[clamav-users] Block all "EXE/SRC" or MS-EXE/DLL file
Steve Basford
steveb_clamav at sanesecurity.com
Fri Feb 14 09:01:41 UTC 2014
> Need to write an anti virus that uses the NIST NSRL database and operate
> it as a white list based AV. The db contains some 100 million hashes of
> known good binary files. I tried to crowd fund to do this but no one was
> interested.
Disclaimer:
use at own risk, sold (for free) as seen/0 day warranty, do not use
on production systems etc...
Download this:
https://www.dropbox.com/s/dixgff1oteisy0d/unique.7z
It contains two files.
sanewhitelist.fp: 577,808 whitelist NIST hashes (exe/gz/msi/com/cab only)
sanestopexe.ndb : block exe only (need to add others)
clamscan --database=sanestopexe.ndb --database=sanewhitelist.fp *.exe
In other words:
Sanesecurity.POC.EXEBLOCK will detect ALL EXEs unless they are in the
sanewhitelist.fp database.
Just a POC ;)
Cheers,
Steve
Sanesecurity
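
Added example, not part of the original post and not Sanesecurity's own tooling: one way a whitelist like sanewhitelist.fp could be built from NSRL records, filtered to the extensions listed above and de-duplicated. It assumes the NSRL RDS 2.x NSRLFile.txt column layout and ClamAV's MD5:size:name hash-signature line format; the function name, the "NSRL." name prefix and the sample rows are constructed for illustration.

```python
import csv
import io
import re

# Extensions the post says the whitelist was limited to.
ALLOWED_EXT = {"exe", "gz", "msi", "com", "cab"}
HEX32 = re.compile(r"[0-9a-f]{32}")

# Constructed sample rows (hashes are made up), using the assumed
# NSRL RDS 2.x NSRLFile.txt column layout.
SAMPLE_NSRL = '''"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"1111111111111111111111111111111111111111","0123456789ABCDEF0123456789ABCDEF","AAAAAAAA","SETUP.EXE",1024,100,"WIN",""
"1111111111111111111111111111111111111111","0123456789ABCDEF0123456789ABCDEF","AAAAAAAA","setup.exe",1024,205,"WIN",""
"2222222222222222222222222222222222222222","00112233445566778899AABBCCDDEEFF","BBBBBBBB","README.TXT",300,100,"WIN",""
"3333333333333333333333333333333333333333","FEDCBA9876543210FEDCBA9876543210","CCCCCCCC","data.tar.gz",2048,310,"Linux",""
"4444444444444444444444444444444444444444","NOTAHASH","DDDDDDDD","bad.exe",512,100,"WIN",""
'''


def nsrl_to_fp(nsrl_csv, allowed_ext=ALLOWED_EXT):
    """Return sorted, de-duplicated ClamAV .fp lines (md5:size:name)."""
    entries = {}
    for row in csv.DictReader(nsrl_csv):
        name = row["FileName"]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in allowed_ext:
            continue
        md5 = row["MD5"].strip().lower()
        size = row["FileSize"].strip()
        # Skip malformed records instead of emitting a broken signature.
        if not HEX32.fullmatch(md5) or not size.isdigit():
            continue
        # Keep ':' and whitespace out of the name field so the
        # colon-separated line stays parseable.
        label = "NSRL." + re.sub(r"[^A-Za-z0-9._-]", "_", name)
        # NSRL lists the same file under many products; keep the first.
        entries.setdefault((md5, size), f"{md5}:{size}:{label}")
    return sorted(entries.values())


if __name__ == "__main__":
    for line in nsrl_to_fp(io.StringIO(SAMPLE_NSRL)):
        print(line)
```

The resulting lines can be saved to a .fp file and loaded next to the .ndb with the clamscan command shown in the post.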