Re: [Clamav-users] test windows exploit sigs

2004-09-25 Thread Steve Basford
Slight modification to the last one. The new .ndb file allows the signature offset to be defined, so instead of * in the third field you should put 0 to anchor the JPEG magic number to the start of the file. The 5 means it is definitely a graphics file before it is checked against the signature

[Clamav-users] GDI+ bug exploit Mutations

2004-10-17 Thread Steve Basford
Hi, Can someone test ClamAV with these files: http://www.hiddenbit.org/demo_files/jpeg.zip Source: http://lists.netsys.com/pipermail/full-disclosure/2004-October/027530.html Cheers, Steve

Re: [Clamav-users] GDI+ bug exploit Mutations

2004-10-17 Thread Steve Basford
Just use http://www.virustotal.com/ - excellent resource for scanning suspicious files with multiple engines at once. As mentioned in the Thanks all for the checking... as an extra site to bookmark, this site is good too: http://virusscan.jotti.dhs.org/ ( Jotti's malware scan: samples are added

Re: [Clamav-users] GDI+ bug exploit Mutations

2004-10-17 Thread Steve Basford
Thanks Jotti ! Really awesome site ! Good work! It's a very useful site, along with VirusTotal's site. Before I go anymore off-topic, just two points to note: a) Jotti isn't running the very latest CVS version, he will only run the latest STABLE version, so it won't cope too well with the

[Clamav-users] Zip AV Bypass Vulnerability

2004-10-18 Thread Steve Basford
Hi All, Just came across this: http://www.securiteam.com/securitynews/6E00G2ABFY.html Bit hard to say if this would impact ClamAV? Cheers, Steve ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-14 Thread Steve Basford
since ClamAV reached v0.80, I am using it to scan and reject e-mail messages. Today I noticed that ClamAV also detects phishing attacks. Phishing is pure social engineering and poses no threat whatsoever in a technical sense. I'm certainly *very* happy that ClamAV team have added more phishing

[Clamav-users] SaneSecurity Phishing and Scam Signatures

2006-10-25 Thread Steve Basford
Been ages since I posted anything about the sigs... so just a reminder, they are still being updated: Phishing and Scam Signatures for: ClamAV Windows Installer versions for: w32 clamav ClamWin ClamMail http://www.sanesecurity.com/clamav/ Cheers, Steve

Re: [Clamav-users] Error (Cannot connect to 'localhost:3310': IO::Socket::INET: connect: Connection refused )

2006-12-07 Thread Steve Basford
I've noticed the above in my hourly syslog snip throughout the day today. It's not appearing each and every time a message is checked. Could someone advise me on what the problem may be and what the fix might be? First of all I need to apologise to everyone using the Sanesecurity scam.ndb.gz

Re: [Clamav-users] Trojan.Conka.A

2006-12-23 Thread Steve Basford
Ben Lambrey wrote: We received several samples of Trojan.Conka.A (name by BitDefender) Trojan.MGK (name by FRISK) at our viruswall last week. I've submitted a sample of the captured virus twice to Clamav, but is still undetected by Clamav. I wonder why? Hi Ben, While you wait for

Re: [Clamav-users] Why does clam die on a malformed database ?

2006-12-30 Thread Steve Basford
Christopher X. Candreva wrote: In my experience, it means a database maintainer who made a simple mistake in one line. I don't think this'll really add anything useful to the discussion but I've seen that happen in one of the mrsbl databases.. but there are some small things the

[Clamav-users] phish.ndb (ungzipped version)

2006-12-30 Thread Steve Basford
Hi All, 95% of all SaneSecurity signature users are finally using the gzipped compressed phish.ndb.gz database... so I've now removed all the signatures from the old uncompressed phish.ndb file and just left one test signature, so it doesn't break anyone's system phew Finally As the year

Re: [Clamav-users] Re: Mailware passes undetected.... is this a failure within my MTA?

2007-01-16 Thread Steve Basford
[EMAIL PROTECTED] wrote: I am not available at the moment flameproof-suit mode on ducks for cover etc. ;) ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] My Bad, sorry

2007-01-16 Thread Steve Basford
Jay Lee wrote: one more. Again, sorry. It's not me you have to worry about... it's the others ;) Good reminder to everyone though :) Cheers, Steve

Re: [Clamav-users] Auto scan problems

2007-02-15 Thread Steve Basford
carren stuart wrote: Is there some reason why my posts aren't even being acknowledged? I can't believe that nobody knows the answer to my question. This IS the users list and I'm a user, so could somebody PLEASE help me with this. Hi, Sorry I can't really help you... but I did find

Re: [Clamav-users] Problem with upgrade

2007-02-20 Thread Steve Basford
Salvatore wrote: FixStaleSocket How about: **FixStaleSocket yes FixStaleSocket no In other words, the format for .conf files changed in 0.90... you need yes/no after the option. Example:

Re: [Clamav-users] clamav vs norton

2007-03-02 Thread Steve Basford
Sean Pinegar wrote: I trusted clamav for a long time but ran across an interesting problem today. I received an e-mail from a friend that included a powerpoint. I opened the powerpoint in linux and wine flagged it as a virus (not sure how wine knew there was a virus...can anyone enlighten

[Clamav-users] msrbl sigs: rsync

2007-03-04 Thread Steve Basford
Hi, Just a heads up for those using the msrbl sigs. As of last week: Downloading of the signature files is currently only available via rsync: rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM.ndb /path/MSRBL-SPAM.ndb rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images.hdb

Re: [Clamav-users] msrbl sigs: rsync

2007-03-04 Thread Steve Basford
Dennis Peterson wrote: My guess is the MSRBL folks would like it if you downloaded the new files only if the file has been modified. I think you're right... the size of their images .ndb file (un-compressed) jumped to about 7.5 meg in size and I guess shifting that amount of data for x

Re: [Clamav-users] ClamAV 90 to 90.1

2007-04-02 Thread Steve Basford
Thomas Bernthaler wrote: [EMAIL PROTECTED] root]# /usr/bin/clamdscan --quiet /usr/bin/php ERROR: Parse error at line 34: Option LogTime requires boolean argument. Please see: http://wiki.clamav.net/Main/UpgradeNotes090 eg: clamd.conf: change option: 'LogTime' to 'LogTime yes' ( was just

Re: [Clamav-users] ANI xploits

2007-04-02 Thread Steve Basford
Luis Miguel R. wrote: Hi all, Is ClamAV detecting ANI xploits? Hi, Yes from what I can remember, it'll be these sigs: Trojan.Downloader-4467 Exploit.CVE_2007_0038-1 Exploit.CVE_2007_0038-2 Exploit.CVE_2007_0038-3 Cheers, Steve

Re: [Clamav-users] clamav eats emails from myown domain

2007-04-03 Thread Steve Basford
Bill Landry wrote: If it was a SaneSecurity signature that caused the virus match, did you advise Steve Basford You beat me to a reply... you must type faster than me :) Thanks Bill! Cheers, Steve

Re: [Clamav-users] clamav eats emails from myown domain

2007-04-03 Thread Steve Basford
Hi Eric, I tried sending you an off-list email, but: SMTP error from remote mail server after RCPT TO:eric at vipstructures.com: host rodan.vipstructures.com [66.195.71.71]: 554 5.7.1 ns1g.dataflame.net[85.13.252.178]: Client host rejected: ripe ncc france block? :( Sorry list!

[Clamav-users] OT: Sanesecurity Sigs: Important News

2007-05-05 Thread Steve Basford
Due to me nearly running out of bandwidth last month (17gb out of a 20gb host package), some urgent changes were needed to the signature hosting, otherwise I'd start getting charged for the extra bandwidth :( So, to keep this short, here's a to-do list ;) *** One: Mirrors *** Three new mirrors

[Clamav-users] OT: Sanesecurity: new urls?

2007-05-08 Thread Steve Basford
Hi All, Firstly thanks for all the scripts and feedback, if I've not replied to anyone via email, bear with me as it's a little hectic right now, with one thing or another :) Okay, thanks to tbb (Nico) for pointing me toward this great redirect/rotator script, with management capabilities. In

Re: [Clamav-users] OT: Sanesecurity: new urls?

2007-05-08 Thread Steve Basford
Christopher X. Candreva wrote: If the script could be on the file name instead of the directory name it would be better. Hmm... would this work for you script? http://www.sanesecurity.com/clamav/phishsigs/index.php http://www.sanesecurity.com/clamav/scamsigs/index.php

Re: [Clamav-users] What is infected attachment (Email.Phishing.RB-827)?

2007-06-28 Thread Steve Basford
554 Failure Messagecontains an infected attachment (Email.Phishing.RB-827) The laptop that is sending the message is not infected with any virus. RB-827 is a phishing signature for regions bank, I won't post the full url for the signature but here's a part of it: /ibsregions/cmserver/ So,

Re: [Clamav-users] cannot resolve www.sanesecurity.co.uk

2007-07-16 Thread Steve Basford
Lyle Giese wrote: Gary V wrote: Looks like I can no longer resolve (from a couple different networks): www.sanesecurity.co.uk sanesecurity.co.uk is down... I think it's a dns issue... going to give the hosting people a kick... The following URLs are the one to make sure you are using:

Re: [Clamav-users] Missed Virus

2007-08-08 Thread Steve Basford
SM wrote: At 11:55 08-08-2007, Jonathan Armitage wrote: It's not a virus, it's these greeting card messages with a link to download the malware. It's currently being identified as Email.Phishing.RB-1222. And this is when it was added to the database:

Re: [Clamav-users] Unofficial malware signatures for Clamav

2007-08-19 Thread Steve Basford
Gerard wrote: I am not sure if Steve has had the time to upload it to his servers yet. He is quite busy. Just uploaded the updated script to both domains :) Cheers, Steve

Re: [Clamav-users] signature names

2007-09-12 Thread Steve Basford
Andy Fiddaman wrote: It's not just core Clam signatures either, SaneSecurity recently changed the capitalisation on some of their sigs which caused me a few issues (I'm checking case-insensitively now! Sorry about that... bit of finger trouble on an output script... normal service should now

[Clamav-users] SaneSecurity Sigs

2007-09-19 Thread Steve Basford
Hi All, Just a couple of updates, people who were having problems with ClamAV restarts today and use SaneSecurity signatures (or other Third-Party sigs for that matter) should have a quick peek here: http://sanesecurity.blogspot.com/2007/09/sanesecurity-news-corrupt-signatures.html Sorry for

Re: [Clamav-users] What's this? I can't believe it!

2008-01-20 Thread Steve Basford
umarzuki mochlis wrote: I believe g2p3s.exe, t.exe and autorun.inf are some sort of trojan or something but clam doesn't seem to detect it. Hi, Might be worth submitting the files to the following sites and see what other AV scanners think of it : http://www.virustotal.com/

Re: [Clamav-users] viruses in comments in scripts not detected by 0.93

2008-05-02 Thread Steve Basford
The implication of the above is that clamav 0.93 would now no longer detect many once prevalent viruses for which it only has hexdump signatures. The whitespace change will cause slightly lower detection rates on some Third Party sigs too (depending on the sig type)... unless the old sigs are

[Clamav-users] Third-Party Signatures: Sanesecurity

2008-06-12 Thread Steve Basford
Sorry to hijack the list...just a few quick updates: 1. Signature Tests I've introduced a few Sanesecurity Signature tests, to help you make sure you are getting the best out of the signatures available. Make sure you pass all three tests (scroll down page) here:

Re: [Clamav-users] Third-Party Signatures: Sanesecurity

2008-06-13 Thread Steve Basford
I ran the 3 tests and I can detect tests 2 & 3, but not test #1, even if I place the raw text of the e-mail into a file and scan it directly with clamdscan. Thoughts? Same results here. clamdscan being called via simscan. Ooops...Make sure the email you create for test #1 is an HTML

[Clamav-users] Sanesecurity: new database

2008-08-15 Thread Steve Basford
Hi All, Just a few items of news The new Rogue signature database contains hashes of known Rogue Anti-Virus software and also contains known Fake Videos/Codecs. Most of these files are currently being distributed via the current wave of fake CNN/Msnbc/BBC news and fake video emails (54

Re: [Clamav-users] Sanesecurity: new database

2008-08-18 Thread Steve Basford
On Mon, 18 Aug 2008 04:45:58 -0500 libclamav is right, the entry at the line 53 in rogue.hdb is incorrect (double colon before the virus name) Fixed... Thanks Tomasz...

Re: [Clamav-users] PUAs

2008-09-11 Thread Steve Basford
Could anyone knowledgeable comment? I've knocked something quickly together, it won't be 100% accurate and is very vague, but it might give you a few pointers: Vague Outline - PUA is a potentially unwanted application Sub-Type: RAT is Remote Access Trojans Description: tools used

Re: [Clamav-users] false alert - Trojan.FakeAlert-566

2008-09-12 Thread Steve Basford
A lot of files are found with Trojan.FakeAlert-566. I scanned these files with virscan.org with different engines and just only clamav is reporting a trojan. Upload your file here and Select the False Positive option: http://cgi.clamav.net/sendvirus.cgi I reported one such FP yesterday

Re: [Clamav-users] Scanning performance issues on some files

2008-09-16 Thread Steve Basford
I have opened a bug #1188 I've added Bug 1190 I've got the same problem, using a windows port too --- SCAN SUMMARY --- Known viruses: 448486 Engine version: 0.94 Scanned directories: 0 Scanned files: 1 Infected files: 1 Data scanned: 16.54 MB Time: 21.500 sec (0 m 21 s)

Re: [Clamav-users] Lame mirror at [67.15.61.160]

2008-09-29 Thread Steve Basford
Dennis Peterson wrote: I have nothing but problems with (67.15.61.160). Not sure if this is a still up-to-date list checker... but some of the mirrors do look a little ropey: http://www.clamav.net/mirrors.html Cheers, Steve Sanesecurity

[Clamav-users] Sanesecurity Changes

2008-10-06 Thread Steve Basford
Hi All, There are a few changes to the Sanesecurity signature names and database names (including updated download scripts). Please read the following, as it contains all the information on the new changes: http://www.sanesecurity.co.uk/clamav/changes.pdf Cheers, Steve Sanesecurity

Re: [Clamav-users] Rejecting Executables in ZIP Files?

2008-10-15 Thread Steve Basford
My question is what am I doing wrong or what do I need to do in order for Clamav to recognize that an archived attachment contains a banned file extension and to reject it immediately? If you really want to block dangerous runnable attachments, create a .zmd file (and you'll need a .rmd file)

Re: [Clamav-users] Announcing ClamAV 0.94.1 RC1

2008-10-16 Thread Steve Basford
For details of the new features please refer to the Changelog. For an overview please refer to http://www.clamav.net/press/0.94.1-WhatsNew.pdf. Nigel, does the stats sent... only send information regarding ClamAV default signatures (when detected)... or does this also include detections by

Re: [Clamav-users] Announcing ClamAV 0.94.1 RC1

2008-10-17 Thread Steve Basford
There's a special option in freshclam (--submit-stats, currently deactivated) Hi Tomasz, from how I'd use it here, it'd certainly be a good idea to enable this option. As a side note, for users of the windows port... they'd normally run freshclam daemonised... and then could run the special

Re: [Clamav-users] False positive

2008-10-17 Thread Steve Basford
Hi, We've got a user whose files are being detected as Worm.Mydoom.M.log. These ones all happen to be PDF files saved from Word 2007. I know this doesn't help... but...looks like that name is a special hard coded name: special.c: int cli_check_mydoom_log(int desc, const char **virname)

Re: [Clamav-users] False Positive W97M.Static

2008-10-30 Thread Steve Basford
Hmm... I can't get it to work either :\ Well, doesn't work on Sanesecurity sigs now either: created a fake sample email and did a quick test local.ign: phish.ndb:9492:Sanesecurity.Phishing.Bank.9492 c:\tmp\test2.eml: Sanesecurity.Phishing.Bank.9492.UNOFFICIAL FOUND grep

Re: [Clamav-users] False Positive W97M.Static

2008-10-30 Thread Steve Basford
On Thu, 30 Oct 2008 14:40:47 - (GMT) The local whitelisting feature is currently not functional, the problem will be fixed in 0.94.1 which is scheduled for November 3rd. Thanks for the confirmation Tomasz.

Re: [Clamav-users] Twitter

2008-11-09 Thread Steve Basford
Nigel Horne wrote: Notifications of ClamAV signature updates are now available via our Twitter feed at http://twitter.com/clamav. Just to add Sanesecurity updates are also available on Twitter, showing all updates to the signatures, since July: http://twitter.com/sanesecurity

[Clamav-users] Sanesecurity.com download disabled

2008-12-11 Thread Steve Basford
Hi All, My webhost disabled sanesecurity.com due to high cpu usage, they could only give me the following information which doesn't mean a lot to me, but does this sound high? Swap: 4096564k total, 408264k used, 3688300k free, 801468k cached PID USER PR NI VIRT RES SHR S %CPU

[Clamav-users] Sanesecurity Announcement

2008-12-14 Thread Steve Basford
14/12/08 Sanesecurity signatures are no longer being updated or distributed due to extremely high server resource usage, which appears to be from a distributed denial of service attack (DDoS). I've moved server hosts twice (which takes time) and both times have resulted in the site being

Re: [Clamav-users] writing rules

2009-01-27 Thread Steve Basford
On Mon, 26 Jan 2009, Tom Shaw wrote: Local.zoosextour:4:*:0a0a687474703a2f2f{-50}2f7a6f6f736578746f75720a0a Just to add something that confused me for a while... lf *or* cr/lf ;) if you use 0a0a, it'll only work on non-windows system if you use 0d0a0d0a, it'll only work on windows system

[Clamav-users] Sanesecurity Signatures

2009-02-05 Thread Steve Basford
Hi All, Just realised that I hadn't posted an update about the signatures in this list, so thought I better had: http://sanesecurity.blogspot.com/2009/01/200109-news.html So, in short the signatures are now back.. but in a new download format. Cheers, Steve Sanesecurity

Re: [Clamav-users] How to test ClamAV

2009-02-06 Thread Steve Basford
Alex Davidson wrote: send myself EICAR test virus strings but firstly only 3 of the 7 tests hit my mail server, and secondly ClamAV doesn't detect anything, yet the next-level AV detects it just fine. I tried to send the 7 tests to my main address... only 3 arrived (the clean one - and 2 of

Re: [Clamav-users] what about sanesecurity phising database

2009-02-11 Thread Steve Basford
Hello, Anyone knows when sanesecurity phishing databases will be online? They are online... but the old scripts will not work See: http://sanesecurity.co.uk/news.htm Cheers, Steve Sanesecurity

Re: [Clamav-users] [sanesecurity] clamd now crashes

2009-03-02 Thread Steve Basford
Having used clamd for several years without it ever crashing, I am now faced with it crashing quite often. This follows me setting up the new sanesecurity system! I used the old system, before that was stopped, without any problems (I am using 0.94.2). Hi Phil, Firstly, sorry for the

Re: [Clamav-users] Database reload times

2009-03-04 Thread Steve Basford
Dennis Peterson wrote: Sparc Solaris 9, 500Mhz Known viruses: 563036 Engine version: 0.95rc1 LibClamAV Warning: *** Please update it as soon as possible.*** Known viruses: 208929 Engine version: 0.95rc1 Hi Dennis, 208929 vs 563036 sigs? would that be the speed difference?

Re: [Clamav-users] Crash with Third-Party Sigs

2009-03-04 Thread Steve Basford
Dennis Peterson wrote: I understand that, but look at the title of this thread and the misunderstanding it implies (and spreads!). Help spread the word that it may have nothing to do with third-party sigs, and certainly not Sane Security in particular as the title suggests. When I

Re: [Clamav-users] Database reload times

2009-03-05 Thread Steve Basford
On 2009-03-05 00:09, Bill Landry wrote: clamscan only uses the hardcoded database directory by default, it doesn't look at your clamd.conf settings. Hi Edwin, Just a quick question.. if you use this command it loads *just* the clamav databases fine... clamscan c:\tmp\test.eml

Re: [Clamav-users] Crash with Third-Party Sigs

2009-03-05 Thread Steve Basford
Here is information on my crash of today: Thanks Chris. Out of interest I wonder if it's worth someone who gets crashes.. could have a go at setting up http://www.virtualbox.org/ with a minimal linux system that crashes... then the ClamAV team could then download the image (maybe 2 gig) and

Re: [Clamav-users] Crash with Third-Party Sigs

2009-03-06 Thread Steve Basford
No, it just has all sorts of characters in the virus name, like ][. Chris/All... If you want to manually fix, try replacing ][Date: with - see if that passes the 0.95RC1 tests Cheers, Steve Sanesecurity

Re: [Clamav-users] News about 0.95

2009-03-12 Thread Steve Basford
The safebrowsing.cvd will be distributed under Google's terms and license. Therefore, before enabling SafeBrowsing in freshclam.conf one should check that he's OK with that license. We'll provide all necessary information and links to make it easy to find out. Hi, Just a quick question:

Re: [Clamav-users] ClamAV and VirusTotal

2009-03-17 Thread Steve Basford
Any particular reason why they are using 0.94.1 (and it appears with the most non aggressive settings)? You are not showing off your best side... Hi Tom, They use windows based version of software, as far as I can remember. Having said that... 0.94.2 is available for windows:

Re: [Clamav-users] test for SafeBrowsing?

2009-03-17 Thread Steve Basford
Is there a test string I can use to see if the SafeBrowsing code is working properly? I've just set up 0.95RC2 with SafeBrowsing enabled. I've sent an EICAR and detected that, and scanned the /usr/share/doc/clamav-0.95/test/ directory to find ClamAV-Test-File, but I would like to see a

Re: [Clamav-users] DNS server blocks database.clamav.net?

2009-04-02 Thread Steve Basford
Has anyone else ever experienced such a DNS spoofing attack against database.clamav.net? Hi, I know this doesn't really help... but there is certainly malware out there that will try to block access to Clamav.net

Re: [Clamav-users] Sanesecurity.Spam.7479.UNOFFICIAL issues

2009-04-03 Thread Steve Basford
Hi All, I've been having a few instances of the above getting flagged as a virus. Worryingly it is also flagging some of the automatic virus detected emails that mailscanner sends out. Does anyone know why it is kicking in? That signature matches Xiagra and x pills in the Subject (replace

Re: [Clamav-users] What's this? Sanesecurity.Phishing.Bank.3259

2009-04-16 Thread Steve Basford
Remote host said: 550 ClamAV detected Sanesecurity.Phishing.Bank.3259.UNOFFICIAL Can someone give me some information on this or ask more questions so that I can help. I've searched online but can't seem to find anything? Hi Mike, Could you email the sample to: ste...@webtribe.net I've

Re: [Clamav-users] What's this? Sanesecurity.Phishing.Bank.3259

2009-04-16 Thread Steve Basford
li...@grounded.net wrote: In this particular case though I think the signature is too weak and non-specific, prone to greater failure in a developer's environment than at the local community center, but still weak. It needs a larger context. Agreed... hence it's been dropped. Cheers, Steve

Re: [Clamav-users] What's this? Sanesecurity.Phishing.Bank.3259

2009-04-16 Thread Steve Basford
Glad to hear I didn't find something new. Now, on the other hand, how do I get my output to the users of the mailing list I was trying to reply to? One of these should do the trick... http://pastebin.ca/ http://jqd.org/pastebin http://papernapkin.org/pastebin/home ... or http://www.rot13.com

Re: [Clamav-users] VIRUS? PHISH? Western Union Transfer MTCN: 0258258718

2009-05-12 Thread Steve Basford
Greetings! Received the following e-mail that looks like a phishing attempt, with an attached zipped .exe file ... Hi Charles, It's been out since yesterday lunchtime... bit more info here: http://www.calendarofupdates.com/updates/index.php?showtopic=19142 Blocked yesterday as:

Re: [Clamav-users] DHL invoices

2009-09-23 Thread Steve Basford
I get lots of 'invoices' from DHL containing a zipped trojan. F-Prot recognizes them as Win32/Bredolab!Generic but ClamAV does not. Hi, Just in case this helps block them... I've been detecting these for a while if its the same sort of fake invoices I've been receiving here, using the

Re: [Clamav-users] DHL invoices

2009-09-24 Thread Steve Basford
Yeah, we already know that. Can you please cut&paste the full message returned by the form? Thanks, Hi Luca, I've *just* uploaded 4 copies of the dhl invoice malware that have been missed by up-to-date official sigs. These were blocked using Sanesecurity.Malware.12505.UNOFFICIAL. Hope it

Re: [Clamav-users] GTUBE test pattern not being picked up

2009-09-25 Thread Steve Basford
ClamAV does not pick up the GTUBE test pattern. GTUBE - the Generic Test for Unsolicited Bulk Email. Hi James, I've added support (should be ready in the next hour on the mirrors) ie: Sanesecurity.TestSig.GTUBE.UNOFFICIAL FOUND Cheers, Steve Sanesecurity

Re: [Clamav-users] Assistance needed with custom signature

2009-09-30 Thread Steve Basford
# echo word1 | sigtool --hex-dump 776f7264310a # echo word2 | sigtool --hex-dump 776f7264320a echo word3 | sigtool --hex-dump 776f7264330a Then I have put it into my test.ndb file: MyVirus:0:*:776f7264310a*776f7264330a*776f7264330a Hi, remove the 0a character(s) as echo introduces

Re: [Clamav-users] Assistance needed with custom signature

2009-09-30 Thread Steve Basford
remove the 0a character(s) as echo introduces them into sigtool. Sorry, forgot to add... this might be quicker in future... printf word0 | sigtool --hex-dump printf word1 | sigtool --hex-dump printf word2 | sigtool --hex-dump Cheers, Steve Sanesecurity

Re: [Clamav-users] Assistance needed with custom signature

2009-09-30 Thread Steve Basford
Steve you are a genius :) Thanks a stack it's working 100% now No problem Patric, glad it worked. Cheers, Steve Sanesecurity ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml

[Clamav-users] [Fwd: Advance Warning: End of Life Announcement: ClamAV 0.94.x]

2009-10-07 Thread Steve Basford
Original Message Subject:Advance Warning: End of Life Announcement: ClamAV 0.94.x Date: Wed, 07 Oct 2009 20:47:57 +0100 From: Steve Basford steveb_cla...@sanesecurity.com To: sanesecur...@freelists.org, sanesecurity_annou...@freelists.org Hi All, While

Re: [Clamav-users] [Fwd: Advance Warning: End of Life Announcement: ClamAV 0.94.x]

2009-10-07 Thread Steve Basford
Tomasz Kojm wrote: Steve, 0.95.3 will be a bugfix-only release and won't include any new features Thanks Tomasz ... so will boundary support (B) /.ign2 format be introduced later next year? Cheers, Steve Sanesecurity

Re: [Clamav-users] Some Virus not detected by Clamav

2009-10-15 Thread Steve Basford
I am interested in Tom's list of unofficial signatures - but haven't found the recommended way to use the signatures. Do I need to download them periodically - or do I just add an additional freshclam DataBaseMirror directive. In either case - exactly what is the url to download from - or to

Re: [Clamav-users] Some Virus not detected by Clamav

2009-10-15 Thread Steve Basford
Steve, The samples I have of that one are being detected by ClamAV standard sigs as Trojan.Peed-477. Wonder why you and some others didn't detect it with standard sigs? Could this be a problem? Do you have samples that were undetectable? Not sure Tom... here's a quick test... Official

Re: [Clamav-users] Some Virus not detected by Clamav

2009-10-15 Thread Steve Basford
Undetected Outlook Express malware: h t t p :/ / www.iki.fi/jarif/malware/install.zip That's one of 'em: Sanesecurity.Rogue.736.UNOFFICIAL Cheers, Steve Sanesecurity

Re: [Clamav-users] Some Virus not detected by Clamav

2009-10-16 Thread Steve Basford
The script I use has a bit more finesse than this simple overview. I use a randomizer to prevent this process from running at the same minute past the hour Note there's a *tiny* chance if the script runs at 10.07 and then 11.03, you'll get temp block for an hour from some of the mirrors,

Re: [Clamav-users] APER

2009-10-22 Thread Steve Basford
Hope I haven't missed this one being discussed... but ... Has anyone turned this into a regularly updated set of ClamAV signatures? Hi, Firstly, spear.ndb generated from the APER feed and has been for a while now: http://sanesecurity.co.uk/databases.htm Secondly, I've two more databases

Re: [Clamav-users] APER

2009-10-22 Thread Steve Basford
Check out Julian Field's ScamNailer: http://www.scamnailer.info/ 18/10/2009 - New scamnailer.ndb ClamAV signature database is now available from http://www.mailscanner.eu/scamnailer.ndb. This is updated very frequently. Do not download it more than once per hour! Ok, that's the database

[Clamav-users] [Fwd: [sanesecurity] x86_64 users: possible malformed database problems]

2009-10-25 Thread Steve Basford
Hi All, Some users (mainly x86_64 so far) noticed database errors (malformed database) when loading signatures. As signature integrity is checked before upload to the mirrors and the download scripts check integrity before use, this issue should not arise. With help from various people on

[Clamav-users] [Fwd: [sanesecurity_announce] Signature news]

2009-10-25 Thread Steve Basford
Hi All, I'm pleased to announce two new signatures databases: New Database 1: Database name: spearl.ndb Description: phishing_links is a list of generic forms used for e-mail account phishing Provider: APER Risk of FP's: low Website: http://code DOT google DOT

Re: [Clamav-users] Help with clamav-milter white list

2009-10-28 Thread Steve Basford
I am getting some legitimate mail tagged as SPAM. Below is the header from one such e-mail. X-Virus-Status: Infected (Sanesecurity.Phishing.Pay.6348.UNOFFICIAL) Subject: freebsd-stable Digest, Vol 328, Issue 3 Hi, Just a quick note to add that this wasn't a False Positive as such, a

Re: [Clamav-users] where is 0.93 src?

2009-10-28 Thread Steve Basford
Tom Shaw wrote: Link of website goes to SF and there there is the sig but not the gz'd source. Hi Tom, Perhaps it's got something to do with this?: 2009-10-28: Unplanned outage Wednesday, October 28th, 2009 From 16:34 to 18:11 UTC today, Wednesday October 28, 2009, SourceForge.net

Re: [Clamav-users] clamav-0.95.3 fails to compile in Fedora 10

2009-10-29 Thread Steve Basford
Hi same Error on FreeBSD 4.10 This fix was added yesterday, so that might be the issue: http://git.clamav.net/gitweb?p=clamav-devel.git;a=commitdiff;h=e889924a70e881e0d74ade2b53b5255b94523161 ie: unistd.h - standard symbolic constants and types: (int getpagesize(void); (LEGACY))

Re: [Clamav-users] load issues due to sanesecurity signatures

2009-11-03 Thread Steve Basford
Hi everyone, We are using Sanesecurity signatures in clamd for scanning mails. Recently we are seeing some load issues on clamd server due to sanesecurity signatures (load is automatically decreasing when the sanesecurity sigs are removed) Hi Avinash, I guess as others have already asked,

Re: [Clamav-users] load issues due to sanesecurity signatures

2009-11-03 Thread Steve Basford
Last week I offered some help to early diagnose possible problems before they hit the end users and I was trying to establish some cooperation with you and the other db providers in order to improve your QA process. Hi sorry for not replying earlier... I'll email off-list with a few

Re: [Clamav-users] load issues due to sanesecurity signatures

2009-11-05 Thread Steve Basford
Freddie Cash wrote: Yes, I still have this directory. If anyone is interested in it, I can tar it up and make it available. Can also tar up the working directory if needed. Hi, Yep, I'll take a look and see if I can see anything this end. Cheers, Steve Sanesecurity

[Clamav-users] sanesecurity_announce - dns updates new signature decoder

2009-11-15 Thread Steve Basford
Couple of announces for those using Third-Party signatures Original Message Hi All, Due to my dns management provider withdrawing their free dns platform, I've now moved over to their paid dns platform. I've now updated all the public rsync.sanesecurity.net and the private

Re: [Clamav-users] SubmitDetectionStats Error

2009-11-23 Thread Steve Basford
maybe we could just start with a dedicated twitter account (clamav_infrastructure or something similar) where I could post updates regarding planned downtimes & similar stuff. I've seen other projects doing the same. Hi Luca, I use both identi.ca and Twitter to post updates, with seemingly

Re: [Clamav-users] TargetType

2010-02-16 Thread Steve Basford
Attached document? I did not see an attachment. Can you send a link? Is this the TargetType you are after... 2.3.4 Extended signature format The extended signature format allows for specification of additional information such as a target file type, virus offset or engine version, making

Re: [Clamav-users] TargetType

2010-02-16 Thread Steve Basford
Tom Shaw wrote: Is there a def of .fmt format? Hi Tom, Ah, see what you wanted now ;) BTW, don't forget Sanesecurity has had additional types for a while now, in sanesecurity.ftm and distributed on the mirrors. Cheers, Steve Sanesecurity

Re: [Clamav-users] Missed detection

2010-03-18 Thread Steve Basford
Any ideas? I have a couple more like this in my DB. Hi Tom, Drop me the sample (usual email address) and I'll test things this end. Cheers, Steve Sanesecurity

[Clamav-users] www.clamav.net down?

2010-04-16 Thread Steve Basford
Hi, www.clamav.net seems to have been down for short periods of time today, is there extra load due to the EOL announce on the site? Example here: http://host-tracker.com/check_res_ajx/4730986-0/ Cheers, Steve Sanesecurity

[Clamav-users] The EOL tweets

2010-04-16 Thread Steve Basford
Hi, Just for interest.. feedback on EOL... http://search.twitter.com/search?q=clamav Cheers, Steve Sanesecurity

Re: [Clamav-users] ClamAV on Windows Server 2003

2010-04-20 Thread Steve Basford
Does anyone know if there is still a Windows compilation which will run on Windows Server 2003 SP2? ClamAV (clam-latest-32.exe) refuses to install on this operating system and ClamWin seems to have mutated into a desktop product which lacks clamd and clamdscan etc. Hi Tim, Have you tried
