[clamav-users] Recommended workstation usage?
Joel Esler (jesler)
jesler at cisco.com
Wed Dec 20 14:53:12 UTC 2017
You may want to add “ELF….” to your count. Perhaps even “OSX….”
--
Joel Esler | Talos: Manager | jesler at cisco.com<mailto:jesler at cisco.com>
On Dec 20, 2017, at 7:02 AM, Maarten Broekman <maarten.broekman at gmail.com<mailto:maarten.broekman at gmail.com>> wrote:
There are far more than 31 signatures that have the potential to impact
Linux systems. There are, in truth, over 23,000 signatures that are able to
detect malware on Linux and Unix systems. Most "Linux" signatures only
contain the word Unix, however. Additionally, keep in mind that these are
only from the ClamAV provided databases. Sanesecurity and the Linux Malware
Detect project add more as well.
Of the official databases, the signatures break down like this for Unix
signatures:
1 [bytecode]
7386 [daily.hdb]
11640 [daily.hsb]
67 [daily.ldb]
11 [daily.ndb]
141 [main.hdb]
3445 [main.hsb]
5 [main.mdb]
426 [main.ndb]
2 [daily.ldb] <== These are noted by Al in his previous message.
Aside from the Win.* signatures, these are the major grouping of the
non-hash signatures:
1 Unix.Downloader
28 Unix.Exploit
1 Unix.Malware
1 Unix.Packer
6 Unix.Rootkit
311 Unix.Tool
144 Unix.Trojan
11 Unix.Worm
Of the hashes, there are about 50 different 'families' of Unix/Linux
related malware of varying specificity:
3 Unix.Adware.Bundlore
1 Unix.Adware.Bundloreca
9 Unix.Adware.Genieo
1 Unix.Adware.Installmiez
1 Unix.Adware.Macinst
1 Unix.Adware.Spigot
1 Unix.Adware.Xloader
1 Unix.Downloader.Amcleaner
1 Unix.Exploit.CVE_2016_8733
1 Unix.Exploit.CVE_2016_9032
1 Unix.Exploit.CVE_2016_9033
1 Unix.Exploit.CVE_2017_1000253
1 Unix.Exploit.Gingerbreak
1 Unix.Exploit.Iosjailbreak
1 Unix.Exploit.Lacksand
4 Unix.Exploit.Lotoor
1 Unix.Exploit.Powershell
1 Unix.Exploit.Remotesync
1 Unix.Exploit.Roothack
1 Unix.Exploit.TALOS_2016_0257
21777 Unix.Malware.Agent
1 Unix.Malware.Generic
1 Unix.Malware.Setag
4 Unix.Malware.Tsunami
1 Unix.Malware.Xorddos
1 Unix.Spyware.Opinionspy
1 Unix.Tool.Dnsamp
6 Unix.Tool.Dofloo
448 Unix.Tool.EQGRP
5 Unix.Tool.FakeAV
1 Unix.Tool.Flood
1 Unix.Tool.Zusy
137 Unix.Trojan.Agent
6 Unix.Trojan.Cornelgen
7 Unix.Trojan.Ddostf
13 Unix.Trojan.Dofloo
1 Unix.Trojan.Dogspectus
1 Unix.Trojan.Elknot
1 Unix.Trojan.Elzob
127 Unix.Trojan.Gafgyt
3 Unix.Trojan.Hanthie
3 Unix.Trojan.Mayday
24 Unix.Trojan.Mirai
2 Unix.Trojan.Small
7 Unix.Trojan.Tsunami
1 Unix.Trojan.Webshell
1 Unix.Trojan.Zonie
1 Unix.Virus.Zusy
1 Unix.Worm.Cheese
1 Unix.Worm.Darlloz
My suggestion is, yes. Run ClamAV. But don't rely on just the official
databases.
--Maarten
On Wed, Dec 20, 2017 at 4:09 AM, Al Varnell <alvarnell at mac.com<mailto:alvarnell at mac.com>> wrote:
FYI, there are 31 ClamAV signatures that contain the word "Linux". There
are currently almost 6.4 million ClamAV signatures in the database.
All but two are in main.ndb or main.hdb, meaning they are relatively old.
All but five start with Win.Trojan or Win.Exploit or Win.Tool so I'm not
clear on their relationship to Linux.
The two most recent ones are:
- Unix.Trojan.Linux_DDoS_93-2
- Unix.Trojan.Linux_DDoS_93-5364119-0
-Al-
On Wed, Dec 20, 2017 at 12:47 AM, Matus UHLAR - fantomas wrote:
On 19.12.17 12:44, Dan Rawson wrote:
I'm working on running clamav on my Linux workstation - NOT a server
environment. What is the recommended usage in that environment? clamd +
OnAccess? clamscan scheduled from cron?? clamdscan scheduled from cron??
I did search through the documentation but didn't see much addressing
"best practices" in a single machine environment.
I haven't seen Linux malware yet. Well, I've heard that it exists, but
haven't seen it (except hacking suites...)
what makes you think you need it?
-Al-
--
Al Varnell
Mountain View, CA
_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net<mailto:clamav-users at lists.clamav.net>
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
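As an added example (not code from anyone in this thread or from the ClamAV project), the tally below reproduces the kind of breakdown Maarten posted, with Joel's ELF and OSX prefixes included and Al's "contains the word Linux" count alongside it. It groups signature names by the platform prefix before the first dot, and by Platform.Category.Family after dropping the -id-revision suffix, which is the shape the names on this page have. The names in SAMPLE_SIGS are constructed for the example, not taken from a real database; the real input is `sigtool --list-sigs=FILE` run over the local database files, and the /var/lib/clamav path and daily.cld file name used in the usage note are assumptions that depend on the distribution.

```shell
#!/bin/sh
# Added example: tally ClamAV signature names by platform prefix and by family.
# Real input: sigtool --list-sigs=/var/lib/clamav/daily.cld (one name per line;
# the path and file name are assumptions, check your freshclam configuration).

# Constructed sample in ClamAV's Platform.Category.Family-ID-Revision form.
# These are NOT real signature names, just plausible shapes for the counters.
SAMPLE_SIGS='Unix.Trojan.Mirai-5617727-0
Unix.Trojan.Mirai-5617728-0
Unix.Trojan.Gafgyt-6310193-0
Unix.Tool.EQGRP-12
Unix.Malware.Agent-1234567
Unix.Exploit.CVE_2017_1000253-1
Win.Trojan.Agent-1
Win.Trojan.Linux_DDoS_93-2
Osx.Trojan.Gen-1
ELF.Trojan.Generic-1
Unix.Trojan.Linux_DDoS_93-5364119-0'

# count_by_platform: read signature names on stdin, print "count platform",
# most frequent first. The platform is the text before the first dot.
count_by_platform() {
  awk -F. '$1 != "" { n[$1]++ }
           END { for (p in n) print n[p], p }' | sort -k1,1nr -k2,2
}

# count_by_family: print "count Platform.Category.Family" for names whose
# platform field matches the ERE in $1, with the "-id-revision" tail removed
# so that all variants of one family land in one bucket.
count_by_family() {
  pattern="$1"
  awk -F. -v pat="$pattern" '
    $1 ~ pat && NF >= 3 {
      fam = $3
      sub(/-.*$/, "", fam)          # Mirai-5617727-0 -> Mirai
      n[$1 "." $2 "." fam]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# count_mentioning: the substring approach, names containing the word
# anywhere regardless of platform (this is what yields Win.* hits for "Linux").
count_mentioning() {
  grep -ic -- "$1"
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_SIGS" | count_by_platform
printf '%s\n' "$SAMPLE_SIGS" | count_by_family '^(Unix|ELF|Osx)$'
printf 'names containing "linux": %s\n' "$(printf '%s\n' "$SAMPLE_SIGS" | count_mentioning linux)"
```

To run it over the installed databases, replace the sample feed with something like `sigtool --list-sigs=/var/lib/clamav/daily.cld | count_by_family '^(Unix|ELF|Osx)$'`, once per .cvd/.cld file, and remember that hash-only databases (.hdb/.hsb) name the family but say nothing about what the sample does, so a large Unix.Malware.Agent bucket is a count of hashes, not of distinct threats.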