> Tom Shaw wrote:
>> At 4:30 PM -0400 4/24/09, Ricardo Stella wrote:
>>> Tom Shaw wrote:
>>>> At 3:06 PM -0400 4/24/09, Ricardo Stella wrote:
>>>>> Tom Shaw wrote:
>>>>>> At 3:04 PM -0400 4/23/09, Ricardo Stella wrote:
>>>>>>> Are there any sample test messages to trigger the winnow sigs?
>>>>>>
>>>>>> http://www.oitc.com/winnow/clamsigs/index.html
>>>>>>
>>>>>> Test signatures are also available:
>>>>>>  * winnow.malware.test.eicar.com - will be identified when the eicar.com file is detected.
>>>>>>  * winnow.phish.ts.test.test - will be identified when you place testpointstart->XXXXXXXXXXX<-testpointend in an email.
>>>>>
>>>>> Ok - Problem is, I'm not getting anything to get this to trigger. I created a text file with the text above - also created a text file with the eicar.com string. And I'm not getting anything...
>>>>>
>>>>> For example, with the eicar.com file and using the winnow_malware...
>>>>>
>>>>> # clamscan -d ./winnow_malware.hdb -v /tmp/eicar.com
>>>>> Scanning /tmp/eicar.com
>>>>> /tmp/eicar.com: OK
>>>>>
>>>>> ----------- SCAN SUMMARY -----------
>>>>> Known viruses: 330
>>>>> Engine version: 0.95.1
>>>>> Scanned directories: 0
>>>>> Scanned files: 1
>>>>> Infected files: 0
>>>>> Data scanned: 0.00 MB
>>>>> Data read: 0.00 MB (ratio 0.00:1)
>>>>> Time: 0.004 sec (0 m 0 s)
>>>>
>>>> Gee. Have you checked your files against Steve's GPG sigs? I detect fine.
>>>>
>>>> clamscan -d winnow_malware.hdb eicar.com
>>>> eicar.com: winnow.malware.test.eicar.com.UNOFFICIAL FOUND
>>>
>>> Ok - Sorry if I'm asking newbie questions here. Didn't mean to upset anyone...
>>>
>>> If by testing the sig files you mean...
>>>
>>> # ./unofficial-clamav-sigs.sh -g winnow_malware.hdb
>>> GPG signature testing database file: /usr/local/etc/unofficial-dbs/ss-dbs/winnow_malware.hdb
>>> gpg: Signature made Fri 24 Apr 2009 02:50:48 PM EDT using DSA key ID 31EA4D9E
>>> gpg: Good signature from "Sanesecurity (Sanesecurity Signatures) <steveb_clamav@xxxxxxxxxxxxxxxxxx>"
>>>
>>> # clamscan -d /usr/local/etc/unofficial-dbs/ss-dbs/winnow_malware.hdb /tmp/eicar.com
>>> /tmp/eicar.com: OK
>>>
>>> However,
>>>
>>> # clamscan /tmp/eicar.com
>>> /tmp/eicar.com: Eicar-Test-Signature FOUND
>>>
>>> The email tests (Email.Sanesecurity.TestSig) all work, so I know the DBs are being used...
>>
>> Again it tests fine here. Check the file:
>>
>> > cat /usr/local/etc/unofficial-dbs/ss-dbs/winnow_malware.hdb
>>
>> The first signature should be named winnow.malware.2 and the last winnow.malware.test.eicar.com
>>
>> Tom
>
> Both entries are there...
>
> b805dd57ea67166cdfa422b0255bf814:10752:winnow.malware.2
> ....
> 44d88612fea8a8f36de82e1278abb02f:68:winnow.malware.test.eicar.com

I hope someone chimes in here as I am pulling a blank. I take it

clamscan -d /usr/local/etc/unofficial-dbs/ss-dbs/winnow_malware.hdb eicar.com

didn't work. What OS and version are you using?

Tom
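An added example, not from this thread and not ClamAV's own code, showing what the quoted .hdb entries mean: a small Python parser for the md5:size:name format that checks a file's bytes against the database the way a whole-file hash signature is matched. The two-line database and the EICAR test string are constructed inline; the point is that a hash signature hits only a byte-exact file, so a copy whose bytes differ at all (even a trailing newline) misses it even though a content signature for the same string can still fire.

```python
import hashlib

# Constructed two-line ClamAV .hdb database, copied from the entries quoted
# in the thread. Format per line: <md5>:<file size in bytes>:<signature name>.
SAMPLE_HDB = """\
b805dd57ea67166cdfa422b0255bf814:10752:winnow.malware.2
44d88612fea8a8f36de82e1278abb02f:68:winnow.malware.test.eicar.com
"""

# The 68-byte EICAR standard anti-virus test string (harmless by design).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def parse_hdb(text):
    """Parse .hdb text into {(md5, size): name}; blank and '#' lines are skipped."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)  # the name may itself contain ':'
        if len(fields) != 3 or len(fields[0]) != 32:
            raise ValueError("malformed .hdb entry on line %d: %r" % (lineno, line))
        md5, size, name = fields[0].lower(), int(fields[1]), fields[2]
        entries[(md5, size)] = name
    return entries


def hdb_line(data, name):
    """Build the .hdb entry that would match exactly these bytes."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


def match_hdb(data, entries):
    """Return the matching signature name, or None.

    Hash signatures are whole-file exact matches: one extra byte changes
    both the size and the digest, so the lookup misses.
    """
    return entries.get((hashlib.md5(data).hexdigest(), len(data)))


if __name__ == "__main__":
    db = parse_hdb(SAMPLE_HDB)
    print(hdb_line(EICAR, "winnow.malware.test.eicar.com"))
    print(match_hdb(EICAR, db))          # winnow.malware.test.eicar.com
    print(match_hdb(EICAR + b"\n", db))  # None: 69 bytes, different digest
```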