[Clamav-devel] ClamAV scanning

Shawn Webb swebb at sourcefire.com
Fri Nov 7 13:41:05 EST 2014


Hey Andrew,

The reason why ClamAV failed to detect Zeus when you changed the first byte
is because of file magic. When you changed the first byte, you changed the
type of file ClamAV recognizes it as. In fact, if it's a PE file, then
changing that first byte will cause Windows to not even execute the file.
It could be that the 32nd byte carried no significance and therefore ClamAV
was still able to detect the file as Zeus. So, when you change random data,
you're changing the behavior of the applications that utilize that data,
which is completely expected.

Thanks,

Shawn

On Fri, Nov 7, 2014 at 12:11 PM, Andrew Camilleri <
andrew.camilleri at gmail.com> wrote:

> Hi Brandon,
>
> Many thanks for your reply. I totally agree with you on EICAR, but this
> should not happen with Zeus. EICAR was only included as a test case i.e. to
> make sure that static signatures are being checked...
>
> Andrew
>
> On 7 November 2014 17:06, Brandon Perry <bperry.volatile at gmail.com> wrote:
>
> > EICAR should only ever be detected as is. It is specially made for testing
> > AV, and AV has no use for detecting variations of it.
> >
> > On Fri, Nov 7, 2014 at 11:02 AM, Andrew Camilleri <
> > andrew.camilleri at gmail.com> wrote:
> >
> > > Hi!
> > >
> > > I am totally new to ClamAV, so please excuse my ignorance.
> > > I am looking at how AV scanning is done in general, but also specifically
> > > in ClamAV. I came across this
> > > <https://www.mail-archive.com/clamav-devel@lists.clamav.net/msg03096.html>
> > > post, so I got that bit covered and won't repeat questions.
> > > I am working on a WAF and we will use ClamAV for scanning traffic. I am
> > > investigating the tolerance in correct classification with respect to
> > > changes in malware binaries. To conduct my experiments I picked up the
> > > EICAR "virus" and an actual virus, Zeus, from here
> > > <https://github.com/Visgean/Zeus>. I noticed that if I change a single
> > > character in EICAR, ClamAV will fail to detect it; I assume that this is
> > > due to a static signature (correct me if I am wrong) associated with this
> > > test virus; this seems like a perfectly good result to me. Next thing was
> > > to scan Zeus (after a simple git clone) and it picks up a few trojans from
> > > the ready built binaries. I then changed the first byte of client32.bin
> > > (one of the files that was marked as a trojan) and scanned it. The result
> > > was that ClamAV did not recognize the trojan from this simple change. I
> > > then changed another byte, the 32nd one to be precise, and scanned it. The
> > > result was that ClamAV correctly classifies the binary as a Trojan. I was a
> > > little surprised that a change in the first byte would "hide" the trojan
> > > from scanning, especially since the first two bytes are completely useless
> > > <http://en.wikipedia.org/wiki/Mark_Zbikowski> in terms of running a Windows
> > > binary. My only explanation is that with the change, the file fails some
> > > integrity check that ClamAV does, to make sure that the binary is runnable;
> > > I am assuming that there isn't a static signature here, otherwise it would
> > > not have been picked up with any change. I also did this test with zsb.exe
> > > in the repo and I got the same results. Finally I performed the same tests
> > > against McAfee and all these changes had no effect i.e. the trojans were
> > > always correctly classified. In the case of deltas to EICAR however, McAfee
> > > did not recognize the "virus".
> > > Could you please help me to understand the meaning of these results? Also,
> > > is it possible to view the signature of a virus in the signature database?
> > > I looked at the doc, but I couldn't find how to do this; but I may have
> > > missed it and in that case sorry to ask this!
> > >
> > > Andrew
> > > _______________________________________________
> > > http://lurker.clamav.net/list/clamav-devel.html
> > > Please submit your patches to our Bugzilla: http://bugs.clamav.net
> > >
> > > http://www.clamav.net/contact.html#ml
> > >
> >
> >
> >
> > --
> > http://volatile-minds.blogspot.com -- blog
> > http://www.volatileminds.net -- website
> >
>
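Shawn's point above is that signatures are gated on the file type the engine assigns from magic bytes, so a flipped first byte turns an "MZ" file into an unknown blob and PE-targeted signatures are never consulted, while a flipped byte inside the DOS header padding changes nothing the engine looks at. The toy scanner below is an added example written for this thread, not ClamAV's code. It borrows the shape of ClamAV's .ndb body signatures (Name:TargetType:Offset:HexSignature, where target type 0 applies to any file and 1 to PE files) and runs Andrew's three-variant experiment against a constructed MZ/PE-shaped blob that contains no real code. It also shows the defender-side check a WAF can add: a file whose MZ magic is wrong but whose e_lfanew still points at a valid "PE\0\0" signature is worth flagging as a damaged or tampered executable rather than passing it as an unknown type.

```python
"""Toy illustration of file-type-gated signature matching.

Added example for this thread, not ClamAV's own code. The signature layout
mimics ClamAV's .ndb idea (target type 0 = any file, 1 = PE) but the engine,
the "database" and the sample bytes are all constructed here.
"""
import struct

TARGET_ANY, TARGET_PE = 0, 1
MARKER = b"CONSTRUCTED_MARKER_1234"  # stand-in for a real body signature

# Signature "database": (name, target_type, hex pattern), .ndb-like.
PE_ONLY_DB = [("Toy.Trojan.PEgated", TARGET_PE, MARKER.hex())]
BOTH_DB = PE_ONLY_DB + [("Toy.Trojan.Generic", TARGET_ANY, MARKER.hex())]


def build_sample() -> bytes:
    """Constructed MZ/PE-shaped blob: DOS header, e_lfanew, 'PE\\0\\0', marker."""
    e_lfanew = 0x40
    dos_header = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    dos_header += struct.pack("<I", e_lfanew)  # e_lfanew lives at offset 0x3c
    body = b"PE\x00\x00" + b"\x00" * 20 + MARKER + b"\x00" * 16
    return bytes(dos_header) + body


def file_type(data: bytes) -> int:
    """Classify by magic, as an engine does before choosing signature sets."""
    return TARGET_PE if data[:2] == b"MZ" else TARGET_ANY


def scan(data: bytes, signatures) -> list:
    """Return the names of signatures that apply to this file type and match."""
    ftype = file_type(data)
    hits = []
    for name, target, hexsig in signatures:
        if target != TARGET_ANY and target != ftype:
            continue  # PE-only signature never runs against a non-PE blob
        if bytes.fromhex(hexsig) in data:
            hits.append(name)
    return hits


def mutate(data: bytes, offset: int) -> bytes:
    """Flip every bit of one byte, the kind of change Andrew made by hand."""
    buf = bytearray(data)
    buf[offset] ^= 0xFF
    return bytes(buf)


def looks_like_damaged_pe(data: bytes) -> bool:
    """Defender heuristic: MZ magic is wrong, yet e_lfanew points at 'PE\\0\\0'.

    Such a file cannot run on Windows, but its PE structure is intact, which
    is a reasonable thing for a gateway scanner to flag for review.
    """
    if len(data) < 0x40 or data[:2] == b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def experiment(signatures) -> dict:
    """Original file, first byte changed, 32nd byte (index 31) changed."""
    sample = build_sample()
    return {
        "original": scan(sample, signatures),
        "byte0_changed": scan(mutate(sample, 0), signatures),
        "byte32_changed": scan(mutate(sample, 31), signatures),
    }


if __name__ == "__main__":
    for label, db in (("PE-gated signature only", PE_ONLY_DB),
                      ("PE-gated plus generic signature", BOTH_DB)):
        print(label)
        for variant, hits in experiment(db).items():
            print(f"  {variant:15s} -> {hits or 'no detection'}")
    print("damaged-PE heuristic on byte0 variant:",
          looks_like_damaged_pe(mutate(build_sample(), 0)))
```

With the PE-only database the run reproduces what Andrew saw: the original and the byte-31 variant are detected, the byte-0 variant is not, because the engine no longer treats it as a PE file and the signature is skipped, not because the pattern is gone. Adding a target-type-0 signature catches the byte-0 variant again, at the cost of running that pattern against every file. For Andrew's other question, ClamAV's sigtool utility can unpack a .cvd database (sigtool --unpack) and list or search the signatures it contains (sigtool --list-sigs, sigtool --find-sigs), which is where the target type of a given signature can be read off.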