Re: [clamav-users] missed virus
Hi,

winnow.attachments.hdb
winnow_bad_cw.hdb
winnow_malware_links.ndb

Also work to stop these.

On Nov 15, 2012, at 4:55 PM, Steve Basford wrote:

> > OK, I'm stumped as to why clamav-milter did not catch this virus. It was from this address, being masked as from UPS:
> >
> > File: Invoices-14-2012.htm
>
> Hi Jamen,
>
> I've been seeing these java/htm combos over the last few days and been adding detection to phish.ndb.
>
> The other bad stuff coming in should be detected with: phish.ndb, rogue.hdb and blurl.ndb
>
> OITC's sigs are also recommended.
>
> More details here: http://www.sanesecurity.com/clamav/databases.htm
>
> Cheers,
>
> Steve
> Sanesecurity

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [clamav-users] missed virus
> OK, I'm stumped as to why clamav-milter did not catch this virus. It was from this address, being masked as from UPS:
>
> File: Invoices-14-2012.htm

Hi Jamen,

I've been seeing these java/htm combos over the last few days and been adding detection to phish.ndb.

The other bad stuff coming in should be detected with: phish.ndb, rogue.hdb and blurl.ndb

OITC's sigs are also recommended.

More details here: http://www.sanesecurity.com/clamav/databases.htm

Cheers,

Steve
Sanesecurity
Re: [clamav-users] missed virus
On Thu, Nov 15, 2012 at 4:25 PM, McGranahan, Jamen jamen.mcgrana...@vanderbilt.edu wrote:

> OK, I'm stumped as to why clamav-milter did not catch this virus. It was from this address, being masked as from UPS:
>
> rowanhorst...@live.ca, masked as customerdesk_upsdeliveryservi...@ups.com
>
> Nov 14 14:13:33 XX sendmail[13983]: qAEKDT7f013983: from=rowanhorst...@live.ca, size=3297, class=0, nrcpts=1, msgid=ca5501cdc2ac$e6c228e0$a87b5229@customerdesk_upsdeliveryservices, proto=ESMTP, daemon=MTA, relay=[41.82.123.168]
> Nov 14 14:13:33 libdig10 sendmail[13983]: qAEKDT7f013983: Milter insert (1): header: X-Virus-Scanned: clamav-milter 0.97.6 at ..edu
> Nov 14 14:13:33 libdig10 sendmail[13983]: qAEKDT7f013983: Milter insert (1): header: X-Virus-Status: Clean
>
> It actually missed it on two servers. Thankfully our network security caught it before it went out. Here's what they detected the virus as:
>
> It was detected as Blacole.OZ (Blackhole rootkit stuff).
>
> Incident Name: Blacole.OZ
> File: Invoices-14-2012.htm
>
> Jamen McGranahan
> Systems Services Librarian
> Vanderbilt University Library
> Central Library Room 811
> 419 21st Avenue South
> Nashville, TN 37214

Good question. Any chance you can submit the attachment to us by using the "Submit a file" link on www.clamav.net?

Dave R.

--
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com
Re: [Clamav-users] Missed Virus
* Jason Bennett [EMAIL PROTECTED]:

> Hi everyone,
>
> We're using ClamAV on our mail gateway, which is in front of our Exchange server. It's been running great for a long time and stops thousands of viruses per day for us. Lately, however, our McAfee, which is installed on Exchange itself, is picking up this virus:
>
> W32/Zhelatin.gen!eml
>
> It seems our ClamAV is not seeing it. We get a couple hundred of these a day and they're all the same virus. Any ideas?

False positive? By any means, submit it to the team.

--
Ralf Hildebrandt (on behalf of the IT Center)   [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin            Tel. +49 (0)30-450 570-155
Joint institution of FU and HU Berlin           Fax. +49 (0)30-450 570-962
IT Center, CBF site                             send no mail to [EMAIL PROTECTED]

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Missed Virus
* Ralf Hildebrandt [EMAIL PROTECTED]:

> False positive? By any means, submit it to the team.

http://www.clamav.net/sendvirus/
Re: [Clamav-users] Missed Virus
Jason Bennett wrote:

> Hi everyone,
>
> We're using ClamAV on our mail gateway, which is in front of our Exchange server. It's been running great for a long time and stops thousands of viruses per day for us. Lately, however, our McAfee, which is installed on Exchange itself, is picking up this virus:
>
> W32/Zhelatin.gen!eml

I hate to say "Me Too!", but I thought I should point out this is not an isolated incident. We have a similar set-up (0.90.3 on Solaris/Exim in fact), and the same virus got in and got picked up by McAfee this afternoon.

Didn't I read somewhere recently that there have been a lot of new variants of this virus?

Jon
Systems Admin, 365 Media Group
Re: [Clamav-users] Missed Virus
Jason Bennett wrote:

> Hi everyone,
>
> We're using ClamAV on our mail gateway, which is in front of our Exchange server. It's been running great for a long time and stops thousands of viruses per day for us. Lately, however, our McAfee, which is installed on Exchange itself, is picking up this virus:
>
> W32/Zhelatin.gen!eml
>
> It seems our ClamAV is not seeing it. We get a couple hundred of these a day and they're all the same virus. Any ideas?
>
> Thanks for any help
>
> Jason

Zhelatin is the Email.Phishing.RB-1xxx

If you are using amavisd-new you should give clamd the full email message:

    @keep_decoded_original_maps = (new_RE(
      qr'^MAIL$',   # retain full original message for virus checking
    ));
Re: [Clamav-users] Missed Virus
At 11:55 08-08-2007, Jonathan Armitage wrote:

> Didn't I read somewhere recently that there have been a lot of new variants of this virus?

It's not a virus, it's these greeting card messages with a link to download the malware. It's currently being identified as Email.Phishing.RB-1222.

Regards,
-sm
Re: [Clamav-users] Missed Virus
SM wrote:

> At 11:55 08-08-2007, Jonathan Armitage wrote:
>
> It's not a virus, it's these greeting card messages with a link to download the malware. It's currently being identified as Email.Phishing.RB-1222.

And this is when it was added to the database:

http://lurker.clamav.net/message/20070703.205510.1500cf2a.en.html
Re: [Clamav-users] Missed Virus
Jason Bennett wrote:

> Hi everyone,
>
> We're using ClamAV on our mail gateway, which is in front of our Exchange server. It's been running great for a long time and stops thousands of viruses per day for us. Lately, however, our McAfee, which is installed on Exchange itself, is picking up this virus:
>
> W32/Zhelatin.gen!eml
>
> It seems our ClamAV is not seeing it. We get a couple hundred of these a day and they're all the same virus. Any ideas?

Is it possible it's only a partial message? It does happen that different tools looking at different parts of a message that is broken will see or miss the parts they use to identify a virus.

dp
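Two replies in this thread make the same underlying point: the amavisd-new advice to keep the full original message for clamd, and the remark that different tools see different parts of a message. A body or URL signature (the Email.Phishing / blurl.ndb kind discussed here) can only fire on bytes the scanner is actually handed. The following is an added illustration, not code from any message in this thread and not ClamAV's own engine: it implements a small subset of ClamAV's documented .ndb body-signature syntax (Name:TargetType:Offset:HexSignature with `*` and `??` wildcards), builds a constructed e-card style message with a link and a harmless attachment, and scans it twice, once with only the decoded attachment and once with the original message included. The signature names, the `example.invalid` hostnames and the marker string are all made up for the example.

```python
"""Which bytes does the scanner see?  Added example, not from the thread.

Implements a subset of ClamAV's .ndb body-signature format and scans a
constructed message two ways: decoded attachments only, and with the full
original RFC 822 message added (what amavisd-new's
@keep_decoded_original_maps matching 'MAIL' achieves for clamd).
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed signatures in .ndb syntax.  Target types as in the ClamAV
# signature docs: 0 = any file, 4 = mail file.  Names and content are invented.
CONSTRUCTED_NDB = "\n".join([
    # Bad-URL style signature (cf. blurl.ndb): hostname, anything, ".exe"
    "Example.Phishing.BadURL-1:4:*:"
    + b"ecard.example.invalid/".hex() + "*" + b".exe".hex(),
    # Attachment content marker, matched in any file type
    "Example.Test.AttachmentMarker:0:*:" + b"EXAMPLE-ATTACHMENT-MARKER".hex(),
])


def hex_to_regex(hexsig: str) -> re.Pattern:
    """Translate a hex body signature (subset) into a compiled bytes regex."""
    parts = []
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "*":            # any number of bytes
            parts.append(b".*?")
            i += 1
        elif hexsig[i:i + 2] == "??":   # exactly one arbitrary byte
            parts.append(b".")
            i += 2
        else:                           # one literal byte
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb(text: str):
    """Parse .ndb lines into (name, target_type, offset, regex) tuples."""
    sigs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, target, offset, hexsig = line.split(":", 3)
        sigs.append((name, int(target), offset, hex_to_regex(hexsig)))
    return sigs


def build_sample_message() -> bytes:
    """Constructed e-card style message: HTML body with a link plus a
    harmless attachment.  Lines are kept short so the HTML stays 7bit."""
    msg = EmailMessage()
    msg["From"] = "cards@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "You have received a greeting card"
    msg.set_content("Your friend sent you a card.\n")
    msg.add_alternative(
        "<html><body>\n"
        '<a href="http://ecard.example.invalid/card.exe">\n'
        "View your card</a>\n</body></html>\n",
        subtype="html",
    )
    msg.add_attachment(b"EXAMPLE-ATTACHMENT-MARKER\n", maintype="application",
                       subtype="octet-stream", filename="card.txt")
    return msg.as_bytes()


def scan_units(raw_message: bytes, keep_original: bool):
    """Return the (label, target_type, data) units a content filter hands on.

    keep_original=False models a filter that passes only decoded attachments;
    True adds the whole original message as a target-type-4 (mail) unit.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    units = [(part.get_filename() or "attachment", 0, part.get_payload(decode=True))
             for part in msg.iter_attachments()]
    if keep_original:
        units.append(("original message", 4, raw_message))
    return units


def scan(units, sigs):
    """Return [(unit label, signature name)] for every matching signature.
    A signature applies when its target type is 0 (any) or equals the unit's."""
    hits = []
    for label, ttype, data in units:
        for name, target, offset, rx in sigs:
            if target not in (0, ttype):
                continue
            matched = rx.search(data) if offset == "*" else rx.match(data, int(offset))
            if matched:
                hits.append((label, name))
    return hits


def demo():
    """Scan the constructed message both ways and return the hits per mode."""
    sigs = parse_ndb(CONSTRUCTED_NDB)
    raw = build_sample_message()
    return {
        "attachments_only": scan(scan_units(raw, keep_original=False), sigs),
        "full_message": scan(scan_units(raw, keep_original=True), sigs),
    }


if __name__ == "__main__":
    for mode, hits in demo().items():
        print(f"{mode}: {hits}")
```

With attachments only, just the attachment-marker signature fires; with the original message included, the bad-URL signature fires as well, because the link lives in the HTML body that the attachment-only path never passes on. The real engine decodes MIME and normalises HTML itself, so the model here is the filter-side decision of what to hand over, not ClamAV's matching internals; the same reasoning explains why a truncated or broken message can be caught by one tool and missed by another that looks at different parts.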