Mailing List Archive

[clamav-users] Detect Signed Malicious Binaries Using .CRB File Signature
Hi Guys,

I have multiple signed malware samples. I want to create a detection using the
certificate that is used to sign them. I came across an old blog post from the
ClamAV folks:
https://blog.clamav.net/2013/02/authenticode-certificate-chain.html
where the author creates a signature for the revoked certificate and adds
it to .crtdb to detect the signed malicious binary. Recent versions of
ClamAV don't recognize the .crtdb file; it seems to have been replaced by the .crb file.
In the documentation, I found this:

"The .crb format supports blacklist rule entries, but these cannot currently
be used as a basis for malware detection. Instead, as currently
implemented, these entries just override .crb rules which would otherwise
whitelist a given sample."
https://www.clamav.net/documents/microsoft-authenticode-signature-verification

My question is: is there any way to detect signed malicious binaries using
signing certificate properties, like the author does in the old blog post
mentioned above?

Thank you :) I am new to ClamAV. Please forgive my ignorance.

Have a nice day, you all. :)

Regards,
Irshad Muhammad.
Re: [clamav-users] Detect Signed Malicious Binaries Using .CRB File Signature
Irshad,

The recent ClamAV 0.102 release introduces (reintroduces?) the ability to
write blacklist .crb rules that cause a matching sample to be detected as
malicious without requiring other signatures to match. Updating the
documentation you highlighted is still on my TODO list, but it is true for
previous versions in the recent past. I too have wondered about that blog
post - I haven't checked to see if this functionality existed in the ClamAV
from 2013, but if so it must have been hindered at some point (and likely
went unnoticed, since blacklist .crb rules haven't seen much use).

Hope that helps! Let me know if you have any other questions.

-Andrew

Andrew Williams
Malware Research Team
Cisco Talos

On Mon, Oct 14, 2019 at 4:35 AM Irshad via clamav-users <
clamav-users@lists.clamav.net> wrote:
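As an added illustration (not from this thread or the ClamAV project), here is what the two kinds of .crb entry look like in the field layout ClamAV's signature documentation gives for the format, Name;Trusted;Subject;Serial;Pubkey;Exponent;CodeSign;TimeSign;CertSign;NotBefore;Comment. The certificate values are constructed placeholders; the second line is the blacklist form Andrew describes, which on 0.102 detects a sample signed by that certificate on its own, while the first line would instead whitelist it.

```text
Example.Vendor.Whitelist;1;<sha1-of-subject-dn-hex>;0123456789abcdef;<rsa-modulus-hex>;010001;1;0;0;0;trusted code-signing cert (placeholder values)
Win.Malware.BadSigner.Blacklist;0;<sha1-of-subject-dn-hex>;0123456789abcdef;<rsa-modulus-hex>;010001;1;0;0;0;abused code-signing cert (placeholder values)
```

Only the Trusted column differs between a whitelist and a blacklist entry; for a real sample the Subject hash, serial, modulus and exponent can be read from the Authenticode details that `sigtool --print-certs=FILE` prints, and the rule is loaded from a .crb file in the database directory.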
Re: [clamav-users] Detect Signed Malicious Binaries Using .CRB File Signature
Hi Andrew,
Thank you very much, it helps.

Regards,
Irshad.

On Mon, Oct 14, 2019 at 8:57 PM Andrew Williams <awillia2@sourcefire.com>
wrote: