Re: [clamav-users] WannaCry Homeland Security yara script. False positives?

2017-05-17 Thread Joel Esler (jesler)
Yes. We strip attachments. However, are there samples that are not being caught by the ClamAV ruleset? -- Joel Esler | Talos: Manager | jes...@cisco.com On May 17, 2017, at 6:30 PM, Al Varnell <alvarn...@mac.com> wrote: I'm pretty certain that attachments

Re: [clamav-users] WannaCry Homeland Security yara script. False positives?

2017-05-17 Thread Al Varnell
I'm pretty certain that attachments are removed to prevent malware samples from being distributed here. Need a link to a server of some sort, such as PasteBin. Sent from Janet's iPad -Al- -- Al Varnell Mountain View, CA On May 17, 2017, at 2:45 PM, Mark Foley wrote: > Perhaps I'm missing it, b

Re: [clamav-users] WannaCry Homeland Security yara script. False positives?

2017-05-17 Thread Mark Foley
Perhaps I'm missing it, but I didn't see any attachment. --Mark On 5/17/2017 1:46 PM, João Gouveia wrote: Those rules are known for FP'ing a lot. Here's a different set you might want to check, courtesy of ReversingLabs (attached). On Wed, May 17, 2017 at 6:10 AM, Mark Foley wrote: I added

Re: [clamav-users] New Main.cvd coming

2017-05-17 Thread Benny Pedersen
Joel Esler (jesler) wrote on 2017-05-17 20:59: main.cvd will receive a cdiff. So, the size will be considerably smaller than a full “main” push. Super, now we have a non-compressed signed main, which on its own means faster loading, but I'd like to see sigtool support compress uncompressed of

Re: [clamav-users] New Main.cvd coming

2017-05-17 Thread Joel Esler (jesler)
main.cvd will receive a cdiff. So, the size will be considerably smaller than a full “main” push. -- Joel Esler | Talos: Manager | jes...@cisco.com On May 17, 2017, at 10:48 AM, Joel Esler (jesler) <jes...@cisco.com> wrote: I will talk to the team interna

Re: [clamav-users] WannaCry Homeland Security yara script. False positives?

2017-05-17 Thread João Gouveia
Those rules are known for FP'ing a lot. Here's a different set you might want to check, courtesy of ReversingLabs (attached). On Wed, May 17, 2017 at 6:10 AM, Mark Foley wrote: > I added the yara script published by Homeland Security to the clamav database directory. I believe I am getting

Re: [clamav-users] DNS Caching Problem AGAIN with current.cvd.clamav.net?

2017-05-17 Thread Andy Schmidt
Hi Al, >> I am not understanding your point here. Where are you seeing an indication that the database had been updated at the time you wrote? The first indication of an update was an email announcing daily 23390 at 8:30am PDT << Good point. I may have incorrectly assumed that no updates for >24h

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-17 Thread Reindl Harald
On 17.05.2017 at 17:40, Kishore Pawar wrote: Hi Reindl Harald I am not sure what is wrong with this upgrade/installation. But, here's the configuration I was using previously and is being used currently Impressive that you talk to me but quote some other stuff I responded to "where I see t

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-17 Thread Kishore Pawar
Hi Reindl Harald I am not sure what is wrong with this upgrade/installation. But, here's the configuration I was using previously and is being used currently. $ date Wed May 17 10:14:47 CDT 2017 $ cat /usr/local/etc/clamd.conf | grep -v "#" LogFile /var/log/clamav/clamd.log LogTime yes LogSyslog

[clamav-users] ClamAV® blog: ClamAV will be publishing a new Main.cvd on Wednesday, June 7th, 2017

2017-05-17 Thread Joel Esler (jesler)
http://blog.clamav.net/2017/05/clamav-will-be-publishing-new-maincvd.html We are currently planning on cutting a new Main.cvd on Wednesday, June 7th, 2017. After the new Main.cvd is published the "daily" load on the mirrors and your networks should be much lighter. As always, this will resul

Re: [clamav-users] New Main.cvd coming

2017-05-17 Thread Joel Esler (jesler)
I will talk to the team internally. I was going to push the blog post out to the mirrors list and the users list, but I had people in and out of my office yesterday and didn’t get to it. -- Joel Esler | Talos: Manager | jes...@cisco.com On May 17, 2017, at 5:45

Re: [clamav-users] New Main.cvd coming

2017-05-17 Thread Joel Esler (jesler)
I am sure I would get violent push back if I did that. -- Joel Esler | Talos: Manager | jes...@cisco.com On May 17, 2017, at 7:04 AM, Andreas Schulze <andreas.schu...@datev.de> wrote: On 17.05.2017 at 11:45, Mark Allan wrote: I spotted this yesterday on the

Re: [clamav-users] New Main.cvd coming

2017-05-17 Thread Andreas Schulze
On 17.05.2017 at 11:45, Mark Allan wrote: > I spotted this yesterday on the ClamAV blog and was waiting for Joel (or someone else) to mention it here, but that may or may not happen, so... http://blog.clamav.net/2017/05/clamav-will-be-publishing-new-maincvd.html Mark, thanks for the

[clamav-users] New Main.cvd coming

2017-05-17 Thread Mark Allan
Hi all, I spotted this yesterday on the ClamAV blog and was waiting for Joel (or someone else) to mention it here, but that may or may not happen, so... http://blog.clamav.net/2017/05/clamav-will-be-publishing-new-maincvd.html The gist is that a new main.cvd will be getting pushed out n

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-17 Thread Reindl Harald
On 17.05.2017 at 05:07, Kishore Pawar wrote: Thanks Carlos, I see what you're saying. I checked my previous sessions and I found the below one from the 'Oct 2016' session where I see that the clam-miller.socket is owned by clamav:clamav, whereas my latest one is owned by clamav:root. Is it causi