[clamav-users] Can ClamAV detect LKM rootkits?

Al Varnell alvarnell at mac.com
Mon Dec 3 23:23:50 EST 2018


ClamAV will detect all forms of malware on all platforms that it is aware of. Thousands of samples of existing malware are received by them daily from a variety of sources, none more valuable than users like you.

Please submit Adore-ng to <http://www.clamav.net/reports/malware>.

Sent from my iPad

-Al-

On Dec 3, 2018, at 19:32, zhuangxiaohui wrote:
> Hey guys,
> 
> I've tested two types of rootkits with ClamAV.
> Adore-ng (kernel level) & Mafix (application level)
> 
> Well, the viruses implanted by Mafix were completely detected:
> /usr/bin/md5sum: Unix.Malware.Agent-6005569-0 FOUND
> /usr/bin/find: Win.Trojan.U-110 FOUND
> /usr/bin/pstree: Win.Trojan.Rootkit-5 FOUND
> /usr/bin/dir: Unix.Malware.Agent-1393952 FOUND
> /bin/ls: Unix.Malware.Agent-1393952 FOUND
> /sbin/ifconfig: Unix.Malware.Agent-1696070 FOUND
> /sbin/ttyload: Heuristics.Broken.Executable FOUND
> /sbin/ttymon: Win.Trojan.Linux-29 FOUND
> 
> But when I tested with Adore-ng, nothing was detected.
> And then I tested it with ESET (an anti-virus software) and it was detected.
> The virus name detected by ESET was "a variant of Linux/Rootkit.Adore.B
> Trojan"
> 
> So I wonder, can ClamAV detect LKM rootkits?
> Or would you mind telling me where I can find the virus list that ClamAV can
> detect?
> 
> Thank you,
> Zhuang