On Fri, May 05, 2017 at 10:14 AM, Mark Foley wrote:
> I have a question about the timeliness of signature updates. I am running a
> clamav-milter to check email when received by the MDA -- this rarely finds
> anything. I also have clamscan running multiple times a day checking all the
> Maildir folders.
>
> Yesterday, the Maildir folder scan found Js.Downloader.Nemucod. But, this
> message was received on April 26th -- 8 days before the malware was detected
> by clamscan. Doing a quick google search, I find that the JS.Nemucod trojan has
> been around since at least December 2015.

In various forms, but obviously with a variety of signatures.

> So, was the clamav signature for this malware just added to the list on May
> 4th?

Without the complete signature name, I can't give you a definitive answer, but signatures that start with Js.Downloader.Nemucod. were added on the following dates:

Mar 29  Fourteen Js.Downloader.Nemucod-61720xx-x added
Apr 3   Js.Downloader.Nemucod-6198135-0
Apr 5   Js.Downloader.Nemucod-6210215-0
Apr 7   Js.Downloader.Nemucod-6210215-1
        dropped: Js.Downloader.Nemucod-6210215-0
Apr 26  Js.Downloader.Nemucod-6297599-0
May 3   Js.Downloader.Nemucod-6305809-0

> If so, why does it take so long to include a malware that's been around for
> years? If it was added earlier, why did clamscan not find it for 8 days?
> Mutation?

Probably because nobody had submitted a sample of it to ClamAV for several days.

-Al-
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml