Re: [clamav-users] Error while compiling ClamAV

2016-10-19 Thread crazy thinker
Can you please specify which Linux derivative you are using?

On 19 October 2016 at 10:07, ANANT S ATHAVALE  wrote:

> Hi,
>
> I tried compiling Clamav 0.99.2 with OpenSSL 1.1.0 and was getting error
> OpenSSL installation is misconfigured or missing.
>
> After googling found that, patch is available for the same.  Hence,
> downloaded the source from github clamav-devel-master.zip.
>
> Tried compiling with following configure option.
>
> ./configure --disable-clamav --prefix=/usr/local/clamav --disable-shared
> --with-pcre=/opt/freeware --with-xml=/opt/freeware
> --with-openssl=/opt/freeware
>
> with this, there were no errors for configure.
>
> But, when I ran make, getting the following error on AIX 6.1
>
> make
> make  all-recursive
> Making all in libltdl
> make  all-am
> Target "all-am" is up to date.
> Making all in libclamav
> make  all-recursive
> Making all in libmspack-0.5alpha
> make  all-am
> Target "all-am" is up to date.
>   GEN  version.h
> Target "all-am" is up to date.
> Making all in clamscan
>   CCLD clamscan
> ld: 0711-317 ERROR: Undefined symbol: .mspack_sys_selftest_internal
> ld: 0711-317 ERROR: Undefined symbol: .mspack_create_cab_decompressor
> ld: 0711-317 ERROR: Undefined symbol: .mspack_destroy_cab_decompressor
> ld: 0711-317 ERROR: Undefined symbol: .mspack_create_chm_decompressor
> ld: 0711-317 ERROR: Undefined symbol: .mspack_destroy_chm_decompressor
> ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more
> information.
> collect2: error: ld returned 8 exit status
> make: 1254-004 The error code from the last command is 1.
>
> Stop.
> make: 1254-004 The error code from the last command is 1.
>
> Stop.
> make: 1254-004 The error code from the last command is 2.
>
> Stop.
>
> Please suggest how to progress further.
>   सादर धन्यवाद/ Thanks &
> Regards
>   अनंत / Anant
>
> 
> --
> Confidentiality Notice: This e-mail message, including any attachments, is
> for
> the sole use of the intended recipient(s) and may contain confidential and
> privileged information. Any unauthorized review, use, disclosure or
> distribution is prohibited. If you are not the intended recipient, please
> contact the sender by reply e-mail and destroy all copies of the original
> message.
> 
> --
>
> ___
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

[clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-19 Thread Heino Backhaus
Hello List,

We've received today, early in the morning, mails with a Word document
containing a malicious macro,
which was not detected by ClamAV. It is now detected as
Doc.Dropper.Agent-177659.
I've set up clamd with the OLE2BlockMacros yes option, which normally
works fine, but not with this file.
Even though I've reported this as a bug, I just wanted to ask if
somebody knows more about this.

-- 
Kind regards

H. Backhaus 

Fink-Computer Systeme
Heggrabenstr. 9, 35435 Wettenberg
Email: heino.backh...@fink-computer.de
Web: www.fink-computer.de
Fax: +49-641-98444638
Fon: +49-641-98444640
UST-ID: DE151040770
HRB: 2143 Gießen
GF: Fredi Fink

"In retrospect it becomes clear that hindsight is definitely overrated!"
  
  -Alfred E. Neumann


Re: [clamav-users] Encrypted Word doc/phishing attack

2016-10-19 Thread Heino Backhaus
Hello,

I would like to make a feature request out of this. We've also received
mails with password-protected Office documents.

It would be a nice feature to filter them with an option like the
"OLE2BlockMacros yes" option. Let's call it OLE2BlockEncryption yes|no.

:)


Kind regards

H. Backhaus 


On 12.10.2016 at 16:03, Joel Esler (jesler) wrote:
> Alex,
>
> I’ll follow up off list to verify what email you submitted them under.
>
>
> Joel Esler
> jes...@cisco.com
>
>
>
> On Oct 12, 2016, at 8:21 AM, Alex <mysqlstud...@gmail.com> wrote:
>
> Hi Joel,
>
> On Wed, Oct 5, 2016 at 2:38 PM, Joel Esler (jesler) <jes...@cisco.com> wrote:
>
> On Oct 5, 2016, at 1:54 PM, Alex <mysqlstud...@gmail.com> wrote:
>
> Hi,
>
> Are you submitting these files to ClamAV?
>
> http://www.clamav.net/reports/malware
>
> Not always, primarily because the response time has been too long.
> I'll try to more attentively submit them.
>
> It shouldn’t be anymore.  This issue has largely been fixed through some 
> awesome automation.
>
> I submitted a sample about a week ago, and another a few minutes ago,
> and never received any type of confirmation, or follow-up that the
> file was actually added to the database. Is this the expected
> behavior?

Re: [clamav-users] Encrypted Word doc/phishing attack

2016-10-19 Thread Joel Esler (jesler)
Seems logical.  bugzilla.clamav.net would be a good 
place to submit the feature request.

--
Joel Esler | Talos: Manager| jes...@cisco.com






Re: [clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-19 Thread Steve Basford

On Wed, October 19, 2016 3:05 pm, Joel Esler (jesler) wrote:
> So to be clear, it is not detected or it is detected?

I think he's saying...

* It *should* have been blocked with OLE2BlockMacros yes option but *wasn't*
* It is now detected as Doc.Dropper.Agent-177659

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-19 Thread Joel Esler (jesler)
Heino,

Can you clarify which sig caught it?

Doc.Dropper.Agent-177659 is not an actual sig number.


--
Joel Esler | Talos: Manager| jes...@cisco.com







Re: [clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-19 Thread Joel Esler (jesler)
So to be clear, it is not detected or it is detected?


--
Joel Esler | Talos: Manager| jes...@cisco.com






Re: [clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-19 Thread Steve Basford

On Wed, October 19, 2016 3:12 pm, Joel Esler (jesler) wrote:
> Heino,
>
>
> Can you clarify which sig caught it?
>
>
> Doc.Dropper.Agent-177659 is not an actual sig number.

Damn cut and paste... it's: Doc.Dropper.Agent-1776597
(a hash)

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Error while compiling ClamAV

2016-10-19 Thread ANANT SHRIPADRAO ATHAVALE
Hi,

I am compiling on AIX 6.1.

regards,
anant.

>Can you please specify which Linux derivative you are using?


Re: [clamav-users] Error while compiling ClamAV

2016-10-19 Thread Reindl Harald



On 19.10.2016 at 15:45, crazy thinker wrote:

> Can you please specify which Linux derivative you are using?
>
> On 19 October 2016 at 10:07, ANANT S ATHAVALE wrote:
>
>> Hi,
>>
>> I tried compiling Clamav 0.99.2 with OpenSSL 1.1.0 and was getting error
>> OpenSSL installation is misconfigured or missing

most software needs to be changed to build against OpenSSL 1.1, and even
if it compiles it's not said it would work as expected



Re: [clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-19 Thread Joel Esler (jesler)
Yup, that’s one of mine.  Glad to see my system is working ;)

As far as why it didn’t work, I’ll have to defer this to Steve on the dev team.

--
Joel Esler | Talos: Manager| jes...@cisco.com






Re: [clamav-users] Error while compiling ClamAV

2016-10-19 Thread ANANT S ATHAVALE

Hi,

But, the error which I am getting is not w.r.t openssl right now (with  
github source download).


I am currently getting error for libmspack.  Please see my original post.

regards,
anant.
