Re: [clamav-users] Problems with 3rd party sigs

2017-03-31 Thread Steve Basford 




On 31 March 2017 18:45:58 Mark Foley  wrote:


Per advice on this list, I downloaded and installed the clamav-unofficial-sigs
scripts from the link on Sanesecurity.


2. I run a cron'd clamscan job to scan mail folders several time a day. I get
the following errors which are new since installing the unofficial-sigs:


See...

you can comment out these lines in the master.conf:

#email/EMAIL_Cryptowall.yar|LOW # CryptoWall Resume phish
#Antidebug_AntiVM/antidebug_antivm.yar|LOW # anti debug and anti 
virtualization techniques used by malware


See... issues page from here...

https://github.com/extremeshok/clamav-unofficial-sigs

Cheers,

Steve
Twitter: @sanesecurity


___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] Problems with 3rd party sigs

2017-03-31 Thread Steven Morgan 
They can be ignored. For yara rules, ClamAV currently ignores any
containing errors or unsupported features.

Steve

On Fri, Mar 31, 2017 at 2:30 PM, Mark Foley  wrote:

> On Fri, 31 Mar 2017 14:01:29 -0400 Steven Morgan 
> wrote:
> >
>
> Thanks Steve. Is then there a way to disable the pe rules or do I just
> have to
> ignore these messages?
>
> --Mark
>
> > Mark,
> >
> > The pe import module of yara rules is not currently implemented in
> ClamAV.
> > Other specifics of using yara rules in Clam may be found in
> > docs/signatures.pdf. Also, looks like errors in EMAIL_Cryptowall.yar yara
> > rule?
> >
> > Hope this helps,
> > Steve
> >
> > On Fri, Mar 31, 2017 at 1:45 PM, Mark Foley 
> wrote:
> >
> > > Per advice on this list, I downloaded and installed the
> > > clamav-unofficial-sigs
> > > scripts from the link on Sanesecurity.
> > >
> > > I've not been able to get it running. Two problems:
> > >
> > > 1. The /etc/cron.d/clamav-unofficial-sigs cron script won't run from
> > > crond. I get an email:
> > >
> > > /bin/sh: clamav: command not found
> > >
> > > I've searched the computer and the clamav-unofficial-sigs.sh script
> > > looking for a
> > > reference to a clamav command and simply cannot find such a command.
> I've
> > > sprinkles `echo` statements throughout clamav-unofficial-sigs.sh and
> > > redirected
> > > the cron script's output to a log file. I never get anything in the
> > > logfile.
> > > Yet, if I run clamav-unofficial-sigs.sh as root manually, it runs fine.
> > >
> > > 2. I run a cron'd clamscan job to scan mail folders several time a
> day. I
> > > get
> > > the following errors which are new since installing the
> unofficial-sigs:
> > >
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line
> 497
> > > undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line
> 512
> > > undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line
> 528
> > > undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line
> 544
> > > undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line
> 557
> > > undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line
> 603
> > > undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line
> 614
> > > undefined identifier "pe"
> > > LibClamAV Error: cli_loadyara: failed to parse rules file
> > > /var/lib/clamav/antidebug_antivm.yar, error count 7
> > > LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line
> 34
> > > duplicate identifier "CryptoWall_Resume_phish"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line
> 52
> > > duplicate identifier "docx_macro"
> > > LibClamAV Error: cli_loadyara: failed to parse rules file
> > > /var/lib/clamav/EMAIL_Cryptowall.yar, error count 2
> > >
> > > The lines at /var/lib/clamav/antidebug_antivm.yar line 497 are:
> > >
> > > 496 contition:
> > > 497 pe.imports("kernel32.dll","
> CheckRemoteDebuggerPresent")
> > > and
> > > 498 pe.imports("kernel32.dll","IsDebuggerPresent")
> > >
> > > These seem like rather basic programming bugs.  Nevertheless, it does
> > > appear to
> > > catch new signatures, e.g.:
> > >
> > > /home/HPRS/mpress/Maildir/.Deleted Items/cur/1463485456.
> > > M955042P32209.mail,S=13067,W=13269:2,S: Sanesecurity.Foxhole.Zip_
> fs226.UNOFFICIAL
> > > FOUND
> > > /home/HPRS/mpress/Maildir/.Deleted Items/cur/1460374151.
> > > M124643P21974.mail,S=30684,W=31217:2,S: Sanesecurity.Spam.12404.Ml.
> UNOFFICIAL
> > > FOUND
> > > /home/HPRS/shay/Maildir/.Trash/cur/1485781802.
> M776532P6090.mail,S=2905,W=
> > > 2971:2,S!(1)MAIL:mixedtextportion: Sanesecurity.Junk.33365.UNOFFICIAL
> > > FOUND
> > > /home/HPRS/shay/Maildir/.Trash/cur/1486393658.
> M60634P26487.mail,S=48881,W=49823:2,S:
> > > Sanesecurity.Spam.12427.FakeRenew.UNOFFICIAL FOUND
> > > /home/HPRS/dsmith/Maildir/.Deleted Items.Sent/cur/1443025877.
> > > M266324P18041.mail,S=22511,W=22844:2,S: Sanesecurity.Foxhole.Zip_
> Wordexe.1.UNOFFICIAL
> > > FOUND
> > >
> > > etc.
> > >
> > > Has anyone on this list encountered the same problem and if so were you
> > > able to
> > > fix them? I'm running Slackware.
> > >
> > > Thanks, Mark
> > > ___
> > > clamav-users mailing list
> > > clamav-users@lists.clamav.net
> > > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> > >
> > >
> > > Help us build a comprehensive ClamAV guide:
> > > https://github.com/vrtadmin/clamav-faq
> > >
> > > http://www.clamav.net/contact.html#ml
> > >
> > ___
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> >

Re: [clamav-users] Problems with 3rd party sigs

2017-03-31 Thread Mark Foley 
On Fri, 31 Mar 2017 14:01:29 -0400 Steven Morgan  wrote:
>

Thanks Steve. Is then there a way to disable the pe rules or do I just have to
ignore these messages?

--Mark

> Mark,
>
> The pe import module of yara rules is not currently implemented in ClamAV.
> Other specifics of using yara rules in Clam may be found in
> docs/signatures.pdf. Also, looks like errors in EMAIL_Cryptowall.yar yara
> rule?
>
> Hope this helps,
> Steve
>
> On Fri, Mar 31, 2017 at 1:45 PM, Mark Foley  wrote:
>
> > Per advice on this list, I downloaded and installed the
> > clamav-unofficial-sigs
> > scripts from the link on Sanesecurity.
> >
> > I've not been able to get it running. Two problems:
> >
> > 1. The /etc/cron.d/clamav-unofficial-sigs cron script won't run from
> > crond. I get an email:
> >
> > /bin/sh: clamav: command not found
> >
> > I've searched the computer and the clamav-unofficial-sigs.sh script
> > looking for a
> > reference to a clamav command and simply cannot find such a command. I've
> > sprinkles `echo` statements throughout clamav-unofficial-sigs.sh and
> > redirected
> > the cron script's output to a log file. I never get anything in the
> > logfile.
> > Yet, if I run clamav-unofficial-sigs.sh as root manually, it runs fine.
> >
> > 2. I run a cron'd clamscan job to scan mail folders several time a day. I
> > get
> > the following errors which are new since installing the unofficial-sigs:
> >
> > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497
> > undefined identifier "pe"
> > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512
> > undefined identifier "pe"
> > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528
> > undefined identifier "pe"
> > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544
> > undefined identifier "pe"
> > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557
> > undefined identifier "pe"
> > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603
> > undefined identifier "pe"
> > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614
> > undefined identifier "pe"
> > LibClamAV Error: cli_loadyara: failed to parse rules file
> > /var/lib/clamav/antidebug_antivm.yar, error count 7
> > LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 34
> > duplicate identifier "CryptoWall_Resume_phish"
> > LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 52
> > duplicate identifier "docx_macro"
> > LibClamAV Error: cli_loadyara: failed to parse rules file
> > /var/lib/clamav/EMAIL_Cryptowall.yar, error count 2
> >
> > The lines at /var/lib/clamav/antidebug_antivm.yar line 497 are:
> >
> > 496 contition:
> > 497 pe.imports("kernel32.dll","CheckRemoteDebuggerPresent")
> > and
> > 498 pe.imports("kernel32.dll","IsDebuggerPresent")
> >
> > These seem like rather basic programming bugs.  Nevertheless, it does
> > appear to
> > catch new signatures, e.g.:
> >
> > /home/HPRS/mpress/Maildir/.Deleted Items/cur/1463485456.
> > M955042P32209.mail,S=13067,W=13269:2,S: 
> > Sanesecurity.Foxhole.Zip_fs226.UNOFFICIAL
> > FOUND
> > /home/HPRS/mpress/Maildir/.Deleted Items/cur/1460374151.
> > M124643P21974.mail,S=30684,W=31217:2,S: 
> > Sanesecurity.Spam.12404.Ml.UNOFFICIAL
> > FOUND
> > /home/HPRS/shay/Maildir/.Trash/cur/1485781802.M776532P6090.mail,S=2905,W=
> > 2971:2,S!(1)MAIL:mixedtextportion: Sanesecurity.Junk.33365.UNOFFICIAL
> > FOUND
> > /home/HPRS/shay/Maildir/.Trash/cur/1486393658.M60634P26487.mail,S=48881,W=49823:2,S:
> > Sanesecurity.Spam.12427.FakeRenew.UNOFFICIAL FOUND
> > /home/HPRS/dsmith/Maildir/.Deleted Items.Sent/cur/1443025877.
> > M266324P18041.mail,S=22511,W=22844:2,S: 
> > Sanesecurity.Foxhole.Zip_Wordexe.1.UNOFFICIAL
> > FOUND
> >
> > etc.
> >
> > Has anyone on this list encountered the same problem and if so were you
> > able to
> > fix them? I'm running Slackware.
> >
> > Thanks, Mark
> > ___
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
> >
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

[clamav-users] Problems with 3rd party sigs

2017-03-31 Thread Mark Foley 
Per advice on this list, I downloaded and installed the clamav-unofficial-sigs
scripts from the link on Sanesecurity.

I've not been able to get it running. Two problems:

1. The /etc/cron.d/clamav-unofficial-sigs cron script won't run from crond. I 
get an email:

/bin/sh: clamav: command not found

I've searched the computer and the clamav-unofficial-sigs.sh script looking for 
a
reference to a clamav command and simply cannot find such a command. I've
sprinkles `echo` statements throughout clamav-unofficial-sigs.sh and redirected
the cron script's output to a log file. I never get anything in the logfile.
Yet, if I run clamav-unofficial-sigs.sh as root manually, it runs fine.

2. I run a cron'd clamscan job to scan mail folders several time a day. I get
the following errors which are new since installing the unofficial-sigs:

LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 
undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 
undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 
undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 
undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 
undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 
undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 
undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file 
/var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 34 
duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 52 
duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file 
/var/lib/clamav/EMAIL_Cryptowall.yar, error count 2

The lines at /var/lib/clamav/antidebug_antivm.yar line 497 are:

496 contition:
497 pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and
498 pe.imports("kernel32.dll","IsDebuggerPresent")

These seem like rather basic programming bugs.  Nevertheless, it does appear to
catch new signatures, e.g.:

/home/HPRS/mpress/Maildir/.Deleted 
Items/cur/1463485456.M955042P32209.mail,S=13067,W=13269:2,S: 
Sanesecurity.Foxhole.Zip_fs226.UNOFFICIAL FOUND
/home/HPRS/mpress/Maildir/.Deleted 
Items/cur/1460374151.M124643P21974.mail,S=30684,W=31217:2,S: 
Sanesecurity.Spam.12404.Ml.UNOFFICIAL FOUND
/home/HPRS/shay/Maildir/.Trash/cur/1485781802.M776532P6090.mail,S=2905,W=2971:2,S!(1)MAIL:mixedtextportion:
 Sanesecurity.Junk.33365.UNOFFICIAL FOUND
/home/HPRS/shay/Maildir/.Trash/cur/1486393658.M60634P26487.mail,S=48881,W=49823:2,S:
 Sanesecurity.Spam.12427.FakeRenew.UNOFFICIAL FOUND
/home/HPRS/dsmith/Maildir/.Deleted 
Items.Sent/cur/1443025877.M266324P18041.mail,S=22511,W=22844:2,S: 
Sanesecurity.Foxhole.Zip_Wordexe.1.UNOFFICIAL FOUND

etc.

Has anyone on this list encountered the same problem and if so were you able to
fix them? I'm running Slackware.

Thanks, Mark
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml