clamav-unofficial signatures related question

General eFa discussion
Post Reply
ovizii
Posts: 463
Joined: 11 May 2016 08:08

clamav-unofficial signatures related question

Post by ovizii »

I have 2 EFAs.

EFA A caught an email with: SecuriteInfo.com.Ransomware
I was curios and did this on EFA A:

Code: Select all

sigtool --find-sigs SecuriteInfo.com.Ransomware
results in a long string of similar lines:

Code: Select all

[javascript.ndb] SecuriteInfo.com.Ransomware:3:*:687474703a2f2f7a7077616e672e6e6574
and checking the exact signature:

Code: Select all

sigtool --find-sigs SecuriteInfo.com.Ransomware | sigtool --decode-sigs
results in details:

Code: Select all

DECODED SIGNATURE:
http://zurrmax.de
VIRUS NAME: SecuriteInfo.com.Ransomware
Trying this on EFA B which uses the same subscription keys for malwarepatrol and securiteinfo I get this:

Code: Select all

sigtool --find-sigs SecuriteInfo.com.Ransomware

Code: Select all

[securiteinfohtml.hdb] 4b5781eb7cd6900b04155f1ce77f2e0a:16469:SecuriteInfo.com.Ransomware-B.31656.30052.9000

Code: Select all

sigtool --find-sigs SecuriteInfo.com.Ransomware | sigtool --decode-sigs
ERROR: decodesig: Invalid or not supported signature format
TOKENS COUNT: 3
So instead of comparing my config files inside: /etc/clamav-unofficial-sigs/ line by line I simply copied all those config files from EFA A to EFA B and waited about 48 hours but the above still holds true.

Any ideas?
Top
User avatar
pdwalker
Posts: 1583
Joined: 18 Mar 2015 09:16

Re: clamav-unofficial signatures related question

Post by pdwalker »

I get the same problem

Code: Select all

[root@efa clamav-unofficial-sigs]# sigtool --find-sigs SecuriteInfo.com.Ransomware-B.31656.30052.9000
[securiteinfohtml.hdb] 4b5781eb7cd6900b04155f1ce77f2e0a:16469:SecuriteInfo.com.Ransomware-B.31656.30052.9000
^C
[root@efa clamav-unofficial-sigs]# sigtool --find-sigs SecuriteInfo.com.Ransomware-B.31656.30052.9000 | sigtool --decode-sigs
ERROR: decodesig: Invalid or not supported signature format
TOKENS COUNT: 3
Are there any differences in your /var/lib/clamav-unofficial-sigs directory between the two machines? (md5sum will tell you). How about in /var/lib/clamav/ ?
Top
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: clamav-unofficial signatures related question

Post by ovizii »

for what its worth I checked these and I get these exact same md5 hashes on both machines for this folder (haven't checked the others as this one contains the securite DBs)

Code: Select all

md5sum /var/lib/clamav-unofficial-sigs/dbs-si/*
8a278699859e4e9149444fe98fbebbd6  /var/lib/clamav-unofficial-sigs/dbs-si/javascript.ndb
bb199e4976d98e5ec0e42329e1a0fe4c  /var/lib/clamav-unofficial-sigs/dbs-si/securiteinfoandroid.hdb
e9a8c9fb74252ec6dc85e9d60b537f7a  /var/lib/clamav-unofficial-sigs/dbs-si/securiteinfoascii.hdb
ce2156b554a6b1d2aa5508bac18a1f84  /var/lib/clamav-unofficial-sigs/dbs-si/securiteinfo.hdb
f686bf43f6d2319db1d04d1f059add27  /var/lib/clamav-unofficial-sigs/dbs-si/securiteinfohtml.hdb
f4f7f8c4b8c4ce9a634d7957f10a0711  /var/lib/clamav-unofficial-sigs/dbs-si/securiteinfo.ign2
6f83073ba1fca9ab16972faed9a6a379  /var/lib/clamav-unofficial-sigs/dbs-si/securiteinfopdf.hdb
this one for the other securite DBs:

Code: Select all

md5sum /var/lib/clamav/securiteinfo*
bb199e4976d98e5ec0e42329e1a0fe4c  /var/lib/clamav/securiteinfoandroid.hdb
e9a8c9fb74252ec6dc85e9d60b537f7a  /var/lib/clamav/securiteinfoascii.hdb
ce2156b554a6b1d2aa5508bac18a1f84  /var/lib/clamav/securiteinfo.hdb
f686bf43f6d2319db1d04d1f059add27  /var/lib/clamav/securiteinfohtml.hdb
f4f7f8c4b8c4ce9a634d7957f10a0711  /var/lib/clamav/securiteinfo.ign2
6f83073ba1fca9ab16972faed9a6a379  /var/lib/clamav/securiteinfopdf.hdb
Top
Post Reply

Return to “Discussion”