[clamav-users] WSF viruses, and other issues
steveb_clamav at sanesecurity.com
Mon Oct 24 14:49:36 EDT 2016
phish.ndb, rogue.ndb for most malware,
See foxhole sigs for other levels of detection.
As well as .js, .wsf and .hta malware, now
seeing and detecting .lnk malware with an auto downloading PowerShell
command, which is nasty.
On 24 October 2016 17:57:52 "John T. Bryan" <john at johnbryan.us> wrote:
> I've been running ClamAV now for some years as the virus-checking plug-in on
> my main multi-client mail server. For a long time, I was very pleased with
> it and how easily I was able to integrate it into the custom software back
> when I first switched to it.
> Lately, however, ClamAV never seems to catch any of the viruses that are
> coming at my server. My custom-built spam-checking software is
> inadvertently catching the majority of them after ClamAV has passed them. I
> have noticed two primary patterns to the viruses that are coming through
> these days:
> * ZIP files containing a WSF (Windows Script File) and possibly some small
> distractor files
> As for the WSF files, my primary issue there is that ClamAV seems to refuse
> to check them at all; I have added literally hundreds of signatures for
> these to my local signatures file but ClamAV still does not identify them as
> viruses afterwards.
> mostly just by altering the names of variables in the script and similar
> obvious non-semantic alterations. The obfuscation is almost certainly being
> done by automated processes of some sort. As a result, even multiple copies
> of the same script produce different signatures due to the non-semantic
> changes in the script. I have added literally thousands of these to my
> signature files but, of course, I rarely see the same obfuscated version
> again and virtually none of them are getting caught.
> The only malware that is being consistently caught these days is stuff
> identified by the heuristics as OLE documents containing macros and spoofed
> domains; I have had about a dozen of those in the last 30 days. Alas, the
> spoofed domains checking produces almost as many false positives as real
> I dutifully send a copy of each new false negative that shows up on my
> server off to your evaluation team. I have no idea if you're even looking
> at them but I do send them. Hopefully that's helping.
> As a programmer myself, I understand the difficulty in identifying an
> obfuscated script, but is anything being done to address this? And what can
> be done about the WSF files that aren't being checked at all? Not that I
> expect it will matter much; the ones I have examined by hand appear to be
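The quoted message describes why per-sample signatures fail against scripts that are re-obfuscated by renaming variables and reshuffling whitespace and comments: every copy hashes differently. The example below, added here and not part of either message nor of ClamAV or Sanesecurity, shows one defender-side approach for a custom mail pipeline such as the one described: pull the script bodies out of a WSF's XML wrapper, alpha-rename user identifiers into canonical slots while keeping keywords, host objects and string literals, then hash the normalized token stream. Two variants that differ only in non-semantic edits produce the same fingerprint, while a script with a different structure does not. The WSF samples, the identifier table and the HOST_NAMES list are constructed for the demo and are assumptions, not a signature set.

```python
"""Structural fingerprinting of WSF script bodies (constructed demo, not ClamAV code)."""
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed, benign sample WSF: one JScript job that echoes a greeting.
WSF_A = """<?xml version="1.0"?>
<job id="main">
<script language="JScript">
// greeting demo
var shell = new ActiveXObject("WScript.Shell");
var msg = "hello";
function say(text) { WScript.Echo(text); }
say(msg);
</script>
</job>
"""

# Same script after the kind of non-semantic churn the thread describes:
# identifiers renamed, comment dropped, whitespace reshuffled.
WSF_B = """<?xml version="1.0"?>
<job id="main">
<script language="JScript">
var o1=new ActiveXObject("WScript.Shell");
var o2   = "hello";
function f3(p){
    WScript.Echo(p); }
f3(o2);
</script>
</job>
"""

# Structurally different script (an extra statement), so it should not collide.
WSF_C = """<?xml version="1.0"?>
<job id="main">
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
WScript.Sleep(1000);
var msg = "hello";
function say(text) { WScript.Echo(text); }
say(msg);
</script>
</job>
"""

# Minimal JScript lexer: comments and whitespace are dropped, strings and
# numbers kept verbatim, identifiers classified, everything else is punctuation.
TOKEN_RE = re.compile(r"""
    (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_$][A-Za-z0-9_$]*)
  | (?P<ws>\s+)
  | (?P<punct>[^\s])
""", re.VERBOSE | re.DOTALL)

KEYWORDS = {"var", "function", "return", "new", "if", "else", "for", "while",
            "true", "false", "null", "this", "typeof", "in", "do", "break",
            "continue", "try", "catch", "finally", "switch", "case", "default",
            "throw"}
# Assumed list of WSH host names kept as anchors (an attacker cannot rename these).
HOST_NAMES = {"WScript", "ActiveXObject", "Echo", "Shell", "CreateObject",
              "Run", "Sleep"}


def extract_scripts(wsf_text):
    """Return [(language, source)] for every <script> element in the WSF XML."""
    root = ET.fromstring(wsf_text)
    return [(el.get("language", ""), el.text or "") for el in root.iter("script")]


def normalize(script):
    """Alpha-rename user identifiers to ID0, ID1, ... in order of first use;
    drop comments and whitespace; keep keywords, host names, literals, punctuation."""
    names = {}
    out = []
    for m in TOKEN_RE.finditer(script):
        kind, tok = m.lastgroup, m.group()
        if kind in ("comment", "ws"):
            continue
        if kind == "ident" and tok not in KEYWORDS and tok not in HOST_NAMES:
            tok = names.setdefault(tok, f"ID{len(names)}")
        out.append(tok)
    return " ".join(out)


def raw_hash(wsf_text):
    """Plain file hash: changes with every re-obfuscation (the failing approach)."""
    return hashlib.sha256(wsf_text.encode()).hexdigest()


def fingerprint(wsf_text):
    """Hash of the normalized script bodies: stable across renaming/whitespace churn."""
    body = "\n".join(normalize(src) for _lang, src in extract_scripts(wsf_text))
    return hashlib.sha256(body.encode()).hexdigest()


if __name__ == "__main__":
    for label, sample in (("A", WSF_A), ("B", WSF_B), ("C", WSF_C)):
        print(label, "raw:", raw_hash(sample)[:16], "struct:", fingerprint(sample)[:16])
```

ClamAV's own .ndb/.hdb signatures match raw bytes or whole-file hashes, so a normalized fingerprint like this has to live in the custom pre-filter rather than in the signature database. The caveat is the one implied by the thread: the normalization only neutralizes identifier, comment and whitespace churn. Once the obfuscator also rewrites string literals or splits host-object names, the invariant tokens shrink and the fingerprint starts to diverge again, which is why sandbox or emulation-based detection tends to be layered on top.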