[clamav-users] how to verify if a malware signature is in DB & adding hash
Hi

How can I check if a specific malware (by providing a name/hash)
has been included in the current version of Clam DB & when it's
added?

In particular, I'm looking at:
the ransomware, dubbed “Sodinokibi” & the botnet dubbed “Muhstik”.

If they are not in, how can I add their hashes into my Clam DB (running
on Solaris 10)?

Thanks
Sun
Re: [clamav-users] how to verify if a malware signature is in DB & adding hash
Run clamscan against the file? Or if you want to see what is published each release, you should subscribe to the clamav-virusdb list.

Sent from my iPad

> On May 5, 2019, at 19:40, Sunhux G via clamav-users <clamav-users@lists.clamav.net> wrote:
Re: [clamav-users] how to verify if a malware signature is in DB & adding hash
https://www.clamav.net/documents/file-hash-signatures

On Sun, May 05, 2019 at 04:39 PM, Sunhux G via clamav-users wrote:
> how can I add their hashes into my Clam DB (running
> on Solaris 10)??


-Al-
--
Al Varnell
Mountain View, CA
Re: [clamav-users] how to verify if a malware signature is in DB & adding hash
> https://www.clamav.net/documents/file-hash-signatures

Need to clarify further based on the example in the above link:
so if I have the MD5 hash but not the malicious file itself, I'd add the MD5
value into a line in test.hdb & then run
clamscan -d test.hdb / (i.e. scan for the MD5 in the entire server?)

But what I need is to find out if the MD5 hash is already incorporated
in our ClamDB (or is there a way to trace back past virus-db releases)
assuming I have not subscribed to one?

Sun

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] how to verify if a malware signature is in DB & adding hash
If you have the hash value then it shouldn't be that difficult to find the actual file and check it as Joel mentioned.

In addition to the hash value you will need the file size to build a proper signature.

To check if it is already in daily or main you will need to unpack them by running, for example, sigtool -u <PathTo-daily.cld>. Then open daily.hdb in a text editor and search for the hash.

Sent from my iPad

-Al-

On May 5, 2019, at 20:43, Sunhux G <sunhux@gmail.com> wrote:
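As an added example (not code from the thread or from the ClamAV project): a small Python helper that parses the unpacked hash-database text that `sigtool -u daily.cld` produces (`HashString:FileSize:MalwareName` records), searches it for a given hash regardless of letter case, and builds a new record the way the thread describes. The database content, hashes and malware names below are constructed for illustration, not real signatures.

```python
import re

# Constructed stand-in for an unpacked daily.hdb; these hashes and names are made up.
SAMPLE_DAILY_HDB = """\
0123456789abcdef0123456789abcdef:45056:Win.Ransomware.Example-1
fedcba9876543210fedcba9876543210:*:Unix.Trojan.Example-2
"""

# One record per line: hex digest, decimal size or `*`, name without ':' or whitespace.
HDB_LINE = re.compile(r"^([0-9a-fA-F]+):(\d+|\*):([^:\s]+)$")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}  # .hdb holds MD5, .hsb SHA1/SHA256


def parse_hdb_line(line):
    """Split one record into (digest, size, name); None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HDB_LINE.match(line)
    if not m or len(m.group(1)) not in HASH_LENGTHS:
        return None
    digest, size, name = m.groups()
    return digest.lower(), size, name


def build_hdb_line(digest, name, size=None):
    """Build a record from a hash and a name. The exact file size is what makes a
    proper signature (as Al notes); without it, the only option is the `*` size
    wildcard, which newer ClamAV releases accept."""
    digest = digest.strip().lower()
    if len(digest) not in HASH_LENGTHS or not all(c in "0123456789abcdef" for c in digest):
        raise ValueError("hash must be 32, 40 or 64 hex characters")
    if ":" in name or any(ch.isspace() for ch in name):
        raise ValueError("malware name must not contain ':' or whitespace")
    return f"{digest}:{size if size is not None else '*'}:{name}"


def find_hash(digest, db_texts):
    """Return [(dbname, malware_name)] for every database whose records contain digest.
    db_texts maps a database name such as 'daily.hdb' to its unpacked text."""
    wanted = digest.strip().lower()
    hits = []
    for dbname, text in db_texts.items():
        for rec in map(parse_hdb_line, text.splitlines()):
            if rec and rec[0] == wanted:
                hits.append((dbname, rec[2]))
    return hits


if __name__ == "__main__":
    print(find_hash("0123456789ABCDEF0123456789abcdef", {"daily.hdb": SAMPLE_DAILY_HDB}))
    print(build_hdb_line("00112233445566778899aabbccddeeff", "Win.Ransomware.Local-1"))
```

In practice the text for `db_texts` comes from reading the `daily.hdb`/`main.hdb` files that `sigtool -u` writes into the current directory.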
Re: [clamav-users] how to verify if a malware signature is in DB & adding hash
Thanks.

Where can I download a copy of sigtool (that's pre-compiled) for
Solaris 10 and RHEL7? I was combing the clamav site but can't locate it.
Appreciate a full URL to download it.

As for actual file, it's too dangerous as they're ransomware/malware,
so wouldn't want to get a copy of it.

Sun

On 5/6/19, Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:
Re: [clamav-users] how to verify if a malware signature is in DB & adding hash
On May 5, 2019, at 23:24, Sunhux G via clamav-users <clamav-users@lists.clamav.net> wrote:
> Where can I download a copy of sigtool (that's pre-compiled) for
> Solaris 10 and RHEL7? Was combing clamav site but can't locate it.
> Appreciate a full URL to download it.

It's built into your ClamAV installation in clamav/bin.

> As for actual file, it's too dangerous as they're ransomware/malware,
> so wouldn't want to get a copy of it.

It's only dangerous if launched. The file itself just sitting on a drive is harmless and you only need it long enough to perform one scan to get the answer to your original question. I thought the whole purpose of your questions was based on being able to identify that this malware was on your drive so you wouldn't become infected.

Honestly, I have to say, based on all the questions you are asking, you don't have sufficient knowledge yet of basic anti-malware operations to be undertaking this level of investigation.

If this is a well known malware in the wild, there is an extremely high probability that there is a signature in the ClamAV database already, and it may well not be in the form of a hash. IMHO, you need to trust that the professionals at Talos/ClamAV are on top of these things and better use your time and energies.

-Al-
