[clamav-users] How to find string for a signature?
Eric Tykwinski
eric-list at truenet.com
Sat Oct 21 13:34:21 UTC 2017
Kristen,
>
> Thanks Al. I went ahead and injected this quarantined message for
> delivery as it is a big HTML email that can be difficult to read from a
> BASH shell. It appears they are showing samples of code from some
> Windows exploit, or something. I didn't review it that long. I bet the
> samples they put in this email triggered clamd.
>
Almost positive it is the YARA rules, or sections of the malware analysis, getting caught, but it’s strange that when I directly scan my email from US-CERT I’m not seeing it get caught on my end.
> I will consider this discussion closed unless the list wishes to add to
> the discussion.
>
> Kristen
>
clamscan TA17-293A_\ Advanced\ Persistent\ Threat\ Activity\ Targeting\ Energy\ and\ Other\ Critical\ Infrastructure\ Sectors.eml
TA17-293A_ Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors.eml: OK
----------- SCAN SUMMARY -----------
Known viruses: 6320077
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.30 MB
Data read: 0.10 MB (ratio 3.08:1)
Time: 11.661 sec (0 m 11 s)
I definitely have that signature in ClamAV as well: PUA.Win.Trojan.Xored-1:3:*:63686172636f6465617428{-5}295e
Perhaps amavisd is different in the way it scans?
Sincerely,
Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
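The thread's subject asks how to find the string behind a signature. ClamAV ships a tool for exactly that (`sigtool --decode-sigs`, which reads signature lines on stdin), but the .ndb format is simple enough to decode by hand. The Python below is an added example, not code from ClamAV or from anyone in this thread: it splits the quoted signature into name, target type (3 = normalised HTML), offset (`*` = anywhere) and hex body, renders the body as readable text ("charcodeat(" followed by up to five arbitrary bytes and ")^"), compiles it to a bytes regex and tries it against constructed samples. The decoder also handles nibble wildcards, `(aa|bb)` alternation and the other `{n-m}` gap forms, which the quoted signature does not use. The `normalise_html` helper is an assumption standing in for ClamAV's real HTML normaliser (lower-casing and whitespace collapsing only); the real normalised output comes from `sigtool --html-normalise=FILE`.

```python
"""Decode a ClamAV .ndb body signature and try it against sample data.

Added example for this thread; it is not code from ClamAV or from the
list posters.  ClamAV's own tool for this is `sigtool --decode-sigs`.
"""
import re
import string

# The signature quoted in the thread, in .ndb format:
#   Name:TargetType:Offset:HexSignature
SIG_LINE = "PUA.Win.Trojan.Xored-1:3:*:63686172636f6465617428{-5}295e"

# Subset of the target types listed in ClamAV's signature documentation.
TARGET_TYPES = {0: "any file", 1: "PE", 2: "OLE2", 3: "HTML (normalised)",
                4: "mail", 6: "ELF", 7: "ASCII text (normalised)", 10: "PDF"}

_PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")

# One token of the hex body: {n} {-n} {n-} {n-m}, *, (aa|bb), or a hex pair
# in which either nibble may be '?'.
_TOKEN = re.compile(r"\{(\d*)(-?)(\d*)\}|(\*)|\(([0-9a-fA-F?|]+)\)|([0-9a-fA-F?]{2})")


def parse_ndb(line):
    """Split an .ndb line into its four leading fields."""
    name, target, offset, body = line.split(":")[:4]
    return {"name": name, "target": int(target), "offset": offset, "body": body}


def _pairs(hexstr):
    return [hexstr[i:i + 2] for i in range(0, len(hexstr), 2)]


def _pair_text(pair):
    if pair == "??":
        return "?"
    if "?" in pair:
        return "[" + pair + "]"
    b = int(pair, 16)
    return chr(b) if chr(b) in _PRINTABLE else "\\x%02x" % b


def _pair_regex(pair):
    hi, lo = pair.lower()
    if "?" not in pair:
        return b"\\x%02x" % int(pair, 16)
    if hi == "?" and lo == "?":
        return b"."
    if lo == "?":                      # high nibble fixed, e.g. 6? -> 0x60..0x6f
        base = int(hi, 16) << 4
        return b"[\\x%02x-\\x%02x]" % (base, base + 15)
    low = int(lo, 16)                  # low nibble fixed, e.g. ?3 -> 0x03,0x13,...
    return b"[" + b"".join(b"\\x%02x" % ((h << 4) | low) for h in range(16)) + b"]"


def decode_body(body):
    """Return (readable pattern, compiled bytes regex) for an .ndb hex body."""
    text, rx, pos = [], [], 0
    for m in _TOKEN.finditer(body):
        if m.start() != pos:
            raise ValueError("unparsed signature text at %d: %r" % (pos, body[pos:]))
        pos = m.end()
        lo_n, dash, hi_n, star, alts, pair = m.groups()
        if star:
            text.append("*")
            rx.append(b".*?")
        elif alts:
            options = [_pairs(a) for a in alts.split("|")]
            text.append("(" + "|".join("".join(map(_pair_text, o)) for o in options) + ")")
            rx.append(b"(?:" + b"|".join(b"".join(map(_pair_regex, o)) for o in options) + b")")
        elif pair:
            text.append(_pair_text(pair))
            rx.append(_pair_regex(pair))
        else:                          # {n}, {-n}, {n-}, {n-m}: gap of arbitrary bytes
            text.append(m.group(0))
            if not dash:
                rx.append(b".{%d}" % int(lo_n))
            else:
                rx.append(b".{%s,%s}" % (lo_n.encode() or b"0", hi_n.encode()))
    if pos != len(body):
        raise ValueError("trailing junk in signature: %r" % body[pos:])
    return "".join(text), re.compile(b"".join(rx), re.DOTALL)


def normalise_html(data):
    """ASSUMPTION: rough stand-in for ClamAV's HTML normaliser (target 3).
    It only lower-cases and collapses whitespace; ClamAV does more.  The
    real normalised bytes come from `sigtool --html-normalise=FILE`."""
    return re.sub(rb"\s+", b" ", data.lower())


def scan(data, sig_line=SIG_LINE):
    """Return the bytes the signature matches in `data`, or None."""
    sig = parse_ndb(sig_line)
    if sig["target"] == 3:
        data = normalise_html(data)
    _, rx = decode_body(sig["body"])
    if sig["offset"] == "*":
        hit = rx.search(data)
    else:                              # only plain absolute offsets handled here
        hit = rx.match(data, int(sig["offset"]))
    return hit.group(0) if hit else None


# Constructed samples (not taken from the US-CERT alert) that do and do not match.
SAMPLES = {
    "xor decode loop": b"<script>var k=s.charCodeAt(i)^0x5a;</script>",
    "gap too long": b"<script>var k=s.charCodeAt(index_0)^0x5a;</script>",
    "no xor": b"<script>var k=s.charCodeAt(i)+1;</script>",
}

if __name__ == "__main__":
    sig = parse_ndb(SIG_LINE)
    pattern, _ = decode_body(sig["body"])
    print(sig["name"], "target:", TARGET_TYPES.get(sig["target"], sig["target"]))
    print("pattern:", pattern)
    for label, sample in SAMPLES.items():
        print("%-16s -> %r" % (label, scan(sample)))
```

The decoded pattern is `charcodeat({-5})^`, i.e. a JavaScript `charCodeAt(...)` call XORed with something, which is why a mail quoting XOR-decoder snippets can trip it. Note the lower-case hex: target type 3 signatures are written against the normalised HTML, not the raw bytes, so a string grepped out of the original message will not match the signature byte for byte.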