Hi All,
Firstly thanks for all the scripts and feedback, if I've not replied to
anyone via email, bear with me as it's a
little hectic right now, with one thing or another :)
Okay, thanks to tbb (Nico) for pointing me toward this great
redirect/rotator script, with management capabilities.
In a
Due to me nearly running out of bandwidth last month (17gb out of a 20gb
host package), some urgent changes were needed to the signature hosting,
otherwise I'd start getting charged for the extra bandwidth :(
So, to keep this short, here's a to-do list ;)
*** One: Mirrors ***
Three new mirrors a
Hi Eric,
I tried sending you an off-list email, but:
SMTP error from remote mail server after RCPT TO::
host rodan.vipstructures.com [66.195.71.71]: 554 5.7.1
:
Client host rejected: ripe ncc france block?
:(
Sorry list!
Cheers,
Steve
___
Bill Landry wrote:
> If it was a SaneSecurity signature that caused the virus match, did
> you advise Steve Basford
You beat me to a reply... you must type faster than me :)
Thanks Bill!
Cheers,
Steve
___
Help us build a comprehensive ClamAV
Luis Miguel R. wrote:
> Hi all, Is ClamAV detecting ANI xploits?
>
Hi,
Yes from what I can remember, it'll be these sigs:
Trojan.Downloader-4467
Exploit.CVE_2007_0038-1
Exploit.CVE_2007_0038-2
Exploit.CVE_2007_0038-3
Cheers,
Steve
___
Thomas Bernthaler wrote:
> [EMAIL PROTECTED] root]# /usr/bin/clamdscan --quiet /usr/bin/php
> ERROR: Parse error at line 34: Option LogTime requires boolean argument.
Please see: http://wiki.clamav.net/Main/UpgradeNotes090
eg:
clamd.conf:
change option: 'LogTime' to 'LogTime yes' ( was just 'Lo
Dennis Peterson wrote:
>
> My guess is the MSRBL folks would like it if you downloaded the new
> files only if the file has been modified.
>
I think you're right... the size of their images .ndb file
(un-compressed) jumped to about 7.5 meg in size and I guess shifting
that amount of data for x us
Hi,
Just a heads up for those using the msrbl sigs.
As of last week:
"Downloading of the signature files is currently only available via rsync":
rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM.ndb /path/MSRBL-SPAM.ndb
rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images.hdb
/path/MSRB
Sean Pinegar wrote:
> I trusted clamav for a long time but ran across an interesting problem today.
> I received an e-mail from a friend that included a powerpoint. I opened the
> powerpoint in linux and wine flagged it as a virus (not sure how wine knew
> there was a virus...can anyone enligh
Salvatore wrote:
> FixStaleSocket
>
How about:
**FixStaleSocket yes
FixStaleSocket no
In other words, the format for .conf files changed in 0.90... you need yes/no
after the option.
Example:
http://svn.clamav.net/websvn/filedetails.php?repname=clamav-devel&path=%2Ftrunk%2Fetc%2Fclamd.conf&rev
carren stuart wrote:
> Is there some reason why my posts aren't even being acknowledged? I
> can't believe that nobody knows the answer to my question. This IS the
> users list and I'm a user, so could somebody PLEASE help me with this.
>
>
Hi,
Sorry I can't really help you... but I did find
Jay Lee wrote:
> one more. Again, sorry.
>
It's not me you have to worry about... it's the "others" ;)
Good reminder to everyone though :)
Cheers,
Steve
___
[EMAIL PROTECTED] wrote:
> I am not available at the moment
etc. ;)
___
Hi All,
95% of all SaneSecurity signature users are finally using the gzipped
compressed phish.ndb.gz database...
so I've now removed all the signatures from the old uncompressed
phish.ndb file and just left one "test" signature,
so it doesn't break anyone's system
FinallyAs the year draws t
Christopher X. Candreva wrote:
> In my experience, it means a database maintainer who made a simple mistake
> in one line.
>
I don't think this'll really add anything useful to the discussion
but I've seen that happen in one of the mrsbl
databases.. but there are some small things the non
Ben Lambrey wrote:
> We received several samples of Trojan.Conka.A (name by BitDefender)
> Trojan.MGK
> (name by FRISK) at our viruswall last week.
> I've submitted a sample of the captured virus twice to Clamav, but is still
> undetected by Clamav. I wonder why?
>
Hi Ben,
While you wait f
> I've noticed the above in my hourly syslog snip throughout the day today.
> It's
> not appearing each and every time a message is checked. Could someone
> advise
> me on what the problem may be and what the fix might be?
First of all I need to apologise to everyone using the Sanesecurity
scam.ndb.
Been ages since I posted anything about the sigs... so just a reminder,
they are still being updated:
Phishing and Scam Signatures for:
ClamAV
Windows Installer versions for:
w32 clamav
ClamWin
ClamMail
http://www.sanesecurity.com/clamav/
Cheers,
Steve
___
Hi All,
Anyone else seeing this sort of thing?
C:\CLAMAV~1\bin>freshclam
ClamAV update process started at Fri Aug 4 18:52:23 2006
main.cvd is up to date (version: 39, sigs: 58116, f-level: 8, builder:
tkojm)
ERROR: getfile: daily-1635.cdiff not found on remote server
ERROR: getpatch: Can't downl
Odhiambo Washington wrote:
> ..and today there were so many false positives
>
>
Hi,
If you haven't already... contact them with the raw email that
matched and the virus name that was reported and
I'm sure they'll get it fixed.
Cheers,
Steve
__
> Hii ,
> From last few days i am getting lot of mail hits containing
> "Win32/TrojanDownloader.Small.CIE" Virus. Guys have any one come across
> this virus what does it do and how hazardous it is.
All I could find was:
http://www.sophos.com/security/analyses/trojdwnldrdda.html
If the trojan is
Sorry about this but will people please check their download
scripts, to make sure that they are:
a) only downloading the phish.ndb.gz file
b) only downloading the above file, when there has been a change to it.
c) only checking for changes - no less than hourly.
Realistically, I would thin
> On Monday 24 Apr 2006 22:35, Steve Basford wrote:
> Steve, is it your intention to name the file inside the .gz phishc.ndb,
> consistently, so I can script on that basis?
Arghhh... sorry that really should have been phish.ndb, I've now
corrected the script
> u
Christopher X. Candreva wrote:
I've attached my updated Perl script. It will now check the compressed
archive, and if it is updated download and uncompress it.
Thank you!
I'll sort out the website tomorrow hopefully, with some of sample
"recommended" scripts.
Cheers,
Steve
Bill Landry wrote:
a) phish.ndb.gz
Definitely.
I agree.
Okay folks, I've put together a dos script to create the phish.ndb.gz
file and have just updated both the compressed
and un-compressed versions.
The file you need is: http://www.sanesecurity.com/clamav/phish.ndb.gz
I'll pop back he
Leonardo Rodrigues Magalhães wrote:
sanesecurity.com would need rsync daemon running.
Sure it will work. But is rsync really needed for syncing a
single file that bzip/gzipped will hardly get over 300k ??
Hi All,
Firstly, I just wanted to say a big thank you for everybody's feedbac
Hi All,
In order to optimize the use of my bandwidth for the unofficial phishing
signatures, I want to put up a few
example scripts on the main page of my site that users should use to
download the phish.ndb file.
The reason is that I've got quite a few users, downloading every 15
mins, the
Firstly, I just wanted to say a big thanks to everyone who's sent
samples, encouragement and comments,
regarding the unofficial phishing signatures!
Secondly, just updated the Unofficial ClamAV Phishing Signatures, which
now contain 690 sigs :)
I've updated the site here with links to live st
Tomasz Kojm wrote:
It's not worrying at all. It would be worrying if ClamAV was silently using
a broken signature somehow but it properly reports an error:
Thanks for confirming checking. Well, under cygwin, this is what it does:
C:\CLAMAV~1\bin>clamscan c:\samples
C:\CLAMAV~1\bin>
Tha
BitFuzzy wrote:
I decoded the hex string and it actually matches "Dear PayPal Member\n"
(PayPal instead of Paypal)
Yea, I caught that, it doesn't make any difference
Hi,
In your first post you said you'd tried these:
Email.Phishing.Paypal.Test.0227001:0:*:446561722050617950616c204d656d62
I was looking for this but I did not find a lot of info about it this
morning and I was wondering if anyone could give me some help... I
would like to setup my ClamAV with Phishing Signatures but as I said I
was unable to find much info on how to do it. I did find lots of
sources with differe
Hi,
You'll all be glad to hear I don't intend to post here every time I do
an update of the sigs,
but as I've added a few sigs today and updated the main website a
little, I thought post to the list:
http://www.sanesecurity.com/clamav/
For those interested, here are some stats from a couple
Can someone please tell me how ClamAV goes about phishing detection? I presume
it has something to do with libcurl going out to a web site and some checks
being performed on whatever is returned.
Not normally... most phishing detection is done by matching text/html
that is common, looks odd
Hi,
Just thought this was interesting, now that Sven has recently added some
up-to-date phishing signatures (official, of course):
Virus Stats, from my ISP, for 12 hours today:
HTML.Phishing.Bank-303: 25,025 copies stopped (sig added 2006-02-04)
HTML.Phishing.Bank-292: 12,995 copies stopped (
Dennis Peterson wrote:
I can verify it blocks legitimate mail from Ebay (outbidnotice and endofitem).
I cannot provide samples for obvious reasons.
Thanks to all for the reports... the signature was faulty and I've now
disabled it. I've re-uploaded, with it removed.
Sorry for all this
I'm getting false positives with
Html.Phishing.Auction.Gen009.Sanesecurity.06020102
Marking legit eBay communications as Phish; bid confirmations, outbid
notices, "you won" notices.
Okay, I've disabled this sig and re-uploaded... that should fix it until
I can find sample email.
One thing
jef moskot wrote:
The latest batch seems to include a number of false positives, so I had to
revert. I don't want to submit private user data, but an example is the
apparently legit report from eBay entitled "Changes to eBay User Agreement
and Privacy Policy".
Other issues include apparently
Mark Twells wrote:
Where might I obtain these unofficial signatures?
http://www.sanesecurity.com/clamav/
Cheers,
Steve
___
Dennis Davis wrote:
Very useful. I started using these signatures on this University's
mail servers on Monday. Appended below are the stats on the
incoming crap they stopped yesterday (Tuesday).
Virus Count
-
Webmaster wrote:
Your signatures are based on HTML (Filetype = 3).
Shouldn't it be based on Mail (Filetype = 4) ?
Interesting... I'll do some tests later today changing the type.
The interesting thing though, is that when you go to the online database
search site http://clamav-du.securesi
Oliver Stöneberg wrote:
You should really cleanup your signatures. I have a Phishing set of
512 Phishing of which 23 are not recognised by ClamAV. From those
only 4 are captured by your signatures, which are the following:
Firstly, thanks for the feedback. Although I must say, I'm
disappo
Dennis Peterson wrote:
It's worth repeating the question I asked over a week ago - what
methodology is used in collecting these so that dupes are avoided?
Nobody answered, unfortunately, so now we see we have dupes.
Sorry for the delay... apart from being more than a little busy... I
must a
Hi,
Firstly, I've done an update to the Unofficial Phishing Signatures.
Secondly... will whoever is using ip address 216.35.188.119, please sort
out their wget config file:
216.35.188.119 - - [29/Jan/2006:20:36:01 +] "HEAD /clamav/phish.ndb
HTTP/1.0" 200 0 "-" "Wget/1.10.2"
216.35.188.11
Mike Robinson wrote:
The first question is, does clamd automatically detect changes to .ndb
files?
Sorry for the late reply...
I did a quick test and it seems to only get "re-loaded", after running
freshclam,
ie: like this:
1) example phish.ndb has two sigs
2) clamd is running
3) you o
Todd Lyons wrote:
Any reason to call it phish.ndb instead of phish.db? Just a way to make
automating it easier?
Hi Todd,
If you look at the current signature pdf docs here:
http://www.clamav.net/doc/0.88/signatures.pdf
If you look at Section 3.3 (Basic Signature format) you'll see that
the
There are already a number of great phishing signatures in ClamAV but
the Official ClamAV signature makers are obviously very busy taking care
of the higher priority Virus/Trojan signatures.
As, I've seen a number of new phishing attempts get past the Official
ClamAV signatures, I thought I'd
since ClamAV reached v0.80, I am using it to scan and reject e-mail
messages. Today I noticed that ClamAV also detects phishing attacks.
Phishing is pure social engineering and poses no threat whatsoever in a
technical sense.
I'm certainly *very* happy that ClamAV team have added more phishing
de
Hi All,
Just came across this:
http://www.securiteam.com/securitynews/6E00G2ABFY.html
Bit hard to say if this would impact ClamAV?
Cheers,
Steve
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Thanks Jotti ! Really awesome site ! Good work!
It's a very useful site, along with VirusTotal's site.
Before I go anymore off-topic, just two points to note:
a) Jotti isn't running the very latest CVS version, he will only
run the latest STABLE version, so it won't cope too well with the .CAB/U
Just use http://www.virustotal.com/ - excellent resource for scanning
suspicious files with multiple engines at once. As mentioned in the
Thanks all for the checking... as a extra site to bookmark, this site is
good too:
http://virusscan.jotti.dhs.org/ ( Jotti's malware scan: samples are added
Hi,
Can someone test ClamAV with these files:
http://www.hiddenbit.org/demo_files/jpeg.zip
Source:
http://lists.netsys.com/pipermail/full-disclosure/2004-October/027530.html
Cheers,
Steve
___
Hi,
Is it just me or is the search database not returning any results any more?
ie: http://clamav-du.securesites.net/cgi-bin/clamgrok
Cheers,
Steve
Slight modification to the last one. The new .ndb file allows the
signature offset to be defined, so instead of * in the third field you
should put 0 to anchor the JPEG magic number to the start of the file.
The 5 means it is definitely a graphics file before it is checked against
the signature but