[clamav-users] Mirror 217.173.238.34 outdated signatures

2012-12-12 Thread Jake Bowl
Hello, We have detected that ClamAV mirror 217.173.238.34 has outdated signatures (version 15577). Cheers, Jake ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml

Re: [clamav-users] Mirror 217.173.238.34 outdated signatures

2012-12-12 Thread Al Varnell
On 12/12/12 1:14 AM, "Jake Bowl" wrote: > We have detected that ClamAV mirror 217.173.238.34 has outdated signatures > (version 15577). > I suspect they already know from the status of ClamAV® Database mirrors page. It would appear that clamav.lie-comtel.li

[clamav-users] help writing a sig

2012-12-12 Thread Tom Kinghorn
Good afternoon list. We have been getting bombarded by spam with a single link to random .ru websites. I have tried creating a signature to match http://hostname.domainname.ru like /http://odnocw4.pisem.ru/ e.g. 687474703a2f2f*2e*2e7275 <<< http://{WILDCARD_ANY_STRING}.{WILDCARD_ANY_STRING

Re: [clamav-users] help writing a sig

2012-12-12 Thread Benny Pedersen
Tom Kinghorn wrote on 12-12-2012 13:54: However, it returns malformed database. might be too much wildcard try make signature match *.pisem.ru and hope it solves it

Re: [clamav-users] help writing a sig

2012-12-12 Thread Tom Kinghorn
On 12/12/2012 15:10, Benny Pedersen wrote: might be too much wildcard try make signature match *.pisem.ru and hope it solves it Thanks for the response. The hostname.domainname part is randomized, so it would need to be a wildcard. 1 constan

Re: [clamav-users] help writing a sig: SOLVED

2012-12-12 Thread Tom Kinghorn
On 12/12/2012 15:19, Tom Kinghorn wrote: Thanks for the response. The hostname.domainname part is randomized, so it would need to be a wildcard. 1 constant is that the domain part (in this case pisem) always seems to be 5 letters. the .tld also changes

Re: [clamav-users] help writing a sig

2012-12-12 Thread Benny Pedersen
Tom Kinghorn wrote on 12-12-2012 14:19: the .tld also changes between .ru & .su make it a logical signature where it matches all domains that you see spamming, that will be one signature for this spammer :) echo "pisem.ru" | sigtool --hex-dump >hex.1 echo "example.org" | sigtool --hex-dump >hex

Re: [clamav-users] help writing a sig

2012-12-12 Thread Tom Kinghorn
On 12/12/2012 15:38, Benny Pedersen wrote: echo "pisem.ru" | sigtool --hex-dump >hex.1 echo "example.org" | sigtool --hex-dump >hex.2 join hex.1 and hex.2 into a logical or signature so it is just one signature, then if there is more toplevel spam domain, add this as one more hex.x to the logic

Re: [clamav-users] Mirror 217.173.238.34 outdated signatures

2012-12-12 Thread David Raynor
On Wed, Dec 12, 2012 at 4:48 AM, Al Varnell wrote: > On 12/12/12 1:14 AM, "Jake Bowl" wrote: > > > We have detected that ClamAV mirror 217.173.238.34 has outdated > signatures > > (version 15577). > > > I suspect they already know from the status of ClamAV® Database mirrors > page >

Re: [clamav-users] False Positive for BC.Exploit.CVE_2012_1885-1

2012-12-12 Thread Matthias Egger
Hi David On 10.12.2012 17:03, David Raynor wrote: So let's try the easiest one first: how big is the file? If you have raised it past the filescan max size, then default installations will skip it and report OK. Any suggestion what I could do about that? Best regards Matthias -- Matthias Egge

Re: [clamav-users] False Positive for BC.Exploit.CVE_2012_1885-1

2012-12-12 Thread Alain Zidouemba
Matthias, What architecture are you running ClamAV on? x86/64, PowerPC, SPARC, etc..?

[clamav-users] BC detections this week

2012-12-12 Thread Al Varnell
Just wanted to make an observation that we've had several reports by ClamXav users (OS X platform) this week of possible false positives in the Bytecode area since update 203 on Friday. On Monday: BC.Exploit.CVE_2012_2543 and BC.Heuristic.Trojan.Su

Re: [clamav-users] BC detections this week

2012-12-12 Thread Alain Zidouemba
Al, Thanks for the heads up. We received a few FP reports and are addressing them. Thanks, - Alain

Re: [clamav-users] False Positive for BC.Exploit.CVE_2012_1885-1

2012-12-12 Thread Matthias Egger
Hello Alain On 12.12.2012 18:38, Alain Zidouemba wrote: Matthias, What architecture are you running ClamAV on? x86/64, PowerPC, SPARC, etc..? SPARC (SunOS 5.10) Best regards Matthias -- Matthias Egger IT Support Gruppe D-ITET (ISG.EE) ETH Zürich, ETL F 24.1 Physikstrasse 3 8092 Zürich +41

[clamav-users] Trojan.SMSSend.3666 (Dr. Web)

2012-12-12 Thread Al Varnell
Looks like Dr. Web finally got around to uploading "Trojan.SMSSend.3666" to VirusTotal here. Dr. Web's write-up is here. Apple has updated their sys