ClamAV to detect exploits for the Equation Editor vulnerability in DOC files
Hi,

Regularly we receive DOC files which contain a virus. These viruses are not
detected by ClamAV, but Kaspersky catches them as
"HEUR:Exploit.RTF.CVE-2018-0802.gen". When I check the file using rtfobj,
it gives the following output.

#rtfobj Balance\ Sheet\ .doc
rtfobj 0.54 on Python 2.7.5 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

===============================================================================
File: 'Balance Sheet .doc' - size: 2218409 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object
---+----------+---------------------------------------------------------------
0  |00000DEAh |format_id: 2 (Embedded)
   |          |class name: 'Package'
   |          |data size: 15993
   |          |OLE Package object:
   |          |Filename: u'Client.vbs'
   |          |Source path: u'C:\\fakepath\\Client.vbs'
   |          |Temp path = u'C:\\fakepath\\Client.vbs'
   |          |MD5 = '3eea151cada1cf5592942ec92be044f0'
   |          |EXECUTABLE FILE
---+----------+---------------------------------------------------------------
1  |00031BD0h |format_id: 2 (Embedded)
   |          |class name: 'Equation.3'
   |          |data size: 3072
   |          |MD5 = '5527f9576bc4e9aa92c5646d41720008'
   |          |CLSID: 20E02C00-0000-0000-0C00-000000000004
   |          |unknown CLSID (please report at
   |          |https://github.com/decalage2/oletools/issues)
   |          |Possibly an exploit for the Equation Editor vulnerability
   |          |(VU#421280, CVE-2017-11882)
---+----------+---------------------------------------------------------------


How can we write customized rules to detect these DOC files?



Thanks

Chaminda Indrajith
Re: ClamAV to detect exploits for the Equation Editor vulnerability in DOC files
Hi there,

On Fri, 22 Jan 2021, Chaminda Indrajith via clamav-users wrote:

> Regularly we receive DOC files which contains virus.

There are many different ways to solve your problem, but we need a lot
more information from you. How do you receive these files?

> These virus is not detected by ClamAV ...

This is not unusual. Can you let us have your ClamAV configuration?
If you're using Linux it's simplest to send the output of

clamconf -n

but please tell us more about your ClamAV installation - for example
what operating system you're using to run it. For more information
about what information will be useful see some of my previous posts
in the list archives, which can be found for example at

https://marc.info/?l=clamav-users&r=1&w=2

> #rtfobj Balance\ Sheet\ .doc
> ...

On its own this information is not particularly useful. The files you
receive do not necessarily give up that information to the scanner
without some effort, so we need to see exactly what the scanner sees.
Perhaps you can put samples somewhere (safe) on the Web for us to see.

> How can we write customized rules to detect these doc file.

You do not need to do that. You can submit the files to the ClamAV
team, and for example to one of the third parties which provide
signatures, e.g. Sanesecurity or Securiteinfo. If you submit samples,
then in addition to solving your own problem you also provide a useful
service to the community:

https://www.clamav.net/contact

If you do want to write your own signatures you should read the
documentation. You could for example start with

https://www.clamav.net/documents/creating-signatures-for-clamav

but you might find it easier to deploy Yara rules:

https://www.clamav.net/documents/using-yara-rules-in-clamav

You need to tell us more about how you are using ClamAV. In my first
question I asked you how you receive the malicious files. If it's by
email then you might want to use ClamAV to filter the incoming mail
messages. There are several ways to do that, but I won't go into it
until I know a little more about how you're receiving the files.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
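Added example (not code from oletools, ClamAV or any poster in this thread): a Python check that does in code what the rtfobj output in the first message shows, which is the kind of content check a custom signature or YARA rule has to approximate. It hex-decodes each \objdata group of an RTF file, reads the class name from the embedded OLE1 header rather than trusting the \objclass control word, and alerts on Equation.3 and Package objects; the RTF sample inside is constructed, and the OLE1 header and Package field layout are assumptions taken from the MS-OLEDS specification.

```python
"""Added example (not oletools, ClamAV or poster code): flag RTF files embedding
the objects rtfobj reported above, an 'Equation.3' (Equation Editor) object and
an OLE 'Package' with a dropped script. OLE1/Package layouts assumed from MS-OLEDS."""
import re
import struct

CONTROL_RE = re.compile(r"\\(?:[a-zA-Z]+-?\d*|'[0-9A-Fa-f]{2}|.)")  # \word, \'xx, \X
OBJDATA_RE = re.compile(r"\\objdata(?![a-zA-Z])([^{}]*)")  # body up to the next brace
SUSPICIOUS = ("Equation.", "Package")  # class-name prefixes rtfobj warned about

def decode_objdata(body: str) -> bytes:
    """Hex-decode an \\objdata body: control words, whitespace, newlines and mixed
    case between the digits are common obfuscation, so keep only the hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", CONTROL_RE.sub("", body))
    return bytes.fromhex(digits[: len(digits) & ~1])

def parse_ole1(data: bytes):
    """Return (format_id, class_name, native_data) or None if not OLE1-shaped.
    Assumed header: OLEVersion u32, FormatID u32 (1 linked, 2 embedded), then
    ClassName/TopicName/ItemName (u32 length incl. NUL + bytes), NativeDataSize u32."""
    try:
        format_id, = struct.unpack_from("<I", data, 4)
        pos, names = 8, []
        for _ in range(3):
            n, = struct.unpack_from("<I", data, pos)
            names.append(data[pos + 4:pos + 4 + n].rstrip(b"\0").decode("latin-1"))
            pos += 4 + n
        size, = struct.unpack_from("<I", data, pos)
    except struct.error:
        return None
    if format_id in (1, 2) and names[0]:  # class name from the header, not \objclass
        return format_id, names[0], data[pos + 4:pos + 4 + size]
    return None

def package_names(native: bytes):
    """OLE Package stream (assumed): u16 header, NUL-terminated filename, source path."""
    label, src = native[2:].split(b"\0")[:2]
    return label.decode("latin-1"), src.decode("latin-1")

def scan_rtf(rtf: str):
    """One finding per embedded object; 'alert' marks the risky classes."""
    findings = []
    for m in OBJDATA_RE.finditer(rtf):
        parsed = parse_ole1(decode_objdata(m.group(1)))
        if parsed is None:
            continue
        format_id, cls, native = parsed
        f = {"class": cls, "format_id": format_id, "size": len(native),
             "alert": cls.startswith(SUSPICIOUS)}
        if cls == "Package" and native.count(b"\0") >= 2:
            f["filename"], f["src_path"] = package_names(native)
        findings.append(f)
    return findings

def _ole1(cls: bytes, native: bytes) -> bytes:  # constructed OLE1 object, FormatID 2
    lp = lambda s: struct.pack("<I", len(s) + 1) + s + b"\0"
    return (struct.pack("<II", 0x501, 2) + lp(cls) + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)

# Constructed sample, not real malware: a Package wrapping a placeholder .vbs, an
# Equation.3 object with upper-cased hex split over lines plus a stray \par, and a
# benign Word object that must not alert.
_PKG = b"\x02\x00Client.vbs\0C:\\fakepath\\Client.vbs\0\0\0\x03\0' placeholder\r\n"
_EQ_HEX = "\n".join(re.findall(".{1,40}", _ole1(b"Equation.3", b"\0" * 64).hex().upper()))
SAMPLE_RTF = ("{\\rtf1{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
              + _ole1(b"Package", _PKG).hex() + "}}{\\object\\objemb{\\*\\objdata\n"
              + _EQ_HEX + "\\par}}{\\object\\objemb{\\*\\objdata "
              + _ole1(b"Word.Document.8", b"x").hex() + "}}}")
```

Running `scan_rtf` over a real sample would report the Package and Equation.3 entries as alerts; anything the parser cannot decode as OLE1 is skipped rather than guessed at.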
Re: ClamAV to detect exploits for the Equation Editor vulnerability in DOC files
Hi,
Please find the details requested

> There are many different ways to solve your problem, but we need a lot more
> information from you. How do you receive these files?

Mainly, we get these viruses via e-mail. We have mail gateways which are used
for filtering mail for our customers' mail servers. So, daily we get viruses
which are not detected by ClamAV running on our mail gateways.

> This is not unusual. Can you let us have your ClamAV configuration?

[root@mailin-04 ~]# clamconf -n
Checking configuration files in /etc

Config file: clamd.d/scan.conf
------------------------------
LogFile = "/var/log/clamd.scan"
LogTime = "yes"
LogClean = "yes"
LogSyslog = "yes"
PidFile = "/var/run/clamd.scan/clamd.pid"
LocalSocket = "/var/run/clamd.scan/clamd.sock"
LocalSocketGroup = "mtagroup"
User = "clamscan"
OLE2BlockMacros = "yes"
*** AllowSupplementaryGroups is DEPRECATED ***

Config file: freshclam.conf
---------------------------
DatabaseMirror = "database.clamav.net"

mail/clamav-milter.conf not found

Software settings
-----------------
Version: 0.103.0
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information
--------------------
Database directory: /var/lib/clamav
main.cld: version 59, sigs: 4564902, built on Mon Nov 25 19:26:15 2019
bytecode.cld: version 331, sigs: 94, built on Thu Sep 19 21:42:33 2019
daily.cld: version 26056, sigs: 4199611, built on Thu Jan 21 18:04:40 2021
bytecode.cvd: version 331, sigs: 94, built on Thu Sep 19 21:42:33 2019
[3rd Party] hackingteam.hsb: 435 sigs
[3rd Party] porcupine.hsb: 121 sigs
[3rd Party] rfxn.ndb: 2039 sigs
[3rd Party] rfxn.hdb: 12927 sigs
[3rd Party] securiteinfoascii.hdb: 90606 sigs
main.cvd: version 59, sigs: 4564902, built on Mon Nov 25 19:26:15 2019
[3rd Party] sanesecurity.ftm: 170 sigs
[3rd Party] sigwhitelist.ign2: 10 sigs
[3rd Party] blurl.ndb: 1558 sigs
[3rd Party] junk.ndb: 60121 sigs
[3rd Party] jurlbl.ndb: 1540 sigs
[3rd Party] malwarehash.hsb: 771 sigs
[3rd Party] phish.ndb: 28027 sigs
[3rd Party] rogue.hdb: 372 sigs
[3rd Party] scam.ndb: 12742 sigs
[3rd Party] spamattach.hdb: 14 sigs
[3rd Party] spamimg.hdb: 200 sigs
[3rd Party] badmacro.ndb: 614 sigs
[3rd Party] jurlbla.ndb: 1561 sigs
[3rd Party] lott.ndb: 2335 sigs
[3rd Party] shelter.ldb: 49 sigs
[3rd Party] spam.ldb: 2 sigs
[3rd Party] spear.ndb: 1 sig
[3rd Party] spearl.ndb: 1 sig
[3rd Party] malware.expert.hdb: 1 sig
[3rd Party] malware.expert.fp: 1 sig
[3rd Party] malware.expert.ldb: 1 sig
[3rd Party] malware.expert.ndb: 1 sig
[3rd Party] foxhole_filename.cdb: 2613 sigs
[3rd Party] foxhole_generic.cdb: 212 sigs
[3rd Party] foxhole_js.cdb: 48 sigs
[3rd Party] foxhole_js.ndb: 4 sigs
[3rd Party] winnow_bad_cw.hdb: 1 sig
[3rd Party] winnow_extended_malware.hdb: 245 sigs
[3rd Party] winnow_malware_links.ndb: 133 sigs
[3rd Party] winnow_malware.hdb: 293 sigs
[3rd Party] winnow_phish_complete_url.ndb: 54 sigs
[3rd Party] winnow.attachments.hdb: 182 sigs
[3rd Party] urlhaus.ndb: 8201 sigs
[3rd Party] winnow_extended_malware_links.ndb: 1 sig
[3rd Party] winnow_spam_complete.ndb: 26 sigs
[3rd Party] winnow.complex.patterns.ldb: 3 sigs
[3rd Party] MiscreantPunch099-Low.ldb: 1199 sigs
[3rd Party] scamnailer.ndb: 1 sig
[3rd Party] bofhland_cracked_URL.ndb: 40 sigs
[3rd Party] bofhland_malware_attach.hdb: 1836 sigs
[3rd Party] bofhland_malware_URL.ndb: 4 sigs
[3rd Party] bofhland_phishing_URL.ndb: 72 sigs
[3rd Party] phishtank.ndb: 9270 sigs
[3rd Party] porcupine.ndb: 6805 sigs
[3rd Party] securiteinfo.hdb: 127854 sigs
[3rd Party] securiteinfohtml.hdb: 52920 sigs
[3rd Party] securiteinfo.ign2: 142 sigs
[3rd Party] customsig.ndb: 3 sigs
[3rd Party] ebrandidc.ndb: 155 sigs
[3rd Party] ebrandidc.hdb: 12 sigs
Total number of signatures: 13758152

Platform information
--------------------
uname: Linux 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.7 (1.2.7), compile flags: a9
platform id: 0x0a2179790800000002040805

Build information
-----------------
GNU C: 4.8.5 20150623 (Red Hat 4.8.5-44) (4.8.5)
CPPFLAGS: -I/usr/include/libprelude
CFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic
-fno-strict-aliasing -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
-D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic
LDFLAGS: -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
-Wl,--as-needed -lprelude
Configure: '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--program-prefix='
'--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--localstatedir=/var'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--enable-milter' '--disable-clamav'
'--disable-static' '--disable-zlib-vcheck' '--disable-unrar'
'--enable-id-check' '--enable-dns' '--with-dbdir=/var/lib/clamav'
'--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath'
'--disable-silent-rules' '--enable-clamdtop' '--enable-prelude'
'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu'
'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic'
'LDFLAGS=-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
-Wl,--as-needed' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
-fexceptions -fstack-protector-strong --param=ssp-buffer-size=4
-grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64
-mtune=generic' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 121, dconf: 121
[root@mailin-04 ~]#

> but please tell us more about your ClamAV installation - for example what
> operating system you're using to run it. For more information about what
> information will be useful see some of my previous posts in the list
> archives, which can be found for example at

ClamAV is installed in our Mail Gateways as the Virus Scanner. ClamAV is
integrated with MailScanner running on each mail gateway.

[root@mailin-04 ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

> Perhaps you can put samples somewhere (safe) on the Web for us to see.

I can put the viruses on an FTP server and share them with you.

> You do not need to do that. You can submit the files to the ClamAV team,
> and for example to one of the third parties which provide signatures, e.g.
> Sanesecurity or Securiteinfo. If you submit samples, then in addition to
> solving your own problem you also provide a useful service to the
> community:

Usually, I forward the virus mails to Sanesecurity.

I hope that I have provided sufficient information for you.

Thanks for your support.

Regards

Chaminda Indrajith



Re: ClamAV to detect exploits for the Equation Editor vulnerability in DOC files
Hi there,

On Fri, 22 Jan 2021, Chaminda Indrajith via clamav-users wrote:

> Mainly, we get these virus via E-mail. ...

Can I assume that it's clamd which scans these emails?

> OLE2BlockMacros = "yes"

There are other settings which you might want to investigate. See
for example the 'Alert...' options in the clamd.conf man page which
mostly default to 'no'.

> mail/clamav-milter.conf not found

If you do not use clamav-milter, what takes the message from the mail
server and presents it to clamd? Do you have evidence that clamd at
least finds some threats (of whatever kind) in your incoming mail?

> Database information
> ...

A good selection of signatures. :)

> [root@mailin-04 ~]# cat /etc/redhat-release
> CentOS Linux release 7.9.2009 (Core)

Shame about CentOS. :(

> I can put the viruses in a FTP server and share them with you.

Please do. Please provide the files as complete original email
messages, not just as the attached files (and let me know where
I can find them of course. :)

> Usually, I forward the virus mails to Sanesecurity.

+1

You might want to send them to the ClamAV team too, and perhaps
also to Securiteinfo - the maintainer of those signatures has
occasionally asked on this list for samples to be sent to him.
The ClamAV team is more interested in malware/phishing than spam.

It can be onerous to make many submissions; I'm working on a system
which automates it to some extent, but it's not yet ready to publish.

> I hope that I have provided the sufficient information for you.

We're getting there. :)

> Thanks for your support.

You're welcome.

--

73,
Ged.

Re: ClamAV to detect exploits for the Equation Editor vulnerability in DOC files
Hi,

> > Mainly, we get these virus via E-mail. ...
>
> Can I assume that it's clamd which scans these emails?

Yes. Clamd scans the e-mails.

> > OLE2BlockMacros = "yes"
>
> There are other settings which you might want to investigate. See for
> example the 'Alert...' options in the clamd.conf man page which mostly
> default to 'no'.

I will check the Alert options in clamd.conf.

> > mail/clamav-milter.conf not found
>
> If you do not use clamav-milter, what takes the message from the mail server
> and presents it to clamd? Do you have evidence that clamd at least finds
> some threats (of whatever kind) in your incoming mail?

I use MailScanner, and MailScanner takes the message from Postfix and presents
it to clamd. Yes, I have evidence that Clamd finds threats, but it
cannot detect some of the threats.

> > I can put the viruses in a FTP server and share them with you.
>
> Please do. Please provide the files as complete original email messages,
> not just as the attached files (and let me know where I can find them of
> course. :)

I will share the complete messages stored by MailScanner and I will
share the FTP access details separately. Daily I will share the threats that
were not detected by Clamd.

> > Usually, I forward the virus mails to Sanesecurity.
>
> +1
>
> You might want to send them to the ClamAV team too, and perhaps also to
> Securiteinfo - the maintainer of those signatures has occasionally asked on
> this list for samples to be sent to him.
> The ClamAV team is more interested in malware/phishing than spam.

How can I share the threats with the ClamAV team? Can I share the same FTP
access details?

Thanks again for your great explanation and support.

Regards

Chaminda Indrajith


Re: ClamAV to detect exploits for the Equation Editor vulnerability in DOC files
Hello again,

On Sat, 23 Jan 2021, Chaminda Indrajith via clamav-users wrote:

> ... I have the evidence that Clamd finds threats, but it cannot
> detect some of the threats

As I said this is not unusual. From my experience I would say that of
all the threats that I see, ClamAV will typically detect a few tens %.
It's possible with some effort to 'tune' detection to your particular
mail profile but it's really a moving target. If you have something
like a repeat offender sending lots of malicious mail it's usually
easy to educate ClamAV to block it.

> I will share the complete messages that stored by MailScanner and I will
> share the FTP access details separately. ...

I will let you have a private email address to send the access details.
Do not worry if messages to the private address are rejected, filtering
of our mail is extremely unforgiving.

> How can I share the threats with ClamAV Team. Can I share the same FTP
> access details

The best ways are either to use the 'clamsubmit' utility or the Web
page which I mentioned in one of my earlier replies. The ClamAV team
will be unlikely to make effective use of your FTP server - it would
be too time-consuming for them to use a different method of collecting
samples from each and every ClamAV user.

> Thanks again for your great explanation and support.

I'm glad it's useful!

--

73,
Ged.

Re: ClamAV to detect exploits for the Equation Editor vulnerability in DOC files
Hi Chaminda,

Generally speaking we'd like it if you would upload malware which ClamAV fails to alert on by using the `clamsubmit` tool, or via this webpage https://www.clamav.net/reports/malware
These feed into an automated system that will attempt to determine if it thinks they're malicious and then generate content-based logical signatures and/or hash-based signatures for them.

Some heuristic alerts for CVE detection are also baked into ClamAV. These are often for file format issues that may be used to exploit vulnerable software. The "HEUR:Exploit.RTF.CVE-2018-0802.gen" Kaspersky signature sounds like that sort of thing, detecting a Microsoft Office document file format issue. This sort of thing is often harder to detect with ClamAV's content-based signatures and may be a better candidate for a bytecode signature or a hardcoded check for format correctness when parsing the document file. If you want to share your samples with our development team, we could take a look -- but it would be a long while before we can build that detection into a new ClamAV version. To share with the ClamAV development team, you can email me a password-protected zip of the files, or upload them to VirusTotal and send me a list of file hashes.

Regards,
Micah

> -----Original Message-----
> From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of
> Chaminda Indrajith via clamav-users
> Sent: Saturday, January 23, 2021 9:18 AM
> To: 'ClamAV users ML' <clamav-users@lists.clamav.net>
> Cc: Chaminda Indrajith <indrajith@sltidc.lk>; 'G.W. Haywood'
> <clamav@jubileegroup.co.uk>
> Subject: Re: [clamav-users] ClamAV to detect exploits for the Equation Editor
> vulnerability in DOC files
