Mailing List Archive

[clamav-users] signature exists, but not detecting
Hi,

Uploaded a file to virustools.com and results show that ClamAV detects the
Unix.Trojan.Tsunami-6981155-0 exploit.

The command-line utility did not detect it. Up-to-date DB. The signature
appears to exist in the signature database.

Something I'm missing?

# freshclam
ClamAV update process started at Tue Feb 23 12:12:30 2021
daily.cld database is up to date (version: 26089, sigs: 4000162, f-level:
63, builder: raynman)
main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60,
builder: sigmgr)
bytecode.cvd database is up to date (version: 332, sigs: 93, f-level: 63,
builder: awillia2)


# clamscan /var/tmp/pty3
/var/tmp/pty3: OK

----------- SCAN SUMMARY -----------
Known viruses: 8565230
Engine version: 0.103.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.04 MB
Data read: 0.04 MB (ratio 1.00:1)
Time: 14.528 sec (0 m 14 s)
Start Date: 2021:02:23 12:13:43
End Date: 2021:02:23 12:13:57


# sigtools --find "6981155"
[daily.ldb]
Unix.Trojan.Tsunami-6981155-0;Engine:51-255,Target:6;0&1&2&3&4;4d6f7a696c6c612f342e302028636f6d70617469626c653b204d53494520372e303b2057696e646f7773204e5420362e303b204d794945323b20534c4343313b202e4e455420434c5220322e302e35303732373b204d656469612043656e74657220504320352e3029;4d6f7a696c6c612f352e30202857696e646f77733b20553b2057696e646f7773204e5420362e313b2063733b2072763a312e392e322e3629204765636b6f2f3230313030363238206d796962726f772f34616c70686132;4d6f7a696c6c612f352e302028636f6d70617469626c653b20553b204142726f77736520302e363b2053796c6c61626c6529204170706c655765624b69742f3432302b20284b48544d4c2c206c696b65204765636b6f29;4d6f7a696c6c612f352e3020285831313b20553b204c696e757820693638363b20706c2d504c3b2072763a312e392e302e3629204765636b6f2f32303039303230393131;4d6f7a696c6c612f352e3020284d6163696e746f73683b20553b20496e74656c204d6163204f5320583b20656e3b2072763a312e382e312e313129204765636b6f2f32303037313132382043616d696e6f2f312e352e34
Re: [clamav-users] signature exists, but not detecting [ In reply to ]
On Tue, Feb 23, 2021 at 09:30 AM, Ron Seguin via clamav-users wrote:
> Hi,
>
> Uploaded a file to virustools.com <http://virustools.com/> and results show that ClamAV detects the Unix.Trojan.Tsunami-6981155-0 exploit.

I'm not familiar with virustools.com and I get a redirect when I attempt to access it. Did you mean VirusTotal? If so, can you provide the link to the actual results of the file you uploaded?

> The command-line utility did not detect it. Up-to-date DB. The signature appears to exist in the signature database.
>
> Something I'm missing?
>
> # freshclam
> ClamAV update process started at Tue Feb 23 12:12:30 2021
> daily.cld database is up to date (version: 26089, sigs: 4000162, f-level: 63, builder: raynman)
> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
> bytecode.cvd database is up to date (version: 332, sigs: 93, f-level: 63, builder: awillia2)
>
>
> # clamscan /var/tmp/pty3
> /var/tmp/pty3: OK
> ----------- SCAN SUMMARY -----------
> Known viruses: 8565230
> Engine version: 0.103.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.04 MB
> Data read: 0.04 MB (ratio 1.00:1)
> Time: 14.528 sec (0 m 14 s)
> Start Date: 2021:02:23 12:13:43
> End Date: 2021:02:23 12:13:57
>
>
> # sigtools --find "6981155"
> [daily.ldb] Unix.Trojan.Tsunami-6981155-0;Engine:51-255,Target:6;0&1&2&3&4;4d6f7a696c6c612f342e302028636f6d70617469626c653b204d53494520372e303b2057696e646f7773204e5420362e303b204d794945323b20534c4343313b202e4e455420434c5220322e302e35303732373b204d656469612043656e74657220504320352e3029;4d6f7a696c6c612f352e30202857696e646f77733b20553b2057696e646f7773204e5420362e313b2063733b2072763a312e392e322e3629204765636b6f2f3230313030363238206d796962726f772f34616c70686132;4d6f7a696c6c612f352e302028636f6d70617469626c653b20553b204142726f77736520302e363b2053796c6c61626c6529204170706c655765624b69742f3432302b20284b48544d4c2c206c696b65204765636b6f29;4d6f7a696c6c612f352e3020285831313b20553b204c696e757820693638363b20706c2d504c3b2072763a312e392e302e3629204765636b6f2f32303039303230393131;4d6f7a696c6c612f352e3020284d6163696e746f73683b20553b20496e74656c204d6163204f5320583b20656e3b2072763a312e382e312e313129204765636b6f2f32303037313132382043616d696e6f2f312e352e34

You might find this breakout more useful when searching the file for matching strings:

~ % sigtool -fUnix.Trojan.Tsunami-6981155-0|sigtool --decode-sigs
VIRUS NAME: Unix.Trojan.Tsunami-6981155-0
TDB: Engine:51-255,Target:6
LOGICAL EXPRESSION: 0&1&2&3&4
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; MyIE2; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0)
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Mozilla/5.0 (compatible; U; ABrowse 0.6; Syllable) AppleWebKit/420+ (KHTML, like Gecko)
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.6) Gecko/2009020911
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4

-Al-
Re: [clamav-users] signature exists, but not detecting [ In reply to ]
Yes, my apologies. It was VirusTotal. Here's the link. Thanks.

https://www.virustotal.com/gui/file/d2178904c657f7226212e535581ba61d8aa5383bf01ca94184ac76b5e8b0f98a/detection

On Tue, Feb 23, 2021 at 10:03 PM Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:

>
>
> On Tue, Feb 23, 2021 at 09:30 AM, Ron Seguin via clamav-users wrote:
>
> Hi,
>
> Uploaded a file to virustools.com and results show that ClamAV detects
> the Unix.Trojan.Tsunami-6981155-0 exploit.
>
>
> I'm not familiar with virustools.com and I get a redirect when I attempt
> to access it. Did you mean VirusTotal? If so, can you provide the link to
> the actual results of the file you uploaded?
>
> The command-line utility did not detect it. Up-to-date DB. The signature
> appears to exist in the signature database.
>
> Something I'm missing?
>
> # freshclam
> ClamAV update process started at Tue Feb 23 12:12:30 2021
> daily.cld database is up to date (version: 26089, sigs: 4000162, f-level:
> 63, builder: raynman)
> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60,
> builder: sigmgr)
> bytecode.cvd database is up to date (version: 332, sigs: 93, f-level: 63,
> builder: awillia2)
>
>
> # clamscan /var/tmp/pty3
> /var/tmp/pty3: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8565230
> Engine version: 0.103.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.04 MB
> Data read: 0.04 MB (ratio 1.00:1)
> Time: 14.528 sec (0 m 14 s)
> Start Date: 2021:02:23 12:13:43
> End Date: 2021:02:23 12:13:57
>
>
> # sigtools --find "6981155"
> [daily.ldb]
> Unix.Trojan.Tsunami-6981155-0;Engine:51-255,Target:6;0&1&2&3&4;4d6f7a696c6c612f342e302028636f6d70617469626c653b204d53494520372e303b2057696e646f7773204e5420362e303b204d794945323b20534c4343313b202e4e455420434c5220322e302e35303732373b204d656469612043656e74657220504320352e3029;4d6f7a696c6c612f352e30202857696e646f77733b20553b2057696e646f7773204e5420362e313b2063733b2072763a312e392e322e3629204765636b6f2f3230313030363238206d796962726f772f34616c70686132;4d6f7a696c6c612f352e302028636f6d70617469626c653b20553b204142726f77736520302e363b2053796c6c61626c6529204170706c655765624b69742f3432302b20284b48544d4c2c206c696b65204765636b6f29;4d6f7a696c6c612f352e3020285831313b20553b204c696e757820693638363b20706c2d504c3b2072763a312e392e302e3629204765636b6f2f32303039303230393131;4d6f7a696c6c612f352e3020284d6163696e746f73683b20553b20496e74656c204d6163204f5320583b20656e3b2072763a312e382e312e313129204765636b6f2f32303037313132382043616d696e6f2f312e352e34
>
>
> You might find this breakout more useful when searching the file for
> matching strings:
>
> *~* % sigtool -fUnix.Trojan.Tsunami-6981155-0|sigtool --decode-sigs
> VIRUS NAME: Unix.Trojan.Tsunami-6981155-0
> TDB: Engine:51-255,Target:6
> LOGICAL EXPRESSION: 0&1&2&3&4
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; MyIE2; SLCC1; .NET CLR
> 2.0.50727; Media Center PC 5.0)
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628
> myibrow/4alpha2
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (compatible; U; ABrowse 0.6; Syllable) AppleWebKit/420+
> (KHTML, like Gecko)
> * SUBSIG ID 3
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.6) Gecko/2009020911
> * SUBSIG ID 4
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128
> Camino/1.5.4
>
> -Al-
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
Re: [clamav-users] signature exists, but not detecting [ In reply to ]
I noted that the scan was from six months ago, so I reanalyzed the file and see that ClamAV no longer detects it as infected, although 31/62 scanners did. The signature itself was added to the ClamAV db almost two years ago, on May 27, 2019, so does seem strange that it detected six months ago, but not now. Only thing that changed in that time period was the ClamAV scan engine.

-Al-

On Tue, Feb 23, 2021 at 19:12 PM, Ron Seguin via clamav-users wrote:
> Yes, my apologies. It was VirusTotal. Here's the link. Thanks.
>
> https://www.virustotal.com/gui/file/d2178904c657f7226212e535581ba61d8aa5383bf01ca94184ac76b5e8b0f98a/detection <https://www.virustotal.com/gui/file/d2178904c657f7226212e535581ba61d8aa5383bf01ca94184ac76b5e8b0f98a/detection>
>
> On Tue, Feb 23, 2021 at 10:03 PM Al Varnell via clamav-users <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>> wrote:
>
>
> On Tue, Feb 23, 2021 at 09:30 AM, Ron Seguin via clamav-users wrote:
>> Hi,
>>
>> Uploaded a file to virustools.com <http://virustools.com/> and results show that ClamAV detects the Unix.Trojan.Tsunami-6981155-0 exploit.
>
> I'm not familiar with virustools.com <http://virustools.com/> and I get a redirect when I attempt to access it. Did you mean VirusTotal? If so, can you provide the link to the actual results of the file you uploaded?
>
>> The command-line utility did not detect it. Up-to-date DB. The signature appears to exist in the signature database.
>>
>> Something I'm missing?
>>
>> # freshclam
>> ClamAV update process started at Tue Feb 23 12:12:30 2021
>> daily.cld database is up to date (version: 26089, sigs: 4000162, f-level: 63, builder: raynman)
>> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
>> bytecode.cvd database is up to date (version: 332, sigs: 93, f-level: 63, builder: awillia2)
>>
>>
>> # clamscan /var/tmp/pty3
>> /var/tmp/pty3: OK
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 8565230
>> Engine version: 0.103.1
>> Scanned directories: 0
>> Scanned files: 1
>> Infected files: 0
>> Data scanned: 0.04 MB
>> Data read: 0.04 MB (ratio 1.00:1)
>> Time: 14.528 sec (0 m 14 s)
>> Start Date: 2021:02:23 12:13:43
>> End Date: 2021:02:23 12:13:57
>>
>>
>> # sigtools --find "6981155"
>> [daily.ldb] Unix.Trojan.Tsunami-6981155-0;Engine:51-255,Target:6;0&1&2&3&4;4d6f7a696c6c612f342e302028636f6d70617469626c653b204d53494520372e303b2057696e646f7773204e5420362e303b204d794945323b20534c4343313b202e4e455420434c5220322e302e35303732373b204d656469612043656e74657220504320352e3029;4d6f7a696c6c612f352e30202857696e646f77733b20553b2057696e646f7773204e5420362e313b2063733b2072763a312e392e322e3629204765636b6f2f3230313030363238206d796962726f772f34616c70686132;4d6f7a696c6c612f352e302028636f6d70617469626c653b20553b204142726f77736520302e363b2053796c6c61626c6529204170706c655765624b69742f3432302b20284b48544d4c2c206c696b65204765636b6f29;4d6f7a696c6c612f352e3020285831313b20553b204c696e757820693638363b20706c2d504c3b2072763a312e392e302e3629204765636b6f2f32303039303230393131;4d6f7a696c6c612f352e3020284d6163696e746f73683b20553b20496e74656c204d6163204f5320583b20656e3b2072763a312e382e312e313129204765636b6f2f32303037313132382043616d696e6f2f312e352e34
>
> You might find this breakout more useful when searching the file for matching strings:
>
> ~ % sigtool -fUnix.Trojan.Tsunami-6981155-0|sigtool --decode-sigs
> VIRUS NAME: Unix.Trojan.Tsunami-6981155-0
> TDB: Engine:51-255,Target:6
> LOGICAL EXPRESSION: 0&1&2&3&4
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; MyIE2; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0)
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (compatible; U; ABrowse 0.6; Syllable) AppleWebKit/420+ (KHTML, like Gecko)
> * SUBSIG ID 3
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.6) Gecko/2009020911
> * SUBSIG ID 4
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
>
> -Al-
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>
> https://lists.clamav.net/mailman/listinfo/clamav-users <https://lists.clamav.net/mailman/listinfo/clamav-users>
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq <https://github.com/vrtadmin/clamav-faq>
>
> http://www.clamav.net/contact.html#ml <http://www.clamav.net/contact.html#ml>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
Re: [clamav-users] signature exists, but not detecting [ In reply to ]
Hi there,

On Tue, 23 Feb 2021, Al Varnell via clamav-users wrote:

> On Tue, Feb 23, 2021 at 19:12 PM, Ron Seguin via clamav-users wrote:
>
>> Yes, my apologies. It was VirusTotal. Here's the link. Thanks.
>>
> I noted that the scan was from six months ago, so I reanalyzed the
> file and see that ClamAV no longer detects it as infected, although
> 31/62 scanners did. The signature itself was added to the ClamAV db
> almost two years ago, on May 27, 2019, so does seem strange that it
> detected six months ago, but not now. Only thing that changed in
> that time period was the ClamAV scan engine.

It does start to sound like a regression. If one of you can let me
have a copy of the file I'll be glad to build a few old versions of
ClamAV and find out which versions detect it and which versions fail.

But maybe Talos has older versions set up ready to roll - you'd think
running a body of known bad files past the latest version to exercise
at least a representative fraction of all the signatures before its
release ought to be part of the release testing procedures. Micah?

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] signature exists, but not detecting [ In reply to ]
On Tue, Feb 23, 2021 at 19:12 PM, Ron Seguin via clamav-users wrote:
> Yes, my apologies. It was VirusTotal. Here's the link. Thanks.
>
> https://www.virustotal.com/gui/file/d2178904c657f7226212e535581ba61d8aa5383bf01ca94184ac76b5e8b0f98a/detection <https://www.virustotal.com/gui/file/d2178904c657f7226212e535581ba61d8aa5383bf01ca94184ac76b5e8b0f98a/detection>
>
> On Tue, Feb 23, 2021 at 10:03 PM Al Varnell via clamav-users <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>> wrote:
>
>
> On Tue, Feb 23, 2021 at 09:30 AM, Ron Seguin via clamav-users wrote:
>> Hi,
>>
>> Uploaded a file to virustools.com <http://virustools.com/> and results show that ClamAV detects the Unix.Trojan.Tsunami-6981155-0 exploit.
>
> I'm not familiar with virustools.com <http://virustools.com/> and I get a redirect when I attempt to access it. Did you mean VirusTotal? If so, can you provide the link to the actual results of the file you uploaded?
>
>> The command-line utility did not detect it. Up-to-date DB. The signature appears to exist in the signature database.
>>
>> Something I'm missing?
>>
>> # freshclam
>> ClamAV update process started at Tue Feb 23 12:12:30 2021
>> daily.cld database is up to date (version: 26089, sigs: 4000162, f-level: 63, builder: raynman)
>> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
>> bytecode.cvd database is up to date (version: 332, sigs: 93, f-level: 63, builder: awillia2)
>>
>>
>> # clamscan /var/tmp/pty3
>> /var/tmp/pty3: OK
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 8565230
>> Engine version: 0.103.1
>> Scanned directories: 0
>> Scanned files: 1
>> Infected files: 0
>> Data scanned: 0.04 MB
>> Data read: 0.04 MB (ratio 1.00:1)
>> Time: 14.528 sec (0 m 14 s)
>> Start Date: 2021:02:23 12:13:43
>> End Date: 2021:02:23 12:13:57
>>
>>
>> # sigtools --find "6981155"
>> [daily.ldb] Unix.Trojan.Tsunami-6981155-0;Engine:51-255,Target:6;0&1&2&3&4;4d6f7a696c6c612f342e302028636f6d70617469626c653b204d53494520372e303b2057696e646f7773204e5420362e303b204d794945323b20534c4343313b202e4e455420434c5220322e302e35303732373b204d656469612043656e74657220504320352e3029;4d6f7a696c6c612f352e30202857696e646f77733b20553b2057696e646f7773204e5420362e313b2063733b2072763a312e392e322e3629204765636b6f2f3230313030363238206d796962726f772f34616c70686132;4d6f7a696c6c612f352e302028636f6d70617469626c653b20553b204142726f77736520302e363b2053796c6c61626c6529204170706c655765624b69742f3432302b20284b48544d4c2c206c696b65204765636b6f29;4d6f7a696c6c612f352e3020285831313b20553b204c696e757820693638363b20706c2d504c3b2072763a312e392e302e3629204765636b6f2f32303039303230393131;4d6f7a696c6c612f352e3020284d6163696e746f73683b20553b20496e74656c204d6163204f5320583b20656e3b2072763a312e382e312e313129204765636b6f2f32303037313132382043616d696e6f2f312e352e34
>
> You might find this breakout more useful when searching the file for matching strings:
>
> ~ % sigtool -fUnix.Trojan.Tsunami-6981155-0|sigtool --decode-sigs
> VIRUS NAME: Unix.Trojan.Tsunami-6981155-0
> TDB: Engine:51-255,Target:6
> LOGICAL EXPRESSION: 0&1&2&3&4
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; MyIE2; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0)
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (compatible; U; ABrowse 0.6; Syllable) AppleWebKit/420+ (KHTML, like Gecko)
> * SUBSIG ID 3
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.6) Gecko/2009020911
> * SUBSIG ID 4
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
>
> -Al-
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>
> https://lists.clamav.net/mailman/listinfo/clamav-users <https://lists.clamav.net/mailman/listinfo/clamav-users>
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq <https://github.com/vrtadmin/clamav-faq>
>
> http://www.clamav.net/contact.html#ml <http://www.clamav.net/contact.html#ml>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml