Bumped to find out current status of this one as I didn't see any of our questions answered last week.
Is this an active signature or just listed in a disabled section? sigtool doesn't find it either. Last I checked it was up to v1.4 to work with iOS 6.1.2. Are you trying to keep up with the changes or can we all ignore it?

Also thought it might be appropriate to point out that Apple never added it to its own XProtect system which I would expect them to have done if they considered it a threat.

-Al-

-------------------------------------------

And during the time we've all been talking about this, evasi0n has been revised several times and is now at v1.3 since Monday, Feb 11, so even if the more accurate signature was active, it would not catch any of the more recent releases:

evasi0n-mac-1.3-1cb32faf1e4f4f6c890e6fcbeb004cb694c386f5-release.dmg
https://www.virustotal.com/en/file/7b4bafa6e1278eb72bb7683b8eb10e266a556be73cfdf07212a9c333e60f8e21/analysis/1361073803/
MD5: de1bb84cefc9869fd94d58db83f595ac

-Al

----------------------------------------------

<snip>

Osx.Exploit.Iosjailbreak-1 does appear in <http://clamav-du.securesites.net/cgi-bin/clamgrok> and I can locate it in daily.cvd, but it appears to be in the disabled section and a scan of my evasi0n-mac-1.0-3c53ba10e2448d311b0f4157f2d7eb568f106c4f-release.dmg sample with ClamXav does not identify it as infected.

So it would seem that both statements are true. There is a modified signature in the database, but it was removed from active use, is that correct?

-Al-

On 2/16/13 11:16 AM, "Joel Esler" wrote:

We dropped the original signature, and have replaced it with a much more accurate one.

--
Joel Esler
Sent from my iPhone

On Feb 16, 2013, at 1:48 PM, Jim Preston <jimli...@commspeed.net> wrote:

> Note: I have combined two messages for clarity
>
> On 02/14/2013 09:50 AM, Joel Esler wrote:
>> In any case. This signature was dropped a couple days ago, and beyond that,
>> users can ignore it on their end.
>>
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> Open Source Community Manager
>
>
> On 02/16/2013 05:15 AM, Joel Esler wrote:
>> Thanks to you all for your input on this matter. I don't think we need to
>> continue this thread any further.
>>
>> The signature is in place. If users want to remove the jailbreak from
>> quarantine or whitelist the signature, they are more than welcome to do so.
>>
>> We apologize if this has caused any inconvenience for anyone. ClamAV runs in
>> all kinds of places, from the Linux desktop to the mail filter, to the
>> enterprise AV solution. Trying to anticipate the needs of everyone is
>> impossible, and sometimes we have to rely on the flexibility and openness of
>> the project.
>>
>> We appreciate your feedback and again, apologize for any inconvenience it has
>> caused.
>>
>> --
>> Joel Esler
>> Sent from my iPhone
>>
>> On Feb 16, 2013, at 6:26 AM, Peter Bonivart <boniv...@opencsw.org> wrote:
> [snip]
>
> I have to agree we have beat this enough and now digressed to who is in the
> majority, "honest" or "jailbreaking" iphone users.
>
> This reply is just to request a clarification on Joel's statements. They
> appear to be conflicting in my opinion. To end this thread, please clarify the
> signature status, is or is not evasi0n currently being detected? I am fine
> with either and using a local solution (whitelist or .ign).
>
> And while I could query the databases to find out, I did want the answer in
> the thread.
>
> --
> Jim Preston

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml