[clamav-users] How to find string for a signature?
Kees Theunissen
C.J.Theunissen at differ.nl
Sat Oct 21 18:52:32 UTC 2017
On Sat, 21 Oct 2017, Eric Tykwinski wrote:
>clamscan TA17-293A_\ Advanced\ Persistent\ Threat\ Activity\ Targeting\ Energy\ and\ Other\ Critical\ Infrastructure\ Sectors.eml
>TA17-293A_ Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors.eml: OK
>
>----------- SCAN SUMMARY -----------
>Known viruses: 6320077
>Engine version: 0.99.2
>Scanned directories: 0
>Scanned files: 1
>Infected files: 0
>Data scanned: 0.30 MB
>Data read: 0.10 MB (ratio 3.08:1)
>Time: 11.661 sec (0 m 11 s)
>
>I definitely have that signature in ClamAV as well: PUA.Win.Trojan.Xored-1:3:*:63686172636f6465617428{-5}295e
>
>Perhaps amavisd is different in the way it scans?
The detection of PUAs is configurable.
Look for "PUA" in the clamscan and clamd.conf manpages.
$ clamscan us-cert-message
us-cert-message: OK
----------- SCAN SUMMARY -----------
Known viruses: 6519776
Engine version: 0.99
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.30 MB
Data read: 0.10 MB (ratio 3.08:1)
Time: 8.104 sec (0 m 8 s)
$ clamscan --detect-pua us-cert-message
us-cert-message: PUA.Win.Trojan.Xored-1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6525318
Engine version: 0.99
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.16 MB
Data read: 0.10 MB (ratio 1.68:1)
Time: 7.986 sec (0 m 7 s)
Regards,
Kees Theunissen.
--
Kees Theunissen, System and network manager, Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address: C.J.Theunissen at differ.nl
postal address: PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands
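The subject asks how to find the string a signature looks for. The hex body of the signature quoted above decodes to the literal bytes `charcodeat(`, then up to five arbitrary bytes (`{-5}`), then `)^`: the `s.charCodeAt(i)^k` idiom of XOR-decoding JavaScript, matched against the lowercased, normalized HTML part (target type 3, the second field). The following is an added example, not code from the thread or from the ClamAV project: it parses an .ndb line into its four fields, translates the hex body into a regex (handling `*`, `??`, nibble wildcards and the `{n}`, `{n-m}`, `{-m}`, `{n-}` forms) and runs it over two constructed snippets. The `normalize_html` helper is only a rough stand-in for ClamAV's HTML normalizer (an assumption: lowercase and collapsed whitespace), and the target-type table is the documented .ndb numbering.

```python
"""Decode a ClamAV .ndb body signature and check what it matches (added example)."""
import re
from typing import Optional

# Documented target types for the second field of an .ndb line.
TARGET_TYPES = {0: "any file", 1: "PE", 2: "OLE2", 3: "HTML (normalized)",
                4: "Mail", 5: "Graphics", 6: "ELF", 7: "ASCII text (normalized)"}

# The signature quoted in the thread.
SIG = "PUA.Win.Trojan.Xored-1:3:*:63686172636f6465617428{-5}295e"

# One token of a hex body: {n}/{n-m}/{-m}/{n-}, '*', '??', a nibble wildcard or a hex byte.
_TOKEN = re.compile(r"\{(\d*)(-?)(\d*)\}|\*|[0-9a-fA-F?]{2}")


def hexsig_to_regex(hexsig: str) -> bytes:
    """Translate the hex body of an .ndb signature into an equivalent bytes regex."""
    parts, pos = [], 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"unparsable hexsig at offset {pos}: {hexsig[pos:]!r}")
        pos = m.end()
        tok = m.group(0)
        if tok == "*":                      # any number of bytes
            parts.append(b".*")
        elif tok.startswith("{"):           # {n} exact, {n-m} range, {-m} at most, {n-} at least
            lo, dash, hi = m.groups()
            if not dash:
                parts.append(b".{%d}" % int(lo))
            else:
                parts.append(b".{%s,%s}" % (lo.encode() or b"0", hi.encode()))
        elif tok == "??":                   # any single byte
            parts.append(b".")
        elif "?" in tok:                    # nibble wildcard: 6? matches 0x60-0x6f, ?6 matches x6
            if tok[1] == "?":
                hi = int(tok[0], 16) << 4
                cand = range(hi, hi + 16)
            else:
                low = int(tok[1], 16)
                cand = (n << 4 | low for n in range(16))
            parts.append(b"[" + b"".join(re.escape(bytes([b])) for b in cand) + b"]")
        else:                               # literal byte
            parts.append(re.escape(bytes.fromhex(tok)))
    if pos != len(hexsig):
        raise ValueError(f"trailing garbage in hexsig: {hexsig[pos:]!r}")
    return b"".join(parts)


def parse_ndb(line: str) -> dict:
    """Split name:target:offset:hexsig and compile the body (DOTALL so '.' spans newlines)."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return {
        "name": name,
        "target": TARGET_TYPES.get(int(target), f"type {target}"),
        "offset": "anywhere" if offset == "*" else offset,
        "regex": re.compile(hexsig_to_regex(hexsig), re.DOTALL),
    }


def normalize_html(data: bytes) -> bytes:
    """Rough stand-in (assumption) for ClamAV's HTML normalizer: lowercase, collapse whitespace."""
    return re.sub(rb"\s+", b" ", data).lower()


def find_match(line: str, data: bytes) -> Optional[bytes]:
    """Return the bytes the signature matched in data, or None."""
    sig = parse_ndb(line)
    haystack = normalize_html(data) if "HTML" in sig["target"] else data
    m = sig["regex"].search(haystack)
    return m.group(0) if m else None


# Constructed samples: a compact XOR decoder loop, and a benign charCodeAt() use.
SAMPLE_XOR_JS = b"""<html><script>
var s = "\\x1e\\x0f\\x13", k = 0x7b, d = "";
for (var i = 0; i < s.length; i++)
  d += String.fromCharCode(s.charCodeAt(i)^k);
document.write(d);
</script></html>"""

SAMPLE_BENIGN_JS = b"""<html><script>
var c = s.charCodeAt(i) + 1;
</script></html>"""

if __name__ == "__main__":
    sig = parse_ndb(SIG)
    print(f"{sig['name']}: target={sig['target']}, offset={sig['offset']}")
    print("regex:", hexsig_to_regex(SIG.split(':', 3)[3]))
    print("xor sample:", find_match(SIG, SAMPLE_XOR_JS))
    print("benign sample:", find_match(SIG, SAMPLE_BENIGN_JS))
```

Note that the body requires `)` and `^` to be adjacent, so the same decoder written as `charCodeAt(i) ^ k` does not fire; and because the offset is `*` and the target is the normalized HTML, the signature is evaluated on the extracted HTML part of the .eml, which is why clamscan has to be allowed to report PUA signatures at all before any of this matters.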