Search found 16 matches

by sanesecurity
2017-03-22 14:28
Forum: Off-topic discussions
Topic: Virus check file sitting on remote site
Replies: 5
Views: 2099

Re: Virus check file sitting on remote site

Sorry for the delay. There *used* to be a feature in ClamAV that, when it found a URL in the body, did a wget on the link and then you could match against the downloaded file. The feature was removed, either due to performance issues or risk of a DOS happening. Some known malware Dropbox links are blocke...
by sanesecurity
2016-05-26 16:03
Forum: General discussions
Topic: Block ZIP for everyone except one...
Replies: 19
Views: 5947

Re: Block ZIP for everyone except one...

alleseitle wrote: Anyway: even with all Filenames included and other signatures the .js Files are NOT blocked in ZIP files - what can I do about that?
foxhole_js.cdb will block .js in zip files.

Cheers,

Steve
Sanesecurity.com
by sanesecurity
2016-05-26 12:05
Forum: User-submitted tutorials
Topic: HOW TO run Clamwin and have a ClamAV system SERVICE
Replies: 185
Views: 117513

Re: HOW TO run Clamwin and have a ClamAV system SERVICE

I set scheduled updates hourly. However official sigupdate.bat couldn't help. I googled for latest signatures and found one site where the signatures are publicly hosted, tons of signatures: http://ftp.swin.edu.au/sanesecurity/ Firstly I'm aware of http://ftp.swin.edu.au/sanesecurity/ but it's an unoff...
by sanesecurity
2015-11-18 11:13
Forum: General discussions
Topic: Virus detection server message not shown
Replies: 3
Views: 1117

Re: Virus detection server message not shown

Just to explain why the tests need to check for "headers" and "body". The signatures need to see the full raw message, headers and body, in order to get the best detection. For example, if a Subject was "Invaice from bank" (i.e. spelt incorrectly) and had a pdf attachment, you could create a signatu...
by sanesecurity
2015-11-11 22:00
Forum: Feature requests
Topic: block attachment in zip
Replies: 65
Views: 18281

Re: block attachment in zip

katip wrote: BTW, this evil below is a zipped jar, and it's been 4 hours... clam didn't detect it (hourly sigupdate) 5 minutes ago
Thanks for the sample, sigs added to foxhole_filename.cdb, phish.ndb.
by sanesecurity
2015-11-10 17:46
Forum: Feature requests
Topic: block attachment in zip
Replies: 65
Views: 18281

Re: block attachment in zip

Steve, did you see my PM about the script (incompatibility with non-English systems, and also, Yes, updated my version but not put it live yet. All good points though, sigupdate doesn't incorporate the other 3rd party databases that you have included in Clamsup.)? ClamSup does support these SecuriteI...
by sanesecurity
2015-11-09 18:24
Forum: Feature requests
Topic: block attachment in zip
Replies: 65
Views: 18281

Re: block attachment in zip

Thanks for update. Does this mean that we can switch back to usual clamsup update from sigupdate beta? sigupdate should really be used in most cases as it's easier to set up, plus it only hits the mirrors once for ALL files when downloading, whereas clamsup hits the mirrors for EACH file it tries to...
by sanesecurity
2015-11-09 17:29
Forum: Feature requests
Topic: block attachment in zip
Replies: 65
Views: 18281

Re: block attachment in zip

tochi wrote: Again. I didn't know I have to add badmacro.ndb manually. I'll add badmacro.ndb to ClamSup.ini to include the protection.
Good point....I've updated ClamSup.ini... and updated sigupdate download page... http://sanesecurity.com/usage/windows-scripts/
by sanesecurity
2015-11-06 12:05
Forum: Feature requests
Topic: block attachment in zip
Replies: 65
Views: 18281

Re: block attachment in zip

Thanks to foxhole db, it blocks almost all the threats. Unfortunately, it doesn't block .doc files. It would be great if it blocks only files with macros. Blocking all files that could include macros is also acceptable though less preferred. Are these docs with macros containing malware... or are y...
by sanesecurity
2015-11-05 17:46
Forum: Feature requests
Topic: block attachment in zip
Replies: 65
Views: 18281

Re: block attachment in zip

mattg wrote:
sanesecurity wrote: For these people that are interested in testing a beta...
Can I set the log file directory?
Also the log gets overwritten each run, and it only logs time not date
Good idea... I'll add that next...
Cheers,

Steve
Sanesecurity.com
by sanesecurity
2015-11-05 17:12
Forum: Feature requests
Topic: block attachment in zip
Replies: 65
Views: 18281

Re: block attachment in zip

still get the .DOC macro type zero-hour viruses in (or rather DID whilst using default Clam definitions) if you mean "STL Invoice. M-747196.DOC#399373931" type things, this is already killed by the other AV we're using. seen and blocked at noon today UTC +2. The above was already blocked by badmacr...
by sanesecurity
2015-11-05 15:14
Forum: Feature requests
Topic: block attachment in zip
Replies: 65
Views: 18281

Re: block attachment in zip

For these people that are interested in testing a beta... Sigupdate v0.3 beta [Bonfire night edition] http://www.stuartsclipart.co.uk/bonfire_night_clipart/bonfire_night_clipart_graphics/bonfire_night_fireworks_clipart_03.jpg https://www.dropbox.com/s/e1xrvp75z36dwus/sigupdate_v0.3.zip?dl=0 Thanks t...
by sanesecurity
2015-11-03 14:01
Forum: Feature requests
Topic: block attachment in zip
Replies: 65
Views: 18281

Re: block attachment in zip

It's like banning all Volkswagens with diesel engines as some of them are known for excessive pollution... While that's correct, there are a lot of mainstream AVs doing exactly that.. let's face it, if you have a rar file containing a file invoice.jpg.exe would you want a user running it? You choos...
by sanesecurity
2015-11-03 12:06
Forum: Feature requests
Topic: block attachment in zip
Replies: 65
Views: 18281

Re: block attachment in zip

Just a quick update. I'm working on a quick batch/rsync downloader to download the signatures you want to use with ClamWin. In the meantime... foxhole_all.cdb: is a high FP risk as it will block *ALL* executable files such as exe/com/scr etc. in Zip/Rar/7z/Cab archives. This will block the most malw...
by sanesecurity
2015-11-02 10:31
Forum: Feature requests
Topic: block attachment in zip
Replies: 65
Views: 18281

Re: block attachment in zip

Hi, Just to cover a few points here. I'm seeing malware (exe/scr/js) inside Zip/Rar/7z and even Ace archive formats. I'm seeing macro malware inside doc/xls/docm formats. (you can check my blog for more examples) Most of the above are getting zero or very low Virustotal (3-4 scanners out of 50-ish) ...
by sanesecurity
2011-11-02 17:32
Forum: General discussions
Topic: ClamAV - Server 2008
Replies: 20
Views: 9373

Re: ClamAV - Server 2008

Cool sckramer2, thanks. Hadn't looked at any Windows clam stuff in a while & last I knew the official clamwin stuff was awful. Will have to look into it again. Thx Bill Hi Bill, Looks like the official port at sourceforge is the way forward now, as tBB/Nico hasn't released anything new for ages. It ...