Hi there,
On Thu, 30 Sep 2021, Indranil via clamav-users wrote:
> I have downloaded ClamAV and verified the eicar test using clamscan
> on a Windows VM.
Please tell us exactly what you downloaded, what you installed it on,
and exactly how you installed it. Please also describe how you plan
to approach scanning in general terms - which will probably make it
easier to answer a number of questions which you haven't yet asked.
> It appears that the following detection capabilities are also
> enabled by default: bytecode, scan-mail, phishing-sigs,
> phishing-scan-urls, scan-pe, scan-elf, scan-pdf, scan-html.
The descriptions of capabilities which you have given resemble some
configuration and scanning options which I recognize, but they are
unsubtly different. The relevant options (in the configuration files
on your machine, and given on the command line) are in the official
ClamAV documentation:
https://docs.clamav.net/
For example there is a 'Bytecode' option in clamd.conf, but there is
no 'scan-mail' option that I know of - it is 'ScanMail'. Similarly,
there are 'PhishingSignatures' and 'PhishingScanURLs' options but not
those that you give, 'phishing-sigs' and 'phishing-scan-urls'. It
baffles me that people make such gratuitous changes, it must be very
confusing to newcomers. There are also quite a few other options
which you have not mentioned. There's a scanning daemon and a thing
called a 'milter' (another daemon) which is to scan mail on a mail
server; these are separate subsystems in their own right which may or
may not be installed and which will need to be separately configured.
You have not said whether or not you wish to use a daemon, but that is
one of the more fundamental decisions - see my first paragraph.
> Out of these options, I am able to test scan-pe, scan-elf, scan-pdf
> and scan-html using respective files.
Please explain exactly what you mean by 'test'.
> I have not been able to test the rest of the options such as
> bytecode, scan-mail, phishing-sigs and phishing-scan-urls. Could you
> please help with the method of verifying individual options.
Please read the official documentation at the link which I have given.
It is much easier to confirm that your configuration is as you wish
than to test that the code is doing what you might expect. Simply run
clamconf -n
and you should see the differences between your configuration and the
documented defaults. In any case the expectation is sometimes based
on wishful thinking, so please let us know what you expect from your
tests before you ask us to help you with an exercise which is poorly
defined and might well be open-ended.
> Also, when a threat is detected, does ClamAV report the type of the
> threat i.e. does ClamAV report that Threat1 is a "bytecode" threat,
> Threat2 is a "phishing-sigs" threat?
In a way it does, yes. It reports a string like "Something FOUND",
either at the command line or in some log. It may also report other
information such as how much data was scanned and the scan time, and
if you wish you can configure verbose logging, and temporary files to
be retained for later inspection. Be careful because these can use a
lot of storage space. The ClamAV 'sigtool' utility can help you to
investigate what was found.
Here are some examples from a mail server log of things "FOUND":
258 Porcupine.Junk.36046.UNOFFICIAL FOUND
312 YARA.Bank_rule.UNOFFICIAL FOUND
360 Win.Packed.Ratx-9895842-0 FOUND
366 Sanesecurity.Jurlbl.7e72e8.UNOFFICIAL FOUND
17353 YARA.Garbage_Spam_0006_Rule.UNOFFICIAL FOUND
Our mail server uses a milter (not the one available from ClamAV) to
pass incoming mail streams to the 'clamd' scanning daemon and write to
the logs. I have used OS tools to trawl the logs for September 2021.
The counts are the number of times that this particular kind of threat
was found in the incoming mail stream. As you can see, some lines are
marked as "UNOFFICIAL". This means that the threat was detected by a
signature from something other than the official ClamAV database. In
addition to the official signature databases, we use both our own Yara
rules and a number of third-party databases. These greatly extend the
usefulness of ClamAV in our situation. At the time of writing, there
are about 8.8 million signatures in our ClamAV database. Of those,
8.6 million are from the 'official' ClamAV databases and the rest are
'third party' and our own. There are 583 of our own Yara signatures.
As you see from the table, by a very large margin a single one of our
Yara sigs catches more spam than all the rest put together. That's
probably because we know a lot more about our spam profile than anyone
else does. ClamAV is by no means a 'fire and forget' munition, please
be aware that you are (hopefully) embarking on a journey of discovery.
ClamAV does not attempt to repair anything which it finds. It can be
instructed to remove, move or copy a suspect file. Please read the
warnings in the documentation and think *very* carefully before doing
anything like that, because if you aren't careful you will be a bigger
threat to your systems than the threats from which you are trying to
protect them.
> If I am scanning C:\Users\Indranil via clamscan (with recursive option)
> then does "C:\Users\Indranil\AppData\Local\Microsoft\Outlook" get tested for
> virus only if "scan-mail" option is on?
It isn't like that at all. ClamAV contains code which recognizes
different types of data. For example, it can tell if a file is an
archive (like a '.zip' file) or if a data stream appears to be a mail
message. ClamAV treats files and data streams in much the same ways.
It can and does scan selectively when it detects such things - certain
signatures only apply to certain kinds of data - which is mainly why I
have asked you to define 'test'. Some things happen in ways which you
might describe as 'behind the scenes', and you need to be very careful
about how you define tests. This probably means that you will need to
know a lot more about ClamAV's behaviour than you do now in order to
be able to test it.
HTH
--
73,
Ged.
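As an added example (not part of Ged's reply or of the ClamAV project), here is one way to "trawl the logs" for the "Something FOUND" lines described above and produce a per-signature count like the table in the message, with a second tally that separates official signatures from ".UNOFFICIAL" (third-party or local) ones. The log lines are constructed for this example in the clamd log format (timestamp, "->", path, signature, "FOUND"); the paths are placeholders, and the signature names are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: tally "<signature> FOUND" lines from a clamd/clamscan log.
# SAMPLE_LOG is constructed for this example; it is not real log data.
# Paths are placeholders; a line ending in "OK" is a clean scan and is ignored.
SAMPLE_LOG='Tue Sep 28 09:01:02 2021 -> /var/spool/mail/in/a1: YARA.Bank_rule.UNOFFICIAL FOUND
Tue Sep 28 09:01:09 2021 -> /var/spool/mail/in/a2: Win.Packed.Ratx-9895842-0 FOUND
Tue Sep 28 09:02:30 2021 -> /var/spool/mail/in/a3: YARA.Bank_rule.UNOFFICIAL FOUND
Tue Sep 28 09:03:11 2021 -> /var/spool/mail/in/a4: Porcupine.Junk.36046.UNOFFICIAL FOUND
Tue Sep 28 09:05:44 2021 -> /var/spool/mail/in/a5: OK
Tue Sep 28 09:06:00 2021 -> /var/spool/mail/in/a6: YARA.Bank_rule.UNOFFICIAL FOUND
Tue Sep 28 09:07:21 2021 -> /var/spool/mail/in/a7: Win.Packed.Ratx-9895842-0 FOUND'

# count_found: read a log on stdin and print "<count> <signature>" for each
# signature that was reported FOUND, most frequent first (ties sorted by name).
# The signature is always the field just before the trailing "FOUND".
count_found() {
    grep ' FOUND$' \
      | awk '{ print $(NF-1) }' \
      | sort | uniq -c \
      | awk '{ print $1, $2 }' \
      | sort -k1,1nr -k2,2
}

# total_by_source: print "official <n>" and "unofficial <n>" so you can see
# how much of the detection load comes from third-party or local signatures
# (those carry the ".UNOFFICIAL" suffix) versus the official ClamAV databases.
total_by_source() {
    grep ' FOUND$' \
      | awk '{ if ($(NF-1) ~ /\.UNOFFICIAL$/) u++; else o++ }
             END { printf "official %d\nunofficial %d\n", o + 0, u + 0 }'
}

# Stand-alone run on the constructed sample; on a real system you would
# feed the clamd log file (or clamscan output) on stdin instead.
printf '%s\n' "$SAMPLE_LOG" | count_found
printf '%s\n' "$SAMPLE_LOG" | total_by_source
```

On the sample this prints three counted signatures (3 for the YARA rule, 2 for the packed Win sample, 1 for the Porcupine rule) followed by "official 2" and "unofficial 4"; the same pipeline works on clamscan output, since it ends detections with the same "FOUND" token.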
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml