Mailing List Archive

Some questions about HeuristicScan
I have three questions about Heuristic Scan in ClamAV.
1. What types of files are scanned by the Heuristic scan?
2. How can I enable or disable the Heuristic function?
3. How can I get some files to test the Heuristic function with?

Thanks.
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
Re: Some questions about HeuristicScan
On Tue, 30 Nov 2010 17:46:49 +0800
Tony Zhai <tonyzhai@gmail.com> wrote:

> I have three questions about Heuristic Scan in ClamAV.
> 1. What types of files are scanned by the Heuristic scan?

All engine detections (as opposed to signature-based) are prefixed with
Heuristics.

> 2. How can I enable or disable the Heuristic function?

Depends on the category; you can enable/disable these in clamd.conf:

ArchiveBlockEncrypted:
Heuristics.Encrypted.RAR
Heuristics.Encrypted.Zip

OLE2BlockMacros:
Heuristics.OLE2.ContainsMacros

PhishingScanURLs:
Heuristics.Phishing.Email
Heuristics.Phishing.Email.Cloaked.Null
Heuristics.Phishing.Email.Cloaked.NumericIP
Heuristics.Phishing.Email.Cloaked.Username
Heuristics.Phishing.Email.SpoofedDomain
Heuristics.Phishing.Email.SSL-Spoof
Heuristics.Phishing.URL.Blacklisted

SafeBrowsing (freshclam.conf):
Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net
Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net

StructuredDataDetection:
Heuristics.Structured.CreditCardNumber
Heuristics.Structured.SSN

AlgorithmicDetection:
Heuristics.Exploit.W32.MS04-028
Heuristics.Exploit.W32.MS05-002
Heuristics.PDF.ObfuscatedNameObject
Heuristics.Trojan.Swizzor.Gen
Heuristics.W32.Kriz
Heuristics.W32.Magistr.A
Heuristics.W32.Magistr.A.dam
Heuristics.W32.Magistr.B
Heuristics.W32.Magistr.B.dam
Heuristics.W32.Parite.B
Heuristics.W32.Polipos.A
Heuristics.Worm.Mydoom.M.log

> 3. How can I get some files to test the Heuristic function with?

Depends on category again. For Heuristics.Encrypted.RAR you can create
an encrypted file yourself. Which one do you want to test?

Best regards,
--Edwin
Re: Some questions about HeuristicScan
Actually, I want to test every one of them. We have tested
Heuristics.Encrypted.RAR; what about the others?
Thanks.

Re: Some questions about HeuristicScan
On Wed, 1 Dec 2010 15:40:17 +0800
Tony Zhai <tonyzhai@gmail.com> wrote:

> Actually, I want to test every one of them. We have tested
> Heuristics.Encrypted.RAR; what about the others?

Phishing: send an HTML email where the href points to some site, and the
contents of the link point to ebay (or another one listed in daily.pdb).
Safebrowsing: enable it, and send a link that you know is in the
safebrowsing DB (for example because Firefox reports it as an
attack/phishing site).
StructuredData: enable it, and send some SSN/credit card info in an
email.
For the exploits you might find some PoCs on full-disclosure.
For the Heuristics.W32.* malware you'll just have to rely on your own
collection.

Best regards,
--Edwin
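As an added example (not part of this thread and not ClamAV's own code), the script below builds the two kinds of test mail Edwin describes for the PhishingScanURLs and StructuredDataDetection categories, and includes a rough local check of the properties the fixtures rely on. Its assumptions are not stated on the page: that StructuredDataDetection wants a Luhn-valid card number and a plausibly formatted SSN, and that the phishing check compares the host named in the visible link text with the host in the href. Every address, host and number in it (example.test, 203.0.113.7, 4111..., 078-05-1120) is constructed test data.

```python
"""Constructed test inputs for the ClamAV heuristic categories named in the thread.

Added example; not code from the thread or from ClamAV.  It assumes that
StructuredDataDetection validates card numbers with the Luhn check and SSNs
by the AAA-GG-SSSS layout, and models PhishingScanURLs as "visible link
text names a different host than the href".  All addresses, numbers and
hosts below are made-up test data (RFC 5737 address, .test domain).
"""
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


def luhn_check_digit(body: str) -> str:
    """Digit that makes body+digit pass Luhn (mod 10); body = all but last digit."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # rightmost body digit is doubled
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the digits of number (separators ignored) pass the Luhn check."""
    digits = re.sub(r"\D", "", number)
    if len(digits) < 13:
        return False
    return luhn_check_digit(digits[:-1]) == digits[-1]


SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def ssn_plausible(ssn: str) -> bool:
    """AAA-GG-SSSS, no all-zero field, area not 666 and below 900 (assumed rules)."""
    m = SSN_RE.match(ssn)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that "looks like" a URL or bare host name, e.g. http://www.ebay.com/x
_HOSTISH = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def _host(url: str) -> str:
    h = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h


def cloaked_links(html: str) -> list:
    """(href, text) pairs whose visible text is a URL on another host than href.
    A rough model of the display-URL vs real-URL comparison, not ClamAV's code."""
    p = _Anchors()
    p.feed(html)
    return [(href, text) for href, text in p.pairs
            if (m := _HOSTISH.match(text)) and m.group(1).lower() != _host(href)]


def phishing_test_email(visible_url: str, real_href: str) -> bytes:
    """HTML mail whose link text shows visible_url but whose href is real_href."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "tester@example.test", "mailbox@example.test"
    msg["Subject"] = "heuristics test: phishing"
    msg.set_content("Plain part; the HTML alternative carries the cloaked link.")
    # Short lines keep the part 7bit so the URLs stay literal in the .eml.
    msg.add_alternative("<html><body>\n<p>Verify your account:\n"
                        f'<a href="{real_href}">{visible_url}</a></p>\n'
                        "</body></html>\n", subtype="html")
    return msg.as_bytes()


def structured_data_test_email(card: str, ssn: str) -> bytes:
    """Plain mail carrying one Luhn-valid card number and one plausible SSN."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "tester@example.test", "mailbox@example.test"
    msg["Subject"] = "heuristics test: structured data"
    msg.set_content(f"Card number: {card}\nSSN: {ssn}\n")
    return msg.as_bytes()


# Constructed values: the classic Luhn test prefix, and a well-known never-issued SSN.
TEST_CARD = "411111111111111" + luhn_check_digit("411111111111111")  # 4111111111111111
TEST_SSN = "078-05-1120"

if __name__ == "__main__":
    with open("phish.eml", "wb") as f:
        f.write(phishing_test_email("http://www.ebay.com/signin", "http://203.0.113.7/login"))
    with open("dlp.eml", "wb") as f:
        f.write(structured_data_test_email(TEST_CARD, TEST_SSN))
    print("wrote phish.eml and dlp.eml")
```

Run the script, then scan the two files with clamscan with the matching option switched on (`--phishing-scan-urls=yes` for phish.eml, `--detect-structured=yes` for dlp.eml); under clamd the equivalents are the PhishingScanURLs and StructuredDataDetection keys in clamd.conf listed earlier in the thread. `cloaked_links` only sanity-checks the fixture before you send it; it is not the engine's algorithm, so a mismatch it reports is not a guarantee that ClamAV will flag the message.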