[clamav-users] ssdeep and ClamAV

Dessalvi, Matteo M.Dessalvi at gsi.de
Thu Dec 13 04:52:09 EST 2018


Hi all.

I was wondering if there is the possibility of creating a signature DB using hashes extracted from SSDeep
(ref: https://ssdeep-project.github.io/ssdeep/index.html).

We are from time to time pestered by spam email with fake invoices as attachments, like the ones reported here:

https://www.virustotal.com/#/file/c7263a3bc477a376a40f703bbf250033499f8dc84bb08e9c976bd4914c823690/details
https://www.virustotal.com/#/file/908a15a9200d7676af884b8a90e5c913c44b1991712339ad86050cf53f7a2637/details

Indeed, one of these files is now recognized as 'Doc.Malware.Generic-6779191-0', but it took some time before this signature ended
up in the ClamAV DBs, and in the meantime some of these emails slipped through to the users. Before someone asks: yes, we are using
Sanesecurity signatures too, and recently I have started using the Sanesecurity.Badmacro DB too, but so far it has not helped.

What is interesting to me is that VT reported the same SSDeep hashes for both files, which I believe means that these macro
viruses are mostly the same. Looking into the ClamAV documentation, I believe there's no easy way to integrate hashes from
SSDeep into the AV engine itself. Has anyone considered this possibility, or is this unfeasible/useless?

Best regards,
Matteo
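For readers unfamiliar with what "the same SSDeep hashes" in the post above actually implies, here is an added example (not from the poster or the ssdeep project) showing how two ssdeep digests of the form `blocksize:chunk1:chunk2[,name]` are scored against each other. It is a simplified re-implementation modelled on the scoring logic in ssdeep's fuzzy.c and edit_dist.c; the constants and edit costs are assumptions taken from that source, and real matching should use libfuzzy (for example the ssdeep Python binding).

```python
# Added example (not from the original post): simplified re-implementation of
# ssdeep's digest comparison, modelled on the project's fuzzy.c/edit_dist.c.
# Constants and edit costs are assumptions taken from that source.
SPAMSUM_LENGTH = 64   # maximum length of a digest chunk
ROLLING_WINDOW = 7    # chunks must share a run this long to score at all
MIN_BLOCKSIZE = 3

def _eliminate_sequences(s):
    # collapse runs of more than three identical characters to three
    out = []
    for ch in s:
        if not (len(out) >= 3 and out[-1] == out[-2] == out[-3] == ch):
            out.append(ch)
    return "".join(out)

def _has_common_substring(s1, s2):
    return any(s1[i:i + ROLLING_WINDOW] in s2 for i in range(len(s1) - ROLLING_WINDOW + 1))

def _edit_distance(s1, s2):
    # weighted Levenshtein: insert/delete cost 1, substitution cost 2
    prev = list(range(len(s2) + 1))
    for i, c1 in enumerate(s1, 1):
        cur = [i]
        for j, c2 in enumerate(s2, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (0 if c1 == c2 else 2)))
        prev = cur
    return prev[-1]

def _score_chunks(s1, s2, block_size):
    s1, s2 = _eliminate_sequences(s1), _eliminate_sequences(s2)
    if not _has_common_substring(s1, s2):
        return 0
    score = _edit_distance(s1, s2) * SPAMSUM_LENGTH // (len(s1) + len(s2))
    score = 100 - 100 * score // SPAMSUM_LENGTH
    # a small block size may not claim more similarity than the shorter chunk supports
    if block_size < (99 + ROLLING_WINDOW) * MIN_BLOCKSIZE // ROLLING_WINDOW:
        score = min(score, block_size // MIN_BLOCKSIZE * min(len(s1), len(s2)))
    return max(score, 0)

def ssdeep_compare(d1, d2):
    # 0-100 similarity of two "blocksize:chunk1:chunk2[,name]" digests
    (bs1, a1, b1), (bs2, a2, b2) = d1.split(":", 2), d2.split(":", 2)
    bs1, bs2, b1, b2 = int(bs1), int(bs2), b1.split(",")[0], b2.split(",")[0]
    if bs1 == bs2:        # same block size: compare both chunk pairs
        return max(_score_chunks(a1, a2, bs1), _score_chunks(b1, b2, bs1 * 2))
    if bs1 == bs2 * 2:    # neighbouring block sizes: one chunk pair lines up
        return _score_chunks(a1, b2, bs1)
    if bs2 == bs1 * 2:
        return _score_chunks(b1, a2, bs2)
    return 0              # block sizes too far apart to be comparable
```

Digests whose block sizes differ by more than a factor of two score 0 regardless of content, which is why a fuzzy-hash "signature" has to be matched with a threshold rather than looked up exactly the way ClamAV's hash databases are.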


