Re: [clamav-users] Detection as PUA.Andr.Trojan.Generic-6878612-0

2019-03-13 Thread Mark Foley
On Wed, 13 Mar 2019 11:26:06 +0100 vamp898 wrote: > > Hi there, > > for a few days we have been getting a _lot_ of detections for > PUA.Andr.Trojan.Generic-6878612-0 > > Office Documents, ZIP Documents, JPEG Images (containing nothing as > JPEG) are all more and more detected as this type. Not all of them but

Re: [clamav-users] Emf.Exploit.CVE_2017_16395-6376329-0

2017-11-20 Thread Mark Foley
STRING(LENGTH==36)} EMF > * SUBSIG ID 1 > +-> OFFSET: ANY > +-> SIGMOD: NONE > +-> DECODED SUBSIGNATURE: > > > -Al- > > On Sun, Nov 19, 2017 at 09:12 AM, Mark Foley wrote: > > For the past couple of days I've been getting notices from clamscan for > >

[clamav-users] Emf.Exploit.CVE_2017_16395-6376329-0

2017-11-19 Thread Mark Foley
For the past couple of days I've been getting notices from clamscan for Emf.Exploit.CVE_2017_16395-6376329-0. clamscan is running on the IMAP Maildir directories and is finding this exploit on emails as old as 2010. I can find nothing on this exploit searching on the web other than it exists. No

Re: [clamav-users] Virus Malvare not detected

2017-11-15 Thread Mark Foley
o the issues. Thanks, Steve On Wed, Nov 15, 2017 at 2:45 PM, Mark Foley <mfo...@novatec-inc.com> wrote: > I'm going to continue piggybacking onto this thread as it deals with > Clamav's > non-discovery of the malware attached to messages with the subject "Invoice > ...". Al

Re: [clamav-users] Virus Malvare not detected

2017-11-15 Thread Mark Foley
ld I submit a sample of this attachment?) --Mark -Original Message----- From: Mark Foley <mfo...@novatec-inc.com> Date: Wed, 15 Nov 2017 13:18:23 -0500 Organization: Novatec Software Engineering, LLC To: clamav-users@lists.clamav.net I'm having this same issue. The problem as I see it is that the .doc

Re: [clamav-users] password protected encrypted .docx files

2017-11-15 Thread Mark Foley
OK, I've found something. Encrypted .docx files contain the following strings: http://schemas.microsoft.com/office/2006/encryption; xmlns:p="http://schemas.microsoft.com/office/2006/keyEncryptor/password;> > >>> scripts and > > >>> execute .exe files. > > >>> > > >>> I'd like to block

Re: [clamav-users] Virus Malvare not detected

2017-11-15 Thread Mark Foley
I'm having this same issue. The problem as I see it is that the .doc attached to these "Invoice" messages is encrypted and clamav does not see what's inside. I'm discussing this encrypted attachment issue in my thread, subject: "password protected encrypted .docx files". I'm continuing to research

Re: [clamav-users] password protected encrypted .docx files

2017-11-15 Thread Mark Foley
On Wed, 15 Nov 2017 18:37:36 +0100 (CET) Kees Theunissen <c.j.theunis...@differ.nl> wrote: > > On Wed, 15 Nov 2017, Mark Foley wrote: > > >On Wed 15 Nov 2017 01:14:00 -0800 Al Varnell <alvarn...@mac.com> wrote: > > > >>On Tue, Nov 14, 2017 at 07:45 AM,

Re: [clamav-users] password protected encrypted .docx files

2017-11-15 Thread Mark Foley
On Wed 15 Nov 2017 01:14:00 -0800 Al Varnell <alvarn...@mac.com> wrote: >On Tue, Nov 14, 2017 at 07:45 AM, Mark Foley wrote: >> I found this older message in the archives. I'm receiving a lot of fake >> "Invoice" messages with attached encrypted .doc files that run

Re: [clamav-users] password protected encrypted .docx files

2017-11-14 Thread Mark Foley
I found this older message in the archives. I'm receiving a lot of fake "Invoice" messages with attached encrypted .doc files that run VB scripts and execute .exe files. I'd like to block encrypted Word documents. Interestingly, as Reindl Harald says, ".docx files *are* zip files", but lately

Re: [clamav-users] PUA.Win.Trojan.EmbeddedPDF-1 and PUA.Pdf.Trojan.EmbeddedJavaScript-1

2017-10-26 Thread Mark Foley
wrote: > > We discussed these same two last December: Usage questions on local.ign2 > <http://lists.clamav.net/pipermail/clamav-users/2016-December/003938.html > <http://lists.clamav.net/pipermail/clamav-users/2016-December/003938.html>> > > -Al- > > On Wed,

[clamav-users] PUA.Win.Trojan.EmbeddedPDF-1 and PUA.Pdf.Trojan.EmbeddedJavaScript-1

2017-10-25 Thread Mark Foley
Today I got clamscan notices for PUA.Pdf.Trojan.EmbeddedJavaScript-1 and PUA.Win.Trojan.EmbeddedPDF-1 on over 100 old email files that have been out there for years. Are these false positives? --Mark

Re: [clamav-users] Bytecode run timed out

2017-07-28 Thread Mark Foley
I've put that (with the trailing '.{}') in the .ign2 file as well. Can I use a '#' at the beginning of the lines in the .ign2 file as a comment? I've found no documentation on this and, if not, I might be getting false results. --Mark -Original Message----- From: Mark Foley <mfo...@novatec-inc.c

Re: [clamav-users] Bytecode run timed out

2017-07-27 Thread Mark Foley
> > > Checking back I see there was a period rather than a space between the > > signature name and the brackets, so: > > > > BC.Multios.Exploit.CVE_2017_2816-6329916-0.{} > > BC.Pdf.Exploit.CVE_2017_2818-6331913-0.{} > > BC.Pdf.Exploit.CVE_2017_2862-6331914-0.{}

Re: [clamav-users] Bytecode run timed out

2017-07-22 Thread Mark Foley
That didn't work. I'll try w/o the {}. Just to confirm, I've put these in /var/lib/clamav/local.ign2, correct? --Mark -Original Message- From: Mark Foley <mfo...@novatec-inc.com> Date: Sat, 22 Jul 2017 11:08:28 -0400 To: clamav-users@lists.clamav.net So

Re: [clamav-users] Bytecode run timed out

2017-07-22 Thread Mark Foley
last time it was > discussed here, the entry needed to be followed by {} for some unknown > reason, to make it work. > > -Al- > > On Fri, Jul 21, 2017 at 10:29 PM, Mark Foley wrote: > > > > Are bytecodes individually blockable? > > > > --Mark > >

Re: [clamav-users] Bytecode run timed out

2017-07-21 Thread Mark Foley
E_2017_2818-6331913-0 >* BC.Pdf.Exploit.CVE_2017_2862-6331914-0 > > -Al- > > On Fri, Jul 21, 2017 at 08:36 PM, Mark Foley wrote: > > > > I ran clamscan by hand on the files before and after the error, and it's > > the file > > after the error. I've bumped the --bytecode-

Re: [clamav-users] Bytecode run timed out

2017-07-21 Thread Mark Foley
ough I suppose it's possible for it to be the next one > shown. > > It's my understanding that not all files receive a bytecode signature scan, > making it even more difficult to determine the problem file. > > -Al- > > On Fri, Jul 21, 2017 at 08:59 AM, Mark Foley wrote:

Re: [clamav-users] Bytecode run timed out

2017-07-21 Thread Mark Foley
it and why would the 1,266,193 size file cause the warning and not the more than twice-as-large file immediately following? Also there are much larger files in this directory, up to 21M, but this is the only warning issued. --Mark -Original Message----- From: Mark Foley <mfo...@novatec-inc.c

Re: [clamav-users] Bytecode run timed out

2017-07-20 Thread Mark Foley
OK, I'll turn that off and see what I get. --Mark On Thu, 20 Jul 2017 16:59:34 -0400 Steven Morgan <smor...@sourcefire.com> wrote: > > --infected suppresses the printing of clean file names. > > On Thu, Jul 20, 2017 at 3:31 PM, Mark Foley <mfo...@novatec-inc.com> wrote:

Re: [clamav-users] Bytecode run timed out

2017-07-20 Thread Mark Foley
milliseconds. What clamscan parameters are you using? > I am seeing file names by default. > > Steve > > On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <mfo...@novatec-inc.com> wrote: > > > It doesn't give any file names, even in the logfiles. It happens when I'm >

Re: [clamav-users] Bytecode run timed out

2017-07-20 Thread Mark Foley
y increasing the timeout limit. --bytecode-timeout for clamscan > and BytecodeTimeout for clamd. > > Steve > > On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley <mfo...@novatec-inc.com> wrote: > > > What is this? It just started happening. > > > > LibClamAV Warning

[clamav-users] Bytecode run timed out

2017-07-20 Thread Mark Foley
What is this? It just started happening. LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set LibClamAV Warning: [Bytecode JIT]: recovered from error LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error! LibClamAV Warning: Bytcode 5 failed to run: Time

Re: [clamav-users] How to know if yara rules are being run?

2017-07-06 Thread Mark Foley
On Thu, 6 Jul 2017 11:34:53 -0400 Kris Deugau <kdeu...@vianet.ca> wrote > > Mark Foley wrote: > > > So, the question posted below remains: > > > > Will the expetr.yara rule, described in this thread, run as is, or not, on > > Linux? > > Any valid si

Re: [clamav-users] How to know if yara rules are being run?

2017-07-05 Thread Mark Foley
From: Mark Foley <mfo...@novatec-inc.com> Date: Wed, 05 Jul 2017 17:52:03 -0400 Organization: Novatec Software Engineering, LLC To: clamav-users@lists.clamav.net Subject: Re: [clamav-users] How to know if yara rules are being run? I'm following up to my own message. I've confirmed that my

Re: [clamav-users] How to know if yara rules are being run?

2017-07-05 Thread Mark Foley
On Tue, 4 Jul 2017 11:47:35 -0400 eric-l...@truenet.com wrote > > Eric - you misunderstand my question. I'm not asking if the yara rule is > > working as designed. I'm asking how I can tell if clamav-milter is actually > > running the rule during its scan of incoming email. All I did was put >

Re: [clamav-users] How to know if yara rules are being run?

2017-07-04 Thread Mark Foley
On Mon, 3 Jul 2017 19:57:25 -0400 Eric Tykwinski wrote: > >> > > > > Yes. I got exactly the same output as you show. Therefore, yara rules are > > enabled. > > > > So then, how can I confirm the expetr.yara I created is being run? > > > > --Mark > > Mark, > > We are

Re: [clamav-users] How to know if yara rules are being run?

2017-07-03 Thread Mark Foley
On Sat, 1 Jul 2017 09:21:50 -0400 Eric Tykwinski <eric-l...@truenet.com> wrote: > > On Jul 1, 2017, at 1:10 AM, Mark Foley <mfo...@novatec-inc.com> wrote: > > > > I've put the expetr.yara rule from Kaspersky for the recent notPetya > > ransomware > > in

Re: [clamav-users] New ClamAV update?

2017-07-03 Thread Mark Foley
On Sun, 02 Jul 2017 11:25:34 -0700 Al Varnell <alvarn...@mac.com> wrote > On Jul 2, 2017, at 7:44 AM, Mark Foley wrote: > > On Jun 29, 2017, at 5:10 PM, Al Varnell wrote: > >> The list of CVE's known to apply to ClamAV can be found here: > >> <https://w

Re: [clamav-users] New ClamAV update?

2017-07-02 Thread Mark Foley
On Jun 29, 2017, at 5:10 PM, Al Varnell > wrote: > The list of CVE's known to apply to ClamAV can be found here: > . I've check that known CVE list.

[clamav-users] How to know if yara rules are being run?

2017-06-30 Thread Mark Foley
I've put the expetr.yara rule from Kaspersky for the recent notPetya ransomware in my /var/lib/clamav directory. How can I tell if clamav is running it? I see nothing in /var/log/clamav.log. --Mark

Re: [clamav-users] WannaCry Homeland Security yara script. False positives?

2017-05-17 Thread Mark Foley
Perhaps I'm missing it, but I didn't see any attachment. --Mark On 5/17/2017 1:46 PM, João Gouveia wrote: Those rules are known for FP'ing a lot. Here's a different set you might want to check, courtesy of ReversingLabs ( attached ). On Wed, May 17, 2017 at 6:10 AM, Mark Foley <mfo...@nova

[clamav-users] WannaCry Homeland Security yara script. False positives?

2017-05-16 Thread Mark Foley
I added the yara script published by Homeland security to the clamav database directory. I believe I am getting a substantial number of false positives on this including messages containing PDF and JPG attachments, the latter known to be OK. $ clamscan "/home/HPRS/mpress/Maildir/.Sent

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Mark Foley
aCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm" so I would imagine the samples on this page are for wannaCry, right? --Mark > -Original Message- > From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf > Of Mark Foley > Sent: Monday, May 15,

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Mark Foley
On Sat May 13 13:25:07 2017 From: Alain Zidouemba wrote: > > Yara rules have been supported by ClamAV since 2015: > http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html > > - Alain I'm following these instructions now. The instructions say, "just place your YARA

[clamav-users] Signature update timeliness

2017-05-05 Thread Mark Foley
I have a question about the timeliness of signature updates. I am running a clamav-milter to check email when received by the MDA -- this rarely finds anything. I also have clamscan running multiple times a day checking all the Maildir folders. Yesterday, the Maildir folder scan found

Re: [clamav-users] Problems with 3rd party sigs

2017-03-31 Thread Mark Foley
in ClamAV. > Other specifics of using yara rules in Clam may be found in > docs/signatures.pdf. Also, looks like errors in EMAIL_Cryptowall.yar yara > rule? > > Hope this helps, > Steve > > On Fri, Mar 31, 2017 at 1:45 PM, Mark Foley <mfo...@novatec-inc.com> wrote: > >

[clamav-users] Problems with 3rd party sigs

2017-03-31 Thread Mark Foley
Per advice on this list, I downloaded and installed the clamav-unofficial-sigs scripts from the link on Sanesecurity. I've not been able to get it running. Two problems: 1. The /etc/cron.d/clamav-unofficial-sigs cron script won't run from crond. I get an email: /bin/sh: clamav: command not

Re: [clamav-users] Win.Trojan.DarkKomet-5711346-0 false positive?

2017-02-16 Thread Mark Foley
On Thu, 16 Feb 2017 21:21:06 +0100 Reindl Harald <h.rei...@thelounge.net> wrote: > Am 16.02.2017 um 21:17 schrieb Mark Foley: > > I am running a scheduled clamscan on the IMAP mail folders. The command is: > > > > /usr/local/bin/clamscan -a --detect-pua=yes --no-summa

[clamav-users] Win.Trojan.DarkKomet-5711346-0 false positive?

2017-02-16 Thread Mark Foley
I am running a scheduled clamscan on the IMAP mail folders. The command is: /usr/local/bin/clamscan -a --detect-pua=yes --no-summary --stdout --infected \ --recursive --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/ This scan turns up the following: /home/HPRS/dsmith/Maildir/.Sent

[clamav-users] How to get/use 3rd party signatures?

2016-12-29 Thread Mark Foley
On 29/12/2016 09:32, Reindl Harald wrote: > > Am 29.12.2016 um 10:21 schrieb Reindl Harald: >> >> state of the official signatures is that clamav doesn't catch much real >> malware all over the time without sanesecurity 3rd party signatures and >> the official > I'd like to add these 3rd party

[clamav-users] Usage questions on local.ign2

2016-12-26 Thread Mark Foley
For my clamscan cron job, I turned on --detect-pua=yes. While it did detect some genuinely infected files, it also turned up a lot of false positives for PUA.Win.Trojan.EmbeddedPDF-1 and PUA.Pdf.Trojan.EmbeddedJavaScript-1. In searching for a way to block just these specific PUA signatures, I

Re: [clamav-users] Cannot skip OLE2 checking

2016-12-22 Thread Mark Foley
On Wed, 21 Dec 2016 20:05:27 (CET) Kees Theunissen wrote: > > On Wed, 21 Dec 2016, Mark Foley wrote: > > >On Wed, 21 Dec 2016 17:34:05 Reindl Harald wrote: > >> > >> Am 21.12.2016 um 17:25 schrieb Mark Foley: > >> > I'm running clamdscan on Maildir fold

Re: [clamav-users] Cannot skip OLE2 checking

2016-12-21 Thread Mark Foley
On Wed, 21 Dec 2016 17:34:05 Reindl Harald wrote: > > Am 21.12.2016 um 17:25 schrieb Mark Foley: > > I'm running clamdscan on Maildir folders as: > > > > clamdscan --config-file=/usr/local/etc/clamdscan.conf --multiscan \ > > --fdpass --allmatch --stdout /home/HPR

[clamav-users] Cannot skip OLE2 checking

2016-12-21 Thread Mark Foley
I'm running clamdscan on Maildir folders as: clamdscan --config-file=/usr/local/etc/clamdscan.conf --multiscan \ --fdpass --allmatch --stdout /home/HPRS/user/Maildir/ I want to skip checking for OLE2 macros. The /usr/local/etc/clamdscan.conf has: ScanOLE2 no OLE2BlockMacros no However, it

Re: [clamav-users] No notice of OLE2.ContainsMacros

2016-12-20 Thread Mark Foley
On Tue, 20 Dec 2016 17:26:10 "G.W. Haywood" wrote: > To: clamav-users@lists.clamav.net > Subject: Re: [clamav-users] No notice of OLE2.ContainsMacros > > On Tue, 20 Dec 2016, Mark Foley wrote: > > > ... running clamscan --block-macros=yes does find the > >

Re: [clamav-users] No notice of OLE2.ContainsMacros

2016-12-19 Thread Mark Foley
Ah ha! Some progress: # First, I'll extract the attachment: $ ripmime -v -i /var/spool/mqueue/dfuBJBh64e020058 Decoding filename=textfile0 Decoding filename=textfile1 Decoding filename=Payslip_Dec_2016_84286914.doc # try vanilla clamscan (nothing found): $ clamscan Payslip_Dec_2016_84286914.doc

Re: [clamav-users] No notice of OLE2.ContainsMacros [OT]

2016-12-19 Thread Mark Foley
ing the list, asking to be 'unsubscribed'. Best regards, Matteo On 12/19/2016 04:05 PM, Mark Foley wrote: > Please elaborate a bit on your suggestion "unsubscrib". I don't understand. > > --Mark > > -Original Message- > Date: Mon, 19 Dec 2016 08:57:44 -0500

[clamav-users] No notice of OLE2.ContainsMacros

2016-12-19 Thread Mark Foley
et> Subject: [clamav-users] unsubscribe unsubscribe -----Original Message- From: "Mark Foley" <mfo...@novatec-inc.com> Sent: Monday, December 19, 2016 8:36am To: clamav-users@lists.clamav.net Subject: [clamav-users] No notice of OLE2.ContainsMacros Before I submit a bug r

[clamav-users] No notice of OLE2.ContainsMacros

2016-12-19 Thread Mark Foley
Before I submit a bug report on this, I thought I'd see if any list members have ideas. I'm running clamav 0.99.2 on Linux Slackware64 14.1. I'm running clamav-milter for sendmail. I have "OLE2BlockMacros yes" set in /usr/local/etc/clamd.conf. This is working fine, I get: fd[10]: