From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Fwd: Unexpected behaviour
Date: Mon, 04 Apr 2016 19:29:01 +0100
Message-ID: <3406560.hlqcBu3Fb5@dell_xps>

On Monday 04 Apr 2016 17:49:13 Konstantin wrote:
> Hello,
>
> I've tried to find an answer from clamav-users but still no reply in
> that mail list.
>
> I'm forwarding my message to this list and hope someone can help me to
> find what the problem is.
>
> ---------- Forwarded message ----------
> From: Konstantin
> Date: Thu, Mar 24, 2016 at 11:29 PM
> Subject: Unexpected behaviour
> To: clamav-users@lists.clamav.net
>
>
> Hello
>
> I have 2 Gentoo based SMTP servers. Both hosts have the same packages
> installed with the same USE flags.
> I'm using clamav-0.98.7 with amavisd. Output from clamconf is attached to
> this message. Clamav settings and signature files are equal.
When you say equal, do you mean the same versions and exactly the same signatures?

> I have a custom signature
> e350ca9b3b6ddbdabd3845a66f755f22122b8eb5ed79b9d19bd87e34e4aa5008:340992:Trojan.DNC4
> for this doc file
> https://malwr.com/analysis/ZTdiYjRiMDZlNzEyNDUwZmI3OTdiYjg4NTYxMDMyNmM/
>
> Both hosts found malware in this file with the clamscan command. No
> problem in this case.
>
> Here is the problem I have.
> When a message is scanned with clamd, only host1 detects the trojan with
> the custom signature.
> host1:
> echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat - "UNIX-CONNECT:/var/run/clamav/clamd.sock"
> /tmp/feb_invoice_1426277.doc: Trojan_Generic.DNC4.UNOFFICIAL FOUND
>
> host2 detects it as Heuristics.OLE2.ContainsMacros:
> echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat - "UNIX-CONNECT:/var/run/clamav/clamd.sock"
> /tmp/feb_invoice_1426277.doc: Heuristics.OLE2.ContainsMacros FOUND
>
> Another interesting thing is that host1 detects that trojan not by the
> signature with size 340992 (the original doc file).
> I suppose that a PE32 file inside that .doc file was detected with this
> signature:
> c3DNC406e57af90685a7002f7ea63340a1e7d3a1ed3805e7ec8b0909865b57bd6c:126976:Trojan_Generic.DNC4
>
> Can you guys please explain how this happened and what can be the
> difference between these 2 hosts?

I am guessing that one of the hosts had its signatures updated with a more
recent version than the other. If they are identical then I'm out of ideas.

> I expect that if a signature is found then Heuristics results do not appear.
>
> Thank you.
> --
> This message was delivered using 100% recycled electrons.

--
Regards,
Mick
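As an added example (not code from the thread or from ClamAV), a small Python model of how `.hdb` hash signatures in the `sha256:size:name` format used above match: digest and size must both equal those of the exact byte string being scanned, so a signature written for an embedded object only hits when the scanner extracts that object from its container, which is consistent with host1 matching the 126976-byte entry rather than the 340992-byte one. The document bytes, the embedded blob and the signature name are constructed placeholders.

```python
import hashlib


def parse_hdb(text):
    """Parse ClamAV .hdb lines (sha256:size:name) into {(digest, size): name}."""
    sigs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(":", 2)
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"signature {name!r}: not a sha256 hex digest")
        sigs[(digest, int(size))] = name
    return sigs


def match_blob(sigs, data):
    """A hash signature covers one whole byte string: exact digest AND size."""
    return sigs.get((hashlib.sha256(data).hexdigest(), len(data)))


def scan(sigs, container, extracted):
    """Check the container and every object the scanner carved out of it.

    `extracted` is a list of (label, bytes); returns [(label, signature name)].
    A scanner that does not extract the embedded object sees only the container.
    """
    hits = []
    for label, data in [("container", container)] + list(extracted):
        name = match_blob(sigs, data)
        if name:
            hits.append((label, name))
    return hits


# Constructed sample data: a fake PE-like blob wrapped in a fake document.
EMBEDDED = b"MZ" + b"\x90" * 100 + b"this is not a real executable"
CONTAINER = b"\xd0\xcf\x11\xe0fake-ole2-header" + EMBEDDED + b"fake-ole2-trailer"

# A signature written for the embedded object (placeholder name), carrying
# the embedded object's own size, like the thread's 126976-byte entry.
HDB = "%s:%d:Example.Embedded\n" % (hashlib.sha256(EMBEDDED).hexdigest(), len(EMBEDDED))
SIGS = parse_hdb(HDB)

if __name__ == "__main__":
    print("container only   :", match_blob(SIGS, CONTAINER))
    print("with extraction  :", scan(SIGS, CONTAINER, [("embedded PE", EMBEDDED)]))
```

The same digest-plus-size rule is why comparing the signature databases themselves on both hosts, as Mick suggests, is the first thing to verify: a signature missing on one host can never match there, whatever clamd extracts.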