[clamav-users] Way to access .cvd file
Hey folks,
I have been studying ClamAV recently and I am trying to see how the database works. So, is there any way to see what the data looks like in the .cvd file? Or how can I open the .cvd file in plain text?
Thanks
Jack
Re: [clamav-users] Way to access .cvd file
Hello Jack,

sigtool --unpack-current=daily


Le 31/08/2020 à 05:27, Gao Hui via clamav-users a écrit :

--
Cordialement / Best regards,

Arnaud Jacques
Gérant de SecuriteInfo.com

Téléphone : +33-(0)3.60.47.09.81
E-mail : aj@securiteinfo.com
Site web : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
Signatures for ClamAV antivirus : http://ow.ly/LqfdL

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Way to access .cvd file
Hi everyone,

This is a good question. I was curious what kind of signatures
safebrowsing.cvd has. I've also used something like
"sigtool --unpack=safebrowsing.cvd -u somefile".

Looking inside "somefile" I see something like:
S2:F:0001a4b9be5221cffadca82be04f8909357495f2d7fa6e038e5443444d581be8
S2:F:00042c895c912fd567afa35450cfe5d321d0d68eb3833156925c4e27d2c29aa2
S2:F:0006d4dcb0d939d725e676a9e68aaeb303e04478e6861d2a77469d1b6a0a0f7d

So basically I cannot run something like "sigtool
--find-sigs=signature | sigtool --decode-sigs" to see the exact code of
the signature, because the names are the same, in this case "S2".

Am I missing something?
Is there a way to see this, or are those somehow encrypted? I see that
during the unpacking another file called safebrowsing.info is created
and this one holds a signature inside.

---
Best regards,
Iulian Stan


On 2020-08-31 07:24, Arnaud Jacques wrote:

Re: [clamav-users] Way to access .cvd file
Hi there,

On Mon, 31 Aug 2020, iulian stan via clamav-users wrote:

> I am missing something ?

http://www.clamav.net/documents/clam-antivirus-user-manual

--

73,
Ged.

Re: [clamav-users] Way to access .cvd file
Dear Ged/all,

Your information did the trick. I couldn't have solved this mystery
without your genius link. To be fair, I presented all the information
and data without looking at the manual, and I knew the commands I posted
from the thin air that I was breathing.

Long story short, maybe this info is needed by other novices like me who
don't RTFM.

safebrowsing.cvd is created by Google and contains a .gdb file inside.
As the manual says (btw, the correct link is:
https://www.clamav.net/documents/phishsigs) it contains hashed URLs,
not encrypted ones like I thought in the beginning. Just because it is
SHA256 you cannot "decode" the original data, since there is no original
data inside (it is just a fixed string produced where the URL/data is
used as the seed).
Having said all of this, there is no way to use sigtool --decode-sigs to
retrieve the original data (like you do, for example, in *.ndb).
In the link provided by me it is also written, I quote:
"To see which hash/URL matched, look at the clamscan --debug output, and
look for the following strings: Looking up hash, prefix matched, and
Hash matched. Local whitelisting of .gdb entries can be done by creating
a local.gdb file, and adding a line S:W:<HASH>."

But to be fair, who is actually using clamscan or clamdscan with --debug
activated in production?



---
humbled and grateful for your great link,
Iulian



On 2020-08-31 12:35, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Mon, 31 Aug 2020, iulian stan via clamav-users wrote:
>
>> I am missing something ?
>
> http://www.clamav.net/documents/clam-antivirus-user-manual

Re: [clamav-users] Way to access .cvd file
I'm sure you are correct that few, if any, would use --debug routinely, but I would definitely do so if I had a need to whitelist a safebrowsing entry. OTOH, that database is quite dynamic with Google adding and deleting entries multiple times a day, so I would more likely want to take up any sort of FP results with Google directly.

You didn't mention the answer to your other question about the safebrowsing.info file which can be found at <https://www.clamav.net/documents/database-info>.

The format is simply:

name:size:sha256

-Al-

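Here is an added example, my own code rather than anything from ClamAV or this thread, tying together the formats discussed above: it parses S2:F: and S:W: lines from a .gdb file, shows how a local.gdb whitelist entry suppresses a match on a hashed URL (and why the stored hash cannot be turned back into the URL), and checks an unpacked file against the name:size:sha256 lines Al describes for the .info file. The sample entries are constructed, and hashing the raw URL string is a simplification of what ClamAV actually does before lookup.

```python
import hashlib
import re

HEX64 = re.compile(r"^[0-9a-f]{64}$")

def load_gdb(text):
    """Split .gdb lines into (blocked, whitelisted) sets of hex SHA-256 digests:
    S2:F:<hash> as seen in the thread, S:W:<hash> from a local.gdb whitelist."""
    blocked, allowed = set(), set()
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 3 or not HEX64.match(parts[2]):
            continue  # header, comment or malformed line
        if parts[1] == "W":
            allowed.add(parts[2])
        elif parts[1] == "F":
            blocked.add(parts[2])
    return blocked, allowed

def url_hash(url):
    # Assumption: hash the URL string as given. ClamAV canonicalises the URL and
    # hashes host/path variants before lookup, so this is a simplified model.
    return hashlib.sha256(url.encode()).hexdigest()

def lookup(url, blocked, allowed):
    """A whitelist entry wins over a block entry, which is what S:W: is for."""
    h = url_hash(url)
    if h in allowed:
        return "whitelisted"
    return "matched" if h in blocked else "clean"

def verify_info(info_text, files):
    """Check unpacked files against name:size:sha256 lines of a .info file."""
    result = {}
    for line in info_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 3 or not parts[1].isdigit() or not HEX64.match(parts[2]):
            continue  # e.g. the signature line, which has a different shape
        data = files.get(parts[0])
        result[parts[0]] = (data is not None and len(data) == int(parts[1])
                            and hashlib.sha256(data).hexdigest() == parts[2])
    return result

# Constructed sample data, not real safebrowsing entries.
BAD_URL, FP_URL = "http://phish.example/login", "http://legit.example/"
GDB_TEXT = "S2:F:%s\nS2:F:%s\n" % (url_hash(BAD_URL), url_hash(FP_URL))
LOCAL_GDB = "S:W:%s\n" % url_hash(FP_URL)  # local.gdb whitelisting the FP
INFO_TEXT = "safebrowsing.gdb:%d:%s\n" % (
    len(GDB_TEXT), hashlib.sha256(GDB_TEXT.encode()).hexdigest())
```

Because every entry is only a digest, the set can be searched for a URL you already have but never enumerated back into URLs, which is why --decode-sigs has nothing to decode here.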
Re: [clamav-users] Way to access .cvd file
Some additional details: we've had a couple of outstanding requests for a long time to print the URL information when phishing heuristics and safebrowsing signatures alert:
- https://bugzilla.clamav.net/show_bug.cgi?id=1600
- https://bugzilla.clamav.net/show_bug.cgi?id=11123

We added output in 0.103 to print the real-URL and display-URL when a phishing heuristic alerts, but have not added a similar feature for safebrowsing detections. I agree that it would be very helpful to know the source of such alerts when they occur. If there is anyone interested in contributing to the project, this might be a good one to work on.

It's probably also worth mentioning that Cisco-Talos no longer publishes updates to the safebrowsing database. Google changed their terms of service regarding commercial use of the safebrowsing API. Though we never made money off of our use of the safebrowsing API, we can no longer provide the data for public use since we don't know how it will be used. Instead, we open-sourced the tool that we used to generate the safebrowsing database so that others may use it with their own API in accordance with Google's terms of service. See https://blog.clamav.net/2020/06/the-future-of-clamav-safebrowsing.html for more details.

Regards,
Micah


-----Original Message-----
From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of Al Varnell via clamav-users
Sent: Monday, August 31, 2020 5:11 PM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Al Varnell <alvarnell@mac.com>
Subject: Re: [clamav-users] Way to access .cvd file
