| 1 |
Hello, |
| 2 |
|
| 3 |
I've tried to find an answer from clamav-users but still no reply in |
| 4 |
that mail list. |
| 5 |
|
| 6 |
I'm forwarding my message to this list and hope some one help me to |
| 7 |
find that is the problem. |
| 8 |
|
| 9 |
---------- Forwarded message ---------- |
| 10 |
From: Konstantin |
| 11 |
Date: Thu, Mar 24, 2016 at 11:29 PM |
| 12 |
Subject: Unexpected behaviour |
| 13 |
To: clamav-users@××××××××××××.net |
| 14 |
|
| 15 |
|
| 16 |
Hello |
| 17 |
|
| 18 |
I have 2 Gentoo based SMTP servers. Both hosts have the same packages |
| 19 |
installed with the same USE flags. |
| 20 |
I'm using clamav-0.98.7 with amavisd. Output from clamconf attached to |
| 21 |
this message. Clamav settings and signature files are equal. |
| 22 |
|
| 23 |
I have a custom signature |
| 24 |
e350ca9b3b6ddbdabd3845a66f755f22122b8eb5ed79b9d19bd87e34e4aa5008:340992:Trojan.DNC4 |
| 25 |
for this doc file |
| 26 |
https://malwr.com/analysis/ZTdiYjRiMDZlNzEyNDUwZmI3OTdiYjg4NTYxMDMyNmM/ |
| 27 |
|
| 28 |
Both hosts found malware in this file with clamscan command. No |
| 29 |
problem in this case. |
| 30 |
|
| 31 |
Here is the problem i have. |
| 32 |
When a message scanned with clamd then only host1 detect trojan with |
| 33 |
custom signature. |
| 34 |
host1: |
| 35 |
echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat - |
| 36 |
"UNIX-CONNECT:/var/run/clamav/clamd.sock" |
| 37 |
/tmp/feb_invoice_1426277.doc: Trojan_Generic.DNC4.UNOFFICIAL FOUND |
| 38 |
|
| 39 |
host2 detect it as Heuristics.OLE2.ContainsMacros: |
| 40 |
echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat - |
| 41 |
"UNIX-CONNECT:/var/run/clamav/clamd.sock" |
| 42 |
/tmp/feb_invoice_1426277.doc: Heuristics.OLE2.ContainsMacros FOUND |
| 43 |
|
| 44 |
Another interesting thing is that host1 detect that trojan not by |
| 45 |
signature with size 340992(original doc file). |
| 46 |
I suppose that there was detected a PE32 file inside that .doc file |
| 47 |
with this signature: |
| 48 |
c3DNC406e57af90685a7002f7ea63340a1e7d3a1ed3805e7ec8b0909865b57bd6c:126976:Trojan_Generic.DNC4 |
| 49 |
|
| 50 |
Can you guys please explain how this happened and what can be a |
| 51 |
difference between these 2 hosts? |
| 52 |
I expect that if a signature found then Heuristics results not appear. |
| 53 |
|
| 54 |
Thank you. |
| 55 |
-- |
| 56 |
This message was delivered using 100% recycled electrons. |
| 57 |
|
| 58 |
|
| 59 |
-- |
| 60 |
This message was delivered using 100% recycled electrons. |
Archives