Here's the VirusTotal page on this file <https://www.virustotal.com/#/file/e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09/detection> and it does show that ClamAV detects it as Win.Trojan.Agent-6641267-0, which was just added yesterday by daily - 24829 and is an MD5 hash:

[daily.hsb] 704d491c155aad996f16377a35732cb4:126976:Win.Trojan.Agent-6641267-0:73
so yes, ClamAV should catch it already.

-Al-

On Sat, Aug 11, 2018 at 04:04 AM, Alessandro Vesely wrote:
> Well, in this case ClamAV supports YARA enough to get:
>
> ~/tmp$ clamscan -d keymarble.yara keymarble-dummy
> keymarble-dummy: YARA.rsa_modulus.UNOFFICIAL FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 1
> Engine version: 0.100.0
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 0.006 sec (0 m 0 s)
>
> The question is whether one should copy keymarble.yara to /var/lib/clamav/,
> on a production server where ClamAV is used to scan email. It is useless if
> ClamAV catches keymarble already. It is also useless/harmful if $n is a
> bogus string.
>
> More basic question: Is ClamAV staff monitoring US-CERT's alerts, and
> updating ClamAV database on good rules?
>
> I'd also appreciate generic opinions about US-CERT. I'm not a careful
> analyst, so maybe I'm wrong, but it seems to me they are getting weaker and
> weaker, since about 2013, when they changed alert message format (introducing
> html and dropping pgp). For example, last year's TA17-293A[*] would have
> blocked any file containing the string "icon.png"...
>
> Best
> Ale
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
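Added example (not from the thread or from the ClamAV project): a small Python checker for the daily.hsb record layout quoted in Al's message, hash:filesize:signature_name:min_flevel, with the hash type inferred from digest length and `*` accepted as a size wildcard. It lets an admin confirm locally whether a file already matches an official hash record before deciding to drop extra YARA rules into /var/lib/clamav/. The sample bytes and the Test.Constructed-1 name are constructed for the demonstration.

```python
import hashlib

# The daily.hsb record quoted in the message above, used here only as parser input.
# ClamAV hash signatures are  hash:filesize:signature_name:min_flevel ; the hash type
# is inferred from the digest length (32 hex chars = MD5, 40 = SHA1, 64 = SHA256).
QUOTED_HSB_LINE = "704d491c155aad996f16377a35732cb4:126976:Win.Trojan.Agent-6641267-0:73"

HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def parse_hsb_line(line):
    """Parse one .hsb/.hdb record into a dict; raise ValueError on malformed input."""
    fields = line.strip().split(":")
    if len(fields) < 3:
        raise ValueError(f"expected hash:size:name[:flevel], got {line!r}")
    digest, size, name = fields[0].lower(), fields[1], fields[2]
    if len(digest) not in HASH_BY_LENGTH or not set(digest) <= HEX_DIGITS:
        raise ValueError(f"unrecognised digest {digest!r}")
    return {
        "algo": HASH_BY_LENGTH[len(digest)],
        "digest": digest,
        "size": None if size == "*" else int(size),  # '*' matches any file size
        "name": name,
        "flevel": int(fields[3]) if len(fields) > 3 and fields[3] else None,
    }


def make_hsb_line(data, name, algo="md5", flevel=73):
    """Build a record for known-bad bytes, e.g. to test a local signature before deploying it."""
    return f"{hashlib.new(algo, data).hexdigest()}:{len(data)}:{name}:{flevel}"


def match_bytes(data, sigs):
    """Return the name of the first record whose size and digest match the data, else None."""
    digests = {}  # hash each algorithm at most once per file
    for sig in sigs:
        if sig["size"] is not None and sig["size"] != len(data):
            continue  # cheap size check first, exactly what makes hash sigs fast
        algo = sig["algo"]
        if algo not in digests:
            digests[algo] = hashlib.new(algo, data).hexdigest()
        if digests[algo] == sig["digest"]:
            return sig["name"]
    return None


if __name__ == "__main__":
    sample = b"constructed sample bytes, not real malware"  # constructed input
    sigs = [parse_hsb_line(make_hsb_line(sample, "Test.Constructed-1")),
            parse_hsb_line(QUOTED_HSB_LINE)]
    print(match_bytes(sample, sigs))
```

To check a real file, read it in binary mode and pass the bytes to match_bytes together with the parsed records from daily.hsb; a None result means no official hash record covers it, which is the case where a supplementary rule might still be worth considering.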