Hello,
On 22.03.2017 at 15:12, Kees Theunissen wrote:
On Wed, 22 Mar 2017, Hajo Locke wrote:
Thank you, Steve. I could find the lines and removed them. How could you decode
this signature?
~$ sigtool --find-sigs Html.Phishing.Auction-214 | sigtool --decode-sigs
VIRUS NAME: Html.Phishing.Auction-214
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
sein, weil sie [... snipped ...] aktualisiert wurde
Thanks, this is working.
Especially interesting is that the virus was found in the complete SQL file but not in
the split subfiles. Maybe target type is ignored at filesize x?
The complete SQL file is 4.6 MB.
I guess that the string that was looked for spanned a subfile boundary
and was split over two subfiles.
The text is found in one line of the SQL file; it is an insert instruction
in an SQL dump.
Even when extracting this single line into a separate SQL file, the virus
is not found. When creating a small HTML file with this content,
clamscan successfully finds the infection.
This is explainable by Target Type: HTML of the source file.
If the virus is found in a larger SQL file, only the size is the difference.
So it was my assumption that target type is ignored for larger files.
I don't find any other explanation.
Regards,
Kees.
Thanks,
Hajo
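
As an added example (not part of the original thread and not ClamAV's own code), the Python sketch below decodes a constructed line in ClamAV's extended `.ndb` format (`Name:TargetType:Offset:HexSignature`), roughly what `sigtool --decode-sigs` does in the output quoted above. The signature name, the sample line and the output labels are constructed for illustration; only plain hex bytes, `??`, `*` and `{n-m}` gaps are handled, and anything else is rejected.

```python
import re

# Target type numbers of the ClamAV extended (.ndb) signature format.
TARGET_TYPES = {0: "ANY FILE", 1: "PE", 2: "OLE2", 3: "HTML", 4: "MAIL",
                5: "GRAPHICS", 6: "ELF", 7: "NORMALIZED ASCII TEXT"}

# One body token: a hex byte, a one-byte wildcard, "*", or a {n}/{n-m} gap.
TOKEN = re.compile(r"([0-9a-fA-F]{2})|(\?\?)|(\*)|(\{\d*-?\d*\})")

def decode_body(hexsig):
    """Turn the hex body into readable text; labels are this example's own."""
    out, pos = [], 0
    while pos < len(hexsig):
        m = TOKEN.match(hexsig, pos)
        if m is None:  # alternation, nibble wildcards, anchors: not handled here
            raise ValueError(f"unsupported token at {pos}: {hexsig[pos:pos + 8]!r}")
        byte, any_byte, star, gap = m.groups()
        if byte:
            b = int(byte, 16)
            out.append(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}")
        elif any_byte:
            out.append("{ANY_BYTE}")
        elif star:
            out.append("{ANY_STRING}")
        else:
            out.append("{GAP " + gap[1:-1] + "}")
        pos = m.end()
    return "".join(out)

def decode_ndb(line):
    """Split one .ndb line into its fields and decode the signature body."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("expected Name:TargetType:Offset:HexSignature")
    name, target, offset, body = fields[:4]
    return {"name": name,
            "target": TARGET_TYPES.get(int(target), f"UNKNOWN ({target})"),
            "offset": offset,
            "decoded": decode_body(body)}

# Constructed sample signature (not a real ClamAV signature).
SAMPLE = ("Example.Html.Constructed-1:3:*:"
          + b"your account".hex() + "{1-3}" + b"was".hex()
          + "*" + b"updated".hex())

if __name__ == "__main__":
    for key, value in decode_ndb(SAMPLE).items():
        print(f"{key.upper()}: {value}")
```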