Re: [clamav-users] USB key scan on access

2016-06-30 Thread Vladislav Kurz
On 06/30/16 07:45, maiki wrote: > Thank you for your answer. But in that case, I'll have to scan the > entire key. As it could take some time, I prefer the on access approach. > In addition this does not detect when a virus is copied to the key after > the initial scan. In that case I would recomm

Re: [clamav-users] Frequent PUA.Win.Trojan.EmbeddedPDF-1 false positives

2016-06-30 Thread Al Varnell
The preferred, documented way to deal with a suspected False Positive here is to upload it to , although in past years PUA submissions were not allowed, so I can’t predict how successful you will be. ClamAV will always stop scanning after it finds the first infe

[clamav-users] YARA: filesize condition

2016-06-30 Thread Axb
When trying to use filesize condition in a Yara sig rule FileSize_200KB { condition: filesize < 200KB } I get LibClamAV Warning: load_oneyara: yara rule contains no supported strings, skipping YARA.FileSizeExample Am I missing something or if indeed not supported, could it please

Re: [clamav-users] YARA: filesize condition

2016-06-30 Thread Steven Morgan
On Thu, Jun 30, 2016 at 10:06 AM, Axb wrote: > > When trying to use filesize condition in a Yara sig > > rule FileSize_200KB > { > condition: >filesize < 200KB > } > > Hi, That is correct. ClamAV uses matching of yara strings to drive the yara condition. filesize will work in a yara

[clamav-users] sinowal trojan

2016-06-30 Thread c chupela
running clam av under centos 6.x, clamav version .99-3, daily.cld version 21810, bytecode.cld version 283 recently had security software flag one of my systems for the sinowal trojan - a scan with clamav is not finding evidence of this.  Should clamav be finding this if it is present? The referen

Re: [clamav-users] YARA: filesize condition

2016-06-30 Thread Paul Kosinski
On Thu, 30 Jun 2016 11:26:07 -0400 Steven Morgan wrote: > On Thu, Jun 30, 2016 at 10:06 AM, Axb wrote: > > > > > When trying to use filesize condition in a Yara sig > > > > rule FileSize_200KB > > { > > condition: > >filesize < 200KB > > } > > > > > Hi, > > That is correct. ClamAV

Re: [clamav-users] YARA: filesize condition

2016-06-30 Thread Steven Morgan
On Thu, Jun 30, 2016 at 2:27 PM, Paul Kosinski ize < 200KB > > Shouldn't exactly one 'and' be an 'or' in: > > "($abc and not $abc) and filesize < 200KB" > Yes, the first 'and' must be an 'or'. Thank you! Steve

Re: [clamav-users] sinowal trojan

2016-06-30 Thread Joel Esler (jesler)
Have you submitted the file that is being detected up to ClamAV.net? On the contact page? -- Joel Esler iPhone On Jun 30, 2016, at 1:22 PM, c chupela <cnctem...@yahoo.com> wrote: running clam av under centos 6.x, clamav version .99-3, daily.cld version 21810, byteco