HTTP Anti-Virus Proxy
http://havp.hege.li/forum/

Exploit.Java.ByteVerify - Bypass HAVP
http://havp.hege.li/forum/viewtopic.php?f=3&t=37
Page 1 of 1

Author:  dayne [ 14 Mar 2006 07:36 ]
Post subject:  Exploit.Java.ByteVerify - Bypass HAVP

I am using Clamav with HAVP. I know this may sound bad. But one of our users downloaded and infected their workstation with this trojan virus. They were browsing a hentai site (I know, our url filter did not have this listed as a porn site... it is in the blacklist now). I have my HAVP logs, and nothing was found. However the workstation antivirus found it running in memory and quarantined it. I submitted the sample to virustotal.com and it said Clamav detected it as a virus (Exploit.Java.ByteVerify). So somehow this bypassed HAVP? I have HAVP 0.78. I am using default config settings except for:
KEEPBACKDATA = 1000000
TRICKLING = 10
MAXSCANSIZE = 20000000

13/03/2006 16:54:05 127.0.0.1 http://game4all.biz/adv/030/count.jar 200 GET OK
13/03/2006 16:54:06 127.0.0.1 http://game4all.biz/adv/030/com/ms/secu ... ader.class 404 GET OK

These urls pass the virus to the user. Any help would be much appreciated.

Best regards,

Dayne

Author:  hege [ 14 Mar 2006 10:11 ]
Post subject: 

I'm sorry but ClamAV does not detect this.. this is from virustotal:

ClamAV devel-20060126 03.14.2006 no virus found

Also tested myself with newest clamav and clamav-devel.

This is sad, since I (and many others I suppose..) have sent count.jar sample to clamav long time ago..

Quick fix would be to make it yourself: sigtool --md5 count.jar > /usr/local/share/clamav/local.hdb

But no worries, it is not really a serious "virus". ClamAV does recognize all the bad ones. ;)

Cheers,
Henrik
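
As an added illustration of the quick fix above (not code from the thread, HAVP or ClamAV), this Python script builds the same `MD5:FileSize:SignatureName` line that `sigtool --md5` writes into a `.hdb` file, then checks a file against it. The sample bytes and the signature name are constructed placeholders, not the real count.jar; the last function shows why a hash signature stops matching as soon as a single byte of the file changes.

```python
import hashlib
from pathlib import Path

# Constructed stand-in for count.jar (not the real sample); any bytes work
# because a .hdb signature only keys on the MD5 and the file size.
SAMPLE = b"PK\x03\x04constructed-sample-jar-bytes"
SIG_NAME = "Exploit.Java.ByteVerify.Local"   # placeholder name


def hdb_entry(data: bytes, name: str) -> str:
    """Build one .hdb line in the form sigtool --md5 emits: MD5:Size:Name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def load_hdb(text: str) -> dict:
    """Parse .hdb text into {(md5, size): name}; blank and '#' lines are skipped."""
    sigs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, name = line.split(":", 2)
        sigs[(md5.lower(), int(size))] = name
    return sigs


def match(data: bytes, sigs: dict):
    """Return the signature name if data matches a hash signature, else None."""
    return sigs.get((hashlib.md5(data).hexdigest(), len(data)))


def scan_file(path: Path, hdb_path: Path):
    """Scan a file on disk against a local .hdb file (same lookup as match)."""
    return match(path.read_bytes(), load_hdb(hdb_path.read_text()))


def hash_sig_is_brittle(data: bytes, sigs: dict) -> bool:
    """Caveat: the exact file matches, but appending one byte already evades
    a hash signature, so a re-packed or re-compressed jar needs a new entry."""
    return match(data, sigs) is not None and match(data + b"\x00", sigs) is None


if __name__ == "__main__":
    local_hdb = Path("local.hdb")                 # same name as in the thread
    local_hdb.write_text(hdb_entry(SAMPLE, SIG_NAME) + "\n")
    print(load_hdb(local_hdb.read_text()))
```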

Author:  Guest [ 17 Apr 2006 13:29 ]
Post subject: 

I just tested this with the avg scanner (which is free for home use)
and it had been detected!

also the mailscanner version of f-prot is able to detect it (but isn't free)

markus
