[Clamav-devel] ClamAV scanning

Andrew Camilleri andrew.camilleri at gmail.com
Fri Nov 7 12:02:37 EST 2014


Hi!

I am totally new to ClamAV, so please excuse my ignorance.
I am looking at how AV scanning is done in general, but also specifically
in ClamAV. I came across this
<https://www.mail-archive.com/clamav-devel@lists.clamav.net/msg03096.html>
post, so I got that bit covered and won't repeat questions.
I am working on a WAF and we will use ClamAV for scanning traffic. I am
investigating the tolerance in correct classification with respect to
changes in malware binaries. To conduct my experiments I picked up the
EICAR "virus" and an actual virus, Zeus, from here
<https://github.com/Visgean/Zeus>. I noticed that if I change a single
character in EICAR, ClamAV will fail to detect it; I assume that this is
due to a static signature (correct me if I am wrong) associated with this
test virus; this seems like a perfectly good result to me. Next thing was
to scan Zeus (after a simple git clone) and it picks up a few trojans from
the ready built binaries. I then changed the first byte of client32.bin
(one of the files that was marked as a trojan) and scanned it. The result
was the ClamAV did not recognize the trojan from this simple change. I then
changed another byte, the 32nd one to be precise, and scanned it. The
result was that ClamAV correctly classifies the binary as a Trojan. I was a
little surprised that a change in the first byte would "hide" the trojan
from scanning, especially since the first two bytes are completely useless
<http://en.wikipedia.org/wiki/Mark_Zbikowski> in terms of running a windows
binary. My only explanation is that with the change, the file fails some
integrity check that ClamAV does, to make sure that the binary is runnable;
I am assuming that there isnt a static signature here, otherwise it would
not have been picked up with any change. I also did this test with zsb.exe
in the repo and I got the same results. Finally I performed the same tests
against McAffee and all these changes had no effect i.e. the trojans where
always correctly classified. In the case of deltas to EICAR however, McAfee
did not recognize the "virus".
Could you please help me to understand the meaning of these results? Also,
is it possible to view the signature of a virus in the signature database?
I looked at the doc, but I couldn't find how to do this; but I may have
missed it and in that case sorry to ask this!

Andrew



More information about the clamav-devel mailing list