
Question regarding Metasploit signatures
Hello,

What I can see is that ClamAV cannot always successfully detect reverse shell type files (built using Metasploit msfvenom). This is also the case if the file is disguised with a pseudo extension, e.g. test.exe.txt.

When I compared this on virustotal.com, ClamAV seemed to be missing quite a lot of them. Is there any reason why ClamAV doesn't do a more extensive search? Reverse shell or bind shell files are both sensitive, and I was expecting ClamAV to detect them somehow.

Could someone clarify? Also, if this is mentioned anywhere in the docs, I would be grateful if you please point me to that.


Thanks,
Re: Question regarding Metasploit signatures
Hi there,

On Fri, 30 Aug 2019, Manna, Mohammed via clamav-users wrote:

> What I can see that ClamAV cannot always successfully detect reverse
> shell type of files (built using Metasploit msfvenom). And also, if
> the file is covered using a pseudo extension e.g. test.exe.txt
>
> When I was comparing this on virustotal.com ClamAV seems to be
> missing quite a lot of them. Is there any reason why ClamAV doesn't
> do a more extensive search?

ClamAV is by no means perfect, but you haven't told us how you have
configured it, nor how you are using it, so it's difficult to make any
particular observations.

There is a system for reporting failed detections which you can use,
but to avoid wasted effort it will be as well for you first to check
that your issue is not simply the expected result of how you have
configured your ClamAV installation.

> Reverse shell or bind shell both are sensitive files and I was
> expecting ClamAV to be detecting them somehow.

In network security, expecting things to work as intended is sure to
lead to eventual disappointment. If instead you expect things to
fail, and base your behaviour on that expectation, you will likely be
surprised less often - and suffer fewer system compromises.

For example, although I scan all mail using ClamAV, I never expect it
to find anything; but I also block all mail from more than a hundred
and sixty ISO 3166 country codes, which is partly why ClamAV hasn't
reported anything malicious in our mail since last September. That
doesn't mean that ClamAV wouldn't have found anything if it had been
given the opportunity to scan it, but it *does* mean that there is a
much reduced probability of something nasty reaching one of my users.
Of course, even if it did, it's unlikely to have any serious effect
because (a) the users are educated and (b) they're using Linux boxes
which are immune from the vast majority of malicious software. This
is called "defence in depth". There's more, which I won't reveal in
a public forum.

> Could someone clarify? Also, if this is mentioned anywhere in the
> docs, I would be grateful if you please point me to that.

The 'man' pages for clamscan, clamd.conf and clamsubmit might be good
places to start.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: Question regarding Metasploit signatures
Hi There,

> -----Original Message-----
> From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of
> G.W. Haywood via clamav-users
> Sent: 31 August 2019 08:39
> To: Manna, Mohammed via clamav-users <clamav-users@lists.clamav.net>
> Cc: G.W. Haywood <clamav@jubileegroup.co.uk>
> Subject: Re: [clamav-users] Question regarding Metasploit signatures
>
> Hi there,
>
> On Fri, 30 Aug 2019, Manna, Mohammed via clamav-users wrote:
>
> > What I can see that ClamAV cannot always successfully detect reverse
> > shell type of files (built using Metasploit msfvenom). And also, if
> > the file is covered using a pseudo extension e.g. test.exe.txt
> >
> > When I was comparing this on virustotal.com ClamAV seems to be
> > missing quite a lot of them. Is there any reason why ClamAV doesn't
> > do a more extensive search?
>
> ClamAV is by no means perfect, but you haven't told us how you have
> configured it, nor how you are using it, so it's difficult to make any
> particular observations.
>
> There is a system for reporting failed detections which you can use,
> but to avoid wasted effort it will be as well for you first to check
> that your issue is not simply the expected result of how you have
> configured your ClamAV installation.
>
> > Reverse shell or bind shell both are sensitive files and I was
> > expecting ClamAV to be detecting them somehow.
>
> In network security, expecting things to work as intended is sure to
> lead to eventual disappointment. If instead you expect things to
> fail, and base your behaviour on that expectation, you will likely be
> surprised less often - and suffer fewer system compromises.
>
> For example, although I scan all mail using ClamAV, I never expect it
> to find anything; but I also block all mail from more than a hundred
> and sixty ISO 3166 country codes, which is partly why ClamAV hasn't
> reported anything malicious in our mail since last September. That
> doesn't mean that ClamAV wouldn't have found anything if it had been
> given the opportunity to scan it, but it *does* mean that there is a
> much reduced probability of something nasty reaching one of my users.
> Of course, even if it did, it's unlikely to have any serious effect
> because (a) the users are educated and (b) they're using Linux boxes
> which are immune from the vast majority of malicious software. This
> is called "defence in depth". There's more, which I won't reveal in
> a public forum.
>
> > Could someone clarify? Also, if this is mentioned anywhere in the
> > docs, I would be grateful if you please point me to that.
>
> The 'man' pages for clamscan, clamd.conf and clamsubmit might be good
> places to start.
>
[[MM]] What you have said here makes sense. As for my test, I unzipped portable ClamAV on Linux, then generated a reverse shell file using Metasploit to scan it with ClamAV. I used the latest virus DB and engine from ClamAV.net. It missed detection for any tcp/http reverse shell generation. As a comparison, we ran the same test with a different AV provider on Windows OS. The detection was successful. Hence my question, or curiosity, over how ClamAV determines the *true* threat level of a malicious file.

I do agree with your statement on user education and operating system. However, the global userbase cannot be fully educated/converted to mitigate this. My intention was just to understand why this is constantly being missed.
> --
>
> 73,
> Ged.

Re: Question regarding Metasploit signatures
> Hence, my question or curiosity over how ClamAV determines
> the *true* threat level of a malicious file.

If the virus pattern is in one of the database files, then you are
alerted... If it's not, then no alert... That's how every antivirus
works...

You are more than welcome to report files for the clamav team to check
out and add to the db:

https://www.clamav.net/reports/malware

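The reply above ("if the virus pattern is in one of the database files, then you are alerted") and the original question about a file renamed to test.exe.txt both come down to the same mechanic: a signature scanner compares file content against a database, and the filename plays no part. The Python below is an added example of that mechanic, written for this thread; it is not ClamAV's engine and contains no real ClamAV signatures. It reads two constructed database snippets in the plain-text formats ClamAV documents (.hdb: `MD5:FileSize:MalwareName`; .ndb: `MalwareName:TargetType:Offset:HexSignature`, where `??` is one unknown byte and `*` any run of bytes) and scans three constructed byte strings. It supports only the offsets `*` and a plain integer, which is a simplification of ClamAV's offset syntax.

```python
import hashlib

# Constructed sample "files". Only the bytes are scanned: the scanner never
# consults a filename, so storing any of these as test.exe.txt changes nothing.
SAMPLE_A = b"MZ\x90\x00\x03\x00\x00\x00\x04" + b"constructed sample A"
SAMPLE_B = b"MZ\x90\x00\x03\x00\x00\x00\x05" + b"constructed sample A"   # one byte differs
SAMPLE_C = SAMPLE_A + b" rebuilt with extra trailing bytes"             # same prefix, new hash

# Constructed databases (not real ClamAV data). The hash entry covers exactly
# SAMPLE_A; the pattern entry requires 4d 5a 90 00 ?? 00 00 00 04 at offset 0.
SAMPLE_HDB = f"{hashlib.md5(SAMPLE_A).hexdigest()}:{len(SAMPLE_A)}:Example.Hash.A\n"
SAMPLE_NDB = "Example.Pattern.A:0:0:4d5a9000??00000004\n"


def parse_hdb(text):
    """Parse MD5:FileSize:MalwareName lines into (md5, size, name) tuples."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            md5, size, name = line.split(":", 2)
            sigs.append((md5.lower(), int(size), name))
    return sigs


def parse_hexsig(hexsig):
    """Split a hex signature on '*' into segments; each segment is a list of
    byte values, with None standing for a '??' wildcard byte."""
    segments = []
    for chunk in hexsig.split("*"):
        seg = []
        for i in range(0, len(chunk), 2):
            tok = chunk[i:i + 2]
            seg.append(None if tok == "??" else int(tok, 16))
        segments.append(seg)
    return segments


def parse_ndb(text):
    """Parse MalwareName:TargetType:Offset:HexSignature lines."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _target, offset, hexsig = line.split(":", 3)
            sigs.append((name, offset, parse_hexsig(hexsig)))
    return sigs


def _segment_at(data, pos, seg):
    """True if seg matches data starting exactly at pos."""
    if pos + len(seg) > len(data):
        return False
    return all(want is None or data[pos + k] == want for k, want in enumerate(seg))


def _find_segment(data, start, seg):
    """Position of the first occurrence of seg at or after start, else -1."""
    for pos in range(start, len(data) - len(seg) + 1):
        if _segment_at(data, pos, seg):
            return pos
    return -1


def hexsig_matches(data, offset, segments):
    """True if the segments occur in order: the first at the given offset
    (or anywhere for '*'), each later one somewhere after the previous."""
    first = segments[0]
    if offset == "*":
        pos = _find_segment(data, 0, first)
    else:
        pos = int(offset) if _segment_at(data, int(offset), first) else -1
    if pos < 0:
        return False
    pos += len(first)
    for seg in segments[1:]:
        pos = _find_segment(data, pos, seg)
        if pos < 0:
            return False
        pos += len(seg)
    return True


def scan_bytes(data, hdb_sigs, ndb_sigs):
    """Return the names of every signature that matches the file content."""
    hits = []
    digest = hashlib.md5(data).hexdigest()
    for md5, size, name in hdb_sigs:
        if size == len(data) and md5 == digest:
            hits.append(name)
    for name, offset, segments in ndb_sigs:
        if hexsig_matches(data, offset, segments):
            hits.append(name)
    return hits


HDB = parse_hdb(SAMPLE_HDB)
NDB = parse_ndb(SAMPLE_NDB)

if __name__ == "__main__":
    for label, data in (("sample A", SAMPLE_A), ("sample B", SAMPLE_B), ("sample C", SAMPLE_C)):
        print(f"{label}: {scan_bytes(data, HDB, NDB) or 'clean (no signature matched)'}")
```

Sample A triggers both entries, sample C (the same content with bytes appended, so a new hash and size) triggers only the byte pattern, and sample B (one byte changed inside the fixed part of the pattern) triggers nothing at all. That last case is the situation the thread describes: a database entry written for one build of a file says nothing about a differently built one unless the entry was written as a pattern that tolerates the variation, which is why submitting missed samples to the project matters.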
Re: Question regarding Metasploit signatures
Hi there,

On Sat, 31 Aug 2019, J.R. via clamav-users wrote:

> If the virus pattern is in one of the database files, then you are
> alerted... If it's not, then no alert... That's how every antivirus
> works...

There's a bit more to it than that. Some detection is based on other
characteristics, such as behaviour. But I think it's true to say that
the mainstay of detection by ClamAV is through the signature databases.
That's how I use it - there are a few excellent third-party databases.

--

73,
Ged.
