Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Fwd: Unexpected behaviour
Date: Mon, 04 Apr 2016 18:29:38
Message-Id: 3406560.hlqcBu3Fb5@dell_xps
In Reply to: [gentoo-user] Fwd: Unexpected behaviour by Konstantin
On Monday 04 Apr 2016 17:49:13 Konstantin wrote:
> Hello,
>
> I've tried to find an answer from clamav-users but still no reply in
> that mail list.
>
> I'm forwarding my message to this list and hope someone helps me to
> find what the problem is.
>
> ---------- Forwarded message ----------
> From: Konstantin
> Date: Thu, Mar 24, 2016 at 11:29 PM
> Subject: Unexpected behaviour
> To: clamav-users@××××××××××××.net
>
>
> Hello
>
> I have 2 Gentoo based SMTP servers. Both hosts have the same packages
> installed with the same USE flags.
> I'm using clamav-0.98.7 with amavisd. Output from clamconf is attached to
> this message. Clamav settings and signature files are equal.

When you say equal, do you mean same versions and exactly same signatures?


> I have a custom signature
> e350ca9b3b6ddbdabd3845a66f755f22122b8eb5ed79b9d19bd87e34e4aa5008:340992:Trojan.DNC4
> for this doc file
> https://malwr.com/analysis/ZTdiYjRiMDZlNzEyNDUwZmI3OTdiYjg4NTYxMDMyNmM/
>
> Both hosts found malware in this file with the clamscan command. No
> problem in this case.
>
> Here is the problem I have.
> When a message is scanned with clamd, only host1 detects the trojan with
> the custom signature.
> host1:
> echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat - "UNIX-CONNECT:/var/run/clamav/clamd.sock"
> /tmp/feb_invoice_1426277.doc: Trojan_Generic.DNC4.UNOFFICIAL FOUND
>
> host2 detects it as Heuristics.OLE2.ContainsMacros:
> echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat - "UNIX-CONNECT:/var/run/clamav/clamd.sock"
> /tmp/feb_invoice_1426277.doc: Heuristics.OLE2.ContainsMacros FOUND
>
> Another interesting thing is that host1 detects that trojan not by the
> signature with size 340992 (original doc file).
> I suppose that a PE32 file inside that .doc file was detected with this
> signature:
> c3DNC406e57af90685a7002f7ea63340a1e7d3a1ed3805e7ec8b0909865b57bd6c:126976:Trojan_Generic.DNC4
>
> Can you guys please explain how this happened and what can be a
> difference between these 2 hosts?

I am guessing that one of the hosts had its signatures updated with a more
recent version than the other.

If they are identical then I'm out of ideas.

> I expect that if a signature is found then Heuristics results do not appear.
>
> Thank you.
> --
> This message was delivered using 100% recycled electrons.

--
Regards,
Mick
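An added helper for the checks raised in this thread (example code, not from either poster): it builds a ClamAV .hdb hash-signature line in the sha256:size:name form used above, parses the "path: NAME FOUND" replies clamd returns to CONTSCAN, and splits clamd's VERSION reply so the engine and signature database versions of two hosts can be compared directly. The socket path and the "ClamAV <ver>/<dbver>/<date>" reply format are assumptions based on the commands shown above.

```python
import hashlib
import re
import socket
from typing import Optional, Tuple

# Reply shapes clamd returns for CONTSCAN: "<path>: <name> FOUND",
# "<path>: OK" or "<path>: <reason> ERROR".
_SCAN_RE = re.compile(r"^(?P<path>.+?): (?:(?P<name>.+) FOUND|OK|(?P<err>.+) ERROR)$")


def hdb_signature(data: bytes, name: str) -> str:
    """Build a .hdb line (sha256:size:name) for exactly these bytes.
    The size field must match the object clamd actually hashes, which is
    why an embedded PE32 needs its own line next to the outer .doc one."""
    return f"{hashlib.sha256(data).hexdigest()}:{len(data)}:{name}"


def parse_scan_line(line: str) -> Tuple[str, str, Optional[str]]:
    """Return (path, status, detail) for one CONTSCAN reply line."""
    m = _SCAN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised clamd reply: {line!r}")
    if m.group("name"):
        return m.group("path"), "FOUND", m.group("name")
    if m.group("err"):
        return m.group("path"), "ERROR", m.group("err")
    return m.group("path"), "OK", None


def is_unofficial(name: str) -> bool:
    """clamd suffixes hits from third-party signature files with .UNOFFICIAL,
    so this tells a custom .hdb hit apart from an official or heuristic one."""
    return name.endswith(".UNOFFICIAL")


def parse_version(reply: str) -> Tuple[str, str]:
    """Split an assumed 'ClamAV <ver>/<dbver>/<date>' VERSION reply into
    (engine version, signature database version)."""
    engine, dbver, _date = reply.strip().split("/", 2)
    return engine.replace("ClamAV ", "", 1), dbver


def clamd_query(command: str, sock_path: str = "/var/run/clamav/clamd.sock") -> str:
    """Send one newline-terminated command (e.g. VERSION, CONTSCAN <path>)
    to clamd's UNIX socket, as the socat one-liners above do."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(f"{command}\n".encode())
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode()
```

Running parse_version(clamd_query("VERSION")) on both hosts shows at once whether the database versions differ, which is the first thing to rule out before looking for a deeper cause.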
