[clamav-users] Signature matching email Subject:

2014-05-23 Thread Claudio Cuqui

Hello there!

I would like to know if it is possible to create a virus signature that 
matches the subject of a mail message. I tried everything and the 
signature only matches when the pattern is located in the email body.


So, would it be possible to have a signature that matches the subject?

Regards,

Claudio Cuqui

PS: I tested with clamscan -d my.ndb scanning a full message (headers 
included) in a file.

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml


Re: [clamav-users] Signature matching email Subject:

2014-05-28 Thread Claudio Cuqui

Hello Steve,

First of all, thanks for your prompt answer. It works flawlessly. 
After some tests I finally found what was wrong with my signatures. I 
was using sigtool --hex-dump to build my signatures. It took me some time to 
realize that sigtool was adding \n to my signatures (identified by the 
0a character at the end). After removing the 0a from my signatures they 
"magically" started to work.


Best regards, and, again, thank you for your time and help.

Claudio Cuqui


On 05/23/2014 04:06 PM, Steve Basford wrote:

On Fri, May 23, 2014 4:25 pm, Claudio Cuqui wrote:

Hello there!

I would like to know if it is possible to create a virus signature that
matches the subject of a mail message. I tried everything and the signature
only matches when the pattern is located in the email body.


Something like this...

Spam.Subject.001:4:*:5375626A6563743A{-50}4D617373205370616D205375626A656374

Which will match...

Subject: (any 50 chars)Mass Spam Subject

Cheers,

Steve
Sanesecurity



Re: [clamav-users] Segfaults with database version 26908

2023-05-16 Thread Claudio Cuqui
Same here.. same version, but compiled from source directly.. and 
the same strange message when clamd is restarted:


Starting clamd daemon: LibClamAV Warning: Don't know how to create 
filter for: Win.Downloader.LNKAgent-10001628-0

LibClamAV Warning: cli_ac_addpatt: cannot use filter for trie

Best Regards,

Claudio Cuqui

On 5/16/23 07:02, Matthias Rieber wrote:

Hello List,

Since the update to version 26908 we observe a high number of segfaults.

As far as I can tell this happens in

0x7fdfd44c377d 

We use version 0.103.8+dfsg-0+deb11u1 on debian bullseye.

Has anyone seen this, too?

Best regards,
Matthias
___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


[Clamav-users] How do I whitelist an URL listed by SafeBrowsing in clamav ?

2009-10-28 Thread Claudio Cuqui
Hi there! Could anybody tell me how safebrowsing.cld is created/updated? 
Which databases are used to create it? I'm asking 'cause there is a 
client (domain nosdacomunicacao.com) complaining that they are not 
listed anymore with google (they were listed in stopbadware.org on Sep 
8th and Sep 11th) but clamav still recognizes all e-mails containing this 
URL in the body as Suspect 
(Safebrowsing.Suspected-malware_safebrowsing.clamav.net FOUND).


How can I whitelist this URL in clamav? I already tried creating a 
daily.wdb file with: 
X:.+www\.nosdacomunicao\.com.+:.+www\.nosdacomunicao\.com.+

and another with
M:www.nosdacomunicacao.com

without success. Any ideas?

PS: Running clamscan with debug enabled I always got:

(when putting 
X:.+www\.nosdacomunicao\.com.+:.+www\.nosdacomunicao\.com.+ in daily.wdb 
file)


LibClamAV debug: Loading regex_list
LibClamAV debug: regex_list: added new suffix /, for regex: .+www\.nosdacomunicao\.com.+:.+www\.nosdacomunicao\.com.+/

LibClamAV debug: /C3Systems/clamav/bin-0.95.1/share/clamav/daily.wdb loaded
...
(when putting M:www.nosdacomunicacao.com in daily.wdb file)
LibClamAV debug: Loading regex_list
LibClamAV debug: regex_list: added new suffix /moc.oacinumocadson.www, for regex: /moc.oacinumocadson.www

LibClamAV debug: /C3Systems/clamav/bin-0.95.1/share/clamav/daily.wdb loaded

LibClamAV debug: Phishcheck:Checking url http://www.nosdacomunicacao.com/->
LibClamAV debug: Looking up hash 03F186E34BC87B0BC20FD1E7A0B1C723DA587D3590B7810C091F272851D3DA9E for nosdacomunicacao.com/(21)(0)

LibClamAV debug: prefix matched
LibClamAV debug: This hash matched: 03F186E34BC87B0BC20FD1E7A0B1C723DA587D3590B7810C091F272851D3DA9E

LibClamAV debug: Hash matched for: http://www.nosdacomunicacao.com/
LibClamAV debug: Phishcheck: Phishing scan result: Blacklisted
LibClamAV debug: found Possibly Unwanted: Safebrowsing.Suspected-malware_safebrowsing.clamav.net

LibClamAV debug: blobDestroy

Regards !

Claudio Cuqui

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Re: [clamav-users] PUA.PDF.OpenActionObject too broad

2011-04-25 Thread Claudio Cuqui
Same problem here. Almost all messages that include PDF attachments are 
triggering this false positive (we have more than 3 million accounts 
with thousands of lines of clamd logs like this).


Would it be possible to remove this signature (or replace it with one with 
a narrower regexp)?


Regards,

Claudio Cuqui

On 04/24/2011 09:30 AM, Steven Chamberlain wrote:

On -10/01/37 20:59, Johannes Schulz wrote:

"sigtool -fPUA.PDF.OpenActionObject|sigtool --decode-sigs" says:
VIRUS NAME: PUA.PDF.OpenActionObject
TARGET TYPE: ANY FILE
OFFSET: 0
DECODED SIGNATURE:
%PDF-{WILDCARD_ANY_STRING}obj{WILDCARD_ANY_STRING(LENGTH<=2)}<<{WILDCARD_ANY_STRING}/OpenAction

Hi,

As of today a bunch of old PDFs on my system were also flagged with
this.  They had been composed in OpenOffice.org Writer and contained:

/OpenAction[1 0 R /XYZ null null 0]

Also due to the same update (daily 13008) I had a ~1MiB PDF document
made by ImageMagick flagged by:

VIRUS NAME: PUA.PDF.EmbeddedJS
TARGET TYPE: ANY FILE
OFFSET: 0
DECODED SIGNATURE:
%PDF-{WILDCARD_ANY_STRING}obj{WILDCARD_ANY_STRING(LENGTH<=2)}<<{WILDCARD_ANY_STRING}/JS

...because halfway through the file, inside some image data, were the
characters "/JS".

Surely this is going to cause many false detections?  Like maybe 1 in 16
out of all PDFs over 1MiB.

Regards,


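An added example (my own code, not ClamAV's and not from any poster) that ties together the two signature threads above: it interprets the ndb hex-body syntax of Steve's Spam.Subject.001 line, shows why a signature built from sigtool --hex-dump output with its trailing 0a fails to match a CRLF message until the 0a is removed, and re-expresses the decoded PUA.PDF.OpenActionObject pattern to show that it also hits a benign OpenOffice-style document of the kind Steven describes. The mapping of WILDCARD_ANY_STRING to '*' and WILDCARD_ANY_STRING(LENGTH<=2) to '{-2}', the sample message and the sample PDF are my assumptions and constructions, not taken from the page.

```python
import re
_TOKEN = r'\*|\{-\d+\}|[0-9A-Fa-f]{2}'  # '*' any string, '{-n}' up to n bytes, or one hex byte

def ndb_to_regex(hexsig):
    # Translate an ndb hex body into an equivalent bytes regex.
    if not re.fullmatch(f'(?:{_TOKEN})+', hexsig):
        raise ValueError(f'unsupported signature syntax: {hexsig}')
    parts = []
    for tok in re.findall(_TOKEN, hexsig):
        if tok == '*':
            parts.append(b'.*')
        elif tok.startswith('{-'):
            parts.append(b'.{0,%d}' % int(tok[2:-1]))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b''.join(parts), re.DOTALL)

def matches(ndb_line, data):
    # Name:TargetType:Offset:HexSig; offset '*' means anywhere, a number means that byte offset.
    _, _, off, body = ndb_line.split(':', 3)
    rx = ndb_to_regex(body)
    return (rx.search(data) if off == '*' else rx.match(data, int(off))) is not None

def subject_sig(name, subject, gap=50):
    # Mail signature (target type 4): 'Subject:' followed within `gap` bytes by `subject`.
    return f"{name}:4:*:{b'Subject:'.hex().upper()}{{-{gap}}}{subject.encode().hex().upper()}"

def strip_trailing_newline(ndb_line):
    # Drop the 0a that sigtool --hex-dump appends when its input ended with '\n'.
    return ndb_line[:-2] if ndb_line.lower().endswith('0a') else ndb_line

STEVE_SIG = 'Spam.Subject.001:4:*:5375626A6563743A{-50}4D617373205370616D205375626A656374'
# The same signature as a hex-dump of the line "Mass Spam Subject\n" would produce it.
NEWLINE_SIG = subject_sig('Spam.Subject.001', 'Mass Spam Subject\n')
# Constructed sample message with CRLF line endings (not from the thread).
MAIL = b'From: a@example.test\r\nSubject: Re: Mass Spam Subject\r\n\r\nhello\r\n'
# PUA.PDF.OpenActionObject (any file, offset 0) re-expressed in ndb hex syntax, taking
# WILDCARD_ANY_STRING as '*' and WILDCARD_ANY_STRING(LENGTH<=2) as '{-2}' (assumed mapping).
PDF_OPENACTION = ('PUA.PDF.OpenActionObject:0:0:' + b'%PDF-'.hex() + '*' + b'obj'.hex()
                  + '{-2}' + b'<<'.hex() + '*' + b'/OpenAction'.hex())
# Constructed benign document of the kind Steven describes: a page-open action, no script.
BENIGN_PDF = b'%PDF-1.4\n1 0 obj\n<</Type/Catalog/OpenAction[1 0 R /XYZ null null 0]>>\nendobj\n'

def demo():
    return {
        'steve_sig_matches': matches(STEVE_SIG, MAIL),                                     # True
        'hexdump_sig_with_0a_matches': matches(NEWLINE_SIG, MAIL),                         # False
        'after_stripping_0a_matches': matches(strip_trailing_newline(NEWLINE_SIG), MAIL),  # True
        'openaction_pua_flags_benign_pdf': matches(PDF_OPENACTION, BENIGN_PDF),            # True
    }
```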