[clamav-users] ssdeep and ClamAV
Dessalvi, Matteo
M.Dessalvi at gsi.de
Thu Dec 13 09:52:09 UTC 2018
Hi all.
I was wondering if there is the possibility of creating a signature DB using hashes extracted from SSDeep
(ref: https://ssdeep-project.github.io/ssdeep/index.html).
We are from time to time pestered by spam email with fake invoices as attachments, like the ones reported here:
https://www.virustotal.com/#/file/c7263a3bc477a376a40f703bbf250033499f8dc84bb08e9c976bd4914c823690/details
https://www.virustotal.com/#/file/908a15a9200d7676af884b8a90e5c913c44b1991712339ad86050cf53f7a2637/details
Indeed, one of these files is now recognized as 'Doc.Malware.Generic-6779191-0', but it took some time before this signature ended up
in the ClamAV DBs, and in the meantime some of these emails slipped through to the users. Before someone asks: yes, we are using
Sanesecurity signatures too, and recently I have started to use the Sanesecurity.Badmacro DB too, but so far it did not help.
What is interesting for me is that VT reported the same SSDeep hashes for both files, which I believe means that these macro
viruses are mostly the same. Looking into the ClamAV documentation, I believe there's no easy way to integrate hashes from
SSDeep into the AV engine itself. Has anyone considered this possibility, or is this unfeasible/useless?
Best regards,
Matteo
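Since ClamAV itself offers no ssdeep signature type, the closest defensive equivalent is a small pre-filter on the mail gateway that scores an attachment's ssdeep hash against a locally kept blocklist of fuzzy hashes and only flags it above a similarity threshold. The following is an added example, not code from ClamAV, the ssdeep project or the poster: the scoring is a plain-Python re-implementation assumed to mirror ssdeep's published fuzzy_compare algorithm, the hash strings are constructed samples (not the real hashes of the two VirusTotal files), and producing the hash of an attachment is left to the ssdeep tool or the VirusTotal report.

```python
# Added example, not ClamAV or ssdeep code: assumed to mirror ssdeep's fuzzy_compare scoring.
SPAMSUM_LENGTH, ROLLING_WINDOW, MIN_BLOCKSIZE = 64, 7, 3

def _squeeze(s):
    # ssdeep drops runs longer than three identical characters before scoring
    out = []
    for ch in s:
        if len(out) >= 3 and out[-1] == out[-2] == out[-3] == ch:
            continue
        out.append(ch)
    return "".join(out)

def _edit_distance(a, b):
    # weighted Levenshtein: insert/delete cost 1, substitution cost 2
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]

def _score(s1, s2, block_size):
    s1, s2 = _squeeze(s1), _squeeze(s2)
    if len(s1) > SPAMSUM_LENGTH or len(s2) > SPAMSUM_LENGTH:
        return 0
    # at least one common 7-character window is required, otherwise no match at all
    if not any(s1[i:i + ROLLING_WINDOW] in s2 for i in range(len(s1) - ROLLING_WINDOW + 1)):
        return 0
    score = _edit_distance(s1, s2) * SPAMSUM_LENGTH // (len(s1) + len(s2))
    score = 100 - 100 * score // SPAMSUM_LENGTH
    if block_size >= (99 + ROLLING_WINDOW) // ROLLING_WINDOW * MIN_BLOCKSIZE:
        return score
    return min(score, block_size // MIN_BLOCKSIZE * min(len(s1), len(s2)))  # small blocks cap low

def compare(h1, h2):
    """Similarity 0..100 of two ssdeep hashes 'blocksize:chunk:doublechunk[,"name"]'."""
    bs1, a1, b1 = h1.split(",")[0].split(":", 2)
    bs2, a2, b2 = h2.split(",")[0].split(":", 2)
    bs1, bs2 = int(bs1), int(bs2)
    if bs1 == bs2 and (a1, b1) == (a2, b2):
        return 100                  # identical, as VirusTotal showed for the two invoices
    if bs1 == bs2:
        return max(_score(a1, a2, bs1), _score(b1, b2, bs1 * 2))
    if bs1 == bs2 * 2:
        return _score(a1, b2, bs1)  # only the double-size chunk of the smaller hash overlaps
    if bs2 == bs1 * 2:
        return _score(b1, a2, bs2)
    return 0                        # block sizes not comparable

def blocklist_match(sample_hash, blocklist, threshold=80):
    # best (score, entry) over the blocklist, or None if nothing reaches the threshold
    best = max(((compare(sample_hash, bad), bad) for bad in blocklist), default=(0, None))
    return best if best[0] >= threshold else None
```

For production use, the `ssdeep` PyPI bindings (`ssdeep.hash_from_file`, `ssdeep.compare`) give the same comparison from libfuzzy itself; the threshold and blocklist handling above apply unchanged.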