Mailing List Archive: ClamAV: users

(no subject)



edwin+ml-clamav at etorok

Mar 3, 2012, 7:16 AM

Post #176 of 181 (484 views)
Permalink
Re: (no subject) [In reply to]

On 03/03/2012 04:44 PM, Jayson Brush wrote:
> Hello
>
> I currently have ClamSMTP and ClamAV 0.97.3 installed on CentOS with
> postfix and dovecot. The setup works and ClamAV properly scans all emails
> and detects viruses. However, I have enabled the DLP module in Clamd to
> detect CC numbers and SSNs and lowered the threshold to 1 for each. When I
> send an SSN number Clam properly logs that there was an SSN attempted to be
> sent. When I send any formatted Credit Card number, ClamAV does not
> recognize that there is a credit card number contained in the body of the
> text or as an attachment.
>
> Does anyone have any knowledge about this? Am I missing something?

By default you need to have at least 3 Credit Card numbers to trigger a detection:

# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5

Best regards,
--Edwin
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
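The threshold semantics Edwin describes, as an added example that is not part of the thread or of ClamAV's own code: a simplified Python model of the structured-data (DLP) counting, where card-number candidates must pass the Luhn check, SSNs are counted in ###-##-#### form, and a message is flagged only once a count reaches its minimum (the clamd.conf options StructuredMinCreditCardCount and StructuredMinSSNCount). The helper names and the sample messages are constructed for this illustration.

```python
import re

# Simplified model of ClamAV's structured-data (DLP) counting (hypothetical helpers,
# not libclamav code): candidates must pass Luhn, and a file is flagged only when a
# count reaches the configured minimum. Note that a number failing Luhn is never
# counted, whatever the threshold.

CC_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13..16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # "normal" ###-##-#### form only

def luhn_ok(digits):
    """Standard Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def count_cc(text):
    """Number of Luhn-valid card-number candidates in the text."""
    return sum(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CC_RE.finditer(text))

def count_ssn(text):
    return len(SSN_RE.findall(text))

def dlp_verdict(text, min_cc=3, min_ssn=3):
    """Report the counts and whether each configured minimum was reached."""
    cc, ssn = count_cc(text), count_ssn(text)
    return {"cc": cc, "ssn": ssn, "cc_hit": cc >= min_cc, "ssn_hit": ssn >= min_ssn}

# Constructed samples built from well-known test card numbers, not real accounts.
ONE_CARD = "Please charge 4111 1111 1111 1111 for the order."
THREE_CARDS = ("4111-1111-1111-1111, 5500 0000 0000 0004 and 340000000000009 "
               "plus a typo 4111111111111112 that fails Luhn.")
ONE_SSN = "Applicant SSN: 123-45-6789"

if __name__ == "__main__":
    for name, txt in [("ONE_CARD", ONE_CARD), ("THREE_CARDS", THREE_CARDS), ("ONE_SSN", ONE_SSN)]:
        print(name, "default:", dlp_verdict(txt), "lowered:", dlp_verdict(txt, min_cc=1, min_ssn=1))
```

With the defaults a single valid card number is counted but not flagged; the fourth number in THREE_CARDS is ignored entirely because it fails Luhn.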


jayzon915 at gmail

Mar 3, 2012, 7:28 AM

Post #177 of 181 (484 views)
Permalink
Re: (no subject) [In reply to]

Correct. I lowered the StructuredMinCreditCardCount from 3 to 1 and sent
five CC#s at a time with no detection. It does detect SSNs fine.

Thanks, any other suggestions?

2012/3/3 Török Edwin <edwin+ml-clamav [at] etorok>

> On 03/03/2012 04:44 PM, Jayson Brush wrote:
> > Hello
> >
> > I currently have ClamSMTP and ClamAV 0.97.3 installed on CentOS with
> > postfix and dovecot. The setup works and ClamAV properly scans all emails
> > and detects viruses. However, I have enabled the DLP module in Clamd to
> > detect CC numbers and SSNs and lowered the threshold to 1 for each. When I
> > send an SSN number Clam properly logs that there was an SSN attempted to be
> > sent. When I send any formatted Credit Card number, ClamAV does not
> > recognize that there is a credit card number contained in the body of the
> > text or as an attachment.
> >
> > Does anyone have any knowledge about this? Am I missing something?
>
> By default you need to have at least 3 Credit Card numbers to trigger a
> detection:
>
> # This option sets the lowest number of Social Security Numbers found
> # in a file to generate a detect.
> # Default: 3
> #StructuredMinSSNCount 5
>
> Best regards,
> --Edwin
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>



--
jayson
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


jesler at sourcefire

May 11, 2012, 10:40 AM

Post #178 of 181 (438 views)
Permalink
Re: (no subject) [In reply to]

Please run freshclam, an update has been pushed.

Joel

On May 11, 2012, at 11:40 AM, Andrew Thompson wrote:

>
> Hello
> We were seeing a number of files being quarantined earlier with the reference
> BC.Exploit.CVE_2012_1847 FOUND and BC.Exploit.CVE_2012_0184 FOUND. The CVE
> numbers point to vulnerabilities found in Microsoft's Excel and Office
> suites. However, the files were not only excel spreadsheets but also some
> .msi files and word .doc files. Our other AV scanners (Sophos and Avira) see
> the files as clean, so is this a false positive? I'm assuming yes. Also,
> interestingly, a copy of one of the files put back on the affected server has
> not been quarantined again. The various definitions have been updated by
> freshclam, so we are all up to date currently on that score. If someone could
> confirm if this was a signature that was wrong and causing the quarantine,
> that would be great.
>
> Version info below:
> clamscan -V
> ClamAV 0.97.3/14913/Fri May 11 16:03:22 2012
>
> running on a Centos 5.7 box.
>
> Thanks in advance.
>
> Andrew
>
>
>
> --
>
> Andrew Thompson
>
> andrew [at] x-2
> _________________________________________________________
> This mail sent using V-webmail - http://www.v-webmail.org
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


alvarnell at mac

Oct 17, 2012, 12:28 AM

Post #179 of 181 (281 views)
Permalink
Re: (no subject) [In reply to]

I sent a note out on this yesterday with reference to most Mac OS X users
who have /usr/php/install-pear-nozlib.phar on their hard drives, having
already submitted the file as an FP. Since then there have been a couple of
other Unix users report similar results and a promise to get back to us, but
nothing yet.

Check the list archive for details.

Whether it's of any consequence or not depends on what version of PHP you
have. The CVE was reported back in January and concerned PHP 5.3.8 which
was apparently patched with PHP 5.4.0, but that's all I can seem to find
out.


-Al-

--
Al Varnell
Mountain View, CA

On 10/17/12 12:11 AM, "Steffen Ewert" wrote:

> Hi,
>
> with the newest DB (updated 4 hours ago) I get the following virus detection:
>
> /share/c-on/download/Netzwerk/WebTools/DokuWiki/dokuwiki-2011-05-25a.tgz:
> PHP.Exploit.CVE_2011_4153-2 FOUND
> /share/c-on/download/Netzwerk/WebTools/DokuWiki/dokuwiki-2009-12-25c.tgz:
> PHP.Exploit.CVE_2011_4153-2 FOUND
>
> I assume this must be a wrong detection because both files weren't changed
> since I downloaded them (my backup application calculates a checksum of each
> file every night and backs a file up again only if the checksum differs, and
> the last backup of both files was on the day I downloaded and stored them).
>
> Maybe there are also other DokuWiki tgz files with this virus detection. I
> have only stored these two dokuwiki tgz files on my disk.
>
> Can anyone else out there confirm this (hopefully) wrong virus detection with
> the newest DB?


_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


StEwert at c-onServices

Oct 17, 2012, 5:28 AM

Post #180 of 181 (281 views)
Permalink
Re: (no subject) [In reply to]

Found your message. Thanks Al!

(and sorry for my forgotten subject ... :-( )

Steffen

> I sent a note out on this yesterday with reference to most Mac OS X users
> who have /usr/php/install-pear-nozlib.phar on their hard drives, having
> already submitted the file as an FP. Since then there have been a couple of
> other Unix users report similar results and a promise to get back to us, but
> nothing yet.
>
> Check the list archive for details.
>
> Whether it's of any consequence or not depends on what version of PHP you
> have. The CVE was reported back in January and concerned PHP 5.3.8 which
> was apparently patched with PHP 5.4.0, but that's all I can seem to find
> out.
>
>
> -Al-
>
> --
> Al Varnell
> Mountain View, CA
>
> On 10/17/12 12:11 AM, "Steffen Ewert" wrote:
>
> > Hi,
> >
> > with the newest DB (updated 4 hours ago) I get the following virus detection:
> >
> > /share/c-on/download/Netzwerk/WebTools/DokuWiki/dokuwiki-2011-05-25a.tgz:
> > PHP.Exploit.CVE_2011_4153-2 FOUND
> > /share/c-on/download/Netzwerk/WebTools/DokuWiki/dokuwiki-2009-12-25c.tgz:
> > PHP.Exploit.CVE_2011_4153-2 FOUND
> >
> > I assume this must be a wrong detection because both files weren't changed
> > since I downloaded them (my backup application calculates a checksum of each
> > file every night and backs a file up again only if the checksum differs, and
> > the last backup of both files was on the day I downloaded and stored them).
> >
> > Maybe there are also other DokuWiki tgz files with this virus detection. I
> > have only stored these two dokuwiki tgz files on my disk.
> >
> > Can anyone else out there confirm this (hopefully) wrong virus detection with
> > the newest DB?
>
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


azidouemba at sourcefire

Oct 17, 2012, 6:16 AM

Post #181 of 181 (282 views)
Permalink
Re: (no subject) [In reply to]

The signature has been updated this morning to:

PHP.Exploit.CVE_2011_4153-2:0:*:3c3f{-512}646566696e6528{-20}7374725f72657065617428{-20}2461726776

Please update your signatures to Daily CVD 15471 or later.

Thanks,

- Alain
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
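To judge whether a signature like the one Alain posted can still hit a benign tarball, it helps to read its match condition. The following is an added example, not code from the thread or from ClamAV: it parses the .ndb line (Name:TargetType:Offset:HexSig), renders the hex body as text, and compiles it to a byte regex so the pattern can be exercised against constructed samples. It models plain hex, ?? and * wildcards and the {n}, {-n}, {n-}, {n-m} gap forms only; helper names are hypothetical.

```python
import re

# Parse a ClamAV .ndb extended signature and compile its hex body to a byte regex
# (hypothetical helpers, not libclamav). The signature line is the one from the post;
# {-n} means "up to n bytes", so the gaps between the fragments are bounded.

SIG = ("PHP.Exploit.CVE_2011_4153-2:0:*:"
       "3c3f{-512}646566696e6528{-20}7374725f72657065617428{-20}2461726776")
TOKEN = re.compile(r"\{(\d*)(-?)(\d*)\}|\*|\?\?|[0-9a-fA-F]{2}")

def parse_ndb(line):
    name, target, offset, hexsig = line.strip().split(":", 3)
    return {"name": name, "target": int(target), "offset": offset, "hexsig": hexsig}

def _tokens(hexsig):
    if not re.fullmatch("(?:%s)*" % TOKEN.pattern, hexsig):   # reject syntax we don't model
        raise ValueError("unsupported hexsig syntax: %r" % hexsig)
    return TOKEN.finditer(hexsig)

def hexsig_to_regex(hexsig):
    parts = []
    for m in _tokens(hexsig):
        t, lo, dash, hi = m.group(0), m.group(1), m.group(2), m.group(3)
        if t == "*":
            parts.append(b".*")
        elif t == "??":
            parts.append(b".")
        elif t.startswith("{"):      # {n} exact, {-n} up to n, {n-} at least n, {n-m} range
            parts.append(("." + ("{%s}" % lo if not dash else "{%s,%s}" % (lo or "0", hi))).encode())
        else:
            parts.append(re.escape(bytes.fromhex(t)))
    return re.compile(b"".join(parts), re.DOTALL)

def hexsig_readable(hexsig):
    """Render hex bytes as text where printable so the pattern can be eyeballed."""
    out = []
    for m in _tokens(hexsig):
        t = m.group(0)
        b = bytes.fromhex(t) if t[0] not in "{*?" else None
        out.append(t if b is None else (b.decode() if 0x20 <= b[0] < 0x7f else "\\x%02x" % b[0]))
    return "".join(out)

def matches(line, data):
    """True when the body pattern occurs anywhere in data (the offset field here is '*')."""
    return hexsig_to_regex(parse_ndb(line)["hexsig"]).search(data) is not None

# Constructed samples, not files from the thread.
HIT = b'<?php\ndefine("PAD", str_repeat($argv[1], 1024));\n'
MISS = b'<?php\necho str_repeat("-", 40);\n'
FAR = b'<?php define("A_VERY_LONG_CONSTANT_NAME_HERE_X", str_repeat($argv[1], 2));'
```

The readable form comes out as `<?{-512}define({-20}str_repeat({-20}$argv`; FAR contains every fragment but more than 20 bytes separate `define(` from `str_repeat(`, so it does not match.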
