[clamav-users] signature for cve2017-11882
Jigar
ojigar at gmail.com
Sun Mar 28 09:03:18 UTC 2021
Hello,
I will try to share the infected file.
Meanwhile, I am sharing the debug out file of the sigtool command. It may
help for further help.
We have also attached the signature generated using these tmp files.
The following files are used to scan the file.
1585770 Aug 29 2018 spam_marketing.ndb
clam clam 90810880 Nov 11 2019 safebrowsing.cld.bak
clam clam 11098 May 21 2020 sanesecurity.ftm
clam clam 136 Jul 20 2020 whitelist.ign2
clam clam 312952834 Mar 9 10:48 securiteinfoold.hdb
clam clam 117859675 Mar 12 11:55 main.cvd
clam clam 1926677 Mar 19 11:07 scam.ndb
clam clam 245189 Mar 19 11:07 lott.ndb
clam clam 226541 Mar 19 11:20 foxhole_filename.cdb
clam clam 73808 Mar 19 14:43 malwarehash.hsb
clam clam 41321567 Mar 24 10:19 safebrowsing.cvd
clam clam 13634 Mar 24 10:20 porcupine.hsb
clam clam 632041 Mar 24 16:36 jurlbl.ndb
clam clam 4142107 Mar 25 10:44 phish.ndb
clam clam 16405860 Mar 26 09:36 securiteinfo.hdb
clam clam 7203325 Mar 26 09:36 securiteinfohtml.hdb
clam clam 1438720 Mar 26 13:32 bytecode.cld
clam clam 320460288 Mar 26 13:32 daily.cld
clam clam 188708 Mar 26 13:32 jurlbla.ndb
clam clam 8421132 Mar 26 13:32 securiteinfoascii.hdb
clam clam 592970 Mar 26 13:32 urlhaus.ndb
clam clam 648587 Mar 26 13:48 porcupine.ndb
clam clam 1626345 Mar 26 13:49 phishtank.ndb
With Regards
Jigar Raval
On Sun, Mar 28, 2021 at 1:26 PM G.W. Haywood via clamav-users
<clamav-users at lists.clamav.net> wrote:
>
> Hello again,
>
> On Sun, 28 Mar 2021, Jigar via clamav-users wrote:
> > On Sat, Mar 27, 2021 at 11:28 PM G.W. Haywood via clamav-users wrote:
> >>
> >> This is a rather old CVE, what databases do you use for your ClamAV
> >> installation? Perhaps what you have seen recently is a new threat
> >> which has been engineered to avoid some of the existing signatures.
> >
> > ...
> > We have also scanned using the latest clamav signature, porcupine,
> > etc. but could not detect it. ...
>
> Can you give full details? To tell us 'etc.' does not help.
>
> This is the address to use for reporting malware to the ClamAV team:
>
> https://www.clamav.net/reports/malware
>
> Did you use it? If so, you probably don't need to do more, but you
> may need to be patient. The signature team is small and busy.
>
> If you would place an encrypted archive of the malicious file(s)
> somewhere on the Web so that I can download it, I can take a look.
>
> --
>
> 73,
> Ged.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 28sig.hdb
Type: application/octet-stream
Size: 214 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20210328/ae4ffbc4/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-08mar-tmp.tar.gz
Type: application/x-gzip
Size: 2651284 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20210328/ae4ffbc4/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-receipt-tmp.tar.gz
Type: application/x-gzip
Size: 2584121 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20210328/ae4ffbc4/attachment-0003.bin>