Andrew McGlashan | 31 Mar 22:19 2016

Email.Phishing.DblDom-60 -- issue

Hi,
  --  resend ????? ---

I have server log messages coming through that are being rejected as
having "Email.Phishing.DblDom-60" ....

How can I determine what it is that is triggering this claim?

Thanks
AndrewM
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Steve Basford | 31 Mar 17:09 2016

Re: Email.Phishing.DblDom-60 -- issue


On Thu, March 31, 2016 4:01 pm, Alessandro Vesely wrote:
> This was a false positive itself.  I got:
> Virus-Found: Email.Phishing.DblDom-53
> Sanesecurity.Phishing.Cur.744.UNOFFICIAL
>
Thanks for the FP report. Fixed

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity


polloxx | 31 Mar 15:33 2016

PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1

Since the new Clamav database we have a lot more false positives for
PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1.
What can we do about this, except disabling PUA?

p.

Andrew McGlashan | 30 Mar 18:23 2016

Email.Phishing.DblDom-60 -- issue

Hi,

I have server log messages coming through that are being rejected as
having "Email.Phishing.DblDom-60" ....

How can I determine what it is that is triggering this claim?

Thanks
AndrewM

Matthias Hank | 30 Mar 10:54 2016

Whitelisting a signature

Hi,

we have a problem with a lot of false positives of signature
"Email.Phishing.Bank-1204"

We are running ClamAV 0.95.2 and I tried to create a local.ign DB
which contains

main.cvd:1204:Email.Phishing.Bank-1204

but that did not help.

Can anybody help how to whitelist this sig?

Updating ClamAV is not possible atm.

Greetings,

Matze
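
The three questions above (what Email.Phishing.DblDom-60 is actually matching, what to do about PUA.Pdf.Trojan.EmbeddedJS-1 short of switching PUA off, and how to whitelist Email.Phishing.Bank-1204 on 0.95.2) come down to the same two steps: look at the signature, then ignore it locally. The shell below is an added example, not ClamAV code and not from any of the posters. It assumes the stock sigtool, clamscan and clamdscan binaries, a database directory of /var/lib/clamav unless DBDIR is set, and, for the old .ign format only, that the first field is the unpacked database file's name; that last point is marked as an assumption in the code and should be checked against the documentation of the release in use. A local.ign2 entry disables one signature, PUA or not, so PUA as a whole can stay on.

```shell
#!/bin/sh
# Added example, not ClamAV project code. Assumes the stock sigtool,
# clamscan and clamdscan binaries and that the databases live in $DBDIR.
DBDIR="${DBDIR:-/var/lib/clamav}"

# What does a signature look for? --find-sigs prints the raw database
# line(s) whose name matches the regex, --decode-sigs turns the hex or
# logical body into something readable. Both exist from ClamAV 0.96 on.
explain_sig() {
    sigtool --datadir="$DBDIR" --find-sigs="$1" | sigtool --decode-sigs
}

# Signature names are plain identifiers (letters, digits, '.', '_', '-').
valid_signame() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Disable a signature on 0.96 and later: one name per line in
# $DBDIR/local.ign2, spelled as it is in the database file, i.e. without
# the .UNOFFICIAL suffix clamd adds when reporting a third-party hit.
# Idempotent; returns 2 on a malformed name.
ign2_add() {
    sig="$1"; file="${2:-$DBDIR/local.ign2}"
    valid_signame "$sig" || { echo "bad signature name: $sig" >&2; return 2; }
    if [ -f "$file" ] && grep -qxF -- "$sig" "$file"; then return 0; fi
    printf '%s\n' "$sig" >> "$file"
}

# Lint an .ign2 file: every line a bare name, optionally followed by
# ":<md5 of the database entry>", which ClamAV also accepts.
ign2_lint() {
    awk '/^[A-Za-z0-9._-]+(:[0-9a-fA-F]+)?$/ { next }
         { bad = 1; print FILENAME ":" FNR ": " $0 > "/dev/stderr" }
         END { exit bad }' "$1"
}

# 0.95 has no .ign2. Its .ign format is db_name:line_number:signature_name,
# and the middle field is the line of the signature inside the database,
# not the number that ends the signature name. Unpack first:
#   cd "$tmp" && sigtool --unpack "$DBDIR/main.cvd"
# then this prints candidate .ign lines. ASSUMPTION: the first field is the
# unpacked file's basename (main.ndb etc.); confirm against the signature
# documentation shipped with the installed release before relying on it.
ign_lines_for() {
    dir="$1"; sig="$2"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" -v sig="$sig" '
            { n = split($0, a, "[:;]")
              for (i = 1; i <= n; i++) if (a[i] == sig) { print file ":" FNR ":" sig; break } }' "$f"
    done
}

# Prove the whitelist before touching the daemon: scan the false positive
# against the directory that now holds local.ign2; no output means no hit.
# Then "clamdscan --reload" (or restart clamd) so it picks the file up.
check_whitelisted() {
    clamscan --quiet --infected --database="$DBDIR" "$1"
}
```

Usage: `explain_sig Email.Phishing.DblDom-60`, then `ign2_add PUA.Pdf.Trojan.EmbeddedJS-1` and `check_whitelisted /path/to/false-positive.pdf` before the reload.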

C.D. Cochrane | 25 Mar 22:06 2016

Locky Dridex plan

Hi,
I receive a Locky-ransomware variant almost every day as an email attachment.  So far ClamAV has failed to
detect it.  Each file has had a unique signature.  Does ClamAV have a detection plan and/or work in progress
that will start to detect future variants of this?
thanks,
Chris

Konstantin | 24 Mar 22:29 2016

Unexpected behaviour

Hello

I have 2 Gentoo based SMTP servers. Both hosts have the same packages
installed with the same USE flags.
I'm using clamav-0.98.7 with amavisd. Output from clamconf attached to
this message. Clamav settings and signature files are equal.

I have a custom signature
e350ca9b3b6ddbdabd3845a66f755f22122b8eb5ed79b9d19bd87e34e4aa5008:340992:Trojan.DNC4
for this doc file
https://malwr.com/analysis/ZTdiYjRiMDZlNzEyNDUwZmI3OTdiYjg4NTYxMDMyNmM/

Both hosts found malware in this file with clamscan command. No
problem in this case.

Here is the problem i have.
When a message is scanned with clamd, only host1 detects the trojan with
the custom signature.
host1:
echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat - "UNIX-CONNECT:/var/run/clamav/clamd.sock"
/tmp/feb_invoice_1426277.doc: Trojan_Generic.DNC4.UNOFFICIAL FOUND

host2 detects it as Heuristics.OLE2.ContainsMacros:
echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat - "UNIX-CONNECT:/var/run/clamav/clamd.sock"
/tmp/feb_invoice_1426277.doc: Heuristics.OLE2.ContainsMacros FOUND

Another interesting thing is that host1 detects that trojan not by the
signature with size 340992 (the original doc file).
(Continue reading)
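
As an added example (mine, not Konstantin's and not ClamAV project code): the hash signature format from the post, built from a file and checked against a database without a daemon, next to the two scan paths being compared. A hash signature matches one exact byte stream, which is the first thing to keep in mind when a hit comes back under a different size or name than the custom entry. The sample file, the database contents and the sha256_of/size_of helpers are constructed here; the clamd socket path is the one from the post.

```shell
#!/bin/sh
# Added example, not ClamAV project code: build and test hash signatures of
# the kind used in the post (sha256:size:name is the .hsb format; the .hdb
# format is md5:size:name). Needs sha256sum or shasum, and socat for clamd.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}
size_of() { wc -c < "$1" | tr -d ' '; }

# Emit the .hsb line for FILE. A hash signature matches exactly this byte
# stream and nothing else: not a re-saved copy, and not the container when
# the hashed bytes were an object libclamav extracts from it (OLE2 streams,
# archive members), which is why a hit can come back with a size other than
# the one in your own signature.
hsb_line() {
    printf '%s:%s:%s\n' "$(sha256_of "$1")" "$(size_of "$1")" "$2"
}

# Plain-file re-implementation of the hash match, to check a database
# without a running daemon: prints the name of every entry in DB whose
# size and sha256 equal FILE's. "*" as size is the wildcard newer releases
# accept. Containers are not unpacked here, unlike in libclamav.
hsb_match() {
    awk -F: -v h="$(sha256_of "$1")" -v s="$(size_of "$1")" \
        'NF >= 3 && $1 == h && ($2 == s || $2 == "*") { print $3 }' "$2"
}

# The two scan paths from the post, side by side. If only clamscan fires,
# the daemon is not loading the file the custom signature lives in: compare
# DatabaseDirectory in the clamconf output of both hosts, put the .hsb
# there, and send clamd a RELOAD (clamdscan --reload).
scan_both_ways() {
    file="$1"; db="$2"; sock="${CLAMD_SOCKET:-/var/run/clamav/clamd.sock}"
    echo "clamscan:"; clamscan --quiet --infected --database="$db" "$file"
    echo "clamd:";    printf 'CONTSCAN %s\n' "$file" | socat - "UNIX-CONNECT:$sock"
}
```

Usage: `hsb_line feb_invoice_1426277.doc Trojan.DNC4 >> /var/lib/clamav/custom.hsb`, then `hsb_match feb_invoice_1426277.doc /var/lib/clamav/custom.hsb` to confirm the entry before asking either scanner.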

Dave McMurtrie | 24 Mar 12:05 2016

Curious clamd behavior

Hi,

I created a local pdb database so I can catch phishing attempts when
URLs in an email display our domain name but actually link to a
malicious URL.  In testing, I found something that I don't understand.

When I run clamdscan on a test message it correctly detects a spoofed
domain in the message.  When my MTA connects to the clamd socket and
asks it to scan the same exact message, it does not detect it.

I ran into a very similar problem before with a gdb database and never
did figure it out.  The big difference that I notice in looking at
libclamav debug output is that when I ran clamdscan it detects it to be
an email message and it calls cli_scanmail():

LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized ASCII text
LibClamAV debug: Matched signature for file type Mail file
LibClamAV debug: cache_check: 2abdd56b32d91583175dfd071e7019d1 is negative
LibClamAV debug: Starting cli_scanmail(), recursion = 1

However, when my MTA connects to clamd it does not:

LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized ASCII text
LibClamAV debug: cache_check: 94e3a1ba1c23e73cb98e9a8e8a801479 is positive
LibClamAV debug: cli_magic_scandesc: returning 0 at line 2791 (no post, no cache)
(Continue reading)
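
The two debug excerpts differ in the cache_check digest before they differ in anything else, and that is where I would start: a "positive" entry means those exact bytes were scanned before and found clean, so libclamav returns at once and the mail-specific scan never runs. The script below is an added example, not libclamav code. It assumes the 32-hex digest on the cache_check line is the MD5 of the bytes being scanned; the sample message, its CRLF variant and the log lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not libclamav code. ASSUMPTION: the 32-hex digest that the
# "cache_check: <digest> is positive|negative" debug line prints is the MD5
# of the bytes being scanned (the clean-file cache key; "positive" = seen
# before and clean, so the scan returns before any type-specific handling).
# Needs md5sum or md5.

md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1"; else md5 -q "$1"; fi | awk '{ print $1 }'
}

# Print "<digest> <verdict>" for every cache_check line in a debug log.
cache_checks() {
    awk '{ for (i = 1; i + 3 <= NF; i++)
             if ($i == "cache_check:" && $(i+2) == "is") print $(i+1), $(i+3) }' "$1"
}

# Did clamd hash the same bytes as the file on disk? 0 if FILE's MD5 occurs
# as a cache_check digest in LOG, 1 otherwise. A miss means the MTA handed
# clamd different bytes (headers added or removed, CRLF vs LF, a decoded
# copy), and those bytes are what the file-type detection ran on.
log_matches_file() {
    cache_checks "$1" | awk -v h="$(md5_of "$2")" '$1 == h { found = 1 } END { exit !found }'
}

# The most common difference between a saved message and what a milter or
# content filter streams to clamd: line endings. Write a CRLF copy of SRC.
crlf_copy() {
    awk '{ printf "%s\r\n", $0 }' "$1" > "$2"
}
```

Usage: run clamd with Debug enabled, capture the log around the MTA's scan, then `log_matches_file clamd.log test.eml`; if it fails, dump what the MTA actually sends (a tcpdump on the socket or the MTA's own debug) and compare that to the file clamdscan was given.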

Andrew McGlashan | 24 Mar 08:29 2016

GPG key verification please

Hi,

Can someone 'official' please verify the GPG key used for signing files?

gpg --verify clamwin-0.99-setup.exe.asc clamwin-0.99-setup.exe

gpg: Signature made 01/17/16 14:36:59 AUS Eastern Daylight Time using DSA key ID 8CC6DDB4
gpg: Good signature from "ClamWin Free Antivirus Software Distribution (For signing ClamWin Free Antivirus source code and binaries) <clamwin@clamwin.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF56 551A 55CD E5A6 DEC6  1847 0839 CC71 8CC6 DDB4

gpg --list-sigs --keyid-format long --fingerprint --fingerprint clamwin

pub   1024D/0839CC718CC6DDB4 2005-06-09
      Key fingerprint = DF56 551A 55CD E5A6 DEC6  1847 0839 CC71 8CC6 DDB4
uid               [ unknown] ClamWin Free Antivirus Software Distribution (For signing ClamWin Free Antivirus source code and binaries) <clamwin@clamwin.com>
sig 3        0839CC718CC6DDB4 2005-06-09  ClamWin Free Antivirus Software Distribution (For signing ClamWin Free Antivirus source code and binaries) <clamwin@clamwin.com>
sub   2048g/98E5FBFAE4BADE44 2005-06-09
      Key fingerprint = 272E 7BE7 8A8C 513D 1E3A  C9CF 98E5 FBFA E4BA DE44
sig          0839CC718CC6DDB4 2005-06-09  ClamWin Free Antivirus Software Distribution (For signing ClamWin Free Antivirus source code
(Continue reading)
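
Once someone has confirmed the fingerprint out of band, the useful follow-up is to stop reading gpg's human output and pin that fingerprint in the download check, so the "not certified with a trusted signature" warning (which is about the web of trust, not about this key) never needs interpreting again. The script below is an added example, not ClamWin or ClamAV tooling. The fingerprint is the one shown in the post and still has to be verified through a second channel before it is pinned; the keyring path is an assumption, and the status lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not ClamWin or ClamAV tooling. Pins the fingerprint shown
# in the post; confirm it through a second channel (project site over
# HTTPS, another machine's keyring, a maintainer) before using it.
PINNED_FPR="DF56551A55CDE5A6DEC618470839CC718CC6DDB4"

# Decide from gpg --status-fd output (the machine-readable lines documented
# in GnuPG's doc/DETAILS) whether the input was signed by the pinned key.
# Only VALIDSIG carries the full fingerprint: GOODSIG gives a 64-bit key id,
# which is too short to pin. TRUST_UNDEFINED (the "not certified" warning)
# does not matter once the fingerprint itself is what we check.
# Reads status lines on stdin; returns 0 only for a valid signature from
# the pinned key and no BADSIG.
status_signed_by() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "BADSIG" { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            fpr = $3
            if (NF >= 12) fpr = $12      # primary-key fingerprint when a subkey signed
            if (toupper(fpr) == toupper(want)) ok = 1
        }
        END { exit !(ok && !bad) }'
}

# Run gpg against an isolated keyring that holds only the pinned key (an
# assumed path; populate it once with
#   gpg --no-default-keyring --keyring "$keyring" --import clamwin-key.asc)
# and feed its status lines to the check. --status-fd 1 puts the status
# lines on stdout; gpg's human-readable chatter stays on stderr.
verify_pinned() {
    sig="$1"; file="$2"; keyring="${3:-$HOME/.gnupg/clamwin.kbx}"
    gpg --batch --no-default-keyring --keyring "$keyring" --status-fd 1 \
        --verify "$sig" "$file" 2>/dev/null | status_signed_by "$PINNED_FPR"
}
```

Usage: `verify_pinned clamwin-0.99-setup.exe.asc clamwin-0.99-setup.exe && echo OK`. Pinning only answers "was this signed by the holder of that key"; the listing shows a 1024-bit DSA primary key from 2005, which is below current key-size recommendations however carefully the fingerprint was checked.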

Marco | 23 Mar 11:12 2016

signature by recipient or domain (clamav-milter)?

Hello,

  I would like to exclude a set of signatures only for a defined list
of recipient domains.

I would appreciate an ExcludeSignatures option, a kind of whitelist table with

<SignatureDBFile>  <recipient fqdn>

Can I already achieve this with some configuration?

Thank you very much
Best Regards
Marco


Al Varnell | 23 Mar 08:00 2016

Re: No updates with signatures for last few days.

There were two updates today:
> Datefile:       daily
> Version:        21468
> Publisher:      Alain Zidouemba
> New Sigs:       5
> Dropped Sigs:   1
> Ignored Sigs:   2

> Datefile:       daily
> Version:        21469
> Publisher:      Joel Esler
> New Sigs:       0
> Dropped Sigs:   0
> Ignored Sigs:   2
The ignored sigs were the same in both updates.

These would appear to be test runs and there was earlier traffic indicating the ignore function might not be
working properly.

-Al-

On Tue, Mar 22, 2016 at 11:49 PM, ANANT S ATHAVALE wrote:
> 
> List,
> 
> I am getting the same output as shown below and don't find any updates
> happening with signature count.  Any issues with my setup? 
> 
> ClamAV update process started at Wed Mar 23 08:59:00 2016
> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder:
(Continue reading)

