Hi Guys,
I have a multiple signed malwares. I want to create detection using the
certificate that is used to sign them. I came across an old blog from
ClamAV folks.
https://blog.clamav.net/2013/02/authenticode-certificate-chain.html
Where the author creates a signature for the revoked certificate and adds
it to .crtdb to detect the signed malicious binary. Recent versions of
ClamAV don't recognize .crtdb file, it seems to be replaced by .crb file.
In the documentation, I found this
The .crb format supports blacklist rule entries, but these cannot currently
be used as a basis for malware detection. Instead, as currently
implemented, these entries just override .crb rules which would otherwise
whitelist a given sample
https://www.clamav.net/documents/microsoft
-authenticode-signature-verification
My question is, Is there any way to detect signed malicious binaries using
signing certificate properties like the author does in the old blog
mentioned above.
Thank you :) I am new to ClamAV. Please forgive my ignorance.
Have a nice day, you all. :)
Regards,
Irshad Muhammad.
I have a multiple signed malwares. I want to create detection using the
certificate that is used to sign them. I came across an old blog from
ClamAV folks.
https://blog.clamav.net/2013/02/authenticode-certificate-chain.html
Where the author creates a signature for the revoked certificate and adds
it to .crtdb to detect the signed malicious binary. Recent versions of
ClamAV don't recognize .crtdb file, it seems to be replaced by .crb file.
In the documentation, I found this
The .crb format supports blacklist rule entries, but these cannot currently
be used as a basis for malware detection. Instead, as currently
implemented, these entries just override .crb rules which would otherwise
whitelist a given sample
https://www.clamav.net/documents/microsoft
-authenticode-signature-verification
My question is, Is there any way to detect signed malicious binaries using
signing certificate properties like the author does in the old blog
mentioned above.
Thank you :) I am new to ClamAV. Please forgive my ignorance.
Have a nice day, you all. :)
Regards,
Irshad Muhammad.