Re: [clamav-users] Grizzly Steppe

2017-01-06 Thread Joel Esler (jesler)
http://blog.talosintel.com/2017/01/grizzly-steppe.html

-- Joel Esler | Talos: Manager | jes...@cisco.com

On Jan 5, 2017, at 11:40 AM, Joel Esler (jesler) wrote:
> AMP has far more coverage than ClamAV. As the coverage

Re: [clamav-users] Grizzly Steppe

2017-01-05 Thread Joel Esler (jesler)
AMP has far more coverage than ClamAV. As the coverage can be generated much more quickly and without a DB to download, it happens in real time. As far as coverage for ClamAV, and Alain can correct me if I am wrong, I believe coverage has been pushed out.

-- Joel Esler | Talos: Manager |

Re: [clamav-users] Grizzly Steppe

2017-01-05 Thread Joel Esler (jesler)
Where did you send them?

-- Joel Esler | Talos: Manager | jes...@cisco.com

On Jan 4, 2017, at 7:12 PM, TR Shaw wrote:
> I have offered sigs to ClamAV official but have heard nothing back yet.
> On Jan 4, 2017, at 6:52 PM, Eric

Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread Al Varnell
I have checked VirusTotal and none of the 23 samples submitted yesterday were detected at the time of submission by ClamAV. I'd estimate that an average of 20 of 55 scanners did detect them as infected. On the basis of that I would have to guess that ClamAV signatures will not detect Grizzly

Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread TR Shaw
I have offered sigs to ClamAV official but have heard nothing back yet.

> On Jan 4, 2017, at 6:52 PM, Eric Tykwinski wrote:
>
> This was my concern about Cisco’s AMP product on ASA’s and NGIPS’s. I’m
> going to be beta testing stuff out shortly, but don’t have high

Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread Eric Tykwinski
This was my concern about Cisco’s AMP product on ASA’s and NGIPS’s. I’m going to be beta testing stuff out shortly, but don’t have high hopes besides the Snort rules.

Sincerely,
Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Jan 4, 2017, at 6:23 PM, Reindl Harald

Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread Reindl Harald
On 04.01.2017 at 23:12, Al Varnell wrote:
> Can somebody with access to those samples run them against a virgin ClamAV signature database to answer the question? I'd be happy to if there are samples I can access.

official, virgin signatures don't and probably will never recognize recent

Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread Al Varnell
Tom,

It's not that I don't want to use your sigs, but in order to assist ClamXav users I need my setup to match theirs and it currently only uses ClamXav macOS/OS X specific unofficial. There is talk of adding others in the future, but not now.

-Al-

On Wed, Jan 04, 2017 at 02:17 PM, TR Shaw

Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread TR Shaw
Doesn’t detect to RAT

Al, if you don’t want to run my unofficial sigs I would be happy to provide them to Joel for incorporation into official db.

> On Jan 4, 2017, at 5:12 PM, Al Varnell wrote:
>
> Can somebody with access to those samples run them against a virgin

Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread Al Varnell
Can somebody with access to those samples run them against a virgin ClamAV signature database to answer the question? I'd be happy to if there are samples I can access.

-Al-

On Wed, Jan 04, 2017 at 07:33 AM, TR Shaw wrote:
>
> I added detection in winnow_extended_malware.hdb which is

Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread TR Shaw
I added detection in winnow_extended_malware.hdb, which is distributed in the sanesecurity feed, the day after the JAR was released. I also searched for the RAT and added signatures for that as well in winnow_malware_links.ndb. Signatures are identified as winnow.Trojan.GRIZZLY_STEPPE.

Tom

>

Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread Ralf Hildebrandt
* Andrew McGrath :
> I'm being asked a question by our security team that I am struggling
> to answer. The question is "Does ClamAV detect Grizzly Steppe?".
>
> I've hunted around the archives, support pages and google, but do not
> see any discussion about this, could

[clamav-users] Grizzly Steppe

2017-01-04 Thread Andrew McGrath
I'm being asked a question by our security team that I am struggling to answer. The question is "Does ClamAV detect Grizzly Steppe?".

I've hunted around the archives, support pages and google, but do not see any discussion about this, could anyone comment?

Thank you!