Mailing List Archive

[clamav-users] Scan log parsing
Hello,
I'm completely new to ClamAV.
I am setting up ClamAV on one laptop located behind a VLAN and I don't have
the option to monitor the result.
Still I need to know the result of the scan, hence I decided to parse the
log.
My question: what string should I expect if the scan revealed any
suspicious activity ... like 'error' or 'fail' or 'infected' or etc.?
Any suggestion what gets into the log in case of infection?

Thanks
Re: [clamav-users] Scan log parsing
I think the word “FOUND” is used.



> On Feb 20, 2022, at 20:16, Eliya Voldman via clamav-users <clamav-users@lists.clamav.net> wrote:
Re: [clamav-users] Scan log parsing
Hi there,

On Sun, 20 Feb 2022, Eliya Voldman via clamav-users wrote:

> I'm completely new to ClamAV
> I am setting up ClamAV on one laptop located behind VLAN and I don't have
> the option to monitor result.

Please provide more information. Try to make me less suspicious.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Scan log parsing
Some more clarification:
The scan will be done daily on a laptop located in a VLAN without internet
access. Nevertheless the database will be updated daily via another server,
hence it'll be up to date.
The log will be stored locally.
I want to be notified by the end of the day if any infected file was found.
Hence I will 'grep' the log daily and search for the string 'FOUND'.
An email should notify me.
That's my plan.
Thanks

On Mon, Feb 21, 2022 at 3:37 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:



--
Eliya Voldman
Re: [clamav-users] Scan log parsing
Well I did a test scan and found this line in the log:

C:\Windows\SysWOW64\sechost.dll: Win.Trojan.Pemalform-9786579-0 FOUND
Does it mean that I could/should rely on 'FOUND', or should it be something
'more specific'?
Thanks again ..

On Mon, Feb 21, 2022 at 4:06 AM Eliya Voldman <evoldman@gmail.com> wrote:


--
Eliya Voldman
Re: [clamav-users] Scan log parsing
Hi there,

On Mon, 21 Feb 2022, Eliya Voldman via clamav-users wrote:

> ... found this line in the log:
>
> C:\Windows\SysWOW64\sechost.dll: Win.Trojan.Pemalform-9786579-0 FOUND

You should take positive action to investigate anything which gives a
result like this. It may mean that the computer has been compromised,
or it could be a false positive. I did a quick search and I didn't
find very much but I don't have all day to spend on it. Be aware that
different suppliers of threat information may call the *same* threats
by different names.

As this seems to be a fairly old signature, if it really is a false
positive, I'd almost have expected that it would have been mentioned
on this list by now. AFAICT it hasn't.

Here's the decoded signature:
8<----------------------------------------------------------------------
$ time sigtool --datadir=/EXPORTS/clamav/databases --find-sigs 'Win.Trojan.Pemalform-9786579-0' | sigtool --decode-sigs
VIRUS NAME: Win.Trojan.Pemalform-9786579-0
TDB: Engine:81-255,Target:1
LOGICAL EXPRESSION: 0&1&2&3&4
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: WIDE
+-> DECODED SUBSIGNATURE:
!"&)(<>=|%5C%5C.%5CMutex%5C
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: WIDE
+-> DECODED SUBSIGNATURE:
LastRunPercentFragmentation
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: WIDE
+-> DECODED SUBSIGNATURE:
\Registry\Machine\Software\Microsoft\SQMClient
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
ARSDS{Z,
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
)^72>x

real 2m16.854s
user 0m7.074s
sys 0m6.778s
8<----------------------------------------------------------------------

To me, because of all those 'ANY' offsets, it looks possible that this
*could* generate false positives - but I certainly wouldn't claim to be
an expert on the assessment of signature performance and I haven't even
looked at the content of the genuine file nor any malicious versions.

There's a lot of advice Out There. You could for example calculate
the MD5 digest of the file content and search for that (this is one of
the more efficient ways of looking for indicators) or you could submit
the file to the ClamAV team, and to any of a number of Websites which
collect malware, for analysis. You might want to install yet another
scanning tool on the computer to see if it agrees with ClamAV, but if
the threat is real, and the malicious actor is competent, the results
are likely to be unreliable. It might be better to take the file from
the affected computer and scan it elsewhere. There might be readers
on this mailing list who can provide the MD5 of the same file for you
to compare it with that for your file.
The main things to consider are that

(1) all this might be a storm in a teacup if it's a false positive

(2) this computer, apparently on a connection which does not permit
traffic from the Internet, might possibly be compromised

(3) if this computer is on the same firewalled network as other
computers, it might present a threat to those other computers - I'd
advise disconnecting it until you're sure one way or another

(4) if the computer is in fact compromised, my advice would be to wipe
it thoroughly, reinstall all software and data from known good sources
and then monitor it carefully in controlled conditions until it can be
confidently called 'clean' (given the prevalence of Windows malware,
that's quite a tall order for a Windows box at the best of times)

(5) if it's a real compromise you'll want to know how it got there,
and take steps to prevent it from happening again

(6) there are many Websites out there which will lie to you about
things like this, for example they will tell you that absolutely
anything you submit to them is a danger and that you need to pay them
money in order to fix the problem, or perhaps you should download the
version of the file that they provide; be careful what you believe.

> Does it mean that I could/should rely on 'FOUND' or it should be something
> 'more specific'?

A ClamAV scan normally gives the word 'FOUND' in the output which it
produces when something it scans matches a signature or a heuristic.
Whether that's enough for you to decide on what's been found depends on you
and to some extent on what you're looking at. For example if you have
files which contain the word 'FOUND' in their names, or in the names
of the directories which contain them, then yes, you might need to be
more specific. But we can't really tell you because we don't know
exactly what you're looking at. ClamAV is primarily a toolkit, and
how you use it is primarily up to you.

--
73,
Ged.

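The plan stated earlier in the thread (grep the daily log for FOUND and send mail) and Ged's caveat that a file or directory name can itself contain the word FOUND are both covered by the following added example. It is not code from the thread or from the ClamAV project. Instead of a bare word search it anchors on the exact line shape clamscan prints for a detection, `<path>: <signature> FOUND`, where the verdict is the last token of the line and is preceded by a signature name containing no spaces, and it cross-checks the `Infected files:` count from the scan summary so that a truncated log is reported rather than silently treated as clean. The log text, file paths and e-mail addresses are constructed for the example; the detection line quoted above is included as one of the inputs, next to two clean files whose names contain FOUND. Delivery of the message (SMTP relay reachable from the VLAN, credentials) depends on the deployment and is left out. clamscan's exit status (0 for no detection, 1 when infected files were found, 2 on error) is a simpler signal if the scheduler can capture it, but it does not say which files were hit, which the log parser does.

```python
"""Parse a clamscan log and decide whether to send an alert.

Added example, not code from the thread or from the ClamAV project.
SAMPLE_LOG is constructed for the example; it follows the
"<path>: <signature> FOUND" line shape clamscan prints for a detection.
"""
import re
from email.message import EmailMessage
from typing import Dict, List, Optional, Tuple

# Constructed input: the detection line from the thread, two clean files
# whose *names* contain FOUND, an EICAR test-file hit and an unreadable file.
SAMPLE_LOG = """\
C:\\Windows\\SysWOW64\\sechost.dll: Win.Trojan.Pemalform-9786579-0 FOUND
C:\\Users\\eliya\\Documents\\FOUND notes.txt: OK
C:\\Users\\eliya\\Downloads\\LOST AND FOUND\\readme.txt: OK
C:\\Users\\eliya\\Downloads\\eicar.com: Win.Test.EICAR_HDB-1 FOUND
C:\\Users\\eliya\\locked.bin: Can't access file ERROR

----------- SCAN SUMMARY -----------
Scanned directories: 3
Scanned files: 5
Infected files: 2
"""

# The verdict must be the last token and must follow ": <signature>" (no
# spaces in a signature name), so FOUND inside a path does not match.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
ERROR_RE = re.compile(r"^(?P<path>.+): (?P<msg>.+) ERROR$")
INFECTED_RE = re.compile(r"^Infected files: (?P<n>\d+)$")


def naive_grep_found(log: str) -> List[str]:
    """What `grep FOUND` returns: every line containing the word, decoys included."""
    return [line for line in log.splitlines() if "FOUND" in line]


def parse_clamscan_log(log: str) -> Dict[str, object]:
    """Extract detections, scan errors and the summary count from clamscan output."""
    found: List[Tuple[str, str]] = []
    errors: List[Tuple[str, str]] = []
    infected: Optional[int] = None
    for raw in log.splitlines():
        line = raw.rstrip()
        m = FOUND_RE.match(line)
        if m:
            found.append((m.group("path"), m.group("sig")))
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append((m.group("path"), m.group("msg")))
            continue
        m = INFECTED_RE.match(line)
        if m:
            infected = int(m.group("n"))
    return {"found": found, "errors": errors, "infected_files": infected}


def needs_alert(report: Dict[str, object]) -> bool:
    """Alert on any detection or scan error, and also when the log does not
    add up: no summary at all (truncated log, scan killed) or a summary
    count that differs from the detections actually parsed."""
    found = report["found"]
    infected = report["infected_files"]
    return bool(found or report["errors"]) or infected is None or infected != len(found)


def build_alert(report: Dict[str, object], sender: str, recipient: str) -> EmailMessage:
    """Compose the notification. Delivery (smtplib, a relay reachable from
    the VLAN) depends on the deployment and is not assumed here."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    n_found, n_err = len(report["found"]), len(report["errors"])
    msg["Subject"] = f"clamscan: {n_found} detection(s), {n_err} error(s)"
    lines = [f"{path}: {sig} FOUND" for path, sig in report["found"]]
    lines += [f"{path}: {why} ERROR" for path, why in report["errors"]]
    lines.append(f"Summary 'Infected files': {report['infected_files']}")
    msg.set_content("\n".join(lines))
    return msg


if __name__ == "__main__":
    rep = parse_clamscan_log(SAMPLE_LOG)
    print(f"grep FOUND would flag {len(naive_grep_found(SAMPLE_LOG))} lines, "
          f"the parser flags {len(rep['found'])} detection(s)")
    if needs_alert(rep):
        print(build_alert(rep, "clamav@laptop.invalid", "admin@example.invalid"))
```

On the constructed log a plain `grep FOUND` flags four lines, two of them clean files whose names contain the word; the anchored pattern flags the two real detections. Treating a missing or mismatched summary as an alert condition matters for an unattended daily job: a scan that is killed part-way or a log that is rotated mid-write would otherwise look exactly like a clean run.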
Re: [clamav-users] Scan log parsing
Thanks a lot for your explanation

On Mon, Feb 21, 2022 at 11:27 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:



--
Eliya Voldman
Re: [clamav-users] Scan log parsing
Hi Ged,
Your response is extremely valuable
Appreciate it
Btw what tool is 'time sigtool'? Should I try it on my Linux machine or
Windows?
Thanks
Eliya

On Mon, Feb 21, 2022 at 11:27 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:



--
Eliya Voldman
Re: [clamav-users] Scan log parsing
Hi there,

On Tue, 22 Feb 2022, Eliya Voldman via clamav-users wrote:

> Your response is extremely valuable

I'm very glad if it's helped. :)

> Btw what tool is 'time sigtool'? Should I try it on my Linux machine or
> Windows?

That's two tools. One (sigtool) is from the ClamAV suite, and is as
its name suggests a tool for working with signatures. The other one
(time) is a standard Unix/Linux utility which makes time measurements
while a command is running and prints the results. I did that just so
that you could see how long the command takes to run because sometimes
a sigtool command can take quite a while (in this case it was over two
minutes). If you'd copied what I typed, and were not expecting a long
delay, you might wonder while you're waiting if it's doing the things
it's supposed to be doing.

If you're using Windows then the time utility might not be available.
It isn't necessary to use it, as I said it was just for information,
but the sigtool command will probably still take a while to execute.
The computer I was using isn't a particularly quick one, 1.5GHz ARM7
(a Raspberry Pi4B+ with 4GBytes of RAM).

--

73,
Ged.
