[Clamav-devel] ClamAV scanning

Andrew Camilleri andrew.camilleri at gmail.com
Fri Nov 7 12:11:44 EST 2014


Hi Brandon,

Many thanks for your reply. I totally agree with you on EICAR, but this
should not happen with Zeus. EICAR was only included as a test case i.e. to
make sure that static signatures are being checked...

Andrew

On 7 November 2014 17:06, Brandon Perry <bperry.volatile at gmail.com> wrote:

> EICAR should only ever be detected as is. It is specially made for testing
> AV, and AV has no use for detecting variations of it.
>
> On Fri, Nov 7, 2014 at 11:02 AM, Andrew Camilleri <andrew.camilleri at gmail.com> wrote:
>
> > Hi!
> >
> > I am totally new to ClamAV, so please excuse my ignorance.
> > I am looking at how AV scanning is done in general, but also specifically
> > in ClamAV. I came across this
> > <https://www.mail-archive.com/clamav-devel@lists.clamav.net/msg03096.html>
> > post, so I got that bit covered and won't repeat questions.
> > I am working on a WAF and we will use ClamAV for scanning traffic. I am
> > investigating the tolerance in correct classification with respect to
> > changes in malware binaries. To conduct my experiments I picked up the
> > EICAR "virus" and an actual virus, Zeus, from here
> > <https://github.com/Visgean/Zeus>. I noticed that if I change a single
> > character in EICAR, ClamAV will fail to detect it; I assume that this is
> > due to a static signature (correct me if I am wrong) associated with this
> > test virus; this seems like a perfectly good result to me. Next thing was
> > to scan Zeus (after a simple git clone) and it picks up a few trojans from
> > the ready-built binaries. I then changed the first byte of client32.bin
> > (one of the files that was marked as a trojan) and scanned it. The result
> > was that ClamAV did not recognize the trojan after this simple change. I
> > then changed another byte, the 32nd one to be precise, and scanned it. The
> > result was that ClamAV correctly classifies the binary as a Trojan. I was a
> > little surprised that a change in the first byte would "hide" the trojan
> > from scanning, especially since the first two bytes are completely useless
> > <http://en.wikipedia.org/wiki/Mark_Zbikowski> in terms of running a Windows
> > binary. My only explanation is that with the change, the file fails some
> > integrity check that ClamAV does, to make sure that the binary is runnable;
> > I am assuming that there isn't a static signature here, otherwise it would
> > not have been picked up with any change. I also did this test with zsb.exe
> > in the repo and I got the same results. Finally I performed the same tests
> > against McAfee and all these changes had no effect, i.e. the trojans were
> > always correctly classified. In the case of deltas to EICAR however, McAfee
> > did not recognize the "virus".
> > Could you please help me to understand the meaning of these results? Also,
> > is it possible to view the signature of a virus in the signature database?
> > I looked at the doc, but I couldn't find how to do this; but I may have
> > missed it and in that case sorry to ask this!
> >
> > Andrew
> > _______________________________________________
> > http://lurker.clamav.net/list/clamav-devel.html
> > Please submit your patches to our Bugzilla: http://bugs.clamav.net
> >
> > http://www.clamav.net/contact.html#ml
> >
>
>
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
>
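Editor's note on the byte-0 versus byte-32 result, with an added example that is not code from this thread or from ClamAV. ClamAV signatures in the .ndb body format carry a target type (0 = any file, 1 = PE), and a PE-targeted signature is only tried against a file that ClamAV's magic-based file typing has recognised as a PE, which starts with the "MZ" e_magic at offset 0. Byte 32 (0x20) falls inside the reserved e_res field of the DOS header, so changing it leaves the file typed as PE. A whole-file hash signature (.hdb) is a different case: any one-byte change defeats it, which matches the EICAR observation. The toy scanner below models that target-type rule; the sample buffer, the marker string and the signature names are constructed for this example, and the functions (`detect_type`, `parse_ndb`, `scan`, `flip_byte`, `run_experiment`) are mine, not ClamAV's API.

```python
"""
Added illustration (not code from the thread or from ClamAV): a toy scanner
that models why flipping byte 0 of a PE file hides a PE-targeted signature
while flipping byte 32 does not. The sample file, the signatures and the
marker string are all constructed for this example.
"""

# DOS/PE layout facts used here (from the PE format, not from the thread):
#   offset 0x00  e_magic  "MZ"
#   offset 0x1C  e_res    reserved, ignored by loaders (byte 32 = 0x20 lies here)
#   offset 0x3C  e_lfanew file offset of the "PE\0\0" signature
E_LFANEW = 0x3C

TARGET_NAMES = {0: "ANY", 1: "PE"}   # ndb target types: 0 = any file, 1 = PE


def build_sample_pe() -> bytes:
    """Constructed PE-like buffer: 64-byte DOS header, PE signature, then a body."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[E_LFANEW:E_LFANEW + 4] = (64).to_bytes(4, "little")   # PE header right after DOS header
    pe_header = b"PE\x00\x00" + b"\x4c\x01"                    # signature + Machine = i386
    body = b"\x00" * 16 + b"HYPOTHETICAL-PAYLOAD-MARKER" + b"\x00" * 16
    return bytes(dos) + pe_header + body


def detect_type(data: bytes) -> str:
    """Stand-in for magic-based file typing: 'PE' only if MZ and PE\\0\\0 line up."""
    if len(data) >= 0x40 and data[:2] == b"MZ":
        pe_off = int.from_bytes(data[E_LFANEW:E_LFANEW + 4], "little")
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "PE"
    return "ANY"


def parse_ndb(line: str) -> dict:
    """Parse the ndb layout Name:TargetType:Offset:HexSignature (no wildcards handled)."""
    name, target, offset, hexsig = line.strip().split(":")
    return {"name": name, "target": int(target), "offset": offset,
            "pattern": bytes.fromhex(hexsig)}


def scan(data: bytes, sigs: list) -> tuple:
    """Return (detected_type, [names of matching signatures])."""
    ftype = detect_type(data)
    hits = []
    for sig in sigs:
        # A signature with a specific target is only tried on files of that type;
        # target 0 is tried on everything. This is the rule that hides the
        # PE-targeted signature once byte 0 no longer reads "M".
        if sig["target"] != 0 and TARGET_NAMES.get(sig["target"]) != ftype:
            continue
        pat = sig["pattern"]
        if sig["offset"] == "*":
            found = pat in data
        else:
            off = int(sig["offset"])
            found = data[off:off + len(pat)] == pat
        if found:
            hits.append(sig["name"])
    return ftype, hits


def flip_byte(data: bytes, offset: int) -> bytes:
    """Return a copy of data with the byte at offset inverted."""
    out = bytearray(data)
    out[offset] ^= 0xFF
    return bytes(out)


MARKER = b"HYPOTHETICAL-PAYLOAD-MARKER"
# Constructed signatures: the same body pattern, once bound to PE files (target 1)
# and once to any file (target 0).
SIGNATURES = [parse_ndb(f"Test.Marker.PE:1:*:{MARKER.hex()}"),
              parse_ndb(f"Test.Marker.Any:0:*:{MARKER.hex()}")]


def run_experiment() -> dict:
    """Reproduce the thread's experiment: original, byte 0 flipped, byte 32 flipped."""
    original = build_sample_pe()
    results = {"original": scan(original, SIGNATURES)}
    for off in (0, 32):
        results[f"flip@{off}"] = scan(flip_byte(original, off), SIGNATURES)
    return results


if __name__ == "__main__":
    for label, (ftype, hits) in run_experiment().items():
        print(f"{label:10s} type={ftype:4s} hits={hits}")
```

Running it shows the original and the byte-32 variant typed as PE with both signatures firing, and the byte-0 variant typed as ANY with only the target-0 signature firing. On the second question in the thread, the signatures themselves can be read with sigtool: `sigtool --unpack main.cvd` (or daily.cvd) writes the plain .ndb/.hdb/.ldb files into the current directory, and `sigtool --find-sigs=REGEX` prints the signatures whose names match the expression, including their target type and offset fields.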


More information about the clamav-devel mailing list