Dan,
You can use sigtool:
#sigtool --find-sigs Pdf.Phishing.CWS4c384287-9890237-0 | sigtool --decode-sigs
Looks like a cmap definition, so a definition of character sets to Unicode.
Could definitely be a false positive, send samples to
https://www.clamav.net/reports/fp
Sincerely,
Guys,
Found the file causing the issue.
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/blob/master/tests/test-images/gif-test-suite/max-width.gif
Sincerely,
Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
-Original Message-
From: clamav-users On Behalf Of Orion Poplawski via clamav-users
If you didn't know, Google is now blocking any emails with a bit dot ly
links in the body.
Sadly, they don't block outbound, but 421 on inbound return emails.
I was wondering what your opinion would be to add a custom signature
blocking the links with ClamAV, as our system is set to notify
Robert,
> From: clamav-users On Behalf Of
> Robert Kudyba
> Sent: Tuesday, April 13, 2021 10:40 AM
> To: ClamAV users ML
> Cc: G.W. Haywood
> Subject: Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain...
>
> I'm seeing a FP from a Delta Airlines email.
>
> Also, with clamav-milter
Matus,
I noticed no one emailed you back.
I personally would just use a yara regex if needed, but I would definitely
test first with just yara to make sure there aren't too many false positives.
If you've never created a yara file, it's just really a regex.
Searching on Google, as there may be
Just a heads up. I noticed a bunch of American Express Statements in our
quarantine.
My guess is because they are using m.amex and go.amex links in the emails.
DKIM and SPF pass so these definitely seem to be legit AMEX emails.
From address is "American Express"
Sincerely,
Eric Tykwinski
Here's the signature decoded:
# sigtool --find-sig Urlhaus.Malware.452652-9766253-0 | sigtool --decode-sig
VIRUS NAME: Urlhaus.Malware.452652-9766253-0
FUNCTIONALITY LEVEL: >=48
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/
Sincerely,
Joel,
> I pretty much disagree with this. 90% or greater of what is sent into
> http://clamav.net is covered in less than 24 hours, and to a much greater
> degree. We don’t aim to cover just the sample you sent in, we cover all
> the variants of that sample at the time, if possible.
I
Sorry to bother, but do you guys want raw emails or just the payload Word
Docs?
I just sent payloads, since they are real emails with responses and a virus
attached.
I can however scrub the raws and send a few of those as well.
Sincerely,
Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
I'm going to start posting a few to https://www.clamav.net/reports/malware
Sincerely,
Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
___
clamav-users mailing list
clamav-users@lists.clamav.net
Sorry just noticed the last line. If you want to use check, you’ll need to
install it.
#brew install check
After that, it should build fine...
From: clamav-users On Behalf Of eric-l...@truenet.com
Sent: Wednesday, November 11, 2020 3:57 PM
To: 'ClamAV users ML'
Subject: Re:
Wayne,
Since it looks like you are using homebrew, why not just install that:
eric@Erics-Mac-Pro ~ % brew info clamav
clamav: stable 0.103.0 (bottled), HEAD
Anti-virus software
https://www.clamav.net/
/usr/local/Cellar/clamav/0.103.0 (62 files, 448.2MB) *
Poured from bottle on
I agree with Ged on scanning a Docker registry, what I would be more worried
about is software versions especially when pulling from something like
Docker Hub.
I've personally started playing around with VMware's integrated containers
which do vulnerability scans, but I'm sure there's probably
Micah,
In all reality, most people doing it for a large number of Apple computers will
probably be running something like Jamf.
That comes with its own pkg builder, Composer, and uses a self-signed
certificate trusted by the company.
Having you guys build packages would really only be good
Probably not relevant too much to the list, but you'll need a developer
certificate, and check out pkgbuild from Xcode.
Sincerely,
Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
-Original Message-
From: clamav-users On Behalf Of Emil via clamav-users
Sent: Thursday, September 24, 2020
Ged,
> Hi Eric,
>
> > On Tue, 22 Sep 2020, Eric Tykwinski wrote:
> >
> >> I started writing my own, but of course I'm not catching them all.
> >
> > If you could let me have some samples (complete messages) I could take
> > a look to see what I can do with my milter. If you agree I'd let you
>
I started writing my own, but of course I'm not catching them all.
Example of my YARA file is here: https://pastebin.com/MKTbKiNX
If anyone is willing to share a more comprehensive rule I would appreciate
it.
Sincerely,
Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
> From: clamav-users On Behalf Of Micah Snyder (micasnyd) via clamav-users
> Sent: Monday, August 31, 2020 2:15 PM
> To: ClamAV users ML
> Cc: Micah Snyder (micasnyd)
> Subject: Re: [clamav-users] Is ClamAV On-Access Scanning model applied on Windows?
>
> Hi Jack,
>
> Sorry to say On-Access