Mailing List Archive: ClamAV: users

Virus not detected by clamav



hamilton at i2

Dec 19, 2005, 7:34 AM

Post #1 of 22 (2690 views)
Virus not detected by clamav

Hi list,

Since November, I noticed that clamav 87.1 does not recognize the
following virus.

www.i2.com.br/~hamilton/reg_pass.zip

So I posted it in http://cgi.clamav.net/sendvirus.cgi, but I got no answer

NOD32 detects it as Win32/Sober.Y worm, I'd like to know if it is an
isolated case.

Thanks in advance


Hamilton Vera


_______________________________________________
http://lurker.clamav.net/list/clamav-users.html


dennispe at inetnw

Dec 19, 2005, 7:48 AM

Post #2 of 22 (2616 views)
Re: Virus not detected by clamav

Hamilton Vera said:
> Hi list,
>
> Since November, I noticed that clamav 87.1 does not recognize the
> following virus.
>
> www.i2.com.br/~hamilton/reg_pass.zip
>
> So I posted it in http://cgi.clamav.net/sendvirus.cgi, but I got no answer
>
> NOD32 detects it as Win32/Sober.Y worm, I'd like to know if it is an
> isolated case.
>

$ clamdscan reg_pass.zip
/tmp/reg_pass.zip: Worm.Sober.U FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.044 sec (0 m 0 s)

dp



clam at fiddaman

Dec 19, 2005, 7:49 AM

Post #3 of 22 (2630 views)
Re: Virus not detected by clamav

On Mon, 19 Dec 2005, Hamilton Vera wrote:
; Since November, I noticed that clamav 87.1 does not recognize the following
; virus.
;
; www.i2.com.br/~hamilton/reg_pass.zip
;
; So I posted it in http://cgi.clamav.net/sendvirus.cgi, but I got no answer
;
; NOD32 detects it as Win32/Sober.Y worm, I'd like to know if it is an isolated
; case.

Works fine here with CVS, haven't got 87.1 to hand but I can't see why it
would have problems; that signature has been in the database for a while.

% clamscan reg_pass.zip
reg_pass.zip: Worm.Sober.U FOUND

A.


hamilton at i2

Dec 19, 2005, 7:56 AM

Post #4 of 22 (2644 views)
Re: Virus not detected by clamav

Hi Dennis, thanks for answering.

What version are you using? I am using an updated 87.1, and I think
that this version is not working.


clamd -V
ClamAV 0.87.1

Received signal: wake up
ClamAV update process started at Mon Dec 19 13:51:22 2005
main.cvd is up to date (version: 34, sigs: 39625, f-level: 5, builder: tkojm)
daily.cvd is up to date (version: 1213, sigs: 1844, f-level: 6, builder: diego)

clamdscan reg_pass.zip

/tmp/reg_pass.zip: OK
----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.294 sec (0 m 0 s)



Thanks!




On Mon, 19 Dec 2005, Dennis Peterson wrote:

> Hamilton Vera said:
>> Hi list,
>>
>> Since November, I noticed that clamav 87.1 does not recognize the
>> following virus.
>>
>> www.i2.com.br/~hamilton/reg_pass.zip
>>
>> So I posted it in http://cgi.clamav.net/sendvirus.cgi, but I got no answer
>>
>> NOD32 detects it as Win32/Sober.Y worm, I'd like to know if it is an
>> isolated case.
>>
>
> $ clamdscan reg_pass.zip
> /tmp/reg_pass.zip: Worm.Sober.U FOUND
>
> ----------- SCAN SUMMARY -----------
> Infected files: 1
> Time: 0.044 sec (0 m 0 s)
>
> dp
>
> _______________________________________________
> http://lurker.clamav.net/list/clamav-users.html
>


christian.laubscher at tiscalinet

Dec 19, 2005, 8:15 AM

Post #5 of 22 (2625 views)
Re: Virus not detected by clamav

> What version are you using? I am using an updated 87.1, and I think
> that this version is not working.

my clamscan (87.1/1213) definitely finds it here (Worm.Sober.U).

--


dennispe at inetnw

Dec 19, 2005, 8:24 AM

Post #6 of 22 (2625 views)
Re: Virus not detected by clamav

Hamilton Vera said:
> Hi Dennis, thanks for answering.
>
> What version are you using? I am using an updated 87.1, and I think
> that this version is not working.
>
>
>

I'm running v 87.1. Examine your clamd.conf and freshclam.conf files and
ensure they agree on where the cvd files are being placed. It often
happens they don't. While you're in there, ensure your binaries are
looking at the conf files you think they are. It also happens often that a
new installation expects to see binaries in a location different from the
previous version and this results in conf files in more than one location.

dp ... and resist the urge to top post.
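One way to carry out the cross-check Dennis recommends, as an added example that is not part of the thread or of ClamAV's own code: it reads DatabaseDirectory from both config files and decodes the ClamAV-VDB header of a .cvd so you can see which signature version clamd actually loads. The config text, the .cvd header and the compiled-in default paths are constructed assumptions.

```python
"""Added example for this thread (not ClamAV project code). Config text,
.cvd header and compiled-in default paths below are constructed assumptions."""
# Constructed configs reproducing the mismatch Dennis describes: freshclam
# writes updates to one directory while clamd keeps loading another.
CLAMD_CONF = """\
# comment line; a bare 'Example' line would mark a stock, unedited file
LogFile /var/log/clamd.log
DatabaseDirectory /usr/local/share/clamav
"""
FRESHCLAM_CONF = """\
DatabaseDirectory /var/lib/clamav
DatabaseMirror database.clamav.net
"""
# Assumed compiled-in defaults: a source build and a distro package differ.
CLAMD_DEFAULT, FRESHCLAM_DEFAULT = "/usr/local/share/clamav", "/var/lib/clamav"

def directive(conf_text, name):
    """Value of the last 'Name value' line for name, or None if absent.
    Lines starting with '#' are comments; a bare directive yields ''."""
    value = None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0] == name:
            value = parts[1].strip() if len(parts) > 1 else ""
    return value

def effective_db_dir(conf_text, compiled_default):
    """Directory the binary will use: DatabaseDirectory if set, else its
    compiled-in default. A stock 'Example' line makes clamd/freshclam refuse
    to start, which is another way to end up with stale signatures."""
    if directive(conf_text, "Example") is not None:
        raise ValueError("stock 'Example' line present; the program will not start")
    return directive(conf_text, "DatabaseDirectory") or compiled_default

def check_database_agreement(clamd_text, freshclam_text,
                             clamd_default=CLAMD_DEFAULT,
                             freshclam_default=FRESHCLAM_DEFAULT):
    """Return (clamd_dir, freshclam_dir, agree)."""
    clamd_dir = effective_db_dir(clamd_text, clamd_default)
    fresh_dir = effective_db_dir(freshclam_text, freshclam_default)
    return clamd_dir, fresh_dir, clamd_dir == fresh_dir

def parse_cvd_header(header):
    """Decode the 512-byte ASCII header of a .cvd/.cld file, laid out as
    ClamAV-VDB:date:version:sigs:flevel:md5:dsig:builder:stime."""
    fields = header[:512].rstrip(b"\x00 ").decode("ascii", "replace").split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 8:
        raise ValueError("not a ClamAV-VDB header")
    return {"version": int(fields[2]), "sigs": int(fields[3]),
            "flevel": int(fields[4]), "builder": fields[7]}

# Constructed header matching the daily.cvd line in Hamilton's freshclam log.
SAMPLE_CVD_HEADER = (b"ClamAV-VDB:19 Dec 2005 13-51 +0000:1213:1844:6:"
                     b"MD5-PLACEHOLDER:DSIG-PLACEHOLDER:diego:1135000000").ljust(512)

if __name__ == "__main__":
    clamd_dir, fresh_dir, agree = check_database_agreement(CLAMD_CONF, FRESHCLAM_CONF)
    print(f"clamd loads {clamd_dir}; freshclam writes {fresh_dir};",
          "OK" if agree else "MISMATCH: clamd never sees the updates")
    print("daily.cvd header:", parse_cvd_header(SAMPLE_CVD_HEADER))
```

On a real host, feed parse_cvd_header the first 512 bytes of daily.cvd from the directory clamd uses and compare the version with what freshclam logged.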


njh at bandsman

Dec 19, 2005, 8:28 AM

Post #7 of 22 (2626 views)
Re: Virus not detected by clamav

Hamilton Vera wrote:

> Hi list,
>
> Since November, I noticed that clamav 87.1 does not recognize the
> following virus.
>
> www.i2.com.br/~hamilton/reg_pass.zip


Try the development version:

[njh [at] bandsma ~]$ clamscan reg_pass.zip
reg_pass.zip: Worm.Sober.U FOUND

----------- SCAN SUMMARY -----------
Known viruses: 41468
Engine version: devel-20051211
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.18 MB
Time: 1.803 sec (0 m 1 s)

[njh [at] bandsma ~]$ clamscan -V
ClamAV devel-20051211/1212/Sun Dec 18 11:09:50 2005
[njh [at] bandsma ~]$

> Thanks in advance
>
>
> Hamilton Vera


--
Nigel Horne. Arranger, Adjudicator, Band Trainer, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
njh [at] bandsman http://www.bandsman.co.uk


bdm at fenrir

Dec 19, 2005, 8:35 AM

Post #8 of 22 (2627 views)
Re: Virus not detected by clamav

On Mon, 19 Dec 2005 13:34:00 -0200 (BRDT) in
Pine.LNX.4.63.0512191321000.6823 [at] lima Hamilton Vera
<hamilton [at] i2> wrote:

> NOD32 detects it as Win32/Sober.Y worm, I'd like to know if it is an
> isolated case.

Don't assume that NOD32 has identified it correctly, other packages
have false positives you know.

--

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


bdm at fenrir

Dec 19, 2005, 8:36 AM

Post #9 of 22 (2625 views)
Re: Virus not detected by clamav

On Mon, 19 Dec 2005 16:28:47 +0000 in 43A6DFBF.9010101 [at] bandsman
Nigel Horne <njh [at] bandsman> wrote:

> > www.i2.com.br/~hamilton/reg_pass.zip
>
>
> Try the development version:
>
> [njh [at] bandsma ~]$ clamscan reg_pass.zip
> reg_pass.zip: Worm.Sober.U FOUND

So does that mean a new release is imminent Nigel?

--

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


dennispe at inetnw

Dec 19, 2005, 8:39 AM

Post #10 of 22 (2640 views)
Re: Virus not detected by clamav

Nigel Horne said:
> Hamilton Vera wrote:
>
>> Hi list,
>>
>> Since November, I noticed that clamav 87.1 does not recognize the
>> following virus.
>>
>> www.i2.com.br/~hamilton/reg_pass.zip
>
>
> Try the development version:
>

It would be very nice if future releases of clamd and freshclam printed
out the compiled-in path to the config file, say in the -V option, as a
way to help debug installation problems.

In fact it would be nice to have a command line switch that generates a
listing of what is seen and understood by the applications after reading
the clamd.conf and freshclam.conf files, as well as where they were found.

dp


njh at bandsman

Dec 19, 2005, 8:39 AM

Post #11 of 22 (2625 views)
Re: Virus not detected by clamav

Brian Morrison wrote:

>On Mon, 19 Dec 2005 16:28:47 +0000 in 43A6DFBF.9010101 [at] bandsman
>Nigel Horne <njh [at] bandsman> wrote:
>
>
>
>>> www.i2.com.br/~hamilton/reg_pass.zip
>>>
>>>
>>Try the development version:
>>
>>[njh [at] bandsma ~]$ clamscan reg_pass.zip
>>reg_pass.zip: Worm.Sober.U FOUND
>>
>>
>
>So does that mean a new release is imminent Nigel?
>
>
That is out of my hands.

--
Nigel Horne. Arranger, Adjudicator, Band Trainer, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
njh [at] bandsman http://www.bandsman.co.uk


James at superbug

Dec 19, 2005, 8:43 AM

Post #12 of 22 (2635 views)
Re: Virus not detected by clamav

Brian Morrison wrote:
> On Mon, 19 Dec 2005 16:28:47 +0000 in 43A6DFBF.9010101 [at] bandsman
> Nigel Horne <njh [at] bandsman> wrote:
>
>
>>> www.i2.com.br/~hamilton/reg_pass.zip
>>
>>
>>Try the development version:
>>
>>[njh [at] bandsma ~]$ clamscan reg_pass.zip
>>reg_pass.zip: Worm.Sober.U FOUND
>
>
> So does that mean a new release is imminent Nigel?
>

Standard
$clamscan
/u/virus/example/reg_pass.zip: Worm.Sober.U FOUND

release:
$clamscan --version
ClamAV 0.87.1/1213/Mon Dec 19 14:48:34 200

This is bog standard gentoo release.



James at superbug

Dec 19, 2005, 8:51 AM

Post #13 of 22 (2614 views)
Re: Virus not detected by clamav

Hamilton Vera wrote:
> Hi list,
>
> Since November, I noticed that clamav 87.1 does not recognize the
> following virus.
>
> www.i2.com.br/~hamilton/reg_pass.zip
>
> So I posted it in http://cgi.clamav.net/sendvirus.cgi, but I got no answer
>
> NOD32 detects it as Win32/Sober.Y worm, I'd like to know if it is an
> isolated case.
>
> Thanks in advance
>
>
> Hamilton Vera
>

I think it takes time for clamav to recognise viruses.
I posted once "winldra.exe" some time ago, but clamav does not detect it
yet.
McAfee Virus scan detects it as "W32/Dumaru.bv"

I submitted it to the web site again today.

James



bdm at fenrir

Dec 19, 2005, 9:31 AM

Post #14 of 22 (2635 views)
Re: Virus not detected by clamav

On Mon, 19 Dec 2005 16:39:17 +0000 in 43A6E235.8030408 [at] bandsman
Nigel Horne <njh [at] bandsman> wrote:

> Brian Morrison wrote:
>
> >On Mon, 19 Dec 2005 16:28:47 +0000 in 43A6DFBF.9010101 [at] bandsman
> >Nigel Horne <njh [at] bandsman> wrote:
> >
> >
> >
> >>> www.i2.com.br/~hamilton/reg_pass.zip
> >>>
> >>>
> >>Try the development version:
> >>
> >>[njh [at] bandsma ~]$ clamscan reg_pass.zip
> >>reg_pass.zip: Worm.Sober.U FOUND
> >>
> >>
> >
> >So does that mean a new release is imminent Nigel?
> >
> >
> That is out of my hands.
>

I'll rephrase my question then, does the improvement in
detection of current malware by the latest development version
make a new ClamAV release necessary, or beneficial?

--

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


robc at adelie

Dec 19, 2005, 7:36 PM

Post #15 of 22 (2632 views)
Re: Virus not detected by clamav

On Mon, Dec 19, 2005 at 08:39:10AM -0800, Dennis Peterson wrote:
>
> In fact it would be nice to have a command line switch that generates a
> listing of what is seen and understood by the applications after reading
> the clamd.conf and freshclam.conf files, as well as where they were found.

<delurk>
Postfix's postconf(1) is an excellent model for this:

postconf [no args]: print the entire running config
postconf <var-name>: print just that variable. -h to omit the 'name=' part.
postconf -d: print the default values of known config variables
postconf -n: print only non-default or explicitly set variables
postconf -e: edit a config variable

There are other options to list supported map types and locking methods
that wouldn't be as relevant to a theoretical clamconf(1). It's
scripting-friendly, and gives a standard set of installation info to post
to the ML for help.

There are plenty of apps I have to deal with that I wish had an equivalent
of postconf.

cheers
rob
</delurk>



dennispe at inetnw

Dec 19, 2005, 7:54 PM

Post #16 of 22 (2633 views)
Re: Virus not detected by clamav

Rob Chanter said:
> On Mon, Dec 19, 2005 at 08:39:10AM -0800, Dennis Peterson wrote:
>>
>> In fact it would be nice to have a command line switch that generates a
>> listing of what is seen and understood by the applications after reading
>> the clamd.conf and freshclam.conf files, as well as where they were
>> found.
>
> <delurk>
> Postfix's postconf(1) is an excellent model for this:

Yessir - and so too is Jose-Marcio's J-Chkmail helpful in this regard (and
is an excellent milter for spam and integrates ClamAV, too). It will even
create a new config file from scratch or use elements of your existing
config file to create one appropriate for the current version. It even
flags obsolete configuration elements.

dp


luismiguelro at gmail

Dec 20, 2005, 1:40 AM

Post #17 of 22 (2631 views)
Re: Virus not detected by clamav

Not detected here either; older clamav versions detect it well.

Linux cubo 2.4.27-2-686 #1 Mon May 16 17:03:22 JST 2005 i686 GNU/Linux

ClamAV 0.87.1/1213/Mon Dec 19 15:48:34 2005
(root [at] cub:~)# clamscan attreg.zip
attreg.zip: OK

(root [at] cub:~)# f-prot -ver
Program version: 4.6.3
Engine version: 3.16.10
(root [at] cub:~)# f-prot attreg.zip
/root/attreg.zip->File-packed_dataInfo.exe Infection: W32/Sober



dale at daleenterprise

Dec 20, 2005, 2:07 AM

Post #18 of 22 (2641 views)
Re: Virus not detected by clamav

On Dec 20, 2005, at 04:40 , Luis Miguel R. wrote:

> Not detected here too, oldest clamav versions detect it well.

Detection of viruses in a buffer scan isn't working well either; it
doesn't recognize most viruses, including the ClamAV test viruses that
the older versions (pre 0.87) recognize.

SEE:
http://www.daleenterprise.com/test.php

> Linux cubo 2.4.27-2-686 #1 Mon May 16 17:03:22 JST 2005 i686 GNU/Linux
>
> ClamAV 0.87.1/1213/Mon Dec 19 15:48:34 2005
> (root [at] cub:~)# clamscan attreg.zip
> attreg.zip: OK
>
> (root [at] cub:~)# f-prot -ver
> Program version: 4.6.3
> Engine version: 3.16.10
> (root [at] cub:~)# f-prot attreg.zip
> /root/attreg.zip->File-packed_dataInfo.exe Infection: W32/Sober

Tomasz, I've resolved the crashing issue with libclamav and apache. I
have solid code for a PHP extension that has been tested on several
OSes without any issues.

Do you wish to add this to the contrib?

SEE:
http://www.daleenterprise.com/clamav_info.php

-- Dale



polloxx at gmail

Jun 29, 2011, 4:58 AM

Post #19 of 22 (1340 views)
Re: Virus not detected by Clamav

On Wed, Jun 29, 2011 at 12:49 PM, Joel Esler <jesler [at] sourcefire> wrote:
> If you have a sample of the file, submitting it through ClamAV's submission interface makes it "bubble up" so the rule writers can get to it faster.
>
> (instead of waiting for it to come through Virustotal)
>

Joel,


I did that yesterday.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


tshaw at oitc

Jun 29, 2011, 5:04 AM

Post #20 of 22 (1341 views)
Re: Virus not detected by Clamav

On Jun 29, 2011, at 7:58 AM, polloxx wrote:

> On Wed, Jun 29, 2011 at 12:49 PM, Joel Esler <jesler [at] sourcefire> wrote:
>> If you have a sample of the file, submitting it through ClamAV's submission interface makes it "bubble up" so the rule writers can get to it faster.
>>
>> (instead of waiting for it to come through Virustotal)
>>
>
> Joel,
>
>
> I did that yesterday.

If you are using winnow malware rules (part of sanesecurity's distribution) you can also send a sample to virus_samples at oitc.com. We release temp sigs quickly until the clamav folks provide a formal sig.




michael.scheidell at secnap

Jun 29, 2011, 5:05 AM

Post #21 of 22 (1348 views)
Re: Virus not detected by Clamav

I think he should demand all his money back.

--
Michael Scheidell, CTO
SECNAP Network Security


-----Original message-----
From: Joel Esler <jesler [at] sourcefire>
To: ClamAV users ML <clamav-users [at] lists>
Sent: Wed, Jun 29, 2011 10:50:25 GMT+00:00
Subject: Re: [clamav-users] Virus not detected by Clamav

If you have a sample of the file, submitting it through ClamAV's submission interface makes it "bubble up" so the rule writers can get to it faster.

(instead of waiting for it to come through Virustotal)

J

On Jun 29, 2011, at 5:24 AM, polloxx wrote:

> Dear,
>
> One of our customers got a virus not detected by
> Clamav:dhl-express-prtcopy-Delivery-Failure-Notification-HXZsVlN[...].exe
> A fake DHL non-delivery report.
>
> Other engines do detect it:
> BitDefender 7.2 2011.06.27 Trojan.Zbot.1911
> F-Secure 9.0.16440.0 2011.06.27 Trojan.Zbot.1911
> Kaspersky 9.0.0.837 2011.06.27 Trojan-Spy.Win32.Zbot.bpsx
>
> Sent it to Totalvirus 2 days ago.
>
> Are there other users with the same problem? Any solution?
>
> Thx,
> P.
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml



johnpc at xs4all

Jun 29, 2011, 5:37 AM

Post #22 of 22 (1341 views)
Re: Virus not detected by Clamav

On 2011 Jun 29, at 12:49 , Joel Esler wrote:
> If you have a sample of the file, submitting it through ClamAV's submission interface makes it "bubble up" so the rule writers can get to it faster.

Or if you're lucky and it's the exact same file every time, you can trivially create your own signature using an md5 hash and use that instantly.

That's one of the things I particularly like about clamav (and used a couple of times in the past).

--
Jan-Pieter Cornet <johnpc [at] xs4all>
"People are continuously reinventing the flat tyre".
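Jan-Pieter's hand-rolled MD5 signature, worked through as an added example that is not part of the thread or of ClamAV's own code: an .hdb record is MD5:FileSize:MalwareName, and it matches only the exact bytes it was made from, which is both its speed and its limit. The sample bytes and signature name are constructed; sigtool --md5 produces the same record for a file on disk.

```python
"""Added example (not ClamAV project code): build and match ClamAV .hdb
hash signatures. SAMPLE and the signature name are constructed."""
import hashlib

# Constructed stand-in for the attachment; any exact byte string works for a hash sig.
SAMPLE = b"MZ\x90\x00CONSTRUCTED-SAMPLE-NOT-A-REAL-EXECUTABLE\x00" * 4

def hdb_line(data, name):
    """One .hdb record: hex MD5, byte length, detection name.
    The name may not contain ':' because it is the field separator."""
    if ":" in name:
        raise ValueError("signature name may not contain ':'")
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def parse_hdb(hdb_text):
    """Load .hdb text into {(size, md5): name}; '#' lines and blanks are skipped.
    Extra trailing fields (a minimum functionality level) are ignored."""
    db = {}
    for line in hdb_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, name = line.split(":")[:3]
        db[(int(size), md5.lower())] = name
    return db

def hdb_lookup(data, db):
    """Return the detection name if data matches a record, else None.
    Size is compared first, so files of any other length are never hashed."""
    if len(data) not in {size for size, _ in db}:
        return None
    return db.get((len(data), hashlib.md5(data).hexdigest()))

if __name__ == "__main__":
    hdb_text = "# local.hdb, made from a captured sample\n" + hdb_line(SAMPLE, "Local.Sample-1")
    db = parse_hdb(hdb_text)
    print(hdb_text)
    print("original file :", hdb_lookup(SAMPLE, db))
    # One appended byte (or any change at all) and the hash signature no longer fires.
    print("one byte added:", hdb_lookup(SAMPLE + b"\x00", db))
```

Drop the generated line into a .hdb file in the database directory and clamd/clamscan pick it up on the next reload; a repacked or padded variant of the file will need its own record.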