On Monday 04 Apr 2016 17:49:13 Konstantin wrote:
> Hello,
>
> I've tried to find an answer from clamav-users but still no reply in
> that mail list.
>
> I'm forwarding my message to this list and hope someone can help me to
> find what the problem is.
>
> ---------- Forwarded message ----------
> From: Konstantin
> Date: Thu, Mar 24, 2016 at 11:29 PM
> Subject: Unexpected behaviour
> To: clamav-users@××××××××××××.net
>
>
> Hello
>
> I have 2 Gentoo based SMTP servers. Both hosts have the same packages
> installed with the same USE flags.
> I'm using clamav-0.98.7 with amavisd. Output from clamconf is attached to
> this message. ClamAV settings and signature files are equal.

When you say equal, do you mean same versions and exactly the same signatures?


> I have a custom signature
> e350ca9b3b6ddbdabd3845a66f755f22122b8eb5ed79b9d19bd87e34e4aa5008:340992:Trojan.DNC4
> for this doc file
> https://malwr.com/analysis/ZTdiYjRiMDZlNzEyNDUwZmI3OTdiYjg4NTYxMDMyNmM/
>
> Both hosts found malware in this file with the clamscan command. No
> problem in this case.
>
> Here is the problem I have.
> When a message is scanned with clamd then only host1 detects the trojan with
> the custom signature.
> host1:
> echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat - "UNIX-CONNECT:/var/run/clamav/clamd.sock"
> /tmp/feb_invoice_1426277.doc: Trojan_Generic.DNC4.UNOFFICIAL FOUND
>
> host2 detects it as Heuristics.OLE2.ContainsMacros:
> echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat - "UNIX-CONNECT:/var/run/clamav/clamd.sock"
> /tmp/feb_invoice_1426277.doc: Heuristics.OLE2.ContainsMacros FOUND
>
> Another interesting thing is that host1 detects that trojan not by the
> signature with size 340992 (the original doc file).
> I suppose that a PE32 file inside that .doc file was detected
> with this signature:
> c3DNC406e57af90685a7002f7ea63340a1e7d3a1ed3805e7ec8b0909865b57bd6c:126976:Trojan_Generic.DNC4
>
> Can you guys please explain how this happened and what the
> difference between these 2 hosts can be?

I am guessing that one of the hosts had its signatures updated with a more
recent version than the other.

If they are identical then I'm out of ideas.

> I expect that if a signature is found then the Heuristics result does not appear.
>
> Thank you.
> --
> This message was delivered using 100% recycled electrons.

--
Regards,
Mick