This virus seems to be a very basic one, yet it is still not detected by ClamAV.
Do antivirus programs like Immunet add logical signatures on top of the
static signatures provided by the official ClamAV anti-virus database? Or am I
missing something?

Please clarify.

Thanks

Gaurav Singh
Software Engineer

On Fri, Sep 14, 2012 at 8:53 PM, gaurav singh
<gaurav.the.iiit...@gmail.com> wrote:

> I have successfully submitted the file to sigmaker through the web
> interface at http://www.clamav.net/, but it was successfully detected
> as a w32.generic.trojan virus by Immunet 3.0 (which is based on the ClamAV
> engine) on Windows.
>
> Also, I have attached the complete log.
>
>
> Please help.
>
> Thanks
> Gaurav Singh
>
> On Fri, Sep 14, 2012 at 7:20 PM, David Raynor <dray...@sourcefire.com> wrote:
>
>> On Fri, Sep 14, 2012 at 1:36 AM, gaurav singh
>> <gaurav.the.iiit...@gmail.com> wrote:
>>
>> > I have ClamAV with the latest virus database on Ubuntu.
>> > When I try to scan a .exe file which is basically a trojan (detected by
>> > other anti-virus on Windows), it just passes as OK.
>> >
>> > clamscan --debug logs the following messages:
>> >
>> >          ...
>> > LibClamAV debug: Ignoring signature Exploit.PDF-20301
>> > LibClamAV debug: main.hdb loaded
>> > LibClamAV debug: Ignoring signature Worm.Sohanad-8
>> > LibClamAV debug: Ignoring signature Adware.WhenU-6
>> > LibClamAV debug: hashtab.c:Growing hashtable 0xb6e6ec70, because it has exceeded maxfill, old size:16384
>> > LibClamAV debug: hashtab.c: new capacity: 32768
>> > LibClamAV debug: Table 0xb6e6ec70 size after grow:32768
>> > LibClamAV debug: Ignoring signature Trojan.Fakedoc-2
>> > LibClamAV debug: Ignoring signature Trojan.Dropper-5055
>> > LibClamAV debug: hashtab.c:Growing hashtable 0xb6e6ec70, because it has exceeded maxfill, old size:32768
>> > LibClamAV debug: hashtab.c: new capacity: 65536
>> > LibClamAV debug: Table 0xb6e6ec70 size after grow:65536
>> > LibClamAV debug: Ignoring signature Trojan.Dropper-6931
>> > LibClamAV debug: Ignoring signature Trojan.Agent-28377
>> > LibClamAV debug: Ignoring signature Trojan.Dopper
>> > LibClamAV debug: Ignoring signature Trojan.Dropper-10500
>> > LibClamAV debug: Ignoring signature Trojan.SdBot-9715
>> > LibClamAV debug: Ignoring signature Trojan.Dropper-18547
>> > LibClamAV debug: Ignoring signature Trojan.Agent-98408
>> > LibClamAV debug: Ignoring signature Trojan.Agent-118736
>> >                          ...
>> >
>> > Maybe it is ignoring signatures, and that's why it is not detecting the virus.
>> > Please help.
>> >
>> > Thanks
>> > Gaurav Singh
>> > _______________________________________________
>> > Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
>> > http://www.clamav.net/support/ml
>> >
>>
>> The important part of the logs would be closer to the bottom where it is
>> scanning the file. This log section is from engine initialization and
>> signature loading. The ignored signatures within the CVD files are
>> intentional and end up replaced by other more accurate signatures. That
>> should not be the issue.
>>
>> If you come across malware that is not being detected you can send it to
>> our team of sigmakers. You can find details online by going to
>> http://www.clamav.net/ and clicking on the "Submit a file" link.
>> Submissions help us improve detections.
>>
>> Thanks,
>>
>> Dave R.
>>
>> --
>> ---
>> Dave Raynor
>> Sourcefire Vulnerability Research Team
>> dray...@sourcefire.com
>>
>
>