polloxx poll...@gmail.com wrote:
>>>>> Are there other users with the same problem? Any solution?
>>>> I have the same problem. I manage a mail server used by a vendor of DHL. Pretty annoying as far as all emails from DHL are sensitive and important for the users :-)
>>>> Unfortunately, I have found no solution... yet.
>>>
>>> So your users receive a lot of legitimate exes?
>>
>> It was a zip file.
>
> If you don't want to allow executables and archived executables to be sent via e-mail then add these signatures to your dbdir:
>
> $ cat > policy.ndb <<EOF
> Policy.NoExecutables:1:*:4d5a{60-300}5045
> EOF
> $ cat > policy.cdb <<EOF
> Policy.Container.NoExecutables:*:*:.+[.]([Ee][Xx][Ee]|[dD][lL][lL]|[Bb][Aa][Tt]|[Cc][Oo][Mm]|[Ll][Nn][Kk]|[Cc][Mm][Dd]|[Jj][Ss]|[Vv][Bb][Ss]):*:*:*:*:*:*
> EOF

Seriously! Why not have the user shut down his mail system entirely. That would pretty much ensure that no Virus or Malware is delivered via SMTP. Your suggestion is only feasible if the user never wants to receive any executable or archived file formats. Assuming that they do, a better solution has to be implemented.

-- Jerry ✌ clamav.u...@seibercom.net
Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
__
No matter how cynical you get, it's impossible to keep up.
Re: [clamav-users] Virus not detected by Clamav
On Wed, Jun 29, 2011 at 12:49 PM, Joel Esler jes...@sourcefire.com wrote:
> If you have a sample of the file, submitting it through ClamAV's submission interface makes it bubble up so the rule writers can get to it faster. (instead of waiting for it to come through Virustotal)

Joel, I did that yesterday.
Re: [clamav-users] Virus not detected by Clamav
On Jun 29, 2011, at 7:58 AM, polloxx wrote:
> On Wed, Jun 29, 2011 at 12:49 PM, Joel Esler jes...@sourcefire.com wrote:
>> If you have a sample of the file, submitting it through ClamAV's submission interface makes it bubble up so the rule writers can get to it faster. (instead of waiting for it to come through Virustotal)
>
> Joel, I did that yesterday.

If you are using winnow malware rules (part of sanesecurity's distribution) you can also send a sample to virus_samples at oitc.com. We release temp sigs quickly until the clamav folks provide a formal sig.
Re: [clamav-users] Virus not detected by Clamav
I think he should demand all his money back.

-- Michael Scheidell, CTO SECNAP Network Security

-Original message-
From: Joel Esler jes...@sourcefire.com
To: ClamAV users ML clamav-users@lists.clamav.net
Sent: Wed, Jun 29, 2011 10:50:25 GMT+00:00
Subject: Re: [clamav-users] Virus not detected by Clamav

If you have a sample of the file, submitting it through ClamAV's submission interface makes it bubble up so the rule writers can get to it faster. (instead of waiting for it to come through Virustotal)

J

On Jun 29, 2011, at 5:24 AM, polloxx wrote:
> Dear,
> One of our customers got a virus not detected by Clamav: dhl-express-prtcopy-Delivery-Failure-Notification-HXZsVlN[...].exe
> A fake DHL non-delivery report.
> Other engines do detect it:
> BitDefender 7.2 2011.06.27 Trojan.Zbot.1911
> F-Secure 9.0.16440.0 2011.06.27 Trojan.Zbot.1911
> Kaspersky 9.0.0.837 2011.06.27 Trojan-Spy.Win32.Zbot.bpsx
> Sent it to VirusTotal 2 days ago.
> Are there other users with the same problem? Any solution?
> Thx,
> P.
Re: [clamav-users] Virus not detected by Clamav
On 2011 Jun 29, at 12:49 , Joel Esler wrote:
> If you have a sample of the file, submitting it through ClamAV's submission interface makes it bubble up so the rule writers can get to it faster.

Or if you're lucky and it's the exact same file every time, you can trivially create your own signature using an md5 hash and use that instantly. That's one of the things I particularly like about clamav (and used a couple of times in the past).

-- Jan-Pieter Cornet joh...@xs4all.nl
People are continuously reinventing the flat tyre.
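The hash signature Jan-Pieter describes, as an added example that is not from the post and not ClamAV code. A `.hdb` line has the form `MD5:FileSize:MalwareName` (the same line `sigtool --md5 file` prints); the functions below build one for a file and then check files against a loaded `.hdb` the way the scanner does, requiring both digest and size to agree. The sample bytes and the signature name `Local.Zbot.FakeDHL` are constructed for the example.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Added example, not from the post and not ClamAV code: build and check a ClamAV
# hash signature. A .hdb line is MD5:FileSize:MalwareName (what `sigtool --md5`
# prints). The signature name below is an assumption for illustration.
SIG_NAME = "Local.Zbot.FakeDHL"

# Constructed stand-in for the offending attachment's contents (not a real binary).
SAMPLE = b"MZ" + b"\x90" * 64 + b"PE\x00\x00" + b"constructed sample, not a real binary"


def hdb_line(data: bytes, name: str) -> str:
    """Return the .hdb entry for this exact file: MD5, size in bytes, signature name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def load_hdb(text: str) -> Dict[Tuple[str, int], str]:
    """Parse .hdb text into {(md5, size): name}; blank lines and # comments are skipped."""
    db: Dict[Tuple[str, int], str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(":", 2)
        db[(digest.lower(), int(size))] = name
    return db


def hdb_match(db: Dict[Tuple[str, int], str], data: bytes) -> Optional[str]:
    """Name of the matching signature, or None. Both the digest and the size must agree,
    so any change to the file, even one appended byte, makes the signature miss."""
    return db.get((hashlib.md5(data).hexdigest(), len(data)))


if __name__ == "__main__":
    db = load_hdb(hdb_line(SAMPLE, SIG_NAME))
    print(hdb_line(SAMPLE, SIG_NAME))
    print(hdb_match(db, SAMPLE))            # Local.Zbot.FakeDHL
    print(hdb_match(db, SAMPLE + b"\x00"))  # None
```

Save the line in a file with an `.hdb` extension in DatabaseDirectory; clamd picks it up on its next self-check reload and `clamscan` reads it immediately. Hash the unpacked `.exe`, not the zip around it, since that is the object ClamAV scans after extraction. The limitation is the one the post hints at: the signature covers only that exact byte sequence, so a repacked variant or a freshly generated attachment per recipient gets through.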
Re: [clamav-users] Virus not detected by Clamav
> Seriously! Why not have the user shut down his mail system entirely. That would pretty much ensure that no Virus or Malware is delivered via SMTP. Your suggestion is only feasible if the user never wants to receive any executable or archived file formats. Assuming that they do, a better solution has to be implemented.

btw, I'm assuming not any archived file format, just those containing executables.

For many years now, my (Computer Science) department has not allowed certain executables (MIME types application/x-msdownload and application/x-msdos-program mainly) through our mail system, and have had few problems/complaints with it. Most people seem to easily find other methods (IM transfers, direct connections, posting to a web page) to transfer the few legitimate programs they may need to send.

Not to say that it is appropriate everywhere, just that, FWIW, it can be done occasionally without too much trouble

-- Bryan Burke
IT Administrator
Department of Electrical Engineering and Computer Science
University of Tennessee, Knoxville
bbu...@eecs.utk.edu (865) 974-4694
Re: [clamav-users] Virus not detected by Clamav
On Wed, 29 Jun 2011 12:45:37 +0300 Henrik K h...@hege.li wrote:
> So your users receive a lot of legitimate exes?

Nope, exes are zipped

-- RMA.
Re: [Clamav-users] Virus not detected by clamav
Not detected here either; older clamav versions detect it well.

Linux cubo 2.4.27-2-686 #1 Mon May 16 17:03:22 JST 2005 i686 GNU/Linux
ClamAV 0.87.1/1213/Mon Dec 19 15:48:34 2005

([EMAIL PROTECTED]:~)# clamscan attreg.zip
attreg.zip: OK

([EMAIL PROTECTED]:~)# f-prot -ver
Program version: 4.6.3
Engine version: 3.16.10

([EMAIL PROTECTED]:~)# f-prot attreg.zip
/root/attreg.zip->File-packed_dataInfo.exe Infection: W32/Sober

___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Virus not detected by clamav
On Dec 20, 2005, at 04:40 , Luis Miguel R. wrote:
> Not detected here either; older clamav versions detect it well.

Detection of viruses in a buffer scan isn't working well either, it doesn't recognize most viruses including the ClamAV test viruses that the older versions (pre 0.87) recognize.
SEE: http://www.daleenterprise.com/test.php

> Linux cubo 2.4.27-2-686 #1 Mon May 16 17:03:22 JST 2005 i686 GNU/Linux
> ClamAV 0.87.1/1213/Mon Dec 19 15:48:34 2005
>
> ([EMAIL PROTECTED]:~)# clamscan attreg.zip
> attreg.zip: OK
>
> ([EMAIL PROTECTED]:~)# f-prot -ver
> Program version: 4.6.3
> Engine version: 3.16.10
>
> ([EMAIL PROTECTED]:~)# f-prot attreg.zip
> /root/attreg.zip->File-packed_dataInfo.exe Infection: W32/Sober

Tomasz, I've resolved the crashing issue with libclamav and apache, I have solid code for a PHP extension that has been tested on several OS's without any issues. Do you wish to add this to the contrib ???
SEE: http://www.daleenterprise.com/clamav_info.php

-- Dale
Re: [Clamav-users] Virus not detected by clamav
Hamilton Vera said:
> Hi list,
> Since November, I noticed that clamav 87.1 does not recognize the following virus.
> www.i2.com.br/~hamilton/reg_pass.zip
> So I posted it in http://cgi.clamav.net/sendvirus.cgi, but I got no answer
> NOD32 detects it as Win32/Sober.Y worm, I'd like to know if it is an isolated case.

$ clamdscan reg_pass.zip
/tmp/reg_pass.zip: Worm.Sober.U FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.044 sec (0 m 0 s)

dp
Re: [Clamav-users] Virus not detected by clamav
On Mon, 19 Dec 2005, Hamilton Vera wrote:
; Since November, I noticed that clamav 87.1 does not recognize the following
; virus.
;
; www.i2.com.br/~hamilton/reg_pass.zip
;
; So I posted it in http://cgi.clamav.net/sendvirus.cgi, but I got no answer
;
; NOD32 detects it as Win32/Sober.Y worm, I'd like to know if it is an isolated
; case.

Works fine here with CVS, haven't got 87.1 to hand but I can't see why it would have problems; that signature has been in the database for a while.

% clamscan reg_pass.zip
reg_pass.zip: Worm.Sober.U FOUND

A.
Re: [Clamav-users] Virus not detected by clamav
Hi Dennis, thanks for answering.

What version are you using? I am using an updated 87.1, and I think that this version is not working.

clamd -V
ClamAV 0.87.1

Received signal: wake up
ClamAV update process started at Mon Dec 19 13:51:22 2005
main.cvd is up to date (version: 34, sigs: 39625, f-level: 5, builder: tkojm)
daily.cvd is up to date (version: 1213, sigs: 1844, f-level: 6, builder: diego)

clamdscan reg_pass.zip
/tmp/reg_pass.zip: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 0.294 sec (0 m 0 s)

Thanks!

On Mon, 19 Dec 2005, Dennis Peterson wrote:
> Hamilton Vera said:
>> Hi list,
>> Since November, I noticed that clamav 87.1 does not recognize the following virus.
>> www.i2.com.br/~hamilton/reg_pass.zip
>> So I posted it in http://cgi.clamav.net/sendvirus.cgi, but I got no answer
>> NOD32 detects it as Win32/Sober.Y worm, I'd like to know if it is an isolated case.
>
> $ clamdscan reg_pass.zip
> /tmp/reg_pass.zip: Worm.Sober.U FOUND
>
> --- SCAN SUMMARY ---
> Infected files: 1
> Time: 0.044 sec (0 m 0 s)
>
> dp
Re: [Clamav-users] Virus not detected by clamav
> What version are you using? I am using an updated 87.1, and I think that this version is not working.

my clamscan (87.1/1213) definitely finds it here (Worm.Sober.U).

--
Re: [Clamav-users] Virus not detected by clamav
Hamilton Vera said:
> Hi Dennis, thanks for answering.
> What version are you using? I am using an updated 87.1, and I think that this version is not working.

I'm running v 87.1. Examine your clamd.conf and freshclam.conf files and ensure they agree on where the cvd files are being placed. It often happens they don't. While you're in there, ensure your binaries are looking at the conf files you think they are. It also happens often that a new installation expects to see binaries in a location different from the previous version and this results in conf files in more than one location.

dp

... and resist the urge to top post.
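The check Dennis describes, as an added example that is not part of his message and not a ClamAV tool: parse the `Option value` format of clamd.conf and freshclam.conf, compare their DatabaseDirectory settings, and list which signature files a directory actually holds. The two configuration texts and their paths are constructed for the example; the "Example" line check reflects that both daemons refuse to use a config file that still contains it.

```python
import glob
import os
from typing import Dict, List, Optional

# Added example, not from the post and not part of ClamAV: check that clamd and
# freshclam agree on DatabaseDirectory, the mismatch the message above describes.
# The two config texts are constructed for illustration; the paths are assumptions.
CLAMD_CONF = """\
# clamd.conf (constructed sample)
LogFile /var/log/clamav/clamd.log
DatabaseDirectory /usr/local/share/clamav
LocalSocket /var/run/clamav/clamd.sock
"""

FRESHCLAM_CONF = """\
# freshclam.conf (constructed sample)
DatabaseDirectory /var/lib/clamav
DatabaseMirror database.clamav.net
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Parse the `Option value` format of clamd.conf / freshclam.conf.
    Options may repeat, so every value is kept in order; `#` lines are comments."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts


def check_db_dirs(clamd_text: str, freshclam_text: str) -> Optional[str]:
    """Return a description of the problem, or None when the two files agree."""
    clamd = parse_conf(clamd_text)
    fresh = parse_conf(freshclam_text)
    for label, opts in (("clamd.conf", clamd), ("freshclam.conf", fresh)):
        if "Example" in opts:
            return f"{label} still contains the 'Example' line; the daemon refuses to use it"
    cdir = clamd.get("DatabaseDirectory", [None])[-1]   # last value wins
    fdir = fresh.get("DatabaseDirectory", [None])[-1]
    if cdir is None or fdir is None:
        missing = "clamd.conf" if cdir is None else "freshclam.conf"
        return f"{missing} does not set DatabaseDirectory; it falls back to the compiled-in default"
    if os.path.normpath(cdir) != os.path.normpath(fdir):
        return f"mismatch: clamd loads signatures from {cdir} but freshclam writes them to {fdir}"
    return None


def db_files(directory: str) -> List[str]:
    """Signature databases present in a directory: official .cvd/.cld plus local .ndb/.hdb/.cdb/.ldb."""
    patterns = ("*.cvd", "*.cld", "*.ndb", "*.hdb", "*.cdb", "*.ldb")
    found: List[str] = []
    for pat in patterns:
        found.extend(glob.glob(os.path.join(directory, pat)))
    return sorted(os.path.basename(p) for p in found)


if __name__ == "__main__":
    print(check_db_dirs(CLAMD_CONF, FRESHCLAM_CONF))
    for conf in (CLAMD_CONF, FRESHCLAM_CONF):
        d = parse_conf(conf)["DatabaseDirectory"][-1]
        print(d, db_files(d) or "(no signature files)")
```

Run it against the real files by reading them into `check_db_dirs`; a mismatch reproduces exactly the symptom in this thread, freshclam reporting "up to date" while clamd keeps loading an older database from another directory. Whichever directory clamd uses should contain a current `daily.cvd` (or `daily.cld`) next to `main.cvd`.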
Re: [Clamav-users] Virus not detected by clamav
Hamilton Vera wrote:
> Hi list,
> Since November, I noticed that clamav 87.1 does not recognize the following virus.
> www.i2.com.br/~hamilton/reg_pass.zip

Try the development version:

[EMAIL PROTECTED] ~]$ clamscan reg_pass.zip
reg_pass.zip: Worm.Sober.U FOUND

--- SCAN SUMMARY ---
Known viruses: 41468
Engine version: devel-20051211
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.18 MB
Time: 1.803 sec (0 m 1 s)
[EMAIL PROTECTED] ~]$ clamscan -V
ClamAV devel-20051211/1212/Sun Dec 18 11:09:50 2005
[EMAIL PROTECTED] ~]$

> Thanks in advance
> Hamilton Vera

-- Nigel Horne. Arranger, Adjudicator, Band Trainer, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325 [EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Virus not detected by clamav
On Mon, 19 Dec 2005 13:34:00 -0200 (BRDT) in [EMAIL PROTECTED] Hamilton Vera [EMAIL PROTECTED] wrote:
> NOD32 detects it as Win32/Sober.Y worm, I'd like to know if it is an isolated case.

Don't assume that NOD32 has identified it correctly, other packages have false positives you know.

-- Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] Virus not detected by clamav
Nigel Horne said:
> Hamilton Vera wrote:
>> Hi list,
>> Since November, I noticed that clamav 87.1 does not recognize the following virus.
>> www.i2.com.br/~hamilton/reg_pass.zip
>
> Try the development version:

It would be very nice if future releases of clamd and freshclam printed out the compiled-in path to the config file, say in the -V option, as a way to help debug installation problems. In fact it would be nice to have a command line switch that generates a listing of what is seen and understood by the applications after reading the clamd.conf and freshclam.conf files, as well as where they were found.

dp
Re: [Clamav-users] Virus not detected by clamav
Brian Morrison wrote:
> On Mon, 19 Dec 2005 16:28:47 + in [EMAIL PROTECTED] Nigel Horne [EMAIL PROTECTED] wrote:
>>> www.i2.com.br/~hamilton/reg_pass.zip
>>
>> Try the development version:
>>
>> [EMAIL PROTECTED] ~]$ clamscan reg_pass.zip
>> reg_pass.zip: Worm.Sober.U FOUND
>
> So does that mean a new release is imminent Nigel?

That is out of my hands.

-- Nigel Horne. Arranger, Adjudicator, Band Trainer, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325 [EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Virus not detected by clamav
Brian Morrison wrote:
> On Mon, 19 Dec 2005 16:28:47 + in [EMAIL PROTECTED] Nigel Horne [EMAIL PROTECTED] wrote:
>>> www.i2.com.br/~hamilton/reg_pass.zip
>>
>> Try the development version:
>>
>> [EMAIL PROTECTED] ~]$ clamscan reg_pass.zip
>> reg_pass.zip: Worm.Sober.U FOUND
>
> So does that mean a new release is imminent Nigel?

Standard release:

$ clamscan /u/virus/example/reg_pass.zip
/u/virus/example/reg_pass.zip: Worm.Sober.U FOUND

$ clamscan --version
ClamAV 0.87.1/1213/Mon Dec 19 14:48:34 200

This is bog standard gentoo release.
Re: [Clamav-users] Virus not detected by clamav
Hamilton Vera wrote:
> Hi list,
> Since November, I noticed that clamav 87.1 does not recognize the following virus.
> www.i2.com.br/~hamilton/reg_pass.zip
> So I posted it in http://cgi.clamav.net/sendvirus.cgi, but I got no answer
> NOD32 detects it as Win32/Sober.Y worm, I'd like to know if it is an isolated case.
> Thanks in advance
> Hamilton Vera

I think it takes time for clamav to recognise viruses. I posted once winldra.exe some time ago, but clamav does not detect it yet. McAfee Virus scan detects it as W32/Dumaru.bv

I submitted it to the web site again today.

James
Re: [Clamav-users] Virus not detected by clamav
On Mon, Dec 19, 2005 at 08:39:10AM -0800, Dennis Peterson wrote:
> In fact it would be nice to have a command line switch that generates a listing of what is seen and understood by the applications after reading the clamd.conf and freshclam.conf files, as well as where they were found.

delurk

Postfix's postconf(1) is an excellent model for this:

postconf [no args]: print the entire running config
postconf var-name: print just that variable. -h to omit the 'name=' part.
postconf -d: print the default values of known config variables
postconf -n: print only non-default or explicitly set variables
postconf -e: edit a config variable

There are other options to list supported map types and locking methods that wouldn't be as relevant to a theoretical clamconf(1).

It's scripting-friendly, and gives a standard set of installation info to post to the ML for help. There are plenty of apps I have to deal with that I wish had an equivalent of postconf.

cheers
rob

/delurk
Re: [Clamav-users] Virus not detected by clamav
Rob Chanter said:
> On Mon, Dec 19, 2005 at 08:39:10AM -0800, Dennis Peterson wrote:
>> In fact it would be nice to have a command line switch that generates a listing of what is seen and understood by the applications after reading the clamd.conf and freshclam.conf files, as well as where they were found.
>
> delurk
>
> Postfix's postconf(1) is an excellent model for this:

Yessir - and so too is Jose-Marcio's J-Chkmail helpful in this regard (and is an excellent milter for spam and integrates ClamAV, too). It will even create a new config file from scratch or use elements of your existing config file to create one appropriate for the current version. It even flags obsolete configuration elements.

dp