Re: [clamav-users] False positive reporting

2013-11-07 Thread Alain Zidouemba
6u16-windows-i586.exe.zip cbb80060fbbecb3eac71b7fd66abd087 > > Can you have a look? > > Regards > > > On 28 August 2013 17:16, Alain Zidouemba > wrote: > > > Thanks for letting us know, Hugo. We are looking into it. > > > > - Alain > > > > > > On Wed, Aug 28,

Re: [clamav-users] False Positive not being corrected

2013-12-12 Thread Alain Zidouemba
Thanks Andrew. - Alain On Thu, Dec 12, 2013 at 6:01 PM, Andrew Carter wrote: > Hi Douglas, > > I have tested the file now and it is testing as clean. Thank you for > resolving this. > > Kind regards, > > Andrew > > > On 13/12/13 11:40, Douglas Goddard wrote: > >> It was an oversight on our end.

Re: [clamav-users] how to make a high efficiency cvd

2013-12-19 Thread Alain Zidouemba
On Thu, Dec 19, 2013 at 7:35 AM, 黄海涛 wrote: > 1. Do you have a commonly-used (popular) virus list? > > Yes, here: http://www.clamav.net/lang/en/download/cvd/malware-stats/ > > 2. Can we get the added time (the time of inserting into the virus > database) of every virus, or get the time order (inser

Re: [clamav-users] Updates seem to be stalled.

2014-01-06 Thread Alain Zidouemba
rect dial and fax) > "I like to listen. I have learned a great deal from listening carefully. > Most people never listen." > -- Ernest Hemingway > > ___ > Help us build a comprehensive ClamAV guide: > https://github.com

Re: [clamav-users] False positives

2014-01-15 Thread Alain Zidouemba
Tagore, Thanks for your FP report. The process for submitting suspected false positives is to go through the webpage http://www.clamav.net/lang/en/sendvirus/submit-fp/ . We monitor submissions that come in through that feed and address them as soon as possible. For a high priority FP, please email

Re: [clamav-users] speed of signature updates

2014-01-16 Thread Alain Zidouemba
Max, Thank you for your submission. Coverage for the sample you submitted should be reflected in a signature database update later today. Thanks, - Alain On Thu, Jan 16, 2014 at 7:35 AM, max wrote: > hi, > > being part of the recent phishing-wave about faked german telekom / > vodafone invoi

Re: [clamav-users] TheMask aka Careto

2014-02-17 Thread Alain Zidouemba
Also refer to: Careto: Covering unavailable samples http://blog.clamav.net/2014/02/careto-covering-unavailable-samples.html - Alain On Mon, Feb 17, 2014 at 4:21 PM, Steve Basford < steveb_cla...@sanesecurity.com> wrote: > In case this is useful for system scanning for TheMask aka Careto... > >

Re: [clamav-users] No more updates since march 1st

2014-03-03 Thread Alain Zidouemba
We are aware of and investigating the issue. We'll let you know when it's fixed. Thanks, - Alain On Mon, Mar 3, 2014 at 2:19 AM, Mischa Coenen wrote: > I have noticed that the last update of the ClamAV database was at 01 Mar > 2014 16-54 -0500, after that I didn't see any new updates. Ar

Re: [clamav-users] infection alerts from files in bitcoin chainstate [2]

2014-04-04 Thread Alain Zidouemba
Can't say for sure given the information you provided. However, the signatures that fired have been in our signature set for quite a while (over 6 years) and have proven to be fairly reliable over time. - Alain On Fri, Apr 4, 2014 at 6:15 AM, ellanios82 wrote: > Hello List > > - in case of i

Re: [clamav-users] false positive Email.Trojan-393

2014-04-09 Thread Alain Zidouemba
Upon review, the signature was dropped. Thanks for reporting this FP. - Alain 2014-04-09 13:14 GMT-04:00 Robert Schetterer : > Hi, some users reported a false positive with Email.Trojan-393 > is this widely known? > > Best Regards > MfG Robert Schetterer > > -- > [*] sys4 AG > > http://sys4.de, +

Re: [clamav-users] rkhunter : hopefully a false-positive

2014-04-09 Thread Alain Zidouemba
Thank you for reporting the FP. Our signatures will be adjusted accordingly. - Alain On Wed, Apr 9, 2014 at 1:36 PM, ellanios82 wrote: > On 04/09/2014 07:24 PM, Al Varnell wrote: > >> On Wed, Apr 09, 2014 at 03:29 AM, ellanios82 wrote: >> >>> >>> - thanks all : have uploaded rkhunter suspect f

Re: [clamav-users] rkhunter : hopefully a false-positive

2014-04-14 Thread Alain Zidouemba
> -- > Al Varnell > Mountain View, CA > > On Wed, Apr 09, 2014 at 10:49 AM, Alain Zidouemba wrote: > > > > Thank you for reporting the FP. Our signatures will be adjusted > accordingly. > > > > - Alain > > > > On Wed, Apr 9, 2014 at 1:36 PM, ellanios82

Re: [clamav-users] Silly question - clamav - linux viruses?

2014-04-17 Thread Alain Zidouemba
ClamAV "does scan for linux viruses". If you install ClamAV, you can use the sigtool command to find signatures for unix-specific malware. E.g.: > sigtool --list-sigs /usr/local/share/clamav/daily.cld | grep -i 'unix' . . . Exploit.Shellcode.Unix-Gen-1 Trojan.Plunix-1 UNIX.Worm.Sorso UNIX.Exploit.C

Re: [clamav-users] Manual cdiff update

2014-04-28 Thread Alain Zidouemba
No need to repack daily.cvd. You can if you want to but you don't have to. - Alain On Mon, Apr 28, 2014 at 3:14 PM, Arthur Snyder wrote: > Thank you. That helps. Do I need to repack the daily.cvd after applying > the cdiff before placing it in /var/lib/clamav? If so, will it still work > si

Re: [clamav-users] clamav stops boot

2014-05-02 Thread Alain Zidouemba
The ClamAV engine won't update itself automatically. You will have to manually perform that operation. The latest version of ClamAV (version 0.98.1) can be downloaded here: http://www.clamav.net/lang/en/download/sources/ - Alain On Fri, May 2, 2014 at 11:18 AM, Greg Mueller wrote: > I just got

Re: [clamav-users] Unable to submit false positive for bug54682.phpt PHP.Exploit.CVE_2011_4153-3

2014-05-09 Thread Alain Zidouemba
We are looking into it and will get back to you shortly. - Alain On Fri, May 9, 2014 at 9:06 AM, Bill Bennert wrote: > The clamav false positive submission system will not accept my entry and > says that it is not detected by ClamAV. This is not a virus, not > malware, this is a PHP test file

Re: [clamav-users] Unable to submit false positive for bug54682.phpt PHP.Exploit.CVE_2011_4153-3

2014-05-09 Thread Alain Zidouemba
Bill, The ClamAV alert for the test file you provided is not a false positive. It is actually a true positive. - Alain On Fri, May 9, 2014 at 9:25 AM, Alain Zidouemba wrote: > We are looking into it and will get back to you shortly. > > - Alain > > > On Fri, May 9, 201

Re: [clamav-users] Osx.Trojan.FkCodec-1 False Positives

2014-05-12 Thread Alain Zidouemba
Thanks for sending this in. We are addressing your reported FP. - Alain On Sat, May 10, 2014 at 12:24 AM, Al Varnell wrote: > Here’s the VirusTotal analysis (1/52) for Rapport-5.dmg which apparently > has an MD5 = efddf96af90be02bcc9e37cbc21c34a6 > < > https://www.virustotal.com/en/file/c3707d

Re: [clamav-users] No database updates for 48 hours?

2014-05-19 Thread Alain Zidouemba
An update should be out in the next few minutes. Thanks, - Alain On Mon, May 19, 2014 at 8:51 AM, Julius Plenz wrote: > Hi, > > Judging from the "clamav-virusdb" list and our log files, there > usually are a couple of database updates every day. There haven't been > any new "daily.cvd" updates

Re: [clamav-users] No database updates for 48 hours?

2014-05-19 Thread Alain Zidouemba
k that process. > > On Mon, 2014-05-19 at 08:53 -0400, Alain Zidouemba wrote: > > An update should be out in the next few minutes. > > > > Thanks, > > > > - Alain > > > > > > On Mon, May 19, 2014 at 8:51 AM, Julius Plenz >wrote: > > > >

Re: [clamav-users] Unix.Trojan.ElkKnot FOUND

2014-05-21 Thread Alain Zidouemba
The signature "Unix.Trojan.ElkKnot" was dropped from our signature set a few releases ago. - Alain On Wed, May 21, 2014 at 5:46 AM, DUCARROZ Birgit wrote: > Sorry, I forgot to note my question: > > Does somebody know what this might be? > When I am scanning now the same files, this message

Re: [clamav-users] Unix.Trojan.ElkKnot FOUND

2014-05-21 Thread Alain Zidouemba
ped? Should I believe now that I have this trojan or > not? > > > On 21. 05. 14 14:31 , Alain Zidouemba wrote: > >> The signature "Unix.Trojan.ElkKnot" has been dropped from our signature >> set >> a few releases ago. >> >> - Alain >>

Re: [clamav-users] Unix.Trojan.ElkKnot FOUND

2014-05-21 Thread Alain Zidouemba
> but this message disappeared also one or two days later. > Since the most of the "infected" files are old, I wonder if they might > have been infected afterwards... > > - Birgit > > > On 21. 05. 14 22:09 , Alain Zidouemba wrote: > >> It was dropped for pe

Re: [clamav-users] Unix.Trojan.ElkKnot FOUND

2014-05-23 Thread Alain Zidouemba
a8ece6de9fc > f3d3f36c34b9bba73c367f8604c47bbf > 00d634aac185696d25f4abce6f7f4441 > 194aab685f474136724e8ddbf4a03f9b > cc96618e63165bc031f9321229a94084 > 9a776ee1eaa1e164d109647970cd3585 > 9a7e37b646cfc9f8ca43d101d9d1f580 > 6568839e37176ff69e82bca37913c7f4 > 8917f23ea6169

Re: [clamav-users] Unix.Trojan.ElkKnot FOUND

2014-05-27 Thread Alain Zidouemba
> > On 23. 05. 14 15:28 , Alain Zidouemba wrote: > >> Thanks Birgit. >> >> - Alain >> >> >> On Fri, May 23, 2014 at 5:38 AM, DUCARROZ Birgit >> wrote: >> >> oki. Here are the md5s of the most of the

Re: [clamav-users] Again: No database updates for 48 hours?

2014-06-02 Thread Alain Zidouemba
I am looking into it now and will post an update as soon as I have one. - Alain On Mon, Jun 2, 2014 at 8:01 AM, Mischa Coenen wrote: > Hi Julius, > > We have also monitoring which checks the age of the signature files, and > we also have seen multiple outages of signature file updates. Last ti

Re: [clamav-users] Unix.Trojan.ElkKnot FOUND

2014-06-06 Thread Alain Zidouemba
ething? > > -Al- > > On Wed, May 21, 2014 at 04:01 PM, Alain Zidouemba wrote: > > > > The new signature will be out in the next few releases. > > > > If you could, please provide the md5s or sha256s of the samples that > > alerted. > > > >

Re: [clamav-users] clamav does not recognize virus?!

2014-06-10 Thread Alain Zidouemba
Thanks for reporting this, ungifted. We'll release a signature shortly. - Alain On Tue, Jun 10, 2014 at 4:29 AM, ungifted wrote: > On Tue, 10 Jun 2014 09:41:34 +0300 > Henri Salo wrote: > > > On Tue, Jun 10, 2014 at 08:22:39AM +0200, Frank Rust wrote: > > > why does clamav not recognize any v

Re: [clamav-users] Bitcoin : Chainstate : clamav today detects 6 infected files with names like : 512719.sst

2014-06-10 Thread Alain Zidouemba
les as being infected > > .... > > Dear Alain Zidouemba : may i upload all 6 or do you prefer just two ?? > > . > > thanks > Ellan >

Re: [clamav-users] clamav does not recognize virus?!

2014-06-10 Thread Alain Zidouemba
We are looking into it. Thanks, - Alain On Tue, Jun 10, 2014 at 10:07 AM, ungifted wrote: > On Tue, 10 Jun 2014 09:28:58 -0400 > Alain Zidouemba wrote: > > > Thanks for reporting this, ungifted. We'll release a signature shortly. > > Thanks. > > Why submissi

Re: [clamav-users] Bad detection rate

2014-06-23 Thread Alain Zidouemba
Walter, We received your sample for the first time today and will be analyzing it for coverage in the ClamAV signature set. Thanks for your submission. If you are planning to submit a large number of samples on a regular basis, please contact me off-list. - Alain On Mon, Jun 23, 2014 at 11:47

Re: [clamav-users] Win.Trojan.Zwangi-432 / Osx.Exploit.CVE_2006_0848 / PHP.Shell-29

2014-07-07 Thread Alain Zidouemba
Birgit, Let us know when you've uploaded those files. Thanks, - Alain On Mon, Jul 7, 2014 at 6:13 AM, DUCARROZ Birgit wrote: > No, since I did not know this form. I will do it ... > - Birgit > > > On 07. 07. 14 12:11 , Al Varnell wrote: > >> Have you already uploaded the files to

Re: [clamav-users] Win.Worm.Chir-553 False Positive

2014-07-16 Thread Alain Zidouemba
Al, Thank you for reporting these. The FPs have been handled. - Alain On Tue, Jul 15, 2014 at 8:27 PM, Al Varnell wrote: > I’ve now discovered another FP, this time for Win.Worm.Chir-551 and I’ve > uploaded it to you. Again, it’s from the same OS X provided Python > framework. I get similar

Re: [clamav-users] Win.Trojan.Wpbrutebot-2 false positive

2014-08-21 Thread Alain Zidouemba
Max, We addressed the signature causing the false positive this morning. Please update your signatures and let us know if you run into any other issues. Thanks, - Alain On Thu, Aug 21, 2014 at 9:24 AM, max wrote: > hi, > > can someone check daily.cvd Version: 19296 (20 Aug 2014 10-42 -0400)

Re: [clamav-users] Again: No database updates for 48 hours?

2014-08-28 Thread Alain Zidouemba
Thanks for reporting; we are aware of this. Some issues on our end that we are in the process of resolving. Should be back up momentarily. - Alain On Thursday, August 28, 2014, Julius Plenz wrote: > Hi, > > Previously when there was no daily.cvd update for 48 hours this turned > out to be an error.

Re: [clamav-users] Again: No database updates for 48 hours?

2014-08-28 Thread Alain Zidouemba
A signature update just went out and will propagate shortly. Thanks, - Alain On Thu, Aug 28, 2014 at 11:12 AM, Alain Zidouemba wrote: > Thanks for reporting; we are aware of this. Some issues on our end that > we are in process of resolving. Should be back up momentarily. >

Re: [clamav-users] Hint for creating signatures

2014-09-08 Thread Alain Zidouemba
Hajo, Would you be interested in sharing the signatures you create with the ClamAV community? If so, please check out the process here: http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html As for signatures for obfuscated PHP, it really does depend on the code you are looki

Re: [clamav-users] Where can I download the daily.cvd and main.cvd files

2014-09-09 Thread Alain Zidouemba
By using the tool "freshclam" that comes with ClamAV. - Alain On Tue, Sep 9, 2014 at 8:08 AM, McCarthy, John D. < john.d.mccar...@leidos.com> wrote: >

Re: [clamav-users] Whitelist Zip.Suspect.MiscDoubleExtension

2014-09-25 Thread Alain Zidouemba
https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf "To whitelist a specific signature from the database you just add its name into a local file called local.ign2 stored inside the database directory." - Alain On Thu, Sep 25, 2014 at 11:31 AM, Tim Edwards wrote: > The rece

Re: [clamav-users] Html.Exploit.CVE_2012_2546

2014-09-26 Thread Alain Zidouemba
Thank you, the signature has been revised. - Alain On Fri, Sep 26, 2014 at 5:09 AM, Nathan Howard wrote: > > > > I seem to be getting lots of hits on my browser cache when accessing some > > several popular sites, including the Apple Support Community Forum. Looks > > like it was just added ear

Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?

2014-10-06 Thread Alain Zidouemba
> If you think it needs to be quicker, then maybe you could volunteer your > time to help with the analysis (I'm not sure how you'd go about this) http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html - Alain

Re: [clamav-users] No virusdb updates since 19772

2014-12-15 Thread Alain Zidouemba
We had a network related issue over the weekend that affected outbound emails. It should not have affected CVD releases though. Email updates have resumed. If you encounter any other problems, please let us know. Thanks, - Alain On Mon, Dec 15, 2014 at 1:17 PM, Al Varnell wrote: > > Something

Re: [clamav-users] basic malware missed???

2015-03-25 Thread Alain Zidouemba
Coverage under the name "Php.Trojan.PCT4" will be released shortly. Thanks, - Alain On Tue, Mar 24, 2015 at 5:40 PM, Steve Holdoway wrote: > Hi folks, > > I'm in the process of cleaning up an infected wordpress website and am > finding a number of files that contain > > $sF="PCT4BA6ODSE_"; >

Re: [clamav-users] Clamscan infection that is not infected

2015-04-15 Thread Alain Zidouemba
Can you provide a checksum for your sample? Thanks, - Alain On Wed, Apr 15, 2015 at 9:50 AM, sanes wrote: > Why does clamscan show this file infection, but a scan with VirusTotal.com > shows file is safe? Which source should I trust? > > c:\Windows\System32\mobsync.exe: Win.Trojan.Agent-86393

Re: [clamav-users] Submission status

2015-05-22 Thread Alain Zidouemba
Fred, Signatures covering your samples will be released shortly. Thanks, - Alain On Fri, May 22, 2015 at 10:16 AM, Fred Wittekind wrote: > Have recently run in to a large number of emails getting past my employers > email filtering, all zip files, with executables inside, and all > malicious.

Re: [clamav-users] Submission for *.ace file rejected

2015-05-26 Thread Alain Zidouemba
On Tue, May 26, 2015 at 7:12 AM, Helmut Hullen wrote: > Hello, clamav-users, > > I've tried today and also last week to submit a file which contains a > virus; it's named "t-online.ace". > Before this try I had submitted many other "virulent" files without any > problem. > > With the above mentio

Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99b Meets YARA!

2015-06-11 Thread Alain Zidouemba
This has been supported since the introduction of logical signatures (ldb) in ClamAV 0.94. - Alain On Thu, Jun 11, 2015 at 11:00 AM, Steve Basford < steveb_cla...@sanesecurity.com> wrote: > > On Thu, June 11, 2015 3:51 pm, Steven Morgan wrote: > > > > We've borrowed the yacc/lex code from yara p

Re: [clamav-users] - False Positive

2015-07-07 Thread Alain Zidouemba
If one of the documents doesn't contain sensitive information, can you submit here? http://www.clamav.net/report/report-fp.html Thanks, - Alain On Tuesday, July 7, 2015, Andrew Carter wrote: > > > On 08/07/15 11:02, Andrew Carter wrote: > >> Hi , >> >> I am seeing Word documents coming up with

Re: [clamav-users] - False Positive

2015-07-09 Thread Alain Zidouemba
Can you provide the detection name that ClamAV displayed? Thanks, - Alain On Thu, Jul 9, 2015 at 7:43 AM, Ingo Bente wrote: > I am seeing the same finding. Since yesterday's daily update. > > I cross checked the respective file with Gmail, Avast, Avira and > Windows Defender. None of them repo

Re: [clamav-users] Banload not detected

2015-07-14 Thread Alain Zidouemba
Not sure I understand the problem you are facing. If you are asking if ClamAV with official signatures would detect the zip file whose SHA256 is eb495bcdfb517743ced48d1b165b046739fb621cc693cb09fed8c879684851f3, then the answer is yes. The detection name you would see is Win.Trojan.Banload-6198. I

Re: [clamav-users] Unable to detect pdf virus

2015-07-28 Thread Alain Zidouemba
Yes, please do so. Submit your sample here: http://www.clamav.net/report/report-malware.html and provide the MD5 or SHA256 of the sample you submitted as a reply to this email. Thanks, - Alain On Tue, Jul 28, 2015 at 11:01 AM, Al Varnell wrote: > It does not match the signature for Exploit.PDF

Re: [clamav-users] Unable to detect pdf virus

2015-07-28 Thread Alain Zidouemba
be helpful in order to determine that. Thanks, - Alain On Tue, Jul 28, 2015 at 11:32 AM, P K wrote: > Sure. I will submit but as per clamav Database this signature is already in > database. > > Why we should submit sample again? > > > > On Tue, Jul 28, 2015 at 4:

Re: [clamav-users] virus samples

2015-08-08 Thread Alain Zidouemba
What are the MD5s or SHA256s of the 37 files you submitted? Also, make sure you are using official ClamAV signatures in your setup. Thanks, - Alain On Sat, Aug 8, 2015 at 8:00 AM, sebast...@debianfan.de < sebast...@debianfan.de> wrote: > You've got me wrong. > > I have early April 2015 transmi

Re: [clamav-users] Swf.Exploit.CVE_2015_3102 FP

2015-08-21 Thread Alain Zidouemba
Thank you for reporting the FP and providing information. The signature needs to be reworked as it is causing FPs. The current version of the signature will be dropped shortly. Thanks, - Alain On Fri, Aug 21, 2015 at 1:56 PM, Ángel González wrote: > Al Varnell wrote: > > I’ve had three users r

Re: [clamav-users] Urgent: Php.Exploit.CVE_2015_2331-3 FP

2015-08-27 Thread Alain Zidouemba
Al, I will be pulling the signature shortly. Could you please submit a few of the files that are alerting here: http://www.clamav.net/report/report-fp.html ? Thanks, - Alain On Wed, Aug 26, 2015 at 11:21 PM, Al Varnell wrote: > Two Mac users so far are reporting a flood of files identified as

Re: [clamav-users] Urgent: Php.Exploit.CVE_2015_2331-3 FP

2015-08-27 Thread Alain Zidouemba
Thanks Mark. - Alain On Thu, Aug 27, 2015 at 6:24 AM, Mark Allan wrote: > Hi Alain, > > I've just submitted a small selection of the files being tagged as > infected. > > Regards > Mark > > > On 27 Aug 2015, at 11:09 am, Alain Zidouemba > wrote: >

Re: [clamav-users] Problems with daily db?

2015-10-15 Thread Alain Zidouemba
Can you paste here the output of running "sigtool -i" against your daily.cvd? Thanks, - Alain On Thu, Oct 15, 2015 at 1:30 PM, Rafael Ferreira wrote: > 0.98.7 > > > On Oct 15, 2015, at 8:46 AM, Steven Morgan > wrote: > > > > Rafael, > > > > I don't see this. Which version of ClamAV are you us

Re: [clamav-users] Identifying jar virus file

2015-10-19 Thread Alain Zidouemba
Send the sample here: http://www.clamav.net/reports/malware Provide the MD5 or SHA256 of the sample on this mailing list. Thanks, - Alain On Mon, Oct 19, 2015 at 7:28 PM, Alex wrote: > Hi, > I have a jar file that is apparently identified as a virus by > Microsoft as "Trojan.Java.Adwind.af" b

Re: [clamav-users] ClamAV not detecting malware

2015-10-28 Thread Alain Zidouemba
Matter: Coverage will be released later today. -Alain > On Oct 28, 2015, at 7:57 AM, Matthias Hank wrote: > > Hi, > > almost a week ago I uploaded a malware sample via the ClamAV website which was > not detected by ClamAV. > > In the meantime, most of the scanners on Jotti's website are detecting >

Re: [clamav-users] negate part of signature

2015-10-29 Thread Alain Zidouemba
Check out https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf, section 3.2.4. You should be able to write something like: !(not)badfunction( FYI, PCRE support is coming in ClamAV 0.99. There is a release candidate here if you want to try it: http://www.clamav.net/downloads

Re: [clamav-users] Difficult malwarefiles - signature too short

2015-11-02 Thread Alain Zidouemba
I believe the issue is around 5d2e{-11}*6973 <6973736574> Remove the * and try again. -Alain On Nov 2, 2015, at 5:24 AM, Hajo Locke wrote: 5d2e{-11}*6973

Re: [clamav-users] Still getting this:

2015-11-19 Thread Alain Zidouemba
The offending signature has been pulled as of daily: 21070, published on Nov 18. - Alain On Thu, Nov 19, 2015 at 2:57 AM, Al Varnell wrote: > I certainly agree with that. > > As I said in the original thread on this issue, I rarely come to the list > with FP issues unless they appear to be impa

Re: [clamav-users] Clamav cannot detect a malware using a signature based on html comment

2016-01-26 Thread Alain Zidouemba
Arnaud: Did you normalize your file? I.e. clamscan --leave-temps? - Alain > On Jan 26, 2016, at 6:55 AM, Arnaud Jacques / SecuriteInfo.com > wrote: > > Hello Steve, > >> I've seen the same sometimes I've had to end up using type 0, instead >> of 3/4/7 which isn't ideal. > > Even wit

Re: [clamav-users] False positives submitted but still viewed as viruses

2016-02-08 Thread Alain Zidouemba
Were the files submitted through this form? http://www.clamav.net/reports/fp Thanks, - Alain On Mon, Feb 8, 2016 at 9:33 AM, Klaas TJEBBES wrote: > Thanks for your answer. > > Here are the md5sums : > acad82626e83064ce8792bb17f568726 > 21c85b53fccf0712aadad1127115f4ff > 39cf4db0bba92ae1c188691

Re: [clamav-users] BlackEnergy malware detection

2016-02-18 Thread Alain Zidouemba
Here are some I could quickly identify: Win.Trojan.DropBear Win.Trojan.BlackEnergy2Driver Win.Trojan.BlackEnergy3 - Alain On Thu, Feb 18, 2016 at 7:37 AM, Volcy, Georges wrote: > Good Morning, > > Does ClamAV detect the Blackenergy malware and is there any way for me to > verify it. > Thanks,

Re: [clamav-users] A number of threats discovered by ClamAV on Windows apps, from Ubuntu Linux

2016-02-19 Thread Alain Zidouemba
Your attachment didn't make it through. Please send in your FPs here: http://www.clamav.net/reports/fp , or paste the contents of your attachment in your email message body. Thanks, - Alain On Sun, Feb 7, 2016 at 4:39 AM, Morten W. Petersen wrote: > Hi there. > > I run AVG and MalwareBytes on

Re: [clamav-users] clamav email error after submission of a virus sample

2016-03-01 Thread Alain Zidouemba
Kristen: Are you sending in your samples using: http://www.clamav.net/reports/malware ? FYI, I couldn't find the submission you made a few days ago for SHA256(invoice_SCAN_fGYbuu.zip)= ba41513235b21783b9741b59ceb191cc6e65f15cd15ba58ab1d9c648513419c0. It seems like you are experiencing a similar

Re: [clamav-users] Email.Phishing.DblDom-60 -- issue

2016-03-30 Thread Alain Zidouemba
$ sigtool -fEmail.Phishing.DblDom-60 | awk -F' ' '{print $2}' | sigtool --decode-sigs VIRUS NAME: Email.Phishing.DblDom-60 TARGET TYPE: MAIL OFFSET: * DECODED SIGNATURE: /.www.my.if.com/ If you think you have a false positive, please submit it here: http://www.clamav.net/reports/fp - Alain O

Re: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

2016-03-30 Thread Alain Zidouemba
Paul: Thanks for reporting this FP. This will be fixed momentarily. - Alain On Wed, Mar 30, 2016 at 2:18 PM, Paul Kosinski wrote: > I just downloaded samba-4.4.0.tar.gz (the latest) from samba.org, and, > after downloading via HTTPS, ClamAV (0.99.1/21479) reports that the gz > file contains Wi

Re: [clamav-users] Email.Phishing.DblDom-60 -- issue

2016-04-02 Thread Alain Zidouemba
Andrew: Are you up to date with your signatures? Email.Phishing.DblDom-60 was removed on 4/1/2016. FYI: $ echo -n 'Email.Phishing.DblDom-60:4:*:2f2e70617970616c2e636f6d' | sigtool --decode-sigs VIRUS NAME: Email.Phishing.DblDom-60 TARGET TYPE: MAIL OFFSET: * DECODED SIGNATURE: /[dot]paypal[dot]c
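As an added example serving both this thread and the earlier "signature too short" one (the `5d2e{-11}*6973` body), here is a small Python checker for `.ndb` lines: it tokenizes the hex body, rejects a `{n-m}` range placed directly next to a `*` wildcard (the reason for "Remove the * and try again"), and decodes the literal bytes into readable text the way the `sigtool --decode-sigs` output above does for `Email.Phishing.DblDom-60`. This is not ClamAV code and not part of any message in the thread; the `MIN_STATIC_BYTES` threshold, the start/end wildcard rule and the `TARGET_TYPES` table are this example's assumptions and should be cross-checked against signatures.pdf.

```python
"""Parse, validate and decode ClamAV .ndb signature lines.

Added example (not ClamAV's own code). It encodes the rule behind
"Remove the * and try again": a {n-m} range may not sit next to a *
wildcard. The other checks are this example's assumptions, marked
below; the authoritative rules are in ClamAV's signatures.pdf.
"""
import re
from dataclasses import dataclass


class SigError(ValueError):
    """Raised for a hex body this checker considers malformed."""


# Target types used in .ndb lines (assumed subset; 4 = MAIL, as in Email.* sigs).
TARGET_TYPES = {0: "ANY", 1: "PE", 2: "OLE2", 3: "HTML", 4: "MAIL",
                5: "GRAPHICS", 6: "ELF", 7: "ASCII", 9: "MACHO", 10: "PDF"}

# Assumption: every *-separated part must carry at least this many literal bytes.
MIN_STATIC_BYTES = 2

# One token per match: '*', '{n-m}', '(aa|bb)' alternatives, or one byte
# ('??' and nibble wildcards such as '4?' are matched as bytes too).
TOKEN_RE = re.compile(r"""
    (?P<star>\*)
  | (?P<range>\{\d*-?\d*\})
  | (?P<alt>\((?:[0-9a-fA-F]+\|)+[0-9a-fA-F]+\))
  | (?P<byte>[0-9a-fA-F?]{2})
""", re.VERBOSE)


@dataclass
class Token:
    kind: str   # 'star' | 'range' | 'alt' | 'byte'
    text: str


def tokenize(body: str) -> list:
    """Split a hex body into tokens; anything unrecognised is an error."""
    tokens, pos = [], 0
    while pos < len(body):
        m = TOKEN_RE.match(body, pos)
        if not m:
            raise SigError(f"unparseable hex body at offset {pos}: {body[pos:pos + 8]!r}")
        tokens.append(Token(m.lastgroup, m.group()))
        pos = m.end()
    return tokens


def validate(tokens: list) -> list:
    """Reject wildcard placements the engine will not accept (see module docstring)."""
    if not tokens:
        raise SigError("empty hex body")
    if tokens[0].kind in ("star", "range") or tokens[-1].kind in ("star", "range"):
        raise SigError("body cannot start or end with a wildcard")
    for a, b in zip(tokens, tokens[1:]):
        # The thread's case: '{-11}*' is two wildcards back to back.
        if a.kind in ("star", "range") and b.kind in ("star", "range"):
            raise SigError(f"adjacent wildcards not allowed: {a.text}{b.text}")
    for t in tokens:
        if t.kind == "range":
            inner = t.text[1:-1]
            if not any(c.isdigit() for c in inner):
                raise SigError(f"range needs a bound: {t.text}")
            if "-" in inner:
                lo, hi = inner.split("-", 1)
                if lo and hi and int(lo) > int(hi):
                    raise SigError(f"range lower bound exceeds upper bound: {t.text}")
    static = 0
    for t in tokens + [Token("star", "*")]:   # sentinel flushes the last part
        if t.kind == "star":
            if static < MIN_STATIC_BYTES:
                raise SigError(f"a *-separated part has fewer than {MIN_STATIC_BYTES} literal bytes")
            static = 0
        elif t.kind == "byte" and "?" not in t.text:
            static += 1
    return tokens


def decode(tokens: list) -> str:
    """Render literal bytes as ASCII (non-printables as \\xNN); wildcards stay symbolic."""
    out = []
    for t in tokens:
        if t.kind == "byte" and "?" not in t.text:
            b = int(t.text, 16)
            out.append(chr(b) if 0x20 <= b < 0x7f else f"\\x{b:02x}")
        elif t.kind == "byte":
            out.append("{" + t.text + "}")      # '??' or nibble wildcard
        elif t.kind == "star":
            out.append("{*}")
        else:
            out.append(t.text)                  # ranges and alternatives verbatim
    return "".join(out)


def describe(ndb_line: str) -> dict:
    """Parse 'name:target:offset:hexbody[:...]' and return a decoded summary."""
    fields = ndb_line.strip().split(":")
    if len(fields) < 4 or not fields[1].isdigit():
        raise SigError("ndb line must be name:target:offset:hexbody")
    name, target, offset, body = fields[:4]
    tokens = validate(tokenize(body))
    return {"name": name,
            "target": TARGET_TYPES.get(int(target), f"UNKNOWN({target})"),
            "offset": offset,
            "decoded": decode(tokens)}


if __name__ == "__main__":
    # Constructed inputs: the DblDom-60 line quoted in the thread and the
    # two variants of the body from the "signature too short" thread.
    print(describe("Email.Phishing.DblDom-60:4:*:2f2e70617970616c2e636f6d"))
    for body in ("5d2e{-11}*6973", "5d2e{-11}6973"):
        try:
            print(body, "->", decode(validate(tokenize(body))))
        except SigError as err:
            print(body, "-> rejected:", err)
```

Running it rejects `5d2e{-11}*6973` at the `{-11}*` boundary and accepts `5d2e{-11}6973`, decoding it as `].{-11}is`; the DblDom-60 line decodes to `/.paypal.com` against the MAIL target. Because the checker works on the `.ndb` text alone, it can be run over a locally written signature file before loading it with clamscan.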

Re: [clamav-users] FP Win.Trojan.Agent-1395367

2016-04-20 Thread Alain Zidouemba
Confirming the FP on MD5: 585005690e530e8047374cf14e479281. The signature Win.Trojan.Agent-1395367 has been removed. - Alain On Wed, Apr 20, 2016 at 3:02 AM, Hajo Locke wrote: > Hello, > > there seems to be a new FP within a Wordpress Plugin. > Download is here: > https://jetpack.com/install/?

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Alain Zidouemba
Jason: Do you have both main.cvd and daily.cvd? Win.Trojan.Trojan-605 was dropped several weeks ago, but would only be reflected in your installation if you have both main.cvd and daily.cvd. Please confirm. Thanks, - Alain On Tue, May 17, 2016 at 4:11 PM, Jason J. W. Williams < jasonjwwil

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Alain Zidouemba
On Tue, May 17, 2016 at 1:13 PM, Alain Zidouemba < > azidoue...@sourcefire.com> > wrote: > > > Jason: > > > > Do you have both main.cvd and daily.cvd? Win.Trojan.Trojan-605 was > > dropped several weeks ago, but would only be reflected in your >

Re: [clamav-users] ClamAV(R) blog: CRDF Joins the ClamAV Signature Partner Program!

2016-07-14 Thread Alain Zidouemba
We usually acknowledge every community signature submission, and even work with submitters to tweak the signature if needed. I see that you submitted a few signatures in the past few hours, which we will acknowledge and review in a few hours. If there are signatures that you've submitted in the pa

Re: [clamav-users] CVE_2013_3860-1

2016-07-25 Thread Alain Zidouemba
Xml.Exploit.CVE_2013_3860-1 has been dropped. Thanks, - Alain On Sun, Jul 24, 2016 at 11:51 AM, Al Varnell wrote: > There was a previous Xml.Exploit.CVE_2013_3860-1 signature added by daily: > 20352 on Apr 20, 2015 which was found to be producing FP’s and was removed > by daily: 20358. > > The

Re: [clamav-users] False Positive - Win.Exploit.CVE_2016_3316-1?

2016-08-10 Thread Alain Zidouemba
The offending signature has been dropped from the signature set. This should be reflected shortly in an upcoming signature update. - Alain On Wed, Aug 10, 2016 at 6:10 AM, Al Varnell wrote: > The only way to be notified is if you submit a sample to the ClamAV False > Positive site that I refere

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread Alain Zidouemba
The signature "Html.Exploit.CVE_2016_3326-3" has been removed and will be updated to take into account the false positives reported. Thanks, - Alain On Thu, Aug 11, 2016 at 6:36 AM, ancien compte wrote: > and http://www.kaspersky.fr/internet-security etc is accessible now > :) > > 2016-08-

Re: [clamav-users] Html.Exploit.CVE_2016_3386-1 False Positives

2016-10-21 Thread Alain Zidouemba
Thanks for the FP report. The offending signature has been pulled. - Alain On Fri, Oct 21, 2016 at 4:16 AM, Al Varnell wrote: > Html.Exploit.CVE_2016_3386-1 added today by daily - 22400 is identifying > the following Main.js files as infected. They are all WebKit components > included with mult

Re: [clamav-users] Html.Exploit.CVE_2016_7190-1 WordPress False Positives

2016-10-23 Thread Alain Zidouemba
Thanks Al. The signature has been removed. - Alain On Sun, Oct 23, 2016 at 2:00 AM, Al Varnell wrote: > Have received a couple of reports of multiple WordPress sites infected with > Html.Exploit.CVE_2016_7190-1 over the past two days, which was added by > daily - 22400 on 10/20/2016. > > Also f

Re: [clamav-users] FP

2016-11-12 Thread Alain Zidouemba
The FPs handled by Swf.Exploit.CVE_2016_7865-1 have been resolved and this should be reflected in a CVD update later today. -Alain > On Nov 12, 2016, at 11:20 AM, Al Varnell wrote: > > Me? I'm a user like you and have no ability to solve your issues. > > There is really no need to post every FP

Re: [clamav-users] support

2016-12-05 Thread Alain Zidouemba
I've identified a few clean samples that this signature FPs on. I'm dropping BC.Legacy.Exploit.CVE_2012_4148-1. We'll rework it. - Alain On Mon, Dec 5, 2016 at 9:10 AM, Steve Basford < steveb_cla...@sanesecurity.com> wrote: > Hi, > > Just had a twitter user contact me regarding an fp that he repo

Re: [clamav-users] Custom CVD

2016-12-16 Thread Alain Zidouemba
There's no need to create a CVD if all you want is to use official clamav signatures and non-official signatures. Use "sigtool -u" with a clamav cvd to unpack it and choose the signatures you want. You can then point clamscan or clamdscan to the directory that contains your signatures, official

Re: [clamav-users] More fp's.

2016-12-26 Thread Alain Zidouemba
We are seeing the FPs and are in the process of addressing them. Please keep reporting them. - Alain On Mon, Dec 26, 2016 at 8:11 AM, Steve Basford < steveb_cla...@sanesecurity.com> wrote: > > On Mon, December 26, 2016 12:39 pm, Sierk Bornemann wrote: > > Just run freshclam... > > fp\Aston Villa

Re: [clamav-users] Submitting False Negatives

2017-01-11 Thread Alain Zidouemba
Unix.Malware.Agent-1847425 is not a heuristic detection. - Alain On Wed, Jan 11, 2017 at 12:28 PM, Tim Tepatti wrote: > Sounds good to me, I'll submit them in an archive then. > > Also, another question: If a virus is picked up as a generic > "Unix.Malware.Agent-1847425", does that mean that t

Re: [clamav-users] Osx.Malware.Agent-5505694-0

2017-01-11 Thread Alain Zidouemba
It's been replaced by a different signature. -Alain On Wed, Jan 11, 2017 at 6:42 PM, Al Varnell wrote: > Subject signature was added by daily - 22865 and then removed by daily - > 22869. > > [daily.hsb] 52960200bf989064d77f0a158180e4ac:1101744:Osx.Malware.Agent- > 5505694-0:73 > > VirusTotal in

Re: [clamav-users] Potentially False Positive, but I lost the file!

2017-01-21 Thread Alain Zidouemba
Antonio, Unfortunately, I can't find any record of us having ever published Win.Trojan.Agent-18112140. Could the name of the signature that caused the FP be slightly different? Alain On Sat, Jan 21, 2017 at 9:07 AM, Antonio Piccolomini d'Aragona < antpiccda...@gmail.com> wrote: > Hi, > I'm writ

Re: [clamav-users] Potentially False Positive, but I lost the file!

2017-01-21 Thread Alain Zidouemba
38 AM, Antonio Piccolomini d'Aragona < antpiccda...@gmail.com> wrote: > Actually, there is a 1 less. It is Win.Trojan.Agent-1812140 (I looked in my > Mac Cronology...where I looked for some ways to fix) > > 2017-01-21 17:16 GMT+01:00 Alain Zidouemba : > > > Antonio

Re: [clamav-users] FP with Java.Exploit.CVE_2012_1723-8

2017-01-24 Thread Alain Zidouemba
Thanks Mark. We're taking a look at this now. - Alain On Tue, Jan 24, 2017 at 5:53 AM, Mark Allan wrote: > Hi, > > I've received a few reports of FPs with the signature > Java.Exploit.CVE_2012_1723-8. I can't upload a sample because, of all > places, it's being detected in the scan log which co

Re: [clamav-users] Probable False Positive: Unix.Trojan.Mirai-5607459-1

2017-01-26 Thread Alain Zidouemba
The signature Unix.Trojan.Mirai-5607459-1 has been marked to be dropped earlier tonight. Expect this to be reflected in the CVD shortly. - Alain On Thu, Jan 26, 2017 at 11:15 PM, Mark Edwards wrote: > So far 150 of 300 CentOS 7 servers reporting: > > /usr/bin/systemd-nspawn: Unix.Trojan.Mirai-5

Re: [clamav-users] Win.Trojan.DarkKomet-5711346-0 false positive?

2017-02-16 Thread Alain Zidouemba
That alert caused by Win.Trojan.DarkKomet-5711346-0 is an FP. The signature is being dropped. Thanks for reporting, - Alain On Thu, Feb 16, 2017 at 3:17 PM, Mark Foley wrote: > I am running a scheduled clamscan on the IMAP mail folders. The command is: > > /usr/local/bin/clamscan -a --detect-p

Re: [clamav-users] Daily 23161 broke Clam

2017-03-03 Thread Alain Zidouemba
We're pulling the signature causing the issue now, while we investigate the cause. - Alain On Fri, Mar 3, 2017 at 12:38 PM, Aaron C. Bolch wrote: > Greetings, > > After Daily Update 23161 was applied, the following error happened: > > Database initialization error: can’t compile engine: Malform

Re: [clamav-users] Daily 23161 broke Clam

2017-03-03 Thread Alain Zidouemba
:34 PM, Steve Basford < steveb_cla...@sanesecurity.com> wrote: > > On Fri, March 3, 2017 7:20 pm, Alain Zidouemba wrote: > > We're pulling the signature causing the issue now, while we investigate > > the cause. > > > > - Alain > Hi Alain, > > I th

Re: [clamav-users] Sporadic signature frequency

2017-04-13 Thread Alain Zidouemba
They come out every 6h. -Alain > On Apr 13, 2017, at 9:57 PM, Rafael Ferreira wrote: > > Hey folks, I've noticed that new sig databases are coming out at a fairly > inconsistent frequency lately, is this accidental or for a particular reason? > > Rafael > __

Re: [clamav-users] Another possible FP?

2017-04-22 Thread Alain Zidouemba
Thanks for reporting, we'll tweak the signature. - Alain On Sat, Apr 22, 2017 at 2:44 AM, Al Varnell wrote: > Confirming that I am getting similar results after a quick update. I > uploaded one message to the FP site which just happens to be a Security > Update notice from Apple: > 7ed54ef4cff5

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-13 Thread Alain Zidouemba
Yara rules have been supported by ClamAV since 2015: http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html - Alain On Sat, May 13, 2017 at 1:16 PM, Alex wrote: > Hi, > > So you've probably heard of the latest ransomware dubbed WannaCry. I'm > wondering if anyone has figured out a way to in

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-13 Thread Alain Zidouemba
For "WannaCry", look for ClamAV signatures: Win.Ransomware.WannaCry-* Alain On Sat, May 13, 2017 at 1:24 PM, Alain Zidouemba wrote: > Yara rules have been supported by ClamAV since 2015: > http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html > > - Alain > >

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-13 Thread Alain Zidouemba
, 2017 at 1:24 PM, Alain Zidouemba > wrote: > > Yara rules have been supported by ClamAV since 2015: > > http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html > > Yes, I saw that, but maybe I'm misunderstanding the benefit of yara. > > Are the signatures not

Re: [clamav-users] file name extension cvd cld clamtmp cud hdb etc., mime types

2017-05-13 Thread Alain Zidouemba
A few quick answers: - CVD: ClamAV Virus Database, signed - CLD: ClamAV Virus Database, to which a diff update has been applied - CUD: ClamAV Virus Database, unsigned Use "sigtool -u" to decompress. Alain On Sat, May 13, 2017 at 2:52 PM, Jörg Jenderek wrote: > Hello, > i found several file n

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-14 Thread Alain Zidouemba
nsomware: http://blog.talosintelligence.com/2017/05/wannacry.html Alain On Sun, May 14, 2017 at 11:09 AM, Alex wrote: > Hi, > > On Sat, May 13, 2017 at 1:32 PM, Alain Zidouemba > wrote: > > For "WannaCry", look for ClamAV signatures: > > Win.Ransomware.WannaCry-* > >
