Julien Reveret | 15 Feb 09:20 2011

clamscan can't detect malware inside a debian package

Hello,

I've made a few tests lately to embed malware inside UNIX packages like
RPM or DEB packages. Once done, I scanned the packages with many
anti-virus products to check their efficiency.

Concerning clamav, there was no problem finding malware embedded into an
RPM package. Nevertheless clamscan was unable to detect a known malware
(the C99 PHP Backdoor) added to a preinst or postinst file.

Should I report this as a bug?

Regards

_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

Török Edwin | 15 Feb 14:42 2011

Re: clamscan can't detect malware inside a debian package

On 2011-02-15 10:20, Julien Reveret wrote:
> Hello,
> 
> I've made a few tests lately to embed malware inside UNIX packages like
> RPM or DEB packages. Once done, I scanned the packages with many
> anti-virus products to check their efficiency.
> 
> Concerning clamav, there was no problem finding malware embedded into an
> RPM package. Nevertheless clamscan was unable to detect a known malware
> (the C99 PHP Backdoor) added to a preinst or postinst file.
> 
> Should I report this as a bug?

Just published bytecode.cvd version 138, is the .deb detected now?

(Run freshclam, make sure you get bytecode.cvd 138, and that you run
0.96.4+)

Best regards,
--Edwin

Renato Botelho | 23 Feb 13:09 2011

Clamav 0.97 doesn't recognize old database

Hi guys,

A FreeBSD user reported a problem when he upgraded to 0.97
as you can see at [1]. Does it make any sense for you?

Thanks

[1] - http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/154608
-- 
Renato Botelho

Török Edwin | 23 Feb 13:12 2011

Re: Clamav 0.97 doesn't recognize old database

On 2011-02-23 14:09, Renato Botelho wrote:
> Hi guys,
> 
> A FreeBSD user reported a problem when he upgraded to 0.97
> as you can see at [1]. Does it make any sense for you?
> 

This has been reported on -users already; one of the 3rdparty signatures
is invalid: it uses a size of 0 for an MD5 signature.
The fix is to remove the offending line from the 3rdparty DB.

Best regards,
--Edwin
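The reply above points at a malformed hash signature (an MD5 entry with a size of 0) as the reason 0.97 rejects a third-party database, and at removing that line as the fix. The following is an added example, not code from the thread or from the ClamAV project, that lints a hash-signature file before it is dropped into the database directory: it assumes the colon-separated `MD5:size:name` layout of ClamAV `.hdb` files (extra trailing fields are tolerated), flags lines whose hash is not 32 hex digits or whose size is not a positive integer, and keeps only the acceptable records. The sample signatures and payload are constructed for the example; `check_hdb_line`, `validate_hdb` and `lookup` are names chosen here.

```python
import hashlib
import re

# Constructed payload used to derive one valid signature (270 bytes).
SAMPLE_PAYLOAD = b"constructed sample content\n" * 10

# Constructed .hdb records, not taken from any real signature database.
# Line 2 carries a size field of 0, the defect the reply describes;
# line 3 has a hash that is not an MD5 at all.
SAMPLE_HDB = (
    hashlib.md5(SAMPLE_PAYLOAD).hexdigest() + ":270:Example.Constructed-1\n"
    "0123456789abcdef0123456789abcdef:0:Example.BadSize-2\n"
    "not-a-hash:512:Example.BadHash-3\n"
    "fedcba9876543210fedcba9876543210:2048:Example.Constructed-4:73\n"
)

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def check_hdb_line(line):
    """Return None if `line` is an acceptable MD5:size:name record,
    otherwise a short reason string describing the defect."""
    fields = line.split(":")
    if len(fields) < 3:
        return "expected at least 3 colon-separated fields"
    md5, size, name = fields[0], fields[1], fields[2]
    if not MD5_RE.match(md5):
        return "hash field is not a 32-hex-digit MD5"
    # A file-hash signature needs the exact file size; 0 cannot describe
    # a real sample and is what made the 3rdparty DB load fail.
    if not size.isdigit() or int(size) == 0:
        return "size field must be a positive integer (got %r)" % size
    if not name:
        return "empty malware name"
    return None


def validate_hdb(text):
    """Split `text` into (good_lines, problems); problems is a list of
    (line_number, line, reason) tuples for records that should be removed."""
    good, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not records
        reason = check_hdb_line(line)
        if reason is None:
            good.append(line)
        else:
            problems.append((lineno, line, reason))
    return good, problems


def lookup(data, good_lines):
    """Return the malware name of the first validated record whose MD5 and
    size both match `data`, or None. Size is compared first: a hash-only
    match with the wrong size is not a hit, which is why size 0 is useless."""
    size = len(data)
    digest = None
    for line in good_lines:
        md5, sig_size, name = line.split(":")[:3]
        if int(sig_size) != size:
            continue
        if digest is None:
            digest = hashlib.md5(data).hexdigest()
        if md5.lower() == digest:
            return name
    return None


if __name__ == "__main__":
    good, problems = validate_hdb(SAMPLE_HDB)
    for lineno, line, reason in problems:
        print("line %d rejected: %s  (%s)" % (lineno, reason, line))
    print("%d usable records" % len(good))
    print("payload matched:", lookup(SAMPLE_PAYLOAD, good))
```

Running this over a third-party file before installing it turns the "database does not load" symptom into a line number and a reason, and the `good` list is exactly what would be written back to the cleaned file.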

Ibrahim Harrani | 24 Feb 14:35 2011

old FreeBSD threat patch

Hi,

There is a patch for clamav on FreeBSD at the following url.
http://www.mail-archive.com/clamav-devel <at> lists.clamav.net/msg02775.html

It seems that this patch was created for FreeBSD 6.X.
Do you think that this patch should be applied to FreeBSD 8.X also?

Thanks.

David F. Skoll | 28 Feb 15:47 2011

QA request: Please test signature DBs against 0.95 and later

Hi,

Referring to threads at:
http://lurker.clamav.net/thread/20110228.124343.f4b93b47.en.html#20110228.124343.f4b93b47
http://lurker.clamav.net/thread/20110210.215042.63ffc4bc.en.html#20110210.215042.63ffc4bc

and especially:
http://lurker.clamav.net/message/20110211.235527.4079e33f.en.html

which quotes:

> 3-4 days after v0.97 is released, v0.95 is considered obsolete and
> no longer worth testing databases for.

Is that really true?  Is it actually infeasible to test signature
updates against all versions of ClamAV from v0.95 on?  I don't know
which SCM system you use, but it seems to me that a pre-commit hook that
validates signatures before allowing the commit shouldn't be that hard
to create.

I was a little upset by the forced-obsolescence of 0.94.x, but at
least we had plenty of warning.  The surprise de-facto obsolescence
of 0.95 with no warning at all is not so much fun...

Regards,

David.