Re: [clamav-users] CryLocker and Cryptolocker

2016-09-15 Thread Kris Deugau
Matus UHLAR - fantomas wrote:
> On 15.09.16 00:51, Reindl Harald wrote:
>> frankly i have seen companies blocking every .doc and .xls attachment
>> with a reject info that you should use .docx and .xlsx because they
>> can't contain macros (would be .docm for the new formats)
> 
> .docm is docx with macros, so they would want to block them too :-)

... and there's nothing stopping a malicious sender (human or program)
from misrepresenting a document to bypass filename-based filters.

-kgd
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
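Kris's point about filename-based filters, with an added example that is not from the thread and not ClamAV code: a content-based check that classifies an attachment by its bytes (the OLE2 header magic, or a vbaProject.bin part inside a zip-based Office file), so a macro document renamed to .docx or .txt is still recognised. The build_ooxml helper, the sample attachments and the function names classify_attachment and macro_capable are constructed for this demonstration.

```python
import io
import zipfile

# Header magic of an OLE2 / Compound File container (legacy .doc, .xls, .ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Classify by content only: 'ole2', 'ooxml-macro', 'ooxml' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"  # legacy container; may carry VBA streams
    if data[:4] == b"PK\x03\x04":  # zip local file header
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "other"
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"  # the part that makes a .docm/.xlsm
        if "[content_types].xml" in names:
            return "ooxml"  # Office Open XML without a VBA part
    return "other"

def macro_capable(data: bytes) -> bool:
    """Gateway policy: block anything whose bytes can carry macros.
    This mirrors the 'block every .doc/.xls' rule from the thread, but it
    keys on content, so renaming the file does not dodge it."""
    return classify_attachment(data) in ("ole2", "ooxml-macro")

def build_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-shaped zip (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-stub")
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed samples whose names deliberately misrepresent the content.
    samples = {
        "report.docx": build_ooxml(with_vba=True),  # really a macro document
        "budget.txt": OLE2_MAGIC + b"\x00" * 504,   # really a legacy OLE2 file
        "memo.docx": build_ooxml(with_vba=False),   # genuinely macro-free
    }
    for name, blob in samples.items():
        verdict = "block" if macro_capable(blob) else "allow"
        print(f"{name}: {classify_attachment(blob)} -> {verdict}")
```

ClamAV's own ScanOLE2 parser makes the same content-based determination on the scanner side; this check is for the gateway-level attachment policy that would otherwise key on the filename alone.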


Re: [clamav-users] CryLocker and Cryptolocker

2016-09-15 Thread Reindl Harald

On 15.09.2016 at 10:12, Matus UHLAR - fantomas wrote:
>> On 14.09.2016 at 17:47, Alex wrote:
>>> The problem with setting OLE2BlockMacros to yes is that if you don't
>>> implement your own signatures against macro code, setting
>>> OLE2BlockMacros Yes effectively causes Heuristics.OLE2.ContainsMacros
>>> to be returned and disables all official and unofficial signatures.
>>> If OLE2BlockMacros is Yes then the only option is to treat every file
>>> with macros as a virus and e.g. discard if you want to block the files
>>> that do contain a macro virus, as outlined by David Shrimpton on this
>>> list a few weeks ago
>
> On 15.09.16 00:51, Reindl Harald wrote:
>> which is the whole point
>>
>> it's impossible to get them all caught with signatures because they
>> change all the time and so if you want to be sure you need to treat
>> every office macro as bad - they don't belong in emails these days
>>
>> frankly i have seen companies blocking every .doc and .xls attachment
>> with a reject info that you should use .docx and .xlsx because they
>> can't contain macros (would be .docm for the new formats)
>
> .docm is docx with macros, so they would want to block them too :-)

did i say anything else?

i just pointed out that people even start to block FILETYPES which
*could* contain macros



Re: [clamav-users] CryLocker and Cryptolocker

2016-09-15 Thread Matus UHLAR - fantomas

> On 14.09.2016 at 17:47, Alex wrote:
>> The problem with setting OLE2BlockMacros to yes is that if you don't
>> implement your own signatures against macro code, setting
>> OLE2BlockMacros Yes effectively causes Heuristics.OLE2.ContainsMacros
>> to be returned and disables all official and unofficial signatures.
>> If OLE2BlockMacros is Yes then the only option is to treat every file
>> with macros as a virus and e.g. discard if you want to block the files
>> that do contain a macro virus, as outlined by David Shrimpton on this
>> list a few weeks ago

On 15.09.16 00:51, Reindl Harald wrote:
> which is the whole point
>
> it's impossible to get them all caught with signatures because they
> change all the time and so if you want to be sure you need to treat
> every office macro as bad - they don't belong in emails these days
>
> frankly i have seen companies blocking every .doc and .xls attachment
> with a reject info that you should use .docx and .xlsx because they
> can't contain macros (would be .docm for the new formats)

.docm is docx with macros, so they would want to block them too :-)
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
It's now safe to throw off your computer.


Re: [clamav-users] CryLocker and Cryptolocker

2016-09-14 Thread Reindl Harald



On 14.09.2016 at 17:47, Alex wrote:
> The problem with setting OLE2BlockMacros to yes is that if you don't
> implement your own signatures against macro code, setting
> OLE2BlockMacros Yes effectively causes Heuristics.OLE2.ContainsMacros
> to be returned and disables all official and unofficial signatures.
> If OLE2BlockMacros is Yes then the only option is to treat every file
> with macros as a virus and e.g. discard if you want to block the files
> that do contain a macro virus, as outlined by David Shrimpton on this
> list a few weeks ago

which is the whole point

it's impossible to get them all caught with signatures because they
change all the time and so if you want to be sure you need to treat
every office macro as bad - they don't belong in emails these days

frankly i have seen companies blocking every .doc and .xls attachment
with a reject info that you should use .docx and .xlsx because they
can't contain macros (would be .docm for the new formats)



Re: [clamav-users] CryLocker and Cryptolocker

2016-09-14 Thread Steve basford

On 14 September 2016 18:20:17 Alex wrote:
> I also don't always get the feedback from the users on the
> specific Word documents that were missed, only that their desktop was
> compromised.

Without having a sample it's a bit difficult but
if you do get a sample that would be great.

Also, a drive-by infection could be the desktop cause... unless they are
telling you they clicked on a document.


Steve
Twitter: @sanesecurity




Re: [clamav-users] CryLocker and Cryptolocker

2016-09-14 Thread Alex
Hi,

>> Yes, I'm using all the third-party sigs, including sanesecurity, but
>> they are still getting through.
>>
> Hi Alex,
>
> What types are getting through JavaScript or docs etc.

JavaScript (.js files) is rejected outright.

I don't have any examples, particularly of the cryptolocker type, but
it's what customers are complaining about. It's almost always Word
documents. I also don't always get the feedback from the users on the
specific Word documents that were missed, only that their desktop was
compromised.

I hate to have to completely block macros because a better solution
doesn't exist. One customer recently did an eval with another company
that used F-Secure, and it continually outperformed clamav with
blocking macro viruses that would otherwise have been missed. It made
us look real bad.

> What dbs are you using ?

Here is the full list:

badmacro.ndb
blurl.ndb
bofhland_cracked_URL.ndb
bofhland_malware_attach.hdb
bofhland_malware_URL.ndb
bofhland_phishing_URL.ndb
bytecode.cld
crdfam.clamav.hdb
daily.cld
foxhole_filename.cdb
foxhole_generic.cdb
foxhole_js.cdb
hackingteam.hsb
javascript.ndb
junk.ndb
jurlbla.ndb
jurlbl.ndb
lott.ndb
main.cvd
malwarehash.hsb
malwarepatrol.ndb
mirrors.dat
phish.ndb
phishtank.ndb
porcupine.hsb
porcupine.ndb
rogue.hdb
safebrowsing.cld
sanesecurity.ftm
scamnailer.ndb
scam.ndb
securiteinfoascii.hdb
securiteinfo.hdb
securiteinfohtml.hdb
securiteinfo.ign2
sigwhitelist.ign2
spamattach.hdb
spamimg.hdb
spam.ldb
spearl.ndb
spear.ndb
winnow.attachments.hdb
winnow_bad_cw.hdb
winnow.complex.patterns.ldb
winnow_extended_malware.hdb
winnow_extended_malware_links.ndb
winnow_malware.hdb
winnow_malware_links.ndb
winnow_phish_complete_url.ndb
winnow_spam_complete.ndb


Re: [clamav-users] CryLocker and Cryptolocker

2016-09-14 Thread Steve Basford

On Wed, September 14, 2016 5:51 pm, Philip Parsons wrote:
> I am also still having a bunch get through: .doc, .zip, .docm. Most of the
> JavaScript ones are not making it in.

Hi Philip,

If you zip up a few samples with a password:

samp...@sanesecurity.me.uk

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] CryLocker and Cryptolocker

2016-09-14 Thread Philip Parsons
I am also still having a bunch get through: .doc, .zip, .docm. Most of the
JavaScript ones are not making it in.

-Original Message-
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of
Steve basford
Sent: September 14, 2016 9:43 AM
To: ClamAV users ML
Subject: Re: [clamav-users] CryLocker and Cryptolocker

On 14 September 2016 16:48:45 Alex wrote:

>
> Yes, I'm using all the third-party sigs, including sanesecurity, but 
> they are still getting through.
>
Hi Alex,

What types are getting through JavaScript or docs etc.

What dbs are you using ?

Can you send some missed samples offlist  and I'll check.

Sorry this is brief .. mobile atm

Cheers,

Steve
Twitter: @sanesecurity




Re: [clamav-users] CryLocker and Cryptolocker

2016-09-14 Thread Steve basford

On 14 September 2016 16:48:45 Alex wrote:
> Yes, I'm using all the third-party sigs, including sanesecurity, but
> they are still getting through.

Hi Alex,

What types are getting through JavaScript or docs etc.

What dbs are you using ?

Can you send some missed samples offlist  and I'll check.

Sorry this is brief .. mobile atm

Cheers,

Steve
Twitter: @sanesecurity




Re: [clamav-users] CryLocker and Cryptolocker

2016-09-14 Thread Vincent Fox

>Does anyone think it's reasonable/acceptable to block all macros in
>any sizable organization?

Yes.

We are 2-4 million messages/day, dunno if that is "sizable" to you.





Re: [clamav-users] CryLocker and Cryptolocker

2016-09-14 Thread Alex
Hi,

>> What's being done about blocking attacks from the new crylocker and
>> the various types of cryptolocker?

> all that crap needs to make it somehow to the victim's machine
> http://sanesecurity.com/foxhole-databases/

Yes, I'm using all the third-party sigs, including sanesecurity, but
they are still getting through.

I was also curious about the specific signatures that exist to catch
these, so I can watch for them in my logs.

> use all of them and score any attachment with macros high combined with
> bayes training if you can't reject it at all with a milter instance
>
> [root@mail-gw:/etc/clamd.d]$ cat scan.conf | grep -i ole
> ScanOLE2 yes
> OLE2BlockMacros no
>
> [root@mail-gw:/etc/clamd.d]$ cat scan-sa.conf | grep -i ole
> ScanOLE2 yes
> OLE2BlockMacros yes

The problem with setting OLE2BlockMacros to yes is that if you don't
implement your own signatures against macro code, setting
OLE2BlockMacros Yes effectively causes Heuristics.OLE2.ContainsMacros
to be returned and disables all official and unofficial signatures.
If OLE2BlockMacros is Yes then the only option is to treat every file
with macros as a virus and eg discard if you want to block the files
that do contain a macro virus, as outlined by David Shrimpton on this
list a few weeks ago.

Unless that was your intent? Are you disabling the blocking of these
viruses by scoring emails with macro attachments so high that they're
quarantined? This doesn't appear to be what you're explaining,
however, because you're advocating sanesecurity.

Does anyone think it's reasonable/acceptable to block all macros in
any sizable organization?

This is an ongoing issue for us, while other systems with F-Secure
appear to be blocking them all.

*disclaimer* I know clamav isn't responsible for blocking, only marking.


Re: [clamav-users] CryLocker and Cryptolocker

2016-09-14 Thread Reindl Harald



On 14.09.2016 at 17:08, Alex wrote:
> What's being done about blocking attacks from the new crylocker and
> the various types of cryptolocker?
>
> https://fightransomware.com/ransomware-articles/crylocker-ransomware-compiles-victims-data-fake-image-file-uploads-imgur/?linkId=28721757
>
> Are there specific patterns that have been designed to block these
> attempts with the default daily rules, or is it third-party rules, or
> otherwise?

all that crap needs to make it somehow to the victim's machine
http://sanesecurity.com/foxhole-databases/

use all of them and score any attachment with macros high combined with
bayes training if you can't reject it at all with a milter instance

[root@mail-gw:/etc/clamd.d]$ cat scan.conf | grep -i ole
ScanOLE2 yes
OLE2BlockMacros no

[root@mail-gw:/etc/clamd.d]$ cat scan-sa.conf | grep -i ole
ScanOLE2 yes
OLE2BlockMacros yes