[clamav-users] Signature matching email Subject:
Hello there!

I would like to know if it is possible to create a virus signature that matches the subject of a mail message. I tried everything and the signature only matches when the pattern is located in the email body. So, would it be possible to have a signature that matches the subject?

Regards,

Claudio Cuqui

PS: I tested with clamscan -d my.ndb scanning a full message (headers included) in a file.

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
Re: [clamav-users] Signature matching email Subject:
Hello Steve,

First of all, thanks for your prompt answer. It works flawlessly. After some tests I finally found what was wrong with my signatures. I was using sigtool --hex-dump to build my signatures. It took me some time to realize that sigtool was adding \n to my signatures (identified by the 0a character at the end). After removing the 0a from my signatures they "magically" started to work.

Best regards, and, again, thank you for your time and help.

Claudio Cuqui

On 05/23/2014 04:06 PM, Steve Basford wrote:
> On Fri, May 23, 2014 4:25 pm, Claudio Cuqui wrote:
>> Hello there! I would like to know if it is possible to create a virus signature that matches the subject of a mail message. I tried everything and the signature only matches when the pattern is located in the email body.
>
> Something like this...
>
> Spam.Subject.001:4:*:5375626A6563743A{-50}4D617373205370616D205375626A656374
>
> Which will match...
>
> Subject: (any 50 chars)Mass Spam Subject
>
> Cheers,
>
> Steve
> Sanesecurity
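To make Steve's .ndb line and the sigtool newline pitfall concrete, here is an added Python example (not code from the thread, from Sanesecurity or from ClamAV): it builds the signature from a subject string, stripping the trailing newline that `sigtool --hex-dump` keeps, and checks it against a constructed message. The `{-N}` gap matching is a small local re-implementation for illustration; it is an assumption, not libclamav's matcher.

```python
import re

def hex_dump(text: str) -> str:
    """Mimic `sigtool --hex-dump` on piped input: every byte, a trailing newline
    included, becomes two uppercase hex digits."""
    return text.encode().hex().upper()

def ndb_subject_signature(name: str, subject: str, max_gap: int = 50) -> str:
    """Build one .ndb line (Name:TargetType:Offset:HexSig) matching a Subject header.
    Target type 4 is 'mail file' and offset * means anywhere in the file. Any trailing
    newline is stripped first so a hex-dumped 0A never ends up inside the signature."""
    subject = subject.rstrip("\r\n")
    return f"{name}:4:*:{hex_dump('Subject:')}{{-{max_gap}}}{hex_dump(subject)}"

def ndb_to_regex(hexsig: str) -> "re.Pattern[bytes]":
    """Translate the hex part of an .ndb line (hex bytes plus the {-N}, {N-}, {N-M},
    {N} and * gaps) into a byte regex. Local re-implementation for illustration only,
    not libclamav's matcher."""
    parts = []
    for tok in re.findall(r"\{[^}]*\}|\*|[0-9A-Fa-f]{2}", hexsig):
        if tok == "*":
            parts.append(b".*")
        elif tok.startswith("{"):
            lo, dash, hi = tok[1:-1].partition("-")
            lo = lo or "0"              # {-N}  -> .{0,N}
            hi = hi if dash else lo     # {N}   -> .{N,N};  {N-} -> .{N,}
            parts.append(f".{{{lo},{hi}}}".encode())
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def ndb_matches(sig_line: str, raw_message: bytes) -> bool:
    """Check one .ndb line against a raw message file (headers included)."""
    _name, _target, _offset, hexsig = sig_line.split(":", 3)
    return ndb_to_regex(hexsig).search(raw_message) is not None

# Steve's signature from the thread, and a constructed sample message (CRLF line ends).
STEVES_SIG = "Spam.Subject.001:4:*:5375626A6563743A{-50}4D617373205370616D205375626A656374"
SAMPLE_MSG = (b"From: sender@example.invalid\r\n"
              b"Subject: Re: Mass Spam Subject\r\n"
              b"\r\nhello\r\n")
# The same subject as it comes out of `echo ... | sigtool --hex-dump`: trailing 0A kept.
NEWLINE_SIG = "Spam.Subject.bad:4:*:" + hex_dump("Subject:") + "{-50}" + hex_dump("Mass Spam Subject\n")

if __name__ == "__main__":
    print(ndb_subject_signature("Spam.Subject.001", "Mass Spam Subject\n") == STEVES_SIG)  # True
    print(ndb_matches(STEVES_SIG, SAMPLE_MSG))   # True
    print(ndb_matches(NEWLINE_SIG, SAMPLE_MSG))  # False: 0A in the sig, 0D 0A in the mail
```

Note that `{-50}` is a byte gap, not a line-aware one, so the phrase is also matched up to 50 bytes past the header across line breaks; keep the gap as tight as the expected subject prefix allows.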
Re: [clamav-users] Segfaults with database version 26908
Same here, same version, but compiled from source directly, and the same strange message when clamd is restarted:

Starting clamd daemon: LibClamAV Warning: Don't know how to create filter for: Win.Downloader.LNKAgent-10001628-0
LibClamAV Warning: cli_ac_addpatt: cannot use filter for trie

Best Regards,

Claudio Cuqui

On 5/16/23 07:02, Matthias Rieber wrote:
> Hello List,
>
> since the update to version 26908 we observe a high amount of segfaults. As far as I can tell this happens in 0x7fdfd44c377d
>
> We use version 0.103.8+dfsg-0+deb11u1 on debian bullseye.
>
> Has anyone seen this, too?
>
> Best regards,
>
> Matthias

___
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide: https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat
[Clamav-users] How do I whitelist an URL listed by SafeBrowsing in clamav ?
Hi there!

Could anybody tell me how safebrowsing.cld is created/updated? Which databases are used to create it?

I'm asking 'cause there is a client (domain nosdacomunicacao.com) complaining that they are not listed anymore with google (they were listed in stopbadware.org on Sep 8th and Sep 11th) but clamav still recognizes all e-mails containing this URL in the body as Suspect (Safebrowsing.Suspected-malware_safebrowsing.clamav.net FOUND).

How can I whitelist this URL in clamav? I already tried creating a daily.wdb file with:

X:.+www\.nosdacomunicao\.com.+:.+www\.nosdacomunicao\.com.+

and another with

M:www.nosdacomunicacao.com

without success. Any ideas?

PS: Running clamscan with debug enabled I always got:

(when putting X:.+www\.nosdacomunicao\.com.+:.+www\.nosdacomunicao\.com.+ in the daily.wdb file)

LibClamAV debug: Loading regex_list
LibClamAV debug: regex_list: added new suffix /, for regex: .+www\.nosdacomunicao\.com.+:.+www\.nosdacomunicao\.com.+/
LibClamAV debug: /C3Systems/clamav/bin-0.95.1/share/clamav/daily.wdb loaded
...

(when putting M:www.nosdacomunicacao.com in the daily.wdb file)

LibClamAV debug: Loading regex_list
LibClamAV debug: regex_list: added new suffix /moc.oacinumocadson.www, for regex: /moc.oacinumocadson.www
LibClamAV debug: /C3Systems/clamav/bin-0.95.1/share/clamav/daily.wdb loaded
LibClamAV debug: Phishcheck:Checking url http://www.nosdacomunicacao.com/->
LibClamAV debug: Looking up hash 03F186E34BC87B0BC20FD1E7A0B1C723DA587D3590B7810C091F272851D3DA9E for nosdacomunicacao.com/(21)(0)
LibClamAV debug: prefix matched
LibClamAV debug: This hash matched: 03F186E34BC87B0BC20FD1E7A0B1C723DA587D3590B7810C091F272851D3DA9E
LibClamAV debug: Hash matched for: http://www.nosdacomunicacao.com/
LibClamAV debug: Phishcheck: Phishing scan result: Blacklisted
LibClamAV debug: found Possibly Unwanted: Safebrowsing.Suspected-malware_safebrowsing.clamav.net
LibClamAV debug: blobDestroy

Regards!

Claudio Cuqui

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [clamav-users] PUA.PDF.OpenActionObject too broad
Same problem here. Almost all messages that include PDF attachments are triggering this false positive (we have more than 3 million accounts with thousands of lines of clamd logs like this). Would it be possible to remove this signature (or replace it with one with a narrower regexp)?

Regards,

Claudio Cuqui

On 04/24/2011 09:30 AM, Steven Chamberlain wrote:
> On -10/01/37 20:59, Johannes Schulz wrote:
>> "sigtool -fPUA.PDF.OpenActionObject|sigtool --decode-sigs" says:
>>
>> VIRUS NAME: PUA.PDF.OpenActionObject
>> TARGET TYPE: ANY FILE
>> OFFSET: 0
>> DECODED SIGNATURE:
>> %PDF-{WILDCARD_ANY_STRING}obj{WILDCARD_ANY_STRING(LENGTH<=2)}<<{WILDCARD_ANY_STRING}/OpenAction
>
> Hi,
>
> As of today a bunch of old PDFs on my system were also flagged with this. They had been composed in OpenOffice.org Writer and contained:
>
> /OpenAction[1 0 R /XYZ null null 0]
>
> Also due to the same update (daily 13008) I had a ~1MiB PDF document made by ImageMagick flagged by:
>
> VIRUS NAME: PUA.PDF.EmbeddedJS
> TARGET TYPE: ANY FILE
> OFFSET: 0
> DECODED SIGNATURE:
> %PDF-{WILDCARD_ANY_STRING}obj{WILDCARD_ANY_STRING(LENGTH<=2)}<<{WILDCARD_ANY_STRING}/JS
>
> ...because halfway through the file, inside some image data, were the characters "/JS". Surely this is going to cause many false detections? Like maybe 1 in 16 out of all PDFs over 1MiB.
>
> Regards,