Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-06-01 Thread Al Varnell
.(at|be|ca|ch|co\.uk|de|es|fr|ie|in|it|nl|ph|pl|com|com\.(au|cn|hk|my|sg))([/?].*)? -Al- -- Al Varnell Mountain View, CA smime.p7s Description: S/MIME cryptographic signature ___ clamav-users mailing list clamav-users@lists.clamav.net http://lists.c

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-31 Thread Al Varnell
On May 31, 2017, at 11:24 PM, Reindl Harald wrote: > On 01.06.2017 at 03:04, Al Varnell wrote: >> I made an attempt to determine whether epl.paypal-communication.com was a >> legitimate domain owned by PayPal with very mixed results. >> No WhoIs service could identify it d

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-31 Thread Al Varnell
gitimate PayPal message but evidence that the https certificates were issued by the same entity. So at this point I see no reason for ClamAV to do anything about the matter. -Al- On Wed, May 31, 2017 at 03:02 PM, Al Varnell wrote: > > Most of your links check out clean. The one that wa

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-31 Thread Al Varnell
n Wed, May 31, 2017 at 03:51 AM, outre...@epsilon.com wrote: > > Hi Al, > > Thank you for your help with this, it's appreciated. > > Not being a ClamAv user myself, this doesn't make much sense to me though. > Could someone please confirm what this issue is in cl

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-31 Thread Al Varnell
ft.jpg"; > width="5" height="40" alt=""/> > > Many thanks, > > Anne-Sophie > > -Original Message- > From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf > Of Al Varnell > Sent: 31 May 2017 09:0

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-31 Thread Al Varnell
X browsers), so that's not an issue for ClamXav, either. -Al- On Wed, May 31, 2017 at 01:13 AM, Reindl Harald wrote: > > On 31.05.2017 at 10:05, Al Varnell wrote: >> Perhaps they feel the burden is on PayPal to remove the obfuscation being >> used in their links. >

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-31 Thread Al Varnell
e is following up on this, which is very poor. > > Thanks, > > Anne-Sophie > > -Original Message- > From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf > Of Al Varnell > Sent: 31 May 2017 05:05 > To: ClamAV users ML > Cc: cla..

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-05-30 Thread Al Varnell
Did you ever submit those samples as I recommended? It's unlikely that any action will be taken until you do. Most of the people that participate on this list are users and can't do anything but give you advice. Sent from Janet's iPad -Al- On May 19, 2017, at 9:14 AM, "Outreach wrote: > Hi

Re: [clamav-users] Freshclam memory use

2017-05-25 Thread Al Varnell
Have never observed that. From what you have posted it sounds more like there is insufficient RAM to load the resulting ClamAV database, not simply running freshclam. Can you share your freshclam or other log entries that indicate the reason for failure is lack of RAM and at what point the err

Re: [clamav-users] Mail from Paypal wrongly identified as phishing by ClamAv

2017-05-18 Thread Al Varnell
erify that and hence the > "Heuristics.Phishing.Email.SpoofedDomain" should not exist at all or at least > have an option to disable that *and only* that PhishingScanURLs disabled -Al- -- Al Varnell Mountain View, CA

Re: [clamav-users] Mail from Paypal wrongly identified as phishing by ClamAv

2017-05-18 Thread Al Varnell
This can be whitelisted by associating whatever foreign URL is being used within these messages with paypal domains, but you need to submit a sample to so that it can be taken care of. -Al- On Thu, May 18, 2017 at 03:41 AM, outre...@epsilon.com wrote: > > Hel

Re: [clamav-users] WannaCry Homeland Security yara script. False positives?

2017-05-17 Thread Al Varnell
I'm pretty certain that attachments are removed to prevent malware samples from being distributed here. Need a link to a server of some sort, such as PasteBin. Sent from Janet's iPad -Al- -- Al Varnell Mountain View, CA On May 17, 2017, at 2:45 PM, Mark Foley wrote: > Perhaps I

Re: [clamav-users] DNS Caching Problem AGAIN with current.cvd.clamav.net?

2017-05-16 Thread Al Varnell
daily update. That would seem to indicate a problem or delay with updates, rather than a DNS Caching issue. -Al- -- Al Varnell Mountain View, CA On May 16, 2017, at 4:33 AM, Andy Schmidt wrote: > > The same problem had been "fixed" a few weeks ago: > > http://network-tools.

Re: [clamav-users] 18+ hours since last signature

2017-05-15 Thread Al Varnell
Just a note that there were two minor bytecode updates (299 & 300) posted between 10 and 11 AM PDT, so at least that part of the system was in operation twelve hours ago. $ host -t txt current.cvd.clamav.net current.cvd.clamav.net descriptive text "0.99.2:57:23389:1494905340:1:63:45939:300" -A
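The TXT record quoted in the message above is what freshclam itself consults before deciding whether to download anything. The following is an added example (it is not from the message or from the ClamAV project) that parses that record and answers the two questions raised in this thread: which local databases are behind, and how long it has been since anything was published. The field layout is an assumption based on how freshclam uses the record: index 0 is the newest ClamAV release, 1 main.cvd, 2 daily.cvd, 3 a Unix timestamp, 5 the recommended functionality level, 6 safebrowsing.cvd and 7 bytecode.cvd; index 4 is kept but not interpreted.

```python
"""Interpret the current.cvd.clamav.net TXT record the way an operator would.

Added example, not code from the mailing-list message or from ClamAV.
Field layout is an assumption drawn from freshclam's use of the record;
index 4 is not interpreted here.
"""
import datetime
import re
import subprocess
from typing import Dict, List

# The record quoted in the message above, used here as offline input.
SAMPLE_RECORD = "0.99.2:57:23389:1494905340:1:63:45939:300"

FIELD_NAMES = ("clamav", "main", "daily", "timestamp", "field4",
               "flevel", "safebrowsing", "bytecode")


def parse_record(txt: str) -> Dict[str, object]:
    """Split the colon-separated record into named fields (ints except the version)."""
    parts = txt.strip().strip('"').split(":")
    if len(parts) != len(FIELD_NAMES):
        raise ValueError("unexpected TXT record layout: %r" % txt)
    record: Dict[str, object] = {"clamav": parts[0]}
    for name, value in zip(FIELD_NAMES[1:], parts[1:]):
        record[name] = int(value)
    return record


def outdated_databases(record: Dict[str, object],
                       local_versions: Dict[str, int]) -> List[str]:
    """Names of local databases whose version is below the published one."""
    return sorted(name for name, version in local_versions.items()
                  if int(record[name]) > version)


def record_age_hours(record: Dict[str, object], now_ts: int) -> float:
    """Hours since the record's timestamp; a large value means nothing new was published."""
    return (now_ts - int(record["timestamp"])) / 3600.0


def published_at(record: Dict[str, object]) -> str:
    """The timestamp field as an ISO 8601 UTC string."""
    ts = datetime.datetime.fromtimestamp(int(record["timestamp"]),
                                         tz=datetime.timezone.utc)
    return ts.isoformat()


def check(txt: str, local_versions: Dict[str, int], now_ts: int,
          max_age_hours: float = 24.0) -> Dict[str, object]:
    """Summarise one record: publication time, age, staleness and outdated databases."""
    record = parse_record(txt)
    age = record_age_hours(record, now_ts)
    return {
        "published": published_at(record),
        "age_hours": age,
        "stale": age > max_age_hours,
        "outdated": outdated_databases(record, local_versions),
        "latest_clamav": record["clamav"],
    }


def lookup_record() -> str:
    """Live query using the same `host -t txt` command as the message (needs network)."""
    out = subprocess.run(["host", "-t", "txt", "current.cvd.clamav.net"],
                         capture_output=True, text=True, check=True).stdout
    match = re.search(r'"([^"]+)"', out)
    if not match:
        raise RuntimeError("no TXT record in host output: %r" % out)
    return match.group(1)


if __name__ == "__main__":
    now = 1494905340 + 18 * 3600  # pretend it is 18 hours after publication
    print(check(SAMPLE_RECORD, {"main": 57, "daily": 23380, "bytecode": 300}, now))
```

Compare the local versions against the record rather than against the mirror's file timestamps: a mirror that is itself behind will happily serve an old daily.cvd, while the TXT record tells you what should exist.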

Re: [clamav-users] Question about ClamAV

2017-05-11 Thread Al Varnell
to detect other types of email or non-email malware. -Al- > On 11 May 2017 at 14:58, Al Varnell wrote: > >> On Thu, May 11, 2017 at 02:11 AM, crazy thinker wrote: >>> >>> Hi ClamAV Developers, Users >>> >>> SaneSecurity and SecuriteInfo prov

Re: [clamav-users] Question about ClamAV

2017-05-11 Thread Al Varnell
On Thu, May 11, 2017 at 02:11 AM, crazy thinker wrote: > > Hi ClamAV Developers, Users > > SaneSecurity and SecuriteInfo provide better virus signature database > feeds. With help of this, we can increase the ClamAV Engine Detection Rate > up to 80%-90%. I had already integrated ClamAV Engine

Re: [clamav-users] disabling a database

2017-05-11 Thread Al Varnell
Yes, I did not mean to indicate that Spam was the only thing done with UNOFFICIALS, just that I don't believe ClamAV targets Spam. Sent from Janet's iPad -Al- -- Al Varnell Mountain View, CA On May 11, 2017, at 12:03 AM, Steve Basford wrote: > > On Thu, May 11, 2017 6:4

Re: [clamav-users] disabling a database

2017-05-10 Thread Al Varnell
4 PM, crazy thinker wrote: > > @Al > > For Phishing Only, ClamAV uses Heuristics scanning ? > > On 11 May 2017 at 11:10, Al Varnell wrote: > >> I could be wrong, but my impression has always been that ClamAV signatures >> target only Malware and Phishing, while Spam d

Re: [clamav-users] disabling a database

2017-05-10 Thread Al Varnell
I could be wrong, but my impression has always been that ClamAV signatures target only Malware and Phishing, while Spam detection is all done using UNOFFICIAL sigs. Sent from Janet's iPad -Al- -- Al Varnell Mountain View, CA On May 10, 2017, at 10:11 PM, nobs wrote: > Hi, > >

Re: [clamav-users] Question about Heuristic Scanning and Signature Based Scanning

2017-05-10 Thread Al Varnell
I wouldn't know where to start. -Al- On Wed, May 10, 2017 at 03:41 AM, crazy thinker wrote: > > @Al Varnell > Yes, I have plans to rewrite it from scratch.. you willing to join me ?:) > > On 9 May 2017 at 13:08, Al Varnell wrote: > >> On Tue, May 09, 2017 at

Re: [clamav-users] Question about Heuristic Scanning and Signature Based Scanning

2017-05-09 Thread Al Varnell
hishing attempts. > Can I > Increase Heuristic Scan Engine Count ? I suspect you would have to write your own. -Al- > On 9 May 2017 at 12:21, Al Varnell wrote: > >> I already answered most of these questions before and after reading "My >> Understanding"

Re: [clamav-users] Question about Heuristic Scanning and Signature Based Scanning

2017-05-08 Thread Al Varnell
> Thanks, > Crazy Thinker, Inc

Re: [clamav-users] Signature update timeliness

2017-05-05 Thread Al Varnell
On Fri, May 05, 2017 at 10:14 AM, Mark Foley wrote: > I have a question about the timeliness of signature updates. I am running a > clamav-milter to check email when received by the MDA -- this rarely finds > anything. I also have clamscan running multiple times a day checking all the > Maildir fol

Re: [clamav-users] Information on Signature

2017-05-05 Thread Al Varnell
It was dropped from the database in daily - 23331 on Apr 25, so ignore it. -Al- On Fri, May 05, 2017 at 03:49 AM, Stephan Fourie wrote: > > Hi everyone, > > Can anyone give me more information about what the following ClamAV signature > looks for: Email.Phishing.VOF2-6295380-0 > > I've tried

Re: [clamav-users] Artificial Intelligence Based Anti-Virus

2017-05-05 Thread Al Varnell
database? Among others. If you are interested in knowing about all the other types you should read signatures.pdf <https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf>. -Al- > On 5 May 2017 at 14:31, Al Varnell wrote: >> All of the "Heuristics" signa

Re: [clamav-users] Artificial Intelligence Based Anti-Virus

2017-05-05 Thread Al Varnell
All of the "Heuristics" signatures could be considered AI. -Al- On Fri, May 05, 2017 at 01:37 AM, crazy thinker wrote: > > Hi ClamAV Developers, Users, > > I have heard that Artificial Intelligence Based Anti-Virus provides more > security than others.. is it really true? is there any AI based

Re: [clamav-users] Custom database

2017-05-05 Thread Al Varnell
From "signatures.pdf" para 3.1.3: > The easiest way to generate MD5 based section signatures is to extract target > PE sections into separate files and then run sigtool with the option --mdb -Al- On Fri, May 05, 2017 at 12:47 AM, Abdullah AL-Mutairy wrote: > > Hello everyone! > > I'm having a

Re: [clamav-users] Different results: Clamscan vs ClamWin

2017-05-03 Thread Al Varnell
Not sure what you mean by "MD5 match" but the signature is a complex logical one, not a hash: > $ sigtool --find Win.Dropper.Gephys-6117417-0|sigtool --decode-sig > VIRUS NAME: Win.Dropper.Gephys-6117417-0 > TDB: Engine:51-255,Target:1 > LOGICAL EXPRESSION: 0&1&2&3&4&5&6&7&8&9 > * SUBSIG ID 0 >

Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

2017-05-02 Thread Al Varnell
+-> TRIGGER: 0&1 > +-> REGEX: \x2fSubFilter(.{0,50})\x2fadbe\x2e(.{1,20})\x2fType\s*\x2fSig > +-> CFLAGS: sm -Al- On Tue, May 02, 2017 at 12:38 AM, Al Varnell wrote: > > It never appeared on a daily as being dropped, but when I checked on Saturday > and
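The two `sigtool --decode-sigs` outputs quoted in the messages above (a logical expression over numbered subsignatures, and a PCRE subsignature with its own trigger and flags) are easier to reason about with a small evaluator in hand. The following is an added example, not ClamAV's code: it evaluates a logical expression with `&`, `|` and parentheses (ClamAV's match-count comparisons such as `0>5` are not implemented), matches hex subsignatures with `??` and nibble wildcards, and runs a PCRE subsignature only when its trigger is satisfied. The sample signature is hypothetical: subsignatures 0 and 1 are assumed byte patterns for `%PDF` and `/Type`, and only the regex subsignature is taken from the decoded output above. The PDF fragment is constructed and is not an exploit.

```python
"""Evaluate a ClamAV-style logical signature (.ldb line) against a byte buffer.

Added example, not ClamAV's code. Supports &, | and parentheses in logical
expressions, hex subsignatures with ?? / nibble wildcards, and PCRE
subsignatures of the form Trigger/regex/flags (regex escapes "/" as \x2f
because "/" is the delimiter). Other ClamAV syntax raises ValueError.
"""
import re
from typing import Dict

PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE}


def eval_logical(expr: str, hits: Dict[int, int]) -> bool:
    """Recursive descent; & binds tighter than | (assumption: use explicit parentheses)."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError("unsupported logical expression: %r" % expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def atom() -> bool:
        tok = take()
        if tok == "(":
            value = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            return value
        if tok is None or not tok.isdigit():
            raise ValueError("unexpected token %r in %r" % (tok, expr))
        return hits.get(int(tok), 0) > 0

    def and_expr() -> bool:
        value = atom()
        while peek() == "&":
            take()
            value = atom() and value  # always consume the operand, no short-circuit
        return value

    def or_expr() -> bool:
        value = and_expr()
        while peek() == "|":
            take()
            value = and_expr() or value
        return value

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result


def hex_to_regex(hexsig: str) -> bytes:
    """Hex string with ?? (any byte) or x?/?x (nibble) wildcards -> bytes regex."""
    if len(hexsig) % 2 or not re.fullmatch(r"[0-9a-fA-F?]+", hexsig):
        raise ValueError("unsupported hex subsignature: %r" % hexsig)
    out = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        if pair == "??":
            out.append(b".")
        elif pair[1] == "?":
            out.append(("[\\x%s0-\\x%sf]" % (pair[0], pair[0])).encode())
        elif pair[0] == "?":
            out.append(("[" + "".join("\\x%x%s" % (h, pair[1]) for h in range(16)) + "]").encode())
        else:
            out.append(b"\\x" + pair.encode())
    return b"".join(out)


class LogicalSignature:
    def __init__(self, ldb_line: str) -> None:
        fields = ldb_line.strip().split(";")  # name;TDB;expression;subsig0;subsig1;...
        if len(fields) < 4:
            raise ValueError("ldb line needs name;tdb;expr;subsig...")
        self.name, self.tdb, self.expr = fields[0], fields[1], fields[2]
        self.subsigs = fields[3:]

    def _subsig_hits(self, data: bytes) -> Dict[int, int]:
        hits: Dict[int, int] = {}
        for idx, sub in enumerate(self.subsigs):
            if "/" not in sub:  # plain hex subsignature
                hits[idx] = len(re.findall(hex_to_regex(sub), data, re.DOTALL))
                continue
            trigger, _, rest = sub.partition("/")
            if "/" not in rest:
                raise ValueError("PCRE subsig needs Trigger/regex/flags: %r" % sub)
            pattern, _, flagstr = rest.rpartition("/")
            if not eval_logical(trigger, hits):  # trigger may only name earlier subsigs
                hits[idx] = 0
                continue
            flags = 0
            for f in flagstr:
                flags |= PCRE_FLAGS.get(f, 0)  # other ClamAV PCRE flags are ignored here
            hits[idx] = len(re.findall(pattern.encode(), data, flags))
        return hits

    def matches(self, data: bytes) -> bool:
        return eval_logical(self.expr, self._subsig_hits(data))


# Hypothetical signature: subsigs 0 (%PDF) and 1 (/Type) are assumptions; subsig 2 is the
# PCRE subsignature with TRIGGER 0&1, REGEX and CFLAGS sm as decoded in the message above.
SAMPLE_LDB = (
    "Example.Pdf.SigDict-1;Engine:51-255,Target:0;0&1&2;"
    "25504446;2f54797065;"
    r"0&1/\x2fSubFilter(.{0,50})\x2fadbe\x2e(.{1,20})\x2fType\s*\x2fSig/sm"
)

# Constructed PDF fragment containing a signature dictionary (not an exploit).
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached "
              b"/Type /Sig /Contents <00> >>\nendobj\n")

if __name__ == "__main__":
    sig = LogicalSignature(SAMPLE_LDB)
    print(sig.name, sig.matches(SAMPLE_PDF), sig.matches(b"%PDF-1.7 plain document"))
```

The trigger matters for performance as much as for logic: ClamAV only runs the PCRE once the cheaper pattern subsignatures named in the trigger have already hit, which is why `sigtool --decode-sigs` prints the trigger alongside the regex.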

Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

2017-05-02 Thread Al Varnell
>>>> Giuseppe

Re: [clamav-users] disabling a database

2017-05-01 Thread Al Varnell
Since your issue appears to be with Unofficials, it would be better to contact SaneSecurity directly, since Cisco/ClamAV has no responsibility for them. -Al- On Mon, May 01, 2017 at 09:30 AM, nobswolf wrote: > > Hello, > > I just added virus support by Cl

Re: [clamav-users] Detected Email.Phishing.VOF1-6295284-0 in several emails - False positive??

2017-04-24 Thread Al Varnell
And Email.Phishing.VOF1-6295446-0 was dropped in daily 23325, so after running freshclam you should not be seeing either of these. -Al- On Mon, Apr 24, 2017 at 03:59 AM, Gene Heskett wrote: > > On Monday 24 April 2017 04:57:37 D&R wrote: > >> This was detected on Friday night and one email was

Re: [clamav-users] Signature analysis

2017-04-24 Thread Al Varnell
Use: sigtool --find Non-hash signatures can be further interpreted using: sigtool --find |sigtool --decode-sigs Some of the newer signature formats are not fully decoded and I've been told that ByteCode signature results do not completely describe them. -Al- On Mon, Apr 24, 2017 at 02:25 AM,

Re: [clamav-users] Detected Email.Phishing.VOF1-6295284-0 in several emails - False positive??

2017-04-24 Thread Al Varnell
I guess you must have missed that discussion here beginning on Friday. That signature was dropped in daily 23321. -Al- On Mon, Apr 24, 2017 at 01:57 AM, D&R wrote: > > This was detected on Friday night and one email was dated in 2012. > > Previous week's scan was clean. > > Could this be a fa

Re: [clamav-users] Another possible FP?

2017-04-23 Thread Al Varnell
-Al- -- Al Varnell Mountain View, CA

Re: [clamav-users] Another possible FP?

2017-04-23 Thread Al Varnell
and report back with hash. -Al- On Apr 23, 2017, at 11:16 AM, ad...@web-envy.com wrote: > I can confirm that today I did not get any of these FPs, however I am > getting a bunch of these instead. A lot of them are on older email messages > that look like normal

Re: [clamav-users] Another possible FP?

2017-04-22 Thread Al Varnell
Always pays to upload a sample or two so they have something to go on and include the hash value for that submission here. -Al- On Apr 22, 2017, at 9:19 PM, Gene Heskett wrote: > On Saturday 22 April 2017 07:55:45 Alain Zidouemba wrote: > >> Thanks for reporting, we'll tweak the signature. >

Re: [clamav-users] Another possible FP?

2017-04-21 Thread Al Varnell
Confirming that I am getting similar results after a quick update. I uploaded one message to the FP site which just happens to be a Security Update notice from Apple: 7ed54ef4cff55f1750f74b5a439f2605:8257:172003.emlx -Al- On Apr 21, 2017, at 10:25 PM, Gene Heskett wrote: > Greetings; > > In

Re: [clamav-users] ClamAV for EnterPrise

2017-04-19 Thread Al Varnell
<http://www.clamav.net/reports/signature>. I seriously doubt that ClamAV will provide open inclusion of such signatures without having an opportunity to check each one for format and then run them against their Quality Control database in an attempt to redu

Re: [clamav-users] ClamAV for EnterPrise

2017-04-18 Thread Al Varnell
Honestly, I don't see anything impolite about what Mr. Haywood had to say. Certainly seems to be great guidance from somebody that's been in the industry for over four decades. I believe you would be well served to take his advice seriously. -Al- On Tue, Apr 18, 2017 at 10:16 PM, crazy thinker

Re: [clamav-users] ClamAV for EnterPrise

2017-04-18 Thread Al Varnell
As we've discussed before, ClamAV provides Anti-Malware protection across Apple, Windows and Linux hardware. You will have to look elsewhere for all those other features you require. -Al- On Tue, Apr 18, 2017 at 03:44 AM, crazy thinker wrote: > > - > - I am looking for below features in E

Re: [clamav-users] ClamAV for EnterPrise

2017-04-18 Thread Al Varnell
To avoid having each workstation having to update definitions over the internet you will probably want to setup a Private Local Mirror. See . -Al- -- ClamXav User On Tue, Apr 18, 2017 at 03:28 AM, crazy thinker wrote: > > Hi ClamAV Develo

Re: [clamav-users] Sporadic signature frequency

2017-04-13 Thread Al Varnell
Actually, they have been coming every 8 hours since 8 March. It was 6 hours on 7 March and 4 hours before that. -Al- On Thu, Apr 13, 2017 at 07:09 PM, Alain Zidouemba wrote: > > They come out every 6h. > > -Alain > >> On Apr 13, 2017, at 9:57 PM, Rafael Ferreira wrote: >> >> Hey folks, I've

Re: [clamav-users] Question about .cvd files

2017-04-13 Thread Al Varnell
Modifying those databases will invalidate their code signing so you would also have to modify the scanning software to ignore security, which would be difficult at best and obviously not a good idea. You would also have to filter out all the non-windows signatures every time there is an update

Re: [clamav-users] Question have an about LibClamAV.dll

2017-04-10 Thread Al Varnell
On Apr 10, 2017, at 3:13 AM, Shanmugam, Suresh (Conduent) wrote: > Hi Developers, This is the user list. If you have questions for developers you should be asking them on that list <http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-devel> -Al- -- Al Varnell Mountain

Re: [clamav-users] Question about detection of malware types

2017-04-10 Thread Al Varnell
ware* > *11.browser hijacker* <http://www.clamav.net> "ClamAV® is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats." -Al- -- Al Varnell Mountain View, CA ___ clamav-users mailing lis

Re: [clamav-users] Win.Exploit.CVE_2016_3301-6210129-0 detected. Could this be a false positive?

2017-04-09 Thread Al Varnell
; > Hello, > > It is not getting detected by McAfee which is already installed in Windows > Platform in our setup. Now, I can not share the document due to technical > contents. Now, how to prove that, yes, it is really contains a vulnerability. Win.Exploit.CVE_2016_3301-621012

Re: [clamav-users] Win.Exploit.CVE_2016_3301-6210129-0 detected. Could this be a false positive?

2017-04-08 Thread Al Varnell
-3301 can be found at <https://nvd.nist.gov/vuln/detail/CVE-2016-3301>. After that I think you are on your own to decide. -Al- -- Al Varnell Mountain View, CA ClamXav user

Re: [clamav-users] Java.Malware fps

2017-04-07 Thread Al Varnell
ither of those MD5's show any hits when they were uploaded to VirusTotal several months/years ago. <https://www.virustotal.com/en/file/ab1bf4a533ff3b17825f7242afd0989d4d42af4426ca88757ad3d5bcf9013cb9/analysis/> <https://www.virustotal.com/en/file/fa95c5237a36d46b31e007690dc68ebc040

Re: [clamav-users] how to avoid false positive in clamAV

2017-04-05 Thread Al Varnell
Not sure where on the internet you found these instructions, but I believe they are old. The new way is to use the ".ign2" extension containing for signatures to be completely ignored and an ".fp" file with :: for individual files to be ignored so that the signature will still pick up any actu

Re: [clamav-users] False Positive of IObit product by ClamAV

2017-03-31 Thread Al Varnell
5:24352:Win.Trojan.Agent-5776271-0:73 Added by daily - 23037 on Feb 10, 2017. -Al- -- Al Varnell Mountain View, CA

Re: [clamav-users] False Positive of IObit product by ClamAV

2017-03-31 Thread Al Varnell
Coco You will need to upload at least one of those to in order for an investigation to be opened. -Al- On Fri, Mar 31, 2017 at 12:44 AM, Arnaud Jacques / SecuriteInfo.com wrote: > > Received this message : > > -- Message transmis -- > > Ob

Re: [clamav-users] Heuristics.Filetype.ZipWithJS

2017-03-28 Thread Al Varnell
his change. Sent from Janet's iPad -Al- -- Al Varnell Mountain View, CA On Mar 28, 2017, at 5:23 AM, Reindl Harald wrote: > Heuristics are *not* signatures

Re: [clamav-users] Reporting malware/false negatives

2017-03-21 Thread Al Varnell
Actually, they still give their macOS/OS X product away for free. Sent from Janet's iPad -Al- On Mar 21, 2017, at 6:22 PM, "Joel Esler (jesler)" wrote: >> I don't even bother reporting them to sophos, et al because it's >> sometimes days before they're added. I was expecting better from >> clama

Re: [clamav-users] Html.Exploit.CVE_2017_0141-6003839-0 FP's

2017-03-16 Thread Al Varnell
. -Al- On Thu, Mar 16, 2017 at 07:30 AM, Christopher Marczewski wrote: > > Al, > > Thanks for the report. In the interim, I'll pass that link along so we can > get a fix in as soon as possible. > > On Wed, Mar 15, 2017 at 10:55 PM, Al Varnell wrote: >> There have now

[clamav-users] Html.Exploit.CVE_2017_0141-6003839-0 FP's

2017-03-15 Thread Al Varnell
s7p/infected_files_in_postman_resource_directory/> involving a variety of different files and have encouraged them to submit them as ClamAV False Positive. -Al- -- Al Varnell Mountain View, CA

Re: [clamav-users] (no subject)

2017-03-09 Thread Al Varnell
You must do that for yourself near the bottom of this page: . -Al- On Thu, Mar 09, 2017 at 08:04 AM, bijan gilani wrote: > > Please take me off of your list. Unsubscribe me. > > Bijan Gilani

Re: [clamav-users] ClamWin Portable DLL Hijack

2017-03-09 Thread Al Varnell
Or is it based on older versions, like most of the items contained in those documents? I suspect that the ClamWin developers are the only ones that can tell us what has been or will be done about it. -Al- On Thu, Mar 09, 2017 at 03:03 AM, Groach wrote: > > So what are we saying? > > Clamwin

Re: [clamav-users] Daily 23161 broke Clam

2017-03-08 Thread Al Varnell

Re: [clamav-users] FP with Java.Exploit.CVE_2012_1723-8

2017-03-08 Thread Al Varnell
On Wed, Mar 08, 2017 at 01:11 AM, Sergio Fernandez wrote: > > Unsubscribe You need to do that yourself near the bottom of -Al-

Re: [clamav-users] Txt.Exploit.CVE_2017_0007-5839723-0 FOUND

2017-02-20 Thread Al Varnell
First some background info. The definition was added recently by daily - 23071, Feb 15, 2017, so that explains why you are just now seeing it. It's looking for the following ASCII string in an ASCII Text document: begin_signature block{WILDCARD_ANY_STRING(LENGTH<=100)}miia4ayjkozihvcnaqccoiia0

Re: [clamav-users] SpoofedDomain FOUND

2017-02-17 Thread Al Varnell
It's possible for ClamAV to fix that by providing an update record which would whitelist that particular match for PayPal. Normally you would just have to upload the message to ClamAV's False Positive page with an explanation, but in this case, since it's embedded in that Thunderbird mailbox. Th

Re: [clamav-users] Javascript file not recognized

2017-02-16 Thread Al Varnell
Thanks for the response. For whatever reason I didn't receive that. -Al- On Thu, Feb 16, 2017 at 02:22 PM, Dennis Peterson wrote: > > It was resent as text in the next message body. > > dp

Re: [clamav-users] Javascript file not recognized

2017-02-16 Thread Al Varnell
I thought attachments were removed for that reason. I know the subscription instructions make it very clear not to submit samples . There was no attachment on the e-mail I received, did you get it? -Al- On Thu, Feb 16, 2017 at 12:0

Re: [clamav-users] Can't download daily.cvd

2017-02-16 Thread Al Varnell
abase.clamav.net (IP: > 69.163.100.14): Operation already in progress > ERROR: Can't download daily.cvd from database.clamav.net > Giving up on database.clamav.net... > Update failed. Your network may be down or none of the mirrors listed in >

Re: [clamav-users] SpoofedDomain FOUND

2017-02-15 Thread Al Varnell
Ellan, I'm afraid it's going to be more trouble than it's worth. You will need to turn debugging on when you scan that mailbox which will produce a huge amount of output, but includes details about exactly what was found. You would then need to search that mailbox in Thunderbird for the offendi

Re: [clamav-users] How to determine false-v-real FOUND

2017-02-10 Thread Al Varnell
call 911 for >> anything that ClamAV finds on a Linux box. If you exercise reasonable >> care, you can probably forget about scanning Linux systems with ClamAV >> unless you're using the systems to store data from Windows boxes, and >> in that case you'll need a lo

Re: [clamav-users] How to determine false-v-real FOUND

2017-02-09 Thread Al Varnell
$ sigtool --find Win.Trojan.Agent-793284 [main.mdb] 28672:f380d36c6d636f50392e83fb58fb8a59:Win.Trojan.Agent-793284 Since it's in the main database, it's relatively old. It's looking for a file of size 28672 with the MD5 hash shown. If it had been a more complex signature, then sigtool --find |s
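The message above reads a hash signature straight out of `sigtool --find`, and an earlier message on this page (the one on avoiding false positives) describes the `.ign2` and `.fp` files that suppress such signatures locally. The following is an added example, not ClamAV's code, that ties the two together: it parses `.hdb`/`.hsb` (hash:size:name), `.mdb`/`.msb` (size:hash:name, a hash of one PE section), `.fp` (hash:size:name, files that must never be reported) and `.ign2` (signature names to drop), and scans a constructed sample under each. PE section extraction is out of scope, so the caller passes section bytes; a size of `*` is accepted as "any size" without reproducing ClamAV's functionality-level gate. The `main.mdb` line is the one quoted above; every other signature line and all sample data are constructed here.

```python
"""Minimal matcher for ClamAV hash-based signature files and their .fp/.ign2 overrides.

Added example, not ClamAV's code. Field order follows signatures.pdf:
  .hdb/.hsb  hash:size:name   .mdb/.msb  size:hash:name   .fp  hash:size:name   .ign2  name
PE parsing is not implemented; section bytes are supplied by the caller.
"""
import hashlib
from typing import List, Optional, Sequence, Tuple

DIGEST_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
Entry = Tuple[str, Optional[int], str]  # (hex digest, size or None for "*", name)


def parse_db(text: str, ext: str) -> List[Entry]:
    """Parse signature lines; `ext` selects the field order."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first, second, name = line.split(":", 2)
        if ext in ("hdb", "hsb", "fp"):
            digest, size = first, second
        elif ext in ("mdb", "msb"):
            size, digest = first, second
        else:
            raise ValueError("unsupported database extension: " + ext)
        digest = digest.lower()
        if len(digest) not in DIGEST_BY_LEN or set(digest) - set("0123456789abcdef"):
            raise ValueError("bad digest in line: " + line)
        entries.append((digest, None if size == "*" else int(size), name))
    return entries


def hash_matches(data: bytes, digest: str, size: Optional[int]) -> bool:
    """Cheap length check first, then the digest implied by the hex length."""
    if size is not None and len(data) != size:
        return False
    return hashlib.new(DIGEST_BY_LEN[len(digest)], data).hexdigest() == digest


def fp_entry(data: bytes, name: str) -> str:
    """The md5:size:name line used on this list when reporting a sample or whitelisting it."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


class HashScanner:
    def __init__(self, hdb: str = "", mdb: str = "", fp: str = "", ign2: str = "") -> None:
        self.file_sigs = parse_db(hdb, "hdb")
        self.section_sigs = parse_db(mdb, "mdb")
        self.whitelist = parse_db(fp, "fp")
        self.ignored = {l.strip() for l in ign2.splitlines() if l.strip()}

    def scan(self, data: bytes, sections: Sequence[bytes] = ()) -> Optional[str]:
        """Return the first matching signature name, or None."""
        if any(hash_matches(data, d, s) for d, s, _ in self.whitelist):
            return None  # .fp: this exact file is known-clean, skip every signature
        for digest, size, name in self.file_sigs:
            if name not in self.ignored and hash_matches(data, digest, size):
                return name
        for section in sections:
            for digest, size, name in self.section_sigs:
                if name not in self.ignored and hash_matches(section, digest, size):
                    return name
        return None


# Constructed sample data and hypothetical signature names.
SAMPLE = b"constructed sample, not real malware\n" * 4
SAMPLE_SECTION = b"\x90" * 64 + b"constructed .text section"
LOCAL_HDB = fp_entry(SAMPLE, "Example.Test.Constructed-1") + "\n"
LOCAL_MDB = "\n".join([
    "28672:f380d36c6d636f50392e83fb58fb8a59:Win.Trojan.Agent-793284",  # main.mdb line quoted above
    "%d:%s:Example.Test.Section-1" % (len(SAMPLE_SECTION), hashlib.md5(SAMPLE_SECTION).hexdigest()),
]) + "\n"


def demo() -> dict:
    """The same sample scanned with no overrides, with an .ign2 entry, and with an .fp entry."""
    plain = HashScanner(hdb=LOCAL_HDB, mdb=LOCAL_MDB)
    ignored = HashScanner(hdb=LOCAL_HDB, mdb=LOCAL_MDB, ign2="Example.Test.Constructed-1\n")
    whitelisted = HashScanner(hdb=LOCAL_HDB, mdb=LOCAL_MDB, fp=fp_entry(SAMPLE, "local.fp") + "\n")
    return {
        "plain": plain.scan(SAMPLE),
        "section": plain.scan(b"other file", sections=[SAMPLE_SECTION]),
        "ignored": ignored.scan(SAMPLE),
        "whitelisted": whitelisted.scan(SAMPLE),
        "benign": plain.scan(b"hello"),
    }


if __name__ == "__main__":
    print(demo())
```

The difference between the two overrides is the point the earlier message makes: an `.ign2` entry switches the signature off for everything, while an `.fp` entry only exempts one exact file and leaves the signature live for anything else it would catch.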

Re: [clamav-users] svg files support

2017-02-01 Thread Al Varnell
After further review, I see that SVG is in XML text format, which should not be a problem and there are a couple of SVG signatures in the database: > daily.cvd Html.Exploit.SVG-1 > daily.cvd Svg.Exploit.CVE_2013_1301-1 = According to paragraph 1.1 of the documentation <

Re: [clamav-users] svg files support

2017-02-01 Thread Al Varnell
According to paragraph 1.1 of the documentation, no. -Al- -- ClamXav User On Wed, Feb 01, 2017 at 01:40 AM, Fluss, Daniel wrote: > > Are the svg files scanned/supported by the clamAV? > Thank you. > > S pozdravom / Kind Regards / Mit

Re: [clamav-users] clamAV: problem in DB update

2017-01-21 Thread Al Varnell
As already stated, it would appear that everything was working just fine and changing the mirror settings was totally unnecessary. There is no need to add any country settings at all as freshclam will choose the correct ones automatically based on where you are. Adding country specific

[clamav-users] Html.Exploit.CVE_2016_7204-1 FP?

2017-01-19 Thread Al Varnell
cve-2016-7204-1-triggered-since-the-ui-upgrade>. -Al- -- Al Varnell Mountain View, CA

Re: [clamav-users] whitelisting sender or recipient

2017-01-18 Thread Al Varnell
man clamscan --exclude=REGEX, --exclude-dir=REGEX Don't scan file/directory names matching regular expression. These options can be used multiple times. -Al- ClamXav User On Wed, Jan 18, 2017 at 11:02 PM, z...@aian.de wrote: > > Hey there, > > I bet it's

[clamav-users] Swf.Exploit.CVE_2016_1100-1

2017-01-13 Thread Al Varnell
all test as infected. -Al- -- Al Varnell Mountain View, CA

Re: [clamav-users] ClamAV Virus Definition Update Problem

2017-01-13 Thread Al Varnell
Is there some reason you feel the need to include these? I've found the default setting to work just fine for most users. In any case, I don't believe I've ever heard of anybody using three settings for DatabaseMirror. From the log, it doesn't appear that it ever uses the third (default) settin

Re: [clamav-users] Submitting False Negatives

2017-01-11 Thread Al Varnell
The new naming conventions no longer include a virus name. That has been true since the most recent main.cvd was released. I believe this is because of the amount of manual effort required to determine exactly what a malware sample is and the lack of uniformity in naming malware across the indus

[clamav-users] Osx.Malware.Agent-5505694-0

2017-01-11 Thread Al Varnell
irty/>. There have been no reports of False Positives to date involving this signature by ClamXav users. Can the ClamAV signature team share with us why it was removed? -Al- -- Al Varnell Mountain View, CA

Re: [clamav-users] Clamscan Error

2017-01-05 Thread Al Varnell
>> Scanned files: 214811 >> Infected files: 0 >> Total errors: 22244 >> Data scanned: 7154.29 MB >> Data read: 9810.07 MB (ratio 0.73:1) >> Time: 2698.000 sec (44 m 58 s)

Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread Al Varnell
I have checked VirusTotal and none of the 23 samples submitted yesterday were detected at the time of submission by ClamAV. I'd estimate that an average of 20 of 55 scanners did detect them as infected. On the basis of that I would have to guess that ClamAV signatures will not detect Grizzly Ste

Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread Al Varnell
M, TR Shaw wrote: > > Doesn’t detect to RAT > > Al, if you don’t want to run my unofficial sigs I would be happy to provide > them to Joel for incorporation into official db. > > > >> On Jan 4, 2017, at 5:12 PM, Al Varnell wrote: >> >> Can somebody wi

Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread Al Varnell
Can somebody with access to those samples run them against a virgin ClamAV signature database to answer the question? I'd be happy to if there are samples I can access. -Al- On Wed, Jan 04, 2017 at 07:33 AM, TR Shaw wrote: > > I added detection in winnow_extended_malware.hdb which is distribu

Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-28 Thread Al Varnell
On Dec 28, 2016, at 2:13 PM, Groach wrote: > Ok, I know it has already been mentioned before in another 2 threads but it > seems once again Joel is dismissing the claims or the responsibilities of it > being damaging to peoples systems (regularly quarantining genuine files and > emails) and inst

Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

2016-12-27 Thread Al Varnell
On Dec 27, 2016, at 1:53 PM, demonhunter wrote: > Office Open XML file format (.doc(x|m), .xls(x|m), etc., > https://en.wikipedia.org/wiki/Office_Open_XML) are ZIP files, and those with > macros typically contain an OLE2 file named vbaProject.bin. This signature > appears as though it would mat

Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Al Varnell
No, Daily - 22782 says Win.Trojan.Toa-5368540-0 is a New signature, not one of the 11,296 dropped. -Al- On Mon, Dec 26, 2016 at 08:11 PM, Joel Esler (jesler) wrote: > > I believe that signature has been dropped.

Re: [clamav-users] Usage questions on local.ign2

2016-12-26 Thread Al Varnell
On Mon, Dec 26, 2016 at 08:24 PM, Mark Foley wrote: > > For my clamscan cron job, I turned on --detect-pua=yes. While it did detect > some > genuinely infected files, it also turned up a lot of false positives for > PUA.Win.Trojan.EmbeddedPDF-1 and PUA.Pdf.Trojan.EmbeddedJavaScript-1. > > In s

Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Al Varnell
Although most, if not all, of the old Win.Trojan.Toa signatures were dropped by Daily - 22782, I see it also added Win.Trojan.Toa-5368540-0, so that would appear to be a new issue. -Al- On Mon, Dec 26, 2016 at 05:24 PM, Christian Balzer wrote: > > Hello, > > On Mon, 26 Dec 2016 19:21:25 -0

Re: [clamav-users] More fp's. Now its almost everything that has been zipped.

2016-12-26 Thread Al Varnell
Four have already been dropped and I’m sure there will be more to come. It will go faster if you submit samples to and post a hash back here of the file(s) you uploaded. -Al- On Mon, Dec 26, 2016 at 02:43 AM, Frank Sfalanga Jr. wrote: > > This includes .jar z

Re: [clamav-users] More fp's. Now its almost everything that has been zipped.

2016-12-25 Thread Al Varnell
FILE POSITION: ANY CRC SUM: ANY Found in this mac OS X application on https://www.sublimetext.com. Submitted as FP MD5=f62311d5e593183719cbb5a4264d2e4c:54433:Java.sublime-package -Al- On Dec 25, 2016, at 7:19 AM, Steve Basford wrote: > > On Sun, December 25, 2016 10:40 am, Al Varnell

Re: [clamav-users] More fp's. Now its almost everything that has been zipped.

2016-12-25 Thread Al Varnell
-Al- -- Al Varnell Mountain View, CA

Re: [clamav-users] clamd restart

2016-12-21 Thread Al Varnell
Are you using any UNOFFICIAL signatures? Some of them have been causing memory issues recently for others. -Al- On Wed, Dec 21, 2016 at 02:09 AM, Richard Walker - Seven Internet Ltd wrote: > > Hi > > I am having to restart clamd twice a day now. I can't find anything in the > mail/clamd logs o

Re: [clamav-users] Win.Trojan.URLspoof-2 signtuare and WARC files

2016-12-19 Thread Al Varnell
onsultancy > National Library of New Zealand | Te Puna Mātauranga o Aotearoa > PO Box 1467 Wellington 6140 New Zealand | +64 (0)4 474 3064 > jay.gatt...@dia.govt.nz<mailto:jay.gatt...@natlib.govt.nz>

Re: [clamav-users] the problem of endless loop

2016-12-19 Thread Al Varnell
See How to Report a Bug and then file at Bugzilla . -Al- On Mon, Dec 19, 2016 at 03:56 PM, Tsutomu Oyamada wrote: > > Hi, all. > > I have a question about the error which is caused by the shotage of the size >

Re: [clamav-users] Porting LibClamAV for Android

2016-12-19 Thread Al Varnell
libraries (in c/c++) ported to > android using ndk-build tool and would like to get help from > > ClamAV Developers to build clamav from source for android platform. it > would be so useful if we build libclamav.so for android. and we can see > ClamAV mobile app in future > > O

Re: [clamav-users] Porting LibClamAV for Android

2016-12-19 Thread Al Varnell
You asked a similar question on November 22nd with one response from Noel Jones: > I doubt running clam on an android device would be useful due to the > resources required. Maybe a fun time-waster though, just to see > what happens. There's several free and apparently competent > antivirus prog

Re: [clamav-users] Custom CVD

2016-12-15 Thread Al Varnell
Not a basic question, but one that has been asked several times before, so you should search the archives for possible answers. There aren't any easy solutions with regard to the official signatures, so if I were you I would focus on the unofficial ones you use first. Most of them are designe

Re: [clamav-users] alternative signatures

2016-12-13 Thread Al Varnell
SecureRite is another commonly used source: MalwarePatrol appears to be focused on Enterprise support: -Al- -- ClamXav User On Tue, Dec 13

Re: [clamav-users] Win.Trojan.URLspoof-2 trigger source?

2016-12-08 Thread Al Varnell
On Thu, Dec 08, 2016 at 10:17 AM, Jay Gattuso wrote: > > (1)What's the signature trigger for Win.Trojan.URLspoof-2? You can find any current signature using or $ sigtool --find Win.Trojan.URLspoof-2 | sigtool --decode-sigs VIRUS NAME: Wi

Re: [clamav-users] Question about Repairing infected files

2016-12-04 Thread Al Varnell
On Dec 3, 2016, at 9:02 PM, crazy thinker wrote: > Hi All, > > It is known that ClamAV uses Pattern Matching to Catch infected files. Not often. Most are checked against a hash value these days. > In > this case, Can We use Pattern Removal Strategy to repair infected files. For the most par

Re: [clamav-users] db.at.clamav.net

2016-12-01 Thread Al Varnell
Query Service version 1.88 > (BLAARKOP) -Al- On Thu, Dec 01, 2016 at 02:24 AM, Walter H. wrote: > > please remove 81.223.20.171, as this host doesn't respond ... > > Thanks, > Walter -Al- -- Al Varnell Mountain View, CA

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
And the signature appears to have been dropped in daily - 22632. -Al- On Wed, Nov 30, 2016 at 02:39 PM, Al Varnell wrote: > > Let me add a couple of things here. > > - This isn't my site, I'm just a fellow user trying to help get you an answer. > > - Normally, i
