[clamav-users] Recommended workstation usage?
Alain Zidouemba
azidouemba at sourcefire.com
Wed Dec 20 15:59:39 UTC 2017
And... Pdf, Rtf, Doc, Xls, Ppt, Html, etc., and I could go on. There are
some vulnerabilities that affect applications across platforms. Something
to keep in mind.
Might be better to exclude "Win.", rather than choose what to include.
- Alain
On Wed, Dec 20, 2017 at 9:53 AM, Joel Esler (jesler) <jesler at cisco.com>
wrote:
> You may want to add “ELF….” to your count. Perhaps even “OSX….”
> --
> Joel Esler | Talos: Manager | jesler at cisco.com
>
> On Dec 20, 2017, at 7:02 AM, Maarten Broekman <maarten.broekman at gmail.com> wrote:
>
> There are far more than 31 signatures that have the potential to impact
> Linux systems. There are, in truth, over 23,000 signatures that are able to
> detect malware on Linux and Unix systems. Most "Linux" signatures only
> contain the word Unix, however. Additionally, keep in mind that these are
> only from the ClamAV provided databases. Sanesecurity and the Linux Malware
> Detect project add more as well.
>
> Of the official databases, the signatures break down like this for Unix
> signatures:
> 1 [bytecode]
> 7386 [daily.hdb]
> 11640 [daily.hsb]
> 67 [daily.ldb]
> 11 [daily.ndb]
> 141 [main.hdb]
> 3445 [main.hsb]
> 5 [main.mdb]
> 426 [main.ndb]
> 2 [daily.ldb] <== These are noted by Al in his previous message.
>
> Aside from the Win.* signatures, these are the major grouping of the
> non-hash signatures:
> 1 Unix.Downloader
> 28 Unix.Exploit
> 1 Unix.Malware
> 1 Unix.Packer
> 6 Unix.Rootkit
> 311 Unix.Tool
> 144 Unix.Trojan
> 11 Unix.Worm
>
> Of the hashes, there are about 50 different 'families' of Unix/Linux
> related malware of varying specificity:
> 3 Unix.Adware.Bundlore
> 1 Unix.Adware.Bundloreca
> 9 Unix.Adware.Genieo
> 1 Unix.Adware.Installmiez
> 1 Unix.Adware.Macinst
> 1 Unix.Adware.Spigot
> 1 Unix.Adware.Xloader
> 1 Unix.Downloader.Amcleaner
> 1 Unix.Exploit.CVE_2016_8733
> 1 Unix.Exploit.CVE_2016_9032
> 1 Unix.Exploit.CVE_2016_9033
> 1 Unix.Exploit.CVE_2017_1000253
> 1 Unix.Exploit.Gingerbreak
> 1 Unix.Exploit.Iosjailbreak
> 1 Unix.Exploit.Lacksand
> 4 Unix.Exploit.Lotoor
> 1 Unix.Exploit.Powershell
> 1 Unix.Exploit.Remotesync
> 1 Unix.Exploit.Roothack
> 1 Unix.Exploit.TALOS_2016_0257
> 21777 Unix.Malware.Agent
> 1 Unix.Malware.Generic
> 1 Unix.Malware.Setag
> 4 Unix.Malware.Tsunami
> 1 Unix.Malware.Xorddos
> 1 Unix.Spyware.Opinionspy
> 1 Unix.Tool.Dnsamp
> 6 Unix.Tool.Dofloo
> 448 Unix.Tool.EQGRP
> 5 Unix.Tool.FakeAV
> 1 Unix.Tool.Flood
> 1 Unix.Tool.Zusy
> 137 Unix.Trojan.Agent
> 6 Unix.Trojan.Cornelgen
> 7 Unix.Trojan.Ddostf
> 13 Unix.Trojan.Dofloo
> 1 Unix.Trojan.Dogspectus
> 1 Unix.Trojan.Elknot
> 1 Unix.Trojan.Elzob
> 127 Unix.Trojan.Gafgyt
> 3 Unix.Trojan.Hanthie
> 3 Unix.Trojan.Mayday
> 24 Unix.Trojan.Mirai
> 2 Unix.Trojan.Small
> 7 Unix.Trojan.Tsunami
> 1 Unix.Trojan.Webshell
> 1 Unix.Trojan.Zonie
> 1 Unix.Virus.Zusy
> 1 Unix.Worm.Cheese
> 1 Unix.Worm.Darlloz
>
> My suggestion is, yes. Run ClamAV. But don't rely on just the official
> databases.
>
> --Maarten
>
> On Wed, Dec 20, 2017 at 4:09 AM, Al Varnell <alvarnell at mac.com> wrote:
>
> FYI, there are 31 ClamAV signatures that contain the word "Linux". There
> are currently almost 6.4 million ClamAV signatures in the database.
>
> All but two are in main.ndb or main.hdb, meaning they are relatively old.
>
> All but five start with Win.Trojan or Win.Exploit or Win.Tool so I'm not
> clear on their relationship to Linux.
>
> The two most recent ones are:
> - Unix.Trojan.Linux_DDoS_93-2
> - Unix.Trojan.Linux_DDoS_93-5364119-0
>
> -Al-
>
> On Wed, Dec 20, 2017 at 12:47 AM, Matus UHLAR - fantomas wrote:
> On 19.12.17 12:44, Dan Rawson wrote:
> I'm working on running clamav on my Linux workstation - NOT a server
> environment. What is the recommended usage in that environment? clamd +
> OnAccess? clamscan scheduled from cron?? clamdscan scheduled from cron??
>
> I did search through the documentation but didn't see much addressing
> "best practices" in a single machine environment.
>
> I haven't seen Linux malware yet. Well, I've heard that it exists, but I
> haven't seen it (except a hacking suite...)
>
> What makes you think you need it?
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
>
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
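The counting that Al, Maarten, Joel and Alain do above (signatures per platform prefix, Unix.* families, and "everything except Win.") can be scripted against `sigtool --list-sigs`, which prints the names of every signature in the installed databases. The script below is an added example written for this page, not code from the thread or from the ClamAV project. It assumes ClamAV's Platform.Category.Family-Variant naming convention; the SAMPLE list is a constructed stand-in for `sigtool --list-sigs` output (the Linux_DDoS_93 name is from Al's message, the other names are illustrative and are not claimed to be real database entries).

```shell
#!/bin/sh
# Added example: count ClamAV signatures by platform prefix, the way the
# thread counts "Unix.", "Win.", "ELF." and "OSX." names. Assumes signature
# names follow ClamAV's Platform.Category.Family-Variant convention.
#
# Real usage against the installed databases (e.g. /var/lib/clamav):
#   sigtool --list-sigs | count_by_prefix
#   sigtool --list-sigs | count_non_win
#   sigtool --list-sigs | unix_families

# Print "count prefix" for every platform prefix, most common first.
count_by_prefix() {
    sed -n 's/^\([A-Za-z]*\)\..*/\1/p' | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Alain's approach: instead of picking prefixes to include, count everything
# that is not "Win." so cross-platform families (Pdf, Html, Doc, ...) stay in.
count_non_win() {
    grep -v '^Win\.' | grep -c '^[A-Za-z]*\.'
}

# Group Unix.* names into families: Platform.Category.Family with the
# "-variant" suffix dropped, as in Maarten's per-family table.
unix_families() {
    grep '^Unix\.' | cut -d. -f1-3 | cut -d- -f1 | sort | uniq -c |
        awk '{ print $1, $2 }'
}

# Constructed sample standing in for `sigtool --list-sigs` output. These are
# illustrative names for the demo, not actual database entries.
SAMPLE='Win.Trojan.Agent-12345
Unix.Trojan.Mirai-5555-0
Unix.Trojan.Linux_DDoS_93-2
Unix.Tool.EQGRP-1
Osx.Trojan.Generic-1
PUA.Win.Packer.Upx-1
Html.Exploit.CVE_2015_0001-1
Pdf.Exploit.CVE_2010_0188-1
Unix.Trojan.Mirai-5556-0
Win.Exploit.CVE_2017_0199-1'

echo "By platform prefix:"
printf '%s\n' "$SAMPLE" | count_by_prefix
echo "Non-Win signatures: $(printf '%s\n' "$SAMPLE" | count_non_win)"
echo "Unix families:"
printf '%s\n' "$SAMPLE" | unix_families
```

Replace the `printf ... "$SAMPLE"` pipelines with `sigtool --list-sigs` to run it against your own databases; on the sample, the prefix count puts Unix first (4), the non-Win count is 8, and Unix.Trojan.Mirai collapses to one family with 2 members. Note that a prefix count only says how many names start with a platform tag, not how many detections matter on a workstation: the Pdf/Html/Doc families Alain mentions are exactly the ones a "Unix." filter would miss.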