Outline

- What is ClamAV
- Where to get ClamAV
- Different ClamAV signature formats: .hdb, .mdb, .ndb, .ldb
- Whitelisting
- Q&A
ClamAV
What is ClamAV?
Clam AntiVirus (ClamAV) is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities, including:

- A flexible and scalable multi-threaded daemon (clamd)
- A command line scanner (clamscan)
- An advanced tool for automatic database updates (freshclam)
- Sigtool (more later)
Sigtool (ships with ClamAV) can display detailed information on CVD files:
Hash database: *.hdb (contd)

That's it! The signature is ready to be used:
The easiest way to generate MD5 based section signatures is to extract the target PE sections into separate files and then run sigtool with the --mdb option:
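The two hash formats above (whole-file MD5 in .hdb, per-section MD5 in .mdb) are simple enough to reproduce by hand. The script below is an added example, not ClamAV's or sigtool's own code: it reads the PE section table with nothing but struct, emits .hdb and .mdb lines in the MD5:FileSize:MalwareName and PESectionSize:PESectionHash:MalwareName layouts, and matches them back against a file. The build_fake_pe() helper, the section contents and the signature names are constructed test data, not real malware.

```python
import hashlib
import struct

# Added example (not ClamAV's own code): build .hdb / .mdb entries the way the
# slides describe, from a whole file and from individual PE sections.

SECTION_HDR = "<8sIIII"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData


def pe_sections(data):
    """Return [(name, raw_bytes)] for each section, reading only the PE headers needed."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsect,) = struct.unpack_from("<H", data, e_lfanew + 6)      # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)  # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsect):
        name, _vsize, _vaddr, rawsize, rawptr = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), data[rawptr:rawptr + rawsize]))
    return sections


def hdb_entry(data, name):
    """Whole-file MD5 signature, .hdb layout: MD5:FileSize:MalwareName."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def mdb_entries(data, name):
    """Per-section MD5 signatures, .mdb layout: PESectionSize:PESectionHash:MalwareName."""
    return [f"{len(raw)}:{hashlib.md5(raw).hexdigest()}:{name}" for _sect, raw in pe_sections(data)]


def scan(data, hdb=(), mdb=()):
    """Return the names of matching entries: .hdb against the whole file, .mdb against every section."""
    hits = []
    whole = f"{hashlib.md5(data).hexdigest()}:{len(data)}"
    for entry in hdb:
        digest, size, sig = entry.split(":", 2)
        if f"{digest}:{size}" == whole:
            hits.append(sig)
    sect_hashes = {f"{len(raw)}:{hashlib.md5(raw).hexdigest()}" for _s, raw in pe_sections(data)}
    for entry in mdb:
        size, digest, sig = entry.split(":", 2)
        if f"{size}:{digest}" in sect_hashes:
            hits.append(sig)
    return hits


def build_fake_pe(sections):
    """Constructed test input: a minimal PE32 image in memory, NOT a runnable program."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    raw_base = e_lfanew + 4 + len(coff) + opt_size + 40 * len(sections)
    table, body = b"", b""
    for i, (name, raw) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000 * (i + 1), len(raw),
                             raw_base + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + body


if __name__ == "__main__":
    sample = build_fake_pe([(b".text", b"\x55\x8b\xec\x33\xc0\x5d\xc3"), (b".data", b"constructed")])
    print(hdb_entry(sample, "Test.Sample"))
    for line in mdb_entries(sample, "Test.Sample"):
        print(line)
```

The point of the .mdb format shows up when the .data section of the sample is changed: the whole-file .hdb entry no longer matches, but the .text section entry still does, which is why section hashes survive trivial repacking of data or resources.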
TargetType is one of the following numbers specifying the type of the target file:

0: Any file
1: Portable Executable
2: OLE2 component (eg: VBA script)
3: HTML (normalized)
4: Mail file
5: Graphics
6: ELF
7: ASCII text file (normalized)
Opcode:
e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4
Signature:
Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4
Opcode:
e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4
Signature:
Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4
For 7.exe:
EP: 0x406D87
Binary string: 0x406E6C
In both cases the distance between EP and our binary string is the same: 0xE5 = 229 (decimal)
In a .ldb file:
Worm.Godog;Target:0;((0|1|2|3)&(4));66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c;66696c6565786973747328{25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{25}202620225c616e7469766972616c20746f6f6c6b69742070726f;66696c656578697374732028{-25}202620225c6176706572736f6e616c{100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c;66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e;666f7220{-10}203d203120746f20{10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{300}2e6174746163686d656e74732e616464{-150}2e73656e64
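The logical signature above is hard to read as hex, but its structure is simple: subsignatures 0 to 3 are four ways of deleting an installed anti-virus product, subsignature 4 is the mail loop, and the expression ((0|1|2|3)&(4)) demands the loop plus any one deletion. The script below is an added example, not ClamAV's code: it splits an .ldb line into name, target block, expression and subsignatures, decodes each subsignature to text while keeping the {n} gaps as written, and evaluates the expression over a set of matched subsignature indices. The evaluator supports only digits, |, & and parentheses and binds & tighter than |, which is this example's choice; the expression on the slide is fully parenthesized, so precedence never matters for it.

```python
import re

# Added example (not ClamAV's own code): parse a .ldb line, decode its hex subsignatures
# for reading, and evaluate the logical expression over the set of matched subsignatures.

# The Worm.Godog signature from the slide, used here as sample input.
GODOG = ("Worm.Godog;Target:0;((0|1|2|3)&(4));"
         "66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c;"
         "66696c6565786973747328{25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{25}202620225c616e7469766972616c20746f6f6c6b69742070726f;"
         "66696c656578697374732028{-25}202620225c6176706572736f6e616c{100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c;"
         "66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e;"
         "666f7220{-10}203d203120746f20{10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{300}2e6174746163686d656e74732e616464{-150}2e73656e64")


def parse_ldb(line):
    """Split SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;... into a dict."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("an .ldb line needs a name, target block, expression and at least one subsig")
    target = dict(kv.split(":", 1) for kv in fields[1].split(","))
    return {"name": fields[0], "target": target, "expr": fields[2], "subsigs": fields[3:]}


def decode_subsig(hexsig):
    """Render a hex subsignature as text, keeping {n}/{-n} gaps, ?? and * as written."""
    out = []
    for token in re.findall(r"\{[^}]*\}|\?\?|\*|[0-9a-fA-F]{2}", hexsig):
        if token.startswith("{") or token in ("??", "*"):
            out.append(token)
        else:
            byte = bytes.fromhex(token)
            out.append(byte.decode("ascii") if 32 <= byte[0] < 127 else f"\\x{token}")
    return "".join(out)


def eval_expr(expr, matched):
    """Evaluate an expression such as ((0|1|2|3)&(4)) given the set of matched subsig indices."""
    tokens = re.findall(r"\d+|[()|&]", expr)
    pos = 0

    def parse_or():            # or-level: A | B
        nonlocal pos
        val = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            rhs = parse_and()   # evaluate both sides; no short-circuit so the cursor always advances
            val = val or rhs
        return val

    def parse_and():           # and-level: A & B, binds tighter than |
        nonlocal pos
        val = parse_atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            rhs = parse_atom()
            val = val and rhs
        return val

    def parse_atom():          # atom: ( expr ) or a subsignature index
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            val = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in " + expr)
            pos += 1
            return val
        return int(tok) in matched

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in " + expr)
    return result


def ldb_verdict(sig, matched):
    """Return the signature name when the logical expression holds for the matched subsigs, else None."""
    return sig["name"] if eval_expr(sig["expr"], matched) else None


if __name__ == "__main__":
    sig = parse_ldb(GODOG)
    for i, sub in enumerate(sig["subsigs"]):
        print(i, decode_subsig(sub))
    print(ldb_verdict(sig, {0, 4}), ldb_verdict(sig, {0, 1, 2, 3}))
```

Decoding shows why the expression is written this way: a script that only deletes an anti-virus install (subsigs 0 to 3 alone) or only loops over an address book (subsig 4 alone) is not flagged, while the combination is.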
Whitelisting
To whitelist a specific file create an entry in a database file with the extension of .fp following the MD5 signature format:
MD5:FileSize:Comment
Whitelisting (contd)
To whitelist a specific signature inside main.cvd add the following entry into a local file local.ign:
db_name:line_number:signature_name
To ignore the myTestSignature at line 23 in test.ndb:
test.ndb:23:myTestSignature
Daily.ign:
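The two whitelisting mechanisms act at different stages: an .fp entry (same MD5:FileSize:Name layout as .hdb) suppresses a verdict on a known-good file, while an .ign entry (db_name:line_number:signature_name) drops one signature at database load time. The script below is an added example, not ClamAV's code, modelling both. One design choice is this example's own assumption rather than documented ClamAV behaviour: when an .ign line points at a database line whose signature name differs, the loader raises instead of silently ignoring whatever now sits on that line, so a stale .ign file after a database update is noticed. The database, whitelist and .ign texts are constructed test data; the hashed sample is a plain byte string, not malware.

```python
import hashlib

# Added example (not ClamAV's own code): how .fp whitelist entries and local.ign
# entries suppress detections from an MD5 hash database.


def parse_hash_entries(text):
    """Parse .hdb/.fp lines (MD5:FileSize:Name) into {"md5:size": name}; '#' lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(":", 2)
        table[f"{digest.lower()}:{int(size)}"] = name
    return table


def load_ign(text):
    """Parse local.ign lines (db_name:line_number:signature_name) into {(db, line): name}."""
    ignored = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        db, lineno, name = line.split(":", 2)
        ignored[(db, int(lineno))] = name
    return ignored


def load_db(db_name, text, ignored):
    """Load a hash database, dropping the signatures listed in .ign for this db.

    Assumption of this example: an .ign entry whose name does not match the signature actually
    found on that line is treated as an error, so a stale .ign cannot silence the wrong signature."""
    active = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(":", 2)
        wanted = ignored.get((db_name, lineno))
        if wanted is not None:
            if wanted != name:
                raise ValueError(f"{db_name}:{lineno}: .ign names {wanted} but the signature there is {name}")
            continue                                  # ignored: never loaded
        active[f"{digest.lower()}:{int(size)}"] = name
    return active


def scan_file(data, active, whitelist):
    """Return the signature name for data, or None when nothing matches or an .fp entry covers it."""
    key = f"{hashlib.md5(data).hexdigest()}:{len(data)}"
    if key in whitelist:
        return None                                   # .fp entry wins over any .hdb hit
    return active.get(key)


def ign_mismatch_detected(db_name, text, ign_text):
    """True when load_db rejects an .ign entry that names a different signature than the db line holds."""
    try:
        load_db(db_name, text, load_ign(ign_text))
    except ValueError:
        return True
    return False


# Constructed test data: a sample file, a two-line hash db, an .ign file and an .fp whitelist.
SAMPLE = b"constructed sample file contents"
HDB_TEXT = (f"{hashlib.md5(SAMPLE).hexdigest()}:{len(SAMPLE)}:Test.Sample\n"
            f"{hashlib.md5(b'other').hexdigest()}:5:Test.Other\n")
IGN_TEXT = "test.hdb:2:Test.Other\n"
FP_TEXT = f"{hashlib.md5(SAMPLE).hexdigest()}:{len(SAMPLE)}:Known.Good\n"

if __name__ == "__main__":
    active = load_db("test.hdb", HDB_TEXT, load_ign(IGN_TEXT))
    print("without .fp:", scan_file(SAMPLE, active, {}))
    print("with .fp:   ", scan_file(SAMPLE, active, parse_hash_entries(FP_TEXT)))
```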
More questions?
- clamav-users@lists.clamav.net - user questions
- clamav-devel@lists.clamav.net - technical discussions

Alternatively you can try asking on the #clamav IRC channel on irc.freenode.net.

If you have questions or comments on this presentation: azidouemba@sourcefire.com
ClamAV/VRT/Sourcefire
Websites
http://www.clamav.net
http://www.snort.org
http://www.sourcefire.com
Blogs
http://clam-av.blogspot.com
http://vrt-sourcefire.blogspot.com
Contribute
Sample submission
http://www.clamav.net/sendvirus/
Upload statistics:
freshclam --submit-stats
Bug submission
http://bugs.clamav.net
Q&A