HTTP Anti-Virus Proxy http://havp.hege.li/forum/

Not detecting Malware http://havp.hege.li/forum/viewtopic.php?f=3&t=408
Author: rafael [ 12 Jan 2009 05:48 ]
Post subject: Not detecting Malware
I'm not able to block a malware that is downloaded via a php file. The url is: http://www.oursouthernlakes.com/images/DSC01088.php
The downloaded file is not currently detected by clamav (I have submitted the sample too) but I created an UNOFFICIAL sig for it. I'm able to detect the malware with clamscan:

clamdscan DSC01010.scr
DSC01010.scr: DSC01010.scr.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.096 sec (0 m 0 s)
Author: hege [ 12 Jan 2009 08:05 ]
Post subject: Re: Not detecting Malware
Did you reload HAVP with SIGHUP? Does it help if you restart it completely? |
Author: rafael [ 12 Jan 2009 13:33 ]
Post subject: Re: Not detecting Malware
I restarted clamav and havp. If you have the time you can try to reproduce the situation, the malware is still there. |
Author: rafael [ 13 Jan 2009 04:27 ]
Post subject: Re: Not detecting Malware
This is strange. I'm doing something wrong that I can't figure out. From the logs:

12/01/2009 09:07:29 10.10.203.4 GET 200 http://www.uniferblog.com/DSC01010.scr 531+205312 VIRUS ClamAV: DSC01010.scr.UNOFFICIAL
12/01/2009 09:07:40 10.10.203.4 GET 200 http://www.uniferblog.com/DSC01010.scr 421+205312 VIRUS ClamAV: DSC01010.scr.UNOFFICIAL
12/01/2009 09:08:12 10.10.203.4 GET 200 http://www.uniferblog.com/DSC01010.scr 421+205312 VIRUS ClamAV: DSC01010.scr.UNOFFICIAL
12/01/2009 09:08:15 10.10.203.4 GET 200 http://www.uniferblog.com/DSC01010.scr 421+205312 VIRUS ClamAV: DSC01010.scr.UNOFFICIAL

These were generated by someone in the network (who received an email with links to the malware). So havp is detecting and blocking, but I can still download it, when other malware that I have for testing is blocked.
Author: hege [ 14 Jan 2009 10:09 ]
Post subject: Re: Not detecting Malware
Familiarize yourself with how the KEEPBACKBUFFER setting works.
Author: rafael [ 14 Jan 2009 15:08 ]
Post subject: Re: Not detecting Malware
I found the problem. I was creating the signature with:

sigtool --md5 DSC01010.scr

They are changing the file over time, the md5 created now is different from the original.
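The thread's conclusion is that a signature built with sigtool --md5 matches one exact byte sequence, so a sample the hosting site keeps changing slips past it. The following is an added illustration (not code from the thread or from HAVP/ClamAV) that builds an .hdb-style line in the same md5:size:name form sigtool emits, then scans a constructed original sample and a constructed modified copy against it; the two sample payloads are made up for the demonstration.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed stand-in for the downloaded sample (not the real DSC01010.scr).
ORIGINAL_SAMPLE = b"MZ\x90\x00" + b"constructed payload v1 " * 40
# The "same" download after the site changed the file, as described in the thread.
MODIFIED_SAMPLE = b"MZ\x90\x00" + b"constructed payload v2 " * 40


def make_hdb_signature(data: bytes, name: str) -> str:
    """Build a ClamAV .hdb line the way `sigtool --md5 <file>` does: md5:size:name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def parse_hdb(text: str) -> List[Tuple[str, int, str]]:
    """Parse .hdb lines into (md5, size, name); blank lines and comments are skipped."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, name = line.split(":", 2)
        sigs.append((md5.lower(), int(size), name))
    return sigs


def match_hdb(data: bytes, sigs: List[Tuple[str, int, str]]) -> Optional[str]:
    """Return the signature name if both the MD5 and the file size match, else None."""
    digest = hashlib.md5(data).hexdigest()
    for md5, sig_size, name in sigs:
        if md5 == digest and sig_size == len(data):
            return name
    return None


# The unofficial database as it would have been generated from the first download.
SIGNATURE_DB = make_hdb_signature(ORIGINAL_SAMPLE, "DSC01010.scr.UNOFFICIAL") + "\n"


def scan_both() -> Tuple[Optional[str], Optional[str]]:
    """Scan the original and the modified sample; only the original can match."""
    sigs = parse_hdb(SIGNATURE_DB)
    return match_hdb(ORIGINAL_SAMPLE, sigs), match_hdb(MODIFIED_SAMPLE, sigs)


if __name__ == "__main__":
    for label, verdict in zip(("original", "modified"), scan_both()):
        print(f"{label}: {verdict or 'clean (no hash match)'}")
```

A single changed byte alters both the MD5 and, when content is added, the size field, so a hash signature detects only the exact copy it was built from; this is the reason the later downloads logged in the thread were served even though the original copy was detected.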