Hi Guys, Again troubling you. Can you please let me know why the same virus is not detected for Windows server? Do I need to enable any setting in the ClamAV configuration?
md5sum exploit.pdf
a3e8a7602797c69f6320225e8137d063  exploit.pdf

I was trying to upload the same exploit.pdf virus file (CVE-2009-4324) to a Windows server and it is not detected by the ClamAV antivirus. *I tried with detect-pua also and it didn't work for me*. It works fine with curl and other software. *Maybe we have to handle separately for Windows server*. Looks like it's due to the way Windows servers upload the file using the boundary mechanism. Below is the output of the virus file to ClamAV:

Content-Disposition: form-data; name="__EVENTVALIDATION"

/wEWBAK5276uAwLv4ZO6DgLmgPS1DQL374fcBaj9ZhJYdIZVwZS464ZHv7T3ou6w
-----------------------------21154944191352840482619583850
Content-Disposition: form-data; name="destination"

*/AnalyticsReports
-----------------------------21154944191352840482619583850
Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl05$InputFile"; filename="exploit.pdf"
Content-Type: application/force-download*

%PDF-1.1
1 0 obj
<< /Type /Catalog /Outlines 2 0 R /Pages 3 0 R /OpenAction 5 0 R >>
endobj
2 0 obj
<< /Type /Outlines /Count 0 >>
endobj
3 0 obj
<< /Type /Pages /Kids [4 0 R] /Count 1 >>
endobj
4 0 obj
<< /Type /Page /Parent 3 0 R /MediaBox [0 0 612 792] >>
endobj
5 0 obj
<< /Type /Action /S /JavaScript /JS (
VIRUS DATA .....................
...........................................
spray_heap();
trigger_bug();
) >>
endobj
xref
0 6
0000000000 65535 f
0000000010 00000 n
0000000096 00000 n
0000000145 00000 n
0000000205 00000 n
0000000279 00000 n
trailer
<< /Size 6 /Root 1 0 R >>
startxref
1787
%%EOF
-----------------------------21154944191352840482619583850
Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl05$OverwriteSingle"

on
-----------------------------21154944191352840482619583850
Content-Disposition: form-data; name="__spText1"

-----------------------------2115494419135284048261958385

On Thu, Jul 30, 2015 at 3:39 PM, P K <pkopen...@gmail.com> wrote:

> Thanks Shaun. I saw it's been pushed in the latest update.
>
> Hope to learn more from you guys.
>
> On Wed, Jul 29, 2015 at 7:32 PM, Shaun Hurley <shahu...@sourcefire.com> wrote:
>
>> PK,
>>
>> Thank you for bringing this to our attention.
>>
>> I have created another signature that doesn't rely upon PUA being enabled.
>> As soon as the signature is done being tested for false positives we will
>> publish it.
>>
>> Thanks again,
>> Shaun Hurley
>> ClamAV Malware Team
>>
>> On Tue, Jul 28, 2015 at 10:54 AM, P K <pkopen...@gmail.com> wrote:
>>
>> > Worked properly after enabling PUA.
>> >
>> > Cheers,
>> > --PK
>> >
>> > On Tue, Jul 28, 2015 at 8:14 PM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:
>> >
>> > > On Tue, July 28, 2015 3:41 pm, P K wrote:
>> > > > So how to detect the same in my ClamAV?
>> > > >
>> > >
>> > > Until a proper sig is added, you could try
>> > >
>> > > clamscan --detect-pua=yes
>> > >
>> > > Cheers,
>> > >
>> > > Steve
>> > > Web : sanesecurity.com
>> > > Blog: sanesecurity.blogspot.com
>> > >
>> > > _______________________________________________
>> > > Help us build a comprehensive ClamAV guide:
>> > > https://github.com/vrtadmin/clamav-faq
>> > >
>> > > http://www.clamav.net/contact.html#ml
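The dump above shows what the scanner was handed: not exploit.pdf, but the whole multipart/form-data request body with the PDF sitting between boundary lines and other form fields. A signature written against the bare file will not necessarily match once the file is wrapped that way, so the defensive fix on the server side is to cut the file part out of the body and scan that. The script below is an added example, not code from this thread or from the ClamAV project. It assumes the boundary string uses the digits seen in the dump (the dash count is assumed, since the dump's line breaks were lost), builds a constructed body with the same field names around a benign, JavaScript-free stand-in PDF, extracts every part that carries a filename, and frames it for clamd's INSTREAM command (host 127.0.0.1, port 3310 are assumed defaults; the network call is left commented out so the example runs offline).

```python
"""Added example (not from the thread, not ClamAV project code): pull the uploaded
file out of a multipart/form-data request body so the scanner sees the bare file."""
import hashlib
import re
import socket
import struct

# Digits are the ones in the thread's dump; the leading dash count is an assumption.
BOUNDARY = b"---------------------------21154944191352840482619583850"

# Constructed, benign stand-in for the upload: a minimal PDF with no JavaScript
# and no OpenAction, present only so the example runs offline.
SAMPLE_PDF = (
    b"%PDF-1.1\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF"
)

HEADER_END = re.compile(rb"\r?\n\r?\n")  # blank line separating part headers from data


def build_sample_body(boundary: bytes = BOUNDARY, file_data: bytes = SAMPLE_PDF) -> bytes:
    """Constructed request body shaped like the one in the thread (field names kept)."""
    d = b"--" + boundary
    return (
        d + b'\r\nContent-Disposition: form-data; name="destination"\r\n\r\n/AnalyticsReports\r\n'
        + d + b'\r\nContent-Disposition: form-data; '
        b'name="ctl00$PlaceHolderMain$ctl01$ctl05$InputFile"; filename="exploit.pdf"\r\n'
        b"Content-Type: application/force-download\r\n\r\n" + file_data + b"\r\n"
        + d + b'\r\nContent-Disposition: form-data; '
        b'name="ctl00$PlaceHolderMain$ctl01$ctl05$OverwriteSingle"\r\n\r\non\r\n'
        + d + b"--\r\n"
    )


def boundary_from_content_type(content_type: str) -> bytes:
    m = re.search(r'boundary=(?:"([^"]+)"|([^;\s]+))', content_type)
    if not m:
        raise ValueError("no boundary parameter in Content-Type")
    return (m.group(1) or m.group(2)).encode("ascii")


def parse_multipart(body: bytes, boundary: bytes) -> list:
    delimiter = b"--" + boundary
    parts = []
    # Chunk 0 is the preamble; the closing delimiter is the same string with a "--" suffix.
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break
        m = HEADER_END.search(chunk)
        if m is None:
            continue  # malformed part: no blank line between headers and content
        raw_headers = chunk[: m.start()].lstrip(b"\r\n")
        content = chunk[m.end():]
        # The line break before the next delimiter is syntax, not file data.
        if content.endswith(b"\r\n"):
            content = content[:-2]
        elif content.endswith(b"\n"):
            content = content[:-1]
        headers = {}
        for line in re.split(rb"\r?\n", raw_headers):
            if b":" in line:
                k, v = line.split(b":", 1)
                headers[k.strip().lower().decode("ascii")] = v.strip().decode("latin-1")
        disp = headers.get("content-disposition", "")
        name = re.search(r'(?<!file)name="([^"]*)"', disp)
        filename = re.search(r'filename="([^"]*)"', disp)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": filename.group(1) if filename else None,
            "content_type": headers.get("content-type"),
            "data": content,
        })
    return parts


def extract_uploads(body: bytes, content_type: str) -> list:
    """Only parts that carry a filename are files worth scanning."""
    boundary = boundary_from_content_type(content_type)
    return [p for p in parse_multipart(body, boundary) if p["filename"]]


def build_instream_payload(data: bytes, chunk_size: int = 65536) -> bytes:
    """clamd INSTREAM framing: 'zINSTREAM\\0', length-prefixed chunks, then a zero length."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)
    return bytes(out)


def scan_with_clamd(data: bytes, host: str = "127.0.0.1", port: int = 3310) -> str:
    """Send the bare file to a running clamd (assumed host/port) and return its verdict line."""
    with socket.create_connection((host, port), timeout=60) as s:
        s.sendall(build_instream_payload(data))
        reply = b""
        while not reply.endswith(b"\0"):
            piece = s.recv(4096)
            if not piece:
                break
            reply += piece
    return reply.rstrip(b"\0").decode("utf-8", "replace")


if __name__ == "__main__":
    body = build_sample_body()
    ctype = "multipart/form-data; boundary=" + BOUNDARY.decode("ascii")
    for up in extract_uploads(body, ctype):
        print(up["filename"], up["content_type"], len(up["data"]), "bytes,",
              "md5", hashlib.md5(up["data"]).hexdigest())
        # With a local clamd listening on TCP 3310, scan the extracted file:
        # print(scan_with_clamd(up["data"]))
```

The md5 printed for an extracted part is the quick check that the extraction is exact: it should equal the md5sum of the file the client sent (in the thread, a3e8a7602797c69f6320225e8137d063 for exploit.pdf), and if it does not, the scanner is still being shown something other than the file, whatever verdict it returns.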