[clamav-users] Recommended workstation usage?
Dan Rawson
drawson1 at earthlink.net
Wed Dec 20 13:05:26 UTC 2017
Maarten -
Great summary, thanks!
Dan
On 12/20/2017 07:02 AM, Maarten Broekman wrote:
> There are far more than 31 signatures that have the potential to impact
> Linux systems. There are, in truth, over 23,000 signatures that are able to
> detect malware on Linux and Unix systems. Most "Linux" signatures only
> contain the word Unix, however. Additionally, keep in mind that these are
> only from the ClamAV provided databases. Sanesecurity and the Linux Malware
> Detect project add more as well.
>
> Of the official databases, the signatures break down like this for Unix
> signatures:
> 1 [bytecode]
> 7386 [daily.hdb]
> 11640 [daily.hsb]
> 67 [daily.ldb]
> 11 [daily.ndb]
> 141 [main.hdb]
> 3445 [main.hsb]
> 5 [main.mdb]
> 426 [main.ndb]
> 2 [daily.ldb] <== These are noted by Al in his previous message.
>
> Aside from the Win.* signatures, these are the major groupings of the
> non-hash signatures:
> 1 Unix.Downloader
> 28 Unix.Exploit
> 1 Unix.Malware
> 1 Unix.Packer
> 6 Unix.Rootkit
> 311 Unix.Tool
> 144 Unix.Trojan
> 11 Unix.Worm
>
> Of the hashes, there are about 50 different 'families' of Unix/Linux
> related malware of varying specificity:
> 3 Unix.Adware.Bundlore
> 1 Unix.Adware.Bundloreca
> 9 Unix.Adware.Genieo
> 1 Unix.Adware.Installmiez
> 1 Unix.Adware.Macinst
> 1 Unix.Adware.Spigot
> 1 Unix.Adware.Xloader
> 1 Unix.Downloader.Amcleaner
> 1 Unix.Exploit.CVE_2016_8733
> 1 Unix.Exploit.CVE_2016_9032
> 1 Unix.Exploit.CVE_2016_9033
> 1 Unix.Exploit.CVE_2017_1000253
> 1 Unix.Exploit.Gingerbreak
> 1 Unix.Exploit.Iosjailbreak
> 1 Unix.Exploit.Lacksand
> 4 Unix.Exploit.Lotoor
> 1 Unix.Exploit.Powershell
> 1 Unix.Exploit.Remotesync
> 1 Unix.Exploit.Roothack
> 1 Unix.Exploit.TALOS_2016_0257
> 21777 Unix.Malware.Agent
> 1 Unix.Malware.Generic
> 1 Unix.Malware.Setag
> 4 Unix.Malware.Tsunami
> 1 Unix.Malware.Xorddos
> 1 Unix.Spyware.Opinionspy
> 1 Unix.Tool.Dnsamp
> 6 Unix.Tool.Dofloo
> 448 Unix.Tool.EQGRP
> 5 Unix.Tool.FakeAV
> 1 Unix.Tool.Flood
> 1 Unix.Tool.Zusy
> 137 Unix.Trojan.Agent
> 6 Unix.Trojan.Cornelgen
> 7 Unix.Trojan.Ddostf
> 13 Unix.Trojan.Dofloo
> 1 Unix.Trojan.Dogspectus
> 1 Unix.Trojan.Elknot
> 1 Unix.Trojan.Elzob
> 127 Unix.Trojan.Gafgyt
> 3 Unix.Trojan.Hanthie
> 3 Unix.Trojan.Mayday
> 24 Unix.Trojan.Mirai
> 2 Unix.Trojan.Small
> 7 Unix.Trojan.Tsunami
> 1 Unix.Trojan.Webshell
> 1 Unix.Trojan.Zonie
> 1 Unix.Virus.Zusy
> 1 Unix.Worm.Cheese
> 1 Unix.Worm.Darlloz
>
> My suggestion is, yes. Run ClamAV. But don't rely on just the official
> databases.
>
> --Maarten
>
> On Wed, Dec 20, 2017 at 4:09 AM, Al Varnell <alvarnell at mac.com> wrote:
>
>> FYI, there are 31 ClamAV signatures that contain the word "Linux". There
>> are currently almost 6.4 million ClamAV signatures in the database.
>>
>> All but two are in main.ndb or main.hdb, meaning they are relatively old.
>>
>> All but five start with Win.Trojan or Win.Exploit or Win.Tool so I'm not
>> clear on their relationship to Linux.
>>
>> The two most recent ones are:
>> - Unix.Trojan.Linux_DDoS_93-2
>> - Unix.Trojan.Linux_DDoS_93-5364119-0
>>
>> -Al-
>>
>> On Wed, Dec 20, 2017 at 12:47 AM, Matus UHLAR - fantomas wrote:
>>> On 19.12.17 12:44, Dan Rawson wrote:
>>>> I'm working on running clamav on my Linux workstation - NOT a server
>>>> environment. What is the recommended usage in that environment? clamd +
>>>> OnAccess? clamscan scheduled from cron?? clamdscan scheduled from cron??
>>>> I did search through the documentation but didn't see much addressing
>>>> "best practices" in a single machine environment.
>>> I haven't seen any Linux malware yet. Well, I've heard that it exists, but
>>> haven't seen it (except hacking suites...)
>>>
>>> What makes you think you need it?
>> -Al-
>> --
>> Al Varnell
>> Mountain View, CA
>>
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
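The per-family tallies Maarten quotes are what you get by listing signature names and grouping them by their dotted prefix. The POSIX shell snippet below is an added example (not code from any post in this thread or from the ClamAV project) that does that grouping over `sigtool --list-sigs` output, and also counts names containing the word "Linux", which is the number Al reported. The embedded sample signature names are constructed so the script runs offline; only `Unix.Trojan.Linux_DDoS_93-2` is taken from Al's message, the rest are made up.

```shell
#!/bin/sh
# Added example: tally ClamAV signature names by family the way the counts in
# this thread were produced. In real use feed it the output of
#   sigtool --list-sigs | tally_unix_families
# (sigtool ships with ClamAV). A constructed sample stands in below so the
# script runs without a signature database present.

# Constructed sample signature names (NOT real database contents, except the
# Linux_DDoS_93 entry, which is quoted from the thread).
SAMPLE_SIGS='Win.Trojan.Agent-123
Unix.Trojan.Mirai-5606032-0
Unix.Trojan.Mirai-5606033-0
Unix.Trojan.Gafgyt-1
Unix.Trojan.Linux_DDoS_93-2
Unix.Malware.Agent-1
Unix.Tool.EQGRP-7
Win.Exploit.Linux_Foo-1
Unix.Exploit.CVE_2017_1000253-1
Linux.Worm.Example-1'

# Reads signature names on stdin and prints "count family" per Unix.* family,
# most common first. The family is the first three dotted components with the
# trailing -nnn serial stripped, e.g. Unix.Trojan.Mirai-5606032-0 -> Unix.Trojan.Mirai.
tally_unix_families() {
    grep '^Unix\.' \
        | sed 's/-[0-9].*$//' \
        | cut -d. -f1-3 \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Reads signature names on stdin and prints how many contain "linux" in any
# case, regardless of the Win./Unix./Linux. platform prefix (Al's "31" count).
count_linux_keyword() {
    grep -ic 'linux' || true
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SIGS" | tally_unix_families
printf 'names containing "linux": %s\n' "$(printf '%s\n' "$SAMPLE_SIGS" | count_linux_keyword)"
```

Note that the keyword count and the Unix.* tally answer different questions: a name can start with Win. and still mention Linux, which is why Al's 31 and Maarten's 23,000-plus are not in conflict.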