Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Joel Esler (jesler)
Because the address is bugzilla.clamav.net.  

This will be fixed by removing the bugs.clamav.net dns entry.   But I don't 
want to remove it until the links inside the tarball + any documentation has 
been adjusted to say bugzilla.  

--
Sent from my iPhone

> On Dec 29, 2016, at 10:05 AM, Benny Pedersen  wrote:
> 
>> On December 29, 2016 13:06:51 "Steve Basford" 
>>  wrote:
>> 
>> https://bugs.clamav.net/show_bug.cgi?id=11708
> 
> still ssl error
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Reindl Harald



On 29.12.2016 at 16:15, Kris Deugau wrote:
> Groach wrote:
>> If I could exclude the Clam default
>> signatures and just continue to use Sane then I would and then I could
>> turn back on quarantining to make our systems safe again.
>
> You can;  turn off freshclam and delete the stock signature files.
>
> Also make sure that you don't use the --official-db-only option to
> clamscan, or have the OfficialDatabaseOnly option set in clamd.conf.
>
> I was investigating using clamd with just a select set of
> custom/third-party signatures for another segment of mail filtering and
> this worked just fine.
>
> So long as you have at least one signature file (and I think at least
> one signature;  never tested quite that far), clamd will start up quite
> happily.


better solution - since i have to feed two clamd instances (one scored 
and the other besides scoring in SpamAssassin unconditional in the 
clamav-milter after spamass-milter) i changed the complete logic to 
download updates in a different folder and fill the sig-folders for 
clamd with hardlinks


voila, instead of 2 clamd instances with 400 MB RAM now one with 400 and the 
other with 40 MB - 99% is caught by the first one, adds 5.5 points to the 
spamassassin-score and most cases have enough other scorings to reach 
the 8.0 sa-milter-reject score


from July to now 48 hits and likely they would have been caught by 
sanesecurity too, only the first hit is logged


cat clamscan.log | grep FOUND | grep  -v UNOFFICIAL | grep -v 
Heuristics.Phishing.Email.SSL-Spoof | grep -v Heuristics.OLE2 | grep -v 
Heuristics.Safebrowsing | grep -v Eicar-Test | grep -v 
Heuristics.Encrypted | wc -l

48

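The staging-plus-hardlinks scheme Reindl describes above, written out as an added example (my script, not his): freshclam is pointed at one staging directory, and each clamd's DatabaseDirectory is refilled with hardlinks after every update, so the files exist once on disk and freshclam keeps its incremental updates. Assumed: all directories share one filesystem, and only main.cvd, daily.cvd and daily.cld are kept out of the light instance (his second instance keeps bytecode.cvd and safebrowsing.cvd, so those are linked).

```shell
#!/bin/sh
# Added example: keep freshclam's download directory separate and fill the
# DatabaseDirectory of each clamd instance with hardlinks to it. The files
# then exist once on disk and freshclam keeps doing incremental updates in
# its own directory. Assumption: all directories are on one filesystem
# (hardlinks cannot cross filesystems); OFFICIAL_DBS is the set of official
# databases the light (scoring-only) instance does not load.

OFFICIAL_DBS="main.cvd daily.cvd daily.cld"

# is_official NAME: succeeds when NAME is one of the official databases above
is_official() {
    for db in $OFFICIAL_DBS; do
        [ "$1" = "$db" ] && return 0
    done
    return 1
}

# link_dir STAGING TARGET MODE
#   full  : hardlink every file from STAGING into TARGET
#   light : the same, but skip OFFICIAL_DBS
# freshclam replaces a database by writing a new file, so an old hardlink in
# TARGET silently goes stale; the inode check (-ef) re-links those. Links
# whose source disappeared from STAGING are removed.
link_dir() {
    staging=$1; target=$2; mode=$3
    mkdir -p "$target"
    for src in "$staging"/*; do
        [ -f "$src" ] || continue
        name=${src##*/}
        if [ "$mode" = light ] && is_official "$name"; then
            continue
        fi
        dst="$target/$name"
        if [ ! "$dst" -ef "$src" ]; then
            ln -f "$src" "$dst"
        fi
    done
    for dst in "$target"/*; do
        [ -e "$dst" ] || continue
        name=${dst##*/}
        if [ ! -f "$staging/$name" ]; then
            rm -f "$dst"
        elif [ "$mode" = light ] && is_official "$name"; then
            rm -f "$dst"
        fi
    done
}

# sync_sigdirs STAGING FULL LIGHT: refresh both clamd directories; run it
# after each freshclam run (e.g. via OnUpdateExecute) and reload both daemons.
sync_sigdirs() {
    link_dir "$1" "$2" full
    link_dir "$1" "$3" light
}

# db_count DIR: number of database files present, for a quick sanity check
db_count() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

if [ "$#" -eq 3 ]; then
    sync_sigdirs "$1" "$2" "$3"
fi
```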

Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Gene Heskett
On Thursday 29 December 2016 07:06:38 Groach wrote:

> On 29/12/2016 09:32, Reindl Harald wrote:
> > Am 29.12.2016 um 10:21 schrieb Reindl Harald:
> >> state of the official signatures is that clamav don't catch many
> >> real malware all over the time without sanesecurity 3rd party
> >> signatures and the official
> >
> > given how much memory the instance with the official signatures i
> > am going so far to say that i would love to be able to *completely*
> > exclude "daily.cld", "daily.cvd" and "main.cvd" and only update
> > "safebrowsing.cvd" and just keep the few sanesecurity signatures in
> > the clamd-instance which is allowed to reject directly via milter
>
> I couldn't agree more. Clam sigs have *never* caught a single threat -
> in many cases many MANY months after the threat had been and gone (I
> have documented evidence if anyone cares to read it). The only thing
> Clam has ever done is 'catch' false positives (yes, I mean "ONLY") -
> so much so that I have been forced to turn off quarantine/action upon
> threat and put it in to REPORT MODE only.  If I could exclude the Clam
> default signatures and just continue to use Sane then I would and then
> I could turn back on quarantining to make our systems safe again.  The
> irony is that Sane has been tested and proven by me to be the best
> Zero hour threat detector and that's why I have chosen it (even against
> all the big commercial boys)  but it's built on and uses the Clam
> engine - yet it's the default Clam signatures that stop me keeping my
> system safe despite Sane doing its work properly. (It's like Sane being
> employed by the police and telling the police of the intruder but the
> police not doing anything about it because they would simply go about
> arresting the intruder and even the innocent premises owners and
> general public. Answer: don't tell the police and just write it down
> instead.)
>
I don't enjoy piling on in the middle of a fight, but the catch times as 
logged here are very revealing. Only on incoming mail does a catch 
result in its being quarantined by sending it to /var/spool/mail/virii.
But the date on that file's creation was June 6th. And I've tried every 
way to make ls show me last mod time, and it stubbornly remains June 
6th.  About 117 kilobytes.

clamscan says it's:
/var/spool/mail/virii: Win.Worm.Mydoom-90 FOUND

So either my ISP is doing a great job of black-holing questionable 
stuff, or 10,000 emails have been deleted by me without reading them.  
And I've done a hell of a lot of that.

It seems to me, with all this hoorah about viruses about in the wild, I 
ought to be getting hit more often than nearly 7 months ago.

My $0.02.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 


Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Kris Deugau
Groach wrote:
>   If I could exclude the Clam default
> signatures and just continue to use Sane then I would and then I could
> turn back on quarantining to make our systems safe again.

You can;  turn off freshclam and delete the stock signature files.

Also make sure that you don't use the --official-db-only option to
clamscan, or have the OfficialDatabaseOnly option set in clamd.conf.

I was investigating using clamd with just a select set of
custom/third-party signatures for another segment of mail filtering and
this worked just fine.

So long as you have at least one signature file (and I think at least
one signature;  never tested quite that far), clamd will start up quite
happily.

-kgd
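Kris's two preconditions for a third-party-only clamd (OfficialDatabaseOnly not set, at least one signature file in the directory) as a pre-start check, added here as an example; this is not ClamAV's own code. The conf path and directory are whatever you pass in, and /var/lib/clamav as the fallback DatabaseDirectory is an assumption.

```shell
#!/bin/sh
# Added example: pre-start check for a clamd instance that is meant to run on
# third-party signatures only. It fails if clamd.conf enables
# OfficialDatabaseOnly (that would skip every unofficial database) or if the
# DatabaseDirectory holds no database file at all (clamd needs at least one).
# Assumption: /var/lib/clamav is used when the conf sets no DatabaseDirectory.

# conf_value CONF KEY: print KEY's value, last occurrence wins, comments ignored
conf_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key        { val = $2 }
        END              { print val }' "$1"
}

# count_db_files DIR: number of files with a database extension ClamAV loads.
# .ftm (file-type magic) and .ign2 (whitelist) files carry no detections, so
# this only proves the directory is not empty.
count_db_files() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.cvd|*.cld|*.hdb|*.hsb|*.mdb|*.ndb|*.ldb|*.cdb|*.ign2|*.ftm|*.crb|*.pdb|*.wdb|*.idb)
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# check_thirdparty_instance CONF: 0 if the instance can start on unofficial
# signatures, 1 with the reason on stderr otherwise
check_thirdparty_instance() {
    conf=$1
    case "$(conf_value "$conf" OfficialDatabaseOnly)" in
        yes|true|1)
            echo "$conf: OfficialDatabaseOnly is on, third-party databases would be ignored" >&2
            return 1 ;;
    esac
    dbdir=$(conf_value "$conf" DatabaseDirectory)
    [ -n "$dbdir" ] || dbdir=/var/lib/clamav   # assumed default
    if [ ! -d "$dbdir" ]; then
        echo "$conf: DatabaseDirectory $dbdir does not exist" >&2
        return 1
    fi
    if [ "$(count_db_files "$dbdir")" -eq 0 ]; then
        echo "$conf: no database files in $dbdir, clamd needs at least one" >&2
        return 1
    fi
    return 0
}

if [ "$#" -eq 1 ]; then
    check_thirdparty_instance "$1" && echo "$1: ok"
fi
```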


Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Reindl Harald



On 29.12.2016 at 14:40, Mark Allan wrote:
>> On 29 Dec 2016, at 12:06 pm, Steve Basford
>> wrote:
>>
>> In clamscan there is:
>>
>> --official-db-only[=yes/no(*)]   Only load official signatures
>>
>> in clamd.conf there is:
>>
>> OfficialDatabaseOnly#Only loading official signatures.
>>
>> I suppose there could be a:
>>
>> --3rd-party-db-only=[=yes/no(*)]
>>
>> and the same thing in clamd.conf.
>>
>> but this may not then load safebrowsing.cvd.
>>
>> You may also need to keep daily.ftm as that contains filetypes.
>
> It seems a little overkill to add a new feature for this. Couldn't you just
> delete the cvd/cld file and prevent freshclam from running? Or better yet,
> write a wrapper around freshclam so the update still takes place and then
> unpack the cvd/cld file and delete the bits you don't want to keep.


and how do you tell freshclam (which is responsible to keep 
safebrowsing.cvd up to date) *not* to update the other stuff?


just deleting it would be plain stupid because then you would have the 
full download every time instead of a fast rsync



Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Reindl Harald



On 29.12.2016 at 13:06, Steve Basford wrote:
> On Thu, December 29, 2016 9:32 am, Reindl Harald wrote:
>
>> i would love to be able to *completely* exclude
>> "daily.cld", "daily.cvd" and "main.cvd" and only update
>> "safebrowsing.cvd"
>
> daily.cvd and main.cvd are compressed versions of multiple databases...
>
> --3rd-party-db-only=[=yes/no(*)]
>
> and the same thing in clamd.conf.
>
> but this may not then load safebrowsing.cvd.
>
> You may also need to keep daily.ftm as that contains filetypes


looks like you completely missed that there are already *two* instances 
of clamd with 2 different signature folders and one doesn't contain the 
official signatures - point is that freshclam should have an option to 
skip all the signatures and as example update "daily.ftm" and whatever 
should be there but leave us in peace with signatures eating hundreds of 
MB disk space and RAM with no benefit other than false positives


[root@mail-gw:~]$ ls /var/lib/clamav/
insgesamt 211M
-rw-r--r-- 1 clamupdate clamupdate  75K 2016-12-28 12:53 foxhole_filename.cdb
-rw-r--r-- 1 clamupdate clamupdate  44K 2016-06-28 09:58 foxhole_generic.cdb
-rw-r--r-- 1 clamupdate clamupdate 4,1K 2016-06-18 16:55 thelounge_blocked_extensions.cdb
-rw-r--r-- 1 clamupdate clamupdate  79M 2016-12-29 13:25 daily.cld
-rw-r--r-- 1 clamupdate clamupdate  85K 2016-07-04 14:30 bytecode.cvd
-rw-r--r-- 1 clamupdate clamupdate  26M 2016-12-18 01:25 daily.cvd
-rw-r--r-- 1 clamupdate clamupdate 105M 2016-07-04 14:29 main.cvd
-rw-r--r-- 1 clamupdate clamupdate  11K 2016-10-18 15:56 sanesecurity.ftm
-rw-r--r-- 1 clamupdate clamupdate 103K 2016-12-29 14:47 bofhland_malware_attach.hdb
-rw-r--r-- 1 clamupdate clamupdate   82 2016-07-13 21:44 crdfam.clamav.hdb
-rw-r--r-- 1 clamupdate clamupdate  14K 2016-12-29 11:54 rogue.hdb
-rw-r--r-- 1 clamupdate clamupdate  86K 2016-12-29 14:45 winnow_extended_malware.hdb
-rw-r--r-- 1 clamupdate clamupdate 264K 2016-12-29 14:45 winnow_malware.hdb
-rw-r--r-- 1 clamupdate clamupdate  48K 2015-08-05 09:24 hackingteam.hsb
-rw-r--r-- 1 clamupdate clamupdate  15K 2016-08-10 15:06 malwarehash.hsb
-rw-r--r-- 1 clamupdate clamupdate  11K 2016-12-29 14:46 porcupine.hsb
-rw-r--r-- 1 clamupdate clamupdate 6,7K 2016-11-25 09:56 sigwhitelist.ign2
-rw-r--r-- 1 clamupdate clamupdate  196 2016-08-10 09:57 thelounge_whitelist.ign2
-rw-r--r-- 1 clamupdate clamupdate  56K 2016-12-27 20:39 badmacro.ndb
-rw-r--r-- 1 clamupdate clamupdate  60K 2016-12-29 14:53 blurl.ndb
-rw-r--r-- 1 clamupdate clamupdate 1012 2016-12-29 14:47 bofhland_malware_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 337K 2016-12-29 14:46 porcupine.ndb
-rw-r--r-- 1 clamupdate clamupdate   61 2016-10-10 19:47 thelounge_custom_sigs.ndb
-rw-r--r-- 1 clamupdate clamupdate 1,3M 2016-12-29 14:45 winnow_malware_links.ndb

[root@mail-gw:~]$ ls /var/lib/clamav-spam/
insgesamt 77M
-rw-r--r-- 1 clamupdate clamupdate 9,1K 2016-11-28 16:00 foxhole_all.cdb
-rw-r--r-- 1 clamupdate clamupdate 2,7K 2016-12-06 09:52 foxhole_js.cdb
-rw-r--r-- 1 clamupdate clamupdate 5,7K 2016-06-18 16:55 thelounge_tagged_extensions.cdb
-rw-r--r-- 1 clamupdate clamupdate  85K 2016-07-04 14:30 bytecode.cvd
-rw-r--r-- 1 clamupdate clamupdate  43M 2016-11-04 18:27 safebrowsing.cvd
-rw-r--r-- 1 clamupdate clamupdate  11K 2016-10-18 15:56 sanesecurity.ftm
-rw-r--r-- 1 clamupdate clamupdate 1,3K 2016-12-12 16:53 spamattach.hdb
-rw-r--r-- 1 clamupdate clamupdate 6,0K 2016-12-08 10:53 spamimg.hdb
-rw-r--r-- 1 clamupdate clamupdate 515K 2016-12-29 14:45 winnow.attachments.hdb
-rw-r--r-- 1 clamupdate clamupdate   66 2016-12-29 14:45 winnow_bad_cw.hdb
-rw-r--r-- 1 clamupdate clamupdate 6,7K 2016-11-25 09:56 sigwhitelist.ign2
-rw-r--r-- 1 clamupdate clamupdate  196 2016-08-10 09:57 thelounge_whitelist.ign2
-rw-r--r-- 1 clamupdate clamupdate 1011 2016-11-29 17:56 shelter.ldb
-rw-r--r-- 1 clamupdate clamupdate  556 2016-10-06 15:53 spam.ldb
-rw-r--r-- 1 clamupdate clamupdate  660 2016-12-29 14:45 winnow.complex.patterns.ldb
-rw-r--r-- 1 clamupdate clamupdate  60K 2016-12-29 14:53 blurl.ndb
-rw-r--r-- 1 clamupdate clamupdate  656 2016-12-29 14:47 bofhland_cracked_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 1012 2016-12-29 14:47 bofhland_malware_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 2,2K 2016-12-29 14:47 bofhland_phishing_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 5,7K 2016-11-21 09:55 foxhole_all.ndb
-rw-r--r-- 1 clamupdate clamupdate  230 2016-11-21 09:55 foxhole_js.ndb
-rw-r--r-- 1 clamupdate clamupdate 6,5M 2016-12-20 16:53 junk.ndb
-rw-r--r-- 1 clamupdate clamupdate 230K 2016-12-29 14:53 jurlbla.ndb
-rw-r--r-- 1 clamupdate clamupdate 198K 2016-12-29 14:53 jurlbl.ndb
-rw-r--r-- 1 clamupdate clamupdate 240K 2016-07-29 18:20 lott.ndb
-rw-r--r-- 1 clamupdate clamupdate 3,8M 2016-12-28 12:53 phish.ndb
-rw-r--r-- 1 clamupdate clamupdate 3,5M 2016-12-29 14:46 phishtank.ndb
-rw-r--r-- 1 clamupdate clamupdate  14M 2016-12-29 14:45 scamnailer.ndb
-rw-r--r-- 1 clamupdate clamupdate 1,8M 2016-11-28 16:24 scam.ndb
-rw-r--r-- 1 

Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Benny Pedersen
On December 29, 2016 13:06:51 "Steve Basford" 
 wrote:

> https://bugs.clamav.net/show_bug.cgi?id=11708

still ssl error


Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Steve Basford

On Thu, December 29, 2016 1:40 pm, Mark Allan wrote:

> It seems a little overkill to add a new feature for this. Couldn't you
> just delete the cvd/cld file and prevent freshclam from running? Or
> better yet, write a wrapper around freshclam so the update still takes
> place and then unpack the cvd/cld file and delete the bits you don't want
> to keep.
Hi Mark,

You could do that yes, there's always different ways of doing things,
but if it's easy-ish to add the feature then the option is there for
clamwin etc. to use too.
--
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Mark Allan

> On 29 Dec 2016, at 12:06 pm, Steve Basford  
> wrote:
> 
> In clamscan there is:
> 
> --official-db-only[=yes/no(*)]   Only load official signatures
> 
> in clamd.conf there is:
> 
> OfficialDatabaseOnly#Only loading official signatures.
> 
> I suppose there could be a:
> 
> --3rd-party-db-only=[=yes/no(*)]
> 
> and the same thing in clamd.conf.
> 
> but this may not then load safebrowsing.cvd.
> 
> You may also need to keep daily.ftm as that contains filetypes.

It seems a little overkill to add a new feature for this. Couldn't you just 
delete the cvd/cld file and prevent freshclam from running? Or better yet, 
write a wrapper around freshclam so the update still takes place and then 
unpack the cvd/cld file and delete the bits you don't want to keep.

Mark



Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Groach

Noted.  Confirmed FPs no longer being reported.

(Still looking forward to the new improved QA system, and one that 
doesn't require a mailing list uproar before the issues get identified).




On 29/12/2016 13:14, Joel Esler (jesler) wrote:
> We are showing that all Toa signatures have been dropped.  Please run freshclam
> to drop the sigs.
>
> --
> Sent from my iPhone
>
>> On Dec 29, 2016, at 8:03 AM, Joel Esler (jesler)  wrote:
>>
>> I'm not dismissing anything. (Except the notion that I am dismissing things).
>> I know one of our guys is monitoring the list during the holiday.  I'll ping
>> him.
>>
>> --
>> Sent from my iPhone



Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Joel Esler (jesler)
We are showing that all Toa signatures have been dropped.  Please run freshclam 
to drop the sigs.  

--
Sent from my iPhone

> On Dec 29, 2016, at 8:03 AM, Joel Esler (jesler)  wrote:
> 
> I'm not dismissing anything. (Except the notion that I am dismissing things). 
>  I know one of our guys is monitoring the list during the holiday.  I'll ping 
> him.  
> 
> --
> Sent from my iPhone
> 
>> On Dec 29, 2016, at 7:07 AM, Groach  
>> wrote:
>> 
>>> On 29/12/2016 09:32, Reindl Harald wrote:
>>> 
>>> On 29.12.2016 at 10:21, Reindl Harald wrote:
>>> 
>>>> state of the official signatures is that clamav don't catch many real
>>>> malware all over the time without sanesecurity 3rd party signatures and
>>>> the official
>>> 
>>> given how much memory the instance with the official signatures i am going 
>>> so far to say that i would love to be able to *completely* exclude 
>>> "daily.cld", "daily.cvd" and "main.cvd" and only update "safebrowsing.cvd" 
>>> and just keep the few sanesecurity signatures in the clamd-instance which 
>>> is allowed to reject directly via milter
>> 
>> I couldn't agree more. Clam sigs have *never* caught a single threat - in 
>> many cases many MANY months after the threat had been and gone (I have 
>> documented evidence if anyone cares to read it). The only thing Clam has 
>> ever done is 'catch' false positives (yes, I mean "ONLY") - so much so that 
>> I have been forced to turn off quarantine/action upon threat and put it in 
>> to REPORT MODE only.  If I could exclude the Clam default signatures and 
>> just continue to use Sane then I would and then I could turn back on 
>> quarantining to make our systems safe again.  The irony is that Sane has 
>> been tested and proven by me to be the best Zero hour threat detector and 
>> that's why I have chosen it (even against all the big commercial boys)  but 
>> it's built on and uses the Clam engine - yet it's the default Clam signatures 
>> that stop me keeping my system safe despite Sane doing its work properly. 
>> (It's like Sane being employed by the police and telling the police of the 
>> intruder but the police not doing anything about it because they would simply 
>> go about arresting the intruder and even the innocent premises owners and 
>> general public.  Answer: don't tell the police and just write it down instead.)


Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Joel Esler (jesler)
I'm not dismissing anything. (Except the notion that I am dismissing things).  
I know one of our guys is monitoring the list during the holiday.  I'll ping 
him.  

--
Sent from my iPhone

> On Dec 29, 2016, at 7:07 AM, Groach  
> wrote:
> 
>> On 29/12/2016 09:32, Reindl Harald wrote:
>> 
>> On 29.12.2016 at 10:21, Reindl Harald wrote:
>> 
>>> state of the official signatures is that clamav don't catch many real
>>> malware all over the time without sanesecurity 3rd party signatures and
>>> the official
>> 
>> given how much memory the instance with the official signatures i am going 
>> so far to say that i would love to be able to *completely* exclude 
>> "daily.cld", "daily.cvd" and "main.cvd" and only update "safebrowsing.cvd" 
>> and just keep the few sanesecurity signatures in the clamd-instance which is 
>> allowed to reject directly via milter
> 
> I couldn't agree more. Clam sigs have *never* caught a single threat - in many 
> cases many MANY months after the threat had been and gone (I have documented 
> evidence if anyone cares to read it). The only thing Clam has ever done is 
> 'catch' false positives (yes, I mean "ONLY") - so much so that I have been 
> forced to turn off quarantine/action upon threat and put it in to REPORT MODE 
> only.  If I could exclude the Clam default signatures and just continue to 
> use Sane then I would and then I could turn back on quarantining to make our 
> systems safe again.  The irony is that Sane has been tested and proven by me 
> to be the best Zero hour threat detector and that's why I have chosen it (even 
> against all the big commercial boys)  but it's built on and uses the Clam 
> engine - yet it's the default Clam signatures that stop me keeping my system 
> safe despite Sane doing its work properly. (It's like Sane being employed by 
> the police and telling the police of the intruder but the police not doing 
> anything about it because they would simply go about arresting the intruder and 
> even the innocent premises owners and general public.  Answer: don't tell the 
> police and just write it down instead.)


Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Steve Basford

On Thu, December 29, 2016 9:32 am, Reindl Harald wrote:
>
> i would love to be able to *completely* exclude
> "daily.cld", "daily.cvd" and "main.cvd" and only update
> "safebrowsing.cvd"

daily.cvd and main.cvd are compressed versions of multiple databases...

e.g. sigtool --unpack-current=daily


29/12/2016  11:52    46,364,915 daily.hsb
29/12/2016  11:52    29,004,820 daily.hdb
29/12/2016  11:52     4,850,079 daily.mdb
29/12/2016  11:52       825,187 daily.ndu
29/12/2016  11:52       629,105 daily.ldb
29/12/2016  11:52        76,399 daily.ndb
29/12/2016  11:52        69,427 daily.mdu
18/02/2016  06:38        49,553 daily.crtdb
29/12/2016  11:52        36,126 daily.idb
29/12/2016  11:52        26,043 daily.fp
18/02/2016  06:38        25,227 daily.db
18/02/2016  06:38        10,943 daily.zmd
29/12/2016  11:52        10,739 daily.ldu
29/12/2016  11:52        10,095 daily.wdb
29/12/2016  11:52         9,965 daily.ftm
29/12/2016  11:52         6,040 daily.crb
29/12/2016  11:52         4,094 daily.pdb
29/12/2016  11:52         3,530 daily.hdu
18/02/2016  06:38         2,991 daily.rmd
29/12/2016  11:52         2,914 daily.ign
29/12/2016  11:52         2,269 daily.info
29/12/2016  11:52         2,168 daily.ign2
29/12/2016  11:52           424 daily.cfg
29/12/2016  11:52           378 daily.cdb
29/12/2016  11:52            92 daily.msb
29/12/2016  11:52            92 daily.msu
29/12/2016  11:52            89 daily.hsu
29/12/2016  11:52            87 daily.sfp

82,023,791 bytes

In clamscan there is:

--official-db-only[=yes/no(*)]   Only load official signatures

in clamd.conf there is:

OfficialDatabaseOnly#Only loading official signatures.

I suppose there could be a:

--3rd-party-db-only=[=yes/no(*)]

and the same thing in clamd.conf.

but this may not then load safebrowsing.cvd.

You may also need to keep daily.ftm as that contains filetypes.

I guess the best thing is to raise a bugzilla enhancement, if
people want to add their comments:

https://bugs.clamav.net/show_bug.cgi?id=11708


-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Reindl Harald



On 29.12.2016 at 10:21, Reindl Harald wrote:
> On 29.12.2016 at 03:54, Al Varnell wrote:
>> Over 11,000 of them were dropped several days ago, but a few were
>> added at the same time. I have no idea what the status of those new
>> ones are and maybe I've lost track, but I believe only one of the new
>> ones has been brought up here.
>>
>> Since all signatures are put through their QA process before release,
>> I'm not clear on what it is you are proposing.
>
> probably that the QA process is not working the last 2 months?
>
> state of the official signatures is that clamav don't catch many real
> malware all over the time without sanesecurity 3rd party signatures and
> the official
>
> cat clamscan.log | grep FOUND | wc -l
> 5267
>
> cat clamscan.log | grep FOUND | grep UNOFFICIAL | wc -l
> 4281
>
> i bet the 25% would have been caught by sanesecurity sigs too
>
> these are 99.9% false positives and hence only scored
>
> cat clamscan.log | grep FOUND | grep
> "Heuristics.Phishing.Email.SSL-Spoof" | wc -l
>
> 662
>
> these are not signatures and only scored
>
> cat clamscan.log | grep FOUND | grep "Heuristics.OLE2.ContainsMacros" |
> wc -l
>
> 225

given how much memory the instance with the official signatures i am 
going so far to say that i would love to be able to *completely* exclude 
"daily.cld", "daily.cvd" and "main.cvd" and only update 
"safebrowsing.cvd" and just keep the few sanesecurity signatures in the 
clamd-instance which is allowed to reject directly via milter


[root@mail-gw:~]$ ls /var/lib/clamav
insgesamt 210M
-rw-r--r-- 1 clamupdate clamupdate  75K 2016-12-28 12:53 foxhole_filename.cdb
-rw-r--r-- 1 clamupdate clamupdate  44K 2016-06-28 09:58 foxhole_generic.cdb
-rw-r--r-- 1 clamupdate clamupdate 4,1K 2016-06-18 16:55 thelounge_blocked_extensions.cdb
-rw-r--r-- 1 clamupdate clamupdate  79M 2016-12-29 09:25 daily.cld
-rw-r--r-- 1 clamupdate clamupdate  85K 2016-07-04 14:30 bytecode.cvd
-rw-r--r-- 1 clamupdate clamupdate  26M 2016-12-18 01:25 daily.cvd
-rw-r--r-- 1 clamupdate clamupdate 105M 2016-07-04 14:29 main.cvd
-rw-r--r-- 1 clamupdate clamupdate  11K 2016-10-18 15:56 sanesecurity.ftm
-rw-r--r-- 1 clamupdate clamupdate 103K 2016-12-29 09:47 bofhland_malware_attach.hdb
-rw-r--r-- 1 clamupdate clamupdate   82 2016-07-13 21:44 crdfam.clamav.hdb
-rw-r--r-- 1 clamupdate clamupdate  14K 2016-12-22 10:51 rogue.hdb
-rw-r--r-- 1 clamupdate clamupdate  86K 2016-12-29 09:45 winnow_extended_malware.hdb
-rw-r--r-- 1 clamupdate clamupdate 264K 2016-12-29 09:45 winnow_malware.hdb
-rw-r--r-- 1 clamupdate clamupdate  48K 2015-08-05 09:24 hackingteam.hsb
-rw-r--r-- 1 clamupdate clamupdate  15K 2016-08-10 15:06 malwarehash.hsb
-rw-r--r-- 1 clamupdate clamupdate  16K 2016-12-29 09:46 porcupine.hsb
-rw-r--r-- 1 clamupdate clamupdate 6,7K 2016-11-25 09:56 sigwhitelist.ign2
-rw-r--r-- 1 clamupdate clamupdate  196 2016-08-10 09:57 thelounge_whitelist.ign2
-rw-r--r-- 1 clamupdate clamupdate  56K 2016-12-27 20:39 badmacro.ndb
-rw-r--r-- 1 clamupdate clamupdate  59K 2016-12-29 09:52 blurl.ndb
-rw-r--r-- 1 clamupdate clamupdate 1012 2016-12-29 09:47 bofhland_malware_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 337K 2016-12-29 09:46 porcupine.ndb
-rw-r--r-- 1 clamupdate clamupdate   61 2016-10-10 19:47 thelounge_custom_sigs.ndb
-rw-r--r-- 1 clamupdate clamupdate 1,3M 2016-12-29 09:45 winnow_malware_links.ndb

[root@mail-gw:~]$ ls /var/lib/clamav-spam/
insgesamt 77M
-rw-r--r-- 1 clamupdate clamupdate 9,1K 2016-11-28 16:00 foxhole_all.cdb
-rw-r--r-- 1 clamupdate clamupdate 2,7K 2016-12-06 09:52 foxhole_js.cdb
-rw-r--r-- 1 clamupdate clamupdate 5,7K 2016-06-18 16:55 thelounge_tagged_extensions.cdb
-rw-r--r-- 1 clamupdate clamupdate  85K 2016-07-04 14:30 bytecode.cvd
-rw-r--r-- 1 clamupdate clamupdate  43M 2016-11-04 18:27 safebrowsing.cvd
-rw-r--r-- 1 clamupdate clamupdate  11K 2016-10-18 15:56 sanesecurity.ftm
-rw-r--r-- 1 clamupdate clamupdate 1,3K 2016-12-12 16:53 spamattach.hdb
-rw-r--r-- 1 clamupdate clamupdate 6,0K 2016-12-08 10:53 spamimg.hdb
-rw-r--r-- 1 clamupdate clamupdate 515K 2016-12-29 09:45 winnow.attachments.hdb
-rw-r--r-- 1 clamupdate clamupdate   66 2016-12-29 09:45 winnow_bad_cw.hdb
-rw-r--r-- 1 clamupdate clamupdate 6,7K 2016-11-25 09:56 sigwhitelist.ign2
-rw-r--r-- 1 clamupdate clamupdate  196 2016-08-10 09:57 thelounge_whitelist.ign2
-rw-r--r-- 1 clamupdate clamupdate 1011 2016-11-29 17:56 shelter.ldb
-rw-r--r-- 1 clamupdate clamupdate  556 2016-10-06 15:53 spam.ldb
-rw-r--r-- 1 clamupdate clamupdate  660 2016-12-29 09:45 winnow.complex.patterns.ldb
-rw-r--r-- 1 clamupdate clamupdate  59K 2016-12-29 09:52 blurl.ndb
-rw-r--r-- 1 clamupdate clamupdate  656 2016-12-29 09:47 bofhland_cracked_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 1012 2016-12-29 09:47 bofhland_malware_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 2,2K 2016-12-29 09:47 bofhland_phishing_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 5,7K 2016-11-21 09:55 foxhole_all.ndb
-rw-r--r-- 1 clamupdate clamupdate  230 2016-11-21 09:55 foxhole_js.ndb
-rw-r--r-- 1 clamupdate 

Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Reindl Harald



Am 29.12.2016 um 03:54 schrieb Al Varnell:

Over 11,000 of them were dropped several days ago, but a few were added at the 
same time. I have no idea what the status of those new ones are and maybe I've 
lost track, but I believe only one of the new ones has been brought up here.

Since all signatures are put through their QA process before release, I'm not 
clear on what it is you are proposing.


probably that the QA process is not working the last 2 months?

state of the official signatures is that clamav doesn't catch many real 
malware all over the time without sanesecurity 3rd party signatures and 
the official


cat clamscan.log | grep FOUND | wc -l
5267

cat clamscan.log | grep FOUND | grep UNOFFICIAL | wc -l
4281

i bet the 25% would have been caught by sanesecurity sigs too
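The grep/wc pipelines in this and the earlier post count FOUND lines one pattern at a time. An added example (not part of either post, and not ClamAV's own tooling) that does the same breakdown in a single pass over a clamscan log: each FOUND line is classified as official, UNOFFICIAL (third-party, e.g. Sanesecurity) or heuristic, and the signatures that fire most often are listed, which is the first thing to look at when one signature is suspected of false positives across hundreds of files. The log lines are constructed samples in the standard `path: Signature FOUND` format; the path names are invented.

```python
import re
from collections import Counter

# Constructed sample of clamscan.log output (not the poster's data).
SAMPLE_LOG = """\
/var/spool/mail/a.eml: Win.Trojan.Toa-5368540-0 FOUND
/var/spool/mail/b.eml: Sanesecurity.Foxhole.Mail_1.UNOFFICIAL FOUND
/var/spool/mail/c.eml: Heuristics.OLE2.ContainsMacros FOUND
/var/spool/mail/d.eml: Heuristics.Phishing.Email.SSL-Spoof FOUND
/var/spool/mail/e.eml: OK
/var/spool/mail/f.eml: Sanesecurity.Junk.123.UNOFFICIAL FOUND
/var/spool/mail/g.eml: Win.Trojan.Toa-5368540-0 FOUND

----------- SCAN SUMMARY -----------
Infected files: 6
"""

# clamscan reports a hit as "<path>: <signature> FOUND"; OK lines and the
# trailing summary block do not match and are skipped.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_found(lines):
    """Yield (path, signature) for every FOUND line in the log."""
    for line in lines:
        m = FOUND_RE.match(line.rstrip("\n"))
        if m:
            yield m.group("path"), m.group("sig")


def classify(sig):
    """Bucket a signature name the way the grep pipelines above do."""
    if sig.startswith("Heuristics."):
        return "heuristic"          # scored, not a real signature hit
    if sig.endswith(".UNOFFICIAL"):
        return "unofficial"         # third-party database (Sanesecurity etc.)
    return "official"               # main.cvd / daily.cld / daily.cvd


def summarize(lines):
    """Return (hits per class, hits per signature) for a clamscan log."""
    by_class = Counter()
    by_sig = Counter()
    for _path, sig in parse_found(lines):
        by_class[classify(sig)] += 1
        by_sig[sig] += 1
    return by_class, by_sig


def official_share(by_class):
    """Fraction of all hits that came from the official databases."""
    total = sum(by_class.values())
    return by_class["official"] / total if total else 0.0


def top_signatures(by_sig, n=10):
    """Signatures sorted by hit count; a runaway entry here is a FP candidate."""
    return by_sig.most_common(n)


if __name__ == "__main__":
    # Replace SAMPLE_LOG.splitlines() with open("clamscan.log") for a real log.
    classes, sigs = summarize(SAMPLE_LOG.splitlines())
    print("hits by class:", dict(classes))
    print("official share: %.1f%%" % (100 * official_share(classes)))
    for sig, count in top_signatures(sigs, 5):
        print("%6d  %s" % (count, sig))
```

Running it on a real log (`summarize(open("clamscan.log"))`) gives the official/unofficial split in one pass, and the top-signature list makes a single name accounting for most of the official hits stand out immediately instead of requiring a separate grep per suspected signature.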


Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-28 Thread Al Varnell
On Dec 28, 2016, at 2:13 PM, Groach wrote:
> Ok, I know it has already been mentioned before in another 2 threads but it 
> seems once again Joel is dismissing the claims or the responsibilities of it 
> being damaging to people's systems (regularly quarantining genuine files and 
> emails) and instead expects everyone to keep sending in FP reports for every 
> spreadsheet or file that gets hit by this rogue signature.  Not only is this 
> impractical, it's often impossible due to quantity and least of all data 
> sensitivity issues.  I have them every day.  I've submitted FP reports, I've 
> watched others raise the issue too, I've waited a week but still it goes on.
> 
> Many have called for it to be reviewed, modified or removed - even people 
> such as Steve Basford who is respected in providing signatures of his own:
> 
> "IMHO, Win.Trojan.Toa* CDB sigs should ALL be pulled ASAP and QA testing done 
> in full after holidays."

Over 11,000 of them were dropped several days ago, but a few were added at the 
same time. I have no idea what the status of those new ones are and maybe I've 
lost track, but I believe only one of the new ones has been brought up here.

Since all signatures are put through their QA process before release, I'm not 
clear on what it is you are proposing.

> http://lists.clamav.net/pipermail/clamav-users/2016-December/003932.html and 
> so on.
> 
> The cause of the problem has even been identified (vbaproject.bin 
> http://lists.clamav.net/pipermail/clamav-users/2016-December/003945.html) but 
> still no acknowledgement and it continues.
> 
> So it leaves me with the thread title...
> 
> ...just dump this signature.  Learn that when HUNDREDS or thousands of files 
> are incorrectly being hit then acknowledge there is something wrong with it!  
> Consider it a QA failure.  What else do you need to see before things are 
> seen for what they are?!

I believe the problem has been identified earlier today as being that all 
'vbaproject.bin' are being identified as infected. Whether that should be true 
or not seems doubtful, but only conjecture so far. You are probably right, but 
the decision is ultimately the signature team's based on the evidence presented 
and their knowledge of what the threat is. I have no idea what the latter is.

-Al-