[clamav-users] Can ClamAV detect LKM rootkits?

Micah Snyder (micasnyd) micasnyd at cisco.com
Tue Dec 4 11:33:36 EST 2018


Hi Zhuang,

You already mentioned kernel and application types of rootkits, so you probably already understand this - but I wanted to chime in since you specifically mentioned different types of rootkits.

The TL;DR is that ClamAV is not a rootkit detector, and does not inspect and scan the running memory of other processes.  ClamAV may alert on rootkits if signatures are written to detect rootkit-related files. As Al stated, please submit any malware to https://www.clamav.net/reports/malware if you find that ClamAV does not detect it.

With regards to rootkits:

Rootkits are a subcategory of malware that attempt to hide from users, antivirus, and the operating system by altering running processes or threads (kernel or user), or other supporting operating system structures to do things like:
* hide a malicious process or thread,
* hide network traffic from a network analyzer,
* hide files from file listings,
* etc.

A rootkit detector, or a security suite with rootkit detection and/or memory scanning features, may inspect kernel and application memory to find clues that reveal a rootkit. A traditional antivirus scanning software, like ClamAV, is different from a rootkit scanner or rootkit detector.  ClamAV may report that it has found a rootkit when scanning a file associated with a rootkit, but it doesn't have the features to inspect running kernel or user process memory to search for hidden processes or other clues that indicate the presence of a rootkit.

Cheers,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
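The hidden-process clue Micah describes is what a rootkit detector looks for and a file scanner does not. The Python script below is an added example, not ClamAV or Talos code, of one such host-side check on Linux: it compares the PIDs a directory listing of /proc shows (the view a process-hiding LKM filters, and the one ps and top rely on) against the PIDs the kernel confirms directly through kill() with signal 0, and excludes non-leader threads, which are legitimately absent from the listing. It assumes a Linux /proc layout and a readable /proc/sys/kernel/pid_max.

```python
import os

def listed_pids(proc="/proc"):
    """PIDs that a directory listing of /proc shows. This is the view a
    process-hiding rootkit typically filters (ps, top and ls all rely on it)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def pid_alive(pid):
    """Ask the kernel directly whether PID exists (signal 0 delivers nothing); EPERM still proves it is there."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def is_thread_group_leader(pid, proc="/proc"):
    """Non-leader threads also answer kill() and have an unlisted /proc/<tid>,
    so exclude them. If status is unreadable, keep the PID as suspicious."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        pass
    return True

def hidden_candidates(listed, alive):
    """Pure set comparison, kept separate from the system calls so it can be
    checked on constructed data: PIDs that are alive but missing from the listing."""
    return sorted(alive - listed)

def find_hidden_pids(max_pid=None, proc="/proc"):
    """Probe every PID up to pid_max and report those alive but unlisted.
    A process that exits between the two views is a false positive, so each
    hit is re-checked before it is reported."""
    if max_pid is None:
        with open(f"{proc}/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    alive = {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}
    hits = hidden_candidates(listed_pids(proc), alive)
    return [pid for pid in hits
            if pid_alive(pid) and pid not in listed_pids(proc)
            and is_thread_group_leader(pid, proc)]

if __name__ == "__main__":
    print("hidden PIDs:", find_hidden_pids() or "none (no process-hiding clue)")
```

Run it as root so EPERM never masks a result; a non-empty list is a clue to investigate, not proof of a rootkit, since processes in other PID namespaces are not visible to this check at all.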


On Dec 3, 2018, at 10:32 PM, zhuangxiaohui <zhuangxiaohui at ffcs.cn> wrote:

Hey guys,

I've tested two types of rootkits with ClamAV.
Adore-ng (kernel level) & Mafix (application level)

Well, the viruses implanted by Mafix were completely detected:
/usr/bin/md5sum: Unix.Malware.Agent-6005569-0 FOUND
/usr/bin/find: Win.Trojan.U-110 FOUND
/usr/bin/pstree: Win.Trojan.Rootkit-5 FOUND
/usr/bin/dir: Unix.Malware.Agent-1393952 FOUND
/bin/ls: Unix.Malware.Agent-1393952 FOUND
/sbin/ifconfig: Unix.Malware.Agent-1696070 FOUND
/sbin/ttyload: Heuristics.Broken.Executable FOUND
/sbin/ttymon: Win.Trojan.Linux-29 FOUND

But when I tested with Adore-ng, nothing was detected.
And then I tested it with ESET (an anti-virus software) and it was detected.
The virus name detected by ESET was "a variant of Linux/Rootkit.Adore.B Trojan".

So I wonder, can ClamAV detect LKM rootkits?
Or would you mind telling me where I can find the list of viruses that ClamAV can detect?

Thank you,
Zhuang
