Re: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

2016-03-31 Thread Jerry
On Wed, 30 Mar 2016 20:46:27 -0400, Paul Kosinski stated:

>The bug is called "BadLock", and, since Microsoft is working on it too,
>I'd guess it's an SMB protocol bug.

You can check out these URLs:

http://www.securityweek.com/microsoft-samba-preparing-patch-severe-badlock-flaw

https://nakedsecurity.sophos.com/2016/03/24/badlock-critical-vulnerability-nice-logo-no-details/

-- 
Jerry
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

2016-03-30 Thread Dennis Peterson
This appears to be both a legitimate test file (wintest.py) and a useful 
signature. ClamAV has a built-in solution for resolving these conflicts. You 
create a *.fp file that contains the checksum of the specific file and it will 
be ignored after the next reload.


sigtool --md5 wintest.py >sambatest.fp

Place the resulting file in the clamav sig directory and reload.

Sometimes these things happen.

dp

On 3/30/16 7:00 PM, Al Varnell wrote:

With all the name changing that happened in the new database, I don’t think I 
can come close to guessing how old the signature might be.

It is in Extended Signature Format (.ndb) looking for an ASCII text file 
(normalized) with any offset and an ASCII string of:

netsh firewall set_opmode mode = disable

except that I substituted an underscore “_” for one space to prevent a copy 
from this e-mail from being identified as infected.

I have confirmed that the wintest.py file does contain this string and that 
there is no subsequent command to re-enable the firewall

I’ll have to leave it to those more familiar to say how advisable disabling the 
firewall on a Windows machine would be under these circumstances.

-Al-

On Wed, Mar 30, 2016 at 05:46 PM, Paul Kosinski wrote:

The only file that was flagged as containing a virus (trojan) was
"wintest.py" in the "wintest" directory of the Samba source code. This
sounds like it's only a file for testing Samba (when built for
Windows?), and, unless it's something really sneaky, shouldn't be able
to affect a running Samba.

The bug is called "BadLock", and, since Microsoft is working on it too,
I'd guess it's an SMB protocol bug. Furthermore, some years ago MS was
stonewalling Samba. If it were a Samba-only bug, MS probably wouldn't
actively work on it, but rather would use it to tout the advantages of
Windows Server.

Paul Kosinski

On Thu, 31 Mar 2016 10:51:55 +1100
Andrew McGlashan  wrote:



On 31/03/2016 5:32 AM, Alain Zidouemba wrote:

Paul:

Thanks for reporting this FP. This will be fixed momentarily.

Is it really a false positive?

There has been a heads up that SAMBA code has a problem and that both
Microsoft and Samba are working on a solution that will be released on
the next patch Tuesday.

That download could be part of this somehow, I don't know.  But it
shouldn't blindly be considered a FP, that's for sure!


- Alain

On Wed, Mar 30, 2016 at 2:18 PM, Paul Kosinski
 wrote:


I just downloaded samba-4.4.0.tar.gz (the latest) from samba.org,
and, after downloading via HTTPS, ClamAV (0.99.1/21479) reports
that the gz file contains Win.Trojan.Qhost-106. In particular, the
single file wintest.py in the subdirectory wintest is reported.

Kind Regards
AndrewM




Re: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

2016-03-30 Thread Paul Kosinski
The "wintest.py" file does seem to be able to turn off the Windows
firewall, but it also has a bunch of other potentially nasty functions
built in, including  deleting whole directories, manipulating VMs and
modifying IP addresses. Since it's apparently for testing, and isn't
for Linux, I doubt if it could cause my Linux Samba any trouble. People
who build and run Samba on Windows should be careful, and of course read
the documentation.


On Wed, 30 Mar 2016 19:00:46 -0700
Al Varnell  wrote:

> With all the name changing that happened in the new database, I don’t
> think I can come close to guessing how old the signature might be.
> 
> It is in Extended Signature Format (.ndb) looking for an ASCII text
> file (normalized) with any offset and an ASCII string of:
> 
> netsh firewall set_opmode mode = disable
> 
> except that I substituted an underscore “_” for one space to prevent
> a copy from this e-mail from being identified as infected.
> 
> I have confirmed that the wintest.py file does contain this string
> and that there is no subsequent command to re-enable the firewall
> 
> I’ll have to leave it to those more familiar to say how advisable disabling
> the firewall on a Windows machine would be under these circumstances.
> 
> -Al-
> 
> On Wed, Mar 30, 2016 at 05:46 PM, Paul Kosinski wrote:
> > 
> > The only file that was flagged as containing a virus (trojan) was
> > "wintest.py" in the "wintest" directory of the Samba source code.
> > This sounds like it's only a file for testing Samba (when built for
> > Windows?), and, unless it's something really sneaky, shouldn't be
> > able to affect a running Samba.
> > 
> > The bug is called "BadLock", and, since Microsoft is working on it
> > too, I'd guess it's an SMB protocol bug. Furthermore, some years
> > ago MS was stonewalling Samba. If it were a Samba-only bug, MS
> > probably wouldn't actively work on it, but rather would use it to
> > tout the advantages of Windows Server.
> > 
> > Paul Kosinski
> > 
> > On Thu, 31 Mar 2016 10:51:55 +1100
> > Andrew McGlashan  wrote:
> > 
> >> 
> >> 
> >> On 31/03/2016 5:32 AM, Alain Zidouemba wrote:
> >>> Paul:
> >>> 
> >>> Thanks for reporting this FP. This will be fixed momentarily.
> >> 
> >> Is it really a false positive?
> >> 
> >> There has been a heads up that SAMBA code has a problem and that
> >> both Microsoft and Samba are working on a solution that will be
> >> released on the next patch Tuesday.
> >> 
> >> That download could be part of this somehow, I don't know.  But it
> >> shouldn't blindly be considered a FP, that's for sure!
> >> 
> >>> - Alain
> >>> 
> >>> On Wed, Mar 30, 2016 at 2:18 PM, Paul Kosinski
> >>>  wrote:
> >>> 
> >>>> I just downloaded samba-4.4.0.tar.gz (the latest) from samba.org,
> >>>> and, after downloading via HTTPS, ClamAV (0.99.1/21479) reports
> >>>> that the gz file contains Win.Trojan.Qhost-106. In particular,
> >>>> the single file wintest.py in the subdirectory wintest is
> >>>> reported.
> >> 
> >> Kind Regards
> >> AndrewM

Re: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

2016-03-30 Thread Al Varnell
With all the name changing that happened in the new database, I don’t think I 
can come close to guessing how old the signature might be.

It is in Extended Signature Format (.ndb) looking for an ASCII text file 
(normalized) with any offset and an ASCII string of:

netsh firewall set_opmode mode = disable

except that I substituted an underscore “_” for one space to prevent a copy 
from this e-mail from being identified as infected.

I have confirmed that the wintest.py file does contain this string and that 
there is no subsequent command to re-enable the firewall

I’ll have to leave it to those more familiar to say how advisable disabling the 
firewall on a Windows machine would be under these circumstances.

-Al-

On Wed, Mar 30, 2016 at 05:46 PM, Paul Kosinski wrote:
> 
> The only file that was flagged as containing a virus (trojan) was
> "wintest.py" in the "wintest" directory of the Samba source code. This
> sounds like it's only a file for testing Samba (when built for
> Windows?), and, unless it's something really sneaky, shouldn't be able
> to affect a running Samba.
> 
> The bug is called "BadLock", and, since Microsoft is working on it too,
> I'd guess it's an SMB protocol bug. Furthermore, some years ago MS was
> stonewalling Samba. If it were a Samba-only bug, MS probably wouldn't
> actively work on it, but rather would use it to tout the advantages of
> Windows Server.
> 
> Paul Kosinski
> 
> On Thu, 31 Mar 2016 10:51:55 +1100
> Andrew McGlashan  wrote:
> 
>> 
>> 
>> On 31/03/2016 5:32 AM, Alain Zidouemba wrote:
>>> Paul:
>>> 
>>> Thanks for reporting this FP. This will be fixed momentarily.
>> 
>> Is it really a false positive?
>> 
>> There has been a heads up that SAMBA code has a problem and that both
>> Microsoft and Samba are working on a solution that will be released on
>> the next patch Tuesday.
>> 
>> That download could be part of this somehow, I don't know.  But it
>> shouldn't blindly be considered a FP, that's for sure!
>> 
>>> - Alain
>>> 
>>> On Wed, Mar 30, 2016 at 2:18 PM, Paul Kosinski
>>>  wrote:
>>> 
>>>> I just downloaded samba-4.4.0.tar.gz (the latest) from samba.org,
>>>> and, after downloading via HTTPS, ClamAV (0.99.1/21479) reports
>>>> that the gz file contains Win.Trojan.Qhost-106. In particular, the
>>>> single file wintest.py in the subdirectory wintest is reported.
>> 
>> Kind Regards
>> AndrewM


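Dennis's `sigtool --md5` / *.fp suggestion and Al's description of the .ndb signature, worked through as an added example (this is not code from the thread, from ClamAV or from Samba). It builds an .ndb line from an ASCII string the way Al describes it (target type 7, "ASCII text file (normalized)", offset `*`), produces the `MD5:size:name` line that `sigtool --md5 FILE` prints, and runs a toy scanner that first reports the hit and then suppresses it once the file's hash is whitelisted. The sample file is constructed (it is not Samba's wintest.py; the underscore in the marker string is kept as in Al's post), the text normalization only approximates ClamAV's, and the signature name is used purely as a label.

```python
import hashlib
import re

# Constructed stand-in for the flagged test script (not the real wintest.py).
# The underscore in the marker string is kept as in Al's post.
SAMPLE_FILE = b"""#!/usr/bin/env python
# constructed sample, not Samba's wintest.py
def disable_firewall(run):
    run("netsh firewall set_opmode mode = disable")
"""

# ClamAV target type 7 is "ASCII text file (normalized)"; 0 would mean any file.
TARGET_ASCII_NORMALIZED = 7


def ndb_signature(name: str, needle: str, target_type: int = TARGET_ASCII_NORMALIZED,
                  offset: str = "*") -> str:
    """Build an .ndb line, MalwareName:TargetType:Offset:HexBody, from an ASCII string."""
    return f"{name}:{target_type}:{offset}:{needle.encode('ascii').hex()}"


def parse_ndb(line: str):
    """Split an .ndb line back into its four fields; the body comes back as bytes."""
    name, target_type, offset, hexbody = line.strip().split(":", 3)
    return name, int(target_type), offset, bytes.fromhex(hexbody)


def fp_entry(data: bytes, name: str) -> str:
    """The line `sigtool --md5 FILE` prints: MD5:size:name (the .fp / .hdb format)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def normalize_ascii(data: bytes) -> bytes:
    """Approximation of ClamAV's text normalization: lowercase, collapse whitespace."""
    return re.sub(rb"\s+", b" ", data.lower()).strip()


def scan(data: bytes, ndb_lines, fp_lines):
    """Return the name of the first matching .ndb signature, or None.

    A file whose MD5 and size appear in the .fp list is never reported, which is
    what makes the whitelist file silence the hit after a database reload."""
    whitelist = set()
    for line in fp_lines:
        fields = line.strip().split(":")
        if len(fields) >= 2:
            whitelist.add((fields[0], fields[1]))
    if (hashlib.md5(data).hexdigest(), str(len(data))) in whitelist:
        return None

    for line in ndb_lines:
        name, target_type, offset, body = parse_ndb(line)
        if target_type == TARGET_ASCII_NORMALIZED:
            haystack, needle = normalize_ascii(data), normalize_ascii(body)
        else:
            haystack, needle = data, body
        if offset == "*":
            found = needle in haystack
        else:
            found = haystack.startswith(needle, int(offset))
        if found:
            return name
    return None


def demo():
    """Reproduce the thread: the sample hits the string signature, then the
    .fp line generated from the very same bytes suppresses it."""
    sig = ndb_signature("Win.Trojan.Qhost-106", "netsh firewall set_opmode mode = disable")
    before = scan(SAMPLE_FILE, [sig], [])
    whitelist = fp_entry(SAMPLE_FILE, "wintest.py")
    after = scan(SAMPLE_FILE, [sig], [whitelist])
    return before, after


if __name__ == "__main__":
    print(ndb_signature("Win.Trojan.Qhost-106", "netsh firewall set_opmode mode = disable"))
    print(fp_entry(SAMPLE_FILE, "wintest.py"))
    print(demo())
```

Two things the toy makes visible: the signature is a plain substring search over normalized text, which is why an innocuous test script that merely contains the command line matches; and the .fp entry is bound to the exact bytes, so a later Samba release with a different wintest.py (different size or MD5) will be flagged again until the entry is regenerated.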

Re: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

2016-03-30 Thread Paul Kosinski
The only file that was flagged as containing a virus (trojan) was
"wintest.py" in the "wintest" directory of the Samba source code. This
sounds like it's only a file for testing Samba (when built for
Windows?), and, unless it's something really sneaky, shouldn't be able
to affect a running Samba.

The bug is called "BadLock", and, since Microsoft is working on it too,
I'd guess it's an SMB protocol bug. Furthermore, some years ago MS was
stonewalling Samba. If it were a Samba-only bug, MS probably wouldn't
actively work on it, but rather would use it to tout the advantages of
Windows Server.

Paul Kosinski





On Thu, 31 Mar 2016 10:51:55 +1100
Andrew McGlashan  wrote:

> 
> 
> On 31/03/2016 5:32 AM, Alain Zidouemba wrote:
> > Paul:
> > 
> > Thanks for reporting this FP. This will be fixed momentarily.
> 
> Is it really a false positive?
> 
> There has been a heads up that SAMBA code has a problem and that both
> Microsoft and Samba are working on a solution that will be released on
> the next patch Tuesday.
> 
> That download could be part of this somehow, I don't know.  But it
> shouldn't blindly be considered a FP, that's for sure!
> 
> > - Alain
> > 
> > On Wed, Mar 30, 2016 at 2:18 PM, Paul Kosinski
> >  wrote:
> > 
> >> I just downloaded samba-4.4.0.tar.gz (the latest) from samba.org,
> >> and, after downloading via HTTPS, ClamAV (0.99.1/21479) reports
> >> that the gz file contains Win.Trojan.Qhost-106. In particular, the
> >> single file wintest.py in the subdirectory wintest is reported.
> 
> Kind Regards
> AndrewM
> 


Re: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

2016-03-30 Thread Andrew McGlashan


On 31/03/2016 5:32 AM, Alain Zidouemba wrote:
> Paul:
> 
> Thanks for reporting this FP. This will be fixed momentarily.

Is it really a false positive?

There has been a heads up that SAMBA code has a problem and that both
Microsoft and Samba are working on a solution that will be released on
the next patch Tuesday.

That download could be part of this somehow, I don't know.  But it
shouldn't blindly be considered a FP, that's for sure!

> - Alain
> 
> On Wed, Mar 30, 2016 at 2:18 PM, Paul Kosinski 
> wrote:
> 
>> I just downloaded samba-4.4.0.tar.gz (the latest) from samba.org, and,
>> after downloading via HTTPS, ClamAV (0.99.1/21479) reports that the gz
>> file contains Win.Trojan.Qhost-106. In particular, the single file
>> wintest.py in the subdirectory wintest is reported.

Kind Regards
AndrewM




Re: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

2016-03-30 Thread Paul Kosinski
I use ClamAV not only because it costs nothing, but also, and mainly,
because it is Open Source, and as such, I trust it more than I trust
proprietary AV software, much of which is bloated, and some of which is
reputed to do creepy things. (Not to mention there isn't very much AV
software for Linux.)  Our one Windows 7 machine also has Microsoft's
free AV scanner for "defense in depth" because ... if you're using
Windows, you pretty much have to trust Microsoft.

I not only use ClamAV to scan email, I also use it with HAVP to scan
HTTP, and am even thinking about maybe setting up a MITM for HTTPS
(like much commercial AV does, which is part of the reason I am
suspicious of it). Since I currently can't scan HTTPS traffic, I scan
everything I download via HTTPS manually, especially such critical items
as Samba source.

I also use ClamAV to scan removable drives. In other words, I think
ClamAV is much more than just an email scanner.

Paul Kosinski

P.S. I compile Samba myself because I make a slight change to the way
the VFS-Recycle component names versions: I name the backup of "X" to
be "X.1" rather than "Copy-of-X". (That may be the Microsoft Way, but
it sorts neither alphabetically nor chronologically next to "X".)



On Wed, 30 Mar 2016 22:53:08 +0200
"C.D. Cochrane"  wrote:

> Hi, I am the new guy here so please forgive my ignorance :)  But
> "ClamAV is the open source standard for mail gateway scanning
> software"  It sure seems like a lot of people are getting hot about
> FPs on files that are NOT received as emails?  I keep seeing log
> files, samba distributions and full Windows C:\ scans where people
> complain about false positives.  Shouldn't that be product other than
> ClamAV doing these scans?  I mean if it's not arriving in your inbox
> as an attachment why are you scanning it with ClamAV?
> 
> 
> >>Sent: Wednesday, March 30, 2016 at 2:18 PM
> >>From: "Paul Kosinski" 
> >>To: clamav-users@lists.clamav.net
> >>Subject: [clamav-users] Latest samba source contains
> >>Win.Trojan.Qhost-106? I just downloaded samba-4.4.0.tar.gz (the
> >>latest) from samba.org, and, after downloading via HTTPS, ClamAV
> >>(0.99.1/21479) reports that the gz file contains
> >>Win.Trojan.Qhost-106. In particular, the single file wintest.py in
> >>the subdirectory wintest is reported.

Re: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

2016-03-30 Thread Al Varnell
My impression has long been that the majority of signatures are not e-mail 
content or attachment related.

Sent from Janet's iPad

-Al-

On Mar 30, 2016, at 2:27 PM, "C.D. Cochrane"  wrote:
> It just appears from reading this list that any FP on a non-standard use of 
> the product (not email attachment) gets a high priority among the ClamAV 
> team.  One would think that non-standard FPs would be pushed way down on the 
> to-do list.  If they are getting 1 million virus reports per day, then fixing 
> a false positive on a downloaded distribution should take a few weeks to get 
> to.
> 
>>> Still, people have choices and they can do what they want. Whilst there
>>> is the option, and a belief that an AV solution should be effective,
>>> then naturally people will expect it and report their FP's. (And who
>>> can blame them).


Re: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

2016-03-30 Thread C.D. Cochrane
It just appears from reading this list that any FP on a non-standard use of the 
product (not email attachment) gets a high priority among the ClamAV team.  One 
would think that non-standard FPs would be pushed way down on the to-do list.  
If they are getting 1 million virus reports per day, then fixing a false 
positive on a downloaded distribution should take a few weeks to get to.

>>Still, people have choices and they can do what they want. Whilst there
>>is the option, and a belief that an AV solution should be effective,
>>then naturally people will expect it and report their FP's. (And who
>>can blame them).


Re: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

2016-03-30 Thread Groach

On 30/03/2016 22:53, C.D. Cochrane wrote:

Hi, I am the new guy here so please forgive my ignorance :)  But "ClamAV is the open 
source standard for mail gateway scanning software"  It sure seems like a lot of 
people are getting hot about FPs on files that are NOT received as emails?  I keep seeing 
log files, samba distributions and full Windows C:\ scans where people complain about 
false positives.  Shouldn't that be a product other than ClamAV doing these scans?  I mean 
if it's not arriving in your inbox as an attachment why are you scanning it with ClamAV?

In case it came in by a worm.  Or through a drive-by on a web page.  Or 
a downloaded program.  Or transferred from a USB stick.  But of course, 
despite the very strong recommendation to not rely (at all) on 
ClamAV for detecting anything and that it should only be used as a 
backup to a more reliable product (which itself doesn't make much sense, 
as if the more reliable product isn't going to catch an infection then 
this certainly won't), people still do use it by itself.  The best 
advice would be:


a,  don't use ClamAV to protect your system
b,  if you do, use more reliable 3rd party definitions to give a better 
chance


with the implied additions:

c,  if you choose to ignore a and b, please don't bother complaining 
about FP's

d,  do (c) anyway.

Still, people have choices and they can do what they want.  Whilst there 
is the option, and a belief that an AV solution should be effective, 
then naturally people will expect it and report their FP's.  (And who 
can blame them).



Re: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

2016-03-30 Thread Joel Esler (jesler)
The largest place where ClamAV is deployed is on mail gateways.  However ClamAV 
is deployed everywhere.  Desktops, servers, mail gateways, I’ve even heard of 
people compiling for their Android platform, and of course Windows.

--
Joel Esler
Manager, Talos Group




On Mar 30, 2016, at 4:53 PM, C.D. Cochrane 
> wrote:

Hi, I am the new guy here so please forgive my ignorance :)  But "ClamAV is the 
open source standard for mail gateway scanning software"  It sure seems like a 
lot of people are getting hot about FPs on files that are NOT received as 
emails?  I keep seeing log files, samba distributions and full Windows C:\ 
scans where people complain about false positives.  Shouldn't that be a product 
other than ClamAV doing these scans?  I mean if it's not arriving in your inbox 
as an attachment why are you scanning it with ClamAV?


Sent: Wednesday, March 30, 2016 at 2:18 PM
From: "Paul Kosinski" >
To: clamav-users@lists.clamav.net
Subject: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?
I just downloaded samba-4.4.0.tar.gz (the latest) from 
samba.org, and,
after downloading via HTTPS, ClamAV (0.99.1/21479) reports that the gz
file contains Win.Trojan.Qhost-106. In particular, the single file
wintest.py in the subdirectory wintest is reported.

Re: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

2016-03-30 Thread C.D. Cochrane
Hi, I am the new guy here so please forgive my ignorance :)  But "ClamAV is the 
open source standard for mail gateway scanning software"  It sure seems like a 
lot of people are getting hot about FPs on files that are NOT received as 
emails?  I keep seeing log files, samba distributions and full Windows C:\ 
scans where people complain about false positives.  Shouldn't that be a product 
other than ClamAV doing these scans?  I mean if it's not arriving in your inbox 
as an attachment why are you scanning it with ClamAV?


>>Sent: Wednesday, March 30, 2016 at 2:18 PM
>>From: "Paul Kosinski" 
>>To: clamav-users@lists.clamav.net
>>Subject: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?
>>I just downloaded samba-4.4.0.tar.gz (the latest) from samba.org, and,
>>after downloading via HTTPS, ClamAV (0.99.1/21479) reports that the gz
>>file contains Win.Trojan.Qhost-106. In particular, the single file
>>wintest.py in the subdirectory wintest is reported.

Re: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

2016-03-30 Thread Alain Zidouemba
Paul:

Thanks for reporting this FP. This will be fixed momentarily.

- Alain

On Wed, Mar 30, 2016 at 2:18 PM, Paul Kosinski 
wrote:

> I just downloaded samba-4.4.0.tar.gz (the latest) from samba.org, and,
> after downloading via HTTPS, ClamAV (0.99.1/21479) reports that the gz
> file contains Win.Trojan.Qhost-106. In particular, the single file
> wintest.py in the subdirectory wintest is reported.