[sanesecurity] Re: winnow test messages?

  • From: Tom Shaw <tshaw@xxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Fri, 24 Apr 2009 17:39:14 -0400

Tom Shaw wrote:
 At 4:30 PM -0400 4/24/09, Ricardo Stella wrote:
 Tom Shaw wrote:
  At 3:06 PM -0400 4/24/09, Ricardo Stella wrote:
  Tom Shaw wrote:
   At 3:04 PM -0400 4/23/09, Ricardo Stella wrote:
   Are there any sample test messages to trigger the winnow sigs?

   http://www.oitc.com/winnow/clamsigs/index.html

  Test signatures are also available:

      * winnow.malware.test.eicar.com - will be identified when the
  eicar.com file is detected.
      * winnow.phish.ts.test.test - will be identified when you place
  testpointstart->XXXXXXXXXXX<-testpointend in an email.


  Ok - Problem is, I'm not getting anything to get this to trigger.  I
  created a text file with the text above - Also created a text file with
  eicar.com string.   And I'm not getting anything...  For example, with
  the eicar.com file and using the winnow_malware...

  # clamscan -d ./winnow_malware.hdb -v /tmp/eicar.com
  Scanning /tmp/eicar.com
  /tmp/eicar.com: OK

  ----------- SCAN SUMMARY -----------
  Known viruses: 330
  Engine version: 0.95.1
  Scanned directories: 0
  Scanned files: 1
  Infected files: 0
  Data scanned: 0.00 MB
  Data read: 0.00 MB (ratio 0.00:1)
  Time: 0.004 sec (0 m 0 s)

  Gee. Have you checked your files against Steve's GPG sigs?  I detect fine.

  clamscan -d winnow_malware.hdb eicar.com
  eicar.com: winnow.malware.test.eicar.com.UNOFFICIAL FOUND

 Ok - Sorry if I'm asking newbie questions here.  Didn't mean to upset
 anyone...  If by testing the sig files you mean...

 # ./unofficial-clamav-sigs.sh -g winnow_malware.hdb

 GPG signature testing database file:
 /usr/local/etc/unofficial-dbs/ss-dbs/winnow_malware.hdb

 gpg: Signature made Fri 24 Apr 2009 02:50:48 PM EDT using DSA key ID 31EA4D9E
 gpg: Good signature from "Sanesecurity (Sanesecurity Signatures) <steveb_clamav@xxxxxxxxxxxxxxxxxx>"

 # clamscan -d /usr/local/etc/unofficial-dbs/ss-dbs/winnow_malware.hdb /tmp/eicar.com
 /tmp/eicar.com: OK

 However,

 # clamscan /tmp/eicar.com
 /tmp/eicar.com: Eicar-Test-Signature FOUND

 The email tests Email.Sanesecurity.TestSig all work, so I know the DBs
 are being used...

 Again it tests fine here. Check the file:

 > cat /usr/local/etc/unofficial-dbs/ss-dbs/winnow_malware.hdb

 The first signature should be named winnow.malware.2 and the last
 winnow.malware.test.eicar.com

 Tom
Both entries are there...

b805dd57ea67166cdfa422b0255bf814:10752:winnow.malware.2
....
44d88612fea8a8f36de82e1278abb02f:68:winnow.malware.test.eicar.com

I hope someone chimes in here as I am pulling a blank

I take it

clamscan -d /usr/local/etc/unofficial-dbs/ss-dbs/winnow_malware.hdb eicar.com

didn't work

What OS and version are you using?

Tom
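An added example, not from this thread and not Sanesecurity's or ClamAV's own code, that does by hand what clamscan does with a `.hdb` database: every line is `md5:filesize:signature-name`, and a file is reported only when both its byte length and its MD5 equal the entry. It uses the two hdb lines quoted above and the standard 68-byte EICAR string; the trailing-newline variant is constructed here to show how a hash signature fails on a one-byte difference (the official `Eicar-Test-Signature` is a body signature, which is why `clamscan` without `-d` can still hit). The `*` size wildcard is handled because newer ClamAV releases accept it; that is an assumption about engine support, not something the thread states.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# The two .hdb lines quoted in the thread (the "...." between them is elided there too).
SAMPLE_HDB = """\
b805dd57ea67166cdfa422b0255bf814:10752:winnow.malware.2
44d88612fea8a8f36de82e1278abb02f:68:winnow.malware.test.eicar.com
"""

# The standard 68-byte EICAR test string (harmless by design), as a raw byte
# literal so the backslash survives unchanged.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass(frozen=True)
class HdbEntry:
    md5: str
    size: Optional[int]  # None stands for "*" (any size; assumed accepted by newer ClamAV)
    name: str


def parse_hdb(text: str) -> List[HdbEntry]:
    """Parse md5:size:name lines; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, name = line.split(":", 2)
        entries.append(HdbEntry(md5.lower(), None if size == "*" else int(size), name))
    return entries


def match_hdb(data: bytes, entries: List[HdbEntry]) -> Optional[str]:
    """Return the matching signature name, or None (what clamscan prints as OK)."""
    digest = hashlib.md5(data).hexdigest()
    for e in entries:
        if e.md5 == digest and (e.size is None or e.size == len(data)):
            return e.name
    return None


def explain(data: bytes, entry: HdbEntry) -> dict:
    """Report which half of a hash signature fails when a file 'should' match but does not."""
    digest = hashlib.md5(data).hexdigest()
    return {
        "size": len(data),
        "size_ok": entry.size is None or entry.size == len(data),
        "md5": digest,
        "md5_ok": entry.md5 == digest,
    }


if __name__ == "__main__":
    entries = parse_hdb(SAMPLE_HDB)
    print("exact file  :", match_hdb(EICAR, entries))
    print("with newline:", match_hdb(EICAR + b"\n", entries))
    print(explain(EICAR + b"\n", entries[1]))
```

Running `explain()` on a file that clamscan reports as OK against a signature you expect to hit tells you immediately whether the size or the digest is off; a text editor that appends a newline when saving the test file is enough to turn the 68-byte entry into a 69-byte miss, so compare the file's length against the hdb line before suspecting the database itself.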
