[clamav-users] WannaCry Homeland Security yara script. False positives?

2017-05-16 Thread Mark Foley
I added the yara script published by Homeland security to the clamav database directory. I believe I am getting a substantial number of false positives on this including messages containing PDF and JPG attachments, the latter known to be OK. $ clamscan "/home/HPRS/mpress/Maildir/.Sent

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-16 Thread Kishore Pawar
Thanks Carlos, I see what you're saying. I checked my previous sessions and I found the one below from the 'Oct 2016' session, where I see that the clam-miller.socket is owned by clamav:clamav, whereas my latest one is owned by clamav:root. Is it causing the below error? If so, how can I make sure the

Re: [clamav-users] DNS Caching Problem AGAIN with current.cvd.clamav.net?

2017-05-16 Thread Al Varnell
I am not understanding your point here. Where are you seeing an indication that the database had been updated at the time you wrote? The first indication of an update was an email announcing daily 23390 at 8:30am PDT, about four hours after you posted and almost 30 hours after the previous

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-16 Thread Carlos Velasco
> # cat /etc/rc.d/rc.local > #!/bin/sh > # > # This script will be executed *after* all the other init scripts. > # You can put your own initialization stuff in here if you don't > # want to do the full Sys V style init stuff. > touch /var/lock/subsys/local > /usr/local/sbin/clamd >

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-16 Thread Nataraj
On 05/15/2017 01:04 PM, Mark Foley wrote: > On Mon May 15 15:06:07 2017 "Eric Tykwinski" wrote: >> Here's links to sample files, i.e. use at your own risk: >> https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168 >> >> Sincerely, >> >> Eric Tykwinski >> TrueNet,

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-16 Thread Joel Esler (jesler)
RDP was a factor, but only locally. No initial vector has been established. The only propagation method we have seen is via SMB. Check the blog post. We laid it all out there. -- Sent from my iPhone > On May 16, 2017, at 12:40, Eric Tykwinski wrote: > > I

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-16 Thread Eric Tykwinski
I don't think anyone really knows the initial vector, but RDP was an entry point according to the site I was reading: Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-16 Thread Dennis Peterson
If not email, what is the vector? dp On 5/15/17 5:11 PM, Joel Esler (jesler) wrote: To be clear, let me link to our blog post on the subject: http://blog.talosintelligence.com/2017/05/wannacry.html There has been no email vector seen in WannaCry to date. Almost everyone that has claimed

Re: [clamav-users] ScanOnAcess

2017-05-16 Thread Mickey Sola
Hi Roelof, The on-access scanner is configured through clamd.conf. This is a freshclam.conf file. As such, it makes sense that freshclam would complain about that configuration option, since freshclam and clamd are separate applications. Remove the erroneous option and freshclam should pull

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-16 Thread Kishore Pawar
Hi Carlos Velasco, Our RHEL 6.8 runs on an IBM Power 8 server (ppc64), for which we don't have a ClamAV package. So I had to compile it from source. I have uninstalled the old version and installed ClamAV 0.99.2. So I can confirm that I have only one instance running. Here's the detailed

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-16 Thread Carlos Velasco
> Yes, I usually verify after running any command. So yes, verified the > process is properly killed. I even rebooted it a couple of times. Even after a > clean reboot, the output of clamd status gives the same error. What is the > output of your clamd status? Can you share it please? Kishore, I think

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-16 Thread Kishore Pawar
Hi Reindl Harald, Yes, I usually verify after running any command. So yes, verified the process is properly killed. I even rebooted it a couple of times. Even after a clean reboot, the output of clamd status gives the same error. What is the output of your clamd status? Can you share it please? Thanks

[clamav-users] DNS Caching Problem AGAIN with current.cvd.clamav.net?

2017-05-16 Thread Andy Schmidt
The same problem had been "fixed" a few weeks ago: http://network-tools.com/nslook/Default.asp?domain=current.cvd.clamav.net =16=67.222.132.213=1=53=5000=12=7 current.cvd.clamav.net

Re: [clamav-users] ScanOnAcess

2017-05-16 Thread Roelof Wobben
Hello Remi, I use CentOS 7 as the server and Fedora 25 as the client, and I checked both and both support FANOTIFY. Roelof From: clamav-users on behalf of Remi Bruggeman Sent: Tuesday, 16 May 2017

Re: [clamav-users] ScanOnAcess

2017-05-16 Thread Remi Bruggeman
Roelof, Which OS are you running? Does the kernel support FANOTIFY? Best regards, Remi Bruggeman -Original Message- From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Roelof Wobben Sent: Tuesday, May 16, 2017 10:23 AM To: clamav-users@lists.clamav.net

[clamav-users] ScanOnAcess

2017-05-16 Thread Roelof Wobben
Hello, I have this clamav.conf: ## ## Example config file for freshclam ## Please read the freshclam.conf(5) manual before editing this file. ## # Comment or remove the line below. # Example # Path to the database directory. # WARNING: It must match clamd.conf's directive! # Default:

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-16 Thread Reindl Harald
On 15.05.2017 at 23:53, Kishore Pawar wrote: Yes, I see the clamd process. I tried to kill and restart it many times, but when I run 'clamd status' I get the same error about the socket file. Earlier, when I was running the older version, I used to see the complete details about the clamd