On Monday 04 Apr 2016 17:49:13 Konstantin wrote:
> Hello,
> 
> I've tried to find an answer from clamav-users but still no reply in
> that mail list.
> 
> I'm forwarding my message to this list and hope someone can help me
> find what the problem is.
> 
> ---------- Forwarded message ----------
> From: Konstantin
> Date: Thu, Mar 24, 2016 at 11:29 PM
> Subject: Unexpected behaviour
> To: clamav-us...@lists.clamav.net
> 
> 
> Hello
> 
> I have 2 Gentoo based SMTP servers. Both hosts have the same packages
> installed with the same USE flags.
> I'm using clamav-0.98.7 with amavisd. Output from clamconf attached to
> this message. Clamav settings and signature files are equal.

When you say equal, do you mean same versions and exactly same signatures?


> I have a custom signature
> e350ca9b3b6ddbdabd3845a66f755f22122b8eb5ed79b9d19bd87e34e4aa5008:340992:Trojan.DNC4 for this doc file
> https://malwr.com/analysis/ZTdiYjRiMDZlNzEyNDUwZmI3OTdiYjg4NTYxMDMyNmM/
> 
> Both hosts found malware in this file with the clamscan command. No
> problem in this case.
> 
> Here is the problem i have.
> When a message is scanned with clamd, only host1 detects the trojan with
> the custom signature.
> host1:
> echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat -
> "UNIX-CONNECT:/var/run/clamav/clamd.sock"
> /tmp/feb_invoice_1426277.doc: Trojan_Generic.DNC4.UNOFFICIAL FOUND
> 
> host2 detects it as Heuristics.OLE2.ContainsMacros:
> echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat -
> "UNIX-CONNECT:/var/run/clamav/clamd.sock"
> /tmp/feb_invoice_1426277.doc: Heuristics.OLE2.ContainsMacros FOUND
> 
> Another interesting thing is that host1 detects that trojan not by the
> signature with size 340992 (the original doc file).
> I suppose that a PE32 file inside that .doc file was detected with this
> signature:
> c3DNC406e57af90685a7002f7ea63340a1e7d3a1ed3805e7ec8b0909865b57bd6c:126976:Trojan_Generic.DNC4
> 
> Can you guys please explain how this happened and what can be a
> difference between these 2 hosts?

I am guessing that one of the hosts had its signatures updated with a more 
recent version than the other.

If they are identical then I'm out of ideas.

> I expect that if a signature is found then Heuristics results do not appear.
> 
> Thank you.
> --
> This message was delivered using 100% recycled electrons.

-- 
Regards,
Mick
