Search found 16 matches
- 2017-03-22 14:28
- Forum: Off-topic discussions
- Topic: Virus check file sitting on remote site
- Replies: 5
- Views: 5876
Re: Virus check file sitting on remote site
Sorry for the delay. There *used* to be a feature in ClamAV that, when it found a URL in the body, did a wget on the link and then you could match against the downloaded file. The feature was removed, either due to performance issues or risk of a DOS happening. Some known malware Dropbox links are blocke...
- 2016-05-26 16:03
- Forum: General discussions
- Topic: Block ZIP for everyone except one...
- Replies: 19
- Views: 14897
Re: Block ZIP for everyone except one...
foxhole_js.cdb will block .js in zip files.
alleseitle wrote: Anyway: even with all Filenames included and other signatures the .js Files are NOT blocked in ZIP files - what can I do about that?
Cheers,
Steve
Sanesecurity.com
- 2016-05-26 12:05
- Forum: User-submitted tutorials
- Topic: HOW TO run Clamwin and have a ClamAV system SERVICE
- Replies: 257
- Views: 602066
Re: HOW TO run Clamwin and have a ClamAV system SERVICE
I set scheduled updates hourly. However official sigupdate.bat couldn't help. I googled for latest signatures and found one site where the signatures publicly hosted, tons of signatures: http://ftp.swin.edu.au/sanesecurity/ Firstly I'm aware of http://ftp.swin.edu.au/sanesecurity/ but it's an unoff...
- 2015-11-18 11:13
- Forum: General discussions
- Topic: Virus detection server message not shown
- Replies: 3
- Views: 2976
Re: Virus detection server message not shown
Just to explain why the tests need to check for "headers" and "body". The signatures need to see the full raw message, headers and body, in order to get the best detection. For example, if a Subject was "Invaice from bank" (i.e. spelt incorrectly) and had a pdf attachment, you could create a signatu...
- 2015-11-11 22:00
- Forum: Feature requests
- Topic: block attachment in zip
- Replies: 65
- Views: 96133
Re: block attachment in zip
Thanks for the sample, sigs added to foxhole_filename.cdb, phish.ndb.
katip wrote: BTW, this evil below is a zipped jar, and it's been 4 hours... clam didn't detect it (hourly sigupdate) 5 minutes ago
- 2015-11-10 17:46
- Forum: Feature requests
- Topic: block attachment in zip
- Replies: 65
- Views: 96133
Re: block attachment in zip
Steve, did you see my PM about the script (incompatibility with non-English systems, and also, Yes, updated my version but not put it live yet. All good points though, sigupdate doesn't incorporate the other 3rd party databases that you have included in Clamsup.)? ClamSup does support these SecuriteI...
- 2015-11-09 18:24
- Forum: Feature requests
- Topic: block attachment in zip
- Replies: 65
- Views: 96133
Re: block attachment in zip
Thanks for update. Does this mean that we can switch back to usual clamsup update from sigupdate beta? sigupdate should really be used in most cases as it's easier to set up, plus it only hits the mirrors once for ALL files when downloading, whereas clamsup hits the mirrors for EACH file it tries to...
- 2015-11-09 17:29
- Forum: Feature requests
- Topic: block attachment in zip
- Replies: 65
- Views: 96133
Re: block attachment in zip
Good point... I've updated ClamSup.ini... and updated sigupdate download page... http://sanesecurity.com/usage/windows-scripts/
tochi wrote: Again. I didn't know I have to add badmacro.ndb manually. I'll add badmacro.ndb to ClamSup.ini to include the protection.
- 2015-11-06 12:05
- Forum: Feature requests
- Topic: block attachment in zip
- Replies: 65
- Views: 96133
Re: block attachment in zip
Thanks to foxhole db, it blocks almost all the threats. Unfortunately, it doesn't block .doc files. It would be great if it blocks only files with macros. Blocking all files that could include macros is also acceptable though less preferred. Are these docs with macros containing malware... or are y...
- 2015-11-05 17:46
- Forum: Feature requests
- Topic: block attachment in zip
- Replies: 65
- Views: 96133
Re: block attachment in zip
Good idea... I'll add that next...
mattg wrote: Can I set the log file directory?
sanesecurity wrote: For these people that are interested in testing a beta...
Also the log gets overwritten each run, and it only logs time not date
Cheers,
Steve
Sanesecurity.com
- 2015-11-05 17:12
- Forum: Feature requests
- Topic: block attachment in zip
- Replies: 65
- Views: 96133
Re: block attachment in zip
still get the .DOC macro type zero-hour viruses in (or rather DID whilst using default Clam definitions) if you mean "STL Invoice. M-747196.DOC#399373931" type things, this is already killed by the other AV we're using. seen and blocked at noon today UTC +2. The above was already blocked by badmacr...
- 2015-11-05 15:14
- Forum: Feature requests
- Topic: block attachment in zip
- Replies: 65
- Views: 96133
Re: block attachment in zip
For these people that are interested in testing a beta... Sigupdate v0.3 beta [Bonfire night edition] http://www.stuartsclipart.co.uk/bonfire_night_clipart/bonfire_night_clipart_graphics/bonfire_night_fireworks_clipart_03.jpg https://www.dropbox.com/s/e1xrvp75z36dwus/sigupdate_v0.3.zip?dl=0 Thanks t...
- 2015-11-03 14:01
- Forum: Feature requests
- Topic: block attachment in zip
- Replies: 65
- Views: 96133
Re: block attachment in zip
It's like banning all Volkswagens with diesel engines as some of them are known for excessive pollution... While that's correct, there are a lot of Main Stream AV's doing exactly that.. let's face it, if you have a rar file containing a file invoice.jpg.exe would you want a under running it? You choos...
- 2015-11-03 12:06
- Forum: Feature requests
- Topic: block attachment in zip
- Replies: 65
- Views: 96133
Re: block attachment in zip
Just a quick update. I'm working on a quick batch/rsync downloader to download the signatures you want to use with ClamWin. In the meantime.. foxhole_all.cdb : is a high FP risk as it will block *ALL* executable files such as exe/com/scr etc. in Zip/Rar/7z/Cab archives. This will block the most malw...
- 2015-11-02 10:31
- Forum: Feature requests
- Topic: block attachment in zip
- Replies: 65
- Views: 96133
Re: block attachment in zip
Hi, Just to cover a few points here. I'm seeing malware (exe/scr/js) inside Zip/Rar/7z and even Ace archive formats. I'm seeing macro malware inside doc/xls/docm formats. (you can check my blog for more examples) Most of the above are getting zero or very low Virustotal (3-4 scanners out of 50-ish) ...
- 2011-11-02 17:32
- Forum: General discussions
- Topic: ClamAV - Server 2008
- Replies: 20
- Views: 22740
Re: ClamAV - Server 2008
Cool sckramer2, thanks. Hadn't looked at any Windows clam stuff in awhile & last I knew the official clamwin stuff was awful. Will have to look into it again. Thx Bill Hi Bill, Looks like the official port at sourceforge is the way forward now, as tBB/Nico hasn't released anything new for ages. It ...