Mailing List Archive

ransomware
Does ClamAV support removing ransomware?
If yes, how effective is it compared to some of the specialized ransomware cleanup
software out there?
Re: ransomware [ In reply to ]
I'm certain that the answer to your first question is yes, as there are almost 15,000 signatures in the current database that specifically address ransomware and have been since they first appeared. Most address the Windows platform. Ransomware detection and removal is no different from that used for any other type of malware.

I'm unaware of any testing by an independent organization that included specialized ransomware software and am certain that any such testing would vary by platform, and you haven't specified what platform(s) you are interested in.

Sent from my iPad

-Al-

> On Sep 30, 2020, at 13:47, Mat via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Does ClamAV support removing ransomware?
> If yes, how effective is it compared to some of the specialized ransomware cleanup software out there?
Re: ransomware [ In reply to ]
Hi there,

On Wed, 30 Sep 2020, Mat via clamav-users wrote:

> Does ClamAV support removing ransomware?

No.

It does have options to remove or move files which it considers to be
'infected' but you would need to be sure that you understand the risks
of doing something like that before doing it automatically. I can't
imagine any circumstances under which I would recommend it, not least
because some methods used by ClamAV to look for suspicious files are
prone to accidental 'false positives'. These can and do happen when a
signature is added to a database, at any time, without warning, and
could easily identify an essential system file falsely as malicious.
If you look in the archives for this list you will find examples.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
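A worked example of the "move, don't delete" handling Ged describes, added here as an illustration; it is not code from the ClamAV project or from anyone in this thread. clamscan itself has `--remove` (delete on detection) and `--move=DIR` (quarantine on detection). The functions below take a clamscan-style report (`path: Signature FOUND` lines; the sample in the comments is constructed) and do the quarantine step by hand so that the restore path for a false positive is explicit. The function names, the manifest layout and the sample signature names are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not ClamAV project code: quarantine files named on
# clamscan "FOUND" lines by moving them, and keep a manifest so a
# false positive can be put back. Function names, manifest layout and
# the sample report below are this example's own inventions.
#
# Constructed sample of what `clamscan -r --infected /` might print:
#   /home/u/notes.txt: OK
#   /home/u/invoice.pdf.exe: Win.Ransomware.Example-1 FOUND
#   /usr/bin/ls: Unix.Trojan.Example-2 FOUND
# (signature names are made up; only the "path: Name FOUND" shape matters)

set -u

# quarantine_from_report REPORT_FILE QUARANTINE_DIR
# Moves every regular file named on a "... FOUND" line into
# QUARANTINE_DIR and appends "stored-name<TAB>original-path<TAB>signature"
# to QUARANTINE_DIR/manifest.tsv. Prints the number of files moved.
quarantine_from_report() {
    report=$1
    qdir=$2
    mkdir -p "$qdir"
    chmod 700 "$qdir"             # quarantined files stay out of everyone's reach
    count=0
    while IFS= read -r line; do
        case $line in
            *" FOUND") ;;         # keep only detections; "OK" and summary lines are skipped
            *) continue ;;
        esac
        rest=${line% FOUND}       # "path: SigName"
        path=${rest%: *}          # drop ": SigName" (signature names contain no ": ")
        sig=${rest##*: }          # keep "SigName"
        [ -f "$path" ] || continue  # vanished, or not a regular file: nothing to move
        count=$((count + 1))
        # basename plus a counter keeps two files with the same name apart
        dest="$qdir/$(basename "$path").$count.quarantined"
        mv -- "$path" "$dest"     # mv keeps the mode, so a restore is faithful
        printf '%s\t%s\t%s\n' "$(basename "$dest")" "$path" "$sig" \
            >> "$qdir/manifest.tsv"
    done < "$report"
    echo "$count"
}

# restore_from_quarantine QUARANTINE_DIR STORED_NAME
# Puts one quarantined file back at its original path, for a detection
# that turned out to be a false positive. Returns 1 if the name is unknown.
restore_from_quarantine() {
    qdir=$1
    name=$2
    [ -f "$qdir/manifest.tsv" ] || return 1
    orig=$(awk -F'\t' -v n="$name" '$1 == n { print $2; exit }' "$qdir/manifest.tsv")
    [ -n "$orig" ] || return 1
    mkdir -p "$(dirname "$orig")"
    mv -- "$qdir/$name" "$orig"
}
```

Usage: run `clamscan -r --infected /mnt/suspect > report.txt` against the disk mounted from a trusted boot, read the FOUND lines yourself, then `quarantine_from_report report.txt /mnt/quarantine`. If a flagged file is an essential binary, `restore_from_quarantine /mnt/quarantine ls.2.quarantined` puts it back from the manifest; a deleted file cannot be restored, which is the whole argument against `--remove`. Note what this does not do: moving the file ClamAV flagged removes one artifact, not whatever else the malware left behind.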
Re: ransomware [ In reply to ]
Hi there,

On Wed, 30 Sep 2020, Al Varnell via clamav-users wrote:

> I'm certain that the answer to your first question is yes ...

Careful, the OP said 'remove' not 'detect'!

--

73,
Ged.

Re: ransomware [ In reply to ]
This removal (post-infection) I am talking about is on Linux platforms.


On Wed, Sep 30, 2020 at 4:06 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Wed, 30 Sep 2020, Al Varnell via clamav-users wrote:
>
> > I'm certain that the answer to your first question is yes ...
>
> Careful, the OP said 'remove' not 'detect'!
>
> --
>
> 73,
> Ged.
Re: ransomware [ In reply to ]
To the best of my knowledge, ClamAV does not *remove* any malware.

It is usually used to detect malware *prior* to infection;
and I do not think that much effort has been made to teach it
to detect infected systems (please tell me if I am wrong).

On Sat, 3 Oct 2020, Mat via clamav-users wrote:

> This removal (post-infection) I am talking about is on Linux platforms.
>
>
> On Wed, Sep 30, 2020 at 4:06 PM G.W. Haywood via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
> > Hi there,
> >
> > On Wed, 30 Sep 2020, Al Varnell via clamav-users wrote:
> >
> > > I'm certain that the answer to your first question is yes ...
> >
> > Careful, the OP said 'remove' not 'detect'!

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: ransomware [ In reply to ]
On 2020-10-01 01:03, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Wed, 30 Sep 2020, Mat via clamav-users wrote:
>
>> Does ClamAV support removing ransomware?
>
> No.
>
> It does have options to remove or move files which it considers to be
> 'infected' but you would need to be sure that you understand the risks
> of doing something like that before doing it automatically.  I can't
> imagine any circumstances under which I would recommend it, not least
> because some methods used by ClamAV to look for suspicious files are
> prone to accidental 'false positives'.  These can and do happen when a
> signature is added to a database, at any time, without warning, and
> could easily identify an essential system file falsely as malicious.
> If you look in the archives for this list you will find examples.
>
I concur with the above posting. ClamAV was originally (AFAIK) meant to be
a virus scanner within a mail system. That grew into a wider
spectrum called a "malware" scanner. As such it is still a basic scanner
designed to check files for malware before they are used (using
clamonacc) or even stored on your system. There is an option to block
access to the file in question if it is flagged as having malware.

Scanning a running system used to be doable in the distant past, until
malware incorporated techniques to avoid detection. That is the reason
why you should always boot from a CD or other uncompromised device when
you try a system-wide scan, including boot sectors etc.
Also, ransomware is usually only present prior to "locking" files. After
that it normally deletes itself from the system in order to make
recovering the used key a difficult exercise.

So, the lesson is: practice safe online discipline. Privately and
business-wise.

--- Frans

--
A: Yes, just like that A: Ja, net zo
Q: Oh, Just like reading a book backwards Q: Oh, net als een boek achterstevoren lezen
A: Because it upsets the natural flow of a story A: Omdat het de natuurlijke gang uit het verhaal haalt
Q: Why is top-posting annoying? Q: Waarom is Top-posting zo irritant?


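The access blocking Frans mentions is the prevention mode of ClamAV's on-access scanner (clamonacc, which hands files to clamd). The fragment below is an added illustration of the relevant clamd.conf settings, not text from the ClamAV project or from Frans's post; the paths are assumptions, and the option names should be checked against the clamd.conf shipped with the version actually in use.

```ini
# clamd.conf, on-access section (added example, paths are assumptions).
# Log-only: clamonacc scans files under the share as they are opened and
# reports detections, but the open still succeeds.
OnAccessIncludePath /srv/share
OnAccessExcludePath /srv/share/.quarantine
OnAccessPrevention no

# Blocking: the same paths, but the open that triggered the scan is denied
# when clamd returns a match. This uses fanotify permission events, so
# clamonacc must run as root; OnAccessExcludeUname keeps clamd's own
# accesses (running as the clamav user) from being scanned recursively.
OnAccessIncludePath /srv/share
OnAccessExcludePath /srv/share/.quarantine
OnAccessPrevention yes
OnAccessExcludeUname clamav
OnAccessMaxFileSize 10M
```

Only one of the two variants belongs in a real clamd.conf; they are shown together to make the difference visible. Note that prevention stops the file from being opened; it does not delete or move it, and it protects only paths listed in OnAccessIncludePath.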
Re: ransomware [ In reply to ]
Hi there,

On Sat, 3 Oct 2020, Andrew C Aitchison via clamav-users wrote:
> On Sat, 3 Oct 2020, Mat via clamav-users wrote:
>
>> This removal (post-infection) I am talking about is on Linux platforms.
>
> To the best of my knowledge, ClamAV does not *remove* any malware.
>
> It is usually used to detect malware *prior* to infection;
> and I do not think that much effort has been made to teach it
> to detect infected systems (please tell me if I am wrong).

No, you're not wrong but it isn't black and white. As I said there is
a facility which can remove (or move) files which ClamAV identifies as
suspect but that's a long way from "removing ransomware". In the 21st
century malware is much more capable than it was in the early days and
a lot of it goes to quite a bit of trouble to make itself persistent.
Simply deleting a file or two is unlikely to be successful. You might
be lucky, but how do you know something stealthy wasn't left behind?
And if you happen to delete a perfectly innocent file because ClamAV
identified it falsely as malicious you can break the system.

Over twenty years ago I saw intrusions into Linux boxes where several
different binaries in the system were modified, so that if one file
was removed by root on the running system, by the time the next file
could be found and removed the first one had been re-infected. The
infected system files hid the processes that the malware used. Even
if you did delete all the infected files, the system would no longer
operate because the infected files were essential system binaries.

Those systems were infected because they were running an FTP server
which was vulnerable, but the really exasperating thing was that they
hadn't needed to run an FTP server. No FTP data was available, and
they shouldn't have been listening for FTP connections at all.

The way to deal with that kind of thing is to shut the system down and
very thoroughly inspect it, using a trusted system, and preferably do
a fresh installation. With malware now starting to affect firmware on
motherboards and in mass storage devices, even that isn't guaranteed
to fix the problem.

If ransomware has actually encrypted files on a system then ClamAV has
no facility to attempt to recover them. Indeed if the ransomware has
been coded carefully, then with current technology it is probably not
feasible to recover the encrypted files without the key for which you
have been asked to pay. That's one of the reasons so many people say
how important it is to make regular backups - and also to test them -
and not to run services that aren't required, and to keep up-to-date
with security patches, and all that other good stuff.

--

73,
Ged.
