JD Ackle | 22 Jul 14:23 2015

How to clean infection by Docx.Exploit.CVE_2015_1770

Hello,

Currently, ClamAV run from Linux reports Docx.Exploit.CVE_2015_1770 in my Windows 8.1 install, in files:
- pageFile.sys
- Windows/System32/config/SOFTWARE (a piece of the Windows registry)

If I understand it correctly, pageFile.sys works much like a Linux swap, hence basically containing RAM
dumps. After removing the file from the Windows system and booting to it I noticed Windows just made a new
one when needed, as I expected. Thus I am actually using that file as a checkpoint to track whether the
system is clean or not - whether the virus appears in the volatile memory when Windows is run.
When I first noticed the infection, pageFile.sys did not get infected upon a Windows startup without
logging on a user (it would however otherwise, regardless of whether the user was an administrator or a
regular one).

I noticed the infection on Windows/System32/config/SOFTWARE later and moved it to Linux to try and fix it -
even though I was not really sure how to do it. Upon giving up on the latter plan I simply tried booting onto
Windows which failed. Since copying the SOFTWARE file back in, pageFile.sys now becomes infected even if
I don't log on any user.
I presume the reason for this may be that the file lost its Windows permission upon being copied to my Linux
install and is now world-accessible, thus being run by the system even before an allowed user is logged on...?

On another hand, I am hesitant to consider this a false positive as ClamAV did detect another virus in my
Windows system:
- Program Files (x86)/Hewlett-Packard/Shared/WizLink.exe: Win.Worm.Tenga-113 FOUND
I don't need that file at all, so I simply deleted it and no further infections of that virus have been detected
since. My Windows install was running considerably slow (especially network-related tasks) before
removing that file and seems to have picked back up on its speed, so I am assuming the said virus has indeed,
at least for the most common use of that system, been removed.
However, I'm not sure whether this worm and the Docx.Exploit.CVE_2015_1770 are not related...?

(Continue reading)

Paul Kosinski | 21 Jul 19:58 2015

Re: Streaming support in ClamD

I'm still using HAVP for HTTP scanning, and it seems to still work OK
with the latest ClamAV (i.e., libclamav etc.).

I hope that ClamAV doesn't become incompatible in a way that can't be
accommodated. (I had to change HAVP's init temporarily due to the
openssl hiccup).

Paul Kosinski

On Tue, 21 Jul 2015 12:00:01 -0400
clamav-users-request <at> lists.clamav.net wrote:

> > ------------------------------
> >
> > Message: 2
> > Date: Thu, 2 Jul 2015 12:55:54 +0300
> > From: Henrik K <hege <at> hege.li>
> > To: clamav-users <at> lists.clamav.net
> > Subject: Re: [clamav-users] Streaming support in ClamD
> > Message-ID: <20150702095554.GA32277 <at> hege.li>
> > Content-Type: text/plain; charset=us-ascii
> >
> >
> > Let's say you have a zip file. How do you expect ClamAV to scan it
> > packet by
> > packet?  Or any other data really.  I think there are very few wild
> > signatures in database that are allowed to match any position
> > anywhere in a "file".  Only reliable way is to scan a complete
> > file, so it knows the length and can decode it properly etc.
> >
(Continue reading)

Schubling | 21 Jul 17:39 2015

Clamdscan on centos 7 and Apache

Hello,

We're trying to use clamav on a centos 7 server in order to scan
directly uploaded files on our web apps (Moodle for example). When
trying to execute a clamdscan from apache, we got this error (the file
belongs to apache:apache and has correct rights 755):

<?php
// Ask clamd (through clamdscan) to scan the uploaded file. --fdpass hands clamd
// an already-open file descriptor instead of a path, so clamd itself does not
// need read access to the file.
exec('/usr/bin/clamdscan --stdout --fdpass /var/www/html/test/filetoscan', $output, $return);
print "<pre>";
print_r($output);   // the scan output lines
print_r($return);   // clamdscan exit code: 0 = clean, 1 = infected, 2 = error
?>

And the return is:

Array
(
[0] => Failed to parse reply: "No file descriptor received. ERROR"
[1] =>
[2] => ----------- SCAN SUMMARY -----------
[3] => Infected files: 0
[4] => Total errors: 1
[5] => Time: 0.000 sec (0 m 0 s)
)
2

Of course, if we try to do it directly through the command line, we get the
same error.
(Continue reading)

Jörg Stephan | 21 Jul 16:55 2015

HackingTeam hashes

Hi there,

I guess you know that a team has released a tool to check for HackingTeam
files. They provided a test tool including the file hashes of the files.

As I seem to be "under"-skilled to create a database for this, I will
hand this over to you... maybe you can do better than I can.

-- 
Regards

Joerg Stephan
IDSBlog: http://sendmespamids.blogspot.nl/
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Robert Boyl | 17 Jul 16:48 2015

Re: clamav-users Digest, Vol 130, Issue 9

Thanks, will report it.

2015-07-15 13:00 GMT-03:00 <clamav-users-request <at> lists.clamav.net>:

> Send clamav-users mailing list submissions to
>         clamav-users <at> lists.clamav.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> or, via email, send a message with subject or body 'help' to
>         clamav-users-request <at> lists.clamav.net
>
> You can reach the person managing the list at
>         clamav-users-owner <at> lists.clamav.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of clamav-users digest..."
>
>
> Today's Topics:
>
>    1. Banload not detected (Robert Boyl)
>    2. Re: Banload not detected (Alain Zidouemba)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 14 Jul 2015 13:22:35 -0300
> From: Robert Boyl <robertboyl <at> gmail.com>
(Continue reading)

P K | 3 Jul 06:54 2015

Re: clamav-users Digest, Vol 130, Issue 2

I agree Henrik.

But my question is: if we are supplying text unzipped data of 10-20M and if
clamAv reads all 10-20M of data before scanning, it's a big overhead in the
clamAv server and in the infrastructure providing data to it, since they have
to buffer the complete 10-20M of data.

It will increase CPU and memory use of the infrastructure.

I think other commercial anti-virus vendors are supporting streaming mode
for virus scanning.

Thanks

On Thu, Jul 2, 2015 at 9:30 PM, <clamav-users-request <at> lists.clamav.net>
wrote:

> Send clamav-users mailing list submissions to
>         clamav-users <at> lists.clamav.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> or, via email, send a message with subject or body 'help' to
>         clamav-users-request <at> lists.clamav.net
>
> You can reach the person managing the list at
>         clamav-users-owner <at> lists.clamav.net
>
> When replying, please edit your Subject line so it is more specific
(Continue reading)

kmatsui | 19 Jul 10:46 2015

The number of scanned files by clamdscan

I've installed ClamAV on debian jessie.
I want to check the number of scanned files by clamdscan.

$ find /tmp/folder1/ -type f
/tmp/folder1/1.txt
/tmp/folder1/folder2/3.txt
/tmp/folder1/2.txt

$ clamdscan -v /tmp/folder1/
/tmp/folder1: OK
----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.000 sec (0 m 0 s)

The number of scanned files is unclear.

$ clamdscan -v /tmp/folder1/*
/tmp/folder1/1.txt: OK
/tmp/folder1/2.txt: OK
/tmp/folder1/folder2: OK
----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.000 sec (0 m 0 s)

This method doesn't scan /tmp/folder1/folder2/3.txt .

$ find /tmp/folder1/ -type f | while read line ; do clamdscan -v "${line}" ; done
/tmp/folder1/1.txt: OK
----------- SCAN SUMMARY -----------
(Continue reading)
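Both the "No file descriptor received" error from Apache above and the question of how many files clamdscan actually scanned go away if the scanning client streams file bytes to clamd itself instead of calling clamdscan. The following is an added example, not code from the list or from the ClamAV project: a small client for clamd's INSTREAM command (the framing and reply format are the ones described in clamd(8)) plus a directory walk that counts per-file verdicts. The socket path CLAMD_SOCKET and the function names are mine; set the path to the LocalSocket value in your clamd.conf.

```python
"""Scan files by streaming their bytes to clamd (INSTREAM) and count what was scanned.

Added example, not ClamAV's own code. Assumes clamd listens on the local Unix
socket CLAMD_SOCKET (LocalSocket in clamd.conf).
"""
import os
import socket
import struct
from typing import Callable, Iterator, Optional, Tuple

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"   # assumption: match LocalSocket in clamd.conf
CHUNK_SIZE = 64 * 1024                        # keep well under clamd's StreamMaxLength

Verdict = Tuple[str, Optional[str]]           # ("OK", None) / ("FOUND", name) / ("ERROR", msg)


def instream_frames(data: bytes, chunk_size: int = CHUNK_SIZE) -> Iterator[bytes]:
    """Yield the INSTREAM wire frames: the null-terminated command, each chunk
    prefixed by its 4-byte big-endian length, then a zero-length chunk.
    clamd buffers the whole stream and scans after the terminator, so INSTREAM
    removes the shared-filesystem requirement, not the buffering."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        yield struct.pack(">I", len(chunk)) + chunk
    yield struct.pack(">I", 0)


def parse_reply(reply: bytes) -> Verdict:
    """Classify a clamd reply. Anything that is not an explicit OK or FOUND is
    reported as ERROR, so a broken reply is never taken as a clean result."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" ERROR"):               # e.g. "No file descriptor received. ERROR"
        return "ERROR", text[:-len(" ERROR")]
    _, _, status = text.partition(": ")       # "stream: OK" / "stream: Name FOUND"
    if status == "OK":
        return "OK", None
    if status.endswith(" FOUND"):
        return "FOUND", status[:-len(" FOUND")]
    return "ERROR", text


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET) -> Verdict:
    """Send data to clamd over the Unix socket and return the verdict. Nothing
    touches the disk and clamd never needs read access to the upload, which
    sidesteps the fdpass and file-permission problems of calling clamdscan."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(60)
        sock.connect(sock_path)
        for frame in instream_frames(data):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):      # z-prefixed commands get a null-terminated reply
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


def scan_tree(root: str, scan: Callable[[bytes], Verdict] = scan_bytes) -> dict:
    """Walk root recursively, scan every regular file and return per-file counts
    (clamdscan -v on a directory prints one line for the directory, which is why
    the count is unclear there). scan is injectable so the walk can be
    exercised without a running clamd."""
    counts = {"scanned": 0, "infected": 0, "errors": 0, "found": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):      # skip dangling symlinks, sockets, etc.
                continue
            with open(path, "rb") as fh:
                status, detail = scan(fh.read())
            counts["scanned"] += 1
            if status == "FOUND":
                counts["infected"] += 1
                counts["found"].append((path, detail))
            elif status == "ERROR":
                counts["errors"] += 1
    return counts


if __name__ == "__main__":
    import sys
    summary = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("Scanned files: %d, infected: %d, errors: %d"
          % (summary["scanned"], summary["infected"], summary["errors"]))
    for path, sig in summary["found"]:
        print("%s: %s FOUND" % (path, sig))
```

Run it as `python3 scan_tree.py /tmp/folder1` to get a "Scanned files: 3" line for the three files in the post. From PHP the same INSTREAM exchange can be done over a Unix socket with the standard socket functions, and because the bytes travel over the socket the web server user only needs access to the socket, not to a path clamd can read.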

Daphne Galme (daphgalm | 17 Jul 00:30 2015

FP Detection / Reclassify Request

Hi,

I submitted this info several days ago (and someone else also did, several weeks ago) for FP.

File MD5: 574e52839d9453a0c0b9c32c11f6157e
File SHA1: 8530c174909e06ebfde906b94a7c4777aa9dd4a6

I’m still seeing it on VirusTotal though as Win.Trojan.Genpack-445 for ClamAV.

If it’s ok, I’d like to know how long it takes you to process an FP request. And once it’s processed, do you publish
the result/change in VT right away?

Thanks a bunch!

Daphne


P K | 16 Jul 17:28 2015

ClamAv not detecting virus when Uploaded as file

Hi Guys,

I am trying to send EICAR data to ClamAv by two ways:

1. By sending eicar file data as POST data -> It detects it as virus.

     command -> curl -X POST -d @eicar.com.txt http://localhost/test.html

     POST /abcd.html HTTP/1.1
     User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
     Accept: */*
     Content-Length: 68
     Content-Type: application/x-www-form-urlencoded

      44
     X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
      0

2. When I send the same with a file -> it doesn't detect the virus.

     command -> curl -i -F name=eicar.com.txt -F filedata=@eicar.com.txt http://localhost/test.html

      POST / HTTP/1.1
      User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
      Accept: */*
      Content-Length: 369
(Continue reading)
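The two captures differ in what surrounds the 68 EICAR bytes: the first body is the test string itself inside one chunked-transfer chunk (0x44 = 68 bytes), the second wraps it in a multipart/form-data envelope with its own boundary lines and part headers. A scanner fed the raw request body sees two different objects. The added example below, which is not from the post or from ClamAV, shows the decoding an HTTP-side scanner has to do before handing content to the engine: it reassembles a chunked body and extracts the file parts of a multipart body. Both request bodies are constructed here from the captures in the post; the boundary value and all function names are mine.

```python
"""Pull the uploaded file out of an HTTP request body before scanning it.

Added example, not part of the original post or of ClamAV. The bodies below
are constructed to match the two captures in the post.
"""
import re
from typing import List, NamedTuple, Optional

# EICAR test string (68 bytes), as in the post's capture; harmless by design.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed chunked body for case 1: one 0x44-byte chunk, then the terminator.
CHUNKED_BODY = b"44\r\n" + EICAR + b"\r\n0\r\n\r\n"

# Constructed multipart body for case 2 (curl -F name=... -F filedata=@eicar.com.txt).
BOUNDARY = "----ConstructedBoundary5f3a"   # constructed value, not from the capture
MULTIPART_CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY


def _part(headers: bytes, content: bytes) -> bytes:
    return b"--" + BOUNDARY.encode() + b"\r\n" + headers + b"\r\n\r\n" + content + b"\r\n"


MULTIPART_BODY = (
    _part(b'Content-Disposition: form-data; name="name"', b"eicar.com.txt")
    + _part(b'Content-Disposition: form-data; name="filedata"; filename="eicar.com.txt"\r\n'
            b"Content-Type: text/plain", EICAR)
    + b"--" + BOUNDARY.encode() + b"--\r\n"
)


class Part(NamedTuple):
    name: Optional[str]
    filename: Optional[str]
    content_type: Optional[str]
    payload: bytes


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (hex size line, data, CRLF,
    ..., zero-size chunk). Chunk extensions and trailers are ignored."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


def boundary_from_content_type(content_type: str) -> str:
    m = re.search(r'boundary=(?:"([^"]+)"|([^;\s]+))', content_type)
    if not m:
        raise ValueError("multipart Content-Type without boundary")
    return m.group(1) or m.group(2)


def _disposition_params(value: str) -> dict:
    """'form-data; name="x"; filename="y"' -> {'name': 'x', 'filename': 'y'}"""
    params = {}
    for item in value.split(";")[1:]:
        key, _, val = item.strip().partition("=")
        params[key.strip().lower()] = val.strip().strip('"')
    return params


def parse_multipart(body: bytes, boundary: str) -> List[Part]:
    """Split a multipart body into parts (RFC 2046 framing: "--boundary" CRLF
    headers CRLF CRLF content CRLF, closed by "--boundary--")."""
    delimiter = b"--" + boundary.encode()
    parts: List[Part] = []
    for segment in body.split(delimiter)[1:]:   # [0] is the preamble
        if segment.startswith(b"--"):           # closing delimiter reached
            break
        if not segment.startswith(b"\r\n"):
            raise ValueError("boundary line not terminated by CRLF")
        head, sep, content = segment[2:].partition(b"\r\n\r\n")
        if not sep or not content.endswith(b"\r\n"):
            raise ValueError("malformed part")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, val = line.partition(":")
            headers[key.strip().lower()] = val.strip()
        disp = _disposition_params(headers.get("content-disposition", ""))
        parts.append(Part(disp.get("name"), disp.get("filename"),
                          headers.get("content-type"), content[:-2]))
    return parts


def uploaded_files(body: bytes, content_type: str) -> List[Part]:
    """Return only the parts that carry a file: the bytes worth scanning."""
    return [p for p in parse_multipart(body, boundary_from_content_type(content_type))
            if p.filename is not None]
```

Whatever a given signature does with the envelope, the decoded payload is the object the upload actually delivers, so that is what should reach the scanner; the envelope itself (field names, boundary, part headers) is transport framing and can be discarded once the parts are separated.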

Bowie Bailey | 16 Jul 17:21 2015

gpg key

Where can I find the gpg key for the clamav tarball?  I've poked through 
the website and sourceforge and can't find it anywhere.

-- 
Bowie

Robert Boyl | 14 Jul 18:22 2015

Banload not detected

Dear Sir,

Our mail server Qmail has latest ClamAV:

main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cld is up to date (version: 20691, sigs: 1477959, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 265, sigs: 47, f-level: 63, builder: neo)

But it did NOT detect a virus which is detected by Clam.

This one:
https://www.virustotal.com/pt/file/eb495bcdfb517743ced48d1b165b046739fb621cc693cb09fed8c879684851f3/analysis/1436790221/

I see it was added in the June update:

The following submissions have been processed and published:
-  Win.Trojan.Banload-6197
-  Win.Trojan.Banload-6198

See http://lists.clamav.net/pipermail/clamav-virusdb/2015-June/

Pls advise?

Thanks,
Robert
(Continue reading)
