[Clamav-devel] ClamAV scanning
bperry.volatile at gmail.com
Fri Nov 7 12:06:47 EST 2014
EICAR should only ever be detected as is. It is specially made for testing
AV, and AV has no use for detecting variations of it.
On Fri, Nov 7, 2014 at 11:02 AM, Andrew Camilleri <andrew.camilleri at gmail.com> wrote:
> I am totally new to ClamAV, so please excuse my ignorance.
> I am looking at how AV scanning is done in general, but also specifically
> in ClamAV. I came across this
> post, so I got that bit covered and won't repeat questions.
> I am working on a WAF and we will use ClamAV for scanning traffic. I am
> investigating the tolerance in correct classification with respect to
> changes in malware binaries. To conduct my experiments I picked up the
> EICAR "virus" and an actual virus, Zeus, from here
> <https://github.com/Visgean/Zeus>. I noticed that if I change a single
> character in EICAR, ClamAV will fail to detect it; I assume that this is
> due to a static signature (correct me if I am wrong) associated with this
> test virus; this seems like a perfectly good result to me. Next thing was
> to scan Zeus (after a simple git clone) and it picks up a few trojans from
> the ready built binaries. I then changed the first byte of client32.bin
> (one of the files that was marked as a trojan) and scanned it. The result
> was that ClamAV did not recognize the trojan from this simple change. I then
> changed another byte, the 32nd one to be precise, and scanned it. The
> result was that ClamAV correctly classifies the binary as a Trojan. I was a
> little surprised that a change in the first byte would "hide" the trojan
> from scanning, especially since the first two bytes are completely useless
> <http://en.wikipedia.org/wiki/Mark_Zbikowski> in terms of running a
> binary. My only explanation is that with the change, the file fails some
> integrity check that ClamAV does, to make sure that the binary is runnable;
> I am assuming that there isn't a static signature here, otherwise it would
> not have been picked up with any change. I also did this test with zsb.exe
> in the repo and I got the same results. Finally I performed the same tests
> against McAfee and all these changes had no effect, i.e. the trojans were
> always correctly classified. In the case of deltas to EICAR however, McAfee
> did not recognize the "virus".
> Could you please help me to understand the meaning of these results? Also,
> is it possible to view the signature of a virus in the signature database?
> I looked at the doc, but I couldn't find how to do this; but I may have
> missed it and in that case sorry to ask this!
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
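The behaviours described in the thread (EICAR only matching verbatim, a body signature surviving a change at byte 32 but not at byte 1) can be illustrated with a toy scanner. The following is an added example, not code from the list or from ClamAV itself: the three signature kinds are simplified stand-ins for the real database formats, the "trojan" sample is a constructed byte string rather than any real malware, and the "MZ" file-type gate is one plausible reading of the first-byte observation (the poster's own hypothesis), not a statement of how ClamAV's engine is implemented. The EICAR string is assembled from two halves so that this source file is not itself flagged by scanners that match the full string. (For the second question in the thread, ClamAV's database files can be unpacked for inspection with `sigtool --unpack`.)

```python
"""Toy signature scanner illustrating the detection behaviours discussed
in the thread. Constructed example: the signature formats below are
simplified stand-ins, not ClamAV's real .hdb/.ndb syntax, and the sample
'PE' is a made-up byte string."""
import hashlib

# EICAR test string, assembled from two halves so this source file does
# not itself get flagged by scanners that match the full 68-byte string.
EICAR_BYTES = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" +
               b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Constructed stand-in for a PE sample: 'MZ' DOS header magic, filler,
# and a made-up byte sequence at offset 0x40 that the body signature keys on.
MARKER = bytes.fromhex("e8000000005b81eb")  # constructed "code" bytes
SAMPLE_PE = b"MZ" + b"\x90" * 62 + MARKER + b"\x00" * 64


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Each signature is a (name, matcher) pair; names are illustrative.
def exact_sig(name, needle):
    """Whole-file match: the file must consist of exactly these bytes
    (trailing whitespace ignored, as the EICAR specification allows).
    Any change to a single character breaks the match."""
    return name, lambda data: data.rstrip(b" \r\n\t") == needle


def hash_sig(name, digest, size):
    """Hash-based match (hdb-style md5 + size): any one-byte change
    anywhere in the file breaks it."""
    return name, lambda data: len(data) == size and md5_hex(data) == digest


def pe_body_sig(name, pattern):
    """Body pattern gated on file type: evaluated only when the file
    looks like a PE (starts with 'MZ'). A corrupted first byte therefore
    skips the check entirely, while a change elsewhere in the filler
    leaves the pattern intact."""
    return name, lambda data: data[:2] == b"MZ" and pattern in data


SIGNATURES = [
    exact_sig("Eicar-Test-Signature", EICAR_BYTES),
    hash_sig("Constructed.Trojan.Hash", md5_hex(SAMPLE_PE), len(SAMPLE_PE)),
    pe_body_sig("Constructed.Trojan.Body", MARKER),
]


def scan(data: bytes) -> list:
    """Return the names of all signatures that match `data`, in database order."""
    return [name for name, match in SIGNATURES if match(data)]


def flip_byte(data: bytes, index: int) -> bytes:
    """Return a copy of `data` with one byte altered, reproducing the
    'change a single byte' experiments from the thread."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    cases = {
        "EICAR, unmodified": EICAR_BYTES,
        "EICAR, one char changed": flip_byte(EICAR_BYTES, 10),
        "sample, unmodified": SAMPLE_PE,
        "sample, first byte changed": flip_byte(SAMPLE_PE, 0),
        "sample, 32nd byte changed": flip_byte(SAMPLE_PE, 31),
    }
    for label, data in cases.items():
        print(f"{label:28s} -> {scan(data)}")
```

Running it shows the pattern from the thread: the unmodified sample hits both the hash and the body signature, changing byte 32 drops only the hash hit, and changing byte 1 drops both because the file no longer passes the file-type gate. The practical lesson for anyone relying on a scanner in front of a WAF is that hash and exact-match signatures (EICAR included) give no tolerance to modification by design, so detection coverage should be judged on the body and heuristic signatures, not on whether a test string survives edits.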