Re: [clamav-users] No Solaris OS virus signatures in database?
You might want to read through this thread from almost a year ago: http://lurker.clamav.net/message/20130613.105112.61623690.en.html. I'll just add my two cents that in general, the database is only as complete as users want it to be. If you want to see more support for your platform, you need to take a proactive role in tracking down and submitting samples to clamav.net, virustotal.com and probably other sources the Sourcefire signature team can draw on.

I say this because the OS X community I belong to was in a similar situation not too many years ago. All the discussions in the world didn't help matters until some of us volunteered our time to actively seek out such samples. One even qualified to write signatures as an adjunct to the signature team.

F-Secure is a for-profit company and I'm sure not in the habit of sharing everything they find and analyze. Just because they've developed techniques to detect such things doesn't mean they've shared that information with the competition, especially one that's free.

-Al-
--
Al Varnell
Mountain View, CA

On Tue, May 27, 2014 at 08:00 PM, R Secrist wrote:
> There do not appear to be any definitions for Solaris OS in the database, doing an inspection of virus names using:
>
> sigtool --list-sigs=C:\wherever\ClamWinPortable\Data\db\main.cvd
> sigtool --list-sigs=C:\wherever\ClamWinPortable\Data\db\daily.cld
>
> I see virus names starting Andr., DOS., Java., JS., OSX., Win, etc. that seem pretty obvious, but no Solaris. or Sun. etc. There are a few UNIX. but those seem to be for Linux, nor do any known Solaris virus signatures seem to turn up in the database (e.g. http://www.f-secure.com/v-descs/worm_solaris_wanuk_a.shtml).
>
> Likewise there don't seem to be that many viruses for Solaris either, so it could be covered under some generic name and I am just missing it.
>
> Does anyone know that there are in fact Solaris OS virus signatures in the ClamAV database?
>
> Thanks!
> rcs

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
Re: [clamav-users] Unix.Trojan.ElkKnot FOUND
Thank you very much, that's nice. Very happy about that :)

Regards,
Birgit

On 27. 05. 14 15:08, Alain Zidouemba wrote:
> The samples for which you sent us the hashes appear to be benign.
>
> - Alain
>
> On Tue, May 27, 2014 at 4:25 AM, DUCARROZ Birgit birgit.ducar...@unifr.ch wrote:
> > Hello,
> > Is someone actually able to tell me if the list I submitted are false positives or real trojans?
> > Thank you,
> > Birgit
> >
> > On 23. 05. 14 15:28, Alain Zidouemba wrote:
> > > Thanks Birgit.
> > > - Alain
> > >
> > > On Fri, May 23, 2014 at 5:38 AM, DUCARROZ Birgit birgit.ducar...@unifr.ch wrote:
> > > > oki. Here are the md5s of most of the alerts:
[clamav-users] ClamAv updates not being published properly?
Latest from clamav-virusdb announcements:

ClamAV database updated (28 May 2014 04-17 -0400): daily.cvd

Yet freshclam says (with and without --no-dns):

# freshclam
ClamAV update process started at Wed May 28 09:33:52 2014
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cld is up to date (version: 19037, sigs: 970172, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 241, sigs: 46, f-level: 63, builder: dgoddard)

Cheers,
Phil
--
Phil Randal
Infrastructure Engineer
Hoople Ltd | Thorn Office Centre | Hereford HR2 6JT
Tel: 01432 260415 | Email: phil.ran...@hoopleltd.co.uk

Hoople Ltd, Registered in England and Wales No. 7556595
Registered office: Plough Lane, Hereford, HR4 0LE
Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Hoople Ltd. You should be aware that Hoople Ltd. monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.
Re: [clamav-users] ClamAv updates not being published properly?
Oops, left off the latest version of patterns - 19041, allegedly, yet we're stuck on 19037.

Cheers,
Phil

-----Original Message-----
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Randal, Phil
Sent: 28 May 2014 09:35
To: Clamav-Users (clamav-users@lists.clamav.net)
Subject: [clamav-users] ClamAv updates not being published properly?

> Latest from clamav-virusdb announcements:
>
> ClamAV database updated (28 May 2014 04-17 -0400): daily.cvd
>
> Yet freshclam says (with and without --no-dns):
>
> # freshclam
> ClamAV update process started at Wed May 28 09:33:52 2014
> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
> daily.cld is up to date (version: 19037, sigs: 970172, f-level: 63, builder: neo)
> bytecode.cld is up to date (version: 241, sigs: 46, f-level: 63, builder: dgoddard)
>
> Cheers,
> Phil
Re: [clamav-users] ClamAv updates not being published properly?
On Wed, May 28, 2014 9:35 am, Randal, Phil wrote:
> Yet freshclam says (with and without --no-dns)

Hi Phil,

Same here...

freshclam...

ClamAV update process started at Wed May 28 10:13:11 2014
main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cld is up to date (version: 19037, sigs: 970172, f-level: 63, builder: neo)

db updates...

http://lurker.clamav.net/list/clamav-virusdb.html

Cheers,
Steve
Sanesecurity
Re: [clamav-users] ClamAv updates not being published properly?
On Wed, May 28, 2014 at 4:39 AM, Randal, Phil phil.ran...@hoopleltd.co.uk wrote:
> Oops, left off the latest version of patterns - 19041, allegedly, yet we're stuck on 19037.

Same here. DNS says 19037 is the latest:

~$ dig +short txt current.cvd.clamav.net
0.98.3:55:19037:1401269340:1:63:41971:241

-Jim P.
Re: [clamav-users] ClamAv updates not being published properly?
Thanks all. We'll take a look!

--
Joel Esler
Sent from my iPhone

On May 28, 2014, at 6:34, Jim Popovitch jim...@gmail.com wrote:
> On Wed, May 28, 2014 at 4:39 AM, Randal, Phil phil.ran...@hoopleltd.co.uk wrote:
> > Oops, left off the latest version of patterns - 19041, allegedly, yet we're stuck on 19037.
>
> Same here. DNS says 19037 is the latest:
>
> ~$ dig +short txt current.cvd.clamav.net
> 0.98.3:55:19037:1401269340:1:63:41971:241
>
> -Jim P.
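The comparison this thread does by hand (freshclam output vs. the `dig` TXT record vs. the announced daily version), as an added example that is not ClamAV code and not from anyone in the thread. The TXT record and freshclam lines are the ones posted above; the field names "reserved" (5th field) and "safebrowsing" (7th field) are assumptions, the other fields line up with the freshclam output, and the three-hour age limit is the one freshclam warns about when the DNS record is stale.

```python
import re
import time

# From the thread: output of `dig +short txt current.cvd.clamav.net`.
DNS_TXT = "0.98.3:55:19037:1401269340:1:63:41971:241"

# From the thread: what freshclam printed the same morning.
FRESHCLAM_OUTPUT = """\
ClamAV update process started at Wed May 28 09:33:52 2014
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cld is up to date (version: 19037, sigs: 970172, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 241, sigs: 46, f-level: 63, builder: dgoddard)
"""

# Colon-separated fields of the TXT record. "reserved" and "safebrowsing" are
# named by assumption; the others match the freshclam output above.
DNS_FIELDS = ("clamav_version", "main", "daily", "timestamp", "reserved",
              "flevel", "safebrowsing", "bytecode")
DNS_MAX_AGE = 3 * 3600  # freshclam warns when the record is older than 3 hours


def parse_dns_txt(txt):
    """Split the TXT record into named fields; all but the version become ints."""
    parts = txt.strip().strip('"').split(":")
    if len(parts) != len(DNS_FIELDS):
        raise ValueError("unexpected TXT record layout: %r" % txt)
    rec = dict(zip(DNS_FIELDS, parts))
    for key in DNS_FIELDS[1:]:
        rec[key] = int(rec[key])
    return rec


def parse_freshclam(output):
    """Map database name (main, daily, bytecode) to the version freshclam reported."""
    pat = re.compile(r"^(\w+)\.c[lv]d is up to date \(version: (\d+),")
    versions = {}
    for line in output.splitlines():
        m = pat.match(line)
        if m:
            versions[m.group(1)] = int(m.group(2))
    return versions


def check_update_state(dns_txt, freshclam_output, announced_daily, now=None):
    """Locate the lag: local databases vs DNS, and DNS vs the announced daily version."""
    dns = parse_dns_txt(dns_txt)
    local = parse_freshclam(freshclam_output)
    now = time.time() if now is None else now
    return {
        "local_behind_dns": {db: (local.get(db, 0), dns[db])
                             for db in ("main", "daily", "bytecode")
                             if local.get(db, 0) < dns[db]},
        "dns_behind_announcement": dns["daily"] < announced_daily,
        "dns_record_stale": now - dns["timestamp"] > DNS_MAX_AGE,
    }
```

For the values in this thread the result is that the local databases match DNS exactly and DNS itself is behind the announced 19041, which places the lag on the publishing side rather than on the client.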
Re: [clamav-users] Tips for low memory systems
On 28.05.14 14:26, Michael Heuberger wrote:
> Yeah I know but I am very busy these days. Either an easy solution or I'll buy more RAM :(

If buying RAM is an option for you, you shouldn't even think about alternatives.

Recently we've had requests from people who just could NOT buy RAM for their routers or other appliances... but there's not much help for them either, sorry...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
Re: [clamav-users] Tips for low memory systems
Michael Heuberger wrote on 2014-05-28 03:47:
> Too bad :(

apt-get source clamav -b

possibly ask for maintainer support on Launchpad? come on :=)
[clamav-users] clamav-users-bounces DKIM signature verify error
Hello,
a few days ago I moved my domain to a DKIM-capable server and I'm getting some of this:

**
2014-05-28 18:06:42.217820500 CHKUSER accepted sender: from clamav-users-boun...@lists.clamav.net|remoteinfo/auth:|chkuser-identify: remote helo:lists.clamav.net|remotehostname:unknown|remotehostip:198.148.79.53 rcpt : sender accepted
2014-05-28 18:06:42.222425500 CHKUSER accepted rcpt: from clamav-users-boun...@lists.clamav.net|remoteinfo/auth:|chkuser-identify: remote helo:lists.clamav.net|remotehostname:unknown|remotehostip:198.148.79.53 rcpt ml...@itspecialist.it : found existing recipient
2014-05-28 18:06:42.646673500 qmail-smtpd: message rejected (qmail-dkim: signature verify error: message body does not hash to bh value (#5.7.7)): clamav-users-boun...@lists.clamav.net from 198.148.79.53 to ml...@itspecialist.it helo lists.clamav.net
**

Due to these errors the mailing list itself told me that my subscription was disabled due to excessive bounces and I had to enable it manually again.

Have you any idea of the reason for this problem and how to make it go away? As of now I'm losing some messages from the list for sure.

Thank you
Bye
Marcello
Re: [clamav-users] clamav-users-bounces DKIM signature verify error
Marcello Lupo ml...@itspecialist.it wrote:
> Have you any idea of the reason for this problem and how to make it go away?

Other than "DKIM breaks stuff"?

> As of now I'm losing some messages from the list for sure.

Stop using mailing lists OR stop using DKIM. Or you might be able to tune DKIM to exclude the message content - which rather defeats the object.
http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail#Annotations_by_mailing_lists

SPF has the same problem.
Re: [clamav-users] Signature matching email Subject:
Hello Steve,

First of all, thanks for your prompt answer. It works flawlessly. After some tests I finally found what was wrong with my signatures. I was using sigtool --hex-dump to build my signatures. It took me some time to realize that sigtool was adding \n to my signatures (identified by the 0a character at the end). After removing the 0a from my signatures they magically started to work.

Best regards, and, again, thank you for your time and help.

Claudio Cuqui

On 05/23/2014 04:06 PM, Steve Basford wrote:
> On Fri, May 23, 2014 4:25 pm, Claudio Cuqui wrote:
> > Hello there!
> > I would like to know if it is possible to create a virus signature that matches the subject of a mail message. I tried everything and the signature only matches when the pattern is located in the email body.
>
> Something like this...
>
> Spam.Subject.001:4:*:5375626A6563743A{-50}4D617373205370616D205375626A656374
>
> Which will match...
>
> Subject: (any 50 chars)Mass Spam Subject
>
> Cheers,
> Steve
> Sanesecurity
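The signature format in Steve's reply and the trailing-0a problem Claudio hit, as an added example that is neither sigtool nor code from anyone in the thread: it builds an .ndb line from plain strings (Name:TargetType:Offset:HexPattern, target type 4 being mail files), strips a newline that `echo | sigtool --hex-dump` leaves as a trailing 0a, and decodes an existing line back to text so a signature can be checked before it goes into a database. Only the `{-n}`, `??` and `*` wildcards are recognised, and the optional MinFL/MaxFL fields are not handled.

```python
import re

# The .ndb line Steve posted; fields are Name:TargetType:Offset:HexPattern.
SUBJECT_SIG = "Spam.Subject.001:4:*:5375626A6563743A{-50}4D617373205370616D205375626A656374"
TARGET_MAIL = 4  # target type 4 = mail files


def to_hex(text):
    """Hex-encode text like sigtool --hex-dump, but without a trailing newline.

    `echo "string" | sigtool --hex-dump` encodes echo's newline too, which
    appears as a trailing 0a and makes the signature demand that byte.
    """
    return text.rstrip("\n").encode("utf-8").hex().upper()


def strip_trailing_newline_hex(hexsig):
    """Drop a trailing 0a (newline) that sigtool --hex-dump may have included."""
    return hexsig[:-2] if hexsig.lower().endswith("0a") else hexsig


def make_ndb(name, parts, target=TARGET_MAIL, offset="*", gap=None):
    """Join literal strings into an .ndb line, separated by a {-gap} wildcard.

    {-n} means "up to n bytes of anything"; offset "*" means "anywhere in the file".
    """
    joiner = "{-%d}" % gap if gap is not None else ""
    body = joiner.join(to_hex(p) for p in parts)
    return "%s:%d:%s:%s" % (name, target, offset, body)


def decode_ndb(line):
    """Split an .ndb line into fields and decode the hex runs between wildcards."""
    name, target, offset, body = line.split(":", 3)
    pattern = []
    for tok in re.split(r"(\{[-\d]*\}|\?\?|\*)", body):
        if not tok:
            continue
        if tok.startswith("{") or tok in ("??", "*"):
            pattern.append(tok)  # keep wildcards verbatim
        else:
            pattern.append(bytes.fromhex(tok).decode("latin-1"))
    return {"name": name, "target": int(target), "offset": offset, "pattern": pattern}
```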
Re: [clamav-users] clamav-users-bounces DKIM signature verify error
On Wednesday, May 28, 2014 17:31:27 Simon Hobson wrote:
> Marcello Lupo ml...@itspecialist.it wrote:
> > Have you any idea of the reason for this problem and how to make it go away?
>
> Other than "DKIM breaks stuff"?
>
> > As of now I'm losing some messages from the list for sure.
>
> Stop using mailing lists OR stop using DKIM. Or you might be able to tune DKIM to exclude the message content - which rather defeats the object.
> http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail#Annotations_by_mailing_lists
>
> SPF has the same problem.

Not at all. SPF suffers in some other scenarios, but mailing lists that aren't just simple list expanders work just fine with SPF. But isn't this a bit off topic? In this particular case, he's got a local configuration issue, nothing really to do with clamav, SPF, or DKIM (as a protocol).

Scott K
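Why qmail-dkim reports "message body does not hash to bh value" for list mail, as an added example not written by anyone in this thread: it implements RFC 6376 relaxed body canonicalization and the bh= computation only (no header signing or key lookup), hashes a constructed body before and after the list footer is appended, and shows the effect of the l= body-length tag that Simon's "exclude the message content" remark refers to.

```python
import base64
import hashlib
import re

# Constructed sample body, as the sender's MTA signed it (CRLF line endings).
ORIGINAL_BODY = "Hello,\r\n\r\nHave you any idea of the reason for this problem?\r\n"

# What the list appends after signing; the footer text is the list's own.
LIST_FOOTER = ("___\r\nHelp us build a comprehensive ClamAV guide: "
               "https://github.com/vrtadmin/clamav-faq\r\n"
               "http://www.clamav.net/support/ml\r\n")


def relaxed_body(body):
    """RFC 6376 3.4.4 relaxed body canonicalization: collapse WSP runs to one
    space, strip trailing WSP on each line, drop empty lines at the end."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def body_hash(body, length=None):
    """bh= value: base64(sha256) of the canonical body, or of its first `length`
    octets when the signature carries an l= tag."""
    canon = relaxed_body(body).encode("utf-8")
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def verify_body(signed_bh, received_body, length=None):
    """True when the body as received still hashes to the signed bh= value."""
    return body_hash(received_body, length) == signed_bh


def list_footer_outcome():
    """Return (verifies_without_l, verifies_with_l) for the list-modified message."""
    modified = ORIGINAL_BODY + LIST_FOOTER
    # Sender signed the whole body: the appended footer changes the hash.
    without_l = verify_body(body_hash(ORIGINAL_BODY), modified)
    # Sender signed with l= set to the body length: appended octets are ignored,
    # which is the trade-off behind "exclude the message content" above.
    l = len(relaxed_body(ORIGINAL_BODY).encode("utf-8"))
    with_l = verify_body(body_hash(ORIGINAL_BODY, l), modified, l)
    return without_l, with_l
```

A verifier that rejects at SMTP time on a bh= mismatch, as the qmail-dkim log line above shows, bounces every footer-carrying list post; RFC 6376 asks verifiers to treat a failed signature as if the message were unsigned, which is the local configuration point Scott makes.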