The release candidate for version 0.94.1 of Clam AntiVirus is out and they are eager for people to get out and test it. There is a new feature in this release called “malware statistics gathering” that will pass observed malware information back to clamav.net – they hope to be posting statistics on their site. To enable this feature, it needs to be switched on in your freshclam.conf file.
Tag: clamav
-
Good sarc monitoring tip
Sarc is still in their month of a security tip per day and today’s is another good one. Today’s tip is about monitoring machines, particularly those that “defend” your network (mail antivirus scanners, proxy filters/scanners, etc.). The core of the advice is to not just ping – that only tells you if the system exists and is online – it doesn’t tell you if things are working. They suggest scripting tests (an antivirus scanner can be tested via the EICAR test signature, for instance). They note that doesn’t tell you if the AV scanner is updated (I prefer a crontab output of the day’s updates – looks like there were around 9 clamav signature updates yesterday).
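One way to script the “is it actually updated” half of that tip, as an added example that is not from the post or the ClamAV project: it parses freshclam log lines (the sample log below is constructed, and the classic `... -> daily.cvd updated (version: N, ...)` line shape is assumed) and reports updates per day, the newest daily version, and whether signatures have gone stale.

```python
"""Signature-freshness check built from freshclam log lines (added example).
Assumes lines like "Tue Jan  3 01:40:13 2006 -> daily.cvd updated (version: 1228, ...)"."""
import re
from datetime import datetime, timedelta

LOG_TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Only lines announcing a database change; "is up to date" lines are skipped.
UPDATE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) -> "
    r"(?P<db>main|daily|bytecode)\.c[vl]d updated \(version: (?P<ver>\d+)"
)

# Constructed sample log: versions, signature counts and builder name are made up.
SAMPLE_LOG = """\
Mon Jan  2 03:10:44 2006 -> daily.cvd updated (version: 1227, sigs: 1342, f-level: 6, builder: example)
Mon Jan  2 09:12:01 2006 -> Database updated (42000 signatures) from database.clamav.net
Tue Jan  3 01:40:12 2006 -> main.cvd is up to date (version: 34, sigs: 39999, f-level: 5, builder: example)
Tue Jan  3 01:40:13 2006 -> daily.cvd updated (version: 1228, sigs: 1360, f-level: 6, builder: example)
Tue Jan  3 07:40:14 2006 -> daily.cvd updated (version: 1229, sigs: 1364, f-level: 6, builder: example)
"""

def parse_updates(log_text):
    """Return [(timestamp, db_name, version)] for every database-update line."""
    updates = []
    for line in log_text.splitlines():
        m = UPDATE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), LOG_TS_FORMAT)
            updates.append((ts, m.group("db"), int(m.group("ver"))))
    return updates

def freshness_report(log_text, now_text, max_age_hours=24):
    """Updates per day, newest daily version, and a stale flag (no daily update
    within max_age_hours of now_text, which uses the log's timestamp format)."""
    updates = parse_updates(log_text)
    now = datetime.strptime(now_text, LOG_TS_FORMAT)
    per_day = {}
    for ts, _, _ in updates:
        per_day[str(ts.date())] = per_day.get(str(ts.date()), 0) + 1
    daily = [(ts, ver) for ts, db, ver in updates if db == "daily"]
    last_ts = max(ts for ts, _ in daily) if daily else None
    return {
        "per_day": per_day,
        "latest_daily": max(ver for _, ver in daily) if daily else None,
        "stale": last_ts is None or now - last_ts > timedelta(hours=max_age_hours),
    }
```

Run it from cron against your real freshclam.log and alert on `stale`; a machine that answers ping but has not pulled a daily update in a day is exactly the case the tip warns about.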
-
Clamav 0.88.4 and prior DoS
According to incidents.org a denial of service vulnerability has been noted in all versions of clamav prior to 0.88.4 (inclusive). At incidents’ last report the download for 0.88.4 was back after disappearing for a while, which seemed to indicate a fix; however, I wasn’t aware 0.88.4 had been released before today (?). It looks as though http://www.clamav.net/ has perhaps a re-release of 0.88.4 that fixes it? Clamav is a popular open source antivirus scanning engine.
–UPDATED AND CORRECTED – looking at the Secunia advisory, versions 0.88.3 and 0.88.2 are vulnerable, others may be – and I suspect that 0.88.4 is the version that will fix it – so it looks as though 0.88.4 will be the fixed version. AGAIN – it looks as though 0.88.4 FIXES the DoS vulnerability.
-
Clamav 0.88.2 for Mandrake 10.0 rpms
Since I have a few old Mandrake 10.0 servers out there churning along, I’ve rebuilt the Clamav package to reflect the recent security fix. Version 0.88.2 is up on the site at http://www.averyjparker.com/wp-content/downloads/clamav882/ As always, the rpms are here more for my convenience than anything else, rebuilt straight from the cooker package and built on 10.0 …. in other words, they work for me and that’s why they’re here.
-
OK – just fresh off the 5 wordpress install updates and now clamav…
So, I spent the better part of the evening doing WordPress updates to get 5 blogs up to v. 2.0.2 and now….. clamav has multiple vulnerabilities …………… oi…. now it’s time to rebuild clamav to install on 2 machines……
-
Clamav vulnerability
There’s a security fix available for a vulnerability in Clam AntiVirus. Version 0.88 fixes the vulnerability, which could allow a remote attacker to control a machine running Clam AntiVirus. The Security Fix has coverage on this, and the update can be found at the clamav site. This affects ClamWin as well, available here.
-
Another update to exploit?
I didn’t see this reported anywhere, but since yesterday when there was an update to the metasploit module for the WMF vulnerability I think there’s been yet another update. I read yesterday that it had been updated and could evade all known IDS signatures. I downloaded the update to continue my Win98 testing. Then today found that there was another update. I haven’t compared the old/new versions but can’t help but wonder if this means more scrambling of antivirus writers for new signatures to keep up.
-
Antivirus scanning update for WMF
I hung on to the last batch of 20 wmf exploit samples I had been working with for the purpose of testing my Clam AntiVirus install against them to see when “full detection” of all 20 had been achieved. Last night, with version 1227 of the daily.cvd database, they were still detecting 8 out of the 20. Now the signatures seem to have improved, as with version 1228 of daily.cvd clamav detects all 20 as Exploit.WMF.Gen-3 FOUND.
-
More WMF exploit testing on Windows 98
I’ve spent some more effort on trying to infect Windows 98 SE in a virtual machine with some of the exploit samples I can find. The first attempt was at a website with the .wmf download. No luck infecting the system there. Then, I’ve loaded up the image and visited kyeu dot info/WMF/ and tried each of the files there. I don’t have a zip handler in my Windows 98 SE image so that didn’t get tested, but I’m getting nowhere here. Gif opens with Explorer and gives a red x to indicate a broken image, the text file opens as a binary file viewed in a text editor, the htm file does the same only in explorer (I see what I’d usually see if I tried to open a binary file in a web browser…) The avi opens with Media Player and complains about it being an incompatible format.
-
WMF zero-day exploit first hand experience
Well, I’ve just spent the better part of 6 hours (maybe a bit more) “sacrificing” a virtual machine to the zero-day Windows Meta File (WMF) exploit and all the malware that comes in. I picked one site from the sunbeltblog list to infect the virtual machine with and can attest to it being quite nasty. I was able to get the virtual machine *mostly* clean. I still haven’t gone back over it to try and make sure, but I’ll be posting some details from the “fun” tomorrow.