The script I use has a bit more finesse than this simple overview. I use a
randomizer to prevent this process from running at the same minute past
the hour
Note there's a *tiny* chance that if the script runs at 10.07 and then 11.03,
you'll get a temp block for an hour from some of the mirrors,
At 8:42 AM +0100 10/16/09, Steve Basford wrote:
The script I use has a bit more finesse than this simple overview. I use a
randomizer to prevent this process from running at the same minute past
the hour
Note there's a *tiny* chance if the script runs at 10.07 and then 11.03,
you'll get
Tom Shaw wrote:
Just to clarify, winnow_malware.hdb is designed to detect malware
payloads. Thus, it is effective in an email system only when the payload
is attached (such as a dropper, etc.). It is also very effective when
used in file system/download checking scenarios.
Thanks to Dennis
16.10.2009 10:42, Steve Basford kirjoitti:
I'd use:
phish.ndb
rougue.hdb
winnow_malware_links.ndb
winnow_malware.hdb
Thanks, I have implemented these now with SaneSecurity Script 1.
--
http://www.iki.fi/jarif/
Alas, how love can trifle with itself!
-- William
Steve Basford wrote:
The script I use has a bit more finesse than this simple overview. I use a
randomizer to prevent this process from running at the same minute past
the hour
Note there's a *tiny* chance that if the script runs at 10.07 and then 11.03,
you'll get a temp block for an hour from some
Tom Shaw wrote:
Just to clarify, winnow_malware.hdb is designed to detect malware
payloads. Thus, it is effective in an email system only when the
payload is attached (such as a dropper, etc.). It is also very
effective when used in file system/download checking scenarios.
Thanks to Dennis
Tom Shaw wrote:
If you submit a file to virus-samp...@oitc.com I'll process it for
winnow_malware.hdb and at the same time send it to the ClamAV malware
signature team and virustotal to check if others can detect.
If you submit a url to malware to virus-samp...@oitc.com I'll download
the
Tom Shaw wrote:
If you submit a file to virus-samp...@oitc.com I'll process it for
winnow_malware.hdb and at the same time send it to the ClamAV
malware signature team and virustotal to check if others can detect.
If you submit a url to malware to virus-samp...@oitc.com
I'll download the
Tom Shaw wrote:
Tom Shaw wrote:
If you submit a file to virus-samp...@oitc.com I'll process it for
winnow_malware.hdb and at the same time send it to the ClamAV malware
signature team and virustotal to check if others can detect.
If you submit a url to malware to virus-samp...@oitc.com
Tom Shaw wrote:
As long as you don't obfuscate the url my scripts will isolate the url
or the attached malware and process.
Nice! Can I send one URL per line? I have 20 undetected viruses.
--
---
Jose Marcio MARTINS DA CRUZ
At 8:14 AM -0700 10/16/09, Dennis Peterson wrote:
Tom Shaw wrote:
Tom Shaw wrote:
If you submit a file to virus-samp...@oitc.com I'll process it
for winnow_malware.hdb and at the same time send it to the ClamAV
malware signature team and virustotal to check if others can
detect.
If you
At 5:21 PM +0200 10/16/09, Jose-Marcio Martins da Cruz wrote:
Tom Shaw wrote:
As long as you don't obfuscate the url my scripts will isolate the
url or the attached malware and process.
Nice! Can I send one URL per line? I have 20 undetected viruses.
Yes it strips out all urls just don't
Tom Shaw wrote:
At 5:21 PM +0200 10/16/09, Jose-Marcio Martins da Cruz wrote:
Tom Shaw wrote:
Yes, it strips out all urls, just don't send with a signature that
contains your home url or else it will get processed. Hopefully it will
not return malware, so it will be discarded as dead. ;-)
I am interested in Tom's list of unofficial signatures, but haven't
found the recommended way to use the signatures. Do I need to download
them periodically, or do I just add an additional freshclam
DataBaseMirror directive? In either case, exactly what is the url to
download from, or to
At 10:18 AM +0100 10/15/09, Steve Basford wrote:
I am interested in Tom's list of unofficial signatures, but haven't
found the recommended way to use the signatures. Do I need to download
them periodically, or do I just add an additional freshclam
DataBaseMirror directive? In either case
15.10.2009 14:55, Tom Shaw kirjoitti:
The samples I have of that one are being detected by ClamAV standard
sigs as Trojan.Peed-477. Wonder why you and some others didn't detect it
with standard sigs? Could this be a problem? Do you have samples that
were undetectable?
Tom
Undetected
Steve,
The samples I have of that one are being detected by ClamAV standard
sigs as Trojan.Peed-477. Wonder why you and some others didn't detect
it with standard sigs? Could this be a problem? Do you have samples
that were undetectable?
Not sure Tom... here's a quick test...
Official
Undetected Outlook Express malware:
h t t p :/ / www.iki.fi/jarif/malware/install.zip
That's one of 'em:
Sanesecurity.Rogue.736.UNOFFICIAL
Cheers,
Steve
Sanesecurity
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
Undetected IRS scam variant.
http://www.iki.fi/jarif/malware/tax-statement.exe
--
http://www.iki.fi/jarif/
A classic is something that everyone wants to have read
and nobody wants to read.
-- Mark Twain, The Disappearance of Literature
At 1:23 PM +0100 10/15/09, Steve Basford wrote:
Undetected Outlook Express malware:
h t t p :/ / www.iki.fi/jarif/malware/install.zip
That's one of 'em:
Sanesecurity.Rogue.736.UNOFFICIAL
Well, that one didn't get detected by standard ClamAV. Must be running
multiple payloads
That one
At 3:14 PM +0300 10/15/09, Jari Fredriksson wrote:
15.10.2009 14:55, Tom Shaw kirjoitti:
The samples I have of that one are being
At 4:30 PM +0300 10/15/09, Jari Fredriksson wrote:
Undetected IRS scam variant.
http://www.iki.fi/jarif/malware/tax-statement.exe
--
15.10.2009 16:47, Tom Shaw kirjoitti:
At 4:30 PM +0300 10/15/09, Jari Fredriksson wrote:
Undetected IRS scam variant.
At 1:23 PM +0100 10/15/09, Steve Basford wrote:
Undetected Outlook Express malware:
h t t p :/ / www.iki.fi/jarif/malware/install.zip
That's one of 'em:
Sanesecurity.Rogue.736.UNOFFICIAL
FYI, official ClamAV sigs now detect it as Trojan.Inject-2443. I just
noticed that my
Does ClamAV somehow dedicate to email format (base64), or how is it
possible that it does not recognise this
http://www.iki.fi/jarif/malware/FILE_UPS_c380a16.zip
That's a UPS fraud, W32/Bredolab.D.gen!Eldorado by F-Prot.
--
http://www.iki.fi/jarif/
An exotic journey in downtown Newark is in
15.10.2009 17:24, Jari Fredriksson kirjoitti:
Does ClamAV somehow dedicate to email format (base64), or how is it
possible that it does not recognise this
http://www.iki.fi/jarif/malware/FILE_UPS_c380a16.zip
That's a UPS fraud, W32/Bredolab.D.gen!Eldorado by F-Prot.
Uh. The point was
At 5:24 PM +0300 10/15/09, Jari Fredriksson wrote:
Does ClamAV somehow dedicate to email format (base64), or how is it
possible that it
Richard Chapman wrote:
I am interested in Tom's list of unofficial signatures, but haven't
found the recommended way to use the signatures. Do I need to download
them periodically, or do I just add an additional freshclam
DataBaseMirror directive? In either case, exactly what is the url to
Hello Tom,
Tom Shaw wrote:
Jose,
If you use the unofficial signatures it might help you. See
http://www.sanesecurity.co.uk/databases.htm
One of my signatures, winnow_malware.hdb, detects numerous (over 3000 at
present) malware that are not yet detected in stock ClamAV sigs. The
current
On Wednesday 14 October 2009 12:49:47 am Jose-Marcio Martins da Cruz wrote:
Hello Tom,
Tom Shaw wrote:
Jose,
If you use the unofficial signatures it might help you. See
http://www.sanesecurity.co.uk/databases.htm
I'll integrate winnow_malware.hdb.
Is there a good tutorial somewhere
upscope wrote:
On Wednesday 14 October 2009 12:49:47 am Jose-Marcio Martins da Cruz wrote:
Hello Tom,
Tom Shaw wrote:
Jose,
If you use the unofficial signatures it might help you. See
http://www.sanesecurity.co.uk/databases.htm
I'll integrate winnow_malware.hdb.
Hello,
I have 49 viruses (2 kinds only) received at our mailserver last night
which weren't detected by ClamAV, but are detected by most other
antivirus engines available at www.virustotal.com
The names of the viruses, as detected by Sophos, are SophoMal/Bredo-A
(detected by 16/41) and Troj/Agent-LKL
Hi there,
On Tue, 13 Oct 2009 Jose-Marcio Martins da Cruz wrote:
I have 49 viruses (2 kinds only) ... weren't detected by ClamAV
... surely variants of viruses already detected by ClamAV. ...
As long as this happens nearly every day since a week ago, it's
becoming annoying.
Check the
G.W. Haywood wrote:
Hi there,
Check the documentation on how to add your own signatures.
That way, it won't annoy you so much when you have to wait for people,
who already have too much work to do, to do some work for you. :)
Are you talking for yourself or on behalf of the ClamAV team?
At 10:28 AM +0200 10/13/09, Jose-Marcio Martins da Cruz wrote:
Hello,
I have 49 viruses (2 kinds only) received at our mailserver last night
which weren't detected by ClamAV, but are detected by most other
antivirus engines available at www.virustotal.com
The names of the viruses, as detected by Sophos