Re: [clamav-users] Filename Regex
> On Feb 19, 2016, at 1:30 AM, Noel Jones wrote:
> You may have more luck with the POSIX character class [[:space:]]
> rather than shorthand \s.

Character classes generate "ERROR: Malformed database" errors.

> On Feb 19, 2016, at 1:29 AM, Steven Morgan wrote:
> So, I can't say for sure what is the POSIX support without additional
> research. Best bet is to follow Steve Basford's sanesecurity example to get
> you going.

I don't see any .cdb in the official ClamAV virus database.

> On Feb 18, 2016, at 11:07 PM, Steve Basford wrote:
> If you look at foxhole databases it should give you an idea, if you want to
> block macro malware try badmacro.ndb

Yes, those examples gave me the information I needed to proceed. Thank you all.

--
Mehmet Avcioglu
meh...@activecom.net

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
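As an added example that is not code from this thread or from the ClamAV project, here is a small Python linter for .cdb container-signature lines that flags the \s shorthand discussed above and dry-runs a filename regex against constructed archive member names. The .cdb field layout, and the guess that the loader splits each line on ':' with no escaping (which would explain why a bracket class such as [[:space:]] breaks a line), are assumptions not verified against the ClamAV source.

```python
# Lint ClamAV .cdb container signatures and dry-run their FileNameREGEX. Field layout
# assumed from ClamAV's signature docs (colon-separated): VirusName:ContainerType:
# ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2[:MinFL[:MaxFL]]
import re

PERL_SHORTHAND = re.compile(r"\\[sSdDwW]")  # PCRE shorthand, not POSIX ERE
POSIX_CLASS = re.compile(r"\[:(\w+):\]")     # [:space:] and friends
POSIX_TO_PY = {"space": r"\s", "digit": r"\d", "alpha": "a-zA-Z",
               "alnum": "a-zA-Z0-9", "upper": "A-Z", "lower": "a-z"}

def size_ok(field):
    """Size fields are '*', an exact byte count, or a 'min-max' range."""
    return field == "*" or re.fullmatch(r"\d+(-\d+)?", field) is not None

def lint_cdb_line(line):
    """Return the problems found in one .cdb signature line (empty list = clean)."""
    if POSIX_CLASS.search(line):
        # Assumption: the loader splits on ':' with no escaping, so the colons in
        # [[:space:]] shift every later field. A plain bracket such as [ \t] has none.
        return ["regex contains ':' (POSIX class), which is also the field separator"]
    fields = line.rstrip("\n").split(":")
    if not 10 <= len(fields) <= 12:
        return [f"expected 10-12 fields, got {len(fields)}"]
    problems = []
    for idx in (2, 4, 5):
        if not size_ok(fields[idx]):
            problems.append(f"field {idx + 1} is not '*', a size or a range: {fields[idx]!r}")
    if fields[6] not in {"0", "1", "*"}:
        problems.append(f"IsEncrypted must be 0, 1 or *, got {fields[6]!r}")
    if PERL_SHORTHAND.search(fields[3]):
        problems.append("regex uses PCRE shorthand (\\s, \\d, \\w), which is not POSIX ERE")
    return problems

def matching_members(regex, member_names):
    """Dry-run a FileNameREGEX against archive member names with Python's re,
    translating POSIX bracket classes first so the ERE can be tested locally."""
    pat = re.compile(POSIX_CLASS.sub(lambda m: POSIX_TO_PY[m.group(1)], regex))
    return [name for name in member_names if pat.search(name)]

# Constructed sample signatures and archive member names (not real database content).
SIG_PCRE = r"Example.Zip_spaced_exe:CL_TYPE_ZIP:*:\s+\.exe$:*:*:*:*:*:*"
SIG_POSIX = r"Example.Zip_spaced_exe:CL_TYPE_ZIP:*:[[:space:]]+\.exe$:*:*:*:*:*:*"
SIG_PLAIN = r"Example.Zip_spaced_exe:CL_TYPE_ZIP:*:[ \t]+\.exe$:*:*:*:*:*:*"
MEMBERS = ["invoice.pdf .exe", "report.exe", "photo .jpg", "notes\t.exe"]

if __name__ == "__main__":
    for sig in (SIG_PCRE, SIG_POSIX, SIG_PLAIN):
        print(sig.split(":")[3], "->", lint_cdb_line(sig) or "OK")
    print(matching_members(SIG_PLAIN.split(":")[3], MEMBERS))
```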
[clamav-users] A number of threats discovered by ClamAV on Windows apps, from Ubuntu Linux
Hi there.

I run AVG and MalwareBytes on my Windows machine, MalwareBytes manually but fairly regularly.

Running ClamTK, I found around 60 different threats; attached are the names of those threats.

freshclam says:

ClamAV update process started at Sun Feb 7 10:37:20 2016
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.98.7 Recommended version: 0.99
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cvd is up to date (version: 21344, sigs: 1827647, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 271, sigs: 47, f-level: 63, builder: anvilleg)

Are these all false-positives or did I have a problem?

Regards,

Morten

--
Videos at https://www.youtube.com/user/TheBlogologue
Twittering at http://twitter.com/blogologue
Blogging at http://blogologue.com
Playing music at https://soundcloud.com/morten-w-petersen
Also playing music and podcasting here: http://www.mixcloud.com/morten-w-petersen/
On Google+ here https://plus.google.com/107781930037068750156
On Instagram at https://instagram.com/morphexx/
Re: [clamav-users] Submission Status
Not sure if I'm allowed to upload stuff here, but to follow up on this, I've attached a zip containing the original decoded infection PHP code, the infection in its natural state (doubly base64 encoded), definitions that match it, and other info like a simple script that can clean the infection without damaging PHP files it's been injected into (with sed + regex).

On Sat, Feb 6, 2016 at 7:19 PM, Jesse Nicholson wrote:
> @ant indeed, this is what I'm doing. Original server is gone, new server
> was built from the ground up but the xferred required user files (web root)
> is quarantined while I go through it and clean up. There's a really nasty
> php injection that appears to intercept, proxy requests to various IPs that
> come from control server(s), attempts to download new viruses and such to
> your configured temp upload directory and then inject them into responses
> and such. I've made a definition that works very well, and have uncovered
> nearly 300 infected files using that sig. Other root shells were also
> present, but existing definitions cleaned them up.
>
> Was curious because I'd like to submit the definition in case it helps, so
> far I've only submitted one sample of the infection as found in the wild
> and a second file (both zipped) of the decoded main function group.
>
> @Al Yep I subscribed to the db list. MD5 is 92 3b 61 7b a7 9a da 3b 04 e7
> ba d7 a4 d7 04 74
>
> The infection has many things in common with the one posted here:
> http://stackoverflow.com/q/22647441
>
> On Sat, Feb 6, 2016 at 7:05 PM, Crap wrote:
>
>> > I'm cleaning a server
>> > that got badly infected,
>>
>> I know this doesn't answer the OP, but destroy the server and treat all
>> data as compromised.
>> Rebuild for a fresh trusted base and attempt to clean the data away from
>> the original server.
>>
>> -- ant
>>
>> > On 6 Feb 2016, at 23:41, Jesse Nicholson wrote:
>> >
>> > Where/how can I check on the status of a submission? I'm cleaning a server
>> > that got badly infected, and while doing so discovered what I believe to be
>> > a PHP exploit that maldet and clamav don't have definitions for. Virustotal
>> > also has 0 hits on it. However, I'm sure it's malicious because the main
>> > function block is double base64 encoded, everything else that interacts
>> > with it is salted and random. Decoding the main function block, there
>> > appear to be functions to compress local files and xfer them to unknown
>> > locations.
>> >
>> > Anyway I've successfully created a definition for it, have nearly 300 hits
>> > and am curious about following up after I've submitted one sample via the
>> > website. Never done anything like this before, so looking for
>> > guidance/advice.
>> >
>> > --
>> > Jesse Nicholson

--
Jesse Nicholson
Re: [clamav-users] A number of threats discovered by ClamAV on Windows apps, from Ubuntu Linux
Your attachment didn't make it through. Please send in your FPs here: http://www.clamav.net/reports/fp , or paste the contents of your attachment in your email message body.

Thanks,

- Alain

On Sun, Feb 7, 2016 at 4:39 AM, Morten W. Petersen wrote:
> Hi there.
>
> I run AVG and MalwareBytes on my Windows machine, MalwareBytes manually but
> fairly regularly.
>
> Running ClamTK, I found around 60 different threats, attached are the names
> of those threats.
>
> freshclam says:
>
> ClamAV update process started at Sun Feb 7 10:37:20 2016
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.98.7 Recommended version: 0.99
> DON'T PANIC! Read http://www.clamav.net/support/faq
> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
> daily.cvd is up to date (version: 21344, sigs: 1827647, f-level: 63, builder: neo)
> bytecode.cld is up to date (version: 271, sigs: 47, f-level: 63, builder: anvilleg)
>
> Are these all false-positives or did I have a problem?
>
> Regards,
>
> Morten
[clamav-users] Another submission of the JavaScript virus
Hi,

I haven't heard anything back yet from my submission and as I'm new to ClamAV I don't fully understand the procedure yet. I have just submitted another file with the JavaScript virus my website is struggling with.

17:38 Pacific time
58d94feebb1e71d8404956c6b0a3207e8e6cb0a425f2a5cc6942eb4bb25292cb JSMalware.js