This went out yesterday to address the latest variant:
Win.Ransomware.Agent-6331177-0
Additionally, there are over 70 signatures that contain the keyword "Petya"
in their name.
Alain
On Wed, Jun 28, 2017 at 2:51 AM, Dmitry Melekhov wrote:
> Hello!
>
> Looks like there is no signature for pe
Signature will be going out shortly.
On Wed, Jul 12, 2017 at 2:52 PM, Alex wrote:
> Hi, we've received a word virus that isn't currently being detected by
> any scanners. I've submitted the FN, but would like to see if we can
> get that pushed out as soon as possible.
>
> $ sha1sum Invoice_SKMBT
$ sigtool -fHtml.Exploit.CVE_2017_0266-6311814-0
[daily.ndb]
Html.Exploit.CVE_2017_0266-6311814-0:3:*:6e65776461746176696577286e657761727261796275657228*2e73657475696e7433322e63616c6c28{-50}2e73657475696e7433322e63616c6c28
On Thu, Jul 20, 2017 at 3:15 PM, Krishna Pandey
wrote:
> Hi All,
>
>
$ wget http://www.eicar.org/download/eicar.com.txt
--2017-08-30 14:35:48-- http://www.eicar.org/download/eicar.com.txt
Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
HTTP request sent, awaiting response... 200
We are shipping sha256 signatures now. See contents of daily.hsb. We
are no longer shipping new hdb (md5) signatures.
-Alain
> On Sep 8, 2017, at 7:28 AM, Al Varnell wrote:
>
> I'm struggling to understand how that would improve the DB? It's not a
> security issue and it would seemingly involve
BC.Win.Exploit.CVE_2017_11244-6335828-0 has been dropped and will be
modified to avoid the FPs you've reported.
Thanks,
- Alain
On Wed, Sep 13, 2017 at 1:13 PM, Kees Theunissen
wrote:
> On Wed, 13 Sep 2017, Kees Theunissen wrote:
>
> >On Wed, 13 Sep 2017, lukn wrote:
> >
> >>Hello List
> >>
>
Dropped on Tuesday.
-Alain
> On Sep 15, 2017, at 1:45 AM, Al Varnell wrote:
>
> Haven't seen any notification that it's been dropped yet.
>
> -Al-
>
>> On Wed, Sep 13, 2017 at 11:52 AM, Alain Zidouemba wrote:
>> BC.Win.Exploit.CVE_2017_11244-6335828-0 has
A new bytecode CVD will be out shortly to address this.
Thanks,
- Alain
On Fri, Sep 15, 2017 at 8:18 AM, Leonardo Rodrigues <
leolis...@solutti.com.br> wrote:
>
> i have had ZERO matches on the CVE_2017_11241 signature on the last
> days. Had several hundreds (which i believe are all FPs) o
Routing appropriately.
-Alain
On Sun, Sep 24, 2017 at 8:11 AM Michael D. wrote:
> Hi,
>
> I twice tried to reach out to the ClamAV Developers regarding this
> error, but have been ignored.
>
> Anyone?
>
> Best regards
>
> Michael
>
>
> Latest segfaults since rebooting 8 days ago:
>
> Sep 21 16:4
Should be fixed in the next few DB updates.
-Alain
On Oct 9, 2017, at 2:48 PM, Shaw Terwilliger <
sterwilli...@patternhealthtech.com> wrote:
Java.Malware.Agent-6297845-0:73 matches a file that's part of the
OWASP Dependency Check tool, dependency-check-core-1.4.5.jar.
bbeddbad91868290103ed3990
Thanks for reporting. Will be addressed in the next CVD update.
-Alain
On Fri, Jun 11, 2021 at 10:44 AM Douglas Stinnette wrote:
>
> It has been over a year since there was a wide false positive across
> ClamAV.
> "/Library/Application Support/Quest/KACE/bin/klog"
> "Unix.Malware.Macos-9867919-
The signature causing this FP alert has been dropped earlier today. This
should be reflected in the next signature definitions update.
Thanks for reporting the issue.
-Alain
On Fri, Sep 10, 2021 at 4:48 PM Andreas Rulle wrote:
> Hi,
>
> a detection of Pdf.Phishing.CWS4c384287-9890237-0 has be
Tom,
You can find the answer in the attached document.
On Feb 13, 2010 5:49 PM, "Tom Shaw" wrote:
How does one determine what TargetType ClamAV will assign to a file or
attachment? I have been all through the docs and wiki and can find no
specifics.
Any and all help is appreciated.
Tom
Tom:
Is this the answer you were looking for?
--
Alain S. Zidouemba
Research Engineer, Vulnerability Research Team
SOURCEfire
Tel: 1(410)423-4764
email: alain.zidoue...@sourcefire.com
2010/2/15 Alain Zidouemba
> Courtesy of Edwin:
>
> The file type is determined by signatures in
Andrea:
Main.cvd and daily.cvd are DAT/signatures files. Main.cvd is updated
less frequently than daily.cvd. Daily.cvd is updated several times a
day.
About the difference between .cvd and .cld: When you do freshclam you
will get .cvd files. They are compressed database files. Once one or
more in
Paolo:
The latest signatures are available here:
http://db.local.clamav.net/main.cvd
http://db.local.clamav.net/daily.cvd
-Alain
On Wed, Mar 24, 2010 at 10:08 AM, Del Monte Paolo wrote:
> Ok, sorry for language.
> For security reasons I can't open the firewall port to download the latest
> vir
Paolo:
How about you just wget these two files?
http://db.local.clamav.net/main.cvd
http://db.local.clamav.net/daily.cvd
It doesn't matter whether you get them on your Windows box or your
HPUX box but those are the latest signature files.
-Alain
On Wed, Mar 24, 2010 at 11:10 AM, Del Monte Paol
Try: clamscan -V
On Tue, May 4, 2010 at 3:48 PM, Wagner Pereira wrote:
> Hi, everyone.
>
> How can I see my Clamav's version?
>
> The thing is: my freshclam.log is warning me "WARNING: Your ClamAV
> installation is OUTDATED!"
>
> I am reading the Clamav's official FAQ right now, but I just need t
ClamAV is not specifically designed to be a host-based AV although you
can use it as such. If you want a ClamAV solution specially designed
to run on end systems, check out ClamAV for Windows:
http://www.clamav.net/lang/en/about/win32/
-Alain
On Wed, May 12, 2010 at 9:16 AM, Henrik K wrote:
> On
Technically speaking, ClamAV is open-source. However, we do not
provide the code for ClamAV for Windows, therefore ClamAV for Windows
is closed-source just like the other AV solutions you mentioned.
When it comes to whether ClamAV for Windows is going to fit your
needs, you will have to decide that
> ClamAV can only detect malware, it does not clean or even quarantine
> anything.
ClamAV does not just detect malware, it can quarantine it.
> And it's geared toward e-mail, which means the focus of the AV DB will be
> threats that use e-mail as an attack vector. As such, you won't signatur
copy=DIRECTORY Copy infected files into DIRECTORY
On Wed, May 12, 2010 at 12:25 PM, Freddie Cash wrote:
> On Wed, May 12, 2010 at 9:01 AM, Alain Zidouemba
> wrote:
>
>> > ClamAV can only detect malware, it does not clean or even quarantine
>> &g
> 1. Unless I missed it, the UI only allows scanning stuff in RAM, not files
> on hard-disks. If this is correct, does it mean users are expected to also
> install ClamWin to scan hard-disks?
The current version of ClamAV for Windows offers on-access scanning.
On-demand scanning is coming with the
you can and are encouraged to use ClamAV for Windows with other AV
solutions.
-Alain
On Wed, May 12, 2010 at 3:23 PM, Fred-145 wrote:
>
>
> Alain Zidouemba wrote:
>> The current version of ClamAV for Windows offers on-access scanning.
>> On-demand scanning is coming with
type the following at the command line: clamscan --help
It will show you some of the options you have for quarantining files:
clamscan --remove[=yes/no(*)] Remove infected files. Be careful!
clamscan --move=DIRECTORY Move infected files into DIRECTORY
clamscan -
If you can, please generate the MD5 checksum for that file and paste it here.
Thanks,
-Alain
On Fri, May 14, 2010 at 12:13 PM, Jean-Paul natola wrote:
>
> yes it is, see link
>
> http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_PALEVO.SMBF&VSect=Sn
>
>
>
> unfortunatl
Feature requests are always welcome. Please enter it/them here:
https://wwws.clamav.net/bugzilla/
Thanks,
-Alain
On Fri, May 14, 2010 at 1:01 PM, Nathan Gibbs wrote:
> * Eddie Ekwo wrote:
>> Hello Everyone.
>>
>> I am new to using ClamAV and I have searched through the mail archives for
>> help
Looking into it now. Will let you know.
-Alain
On Tue, Jun 29, 2010 at 9:15 AM, Trevor Cotton wrote:
> Today clamAV has started reporting BC.Exploit.CVE_2010_0815 found in a .ppt
> file we have had since March last year.
> Running ClamAV Engine 0.96.1 on RHEL with latest signatures.
> McAfee on
2010 at 10:20 AM, Alain Zidouemba
wrote:
> Looking into it now. Will let you know.
>
> -Alain
>
> On Tue, Jun 29, 2010 at 9:15 AM, Trevor Cotton
> wrote:
>> Today clamAV has started reporting BC.Exploit.CVE_2010_0815 found in a .ppt
>> file we have had since March
Rajesh:
Xerox_doc.exe (MD5:eadf133be4dc58050626a5fd194fc546) is now detected
as: Trojan.Agent-168303. Please update your signatures.
Thanks,
-Alain
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/suppo
In signatures.pdf (http://www.clamav.net/doc/latest/signatures.pdf) on
page 16 you will find how to whitelist signatures.
Thanks,
-Alain
You have ClamAV 0.96.1 installed. The latest version (released today)
is 0.96.3. Please update.
-Alain
I get the following from running "make check":
Testing Time: 17.00s
Failing Tests (11):
LLVM :: CodeGen/Generic/2007-05-05-Personality.ll
LLVM :: CodeGen/Generic/2007-06-06-CriticalEdgeLandingPad.ll
LLVM :: CodeGen/Generic/GC/frame_size.ll
PUA.PDF.EmbeddedJS and PUA.PDF.EmbeddedJavaScript has been dropped and
has been replaced with the signatures below:
PUA.Script.PDF.EmbeddedJavaScript
PUA.Script.PDF.EmbeddedJS
Thanks,
-Alain
On Sun, Apr 24, 2011 at 8:30 AM, Steven Chamberlain wrote:
> On -10/01/37 20:59, Johannes Schulz wrote
PUA.PDF.OpenActionObject has been dropped and has been replaced with
the signatures below:
PUA.Script.PDF.OpenActionObjectwithJavascript
PUA.Script.PDF.OpenActionObjectwithJS
Thanks,
-Alain
On Sun, Apr 24, 2011 at 5:03 AM, Johannes Schulz wrote:
> "sigtool -fPUA.PDF.OpenActionObject|sigtool --
Alex,
Your (or any) submissions are not being ignored. We have just
been facing a large volume of submissions and prioritization sometimes
makes it that it takes us longer than we'd want to get to some
submissions.
I will be contacting you shortly to see how we can handle these
submissions
Please submit your FP reports here: http://www.clamav.net/lang/en/sendvirus/
You can use sigtool (sigtool --help) to look into virus definitions files.
-Alain
On Tue, Nov 22, 2011 at 11:37 AM, Shobana Narayanaswamy
wrote:
> Hi
>
> I am a novice at this...is there a way to disable virus signatu
You can inflate the signature archives with sigtool, find the
signature you want to delete and remove it from the relevant file.
-Alain
On Tue, Nov 22, 2011 at 12:47 PM, Shobana Narayanaswamy
wrote:
> Is there a way to delete a signature that you are not interested in?
>
> __
Ralf,
We got your FP reports and will address them today.
Thanks,
-Alain
On Tue, Feb 7, 2012 at 8:08 AM, Ralf Hildebrandt <
ralf.hildebra...@charite.de> wrote:
> Hi!
>
> I'm trying to disable this signature, since it's giving me FPs for
> some XLS files (yes, I already submitted it as FP today
Michael,
I see 2 submissions in the past 30 days sent in using your email
address. I've written signatures for them that will be released in the
next few hours, pending QA.
Thanks,
-Alain
On Wed, Feb 22, 2012 at 8:26 AM, Michael Richards wrote:
> I've submitted a few virus samples now 8 days a
Frank,
This is a FP that has already been taken care of. Please update your
signatures and let us know if you run into any problems.
Thanks,
-Alain
On Apr 11, 2012, at 7:06 PM, Frank Chan wrote:
> I was doing scan of my hard drive of my MS Windows XP system and noticed the
> scan results tha
What is the file being detected as? What is the MD5 for the file being detected?
- Alain
On Wed, Apr 18, 2012 at 1:38 PM, Frank Chan wrote:
> On 12-04-2012 20:09, Frank Chan wrote:
>>
>> On 11-04-2012 17:33, Frank Chan wrote:
>>>
>>> On 11-04-2012 16:08, Alain
Arthur,
This is a FP that we are aware of and should be fixed momentarily.
Thanks,
- Alain
On Wed, Apr 18, 2012 at 5:27 PM, Arthur Douwes
wrote:
> Hi,
>
> After freshclam updated the virusdatabase last night (17th april) on our
> server the virusscanner reported the CVE_2012_0773-2 virus i
Just tried it, works for me.
-Alain
On Apr 19, 2012, at 9:11 AM, Ralf Hildebrandt
wrote:
>
>> I just tested and it worked fine for me.
>>
>> What's exactly the problem on your side?
>
> I keep getting:
>
> Under maintenance. Try again later.
>
> --
> Ralf Hildebrandt Charite U
You can do that with a bytecode signature. Documentation is here:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CCoQFjAA&url=http%3A%2F%2Fgit.clamav.net%2Fgitweb%3Fp%3Dclamav-bytecode-compiler.git%3Ba%3Dblob_plain%3Bf%3Ddocs%2Fuser%2Fclambc-user.pdf&ei=d3yQT7ueJab26AG6362jBA&
Could be a whitespace character issue. Try to see if ClamAV normalizes
your php script:
clamscan --debug --leave-temps --tempdir=yourtempdir yourphpscript.php
Go to yourtempdir and see if there is a file(s) there. Look for any
differences between it and your original file. Base your signature on
Pepijn,
I will look into this issue tomorrow and keep you updated.
Thanks,
-Alain
On May 7, 2012, at 9:49 PM, Pepijn Schmitz wrote:
> Hi everyone,
>
> As I pointed out in another email, I tested an installer for a different
> version of my program, and it generated the same false positive as
s containing a
> trojan. Have you had a chance to look into it yet?
>
> Kind regards,
> Pepijn Schmitz
>
> On 08-05-12 04:31, Alain Zidouemba wrote:
>> Pepijn,
>>
>> I will look into this issue tomorrow and keep you updated.
>>
>> Thanks,
>>
>>
Thanks for the report Mark. Bytecode 174 and later fixes the problem.
Please update your signatures. If any of you can share the samples that
were falsely detected as BC.Exploit.CVE_2012_1865, please send them in at
http://www.clamav.net/lang/en/sendvirus/ .
Thanks!
- Alain
On Fri, May 11, 2012
I meant BC.Exploit.CVE_2012_0165 :-)
- Alain
On Fri, May 11, 2012 at 12:56 PM, Alain Zidouemba wrote:
> Thanks for the report Mark. Bytecode 174 and later fixes the problem.
> Please update your signatures. If any of you can share the samples that
> were falsely de
Teresa,
Would you mind submitting the files below to
http://www.clamav.net/lang/en/sendvirus/submit-fp/? This will help us fix
the problem you are experiencing.
C:\Users\tkfowler\AppData\Local\Google\Chrome\Application\18.0.1025.168\chro
me.dll
C:\Users\tkfowler\AppData\Local\Google\Chrome\Appli
James,
In terms of documentation, at this point you have:
- the source code
- Creating Signatures for ClamAV www.clamav.net/doc/latest/signatures.pdf
- ClamAV user manual www.clamav.net/doc/latest/clamdoc.pdf
- ClamAV bytecode compiler user manual
http://www.google.com/url?sa=t&rct=j&q=&esrc=s&so
Matthias:
It's a different problem. The offending signature today is
"BC.Exploit.CVE_2012_1847-1". Removed in bytecode CVD 184.
- Alain
On Wed, May 23, 2012 at 11:18 AM, Matthias Egger wrote:
> Hello
>
> I have a Quarantined (amavisd-new) email with an Excel attachment. clamav
> thinks it matc
Please update your signatures. This FP has been taken care of.
Thanks,
- Alain
On Mon, Jun 11, 2012 at 4:50 PM, bnichols wrote:
> /mnt/secondary/var/spool/squid3/00/0D/0DC9: Trojan.Patched-247 FOUND
> downloaded from..
>
> http://www.download.windowsupdate.com/msdownload/update/v3-19990518
Please report your FP(s) here:
http://www.clamav.net/lang/en/sendvirus/submit-fp/
- Alain
Jamen,
Can you send that sample to
http://www.clamav.net/lang/en/sendvirus/submit-malware/ ?
- Alain
I'll provide an answer shortly on this.
Thanks,
- Alain
Look for the signature: WIN.Worm.Dorifel
Thanks,
- Alain
Mark,
Sorry for the longer than usual turn-around. I will look into your FP
submission and get back to you in the next few hours.
-Alain
In the RFC 822 message that you sent in, found:
"An Excel Formula Macro Virus (XF.Classic))
Hydrocodone/APAP 10-650 For Your Computer
(C) The Narkotic Network 1998
**Simple Payload**
**Set Our Values and Paths**5
**Add New Workbook, Infect It, Save It As Book1.xls**
**Infect Workbook**".
Why do yo
Gaurav,
Please submit your sample here:
http://www.clamav.net/lang/en/sendvirus/submit-malware/
Then, please provide the MD5 of the file you submitted to this mailing
list and we will take a look to see what's going on.
- Alain
Mark,
Worm.Bagle.F-zippwd-6 had been in our signature database for 7 years and
had been performing well. It is definitely preferable for us to receive an
FP report along with the file(s) that are causing the suspected
FP. Nevertheless, I have dropped Worm.Bagle.F-zippwd-6 as of now, and will
relea
Andre,
We are taking a look and will let you know as soon as possible.
Thanks,
- Alain
The signature has been updated this morning to:
PHP.Exploit.CVE_2011_4153-2:0:*:3c3f{-512}646566696e6528{-20}7374725f72657065617428{-20}2461726776
Please update your signatures to Daily CVD 15471 or later.
Thanks,
- Alain
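The two .ndb lines quoted in this thread (the Html.Exploit.CVE_2017_0266-6311814-0 line printed by sigtool -f earlier, and the PHP.Exploit.CVE_2011_4153-2 line just above) are easier to read once the hex body is decoded and the wildcards are spelled out. The block below is an added example, not code from the thread or from ClamAV: it parses the Name:Target:Offset:Hex fields, renders the body in readable form, translates the documented body syntax (literal hex, '*', '{-n}', and the related '{n}', '{n-}', '{n-m}', '??') into a bytes regex, and runs both signatures over constructed inputs. ClamAV's own matcher is not reproduced, and only the '*' offset and absolute numeric offsets are handled. The sample PHP and HTML strings are made up; the HTML one is written as ClamAV's HTML normaliser would leave it (lowercase, whitespace stripped), because target type 3 is matched against the normalised text, not the raw file.

```python
"""Decode and test ClamAV .ndb body patterns offline (added example,
not ClamAV code; signature lines copied from the thread, inputs constructed)."""
import re

# Target types from the ClamAV signature format (subset).
TARGET_TYPES = {0: "any", 1: "PE", 2: "OLE2", 3: "HTML (normalised)",
                4: "Mail", 5: "Graphics", 6: "ELF", 7: "ASCII (normalised)"}

# The two signature lines as printed by sigtool -f in the thread.
PHP_SIG = ("PHP.Exploit.CVE_2011_4153-2:0:*:3c3f{-512}646566696e6528{-20}"
           "7374725f72657065617428{-20}2461726776")
HTML_SIG = ("Html.Exploit.CVE_2017_0266-6311814-0:3:*:"
            "6e65776461746176696577286e657761727261796275657228*"
            "2e73657475696e7433322e63616c6c28{-50}2e73657475696e7433322e63616c6c28")

# One body token: '*', '{n}' / '{-n}' / '{n-}' / '{n-m}', '??', or a hex byte.
_TOKEN = re.compile(r"\*|\{(\d*)(-?)(\d*)\}|\?\?|([0-9a-fA-F]{2})")


def parse_ndb(line):
    """Split 'Name:Target:Offset:Hex[:MinFL[:MaxFL]]' into its fields."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not an .ndb line: %r" % line)
    target = int(parts[1])
    return {"name": parts[0], "target": target,
            "target_desc": TARGET_TYPES.get(target, "unknown"),
            "offset": parts[2], "body": parts[3]}


def _tokens(body):
    """Yield body tokens, rejecting anything outside the supported syntax."""
    pos = 0
    for m in _TOKEN.finditer(body):
        if m.start() != pos:
            raise ValueError("unsupported syntax near %r" % body[pos:])
        pos = m.end()
        yield m
    if pos != len(body):
        raise ValueError("unsupported syntax near %r" % body[pos:])


def body_to_regex(body):
    """Translate a hex body into a compiled bytes regex (DOTALL)."""
    out = []
    for m in _tokens(body):
        tok, lo, dash, hi, byte = m.group(0), m.group(1), m.group(2), m.group(3), m.group(4)
        if tok == "*":
            out.append(b".*")                        # any number of bytes
        elif tok == "??":
            out.append(b".")                         # one wildcard byte
        elif byte:
            out.append(re.escape(bytes.fromhex(byte)))
        elif not dash:
            out.append(b".{%d}" % int(lo))           # {n}: exactly n bytes
        else:
            out.append(b".{%d,%s}" % (int(lo or 0), hi.encode()))  # {-n} {n-} {n-m}
    return re.compile(b"".join(out), re.DOTALL)


def decode_literals(body):
    """Render the body for a human, similar in spirit to sigtool --decode-sigs:
    printable hex runs become text, other bytes stay hex, wildcards stay as-is."""
    pieces, lit = [], bytearray()

    def flush():
        if lit:
            printable = all(0x20 <= b < 0x7F for b in lit)
            pieces.append(lit.decode("latin-1") if printable else "\\x" + lit.hex())
            lit.clear()

    for m in _tokens(body):
        if m.group(4):
            lit.append(int(m.group(4), 16))
        else:
            flush()
            pieces.append(m.group(0))
    flush()
    return "".join(pieces)


def matches(sig_line, data):
    """True if the pattern hits `data` under the line's offset rule.
    Only '*' (anywhere) and absolute numeric offsets are handled."""
    sig = parse_ndb(sig_line)
    rx = body_to_regex(sig["body"])
    if sig["offset"] == "*":
        return rx.search(data) is not None
    if sig["offset"].isdigit():
        return rx.match(data, int(sig["offset"])) is not None
    raise ValueError("offset form not handled: %r" % sig["offset"])


# Constructed inputs (not real exploit files). HTML_SAMPLE is already in
# normalised form because target 3 is matched after HTML normalisation.
PHP_SAMPLE = (b"<?php\n"
              b"define('LEN', 1);\n"
              b"$x = str_repeat('A', 10); $argv[0];\n")
PHP_BENIGN = b"<?php echo str_repeat('-', 40); ?>\n"
HTML_SAMPLE = (b"newdataview(newarraybuer(8));"
               b"x.setuint32.call(v,0,1);y.setuint32.call(v,4,2);")

if __name__ == "__main__":
    for line in (PHP_SIG, HTML_SIG):
        sig = parse_ndb(line)
        print(sig["name"], "target:", sig["target_desc"])
        print("   ", decode_literals(sig["body"]))
    print("PHP sample hit:", matches(PHP_SIG, PHP_SAMPLE))
    print("PHP benign hit:", matches(PHP_SIG, PHP_BENIGN))
    print("HTML sample hit:", matches(HTML_SIG, HTML_SAMPLE))
```

Decoding the PHP line this way shows why the {-20} gaps matter: the signature requires `define(`, `str_repeat(` and `$argv` to sit close together after the `<?` opener, which is what keeps an ordinary script that merely calls str_repeat from matching. When a signature fires on whitespace-sensitive content, comparing the normalised temp file left by `clamscan --debug --leave-temps` against the raw file (as suggested earlier in the thread) tells you which form the pattern is actually being matched against.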
Gene,
Signatures for Potentially Unwanted Applications or "PUA" are turned
off by default and have to be explicitly turned on. You can safely
keep them turned off if they don't work for your environment and your
scanning needs.
You can also ignore any signature locally by just adding the signatur
Please submit a false positive report here:
http://www.clamav.net/lang/en/sendvirus/submit-fp/
We will analyze your sample and get back to you as soon as possible.
Thanks,
- Alain
.db file: deprecated
.hdb file: signatures based on md5 of file. Format: md5:file size:signature name
.mdb file: signatures based on md5 of PE section. Format: PE section size:md5:signature name
-Alain
Hdb signatures can be for types of files, not just PEs.
Mdb signatures are only for PEs
Db signatures, again, have been deprecated.
Ndb signatures can be for all types of files, not just PEs.
Similarly, ldb signatures can be for all types of files, not just PEs.
Please refer to: http://www.cla
The issue should have been fixed with bytecode.cvd version 202.
Please let us know if you still have some issues.
Thanks,
- Alain
Can you confirm that you have the following (or similar) when running
freshclam?
Downloading bytecode-202.cdiff [100%]
bytecode.cld updated (*version: 202*, sigs: 40, f-level: 63, builder: neo)
- Alain
Dan,
Can you provide us with the MD5 of the sample? We'll make sure to
address your submission as soon as possible.
Thanks,
-Alain
ClamAV is still getting and will continue to get official signatures via
freshclam.
--
--
Alain Zidouemba
Vulnerability Research Team
SOURCEfire
How to contribute signatures to ClamAV:
http://blog.clamav.net/2012/11/contribute-signatures-to-clamav.html
- Alain
Matthias,
What architecture are you running ClamAV on? x86/64, PowerPC, SPARC, etc..?
Al,
Thanks for the heads up. We received a few FP reports and are addressing
them.
Thanks,
- Alain
Massimo,
Actually, I'd recommend you send it in here:
http://www.clamav.net/lang/en/sendvirus/
That way we can review your file that was detected
as BC.Exploit.CVE_2012_0165 and tell you if you are dealing with a true
positive or a false positive. In the case of a false positive, your sample
will
The alerts on:
- 72ec8d19415def8377c497d5190e57b9 and
- 61d315af9cbc0eaba8c0addeeaa1d1e7
were false positives. Thank you for sending the files in as they help
us tweak our signature. We will release the updated signature shortly.
Thanks,
- Alain
Resolved.
Thanks for the notification.
- Alain
A false positive.
Thanks,
- Alain
Confirming that it was in fact a false positive alert. The signature has
been pulled.
Thanks,
- Alain
Yes, please. If you set up yourself to be notified when an update is
posted to the bug, you will receive an email when that happens. All
incoming bug reports are looked at within a reasonable amount of time.
Thanks,
- Alain
The signature is more complex than that. What you are seeing and
decoding are just the triggering conditions to start evaluating HTML
files for the vulnerability CVE-2013-0019.
In any case, we received a few FP reports for that signature and have
made some tweaks that we are currently testing prior
On Wed, Feb 13, 2013 at 9:32 PM, Kaushik Vaidyanathan <
kvaid...@andrew.cmu.edu> wrote:
> Hi
>
> Do the FileSize field in a HDB signature serve any purpose during pattern
> matching, or pattern matching relies only on the MD5 checksum?
>
>
File size serves the purpose of making sure we are looking
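The hash-based formats described earlier in this thread (.hdb as md5:size:name, .hsb carrying sha256 now that new md5 signatures are no longer shipped) and the question above about the size field are easiest to see with a small implementation. The block below is an added example, not code from the thread or from ClamAV: it writes .hdb and .hsb lines for constructed buffers, parses them back, and looks a buffer up with the size compared before any digest is computed, which is what the size field is for. The '*' size wildcard is accepted (ClamAV allows it with a minimum functionality-level field, which this example ignores); .mdb is left out because it needs a PE section parser. Sample bytes and signature names are made up.

```python
"""Hash-based ClamAV signatures, .hdb (md5) and .hsb (sha1/sha256):
added example, not ClamAV code; sample data and names are constructed."""
import hashlib

# Digest length in hex characters -> hashlib name. .hdb holds md5;
# .hsb holds sha1 or sha256 (the thread: daily.hsb now carries sha256).
_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}


def hdb_line(data, name):
    """md5:size:name, the .hdb format; size is the whole-file length."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


def hsb_line(data, name, algo="sha256"):
    """sha256:size:name (or sha1:size:name), the .hsb format."""
    return "%s:%d:%s" % (hashlib.new(algo, data).hexdigest(), len(data), name)


def parse_hash_db(text):
    """Parse .hdb/.hsb lines into a list of (algo, size, digest, name).

    size is an int or the literal '*'; a trailing min-flevel field is
    accepted and ignored. Blank lines and '#' comments are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError("bad hash signature line: %r" % raw)
        digest, size, name = fields[0].lower(), fields[1], fields[2]
        try:
            algo = _ALGOS[len(digest)]
        except KeyError:
            raise ValueError("unknown digest length in %r" % raw)
        entries.append((algo, "*" if size == "*" else int(size), digest, name))
    return entries


def lookup(entries, data):
    """Return the name of the first entry matching data, else None.

    Sizes are compared first; a digest is computed only for algorithms
    that still have a size-compatible candidate, so a file whose length
    matches nothing in the database is never hashed at all.
    """
    size = len(data)
    candidates = [e for e in entries if e[1] == "*" or e[1] == size]
    digests = {}
    for algo, _, digest, name in candidates:
        if algo not in digests:
            digests[algo] = hashlib.new(algo, data).hexdigest()
        if digests[algo] == digest:
            return name
    return None


# Constructed sample "files" (not real malware).
SAMPLE_A = b"MZ" + b"\x90" * 14 + b"example-A"
SAMPLE_B = b"#!/bin/sh\necho example-B\n"

if __name__ == "__main__":
    db_text = "\n".join([hdb_line(SAMPLE_A, "Example.Hdb-A"),
                         hsb_line(SAMPLE_B, "Example.Hsb-B")])
    print(db_text)
    db = parse_hash_db(db_text)
    print(lookup(db, SAMPLE_A), lookup(db, SAMPLE_B),
          lookup(db, SAMPLE_A + b"\x00"))   # last one: size differs, no hit
```

Appending a single byte to SAMPLE_A is enough to miss the .hdb entry, which is the flip side of hash signatures being cheap and precise: they cover exactly one file, so a repacked or padded variant needs a pattern signature (.ndb/.ldb) or a section hash (.mdb) instead.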
Look for "Zbot" signatures as well.
- Alain
Paul,
That alert is to indicate that the file it alerted on is likely an MS
Office document that has a PDF embedded within it. You may want to take a
closer look at it as we have observed malicious payloads being distributed
this way in the past.
As for what PUA category it comes under, I suppo
We will push to clear most/all FP reports from the queue tomorrow. Expect a
quick note here to let you know when that's done.
-Alain
On Monday, April 15, 2013, James wrote:
> I have the same problem with 2 files from Adobe Acrobat installer which
> are triggering false positives.
>
> On Mon, 15
The following seems to work for me:
X:\.scotiarewards\.com:\.scotiabank\.com
It will be released shortly to whitelist the redirection from
scotiarewards.com to scotiabank.com
- Alain
You are missing some ".+"
X:.+\.scotiarewards\.com:.+\.scotiabank\.com
As I mentioned earlier, a signature update will go out momentarily.
- Alain
As Joel Esler mentioned before, there are signatures for UNIX malware in
the official ClamAV DB.
- Alain
Updated signatures with the coverage you are looking for will be released
shortly.
Thanks,
- Alain
On Thu, Jul 25, 2013 at 2:50 AM, A K Varnell wrote:
> A definition was added today (Wednesday) for Win.Trojan.Janicab which I
> assume is based on the malware described by F-Secure on Tuesday <
Thanks for the MD5. This should be addressed in the next few hours.
Additionally, we will see what we can do to speed up the processing of
FP reports.
Thanks,
-Alain
On Aug 23, 2013, at 4:57 AM, Hugo Deprez wrote:
> A good thing would at least be to have an acknowledgement when it has been
> subm
Deprez wrote:
> >
> > > Hello,
> > >
> > > thank you for the information.
> > >
> > > In my own opinion, the issue is not the speed of processing FP reports,
> > but
> > > just the acknowledgement of the process.
> > > There i
http://www.clamav.net/lang/en/sendvirus/submit-fp/ is the correct URL to
use to send in FP reports.
The FP report you submitted has been handled and this will be reflected in
an upcoming signatures DB release.
Thanks,
- Alain
They were replaced with:
Osx.Malware.Proton-6377366-1
- Alain
On Fri, Nov 24, 2017 at 7:08 AM, Al Varnell wrote:
> > Begin forwarded message:
> >
> > From: nore...@sourcefire.com
> > Subject: [clamav-virusdb] Signatures Published daily - 24065
> > Date: November 22, 2017 at 5:10:11 PM PST
> >
Not sure that this is a FP.
- Alain
On Tue, Dec 5, 2017 at 2:05 AM, Al Varnell wrote:
> That said, here is some info on the signature itself.
>
> It was added to the ClamAV database on Oct 3 of this year. It appears to
> be malformed in the first subsig where the Offset and Sigmod are missing
>
Thanks for reporting this FP Maarten. We are in the process of fixing this
and will replace this signature.
- Alain
On Wed, Dec 6, 2017 at 11:54 AM, Maarten Broekman <
maarten.broek...@gmail.com> wrote:
> VIRUS NAME: Html.Trojan.Iframe-6390207-0
> TDB: Engine:51-255,FileSize:16384-65536,Target:3
And...Pdf, Rtf, Doc, Xls, Ppt, Html etc... and I could go on. There are
some vulnerabilities that affect applications across platforms. Something
to keep in mind.
Might be better to exclude "Win.", rather than choose what to include.
- Alain
On Wed, Dec 20, 2017 at 9:53 AM, Joel Esler (jesler)
w
The alert with the signature Doc.Dropper.Agent-6447876-0 is not a false
positive. The signature alerted on a Microsoft Word document. The hash for
that document is
f614c9664f566becb3bdf5a52027088407a3a73d5de8f2a5ec1da2b47438d156.
The Word document has a macro that launches powershell, downloads an