Yes. We strip attachments. However, are there samples that are not being caught by the ClamAV ruleset?

--
Joel Esler | Talos: Manager | jes...@cisco.com

On May 17, 2017, at 6:30 PM, Al Varnell <alvarn...@mac.com> wrote:

I'm pretty certain that attachments are removed to prevent malware samples from being distributed here. Need a link to a server of some sort, such as PasteBin.

Sent from Janet's iPad

-Al-
--
Al Varnell
Mountain View, CA

On May 17, 2017, at 2:45 PM, Mark Foley wrote:

Perhaps I'm missing it, but I didn't see any attachment.

--Mark

On 5/17/2017 1:46 PM, João Gouveia wrote:

Those rules are known for FP'ing a lot. Here's a different set you might want to check, courtesy of ReversingLabs (attached).

On Wed, May 17, 2017 at 6:10 AM, Mark Foley wrote:

I added the YARA script published by Homeland Security to the clamav database directory. I believe I am getting a substantial number of false positives on this, including messages containing PDF and JPG attachments, the latter known to be OK.

$ clamscan "/home/HPRS/mpress/Maildir/.Sent Items/cur/1486141726.M192155P10931.mail,S=188385,W=191025:2,S"
/home/HPRS/mpress/Maildir/.Sent Items/cur/1486141726.M192155P10931.mail,S=188385,W=191025:2,S: YARA.Wanna_Cry_Ransomware_Generic.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6284977
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.95 MB
Data read: 0.18 MB (ratio 5.42:1)
Time: 7.567 sec (0 m 7 s)

Is anyone else using this rule seeing this?

--Mark

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
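As an added example (not from anyone in this thread, nor from the ClamAV project), a small Python helper for triaging clamscan output like the run above before deciding whether a dropped-in rule set is worth keeping: it groups FOUND lines by signature name and separates ClamAV's .UNOFFICIAL signatures (the suffix ClamAV appends to signatures loaded from non-official databases such as a third-party YARA file) from official ones, so a single unofficial rule firing across a mailbox stands out as a likely false positive. The sample scan output is constructed to match the thread's format.

```python
import re
from collections import Counter

# "path: SIGNATURE FOUND" lines; the path may contain spaces, so anchor on the trailing " FOUND".
FOUND_RE = re.compile(r"^(?P<path>.*): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")

def parse_clamscan(output):
    """Return (hits, summary): hits maps signature -> list of paths, summary maps key -> value."""
    hits = {}
    summary = {}
    in_summary = False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("----------- SCAN SUMMARY"):
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group("key")] = m.group("value")
            continue
        m = FOUND_RE.match(line)
        if m:
            hits.setdefault(m.group("sig"), []).append(m.group("path"))
    return hits, summary

def triage(hits):
    """Per-signature hit counts, split into official vs .UNOFFICIAL (third-party database) signatures."""
    official = Counter()
    unofficial = Counter()
    for sig, paths in hits.items():
        (unofficial if sig.endswith(".UNOFFICIAL") else official)[sig] = len(paths)
    return official, unofficial

# Constructed sample output in the same format as the thread's clamscan run (paths are made up).
SAMPLE = """\
/home/HPRS/mpress/Maildir/.Sent Items/cur/1486141726.M192155P10931.mail,S=188385,W=191025:2,S: YARA.Wanna_Cry_Ransomware_Generic.UNOFFICIAL FOUND
/home/HPRS/mpress/Maildir/cur/2.mail,S=1000:2,S: OK
/home/HPRS/mpress/Maildir/cur/3.mail,S=2000:2,S: YARA.Wanna_Cry_Ransomware_Generic.UNOFFICIAL FOUND
/home/HPRS/mpress/Maildir/cur/4.mail,S=3000:2,S: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Scanned files: 4
Infected files: 3
"""

if __name__ == "__main__":
    official, unofficial = triage(parse_clamscan(SAMPLE)[0])
    print("review for false positives:", dict(unofficial), "official:", dict(official))
```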