[Clamav-devel] ClamAV scanning

Andrew Camilleri andrew.camilleri at gmail.com
Sat Nov 8 12:41:54 EST 2014


Hi Shawn!

Many thanks for replying. I see what you are saying and I agree with you to
a certain extent. Here is my thinking process. My understanding is that the
job of an AV is to detect malware, and this usually involves pattern
matching. Yes you are right, the malware needs to run, but really that is a
different concern, the OS concern, whereas the concern of an AV is
detection/matching. It is a little alarming to me the fact that I can
easily hide a virus by simply changing a single byte; with the right
context (in our case perhaps through a trivial transformation down the
stack) a virus can come back to life. Do you see my point? Again I am no
expert in this, but McAffee seems to agree with what I am saying. Besides
separation of concerns, you can also argue for robustness; virus writers
have tried all sort of complex schemes to hide their artefacts and this
feels like a legitimate way of achieving that.
So if I understand correctly, ClamAV tries to guess the type of the file?
What happens if it can't tell what it is?
Sorry to drive this point further, I really appreciate all the hard work
people put in this project! But I really need to understand how this works
in detail....

regards,

Andrew



On 7 November 2014 18:41, Shawn Webb <swebb at sourcefire.com> wrote:

> Hey Andrew,
>
> The reason why ClamAV failed to detect Zeus when you changed the first byte
> is because of file magic. When you changed the first byte, you changed the
> type of file ClamAV recognizes it as. In fact, if it's a PE file, then
> changing that first byte will cause Windows to not even execute the file.
> It could be that the 32nd byte carried no significance and therefore ClamAV
> was still able to detect the file as Zeus. So, when you change random data,
> you're changing the behavior of the applications that utilize that data,
> which is completely expected.
>
> Thanks,
>
> Shawn
>
> On Fri, Nov 7, 2014 at 12:11 PM, Andrew Camilleri <
> andrew.camilleri at gmail.com> wrote:
>
> > Hi Brandon,
> >
> > Many thanks for your reply. I totally agree with you on EICAR, but this
> > should not happen with Zeus. EICAR was only included as a test case i.e.
> to
> > make sure that static signatures are being checked...
> >
> > Andrew
> >
> > On 7 November 2014 17:06, Brandon Perry <bperry.volatile at gmail.com>
> wrote:
> >
> > > EICAR should only ever be detected as is. It is specially made for
> > testing
> > > AV, and AV has no use for detecting variations of it.
> > >
> > > On Fri, Nov 7, 2014 at 11:02 AM, Andrew Camilleri <
> > > andrew.camilleri at gmail.com> wrote:
> > >
> > > > Hi!
> > > >
> > > > I am totally new to ClamAV, so please excuse my ignorance.
> > > > I am looking at how AV scanning is done in general, but also
> > specifically
> > > > in ClamAV. I came across this
> > > > <
> > >
> https://www.mail-archive.com/clamav-devel@lists.clamav.net/msg03096.html
> > >
> > > > post, so I got that bit covered and won't repeat questions.
> > > > I am working on a WAF and we will use ClamAV for scanning traffic. I
> am
> > > > investigating the tolerance in correct classification with respect to
> > > > changes in malware binaries. To conduct my experiments I picked up
> the
> > > > EICAR "virus" and an actual virus, Zeus, from here
> > > > <https://github.com/Visgean/Zeus>. I noticed that if I change a
> single
> > > > character in EICAR, ClamAV will fail to detect it; I assume that this
> > is
> > > > due to a static signature (correct me if I am wrong) associated with
> > this
> > > > test virus; this seems like a perfectly good result to me. Next thing
> > was
> > > > to scan Zeus (after a simple git clone) and it picks up a few trojans
> > > from
> > > > the ready built binaries. I then changed the first byte of
> client32.bin
> > > > (one of the files that was marked as a trojan) and scanned it. The
> > result
> > > > was the ClamAV did not recognize the trojan from this simple change.
> I
> > > then
> > > > changed another byte, the 32nd one to be precise, and scanned it. The
> > > > result was that ClamAV correctly classifies the binary as a Trojan. I
> > > was a
> > > > little surprised that a change in the first byte would "hide" the
> > trojan
> > > > from scanning, especially since the first two bytes are completely
> > > useless
> > > > <http://en.wikipedia.org/wiki/Mark_Zbikowski> in terms of running a
> > > > windows
> > > > binary. My only explanation is that with the change, the file fails
> > some
> > > > integrity check that ClamAV does, to make sure that the binary is
> > > runnable;
> > > > I am assuming that there isnt a static signature here, otherwise it
> > would
> > > > not have been picked up with any change. I also did this test with
> > > zsb.exe
> > > > in the repo and I got the same results. Finally I performed the same
> > > tests
> > > > against McAffee and all these changes had no effect i.e. the trojans
> > > where
> > > > always correctly classified. In the case of deltas to EICAR however,
> > > McAfee
> > > > did not recognize the "virus".
> > > > Could you please help me to understand the meaning of these results?
> > > Also,
> > > > is it possible to view the signature of a virus in the signature
> > > database?
> > > > I looked at the doc, but I couldn't find how to do this; but I may
> have
> > > > missed it and in that case sorry to ask this!
> > > >
> > > > Andrew
> > > > _______________________________________________
> > > > http://lurker.clamav.net/list/clamav-devel.html
> > > > Please submit your patches to our Bugzilla: http://bugs.clamav.net
> > > >
> > > > http://www.clamav.net/contact.html#ml
> > > >
> > >
> > >
> > >
> > > --
> > > http://volatile-minds.blogspot.com -- blog
> > > http://www.volatileminds.net -- website
> > > _______________________________________________
> > > http://lurker.clamav.net/list/clamav-devel.html
> > > Please submit your patches to our Bugzilla: http://bugs.clamav.net
> > >
> > > http://www.clamav.net/contact.html#ml
> > >
> > _______________________________________________
> > http://lurker.clamav.net/list/clamav-devel.html
> > Please submit your patches to our Bugzilla: http://bugs.clamav.net
> >
> > http://www.clamav.net/contact.html#ml
> >
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>
> http://www.clamav.net/contact.html#ml
>


More information about the clamav-devel mailing list