On Thu, Jan 26, 2006 at 10:24:57AM +0100, Diego d'Ambra wrote:
Erik Corry wrote:
On Wed, Jan 25, 2006 at 09:55:10PM +0100, Diego d'Ambra wrote:
Erik Corry wrote:
Suspicious.HTML.javascript2=756e6573636170652822253636
Put it in a file called local.db in the same directory as your
On Thu, Jan 26, 2006 at 11:50:00AM +0100, Erik Corry wrote:
How about:
JS.Feebs-C.variant-ec:3:*:756e6573636170652822(253636|66)(253735|75)(25363e|6e)(253633|63)*(253237|27)(253237|27)(25323c|2c)??(25323c|2c)??(25323c|2c)??(25323c|2c)
Sheesh, this sig making stuff isn't as simple
On Thu, Jan 26, 2006 at 01:09:28PM +0100, Diego d'Ambra wrote:
Erik Corry wrote:
On Thu, Jan 26, 2006 at 11:50:00AM +0100, Erik Corry wrote:
How about:
JS.Feebs-C.variant-ec:3:*:756e6573636170652822(253636|66)(253735|75)(25363e|6e)(253633|63)*(253237|27)(253237|27)(25323c|2c
:
Suspicious.HTML.javascript2=756e6573636170652822253636
Put it in a file called local.db in the same directory as your main.cvd
and daily.cvd files. It searches for the string:
unescape (%66
(only without the space) in a mail, so it will get some false positives.
--
Erik Corry In this way the infinite
On Wed, Jan 25, 2006 at 01:19:58PM -0500, Mike Robinson wrote:
Erik Corry wrote:
The following signature seems to detect the Mytob variants on my system:
Suspicious.HTML.javascript2=756e6573636170652822253636
Put it in a file called local.db in the same directory as your main.cvd
On Wed, Jan 25, 2006 at 09:55:10PM +0100, Diego d'Ambra wrote:
Erik Corry wrote:
Suspicious.HTML.javascript2=756e6573636170652822253636
Put it in a file called local.db in the same directory as your main.cvd
and daily.cvd files. It searches for the string:
unescape (%66
(only
are running the software) and so the
error code cannot cause a bounce.
--
Erik Corry I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED] bunch of tax-dodging professional whiners. - B. Breathed.
On Sun, Mar 21, 2004 at 08:43:19PM +, Antony Stone wrote:
On Sunday 21 March 2004 6:37 pm, Erik Corry wrote:
You need to distinguish between Worms and Viruses. Worms are just
propagating themselves. There's never any harm in dropping a worm
since they are not part of a project
since a very recent CVS version) isn't a good solution either as a
submitter can have a valid reason to encrypt some sample intentionally.
Suggestion:
Add a web form field for typing in the password, then you can scan
inside the zip, or reject an encrypted zip without a password.
--
Erik Corry
On Tue, Mar 02, 2004 at 09:38:11PM -0800, Shawn Tayler wrote:
On Tue, 2 Mar 2004 17:07:53 +0100 Erik Corry [EMAIL PROTECTED] exclaimed:
The question is how much of a problem it really is. Are users
really that dumb?
What I'm wondering is whether the encrypted version of the
virus
On Tue, Mar 02, 2004 at 03:07:31PM +0800, kengheng wrote:
Hi, can clamav detect those viruses that are protected by a password in a zipped file?
No
have seen have all been
produced by actual encrypted-zip infections. Anyone know?
the password.
That's probably not a task for clamav though, more like MIMEDefang:
http://www.mimedefang.org/
Someone seems to have been giving this some thought:
http://lists.roaringpenguin.com/pipermail/mimedefang/2004-March/020563.html
needs to be able to get a list of possible passwords so it
can have a go at decrypting the zip file.
file and use that...
that to trigger freshclam.
Alternatively I could install freshclam setuid and trigger it
directly with procmail, but I'm not sure freshclam is safe to
use in setuid mode.
--
Erik Corry
/libc.so.6
#1 0xffc0 in ?? ()
#2 0x0804bc2b in threadwatcher ()
#3 0x40097ae0 in pthread_start_thread () from /lib/libpthread.so.0
(gdb) thread 4
Thread ID 4 not known.
I am running on Linux 2.4.20 SMP on a dual PPro with glibc-2.3.2-11.9
(Red Hat)
Any ideas?
of the
SCO virus and the virus was correctly detected. Also, standalone copies
of the decompression bombs could be scanned: Clamav stopped scanning after a
few Mbytes.
So that's nice.
=3839743forum_id=34617