
[clamav-users] ClamAV vs WannaCry

Dear ClamAV Users,

I was looking after "Does ClamAV catch WannaCry malware?" on Google,
but I haven't found any significant answer about this.

Could you answer?

Thank you,
Ervin Wirth

Re: [clamav-users] ClamAV vs WannaCry
I'm a macOS user, so cannot give you a definitive answer, but at the time it was so common that I can't imagine that all necessary signatures for the original and all subsequent variants were added years ago.

I'm also under the impression that most versions of Windows OS have been patched to prevent it, including some that were End Of Life.

And kill switch domains were obtained for all but the most recent version, making those unable to encrypt or spread.

-Al-

> On Sep 11, 2020, at 04:08, Wirth Ervin via clamav-users <clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>> wrote:
>
> Dear ClamAV Users,
>
> I was looking after "Does ClamAV catch WannaCry malware?" on Google,
> but I haven't found any significant answer about this.
>
> Could you answer?
>
> Thank you,
> Ervin Wirth

Re: [clamav-users] ClamAV vs WannaCry
I am using Windows 7 (on notebook) and 10 (on PC).
When there was the worldwide peak of WannaCry,
it was interesting to see it mostly affected older Windows versions,
like 7 (at my workplace).

I was thinking to pick ClamAV, since I've seen that some popular AV
software like Malwarebytes (the first one that detected WannaCry)
put the Malware/Ransomware protection into their Premium package.

On 9/11/2020 2:14 PM, Al Varnell via clamav-users wrote:
> I'm a macOS user, so cannot give you a definitive answer, but at the
> time it was so common that I can't imagine that all necessary
> signatures for the original and all subsequent variants were added
> years ago.
>
> I'm also under the impression that most versions of Windows OS have
> been patched to prevent it, including some that were End Of Life.
>
> And kill switch domains were obtained for all but the most recent
> version, making those unable to encrypt or spread.
>
> -Al-
>
>> On Sep 11, 2020, at 04:08, Wirth Ervin via clamav-users
>> <clamav-users@lists.clamav.net
>> <mailto:clamav-users@lists.clamav.net>> wrote:
>>
>> Dear ClamAV Users,
>>
>> I was looking after "Does ClamAV catch WannaCry malware?" on Google,
>> but I haven't found any significant answer about this.
>>
>> Could you answer?
>>
>> Thank you,
>> Ervin Wirth
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

Re: [clamav-users] ClamAV vs WannaCry
Hi there,

On Fri, 11 Sep 2020, Wirth Ervin via clamav-users wrote:

> I was looking after "Does ClamAV catch WannaCry malware?" on Google,
> but I haven't found any significant answer about this.

The answer to your question is probably "yes, with qualifications".

One of those qualifications is that you haven't said how the malware
might be delivered to the systems which you're concerned about. If
ClamAV doesn't get to see the malware before it gets onto the systems
then it won't be able to do anything about it. At least on Windows,
ClamAV has no way to catch things on the fly and it behaves a bit like
the free version of a MalwareBytes product. You need to scan anything
which might be suspect before you put it on the potentially vulnerable
computer. If you're going to surf random Websites using a vulnerable
OS or browser, ClamAV isn't going to offer any security at all.

About the time that WannaCry was really active, I came across several
USB sticks in a drawer in a workshop on a client's premises. Any one
of them could have taken down the CNC plasma cutter, for which they'd
recently paid eighty grand. It was still running Windows XP, and its
manufacturer had neither installed anti-virus software nor changed the
firewall settings from the XP defaults. About the best I could do was
try to educate their staff, firewall the machine (jobs were sent to it
by Windows 7 workstations on the LAN), keep on top of the backups, and
sweep the workshop now and then for threats like those USB sticks. It
was a long way from ideal but it seems to have been enough.

If we ass-u-me that systems these days are either patched or protected
by other means, the WannaCry malware shouldn't now be a big worry to
anyone. There are more serious, active threats around. If you're
unfortunate enough to be dealing with a manufacturer like the one that
supplied that plasma cutter, or if you have legacy software preventing
upgrades to a supported version of Windows, you probably have a never-
ending task. People will sometimes run a vulnerable Windows OS in a
virtual machine, and take periodic snapshots to give them a fallback
position in case of the almost inevitable. It isn't a complete answer
but it can help you sleep more easily.

Asking "Does ClamAV catch WannaCry malware?" is rather like asking
"Do the police catch criminals?". There are many different criminals
and the police don't catch all of them. There can be many different
versions of any particular malware (sometimes they're referred to as
different "strains" of the same basic malware) and one of the things
that malware authors spend a lot of time on is hiding their product,
in more-and-more-creative ways, from the things designed to detect it.
Granted some of these people are script kiddies and don't make much of
an impact, but some of them are *really* good at what they do, so you
can't take anything for granted.

Here's a one-line command I just typed, output on the line below it:

$ grep -a -s -i wannacry databases/* | wc -l
550

A signature takes up one line in the signature database. The above
command used 'grep' to do a case-insensitive search for the string
'wannacry' in all the files in the ClamAV database directory on my
clamd server, and count the lines containing that string. I use a
number of third-party signature databases from several sources, so
from the above command I don't see information about which databases
contain which signatures. For a handle on that I can count the lines
per database:

$ grep -a -s -i wannacry databases/* | cut -d':' -f1 | uniq -c
     13 daily.cld
    537 malwarehash.hsb

So I see thirteen signatures in the 'official' ClamAV database, and 537
in the 'malwarehash' database from Sanesecurity. This tells me there
are many signatures somehow linked to the same basic WannaCry malware,
and presumably that means there's no particular limit to the ways in
which the malware might be hidden. No real surprise, miscreants have
been modifying their malware ever since their first arrest. But it
doesn't end there: there's no particular reason why a signature which
aims to match WannaCry will have a label which means anything at all
to the casual observer. Let me now look for 'ransom' in *just* the
official 'main' and 'daily' databases:

$ grep -i ransom databases/main* databases/daily* | wc -l
24184

Hmmmmmm. There are orders of magnitude more signatures which mention
'ransom' than there are which mention 'WannaCry'. Is there a reason
that you asked about WannaCry in particular?

> I am using Windows 7 (on notebook) and 10 (on PC). When there was
> the worldwide peak of WannaCry, it was interesting to see it mostly
> affected older Windows versions, like 7 (at my workplace).

The vulnerabilities exploited by WannaCry were patched in Windows 7
and other supported systems several months before it hit the fan. IT
security at your workplace appears to have been questionable at best.
Let's hope it's better now, but I wouldn't put my own money on it.

Speaking of money...

> I was thinking to pick ClamAV, since I've seen that some popular AV
> software like Malwarebytes (the first one that detected WannaCry) put
> the Malware/Ransomware protection into their Premium package.

have you estimated how much your systems are worth to you?

--

73,
Ged.

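The per-database count from the pipeline above, as an added example that is not code from the post or from ClamAV: a POSIX shell function wrapping `grep | cut | uniq -c`, run over a constructed sample signature directory. The function names (`count_sigs`, `matches_for`, `make_sample_db`) and the sample signature lines are assumptions of this example.

```shell
#!/bin/sh
# Added example: wraps the grep | cut | uniq -c pipeline from the post in
# a POSIX shell function and runs it over a constructed sample signature
# directory. Not part of ClamAV or of the original message.
set -eu

# count_sigs DIR KEYWORD
# Prints "<count> <database file>" for every file in DIR holding at least
# one case-insensitive match. grep -a treats the databases as text and -s
# hides read errors; grep groups output by file, so `uniq -c` alone works
# as in the post, but `sort` is added so the result never depends on the
# order in which the shell expands DIR/*.
count_sigs() {
    db_dir=$1
    keyword=$2
    grep -a -s -i "$keyword" "$db_dir"/* | cut -d':' -f1 | sort | uniq -c |
        while read -r n path; do
            printf '%s %s\n' "$n" "$(basename "$path")"
        done
}

# matches_for DIR KEYWORD DBFILE: the count for one database, 0 if none.
matches_for() {
    n=$(count_sigs "$1" "$2" | awk -v db="$3" '$2 == db { print $1 }')
    printf '%s\n' "${n:-0}"
}

# Builds a temporary directory of constructed signature lines: .ndb-style
# name:target:offset:hexsig lines in daily.cld and Sanesecurity-style
# sha256:size:name lines in malwarehash.hsb. Hashes and names are
# made-up placeholders, not real indicators. Prints the directory path.
make_sample_db() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/daily.cld" <<'EOF'
Win.Ransomware.WannaCry-1:1:*:4d5a9000
Win.Ransomware.Locky-2:1:*:4d5a9000
Win.Trojan.Generic-7:1:*:4d5a9000
EOF
    cat > "$sample_dir/malwarehash.hsb" <<'EOF'
0000000000000000000000000000000000000000000000000000000000000001:3514368:Sanesecurity.Malware.WannaCry.UNOFFICIAL
0000000000000000000000000000000000000000000000000000000000000002:3514368:Sanesecurity.Malware.Wannacry.UNOFFICIAL
0000000000000000000000000000000000000000000000000000000000000003:12345:Sanesecurity.Malware.Ransom.Generic.UNOFFICIAL
EOF
    printf '%s\n' "$sample_dir"
}

# Stand-alone run: same shape as the post's second command.
sample=$(make_sample_db)
count_sigs "$sample" wannacry
count_sigs "$sample" ransom
rm -r "$sample"
```

Point the function at a real database directory (e.g. the one clamd reads) to reproduce the post's counts; note that the search matches signature names, so as the post says, a family may be covered by signatures whose labels never mention it.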

Re: [clamav-users] ClamAV vs WannaCry
On 11.09.2020 13:08, Wirth Ervin via clamav-users wrote:
>
> Dear ClamAV Users,
>
> I was looking after "Does ClamAV catch WannaCry malware?" on Google,
> but I haven't found any significant answer about this.
>
> Could you answer?
>
> Thank you,
> Ervin Wirth


ClamAV might detect signatures of WannaCry malware, but would not be
able to protect against it, as it comes from outside; the OS must be
patched against it.

Re: [clamav-users] ClamAV vs WannaCry
Thank you for the professional answer; the numbers can count for something.
According to your answer, I assume that PC setup/configuration counts
like 80 %, and AV is like 20 % against threats.

> Then ClamAV’s On-Access Scanner will still function, scanning and
> alerting on files normally in real time. However, it will be unable to
> block access attempts on malicious files. We call this notify-only mode.
Source: https://www.clamav.net/documents/on-access-scanning/


Since you sound professional:
- Could you advise real-time protection software against
malware/ransom/virus etc.? (open-source or even commercial)

Thank you again,
Ervin




On 9/11/2020 5:05 PM, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Fri, 11 Sep 2020, Wirth Ervin via clamav-users wrote:
>
>> I was looking after "Does ClamAV catch WannaCry malware?" on Google,
>> but I haven't found any significant answer about this.
>
> The answer to your question is probably "yes, with qualifications".
>
> One of those qualifications is that you haven't said how the malware
> might be delivered to the systems which you're concerned about. If
> ClamAV doesn't get to see the malware before it gets onto the systems
> then it won't be able to do anything about it.  At least on Windows,
> ClamAV has no way to catch things on the fly and it behaves a bit like
> the free version of a MalwareBytes product.  You need to scan anything
> which might be suspect before you put it on the potentially vulnerable
> computer.  If you're going to surf random Websites using a vulnerable
> OS or browser, ClamAV isn't going to offer any security at all.
>
> About the time that WannaCry was really active, I came across several
> USB sticks in a drawer in a workshop on a client's premises.  Any one
> of them could have taken down the CNC plasma cutter, for which they'd
> recently paid eighty grand.  It was still running Windows XP, and its
> manufacturer had neither installed anti-virus software nor changed the
> firewall settings from the XP defaults.  About the best I could do was
> try to educate their staff, firewall the machine (jobs were sent to it
> by Windows 7 workstations on the LAN), keep on top of the backups, and
> sweep the workshop now and then for threats like those USB sticks.  It
> was a long way from ideal but it seems to have been enough.
>
> If we ass-u-me that systems these days are either patched or protected
> by other means, the WannaCry malware shouldn't now be a big worry to
> anyone.  There are more serious, active threats around.  If you're
> unfortunate enough to be dealing with a manufacturer like the one that
> supplied that plasma cutter, or if you have legacy software preventing
> upgrades to a supported version of Windows, you probably have a never-
> ending task.  People will sometimes run a vulnerable Windows OS in a
> virtual machine, and take periodic snapshots to give them a fallback
> position in case of the almost inevitable.  It isn't a complete answer
> but it can help you sleep more easily.
>
> Asking "Does ClamAV catch WannaCry malware?" is rather like asking
> "Do the police catch criminals?".  There are many different criminals
> and the police don't catch all of them.  There can be many different
> versions of any particular malware (sometimes they're referred to as
> different "strains" of the same basic malware) and one of the things
> that malware authors spend a lot of time on is hiding their product,
> in more-and-more-creative ways, from the things designed to detect it.
> Granted some of these people are script kiddies and don't make much of
> an impact, but some of them are *really* good at what they do, so you
> can't take anything for granted.
>
> Here's a one-line command I just typed, output on the line below it:
>
> $ grep -a -s -i wannacry databases/* | wc -l
> 550
>
> A signature takes up one line in the signature database.  The above
> command used 'grep' to do a case-insensitive search for the string
> 'wannacry' in all the files in the ClamAV database directory on my
> clamd server, and count the lines containing that string.  I use a
> number of third-party signature databases from several sources, so
> from the above command I don't see information about which databases
> contain which signatures.  For a handle on that I can count the lines
> per database:
>
> $ grep -a -s -i wannacry databases/* | cut -d':' -f1 | uniq -c
>      13 daily.cld
>     537 malwarehash.hsb
>
> So I see thirteen signatures in the 'official' ClamAV database, and 537
> in the 'malwarehash' database from Sanesecurity.  This tells me there
> are many signatures somehow linked to the same basic WannaCry malware,
> and presumably that means there's no particular limit to the ways in
> which the malware might be hidden.  No real surprise, miscreants have
> been modifying their malware ever since their first arrest.  But it
> doesn't end there: there's no particular reason why a signature which
> aims to match WannaCry will have a label which means anything at all
> to the casual observer.  Let me now look for 'ransom' in *just* the
> official 'main' and 'daily' databases:
>
> $ grep -i ransom databases/main* databases/daily* | wc -l
> 24184
>
> Hmmmmmm.  There are orders of magnitude more signatures which mention
> 'ransom' than there are which mention 'WannaCry'.  Is there a reason
> that you asked about WannaCry in particular?
>
>> I am using Windows 7 (on notebook) and 10 (on PC).  When there was
>> the worldwide peak of WannaCry, it was interesting to see it mostly
>> affected older Windows versions, like 7 (at my workplace).
>
> The vulnerabilities exploited by WannaCry were patched in Windows 7
> and other supported systems several months before it hit the fan. IT
> security at your workplace appears to have been questionable at best.
> Let's hope it's better now, but I wouldn't put my own money on it.
>
> Speaking of money...
>
>> I was thinking to pick ClamAV, since I've seen that some popular AV
>> software like Malwarebytes (the first one that detected WannaCry) put
>> the Malware/Ransomware protection into their Premium package.
>
> have you estimated how much your systems are worth to you?
>

Re: [clamav-users] ClamAV vs WannaCry
Hi there,

On Fri, 11 Sep 2020, Wirth Ervin via clamav-users wrote:

> According to your answer, I assume that PC setup/configuration count
> like 80 %, and AV is like 20 % against threats.

I wonder if you caught the meaning when I wrote
>> "If we ass-u-me that systems thesedays are ..."

We say here that to "assume" makes an "ass" out of "u" and "me". :)

It's impossible to put firm numbers on the relative contributions of
the many techniques which are used to prevent compromises by malware
without having a good understanding of the particular systems which
are being assessed, the way they're being used, the environments to
which they are exposed and the threats which they face as a result.
Even with all that information it's still difficult. But I believe
that many people engage in wishful thinking when it comes to AV and I
would never like to over-estimate the value of AV products. They're
often only as good as the user using them - sometimes not even that.
When a new threat appears, most of them completely fail to protect
against it, and for those that manage to it's often only by accident.
So if you rely 100% on AV products for protection you're going to be
disappointed, sooner or later. You need a multi-layered approach.

My feeling is that you first need to become familiar with the ways
that malware will attack systems. Perhaps surprisingly there aren't
many of those. Then you need to be familiar with the techniques that
are available for defence. There aren't many of those either. Then
you can look at the tools, packages and services which employ those
techniques and offer (or claim to offer) some kind of protection. As
a result of the abysmal failings of a few software companies (so few
that they can be counted on your fingers) there is now a huge global
industry devoted to producing such things, and the choices are quite
bewildering. There's even a small global industry producing _fake_
packages which - instead of protecting you from malware - install it.
Obviously you need to be sceptical or even cynical in your research.

> - Could you advise a real-time protecting software against
> malware/ransom/virus etc.? (open-source or even commercial)

You haven't said for which operating system, and using which software
packages. If it's Windows 7 then as it's now End Of Life my advice is
to stop using it for anything which exposes it to the Internet unless
you can obtain Microsoft's extended support. In more recent Windows
versions Microsoft has improved its own offering a great deal when you
compare it with their original approach - basically "now that you've
installed Windows, you must immediately install an anti-virus package
to protect it". Compared with ClamAV, Microsoft's offering does some
things which ClamAV doesn't do and doesn't do some things which ClamAV
does. So together, the two could make a good starting combination BUT
you need to do your homework so please re-read my previous paragraphs.
It isn't really appropriate for me to say more than that on this list.

--

73,
Ged.
