[clamav-users] WannaCry Homeland Security yara script. False positives?
Mark Foley
mfoley at novatec-inc.com
Wed May 17 21:45:03 UTC 2017
Perhaps I'm missing it, but I didn't see any attachment.
--Mark
On 5/17/2017 1:46 PM, João Gouveia wrote:
> Those rules are known for FP'ing a lot.
> Here's a different set you might want to check, courtesy of ReversingLabs (attached).
>
> On Wed, May 17, 2017 at 6:10 AM, Mark Foley <mfoley at novatec-inc.com> wrote:
>
>> I added the yara script published by Homeland security to the clamav database
>> directory. I believe I am getting a substantial number of false positives on
>> this including messages containing PDF and JPG attachments, the latter known to
>> be OK.
>>
>> $ clamscan "/home/HPRS/mpress/Maildir/.Sent Items/cur/1486141726.M192155P10931.mail,S=188385,W=191025:2,S"
>> /home/HPRS/mpress/Maildir/.Sent Items/cur/1486141726.M192155P10931.mail,S=188385,W=191025:2,S: YARA.Wanna_Cry_Ransomware_Generic.UNOFFICIAL FOUND
>>
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 6284977
>> Engine version: 0.99.2
>> Scanned directories: 0
>> Scanned files: 1
>> Infected files: 1
>> Data scanned: 0.95 MB
>> Data read: 0.18 MB (ratio 5.42:1)
>> Time: 7.567 sec (0 m 7 s)
>>
>> Is anyone else using this rule seeing this?
>>
>> --Mark
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
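One way to vet a third-party rule before trusting its hits, as an added example that is not part of this thread or ClamAV's own tooling: a small Python script that parses clamscan output shaped like the line quoted above and counts how often each `.UNOFFICIAL` signature fires on files the admin has already verified as clean (the JPG attachments "known to be OK"). The sample output, the shortened Maildir paths and the non-YARA signature name are constructed.

```python
import re
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "path verdict signature")

# Constructed sample of clamscan output, modelled on the line quoted in the
# post (Maildir path, then ": <signature> FOUND" or ": OK"). Not real scan
# results; "Example.Placeholder.Sig" stands in for an official signature name.
SAMPLE_OUTPUT = """\
/Maildir/cur/1486141726.M192155P10931.mail,S=188385,W=191025:2,S: YARA.Wanna_Cry_Ransomware_Generic.UNOFFICIAL FOUND
/Maildir/cur/1486141800.M1P2.mail,S=1000,W=1100:2,S: OK
/Maildir/cur/1486141900.M3P4.mail,S=2000,W=2100:2,S: YARA.Wanna_Cry_Ransomware_Generic.UNOFFICIAL FOUND
/Maildir/cur/1486142000.M5P6.mail,S=3000,W=3100:2,S: Example.Placeholder.Sig FOUND
/Maildir/cur/1486142100.M7P8.mail,S=4000,W=4100:2,S: Empty file

----------- SCAN SUMMARY -----------
Infected files: 3
"""

# The signature name never contains whitespace, so anchoring on the final
# ": <sig> FOUND" keeps Maildir paths with commas and colons intact.
FOUND_RE = re.compile(r"^(?P<path>.*): (?P<sig>\S+) FOUND$")
OK_RE = re.compile(r"^(?P<path>.*): OK$")


def parse_clamscan(output):
    """Turn clamscan's per-file lines into Detection records; blank lines,
    informational lines ("Empty file") and the summary block are skipped."""
    records = []
    for line in output.splitlines():
        found = FOUND_RE.match(line)
        if found:
            records.append(Detection(found["path"], "FOUND", found["sig"]))
            continue
        ok = OK_RE.match(line)
        if ok:
            records.append(Detection(ok["path"], "OK", None))
    return records


def is_unofficial(signature):
    """Third-party rules (a yara file dropped into the database directory)
    are reported with the .UNOFFICIAL suffix, unlike ClamAV's own signatures."""
    return signature is not None and signature.endswith(".UNOFFICIAL")


def false_positive_report(records, known_clean):
    """Per signature, count hits on files already verified as clean; a rule
    that appears here fires on benign mail and needs tuning or removal."""
    report = Counter()
    for rec in records:
        if rec.verdict == "FOUND" and rec.path in known_clean:
            report[rec.signature] += 1
    return report
```

Run clamscan over a directory of mail you have already vetted, feed its output to `parse_clamscan`, and any signature in the report is firing on clean files in your environment.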