Mailing List Archive

[clamav-users] possible to use clamscan to search for strings in mail?
Hi all,

Is it worth trying?

We do have a large IMAP (~200GB), and in order to find letters containing
a specific "keyword",
grep is not good because of base64 encoding. So the idea is to look
through with an antivirus scanner for a "virus" inside letters, which is not
a virus but (not sure, maybe) a "bytecode signature" = "keyword".

Sounds good? A link to a howto would be appreciated.

Thanks.
Re: [clamav-users] possible to use clamscan to search for strings in mail?
Hello Alex,


> We do have a large IMAP ~200GB, and in order to find letters
> containing specific "keyword",
> grep is not good because of base64 encoding. So the idea is to look
> through with antivirus scanner for "virus" inside letters, which is
> not a virus but a (not sure, may be) "bytecode signature" = "keyword"
>
> Sounds good? A link to a howto will be appreciated.

Yes, it is possible. Please see the official documentation:
https://www.clamav.net/documents/creating-signatures-for-clamav

--
Cordialement / Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Phone: +33-(0)3.44.39.76.46
E-mail: aj@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] possible to use clamscan to search for strings in mail?
Great, thanks!

All I had to do was write a new.ldb rule with hex patterns to
search for:

Sig1;Target:4;(0|1|2|3|4|5|6|7|8|9|10|11|12);e2e5ede0eb;c2c5cdc0cb;fe32;de32;d7c5cec1cc;f7e5eee1ec;c032;e032;d0b2d0b5d0bdd0b0d0bb;d092d095d09dd090d09b;d18e32;d0ae32;7576656e616c

and run clamscan:

clamscan -f ~/list -i -d ~/new.ldb

On Wed, 2019-03-06 at 10:50 +0100, Arnaud Jacques wrote:
> Hello Alex,
>
>
> > We do have a large IMAP ~200GB, and in order to find letters
> > containing specific "keyword",
> > grep is not good because of base64 encoding. So the idea is to
> > look
> > through with antivirus scanner for "virus" inside letters, which
> > is
> > not a virus but a (not sure, may be) "bytecode signature" =
> > "keyword"
> >
> > Sounds good? A link to a howto will be appreciated.
>
> Yes it is possible. Please see the official documentation :
> https://www.clamav.net/documents/creating-signatures-for-clamav
>