Re: [clamav-users] How to determine false-v-real FOUND

2017-02-09 Thread Steve Basford
On Thu, February 9, 2017 1:12 pm, Brad Scalio wrote: > Clamscan found a PE "visor.exe.svn-base" that matched > Win.Trojan.Agent-793284 FOUND. > > Is there a way, or an online tutorial, or some other information to > decompose the signature and the file easily to determine if it's a false >

Re: [clamav-users] svg files support

2017-02-01 Thread Steve Basford
On Wed, February 1, 2017 10:19 am, Al Varnell wrote: > After further review, I see that SVG is in XML text format, which should > not be a problem and there are a couple of SVG signatures in the > database: That's correct... I've a few sigs for SVG too, mainly due to Javascript being used

Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Steve Basford
On Thu, December 29, 2016 1:40 pm, Mark Allan wrote: > It seems a little overkill to add a new feature for this. Couldn't you > just delete the cvd/cld file and prevent freshclam from running? Or > better yet, write a wrapper around freshclam so the update still takes > place and then unpack the

Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Steve Basford
On Thu, December 29, 2016 9:32 am, Reindl Harald wrote: > >i would love to be able to *completely* exclude >"daily.cld", "daily.cvd" and "main.cvd" and only update >"safebrowsing.cvd" daily.cvd and main.cvd are compressed versions of multiple databases... eg. sigtool --unpack-current=daily

Re: [clamav-users] signature memory use

2016-12-28 Thread Steve basford
doppelstern aren't used any more but I still mirror the blank files for a while so people's configs don't break. Cheers, Steve Twitter: @sanesecurity On 28 December 2016 19:57:06 Alex wrote: Hi Steve, crdfam.clamav.hdb,pool memory used: 4.355 MB

Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

2016-12-27 Thread Steve basford
#All# macros inside xlsm files are being blocked due to sig blocking of Vbaproject.bin inside. Cheers, Steve Twitter: @sanesecurity On 27 December 2016 20:08:37 Adnan de Castro Donato wrote: In keeping with one false positive reports I have 8 CentOS servers

Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Steve Basford
On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote: > In keeping with the other false positive reports I have more than 400 > CentOS servers report below after yesterday's freshclam update: Yes, nashorn.jar seems to get hit too... eg: fp2\11476331d01: Win.Trojan.Toa-5372078-0

Re: [clamav-users] More fp's.

2016-12-26 Thread Steve Basford
On Mon, December 26, 2016 12:39 pm, Sierk Bornemann wrote: Just run freshclam... fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND

Re: [clamav-users] More fp's. Now its almost everything that has been zipped.

2016-12-25 Thread Steve Basford
On Sun, December 25, 2016 10:40 am, Al Varnell wrote: > A handful of ClamXav users can confirm the Firefox > omni.ja:Win.Trojan.Toa-5370234-0. It also identified some Adobe products > as infected when run through QA. Firstly, Merry Christmas to all. Onto the FP's... basically they are too

Re: [clamav-users] signature memory use

2016-12-21 Thread Steve Basford
> So all signatures should be running fine with 6Gb of RAM, right ? > Even our big signatures :) Summary test: Using clamscan only to scan test.eml (3,706 bytes) ClamAV Official sigs only (daily/main): pool memory used: 385.675 MB Official + *all* Sanesecurity/Distributed sigs pool memory

[clamav-users] signature memory use

2016-12-21 Thread Steve Basford
As some people have reported memory issues... Quickly put these together based on scanning a small file and *only* loading *one* signature database at a time: Sanesecurity: badmacro.ndb,pool memory used: 5.132 MB blurl.ndb,pool memory used: 4.800 MB bofhland_cracked_URL.ndb,pool memory used:

Re: [clamav-users] clamd restart

2016-12-21 Thread Steve basford
On 21 December 2016 11:07:42 Al Varnell wrote: Are you using any UNOFFICIAL signatures? Some of them have been causing memory issues recently for others. Al, while some 3rd party sigs are using memory, you've also got to remember the huge amount of sig only hashes the

Re: [clamav-users] clamd restart

2016-12-21 Thread Steve basford
Do you have a list of signatures in your clamav database folder you can list? Cheers, Steve Twitter: @sanesecurity On 21 December 2016 11:20:12 "Richard Walker - Seven Internet Ltd" wrote: Hi Al Yes I'm using unofficial signatures. I have disabled the cron

Re: [clamav-users] Custom CVD

2016-12-16 Thread Steve Basford
On Fri, December 16, 2016 2:39 am, filipecalderon66...@yahoo.com wrote: > Hello all - first time post and new clamav user. > I have installed clamav on a box that has very specific exposures, and has > very limited memory and disk space. The existing signatures when all the > other optional ones

Re: [clamav-users] Custom CVD

2016-12-16 Thread Steve Basford
On Fri, December 16, 2016 2:39 am, filipecalderon66...@yahoo.com wrote: > Hello all - first time post and new clamav user. > I have installed clamav on a box that has very specific exposures, and has > very limited memory and disk space. The existing signatures when all the > other optional ones

Re: [clamav-users] Question on attachments

2016-12-12 Thread Steve basford
Hi Tom, .ftm files contain magic headers of various formats. cat daily.ftm; cat sanesecurity.ftm The engine then unpacks if it's a zip etc and the unpacked exists. That's why your example filename still unpacks. You can also use .ftm to skip file formats from scanning. I'm mobile at the

Re: [clamav-users] bugzilla security certificate

2016-12-12 Thread Steve Basford
On Wed, December 7, 2016 5:03 pm, Benny Pedersen wrote: >> You can bypass the warning if desired. > > worst advise you ever have giving here Thanks... but I didn't actually say you *should* ... but browsers do allow you to. In this case the firefox error box was: bugs.clamav.net uses an

Re: [clamav-users] Goldeneye ransomware

2016-12-08 Thread Steve basford
Hi... this is detected with Badmacro.ndb. On 8 December 2016 16:54:26 Matteo Dessalvi wrote I also ran a quick analysis on Malwr: https://malwr.com/analysis/Y2VhYWNjZTk3NWFhNGRhMDg5OWYwY2E5MzdjNDA2M2I/ Best regards, Matteo

Re: [clamav-users] Goldeneye ransomware

2016-12-08 Thread Steve basford
On 8 December 2016 20:39:49 Jack wrote: In addition to SaneSecurity, here is another third-party repo of sigs (updated often) that catches these docs: They are available on the to use on the download script already I seem to remember. I've high fps with them and had

[clamav-users] bugzilla security certificate

2016-12-07 Thread Steve Basford
Just a quick one... in case it confuses visitors to Bugzilla... Going to https://bugs.clamav.net/ Firefox reports: "bugs.clamav.net uses an invalid security certificate. The certificate is only valid for bugzilla.clamav.net Error code: SSL_ERROR_BAD_CERT_DOMAIN" You can bypass the warning if

[clamav-users] support

2016-12-05 Thread Steve Basford
Hi, Just had a twitter user contact me regarding an fp that he reported 1st September (I don't have a hash sorry): 3986318.cbc:BC.Legacy.Exploit.CVE_2012_4148-1.{};Engine:70-255,Target:10;(0&2&1) ;0:255044462d312e;*:2f416e6e6f74;*:2f53756274797065{-5}2f576964676574 Secondly, I'm seeing this

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Steve Basford
On Wed, November 30, 2016 10:50 am, Al Varnell wrote: > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > >> >> * Al Varnell : >> >>> Has anybody submitted a PDF yet? >>> >> >> Of course. >> > > Hash? Here's one example I saw in a forum... Source:

Re: [clamav-users] BKF archives scanable by ClamAV?

2016-11-30 Thread Steve Basford
On Tue, November 29, 2016 9:26 pm, Fr34k wrote: > Hello ClamAV Experts, > Can ClamAV scan within Windows BKF archives? > Both the Clam AntiVirus 0.99.1 User Manual and my Internet searches thus > far suggest the answer is, sadly, "no". I presume this may be due to the > age of .bkf usage.

[clamav-users] Reddit fp report

2016-11-29 Thread Steve basford
Might need a reply https://www.reddit.com/r/Malware/comments/5fix65/clamav_and_fortinet_have_not_fixed_a_false/ https://www.virustotal.com/en/file/61b5451350a110512d734f426a37e49721a7dea8170fd10f0a48974dedd971a5/analysis/ Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] Whitelist based on sign *and* filename?

2016-11-28 Thread Steve Basford
On Mon, November 28, 2016 1:56 pm, Mathieu D. wrote: > Hello, > > > Is there any way to whitelist a file based on its signature *and* its > filename? > Not that I know of... I guess this *might* be an option. 1. Find something common in your pdf you want to "whitelist", say "Your company

Re: [clamav-users] [Ext] Using very high CPU with lots of errors

2016-11-21 Thread Steve Basford
On Mon, November 21, 2016 3:15 pm, Hayes, Doug wrote: > Hi Team, > > > Looking for some assistance here, looks like I am getting the below > errors when starting the clamd process? Any ideas? > > --Version > ClamAV 0.97.6/22576/Mon Nov 21 06:21:40 2016 Sorry for to add...

Re: [clamav-users] [Ext] Using very high CPU with lots of errors

2016-11-21 Thread Steve Basford
On Mon, November 21, 2016 3:15 pm, Hayes, Doug wrote: > Hi Team, > > > Looking for some assistance here, looks like I am getting the below > errors when starting the clamd process? Any ideas? > > --Version > ClamAV 0.97.6/22576/Mon Nov 21 06:21:40 2016 You need to upgrade your ClamAV engine.

Re: [clamav-users] CRDF databases and clamav

2016-11-20 Thread Steve basford
Passed directly to CRDF at the same time something is reported to the ClamAV team. For info: if someone reports an FP with a Sanesecurity or Sanesecurity distributed sigs, the sig is firstly removed then reported to the sig maker and if the FP can be avoided and fixed, it will be

Re: [clamav-users] CRDF databases and clamav

2016-11-20 Thread Steve basford
On 20 November 2016 16:54:48 Rafael Ferreira wrote: CRDF databases are now being rolled into the >main/daily.cvd ones? Yes they were distributed on the Sanesecurity mirror originally (with an config option to enable) but were removed after the announcement... as it

Re: [clamav-users] clamav-users@lists.clamav.net

2016-11-18 Thread Steve basford
:07 PM, Steve basford wrote: Remove javascript.ndb and retry... Cheers, Steve Twitter: @sanesecurity On 18 November 2016 22:02:41 Richard Doyle <list...@arbitrarydomain.name> wrote: On 11/18/2016 01:52 PM, Steve basford wrote: Does clamscan --debug on the database folder show the

Re: [clamav-users] clamav-users@lists.clamav.net

2016-11-18 Thread Steve basford
Remove javascript.ndb and retry... Cheers, Steve Twitter: @sanesecurity On 18 November 2016 22:02:41 Richard Doyle <list...@arbitrarydomain.name> wrote: On 11/18/2016 01:52 PM, Steve basford wrote: Does clamscan --debug on the database folder show the same delays... Yes Can

Re: [clamav-users] clamav-users@lists.clamav.net

2016-11-18 Thread Steve basford
took 5 minutes for clamd to start. On 11/18/2016 01:25 PM, Steve basford wrote: Can you give me a list of 3rd party databases you are using Cheers, Steve Twitter: @sanesecurity On 18 November 2016 21:11:22 Richard Doyle <list...@arbitrarydomain.name> wrote: Yes, clamd on my syst

Re: [clamav-users] clamav-users@lists.clamav.net

2016-11-18 Thread Steve basford
Can you give me a list of 3rd party databases you are using Cheers, Steve Twitter: @sanesecurity On 18 November 2016 21:11:22 Richard Doyle wrote: Yes, clamd on my system is taking about 5 minutes to start, which causes timeouts. This issue developed

Re: [clamav-users] ClamAV malware report: include info from Malwr?

2016-11-16 Thread Steve Basford
On Wed, November 16, 2016 1:56 pm, Matteo Dessalvi wrote: > It ended up to be just the first step in order to download the > real malware: > > https://malwr.com/analysis/MzVkNzAzYjBiOTJhNDlmODhkZjRiY2EwY2EwOWZhZWE/ I Guess you could post links to other sites too... eg:

Re: [clamav-users] Problems with safe browsing

2016-11-10 Thread Steve basford
Hi Tom, Create a standard header body formatted email and then insert the address at the end. It will be detected. Just placing on a line.. it won't be detected, Cheers, Steve Twitter: @sanesecurity On 10 November 2016 19:53:05 TR Shaw wrote: I have freshclam set to

Re: [clamav-users] Creating Windows 10 Services

2016-11-10 Thread Steve Basford
On Thu, November 10, 2016 12:15 am, Andrew Brown wrote: > I would now like to turn this into a service. I have found Sc > create useful and I can create the service but when I enter my > parameters it goes bang

Re: [clamav-users] WSF viruses, and other issues

2016-10-24 Thread Steve basford
Hi John, phish.ndb, rogue.ndb for most malware, See foxhole sigs for other levels of detection. As well as .js, .wsf and .hta malware, now seeing and detecting .lnk malware with an auto downloading PowerShell command, which is nasty. Cheers, Steve Twitter: @sanesecurity On 24 October

Re: [clamav-users] Memory error

2016-10-23 Thread Steve basford
On 23 October 2016 21:11:26 Matus UHLAR - fantomas <uh...@fantomas.sk> wrote: On 22.10.16 22:53, Steve basford wrote: Upgrade... ie. https://wiki.zimbra.com/wiki/ClamAV_DB_update_leads_to_**UNCHECKED**_in_all_messages I wonder if this hasn't been known prior to the update. Last EO

Re: [clamav-users] Memory error

2016-10-22 Thread Steve basford
Upgrade... ie. https://wiki.zimbra.com/wiki/ClamAV_DB_update_leads_to_**UNCHECKED**_in_all_messages Cheers, Steve Twitter: @sanesecurity On 22 October 2016 21:40:11 Marcelo Machado wrote: Hi everybody. I have a Zimbra server and the clamav crashes when it loads the

Re: [clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-19 Thread Steve Basford
On Wed, October 19, 2016 3:12 pm, Joel Esler (jesler) wrote: > Heino, > > > Can you clarify which sig caught it? > > > Doc.Dropper.Agent-177659 is not an actual sig number. Damn cut and paste... it's: Doc.Dropper.Agent-1776597 (a hash) -- Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-19 Thread Steve Basford
On Wed, October 19, 2016 3:05 pm, Joel Esler (jesler) wrote: > So to be clear, it is not detected or it is detected? I think he's saying... * It *should* have been blocked with OLE2BlockMacros yes option but *wasn't* * It is now detected as Doc.Dropper.Agent-177659 -- Cheers, Steve

Re: [clamav-users] unsubscribe

2016-10-12 Thread Steve Basford
On Wed, October 12, 2016 8:40 am, Van Dalsen, Herbie wrote: > unsubscribe > Here you go... List-Unsubscribe: http://lists.clamav.net/cgi-bin/mailman/options/clamav-users or mailto:clamav-users-requ...@lists.clamav.net?subject=unsubscribe -- Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] Whitelisting FP domains

2016-10-06 Thread Steve Basford
On Thu, October 6, 2016 3:21 pm, Reindl Harald wrote: > >> I have another that was just discovered. Is this a sanesecurity >> pattern and could it be a FP? There's no reference to it on virustotal or >> elsewhere: >> >> >> # sigtool --find-sigs winnow.spam.ts.miscspam.1025807 | sigtool >>

Re: [clamav-users] Whitelisting FP domains

2016-10-06 Thread Steve Basford
On Thu, October 6, 2016 1:40 pm, Alex wrote: > Hi, > > > We have reports of a domain being blacklisted and we don't think it > should be: > > LibClamAV debug: Phishcheck:Checking url > http://www.hospitalitytec.com->www.hospitalitytec.com I think its better to keep the domain listed at the

Re: [clamav-users] Encrypted Word doc/phishing attack

2016-10-05 Thread Steve Basford
On Wed, October 5, 2016 1:21 pm, Alex wrote: > Hi, > I'm starting to receive emails like this: > > > http://pastebin.com/HpvEcT9K > > > They're not being caught by clamav or other virus filters. Is it even > possible to catch encrypted Word docs with a virus scanner? > Sorry this is brief, still

Re: [clamav-users] How to get each file status when scan a directory using clamdscan

2016-10-04 Thread Steve Basford
On Mon, October 3, 2016 6:05 pm, crazy thinker wrote: > Hi, > > > when i scanned a directory using clamdscan, i could get only error and > virus file infected files status in output. but i would like to see each > file status (including "OK" status also) when i perform scan over single >

Re: [clamav-users] false positive rate

2016-10-02 Thread Steve basford
I guess the first question is are you using official only signatures or do you use 3rd party ones... if so could you do a database list. Next, are you scanning files which are getting fps or are these files grabbed via http or proxy? Could you post sig names, filenames and hashes of a few of

Re: [clamav-users] Empty updates

2016-09-30 Thread Steve Basford
On Fri, September 30, 2016 10:56 am, Al Varnell wrote: > Last two daily's (22277 and 22278) were empty. ClamAV Signature Publishing Notice Datefile: daily Version:22277 Publisher: Alain Zidouemba New Sigs: 0 Dropped Sigs: 0 Ignored Sigs: 49 New Detection

Re: [clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

2016-09-27 Thread Steve Basford
On Tue, September 27, 2016 8:39 am, David Shrimpton wrote: > Hi, > > > Win.Trojan.Agent-1696554 added to daily.hdb on 21/9/16 is an > md5sum of a file containing 2240 null bytes only, so appears to be a broken > signature. > > It is causing false positives. Confirmed FP I would say:

Re: [clamav-users] CryLocker and Cryptolocker

2016-09-14 Thread Steve basford
On 14 September 2016 18:20:17 Alex wrote: I also don't always get the feedback from the >users on the specific Word documents that were missed, >only that their desktop was compromised. Without having a sample it's a bit difficult but if you do get a sample that

Re: [clamav-users] CryLocker and Cryptolocker

2016-09-14 Thread Steve Basford
On Wed, September 14, 2016 5:51 pm, Philip Parsons wrote: > I am also still having a bunch get through. .doc .zip .docm most of the > java script ones are not making in it. Hi Philip, If you zip up a few samples with a password: samp...@sanesecurity.me.uk -- Cheers, Steve Twitter:

Re: [clamav-users] CryLocker and Cryptolocker

2016-09-14 Thread Steve basford
On 14 September 2016 16:48:45 Alex wrote: Yes, I'm using all the third-party sigs, including sanesecurity, but they are still getting through. Hi Alex, What types are getting through JavaScript or docs etc. What dbs are you using ? Can you send some missed

Re: [clamav-users] (no subject)

2016-09-03 Thread Steve Basford
>LibClamaV Warning: fmap_readpage : preadfail : asked for 4085 >bytes@offset11, got 0 An old post but hopefully advice is still sound... http://www.gossamer-threads.com/lists/clamav/users/50788 Cheers, Steve Web : sanesecurity.com Blog: sanesecurity.blogspot.com Twitter: @sanesecurity

Re: [clamav-users] Understanding OLE2BlockMacros

2016-08-25 Thread Steve Basford
On Thu, August 25, 2016 9:20 pm, Dennis Peterson wrote: >> I think the issue is that he wants to block recognized viruses, but >> only mark heuristic matches. >> > That would be a scoring task in Amavisd. > Maybe... # [ qr'^Heuristics\.OLE2\.ContainsMacros' => 0.1 ], So, allocate a

Re: [clamav-users] Understanding OLE2BlockMacros

2016-08-25 Thread Steve Basford
> > Try this: > 1) Enable OLE2BlockMacros and restart clamd > 2) Use clamdscan to test your sample message and note the results > 3) Disable OLE2BlockMacros and restart clamd > 4) Use clamdscan to test your sample message again and note these results > > Something else... In amavisd-new there are

Re: [clamav-users] False negative.

2016-08-21 Thread Steve Basford
On Sun, August 21, 2016 5:02 pm, G.W. Haywood wrote: > Hi there, > > > I tried to submit this: > > > https://virusscan.jotti.org/en-GB/filescanjob/3fyvy4dcmm > > > using this: > > http://www.clamav.net/reports/malware > > > but my browser gets no response, just a blank page, after hitting >

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2016-08-16 Thread Steve basford
Try clamscan --debug 2>debug.log and I think that should show you a domain. Cheers, Steve Web: sanesecurity.com Blog: sanesecurity.blogspot.com Twitter: @sanesecurity On 16 August 2016 17:32:31 Alex wrote: Hi, I have a false-positive with

Re: [clamav-users] Sigtool parsing issues

2016-08-15 Thread Steve Basford
On Mon, August 15, 2016 4:25 pm, Jack wrote: > Great, thanks. Here is the output with '--debug': > > > LibClamAV debug: Initialized 0.99.2 engine > LibClamAV debug: in cli_ole2_extract() > LibClamAV debug: OLE2 magic failed! > LibClamAV debug: Cleaning up phishcheck > LibClamAV debug: Phishcheck

Re: [clamav-users] Sigtool parsing issues

2016-08-15 Thread Steve Basford
On Mon, August 15, 2016 3:50 pm, Jack wrote: > Hello, > > > > Can someone take a look and determine why there are passing issues? Hi Jack, add --debug on the end... eg... might give you a bit more info... sigtool --vba "287DD777DB20BE14F2DD0B9952BECF41.xxx" --debug LibClamAV debug: Initialized

Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Steve basford
This was on the blog YARA rules using any of the following features will be flagged in error, and the respective rules will be disabled: Single byte YARA string components – currently in the ClamAV matcher, all strings, as well as components of strings delimited by wild cards, must be

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread Steve Basford
On Thu, August 11, 2016 10:07 am, ancien compte wrote: > Also, the mirror clamav.securiteinfo.com not work, can't resolv it > That's an old 3rd party signature domain... it's been gone a while.. Latest download scripts here: http://sanesecurity.com/usage/linux-scripts/ Cheers, Steve Web :

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Steve Basford
On Wed, August 10, 2016 7:22 am, ANANT S ATHAVALE wrote: > Hi, > > > Most of the mails are marked with Win.Exploit.CVE_2016_3316-1. Is > this a false positive? Finally got it... blank LibreOffice.doc file... blank.doc: Win.Exploit.CVE_2016_3316-1 I've added a whitelist entry to

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Steve Basford
On Wed, August 10, 2016 10:52 am, Jan-Pieter Cornet wrote: > On 10-8-16 08:22, ANANT S ATHAVALE wrote: > >> Hi, >> >> >> Most of the mails are marked with Win.Exploit.CVE_2016_3316-1. Is >> this a false positive? > > Created a completely empty .doc file using LibreOffice on linux, and the >

Re: [clamav-users] Yara and base64 encoded body

2016-07-27 Thread Steve basford
Hi, If it helps, could you email the YARA rule and test email offlist and I'll have a quick look. I seem to remember hitting that issue. Cheers, Steve Web: sanesecurity.com Twitter: @sanesecurity On 27 July 2016 08:35:53 kionez wrote: Hi all, I'm using custom Yara

Re: [clamav-users] signature processing order

2016-05-24 Thread Steve Basford
On Tue, May 24, 2016 12:23 pm, Groach wrote: > Out of interest, what does it matter? Why is it important that an > official CLAM definition stops the virus before the 3rd party definition > stops the same virus (if they both have the same criteria)? Surely a goal > is a goal and it doesnt

Re: [clamav-users] ClamAV+exim: scanner finds not a single malware

2016-05-23 Thread Steve Basford
On Mon, May 23, 2016 2:33 pm, Michael D. L. wrote: > > > On 05/23/2016 02:44 PM, C.D. Cochrane wrote: > >> Hi Michael and Michael, >> You may want to look at sanesecurity[.]org. They have a supplemental >> ClamAV database that >> is supposed to be better at detecting the current scourge of

Re: [clamav-users] Synology DSM 4.2 support

2016-04-18 Thread Steve Basford
On Mon, April 18, 2016 7:44 am, Rene van der Linden wrote: > Antivirus Essential on Synology NAS with DSM 4.2 does not get any updates > anymore. Even de-installing and re-installing does not help. Message i get > DSM 4.2 came out 5 Mar 2013, can you update to a higher DSM, my nas has just

Re: [clamav-users] Block files based on their types

2016-04-18 Thread Steve Basford
On Mon, April 18, 2016 6:12 am, Kianoosh Kashefi wrote: > > > I was wondering if clamav has such feature to stop certain file types, > for example executable files even if they are not malware. Hi, You can use foxhole database(s) as a starting point and add more types if needed...

Re: [clamav-users] winnow FP

2016-04-14 Thread Steve Basford
On Thu, April 14, 2016 8:22 am, Paul Whelan wrote: > On 13 Apr 2016 at 11:20, Alex wrote: > > >> Hi, >> >> >> I don't understand why themastersbaker.com would be tagged? Quick update: FP has already been removed. Cheers, Steve Web : sanesecurity.com Blog: sanesecurity.blogspot.com Twitter:

Re: [clamav-users] zip, rar, jar, ... how to delete all exe's and others files?

2016-04-14 Thread Steve Basford
On Thu, April 14, 2016 7:48 am, Ливитин Сергей Юрьевич wrote: > Hi. > Use clamav + spamassassin + postfix. > Use /var/lib/archive.zmd and archive.rmd] > > Tried to sent exe-file in rar archive - clamd said "CLEAN" :( > Where is detailed documentation about possibilities of clamav? A few things:

Re: [clamav-users] Quick scan via command-line

2016-04-01 Thread Steve Basford
On Fri, April 1, 2016 2:19 am, Andrew Wright wrote: > Hi, > > > I'm trying to create a rescue Live USB with Fedora and ClamAV for > Windows > PCs. I've read this guide for speeding up ClamAV: > https://www.clamav.net/documents/how-to-speed-up-clamwin > > > But, specifically, how would you do

Re: [clamav-users] PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1

2016-03-31 Thread Steve Basford
On Thu, March 31, 2016 7:56 pm, Paul Kosinski wrote: > I disable Javascript in our PDF viewer. PostScript (which underlies > PDF) is a Turing-complete executable language, and even has a mechanism > to read and write files, so it could cause some trouble on its own. Good idea! For windows

Re: [clamav-users] Email.Phishing.DblDom-60 -- issue

2016-03-31 Thread Steve Basford
On Thu, March 31, 2016 4:01 pm, Alessandro Vesely wrote: > This was a false positive itself. I got: > Virus-Found: Email.Phishing.DblDom-53 > Sanesecurity.Phishing.Cur.744.UNOFFICIAL > Thanks for the FP report. Fixed Cheers, Steve Web : sanesecurity.com Blog: sanesecurity.blogspot.com Twitter:

Re: [clamav-users] PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1

2016-03-31 Thread Steve Basford
On Thu, March 31, 2016 2:33 pm, polloxx wrote: > Since the new Clamav database we have a lot more false positives for > PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1. > What can we do about this, except disabling PUA? Create a local.ign2 with the following lines:

Re: [clamav-users] no new signatures

2016-03-19 Thread Steve basford
On 18 March 2016 13:46:42 polloxx wrote: Dear, Since the migration we have no new >signatures: It's not your config, it's just that sig updates were put on hold on Friday. I would think it's wise to hold off updates until the team know all went well with the sig

Re: [clamav-users] no new signatures

2016-03-19 Thread Steve Basford
On Fri, March 18, 2016 2:05 pm, Helmut Hullen wrote: > Hallo, polloxx, > > > Du meintest am 18.03.16: > > >> Fri Mar 18 14:34:15 2016 -> ClamAV update process started at Fri Mar >> 18 14:34:15 2016 >> Fri Mar 18 14:34:15 2016 -> WARNING: Your ClamAV installation is >> OUTDATED! >> > > > So what -

Re: [clamav-users] javascript ZIP virus not caught?

2016-03-15 Thread Steve Basford
On Tue, March 15, 2016 4:25 am, Al Varnell wrote: >> Scanning these ZIP/.js viruses has a hit rate of about 35%. 35% of all >> antivirus packages will say they are viruses. For example running one >> through https://www.virustotal.com will say out of about 53 antivirus >> programs, 16 flag it

Re: [clamav-users] Filename Regex

2016-02-18 Thread Steve basford
On 18 February 2016 20:14:14 Mehmet Avcioglu wrote: For example I am able to use "^New.Doc.*" to match for "New Doc.xls" but "^New\sDoc.*" or "^New Doc.*" does not. > http://www.clamav.net/contact.html#ml If you look at foxhole databases it should give you an

Re: [clamav-users] BlackEnergy malware detection

2016-02-18 Thread Steve Basford
On Thu, February 18, 2016 12:37 pm, Volcy, Georges wrote: > Good Morning, > > > Does ClamAV detect the Blackenergy malware and is there any way for me to > verify it. Thanks, Just added Sanesecurity_BlackEnergy.yara to the Sanesecurity mirrors, if that's a help. It hit on a sample I downloaded.

[clamav-users] FP System

2016-02-16 Thread Steve Basford
"Houston, we have a problem" aka The FP reporting system is broken. Here's a windows file which is reporting... ieinstal.exe: Win.Trojan.Win64-226 FOUND I ran freshclam... freshclam ClamAV update process started at Tue Feb 16 09:00:52 2016 main.cld is up to date (version: 55, sigs: 2424225,

Re: [clamav-users] Win.Trojan.Ramnit FPs

2016-02-15 Thread Steve Basford
On Mon, February 15, 2016 11:22 am, Mark Allan wrote: > I'm still getting the email saying "your sample was empty", so I'm > posting here too. > > The Ramnit series of sigs is hitting a bunch of files which have been > resident on users' HDs and scanned as clean for many years. VT also > reports

Re: [clamav-users] Zip.Suspect.MacroDoubleExtension-zippwd false positive

2016-02-14 Thread Steve basford
Hi, Here's the entry for Zip.Suspect.MacroDoubleExtension-zippwd (?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[

Re: [clamav-users] clamscan doesn't have a BlockMacros option

2016-02-10 Thread Steve Basford
On Wed, February 10, 2016 9:05 am, David Shrimpton wrote: > Hi, > > > clamscan doesn't appear to have an option equivalent to the > OLE2BlockMacros in clamd.conf for clamdscan. > Hi David, Just for info... I've already logged a bugzilla entry to add that option to Clamscan here:

Re: [clamav-users] ScanOLE2 yes disables macro virus detection

2016-02-08 Thread Steve Basford
On Mon, February 8, 2016 3:48 pm, David Shrimpton wrote: > Hi Steve, > > > When I remove all my local database files problem goes away. > So problem appears to be in a local database. > Ah ok... > BAD_SIGNATURE.ldb.macro.19;Target:2;1;41747472;0:(0)/./ri For info, I've used this against my

Re: [clamav-users] ScanOLE2 yes disables macro virus detection

2016-02-08 Thread Steve Basford
On Sun, February 7, 2016 10:28 pm, David Shrimpton wrote: > > clamscan -z --scan-ole2=yes > > no signatures from badmacro are detected Can you do this and output the debug to a pastebin... (leave off -z) clamscan --scan-ole2=yes --debug I've tried to re-produce but can't. Cheers, Steve Web

Re: [clamav-users] False positives submitted but still viewed as viruses

2016-02-08 Thread Steve Basford
On Mon, February 8, 2016 1:27 pm, Klaas TJEBBES wrote: > Hi. > > > I've submitted several false positives but at the end of the submission > form I don't get any "submission-ID" so I cannot track my submissions. > > The files I've submitted (a week ago) are still detected as viruses. > Hi, If

Re: [clamav-users] New request created with ID: ##136## from Steve basford

2016-02-07 Thread Steve Basford
On Sun, February 7, 2016 9:08 am, Walter H. wrote: > On 04.02.2016 00:55, G <vuln-wa...@thefeeds.info> wrote: > /\ > invalid e-mail address No idea where the above header comes from, other than a "person" called "G" >> A new request with request

Re: [clamav-users] ScanOLE2 yes disables macro virus detection

2016-02-07 Thread Steve Basford
On Sun, February 7, 2016 8:30 am, David Shrimpton wrote: > Hi, > > > But most of the badmacro or other unofficial virus signatures written to > detect macro virus are written against the container itself which has the > compressed macro code in it. They are not written against the > uncompressed

Re: [clamav-users] Freshclam Non-repudiation

2016-01-29 Thread Steve Basford
On Thu, January 28, 2016 10:29 pm, Brad Scalio wrote: > Is there any integrity or authenticity checks within freshclam when it > connects to the clamAV servers to download the virus signature databases? Hi Brad, Just to cover 3rd Party (.UNOFFICIAL) signatures. Signatures produced by
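
Brad's question is about the official databases, and the archive cuts Steve's reply off before the 3rd-party part. For the official .cvd containers the check lives in the file itself: a 512-byte ASCII header (the fields sigtool --info reports) in front of a gzipped tar of the database files, carrying an MD5 of the body and a digital signature that libclamav verifies against a key built into it. The script below is an added example, not code from this thread or from the ClamAV project, and it reproduces only the MD5 part; the signature check is deliberately left out, so what it proves is integrity, not authenticity. The header layout is as I know it from sigtool output (field 9, the build time in seconds, is treated as optional), and the sample databases and builder name are constructed for the example.

```python
"""Offline integrity check of a ClamAV .cvd container from its 512-byte header.

Added example; not code from this thread or from the ClamAV project.
A .cvd is a space-padded ASCII header followed by a gzipped tar of the
database files. The header is colon separated:
  ClamAV-VDB:<build time>:<version>:<signatures>:<functionality level>:
             <MD5>:<digital signature>:<builder>[:<build time, epoch>]
(the build time writes '-' instead of ':' inside the clock value). The MD5
covers everything after the header. The digital-signature field is checked
by libclamav against a key compiled into it; that is not reproduced here,
so this shows integrity only, not authenticity.
"""
from __future__ import annotations

import hashlib
import hmac
import io
import tarfile

HEADER_LEN = 512

# Constructed sample databases, used when no file is given on the command line.
SAMPLE_DBS = {
    "local.hdb": b"d41d8cd98f00b204e9800998ecf8427e:0:Example.Empty\n",
    "local.ign2": b"Swf.Exploit.CVE_2015_7645\n",
}


def parse_cvd_header(data: bytes) -> dict:
    """Split the fixed-size header into named fields."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than a CVD header")
    fields = data[:HEADER_LEN].rstrip(b" \x00").decode("ascii").split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 8:
        raise ValueError("not a CVD header")
    return {
        "build_time": fields[1],
        "version": int(fields[2]),
        "sigs": int(fields[3]),
        "flevel": int(fields[4]),
        "md5": fields[5],
        "dsig": fields[6],
        "builder": fields[7],
    }


def verify_cvd_integrity(data: bytes) -> tuple[bool, dict]:
    """Return (body MD5 matches header, parsed header).

    Integrity only: whoever rewrites the body can recompute this field, so a
    match says the download was not corrupted, not that it came from ClamAV.
    """
    hdr = parse_cvd_header(data)
    actual = hashlib.md5(data[HEADER_LEN:]).hexdigest()
    return hmac.compare_digest(actual, hdr["md5"]), hdr


def list_databases(data: bytes) -> list[str]:
    """Names of the files inside the container (what sigtool --unpack writes out)."""
    with tarfile.open(fileobj=io.BytesIO(data[HEADER_LEN:]), mode="r:gz") as tar:
        return sorted(m.name for m in tar.getmembers() if m.isfile())


def build_test_cvd(db_files: dict, version: int = 1) -> bytes:
    """Build a constructed .cvd (no real digital signature) for testing."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in db_files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    body = buf.getvalue()
    sigs = sum(len(c.splitlines()) for c in db_files.values())
    header = (f"ClamAV-VDB:01 Jan 2016 00-00 +0000:{version}:{sigs}:60:"
              f"{hashlib.md5(body).hexdigest()}:(none):example:1451606400")
    return header.encode("ascii").ljust(HEADER_LEN, b" ") + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # e.g. /var/lib/clamav/daily.cvd
            data = fh.read()
    else:
        data = build_test_cvd(SAMPLE_DBS, version=7)
    ok, hdr = verify_cvd_integrity(data)
    print(f"{hdr['builder']} v{hdr['version']}, {hdr['sigs']} sigs, "
          f"flevel {hdr['flevel']}: md5 {'OK' if ok else 'MISMATCH'}")
    print("contains:", ", ".join(list_databases(data)))
```

Run it against daily.cvd to see the header fields and the MD5 result; a body flipped by a bad mirror or proxy shows up as MISMATCH, while a body rebuilt by an attacker with a fresh MD5 passes, which is exactly why the dsig field, not the MD5, is the part that answers the "authenticity" half of the question.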

Re: [clamav-users] SaneSecurity SpearL signatures

2016-01-27 Thread Steve Basford
On Tue, January 26, 2016 4:21 pm, Ian Eiloart wrote: > 3. If 'yes' to either, is it possible to prevent this in order to make it > easier to investigate problems? > As there's been no post regarding the FP's on the Sanesecurity list, I thought I'd publicly update here... (sorry folks) a) The

Re: [clamav-users] Tooooo sloooooooow startup clamd on Solaris SPARC

2016-01-27 Thread Steve Basford
On Wed, January 27, 2016 10:30 am, Yuri Voinov wrote: > Hi gents, > > > I found one issue. On SPARC server (4 CPU SPARC-IV+, 16 Gb RAM, two 15k > RPM disks) clamd starts very slow: > Wed Jan 27 16:23:05 2016 -> Reading databases from /var/lib/clamav > Wed Jan 27 16:23:05 2016 -> Not loading PUA

Re: [clamav-users] Clamav cannot detect a malware using a signature based on html comment

2016-01-26 Thread Steve Basford
On Tue, January 26, 2016 11:54 am, Arnaud Jacques / SecuriteInfo.com wrote: > Hello Steve, > > >> I've seen the same sometimes I've had to end up using type 0, >> instead of 3/4/7 which isn't ideal. > > Even with filetype 0 this doesn't match : Hi Arnaud, Can you attach a sample... see if I
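
The local signature David posted in the ScanOLE2 thread above (BAD_SIGNATURE.ldb.macro.19;Target:2;1;41747472;0:(0)/./ri, cut off in the archive) and the Target type 0 versus 3/4/7 remark in this thread both come down to reading the .ldb layout: Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;... Below is an added example, not code from either thread and not ClamAV code, that decomposes such a signature in Python and evaluates it against a buffer. The sample signature Test.Macro.AutoOpen and the sample VBA text are constructed; the matcher is a simplification of libclamav's (offsets are recorded but not enforced, match-count comparisons are not implemented, ClamAV-only PCRE flags such as r are ignored). It also makes the container-versus-decompressed-code point from the ScanOLE2 thread concrete: the matcher only ever sees the bytes you hand it, so a signature written for the decompressed macro text does nothing against the compressed stream, and vice versa.

```python
"""Decompose a ClamAV .ldb logical signature and evaluate it against a buffer.

Added example, not code from these threads or from ClamAV. Covers the subset
of the format visible in the threads:
  Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;...
  - hex subsigs such as 41747472 ('Attr'), with '??' single-byte wildcards
  - PCRE subsigs of the form [offset:]Trigger/regex/flags
  - logical expressions of subsig indices with '&', '|' and parentheses
Offsets are recorded but not enforced, match-count comparisons (e.g. 0>3)
and other wildcards are not implemented, and ClamAV-only PCRE flags (r, e,
g, ...) are ignored. The sample signature and buffers are constructed.
"""
from __future__ import annotations

import re

LOGIC_ALLOWED = re.compile(r"^[0-9()&|]+$")
PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def _hex_to_regex(body: str) -> re.Pattern:
    """Compile a ClamAV hex string into a bytes regex ('??' becomes any byte)."""
    if len(body) % 2:
        raise ValueError(f"odd-length hex subsig: {body}")
    parts = []
    for i in range(0, len(body), 2):
        pair = body[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def _parse_subsig(raw: str) -> dict:
    """Classify one subsignature as hex or PCRE and compile its matcher."""
    offset = None
    slash, colon = raw.find("/"), raw.find(":")
    if colon != -1 and (slash == -1 or colon < slash):      # leading 'offset:'
        offset, raw = raw[:colon], raw[colon + 1:]
    if "/" in raw:                                           # Trigger/regex/flags
        trigger, rest = raw.split("/", 1)
        regex, flags = rest.rsplit("/", 1)
        if not LOGIC_ALLOWED.match(trigger):
            raise ValueError(f"unsupported trigger: {trigger}")
        re_flags = 0
        for f in flags:
            re_flags |= PCRE_FLAGS.get(f, 0)                 # unknown flags ignored
        return {"type": "pcre", "offset": offset, "trigger": trigger,
                "regex": re.compile(regex.encode(), re_flags)}
    return {"type": "hex", "offset": offset, "regex": _hex_to_regex(raw)}


def parse_ldb(line: str) -> dict:
    """Split an .ldb line into name, target description block, logic and subsigs."""
    name, tdb, logic, *subsigs = line.strip().split(";")
    if not LOGIC_ALLOWED.match(logic):
        raise ValueError(f"unsupported logical expression: {logic}")
    # 'Target:2,Engine:81-255' -> {'Target': '2', 'Engine': '81-255'}
    target = dict(kv.partition(":")[::2] for kv in tdb.split(",") if kv)
    return {"name": name, "target": target, "logic": logic,
            "subsigs": [_parse_subsig(s) for s in subsigs]}


def _eval_logic(expr: str, matched: list[bool]) -> bool:
    """Evaluate '0&(1|2)'-style expressions; expr is whitelisted before eval."""
    if not LOGIC_ALLOWED.match(expr):
        raise ValueError(f"unsupported logical expression: {expr}")
    py = re.sub(r"\d+", lambda m: f"matched[{m.group(0)}]", expr)
    py = py.replace("&", " and ").replace("|", " or ")
    return bool(eval(py, {"__builtins__": {}}, {"matched": matched}))


def match_ldb(sig: dict, data: bytes) -> bool:
    """True if the signature's logical expression holds over data."""
    matched: list[bool] = []
    for sub in sig["subsigs"]:
        hit = sub["regex"].search(data) is not None
        if sub["type"] == "pcre":   # a PCRE subsig only counts once its trigger holds
            hit = hit and _eval_logic(sub["trigger"], matched)
        matched.append(hit)
    return _eval_logic(sig["logic"], matched)


# Constructed sample: 'Attr' (as in 'Attribute VB_Name') AND a case-insensitive
# AutoOpen, where the PCRE subsig is only evaluated once subsig 0 has matched.
SAMPLE_SIG = "Test.Macro.AutoOpen;Target:2,Engine:81-255;0&1;41747472;(0)/auto_?open/i"
DECOMPRESSED_VBA = (b'Attribute VB_Name = "Module1"\r\n'
                    b'Sub AutoOpen()\r\n    Shell "calc.exe"\r\nEnd Sub\r\n')

if __name__ == "__main__":
    sig = parse_ldb(SAMPLE_SIG)
    print(sig["name"], sig["target"], sig["logic"], [s["type"] for s in sig["subsigs"]])
    print("decompressed VBA:", match_ldb(sig, DECOMPRESSED_VBA))
    print("missing 'Attr':", match_ldb(sig, b"Sub AutoOpen()\r\n"))
```

Feed it the bytes clamscan would actually see for the Target type you chose (the raw container for type 0, the decompressed VBA module for what the OLE2 code path hands to the matcher) and you can tell quickly whether a signature fails because of its logic or because it was written against the wrong representation of the file.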

Re: [clamav-users] SaneSecurity SpearL signatures

2016-01-26 Thread Steve Basford
On Tue, January 26, 2016 4:21 pm, Ian Eiloart wrote: > Hi, > > > I had a spate of reports about an FP in the SaneSecurity SpearL list. It > included a URL that’s attached by MessaageLabs when it scans outbound > mail from the University of Brighton (which is just over the road from > us). Hi

Re: [clamav-users] Virus-Datebase-Updates?

2016-01-17 Thread Steve basford
Hi Walter, Could you post a hash or two or maybe a Virustotal link to one of the Submitted ones. Cheers, Steve Web: sanesecurity.com Blog: sanesecurity.blogspot.com On 18 January 2016 04:46:07 "Walter H." wrote: Hello, I want an explanation, why not adding?

Re: [clamav-users] crdf threatcenter

2015-12-30 Thread Steve Basford
On Wed, December 30, 2015 7:27 pm, sebast...@debianfan.de wrote: > Hi @all, > > > does anybody know, whats up with the crdf threatcenter ? > > I am not able to download the crdfam.clamav.hdb database. > Hi Sebastian, I tweeted them a few days ago, they said they were having a few issues and

Re: [clamav-users] Detection in windows but not Linux

2015-12-13 Thread Steve Basford
On Sun, December 13, 2015 2:25 am, Kurt Fitzner wrote: > > The file is definitely malware - it was injected through a WordPress > vulnerability. I have a virus scan that runs hourly on my wordpress folder > just for that reason, but this one slipped through the cracks. I want to > find out what

[clamav-users] Sanesecurity news: Scripts 0.99

2015-12-04 Thread Steve Basford
Just in case anyone isn't subscribed to the Sanesecurity list, a re-post of download script news for 0.99 and Yara: http://www.freelists.org/post/sanesecurity/Sanesecurity-News Cheers, Steve Web : sanesecurity.com Blog: sanesecurity.blogspot.com

Re: [clamav-users] mail follow url

2015-11-26 Thread Steve Basford
On Thu, November 26, 2015 4:00 pm, polloxx wrote: > In http://www.clamav.net/documents/installing-clamav#requirements I read: > > > Optional: > > > GMP: for digital signatures > *cURL: for mail follow url* > > > > Does this mean that clamav scans URL's in mails? Hi, It *used* to a long time

Re: [clamav-users] mail follow url

2015-11-26 Thread Steve Basford
On Thu, November 26, 2015 4:00 pm, polloxx wrote: > In http://www.clamav.net/documents/installing-clamav#requirements I read: > > > Optional: > > > GMP: for digital signatures > *cURL: for mail follow url* > > > > Does this mean that clamav scans URL's in mails? > Thu Aug 6 22:26:30 CEST 2009

Re: [clamav-users] handling multiple hits on CVE-2015-7645?

2015-11-22 Thread Steve basford
Create a localfp.ign2 file with the following line in it in your ClamAV database folder: Swf.Exploit.CVE_2015_7645 Restart clamd Hopefully the FP will be officially fixed soon. Cheers, Steve Web: sanesecurity.com Blog: sanesecurity.blogspot.com On 22 November 2015 12:52:04 "Orrick,
