false positive.
If it can't be fixed then some clearer explanation of the OLE2 scanning would be
helpful, as it's misleading at present.
David Shrimpton
Information Technology Services | The University of Queensland
from badmacro are detected
or not.
I note the same md5sum:size in winnow_malware.hdb
Seems like some sort of weird bug exercised by the signature set
in my local databases when scan-ole2=yes.
I'll keep trying to narrow it down.
es however have a --heuristic-scan-precedence equivalent
to HeuristicScanPrecedence from clamd.conf, which controls the behaviour
of OLE2BlockMacros if a file is detected by both heuristic and real signatures.
Is there a way to turn on the OLE2BlockMacros behaviour with clamscan?
David Shrimpton
ner or the contained file and also won't
know if the contained file itself was scanned or not.
David Shrimpton
encrypted zip or ole2 with macros, differently to files that matched
a real sig, e.g. do logging only instead of discarding.
David Shrimpton
a hit on Heuristics.OLE2.ContainsMacros.
David Shrimpton
Using #match as a condition in a yara rule to
count the occurrences of $match doesn't appear to
work where $match is a regex.
#match only appears to work if $match is a string literal,
e.g. "abc123".
Is #match intended to work with a regex?
ot sigtool.
clamav appears to still extract the macros and signatures
written against the macro code still work.
David Shrimpton
The same problem occurs with .docx which are zip but not with .doc
which are 'CDF V2 Document' which are the OLE2 file itself.
David Shrimpton
iscard if a 'real' virus
or just add a warning if only Heuristics.OLE2.ContainsMacros
was returned. Or you could treat unofficial hits with more caution,
e.g. add a warning only, and official hits more aggressively, e.g. discard.
But -z is broken with OLE2, so you must decide to use OLE2BlockMacros
David Shrimpton
ening the same pdf.
David Shrimpton
7 Deal.pdf
Is the original malware sample for which the signature was intended still
and does it have the above sha256sum?
David Shrimpton
uses the hit on Win.Trojan.Agent-1696554.
Might be something wrong with many more sigs from Version: 9?
Might be worth doing all the null byte files from 1 to X in size
and running clamscan against them.
David Shrimpton
On Wed, 28 Sep 2016, Joel Esler (jesler) wrote:
> These signatures were generated out of attachments to known bad spam files.
> We'll have a look.
clamscan -z on pdf shows:
> These signatures were generated out of attachments to known bad spam files.
> We'll have a look.
I generated the null byte files from sizes 1 to 1 and ran clamav against
and came up with 785 signatures that matched the null byte files and are
I'd speculate that
a newline (to mark the end of headers)
(Use qf instead of hf for a non-quarantine queue file,
but also bear in mind that queue processing by the mail daemon
may be writing to a qf but not a hf file.)
Rescan and clamav should recognize as email file and extract
and scan any attachments
another file is not
reported as Encrypted.Zip when ArchiveBlockEncrypted is on in clamd.conf,
so it would still be possible to send a virus within an encrypted zip
by simply appending a few bytes to the start of the archive.
David Shrimpton
Systems Programmer ITS
University of Queensland
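The prefixing trick described above, as an added worked example that is not part of the original post or of ClamAV: Python's zipfile cannot write encrypted archives, so the script builds a stored zip and then patches the "encrypted" flag bit in its headers itself (a constructed stand-in for a password-protected zip). It then shows that a check which only looks for the PK magic at offset 0 is defeated by a few bytes prepended to the archive, while locating the central directory from the end of the file, the way an unzip tool does, still finds the encrypted member. The member name, content and junk prefix are constructed.

```python
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"    # local file header signature
ZIP_CENTRAL_SIG = b"PK\x01\x02"  # central directory file header signature
FLAG_ENCRYPTED = 0x0001          # general purpose bit 0: member is encrypted


def build_zip(members):
    """Build an in-memory STORED zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' flag bit in every local and central directory header.

    zipfile cannot write encrypted archives, so this patches the general purpose
    bit flag in place to simulate a password-protected zip. Only the header
    flags change; the member data is left as-is.
    """
    data = bytearray(zip_bytes)
    # flag field offset: 6 after the local header signature, 8 after the central one
    for sig, flag_off in ((ZIP_LOCAL_SIG, 6), (ZIP_CENTRAL_SIG, 8)):
        pos = data.find(sig)
        while pos != -1:
            off = pos + flag_off
            flags = struct.unpack_from("<H", data, off)[0]
            struct.pack_into("<H", data, off, flags | FLAG_ENCRYPTED)
            pos = data.find(sig, pos + 4)
    return bytes(data)


def naive_is_zip(data):
    """Magic-at-offset-0 check: any prefix makes it miss the archive."""
    return data.startswith(ZIP_LOCAL_SIG)


def zip_encrypted_members(data):
    """Return the names of encrypted members, locating the archive from its end.

    The end-of-central-directory record is found by scanning backwards, so junk
    prepended to the archive does not hide it. Returns None if no zip structure
    is found at all.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & FLAG_ENCRYPTED]


def analyse(data):
    return {"naive": naive_is_zip(data), "encrypted": zip_encrypted_members(data)}


if __name__ == "__main__":
    archive = mark_encrypted(build_zip({"invoice.doc": b"constructed payload"}))
    smuggled = b"\x00junk\x00" + archive   # a few bytes appended to the start
    print("plain   :", analyse(archive))
    print("prefixed:", analyse(smuggled))
```

The second `analyse` call is the case from the post: the offset-0 check reports "not a zip" while the end-anchored walk still sees an encrypted member, which is the check a filter should be making before it decides the file is safe to deliver.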
Thanks for replies,
Submitted new bug report:
Bug #1660
David Shrimpton
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
(Note the virus naming has changed from
Encrypted.Zip to Heuristic.Encrypted.Zip
in versions >= 0.96rc1)
Has anyone else observed the same problem
since upgrading to 0.96?
David Shrimpton
ExtendedDetectionInfo no
in clamd.conf and restarting clamd seems
to have no influence over this.
Is there a way of turning off the hash and file size in
the virus name returned in response to a SCAN
command (rather than writing a regex to parse
the result)?
David Shrimpton
Systems Programmer
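As an added example (not code from the thread or from ClamAV) of the parsing the poster mentions, here is a small parser for clamd SCAN replies that strips the ExtendedDetectionInfo hash:size suffix and applies the tiered policy discussed earlier in this thread: heuristic-only hits and unofficial hits only warn, official hits discard. The reply shape assumed is "path: name FOUND", "path: OK" and "path: message ERROR", with "(md5:size)" appended to the name of hash-based hits when ExtendedDetectionInfo is on; the reply lines, paths, signature names and the policy actions are constructed for the example.

```python
import re

# Assumed shape of a clamd SCAN/INSTREAM reply line:
#   "<path>: OK"
#   "<path>: <signature> FOUND"
#   "<path>: <message> ERROR"
# With ExtendedDetectionInfo enabled, hash-based hits carry "(md5:size)" after the name.
REPLY_RE = re.compile(
    r"^(?P<path>.*?): (?:"
    r"(?P<name>[^\s(]+)(?:\((?P<md5>[0-9a-fA-F]{32}):(?P<size>\d+)\))? FOUND"
    r"|(?P<ok>OK)"
    r"|(?P<err>.*) ERROR"
    r")$"
)

# Hypothetical mail-filter policy: action per kind of hit (the example's own names).
POLICY = {
    "heuristic": "warn",     # Heuristics.* names, e.g. Heuristics.OLE2.ContainsMacros
    "unofficial": "warn",    # *.UNOFFICIAL: signatures from local/third-party databases
    "official": "discard",   # hits from the official databases
}


def classify(name):
    if name.startswith("Heuristics."):
        return "heuristic"
    if name.endswith(".UNOFFICIAL"):
        return "unofficial"
    return "official"


def parse_reply(line):
    """Parse one clamd reply line into a dict; raise ValueError on unknown shapes."""
    m = REPLY_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised clamd reply: %r" % line)
    if m.group("ok"):
        return {"path": m.group("path"), "status": "OK"}
    if m.group("err") is not None:
        return {"path": m.group("path"), "status": "ERROR", "message": m.group("err")}
    name, md5, size = m.group("name"), m.group("md5"), m.group("size")
    return {
        "path": m.group("path"),
        "status": "FOUND",
        "name": name,                       # "(md5:size)" suffix already stripped off
        "kind": classify(name),
        "md5": md5.lower() if md5 else None,
        "size": int(size) if size else None,
    }


def decide(reply, policy=POLICY):
    """Map a parsed reply to a delivery action."""
    if reply["status"] == "OK":
        return "deliver"
    if reply["status"] == "ERROR":
        return "defer"           # the scan failed; do not treat the file as clean
    return policy[reply["kind"]]


# Constructed reply lines covering each shape the parser handles.
SAMPLE_REPLIES = [
    "/var/spool/filter/msg1.zip: Heuristics.Encrypted.Zip FOUND",
    "/var/spool/filter/msg2.doc: Heuristics.OLE2.ContainsMacros FOUND",
    "/var/spool/filter/msg3.pdf: Win.Trojan.Agent-1696554(0123456789abcdef0123456789abcdef:1234) FOUND",
    "/var/spool/filter/msg4.doc: Local.BadMacro-1.UNOFFICIAL FOUND",
    "/var/spool/filter/msg5.txt: OK",
    "/var/spool/filter/missing: lstat() failed: No such file or directory. ERROR",
]


def triage(lines):
    """(path, displayed name or status, action) for each reply line."""
    return [(r["path"], r.get("name", r["status"]), decide(r)) for r in map(parse_reply, lines)]


if __name__ == "__main__":
    for row in triage(SAMPLE_REPLIES):
        print(*row)
```

Keeping the md5 and size as separate fields rather than throwing them away is deliberate: they identify exactly which hash signature fired, which is what you need when reporting a false positive like the ones discussed in this thread.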
> file formats may use this compression.
I am seeing a similar error message "CL_EFORMAT: Bad format or broken data"
on some .xls, .doc and .pdf files since upgrading to 0.87.5.
David Shrimpton
Worm.Bagle.Gen-zippwd-8 remains.
Can anyone please explain why these signatures have disappeared ?
This has also happened with other virus signatures in the past
and viruses previously detected are no longer detected.
David Shrimpton Systems Programmer
Software Infrastructure
ed (arec == %u).\n",
*ctx->virname = "Archive.ExceededRecursionLimit";
return CL_VIRUS;
return CL_CLEAN;
In 0.93 the if(BLOCKMAX) part is deleted.
I think that CL_EMAXREC
rsion of the
virus text)
The implication of the above is that clamav 0.93 would now
no longer detect many once prevalent viruses for which it
only has hexdump signatures.
David Shrimpton
files scanned ?
If so, are these files only scanned against a subset of the
signatures and not the hexdump signatures ?
What has changed in 0.93 to cause WScr.Unsafe.D (and presumably other viruses)
to no longer be detected and is there a fix for this ?
This quote from the bugzilla posts is quite amusing:
"As for the official clamav signatures, please stand assured that when the new
code will be in the stable release, all the broken signatures will be properly
David Shrimpton
On Fri, 2 May 2008, Steve Bas
base file by adding a name, type and offset
(use sigtool --list to make sure the name you choose doesn't clash
with an existing one. Also choose a name you think won't clash with
a future clamav signature name )
On Fri, 2 May 2008, David Shrimpton wrote:
> Thanks,
Sample Submitted.
> Please submit a sample at http://www.clamav.org/sendvirus/
echo 536176654e6f726d616c50726f6d7074 | perl -ne 'chomp ;print pack("H*",$_),"\n"'
Surely this signature is incorrect.
Is there a way of disabling it?
David Shrimpton
On Wed, 29 Oct 2008, Noel Jones wrote:
> Submit false positives to the clamav team for analysis.
> http://www.clamav.net/sendvirus/
Thanks, Was done earlier.
> It appears this has already been fixed - I can't find a
> signature named W97M.Static in the current clam database.
W97M.Static was
On Wed, 29 Oct 2008, Noel Jones wrote:
> David Shrimpton wrote:
> >
> > This suggests creating a local.ign file eg
> >
> > daily.ndb:319:W97M.Static
> > clamscan appear to indicate it was loading the file.
> Sounds as if you did it correctly, I have no
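As an added example (not part of the thread or of ClamAV's own code) covering both the local .ndb signature and the local.ign ignore list discussed above: a toy matcher that parses Name:TargetType:Offset:HexSig lines, decodes the hex body the same way as the perl pack("H*") one-liner, honours the offset and target type, supports only "??" single-byte wildcards (ClamAV's other wildcard syntax is not implemented), and drops any name listed in an ignore file of the form db:line:Name (a bare name is accepted too). The W97M.Static hex body is the one from the thread; its target type, the other two signatures, the ignore file and the scanned buffers are constructed.

```python
import binascii
import re

# Toy reader for ClamAV-style extended signatures (.ndb):
#   MalwareName:TargetType:Offset:HexSignature
# TargetType 0 = any file, 1 = PE, 2 = OLE2 (assumed from ClamAV's signature docs);
# Offset is "*" (anywhere) or an absolute decimal offset.
# Only plain hex plus "??" single-byte wildcards are handled; anything else is rejected.


def decode_hex(hexsig):
    """Same as `perl -ne 'print pack("H*",$_)'`: hex text -> raw bytes."""
    return binascii.unhexlify(hexsig)


def hex_to_pattern(hexsig):
    """Compile a hex signature with ?? wildcards into a bytes regex."""
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2}|\?\?)+", hexsig):
        raise ValueError("unsupported hex signature: %r" % hexsig)
    parts = [b"." if hexsig[i:i + 2] == "??" else re.escape(bytes([int(hexsig[i:i + 2], 16)]))
             for i in range(0, len(hexsig), 2)]
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: ?? must match any byte


def parse_ndb(text):
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError("malformed ndb line: %r" % line)
        name, target, offset, hexsig = fields[0], int(fields[1]), fields[2], fields[3]
        sigs.append({
            "name": name,
            "target": target,
            "offset": None if offset == "*" else int(offset),
            "pattern": hex_to_pattern(hexsig),
        })
    return sigs


def load_ign(text):
    """Names to ignore, from "db:line:Name" lines (the thread's local.ign shape) or bare names."""
    names = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            names.add(line.rsplit(":", 1)[-1])
    return names


def scan(buf, sigs, ignored=frozenset(), target=0):
    """Return the names of signatures that match buf, which is of file type `target`."""
    hits = []
    for s in sigs:
        if s["name"] in ignored or s["target"] not in (0, target):
            continue
        if s["offset"] is None:
            found = s["pattern"].search(buf) is not None
        else:
            found = s["pattern"].match(buf, s["offset"]) is not None   # anchored at offset
        if found:
            hits.append(s["name"])
    return hits


# Constructed local.ndb; the W97M.Static body is the hex from the thread, which is just
# the string "SaveNormalPrompt", an ordinary Word option name, hence the false positives.
SAMPLE_NDB = """\
W97M.Static:2:*:536176654e6f726d616c50726f6d7074
Local.Macro.CmdStart:2:*:636d64??2f63207374617274
Local.Test.MZHeader:1:0:4d5a
"""

# Constructed local.ign in the same shape as the one in the thread.
SAMPLE_IGN = "daily.ndb:319:W97M.Static\n"

# Constructed benign macro text that trips W97M.Static.
BENIGN_MACRO = b'Sub AutoOpen()\n    Options.SaveNormalPrompt = False\nEnd Sub\n'

if __name__ == "__main__":
    sigs = parse_ndb(SAMPLE_NDB)
    print(decode_hex("536176654e6f726d616c50726f6d7074"))
    print("without ign:", scan(BENIGN_MACRO, sigs, target=2))
    print("with ign:   ", scan(BENIGN_MACRO, sigs, load_ign(SAMPLE_IGN), target=2))
```

Decoding the hex body before trusting a signature is the useful habit here: a body that decodes to a plain option name is going to match benign documents, and the ignore list is the local fix until the upstream signature is withdrawn.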
= "re" end if
exe /c start
David Shrimpton
From: clamav-users on behalf of Carlos
García Gómez
Sent: Saturday, January
are now CL_TYPE_SWF so
some sigs for flash using CL_TYPE_ZIP may no longer work.
David Shrimpton
r AU mirror clamav.island.net.au
responds with "daily.cvd was not found"
A workaround for this is to comment out
DatabaseMirror db.au.clamav.net
DatabaseMirror database.clamav.net
in freshclam.conf and add a DatabaseMirror line pointing
to a mirror host that has an uptodate daily.cvd
in freshclam.conf.
Oct 11 07:51:29 pow1 freshclam[29134]: ERROR: Clamd was NOT notified: Both
socket types (TCP and local) declared in /usr/local/etc/clamd.conf
and allowed directly.
David Shrimpton Systems Programmer
Software Infrastructure, Information Technology Services
University of Qld 4072
Brisbane Australia
shows sensible output for the above signature, so I am not sure this is the
exact one causing the sigtool error.
The problem started from the database version 25410 upgrade, so it appears one (or
more) sigs are Malformed in 25410
ClamAV 0.100.2/25410/Fri
are obfuscated
and likely will vary with each sample. A regex signature to get any variable
name would be better.
David Shrimpton
From: clamav-users on behalf of Arnaud
Sent: Saturday, April 6, 2019 12:27 AM
To: clamav-users@lists.clamav.
freshclam --datadir
I think any settings other than database location from freshclam.conf would
apply. So if you were just trying to
get an example main.cvd you might see side effects you don't want like
freshclam writing to a configu
Is the failing machine running out of memory running engine = cl_engine_new()?
David Shrimpton