Mailing List Archive

Sorry to bother, but do you guys want raw emails or just the payload Word
Docs?

I just sent payloads, since they are real emails with responses and a virus
attached.

I can however scrub the raws and send a few of those as well.

Sincerely,



Eric Tykwinski

TrueNet, Inc.

P: 610-429-8300

hi eric,

Am 21.12.20 um 17:59 schrieb eric-list@truenet.com:
> Sorry to bother, but do you guys want raw emails or just the payload
> Word Docs?
>
> I just sent payloads, since they are real emails with responses and a
> virus attached.

this is pretty useless as clamav's reporting process is far too slow or
or is not made for rapidly changing attack vectors used by emotet (never
saw clamav hits with default signatures enabled on the last big emotet
waves on my side, may be different somewhere else).

for hunting emotet you can report to sanesecurity where steve and his
team are taking care and use their 3rd-party signatures. and/or use
urlhaus (driven by abuse.ch) 3rd-party signatures feeded by lots of
(emotet) malware hunters floating around on
https://twitter.com/cryptolaemus1 - all of them doing a great job here.

btw - lots of vulnerable/unpatched wordpress installs involved as
always, may be related to fresh CVE-2020-35489

https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload-vulnerability/

regards
max


> I can however scrub the raws and send a few of those as well.
>
> Sincerely,
>
> ?
>
> Eric Tykwinski
>
> TrueNet, Inc.
>
> P: 610-429-8300
>
> ?
>
> ?
>
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Hi,

... or you can use SecuriteInfo signatures. The lastest emotet malwares
variant are already detected today.
More information at http://ow.ly/LqfdL


--
Cordialement / Best regards,

Arnaud Jacques
G?rant de SecuriteInfo.com

T?l?phone : +33-(0)3.60.47.09.81
E-mail : aj@securiteinfo.com
Site web : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
Signatures for ClamAV antivirus : http://ow.ly/LqfdL

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

I pretty much disagree with this. 90% or greater of what is sent into clamav.net<http://clamav.net> is covered in less than 24 hours, and to a much greater degree. We don’t aim to cover just the sample you sent in, we cover all the variants of that sample at the time, if possible.

On Dec 21, 2020, at 3:34 PM, max <mn@sbg.at<mailto:mn@sbg.at>> wrote:

hi eric,

Am 21.12.20 um 17:59 schrieb eric-list@truenet.com<mailto:eric-list@truenet.com>:
Sorry to bother, but do you guys want raw emails or just the payload
Word Docs?

I just sent payloads, since they are real emails with responses and a
virus attached.

this is pretty useless as clamav's reporting process is far too slow or
or is not made for rapidly changing attack vectors used by emotet (never
saw clamav hits with default signatures enabled on the last big emotet
waves on my side, may be different somewhere else).

for hunting emotet you can report to sanesecurity where steve and his
team are taking care and use their 3rd-party signatures. and/or use
urlhaus (driven by abuse.ch<http://abuse.ch/>) 3rd-party signatures feeded by lots of
(emotet) malware hunters floating around on
https://twitter.com/cryptolaemus1 - all of them doing a great job here.

btw - lots of vulnerable/unpatched wordpress installs involved as
always, may be related to fresh CVE-2020-35489

https://www.getastra.com/blog/911/plugin-exploit/contact-form-7-unrestricted-file-upload-vulnerability/

regards
max


I can however scrub the raws and send a few of those as well.

Sincerely,



Eric Tykwinski

TrueNet, Inc.

P: 610-429-8300







_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml



_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Joel,

> I pretty much disagree with this. 90% or greater of what is sent into http://clamav.net is covered in less than 24 hours, and to a much greater degree. We don’t aim to cover just the > sample you sent in, we cover all the variants of that sample at the time, if possible.

I pretty much agree with you there, if it's not you guys getting them right away, it'll be a third party signature, like SecuriteInfo, or SaneSecurity, so I've got no problems.
Hell, the reason I like ClamAV so much is that it's not a mystery black box, and I can write my own signatures if I need to.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300





_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

On Dec 21, 2020, at 4:02 PM, eric-list@truenet.com<mailto:eric-list@truenet.com> wrote:

Joel,

I pretty much disagree with this. 90% or greater of what is sent into http://clamav.net<http://clamav.net/> is covered in less than 24 hours, and to a much greater degree. We don’t aim to cover just the > sample you sent in, we cover all the variants of that sample at the time, if possible.

I pretty much agree with you there, if it's not you guys getting them right away, it'll be a third party signature, like SecuriteInfo, or SaneSecurity, so I've got no problems.
Hell, the reason I like ClamAV so much is that it's not a mystery black box, and I can write my own signatures if I need to.

The beauty of open source. Also, it’s free. So there’s that.

I would like to see more third party signature providers distribute through the signed packages so that every user is getting the signatures instead of a few.

Joel,

> I would like to see more third party signature providers distribute
> through the signed packages so that every user is getting the signatures
> instead of a few.

Last month I sent a generic sig using
https://www.clamav.net/reports/signature and AFAIK it is still not
published.

If you do not publish the signature I created and I gave you, I'd be
happy to know why.

I have several generic signature ready to give you if you are agree to
publish them.


--
Cordialement / Best regards,

Arnaud Jacques
Gérant de SecuriteInfo.com

Téléphone : +33-(0)3.60.47.09.81
E-mail : aj@securiteinfo.com
Site web : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
Signatures for ClamAV antivirus : http://ow.ly/LqfdL

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Hi there,

On Mon, 21 Dec 2020, eric-list@truenet.com wrote:

> I can however scrub the raws and send a few of those as well.

If you could zip up a few complete emails for me to look at I'd be
most grateful. If you need to sanitize content in the bodies that's
fine but it would be best for me if you can leave the headers intact.

I've whitelisted your list address for mail to mine.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Hiya

Can you please submit to Sanesecurity too.

https://sanesecurity.com/contact-us/

Regards
Brent

On 2020/12/21 18:44, eric-list@truenet.com wrote:
>
> I?m going to start posting a few to https://www.clamav.net/reports/malware
>
> Sincerely,
>
> Eric Tykwinski
>
> TrueNet, Inc.
>
> P: 610-429-8300
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

Isn’t that literally the opposite of what needs to happen?

On Dec 22, 2020, at 1:27 AM, Brent Clark via clamav-users <clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>> wrote:


Hiya

Can you please submit to Sanesecurity too.

https://sanesecurity.com/contact-us/

Regards
Brent

On 2020/12/21 18:44, eric-list@truenet.com<mailto:eric-list@truenet.com> wrote:
I’m going to start posting a few to https://www.clamav.net/reports/malware

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300




_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml