
List:       clamav-users
Subject:    [clamav-users] Unexpected behaviour
From:       Konstantin <myownletters () gmail ! com>
Date:       2016-03-24 21:29:53
Message-ID: CABOOiQWX0vpbQSQLQq2HHZDEDT4V04ey=k6_sOsiTNMAiyztAA () mail ! gmail ! com

Hello

I have 2 Gentoo based SMTP servers. Both hosts have the same packages
installed with the same USE flags.
I'm using clamav-0.98.7 with amavisd. Output from clamconf attached to
this message. Clamav settings and signature files are equal.

I have a custom signature
e350ca9b3b6ddbdabd3845a66f755f22122b8eb5ed79b9d19bd87e34e4aa5008:340992:Trojan.DNC4
for this doc file
https://malwr.com/analysis/ZTdiYjRiMDZlNzEyNDUwZmI3OTdiYjg4NTYxMDMyNmM/

Both hosts found malware in this file with the clamscan command. No
problem in this case.

Here is the problem I have.
When a message is scanned with clamd, only host1 detects the trojan with
the custom signature.
host1:
echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat - "UNIX-CONNECT:/var/run/clamav/clamd.sock"
/tmp/feb_invoice_1426277.doc: Trojan_Generic.DNC4.UNOFFICIAL FOUND

host2 detects it as Heuristics.OLE2.ContainsMacros:
echo "CONTSCAN /tmp/feb_invoice_1426277.doc" | socat - "UNIX-CONNECT:/var/run/clamav/clamd.sock"
/tmp/feb_invoice_1426277.doc: Heuristics.OLE2.ContainsMacros FOUND

Another interesting thing is that host1 detects that trojan not by the
signature with size 340992 (the original doc file).
I suppose that a PE32 file inside that .doc file was detected with this
signature:
c3DNC406e57af90685a7002f7ea63340a1e7d3a1ed3805e7ec8b0909865b57bd6c:126976:Trojan_Generic.DNC4

Can you guys please explain how this happened and what the difference
between these 2 hosts could be?
I expect that if a signature is found, then Heuristics results do not appear.

Thank you.
--
This message was delivered using 100% recycled electrons.

["clamconf.txt" (text/plain)]

Checking configuration files in /etc

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamd.log"
StatsHostID disabled
StatsEnabled disabled
StatsPEDisabled disabled
StatsTimeout disabled
LogFileUnlock disabled
LogFileMaxSize = "10485760"
LogTime = "yes"
LogClean disabled
LogSyslog = "yes"
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate disabled
ExtendedDetectionInfo disabled
PidFile = "/var/run/clamav/clamd.pid"
TemporaryDirectory disabled
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/var/run/clamav/clamd.sock"
LocalSocketGroup disabled
LocalSocketMode disabled
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "30"
StreamMaxLength = "26214400"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "50"
ReadTimeout = "300"
CommandReadTimeout = "5"
SendBufTimeout = "500"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "600"
DisableCache disabled
VirusEvent disabled
ExitOnOOM disabled
AllowAllMatchScan = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamav"
AllowSupplementaryGroups = "yes"
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "5000"
BytecodeUnsigned disabled
BytecodeMode = "Auto"
DetectPUA = "yes"
ExcludePUA = "PWTool", "Spam"
IncludePUA disabled
AlgorithmicDetection = "yes"
ScanPE = "yes"
ScanELF = "yes"
DetectBrokenExecutables = "yes"
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
PhishingAlwaysBlockCloak disabled
PhishingAlwaysBlockSSLMismatch disabled
PartitionIntersection disabled
HeuristicScanPrecedence = "yes"
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
OLE2BlockMacros = "yes"
ScanPDF = "yes"
ScanSWF = "yes"
ScanArchive = "yes"
ArchiveBlockEncrypted disabled
ForceToDisk disabled
MaxScanSize = "104857600"
MaxFileSize = "52428800"
MaxRecursion = "16"
MaxFiles = "10000"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
MaxZipTypeRcg = "1048576"
MaxPartitions = "50"
MaxIconsPE = "100"
ScanOnAccess disabled
OnAccessIncludePath disabled
OnAccessExcludePath disabled
OnAccessExcludeUID disabled
OnAccessMaxFileSize = "5242880"
DevACOnly disabled
DevACDepth disabled
DevPerformance disabled
DevLiblog disabled
DisableCertCheck disabled

Config file: freshclam.conf
---------------------------
StatsHostID disabled
StatsEnabled disabled
StatsTimeout disabled
LogFileMaxSize = "1048576"
LogTime = "yes"
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate disabled
PidFile = "/var/run/clamav/freshclam.pid"
DatabaseDirectory = "/var/lib/clamav"
Foreground disabled
Debug disabled
AllowSupplementaryGroups = "yes"
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseOwner = "clamav"
Checks = "24"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "database.clamav.net"
PrivateMirror disabled
MaxAttempts = "5"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
DatabaseCustomURL disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamd.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "60"
ReceiveTimeout = "60"
SubmitDetectionStats disabled
DetectionStatsCountry disabled
DetectionStatsHostID disabled
SafeBrowsing disabled
Bytecode = "yes"

clamav-milter.conf not found

Software settings
-----------------
Version: 0.98.7
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 ICONV RAR JIT

Database information
--------------------
Database directory: /var/lib/clamav
[3rd Party] javascript.ndb: 37216 sigs
daily.cld: version 21472, sigs: 83894, built on Thu Mar 24 14:24:50 2016
main.cvd: version 57, sigs: 4218790, built on Wed Mar 16 23:17:06 2016
bytecode.cvd: version 275, sigs: 45, built on Mon Mar 14 18:51:14 2016
[3rd Party] securiteinfo.hdb: 1804601 sigs
[3rd Party] securiteinfoascii.hdb: 89692 sigs
[3rd Party] securiteinfohtml.hdb: 49224 sigs
[3rd Party] custom-sigs.hdb: 1603 sigs
Total number of signatures: 6285065

Platform information
--------------------
uname: Linux 4.1.12-gentoo #1 SMP Fri Jan 8 14:56:47 UTC 2016 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.8 (1.2.8), compile flags: a9
Triple: x86_64-pc-linux-gnu
CPU: i686, Little-endian

Build information
-----------------
GNU C: 4.9.3 (4.9.3)
GNU C++: 4.9.3 (4.9.3)
CPPFLAGS: 
CFLAGS: -O2 -pipe -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
CXXFLAGS: -O2 -pipe
LDFLAGS: -Wl,-O1 -Wl,--as-needed
Configure: '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' \
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' \
'--sysconfdir=/etc' '--localstatedir=/var/lib' '--disable-dependency-tracking' \
'--disable-silent-rules' '--libdir=/usr/lib64' '--disable-experimental' \
'--disable-fanotify' '--enable-id-check' '--with-dbdir=/var/lib/clamav' \
'--with-system-tommath' '--with-zlib=/usr' '--enable-bzip2' '--disable-clamdtop' \
'--disable-ipv6' '--disable-milter' '--disable-static' '--with-iconv' \
'--without-libjson' 'build_alias=x86_64-pc-linux-gnu' \
'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-O2 -pipe' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed' \
sizeof(void*) = 8 Engine flevel: 80, dconf: 80
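An added example, not code from the post or from the ClamAV project: a small Python helper that builds a .hdb entry in the sha256:size:name format used by the custom signature above, parses clamd's CONTSCAN reply lines, and diffs two hosts' verdicts so a split like host1's hash hit versus host2's Heuristics.OLE2.ContainsMacros stands out. The socket path is assumed from the attached clamd.conf, and the sample replies are constructed from the post's output.

```python
import hashlib
import socket

# Build a ClamAV .hdb entry (sha256:size:name), the format of the
# custom signature quoted in the post, from a file's raw bytes.
def hdb_signature(data: bytes, name: str) -> str:
    return f"{hashlib.sha256(data).hexdigest()}:{len(data)}:{name}"

# Parse one clamd reply line such as
# "/tmp/feb_invoice_1426277.doc: Heuristics.OLE2.ContainsMacros FOUND"
# into (path, detection_name_or_None, status).
def parse_clamd_line(line: str):
    line = line.rstrip("\0").strip()
    path, sep, verdict = line.partition(": ")
    if not sep:
        raise ValueError(f"unrecognised clamd reply: {line!r}")
    for status in ("FOUND", "ERROR"):
        if verdict.endswith(" " + status):
            return path, verdict[: -len(status) - 1], status
    if verdict == "OK":
        return path, None, "OK"
    raise ValueError(f"unrecognised clamd reply: {line!r}")

# Return the paths where two hosts' clamd replies disagree; a hash-signature
# hit on one host versus a Heuristics.* hit on the other is the post's case.
def detection_diff(host1_lines, host2_lines):
    h1 = {p: (n, s) for p, n, s in map(parse_clamd_line, host1_lines)}
    h2 = {p: (n, s) for p, n, s in map(parse_clamd_line, host2_lines)}
    return sorted((p, h1.get(p), h2.get(p)) for p in h1.keys() | h2.keys()
                  if h1.get(p) != h2.get(p))

# Ask a local clamd to scan `path` over its Unix socket (assumed default path
# from the attached clamd.conf) using the null-terminated zCONTSCAN form.
def contscan(path: str, sock_path: str = "/var/run/clamav/clamd.sock"):
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(f"zCONTSCAN {path}\0".encode())
        buf = b""
        while chunk := s.recv(4096):
            buf += chunk
    return [parse_clamd_line(l) for l in buf.decode().split("\0") if l.strip()]

if __name__ == "__main__":
    # Constructed sample replies, taken from the two hosts in the post.
    h1 = ["/tmp/feb_invoice_1426277.doc: Trojan_Generic.DNC4.UNOFFICIAL FOUND"]
    h2 = ["/tmp/feb_invoice_1426277.doc: Heuristics.OLE2.ContainsMacros FOUND"]
    print(detection_diff(h1, h2))
```

When comparing hosts this way, note that the attached clamd.conf has HeuristicScanPrecedence = "yes", which lets a heuristic hit such as Heuristics.OLE2.ContainsMacros end the scan before a hash signature on an embedded object is reported.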


