Chris | 15 Jul 05:44 2014

98.4 under Ubuntu 14.04.LTS

I had to get a new box this weekend and since I was starting from
scratch decided to go with Ubuntu instead of the old Mandriva. When
installing from apt-get I find that it's an older version so I decided
to go ahead and install from source since I've done it that way before
on Mandriva. The config.log shows the errors shown here. AFAIK I've got
OpenSSL installed however this distro has got me fuddled in some ways.
The link to the config.log - http://pastebin.com/B3bTDDnX

Thanks for any assistance. This is slow going; luckily I'm retired and
can spend as much time as I want on it.

Chris

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml

Al Varnell | 14 Jul 19:03 2014

Re: Heuristics.Phishing.Email.SpoofedDomain FP fixed upstream?

You have certainly found the correct pair as your message is still showing up immediately as infected here.

Heuristics detections are accomplished by the engine, not a specific signature. The line you found in
daily.hdb identifies this as one of several hundred mostly financial institutions that are analyzed by
the heuristics engine for hyperlinks that do not route the user to a web site with the same or a specifically
associated URL. In this case tdcanadatrust.com has not been associated with aeroplan.com by using an
"M:" whitelist database record.

I'm not sure why a --debug run didn't show this. You should see the words "Phishcheck:" and/or
"cli_magic_scandesc:" somewhere around those domains, as I always do when I run across such FPs.

-Al-
-- 
Al Varnell
Mountain View, CA

On Mon, Jul 14, 2014 at 08:55 AM, Kris Deugau wrote:
> 
> I just came across a FP report for a hit from
> Heuristics.Phishing.Email.SpoofedDomain.
> 
> On checking the message by hand, it no longer triggers this test, either
> on my desktop test/dev system running 0.98.4, or on the production
> servers running 0.97.6.
> 
> Examining the message by hand, the best guess I can make about the
> triggering URL is:

<snip>


Gene Heskett | 12 Jul 00:48 2014

New virus warning on a 2 year old file


home/gene/NookColor/wrar420.exe: Win.Trojan.Small-10237 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3871705
Engine version: 0.98.1
Scanned directories: 16196
Scanned files: 191633
Infected files: 1
Total errors: 1
Data scanned: 17001.15 MB
Data read: 30419.67 MB (ratio 0.56:1)
Time: 9855.813 sec (164 m 15 s)

Methinks this is an FP.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS

Chris | 11 Jul 17:37 2014

Database Warning

Restarting clamd since I made a change to the .conf file I see this:

Starting Clam AntiVirus Daemon: LibClamAV Warning:
**************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************

Latest freshclam run shows:

Fri Jul 11 09:04:07 2014 -> main.cld is up to date (version: 55, sigs:
2424225, f-level: 60, builder: neo)
Fri Jul 11 09:04:07 2014 -> daily.cvd version from DNS: 19181
Fri Jul 11 09:04:10 2014 -> Retrieving
http://db.us.clamav.net/daily-19181.cdiff
Fri Jul 11 09:04:11 2014 -> Trying to download
http://db.us.clamav.net/daily-19181.cdiff (IP: 198.148.78.4)
Fri Jul 11 09:04:11 2014 -> Downloading daily-19181.cdiff [100%]
Fri Jul 11 09:04:12 2014 -> cdiff_apply: Parsed 210 lines and executed
210 commands
Fri Jul 11 09:04:15 2014 -> Loading signatures from daily.cld
Fri Jul 11 09:04:19 2014 -> Properly loaded 1079731 signatures from new
daily.cld
Fri Jul 11 09:04:19 2014 -> daily.cld updated (version: 19181, sigs:
1079715, f-level: 63, builder: neo)

So why is my database out of date?

-- 
Chris

Chris | 10 Jul 22:38 2014

[Heuristics.Structured.SSN]

How do I turn off the above rule? I have this in my /etc/clamd.conf:

# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
StructuredSSNFormatNormal no

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
StructuredSSNFormatStripped no

I don't even know what's causing these FP hits unless it's a URL with a
lot of numbers in it in the message.

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)
15:33:33 up 14 days, 22:02, 1 user, load average: 0.14, 0.22, 0.25
Mandriva Linux 2010.2, kernel 2.6.33.7-desktop586-2mnb


Joel Esler (jesler) | 9 Jul 21:14 2014

ClamAV®: Compiling OpenSSL For Windows

Compiling OpenSSL For Windows

In order to support more advanced features planned in future releases, ClamAV has switched to using
OpenSSL for hashing. The ClamAV Visual Studio project included with ClamAV's source code requires the
OpenSSL distributables to be placed in a specific directory. This article will teach you how to compile
OpenSSL on a Microsoft Windows system and how to link ClamAV against OpenSSL.

Read More here:
http://blog.clamav.net/2014/07/compiling-openssl-for-windows.html

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

Shawn Webb | 9 Jul 15:32 2014

Re: ClamAV(R): ClamAV 0.98.5 beta has been posted!

On Wed, Jul 9, 2014 at 9:01 AM, Frank Elsner <frank <at> moltke28.b.shuttle.de>
wrote:

> On Wed, 9 Jul 2014 14:48:31 +0200 Matus UHLAR - fantomas wrote:
> > >On Tue, 8 Jul 2014 23:15:12 +0000 Joel Esler (jesler) wrote:
> > >> ClamAV 0.98.5 beta has been posted!
> > >> The ClamAV team is proud to announce the availability of ClamAV
> 0.98.5 beta ready for testing!
> >
> > On 09.07.14 13:07, Frank Elsner wrote:
> > >Fedora 17, compiled ok, but
> > >
> > ># service clamav restart
> > >Stopping ClamAV                                            [  OK  ]
> > >Starting ERROR: This tool requires libclamav with functionality level
> 78 or higher (current f-level: 77)
> > >                                                           [FAILED]
> >
> > do you have older clamav (library) installation somewhere by any chance?
>
> No. Same call to configure as for clamav-0.98.4.
>
>
> --Frank Elsner

Hey Frank,

Where is ClamAV installed to? Can you show me the output of: ls
[installbase]/lib/libclamav*


Joel Esler (jesler) | 9 Jul 01:15 2014

ClamAV®: ClamAV 0.98.5 beta has been posted!


ClamAV 0.98.5 beta has been posted!
The ClamAV team is proud to announce the availability of ClamAV 0.98.5 beta ready for testing!

http://blog.clamav.net/2014/07/clamav-0985-beta-has-been-posted.html

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

alex | 8 Jul 16:41 2014

Custom signature question

Hello,

I'm trying to create signatures for clamav, to detect exe and mp3
files. Seems to work for exe, but strangely not for mp3, despite
the fact I did exactly the same in both cases:

Getting signatures for both files:

alex:~$ dd if=exefile.exe count=1 | sigtool --hex-dump
1+0 Datensätze ein
1+0 Datensätze aus
512 Bytes (512 B) kopiert, 2.9117e-05 s, 17.6 MB/s
4d5a90000300000004000000ffff0000b8000000000000004000000000[...]

alex:~$ dd if=mp3file.mp3 count=1 | sigtool --hex-dump
1+0 Datensätze ein
1+0 Datensätze aus
512 Bytes (512 B) kopiert, 2.9032e-05 s, 17.6 MB/s
49443303000000000e4c5452434b00000005000000322d303954454e43[...]

Creating custom ndb:

alex:~$ cat /var/lib/clamav/notallowed.ndb 
filetype.not.allowed.mp3:0:*:4944??
filetype.not.allowed.exe:0:*:4d5a??

Testing:

alex:~$ clamscan exefile.exe 
exefile.exe: filetype.not.allowed.exe.UNOFFICIAL FOUND
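As an added example (not code from the thread or from ClamAV itself), here is a minimal Python matcher for the documented .ndb record format, `Name:TargetType:Offset:HexSignature`, covering only the subset alex's two lines use: target type 0 (any file), a `*` or absolute offset, and `??` byte wildcards. The sample bytes are constructed from the header prefixes shown in the two hex dumps above, padded with zeros, and the assumption is that both records should hit if only the hex pattern mattered.

```python
import re

# CONSTRUCTED samples: the header prefixes from the post's hex dumps, padded.
SAMPLE_EXE = bytes.fromhex(
    "4d5a90000300000004000000ffff0000b8000000000000004000000000") + b"\x00" * 32
SAMPLE_MP3 = bytes.fromhex(
    "49443303000000000e4c5452434b00000005000000322d303954454e43") + b"\x00" * 32

# The two records from the post's notallowed.ndb.
NDB_LINES = [
    "filetype.not.allowed.mp3:0:*:4944??",
    "filetype.not.allowed.exe:0:*:4d5a??",
]


def parse_ndb(line):
    """Split an .ndb record into (name, target_type, offset, hex_body)."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return name, int(target), offset, hexsig.lower()


def hexsig_to_regex(hexsig):
    """Translate a hex body with '??' byte wildcards into a bytes regex."""
    if len(hexsig) % 2 or not re.fullmatch(r"[0-9a-f?]+", hexsig):
        raise ValueError("malformed hex signature: %r" % hexsig)
    parts = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        if pair == "??":
            parts.append(b".")            # any single byte
        elif "?" in pair:
            raise ValueError("nibble wildcards are not handled in this example")
        else:
            parts.append(re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)


def match_ndb(line, data):
    """True if the record's hex body occurs at the record's offset in data."""
    _name, _target, offset, hexsig = parse_ndb(line)
    pattern = hexsig_to_regex(hexsig)
    if offset == "*":                     # anywhere in the file
        return pattern.search(data) is not None
    if offset.isdigit():                  # absolute offset from file start
        return pattern.match(data, int(offset)) is not None
    raise ValueError("offset form not handled in this example: %r" % offset)


def scan(data, lines=NDB_LINES):
    """Names of every record that hits, like clamscan's FOUND lines."""
    return [parse_ndb(l)[0] for l in lines if match_ndb(l, data)]
```

Running `scan()` over both samples reports exactly one hit each, so a pure hex-pattern comparison does not explain the difference alex sees; the rest of the thread, not shown here, is where that has to be resolved.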

DUCARROZ Birgit | 7 Jul 12:04 2014

Win.Trojan.Zwangi-432 / Osx.Exploit.CVE_2006_0848 / PHP.Shell-29

Hello list,

I believe those are false positives.
Please would you check the md5 hashes?
Thank you a lot!
Regards,
Birgit

Win.Trojan.Zwangi-432 FOUND --> md5 --> 9052a26074751a4a3668764ddfac0b55
Osx.Exploit.CVE_2006_0848 FOUND --> md5 --> 92fdafd02acc4f968d897dc861decb7c
PHP.Shell-29 FOUND --> md5 --> b4a09911a5b23e00b55abe546ded691c
Osx.Exploit.CVE_2006_0848 FOUND --> md5 --> 6434722cffeb95b95e32efd6f5523636
Osx.Exploit.CVE_2006_0848 FOUND --> md5 --> f3ce0e00c7277c60903156c7b349e92d

----------- SCAN SUMMARY -----------
Known viruses: 3493754
Engine version: 0.97.8
Infected files: 5


G.W. Haywood | 5 Jul 19:15 2014

Re: clamav 0.98.4 on Centos4

Hi there,

On Sat, 5 Jul 2014, René Bellora wrote:

> this is a server that I don't control ...

Use a different server.

--

73,
Ged.
