[clamav-users] Malware/ransomware and Yara signatures with clamav
Joel Esler (jesler)
jesler at cisco.com
Sun May 14 18:42:09 UTC 2017
ClamAV isn't only used for mail. Clamwin and Immunet client will catch this.
--
Sent from my iPhone
> On May 14, 2017, at 12:42, G.W. Haywood <clamav at jubileegroup.co.uk> wrote:
>
> Hi there,
>
>> On Sun, 14 May 2017, Alex wrote:
>>
>> Are clamav users protected from this ransomware?
>
> To be clear about this, the current excitement is caused by a 'worm'.
> That means if vulnerable, network-connected systems are not protected
> from each other, for example by a firewall, the worm can propagate
> itself between the systems with no user action whatever. All that is
> required is that the systems be running and connected to the network.
> This is why it has managed to affect over 200,000 systems in over 100
> countries in just a few hours.
>
> It has nothing to do with mail. Clamav is irrelevant because there is
> nothing for ClamAV to scan, at least until it is too late. So ClamAV
> scanning mail cannot protect against this threat, and was not designed
> to do so.
>
>> Are there possible variants not yet detected?
>
> Yes. And they'll keep coming.
>
>> Is there anything further we need to do to protect ourselves, as it
>> relates to scanning mail at the gateway?
>
> To repeat, this has nothing to do with mail. The issue is a buffer
> overflow caused by faulty coding present in Microsoft Windows products
> for almost as long as anyone can remember. All you can do is fix the
> vulnerable machines, or firewall them, or perhaps stop using them on a
> network. Windows 7, 10 and later boxes with automatic updates enabled
> should have picked up a fix in mid-March. As of yesterday a patch is
> available for other OS versions which are otherwise unsupported by
> Microsoft. I've just spent most of the weekend patching customers'
> 2003 Server and XP machines. Search the Microsoft Update Catalog for
> KB4012598. The download page has 13 assorted files for various
> flavours of XP, Vista, 8, Server 2003 and Server 2008 - or at least it
> did yesterday. When I grabbed the files the download servers were
> showing signs of stress, as you might expect, but they were at least
> holding up.
>
>> They're talking about more attacks coming on Monday?
>
> Forget Monday, they're here already.
>
> Comments on a postcard, please, to the NSA. For example you might
> like to remind them what the 'S' in those initials stands for, as they
> surely seem to have forgotten. And I think Donald fired the head of
> the wrong agency. Oh, hang on, that's a bit political for this list. :)
>
> --
>
> 73,
> Ged.
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml