Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-06-03 Thread Jason J. W. Williams
That's unfortunate. Given the magnitude of the change I would've expected them to be very attentive to the list, post deployment. -J On Thu, Mar 17, 2016 at 1:23 PM, Al Varnell wrote: > No. I'm sure they are trying to recover from this week's activities and > rarely have

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-19 Thread Helmut Hullen
Hello, Matus, you wrote on 19.05.16: >>> your clamav was built without pcre support. You have to compile a >>> new binary >> Sorry - no. Configuring with "--disable_pcre" doesn't change this >> behaviour. > of course DISABLING does NOT help, you need to ENABLE it. > the whole problem comes

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-19 Thread Matus UHLAR - fantomas
LibClamAV Warning: cli_loadldb: logical signature for Win.Trojan.ssid18332-1 uses PCREs but support is disabled, skipping LibClamAV Warning: cli_loadldb: logical signature for Win.Ransomware.Locky-4 uses PCREs but support is disabled, skipping LibClamAV Warning: cli_loadldb: logical signature for

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-19 Thread Helmut Hullen
Hello, Andreas, you wrote on 19.05.16: >> LibClamAV Warning: cli_loadldb: logical signature for >> Win.Trojan.ssid18332-1 uses PCREs but support is disabled, skipping >> LibClamAV Warning: cli_loadldb: logical signature for >> Win.Ransomware.Locky-4 uses PCREs but support is disabled, skipping

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-18 Thread Andreas Schulze
On 18.05.2016 at 06:27, Helmut Hullen wrote: > LibClamAV Warning: cli_loadldb: logical signature for Win.Trojan.ssid18332-1 > uses PCREs but support is disabled, skipping > LibClamAV Warning: cli_loadldb: logical signature for Win.Ransomware.Locky-4 > uses PCREs but support is disabled,

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Helmut Hullen
Hello, Jason, you wrote on 17.05.16: >> You should see these lines within your debug output: >> >> ... >> LibClamAV debug: daily.ign2 loaded >> ... >> LibClamAV debug: /var/lib/clamav/daily.cld loaded >> ... >> LibClamAV debug: Ignoring signature Win.Trojan.Trojan-605 >> ... >> LibClamAV

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Jason J. W. Williams
Hi Dave, Thanks. I don't see any issues with it loading the daily.cld. I'm going to wipe it out and let Freshclam reload it and the ign. -J On Tue, May 17, 2016 at 2:02 PM, David Raynor wrote: > If you run clamscan with "--debug" it will tell you which files it is >

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread David Raynor
If you run clamscan with "--debug" it will tell you which files it is loading, even the files inside a cvd or cld file. It will also remark about which signatures it skips when loading. You should see these lines within your debug output: ... LibClamAV debug: daily.ign2 loaded ... LibClamAV

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Jason J. W. Williams
Yessir: # sigtool -u /var/lib/clamav/daily.cld # grep -i 'Win.Trojan.Trojan-605' daily.ign main:42:Win.Trojan.Trojan-605 On Tue, May 17, 2016 at 1:25 PM, Alain Zidouemba wrote: > $ sigtool -u /usr/local/share/clamav/daily.cld > > $ grep -i 'Win.Trojan.Trojan-605'

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Alain Zidouemba
$ sigtool -u /usr/local/share/clamav/daily.cld $ grep -i 'Win.Trojan.Trojan-605' daily.ign main:42:Win.Trojan.Trojan-605 Same on your end? - Alain On Tue, May 17, 2016 at 4:22 PM, Jason J. W. Williams < jasonjwwilli...@gmail.com> wrote: > We do. > > -J > > On Tue, May 17, 2016 at 1:13 PM,

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Jason J. W. Williams
We do. -J On Tue, May 17, 2016 at 1:13 PM, Alain Zidouemba wrote: > Jason: > > Do you have both main.cvd and daily.cvd? Win.Trojan.Trojan-605 was > dropped several weeks ago, but would only be reflected in your installation > if you have both main.cvd and

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Alain Zidouemba
Jason: Do you have both main.cvd and daily.cvd? Win.Trojan.Trojan-605 was dropped several weeks ago, but would only be reflected in your installation if you have both main.cvd and daily.cvd. Please confirm. Thanks, - Alain On Tue, May 17, 2016 at 4:11 PM, Jason J. W. Williams <

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Jason J. W. Williams
No ClamAV 0.98.7. -J On Mon, May 16, 2016 at 11:25 PM, Al Varnell wrote: > I’m unable to replicate your findings: > > ~/Downloads/2016-05-16/eicar.txt: Eicar-Test-Signature FOUND > > Taking a look at the current daily.cld I see entries in both ignore > sections: > >

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Al Varnell
I’m unable to replicate your findings: ~/Downloads/2016-05-16/eicar.txt: Eicar-Test-Signature FOUND Taking a look at the current daily.cld I see entries in both ignore sections:

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-16 Thread Jason J. W. Williams
Looks like EICAR is getting classified as Win.Trojan.Trojan-605 again (daily 21557). https://gist.github.com/williamsjj/b8104402e80f44475df5 -J On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell wrote: > The new database was just made available, so I recommend you hold off > until

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-20 Thread Mark Allan
Just to confirm, I'm also seeing everything being flagged as Win.Trojan.Trojan-476 with the new main/daily.cvd files. Mark > On 17 Mar 2016, at 6:49 am, Al Varnell wrote: > > I just ran a scan against the ClamAV test files contained in the 0.99.1 > source file and I’m

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-20 Thread Al Varnell
The new database was just made available, so I recommend you hold off until you have the new main.cvd v57 and daily.cvd v21466 before getting too excited about this. -Al- On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote: > > As of the latest daily update, running ClamAV against

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Jason J. W. Williams
Does anyone that's chimed in work on the signatures team? -J On Thu, Mar 17, 2016 at 10:31 AM, Al Varnell wrote: > There have not been any additional updates released yet, so nothing could > have changed. > > -Al- > > On Thu, Mar 17, 2016 at 10:25 AM, Jason Williams wrote: >

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Dennis Peterson
sigtool --unpack=main.cvd rm -f main.cvd grep EICAR main.* main.hdb:44d88612fea8a8f36de82e1278abb02f:68:Win.Test.EICAR_HDB-1 main.hsb:275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f:68:Win.Test.EICAR_HSB-1 main.mdb:45056:3ea7d00dedd30bcdf46191358c36ffa4:Win.Test.EICAR_MDB-1

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Jason Williams
Is anyone still seeing this or have they fixed it? -J Sent via iPhone > On Mar 17, 2016, at 02:44, Mark Allan wrote: > > Just to confirm, I'm also seeing everything being flagged as > Win.Trojan.Trojan-476 with the new main/daily.cvd files. > > Mark > >> On 17 Mar

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Al Varnell
Disregard, I found it here after they got the new main.cvd: I’ll

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Al Varnell
There have not been any additional updates released yet, so nothing could have changed. -Al- On Thu, Mar 17, 2016 at 10:25 AM, Jason Williams wrote: > > Is anyone still seeing this or have they fixed it? > > -J > > Sent via iPhone > >> On Mar 17, 2016, at 02:44, Mark Allan

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Dennis Peterson
We're not yet sure if it's broken or a result of renaming signatures. dp On 3/17/16 10:25 AM, Jason Williams wrote: Is anyone still seeing this or have they fixed it? -J Sent via iPhone On Mar 17, 2016, at 02:44, Mark Allan wrote: Just to confirm, I'm also seeing

[clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Jason J. W. Williams
As of the latest daily update, running ClamAV against the EICAR test string reports Win.Trojan.Trojan-605 instead of Eicar-Test-Signature. -J ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Jason J. W. Williams
Thanks. Hopefully it'll sync up soon. I'm getting weird download errors out of freshclam: WARNING: getfile: Error while reading database from db.local.clamav.net (IP: 200.236.31.1): Operation now in progress WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Al Varnell
I just ran a scan against the ClamAV test files contained in the 0.99.1 source file and I’m getting all Win.Trojan.Trojan-476: File Name Infection Name Status /Users/avarnell/Desktop/•Download/clamav-0.99.1/unit_tests/clam-phish-exe Win.Trojan.Trojan-476

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Jason J. W. Williams
Pulled down 21466 (and force restarted clamd) but it's still classifying EICAR as Win.Trojan.Trojan: https://gist.github.com/williamsjj/b8104402e80f44475df5 Databases are up to date now: main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer) Empty script

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Jason Williams
Hey Al, I submitted a FP report with one attached. Just put the EICAR string into a txt file and that'll trigger it. -J Sent via iPhone > On Mar 16, 2016, at 22:16, Al Varnell wrote: > > I don’t know why sanesecurity-porcupine.ndb is causing this, but I can now > see

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Jason J. W. Williams
Culprit seems to be sanesecurity-porcupine.ndb ( http://sanesecurity.com/usage/signatures/). Moving it out causes Win.Test.EICAR_NDB-1 FOUND to be found, moving it back in triggers the Win.Trojan.Trojan-605 FP. Since the Win.Trojan.Trojan sig isn't in the DB I'm not sure why that is. -J On Wed,

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-18 Thread Jason J. W. Williams
Yeah, the sanesecurity sigs. Moving them out causes Win.Test.EICAR_NDB-1 FOUND to be found. Which I assume is the new name. Not sure why the update is suddenly causing the SaneSecurity sigs to get checked first. I'll track it down. -J On Wed, Mar 16, 2016 at 9:32 PM, Al Varnell

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-18 Thread Al Varnell
I don’t know why sanesecurity-porcupine.ndb is causing this, but I can now see that the signatures for Win.Test.EICAR_LDB-1 and Win.Trojan.Trojan-605 are identical, so this is an FP situation which would be reported.

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-18 Thread Al Varnell
I’m still looking, but so far I can’t find any Win.Trojan.Trojan signatures in the ClamAV Official database or listed in clamav-virusdb e-mail list. Nor can I confirm your results using my own EICAR. Are you using any Unofficial signatures from a different source? -Al- On Wed, Mar 16, 2016

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-18 Thread Dennis Peterson
Sorry - didn't intend to send this to the list. On 3/17/16 12:02 AM, Dennis Peterson wrote: sigtool --unpack=main.cvd rm -f main.cvd grep EICAR main.* main.hdb:44d88612fea8a8f36de82e1278abb02f:68:Win.Test.EICAR_HDB-1

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-18 Thread Al Varnell
Those are normal messages for an update of this kind. The 21465.cdiff was purposely blank in order to force you to download the entire daily.cvd. Give it plenty of time as the main.cvd is 109MB. Technical details: