Does anyone that's chimed in work on the signatures team?

-J
On Thu, Mar 17, 2016 at 10:31 AM, Al Varnell <alvarn...@mac.com> wrote:
> There have not been any additional updates released yet, so nothing could have changed.
>
> -Al-
>
> On Thu, Mar 17, 2016 at 10:25 AM, Jason Williams wrote:
> >
> > Is anyone still seeing this or have they fixed it?
> >
> > -J
> >
> > Sent via iPhone
> >
> >> On Mar 17, 2016, at 02:44, Mark Allan <markjal...@gmail.com> wrote:
> >>
> >> Just to confirm, I'm also seeing everything being flagged as Win.Trojan.Trojan-476 with the new main/daily.cvd files.
> >>
> >> Mark
> >>
> >>> On 17 Mar 2016, at 6:49 am, Al Varnell <alvarn...@mac.com> wrote:
> >>>
> >>> I just ran a scan against the ClamAV test files contained in the 0.99.1 source file and I'm getting all Win.Trojan.Trojan-476:
> >>>
> >>> File Name                                                                Infection Name         Status
> >>>
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/unit_tests/clam-phish-exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.cab  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.zip  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.arj  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.rtf  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.szdd  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tar.gz  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.chm  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.sis  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-aspack.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-pespin.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upx.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-fsg.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-mew.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-nsis.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-petite.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upack.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-wwpack.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.pdf  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.mail  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ppt  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tnef  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea05.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea06.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.d64.zip  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.base64  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.uu  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.binhex  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ole.doc  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.impl.zip  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.html  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-be.cpio  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-le.cpio  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.newc.cpio  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.odc.cpio  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-yc.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_int.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_ext.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_int.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_ext.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.7z  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_cache_emax.tgz  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.iso  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clamjol.iso  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-v2.rar  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-v3.rar  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.bz2  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bz2.zip  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam_IScab_int.exeaa  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam.isoaa  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam_IScab_ext.exeaa  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clamjol.isoaa  Win.Trojan.Trojan-476
> >>>
> >>> -Al-
> >>>
> >>>> On Wed, Mar 16, 2016 at 10:46 PM, Jason Williams wrote:
> >>>>
> >>>> Hey Al,
> >>>>
> >>>> I submitted an FP report with one attached. Just put the EICAR string into a txt file and that'll trigger it.
> >>>>
> >>>> -J
> >>>>
> >>>> Sent via iPhone
> >>>>
> >>>>> On Mar 16, 2016, at 22:16, Al Varnell <alvarn...@mac.com> wrote:
> >>>>>
> >>>>> I don't know why sanesecurity-porcupine.ndb is causing this, but I can now see that the signatures for Win.Test.EICAR_LDB-1 and Win.Trojan.Trojan-605 are identical, so this is an FP situation which would be reported.
> >>>>> <http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Test.EICAR_LDB-1&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&display=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>
> >>>>>
> >>>>> However, I'm not sure where to find a copy of a Win.Test.EICAR_LDB-1 file to submit.
> >>>>>
> >>>>> -Al-
> >>>>>
> >>>>>
> >>>>>> On Wed, Mar 16, 2016 at 09:44 PM, Jason J. W. Williams wrote:
> >>>>>>
> >>>>>> Culprit seems to be sanesecurity-porcupine.ndb (http://sanesecurity.com/usage/signatures/). Moving it out causes Win.Test.EICAR_NDB-1 FOUND to be found, moving it back in triggers the Win.Trojan.Trojan-605 FP. Since the Win.Trojan.Trojan sig isn't in the DB I'm not sure why that is.
> >>>>>>
> >>>>>> -J
> >>>>>>
> >>>>>>> On Wed, Mar 16, 2016 at 9:38 PM, Al Varnell <alvarn...@mac.com> wrote:
> >>>>>>>
> >>>>>>> Disregard, I found it here after they got the new main.cvd:
> >>>>>>> <http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Trojan.Trojan-605&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&display=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>
> >>>>>>>
> >>>>>>> I'll see what I get once my main.cvd finishes.
> >>>>>>>
> >>>>>>> -Al-
> >>>>>>>
> >>>>>>>> On Wed, Mar 16, 2016 at 09:32 PM, Al Varnell wrote:
> >>>>>>>>
> >>>>>>>> I'm still looking, but so far I can't find any Win.Trojan.Trojan signatures in the ClamAV Official database or listed in the clamav-virusdb e-mail list.
> >>>>>>>>
> >>>>>>>> Nor can I confirm your results using my own EICAR.
> >>>>>>>>
> >>>>>>>> Are you using any Unofficial signatures from a different source?
> >>>>>>>>
> >>>>>>>> -Al-
> >>>>>>>>
> >>>>>>>>> On Wed, Mar 16, 2016 at 09:06 PM, Jason J. W. Williams wrote:
> >>>>>>>>>
> >>>>>>>>> Pulled down 21466 (and force restarted clamd) but it's still classifying EICAR as Win.Trojan.Trojan:
> >>>>>>>>>
> >>>>>>>>> https://gist.github.com/williamsjj/b8104402e80f44475df5
> >>>>>>>>>
> >>>>>>>>> Databases are up to date now:
> >>>>>>>>> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
> >>>>>>>>> Empty script daily-21465.cdiff, need to download entire database
> >>>>>>>>> Downloading daily.cvd [100%]
> >>>>>>>>> daily.cvd updated (version: 21466, sigs: 83889, f-level: 63, builder: amishhammer)
> >>>>>>>>> Empty script bytecode-275.cdiff, need to download entire database
> >>>>>>>>> Downloading bytecode.cvd [100%]
> >>>>>>>>> bytecode.cvd updated (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
> >>>>>>>>> Database updated (4302724 signatures) from db.local.clamav.net (IP: 193.1.193.64)
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>> On Wed, Mar 16, 2016 at 9:00 PM, Al Varnell <alvarn...@mac.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>> Those are normal messages for an update of this kind. The 21465.cdiff was purposely blank in order to force you to download the entire daily.cvd. Give it plenty of time as the main.cvd is 109MB.
> >>>>>>>>>>
> >>>>>>>>>> Technical details: <http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html>
> >>>>>>>>>>
> >>>>>>>>>> -Al-
> >>>>>>>>>>
> >>>>>>>>>>> On Wed, Mar 16, 2016 at 08:56 PM, Jason J. W. Williams wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks. Hopefully it'll sync up soon. I'm getting weird download errors out of freshclam:
> >>>>>>>>>>>
> >>>>>>>>>>> WARNING: getfile: Error while reading database from db.local.clamav.net (IP: 200.236.31.1): Operation now in progress
> >>>>>>>>>>> WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
> >>>>>>>>>>> nonblock_recv: recv timing out (30 secs)
> >>>>>>>>>>> WARNING: getfile: Error while reading database from db.local.clamav.net (IP: 194.186.47.19): Operation now in progress
> >>>>>>>>>>> WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
> >>>>>>>>>>> Empty script daily-21465.cdiff, need to download entire database
> >>>>>>>>>>>
> >>>>>>>>>>> On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarn...@mac.com> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> The new database was just made available, so I recommend you hold off until you have the new main.cvd v57 and daily.cvd v21466 before getting too excited about this.
> >>>>>>>>>>>>
> >>>>>>>>>>>> -Al-
> >>>>>>>>>>>>
> >>>>>>>>>>>>> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> As of the latest daily update, running ClamAV against the EICAR test string reports Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> -J
> >>>>>
> >>>>> -Al-
> >>>>> --
> >>>>> Al Varnell
> >>>>> Mountain View, CA
> >>>
> >>> -Al-
> >>> --
> >>> Al Varnell
> >>> Mountain View, CA
>
> -Al-
> --
> Al Varnell
> Mountain View, CA

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
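Added example (not from the thread, ClamAV or Sanesecurity): a Python triage helper that parses clamscan output, flags test files reported under an unexpected name, spots a single signature name swallowing a whole test corpus the way Win.Trojan.Trojan-476 did above, and automates Jason's remove-one-database check for which database introduces a false positive. The sample output, the ClamAV-Test-File expectation and the simulated scanner are constructed assumptions; only Eicar-Test-Signature and the Win.Trojan.Trojan names come from the thread.

```python
import re
from collections import Counter
# clamscan prints one line per file: "<path>: <signature> FOUND" or "<path>: OK"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Constructed sample output modelled on the thread (not a real scan): five test files collapse
# onto one signature name and the EICAR file is reported under the wrong one.
SAMPLE_OUTPUT = """\
test/clam.exe: Win.Trojan.Trojan-476 FOUND
test/clam.zip: Win.Trojan.Trojan-476 FOUND
test/clam.pdf: Win.Trojan.Trojan-476 FOUND
test/clam.7z: Win.Trojan.Trojan-476 FOUND
test/clam.iso: Win.Trojan.Trojan-476 FOUND
test/eicar.txt: Win.Trojan.Trojan-605 FOUND
test/README: OK
"""

# Hypothetical expected names for a regression corpus; only Eicar-Test-Signature is named in the thread.
EXPECTED = {"test/eicar.txt": "Eicar-Test-Signature", "test/clam.exe": "ClamAV-Test-File"}


def parse_clamscan(output):
    """Map each flagged path to the signature name clamscan reported (OK lines are skipped)."""
    matches = (FOUND_RE.match(line.strip()) for line in output.splitlines())
    return {m.group("path"): m.group("sig") for m in matches if m}

def unexpected_hits(hits, expected):
    """{path: (expected, actual)} for known test files reported under a different name."""
    return {p: (expected[p], s) for p, s in hits.items() if p in expected and expected[p] != s}

def dominant_signature(hits, min_files=5, share=0.8):
    """One name covering most of a diverse corpus (as Win.Trojan.Trojan-476 did in the thread)
    points to an overbroad signature rather than real infections; return it, else None."""
    if len(hits) < min_files:
        return None
    sig, n = Counter(hits.values()).most_common(1)[0]
    return sig if n / len(hits) >= share else None

def find_culprit_db(scan, dbs, bad_sig):
    """Automate the 'move it out, move it back in' check: scan with every database but one and
    return the one whose removal makes bad_sig disappear; scan(dbs) returns the reported name or None."""
    if scan(dbs) != bad_sig:
        return None  # the FP does not reproduce with the full set, so there is nothing to bisect
    for db in dbs:
        if scan([d for d in dbs if d != db]) != bad_sig:
            return db
    return None

def simulated_scan(dbs):
    """Stand-in for running clamscan, constructed to mirror the thread's observation."""
    return "Win.Trojan.Trojan-605" if "sanesecurity-porcupine.ndb" in dbs else "Win.Test.EICAR_NDB-1"
```

With a real installation, `scan` would wrap a `clamscan` invocation that loads only the given database files and returns the name from its `FOUND` line.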