Discussion:
Unofficial malware signatures for Clamav
Arnaud Jacques
2007-08-18 14:54:31 UTC
Hello Clamav users,

With more than 140000 official signatures, ClamAV's detection rate is
excellent.
However, because of the many viruses, trojans, spyware, and other badware in
the wild, SecuriteInfo.com has created its own signatures.
These signatures will be removed gradually as ClamAV includes the
samples in its official database.

More information and FREE DOWNLOAD at :
http://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml
--
Cordialement / Best regards,

Arnaud Jacques
Consultant Sécurité
SecuriteInfo.com
http://www.securiteinfo.com
http://www.securiteinfo.net
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
René Berber
2007-08-18 22:05:54 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Post by Arnaud Jacques
Hello Clamav users,
With more than 140000 official signatures, ClamAV's detection rate is
excellent.
However, because of the many viruses, trojans, spyware, and other badware in
the wild, SecuriteInfo.com has created its own signatures.
These signatures will be removed gradually as ClamAV includes the
samples in its official database.
http://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml
Are you going to set up a general download address, like SaneSecurity?

I ask because I see that your download link is a bare IP address, which you may
change as much as you want, but I would prefer to use a script with only one
address, just like I use with SaneSecurity and MSRBL.
- --
René Berber
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Cygwin)

iD8DBQFGx21CL3NNweKTRgwRCNvhAKD/aZGhfpOx07WNQCChTmzIyXEjTwCgrqt0
p/ON3eSLWarv0Z5KTW6Iz8c=
=5rRa
-----END PGP SIGNATURE-----

Arnaud Jacques
2007-08-19 15:20:50 UTC
Hello René,
Post by René Berber
Are you going to set up a general download address, like SaneSecurity?
I ask because I see that your download link is a bare IP address, which you
may change as much as you want, but I would prefer to use a script with
only one address, just like I use with SaneSecurity and MSRBL.
For now, the IP address is fixed. AFAIK, it will not change in the near
future. You can use it for your script.
--
Cordialement / Best regards,

Arnaud Jacques
Consultant Sécurité
SecuriteInfo.com
http://www.securiteinfo.com
http://www.securiteinfo.net
Andrew McGlashan
2007-08-19 16:21:46 UTC
Hi,
Post by Arnaud Jacques
Post by René Berber
I ask because I see that your download link is a bare IP address,
which you may change as much as you want, but I would prefer to use
a script with only one address, just like I use with SaneSecurity
and MSRBL.
For now, the IP address is fixed. AFAIK, it will not change in the
near future. You can use it for your script.
Why not set up your own local host file entry [or similar] and use a
constant host name of your choice? If the IP address does change, then you
only need to adjust your relevant local hosts file and not adjust your
scripts again.

Kind Regards

AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP

Current Fixed Line No: 03 8705 0300
Mobile: 04 2574 1827 Fax: 03 8790 1224

National No: 1300 85 3804

Affinity Vision Australia Pty Ltd
http://www.affinityvision.com.au
http://adsl2choice.net

In Case of Emergency -- http://www.affinityvision.com.au/ice.html

Arnaud Jacques
2007-08-19 17:05:49 UTC
Post by Andrew McGlashan
Hi,
Post by Arnaud Jacques
Post by René Berber
I ask because I see that your download link is a bare IP address,
which you may change as much as you want, but I would prefer to use
a script with only one address, just like I use with SaneSecurity
and MSRBL.
For now, the IP address is fixed. AFAIK, it will not change in the
near future. You can use it for your script.
Why not set up your own local host file entry [or similar] and use a
constant host name of your choice? If the IP address does change, then you
only need to adjust your relevant local hosts file and not adjust your
scripts again.
I'm just too lazy to do the DNS stuff. I will do it when I get 5 minutes...
:)
--
Cordialement / Best regards,

Arnaud Jacques
Consultant Sécurité
SecuriteInfo.com
http://www.securiteinfo.com
http://www.securiteinfo.net
Dennis Peterson
2007-08-19 04:03:42 UTC
Post by Arnaud Jacques
Hello Clamav users,
With more than 140000 official signatures, ClamAV's detection rate is
excellent.
However, because of the many viruses, trojans, spyware, and other badware in
the wild, SecuriteInfo.com has created its own signatures.
These signatures will be removed gradually as ClamAV includes the
samples in its official database.
http://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml
So that your signatures are easily discovered in my logs I've prefixed
all the virus names with vx so that Backdoor.Win32.LiveList.a becomes
vxBackdoor.Win32.LiveList.a. I'd recommend you do the same - credit
where credit is due.

dp
Arnaud Jacques
2007-08-19 15:22:34 UTC
Hello Dennis,
Post by Dennis Peterson
So that your signatures are easily discovered in my logs I've prefixed
all the virus names with vx so that Backdoor.Win32.LiveList.a becomes
vxBackdoor.Win32.LiveList.a. I'd recommend you do the same - credit
where credit is due.
Good idea. Will do it on next update.
--
Cordialement / Best regards,

Arnaud Jacques
Consultant Sécurité
SecuriteInfo.com
http://www.securiteinfo.com
http://www.securiteinfo.net
Bill Landry
2007-08-19 17:21:38 UTC
Post by Arnaud Jacques
Hello Dennis,
Post by Dennis Peterson
So that your signatures are easily discovered in my logs I've prefixed
all the virus names with vx so that Backdoor.Win32.LiveList.a becomes
vxBackdoor.Win32.LiveList.a. I'd recommend you do the same - credit
where credit is due.
Good idea. Will do it on next update.
Please do VX. or some other clean identity, vx without a dot isn't really
readable.
I agree, which is exactly what I did in prefixing my signature file
after Dennis made his original suggestion.

Arnaud, if you are okay with it, I was thinking about adding VX
signature updates to my publicly available download script hosted at
http://www.sanesecurity.com/clamav/ss-msrbl.txt. It currently provides
scripted update downloads for SaneSecurity and MSRBL signature files. I
was also thinking about adding the MBL signatures, as well.

Note that checks may be done more often than daily, however, downloads
are only done if an update is detected. If you would rather I not add
the VX signature file to the script, just let me know.

Thanks,

Bill
Arnaud Jacques
2007-08-19 19:10:41 UTC
Post by Bill Landry
Post by Arnaud Jacques
Hello Dennis,
Post by Dennis Peterson
So that your signatures are easily discovered in my logs I've prefixed
all the virus names with vx so that Backdoor.Win32.LiveList.a becomes
vxBackdoor.Win32.LiveList.a. I'd recommend you do the same - credit
where credit is due.
Good idea. Will do it on next update.
Please do VX. or some other clean identity, vx without a dot isn't really
readable.
I uploaded a new version with "VX." prefix.
Post by Bill Landry
Arnaud, if you are okay with it, I was thinking about adding VX
signature updates to my publicly available download script hosted at
http://www.sanesecurity.com/clamav/ss-msrbl.txt. It currently provides
scripted update downloads for SaneSecurity and MSRBL signature files. I
was also thinking about adding the MBL signatures, as well.
I'm OK with it.
--
Cordialement / Best regards,

Arnaud Jacques
Consultant Sécurité
SecuriteInfo.com
http://www.securiteinfo.com
http://www.securiteinfo.net
Gerard
2007-08-19 19:37:32 UTC
Post by Arnaud Jacques
Post by Bill Landry
Arnaud, if you are okay with it, I was thinking about adding VX
signature updates to my publicly available download script hosted at
http://www.sanesecurity.com/clamav/ss-msrbl.txt. It currently provides
scripted update downloads for SaneSecurity and MSRBL signature files. I
was also thinking about adding the MBL signatures, as well.
I'm OK with it.
I wrote the 'scamp.sh' script that is available at "SaneSecurity". I
have already sent Steve an updated file that will download and
install your signatures. I am not sure if Steve has had the time to
upload it to his servers yet. He is quite busy.

Assuming that the user runs the script as directed, it should only
download your file when it changes.
--
Gerard
Steve Basford
2007-08-19 20:31:39 UTC
Post by Gerard
I am not sure if Steve has had the time to
upload it to his servers yet. He is quite busy.
Just uploaded the updated script to both domains :)

Cheers,

Steve
Bill Landry
2007-08-19 20:17:21 UTC
Post by Arnaud Jacques
I uploaded a new version with "VX." prefix.
Post by Bill Landry
Arnaud, if you are okay with it, I was thinking about adding VX
signature updates to my publicly available download script hosted at
http://www.sanesecurity.com/clamav/ss-msrbl.txt. It currently provides
scripted update downloads for SaneSecurity and MSRBL signature files. I
was also thinking about adding the MBL signatures, as well.
I'm OK with it.
Great, but I'll wait and send Steve an update to post after you have
updated your DNS (don't want to have to send him too many updates to
post to his site).

Thanks for your contribution to the ClamAV user community and for
allowing me to add your signatures to my download script!

Best regards,

Bill
Bill Landry
2007-08-20 00:17:08 UTC
Post by Bill Landry
Post by Arnaud Jacques
I uploaded a new version with "VX." prefix.
Post by Bill Landry
Arnaud, if you are okay with it, I was thinking about adding VX
signature updates to my publicly available download script hosted at
http://www.sanesecurity.com/clamav/ss-msrbl.txt. It currently provides
scripted update downloads for SaneSecurity and MSRBL signature files. I
was also thinking about adding the MBL signatures, as well.
I'm OK with it.
Great, but I'll wait and send Steve an update to post after you have
updated your DNS (don't want to have to send him too many updates to
post to his site).
Arnaud, I see that sd-9798.dedibox.fr has an "A" record that points to
88.191.56.100, and there is also a "PTR" record for 88.191.56.100 that
points back to sd-9798.dedibox.fr. If this will not change, we can
simply point to sd-9798.dedibox.fr in our download scripts. Does that
work for you?

Bill
Arnaud Jacques
2007-08-20 10:25:59 UTC
Post by Bill Landry
Arnaud, I see that sd-9798.dedibox.fr has an "A" record that points to
88.191.56.100, and there is also a "PTR" record for 88.191.56.100 that
points back to sd-9798.dedibox.fr. If this will not change, we can
simply point to sd-9798.dedibox.fr in our download scripts. Does that
work for you?
Please use http://clamav.securiteinfo.com/vx.hdb.gz for your scripts.
Thank you in advance.
--
Cordialement / Best regards,

Arnaud Jacques
Consultant Sécurité
SecuriteInfo.com
http://www.securiteinfo.com
http://www.securiteinfo.net
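
Added example, not part of any message in this thread and not the code of any script mentioned in it: a shell function that checks every record of an unpacked .hdb file (MD5, file size and signature name, separated by colons) and applies the "VX." name prefix discussed above, leaving already-prefixed names alone. The function name prefix_hdb, the hash values and the name Trojan.Example.b are constructed for illustration; rejecting names that contain whitespace is an assumption.

```shell
#!/bin/sh
# Added example: validate a third-party ClamAV .hdb feed and tag its names.
# Record layout: <32-hex MD5>:<file size in bytes>:<signature name>

# prefix_hdb PREFIX   (stdin: .hdb text, stdout: rewritten .hdb text)
# Returns non-zero if any record is malformed, so the caller can refuse to
# install a damaged or tampered download.
prefix_hdb() {
    awk -F: -v pfx="$1" '
        { sub(/\r$/, "") }                  # tolerate CRLF line endings
        /^[ \t]*$/ { next }                 # skip blank lines
        NF != 3 || length($1) != 32 || $1 !~ /^[0-9A-Fa-f]+$/ ||
        $2 !~ /^[0-9]+$/ || $3 == "" || $3 ~ /[ \t]/ {
            printf "rejected line %d: %s\n", NR, $0 > "/dev/stderr"
            bad = 1
            next
        }
        {
            name = $3
            # Only add the prefix when it is not already there (idempotent).
            if (index(name, pfx) != 1) name = pfx name
            print $1 ":" $2 ":" name
        }
        END { exit bad + 0 }
    '
}

# Constructed sample records (hashes and the second name are made up).
SAMPLE='0123456789abcdef0123456789abcdef:40960:Backdoor.Win32.LiveList.a
FEDCBA9876543210FEDCBA9876543210:1024:VX.Trojan.Example.b'

# Demo: the first name gains the prefix, the second is left unchanged.
printf '%s\n' "$SAMPLE" | prefix_hdb "VX."
```

In an update script this would run on the decompressed download, with the result moved into the ClamAV database directory only when the function returns zero.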