[clamav-users] using clamav to detect unwanted data exfiltration programs (e.g., Dropbox)?

Paul Kosinski clamav-users at iment.com
Thu Feb 15 23:03:09 UTC 2018


Perhaps it would be more effective simply to block access (in the
firewall) to sites like Dropbox. In any case, it might improve "legal
security" to add such blocking to the firewall, or perhaps your local
DNS forwarding server.

P.S. Note that site blocking works even for encrypted connections, if
direct (although not for encrypted VPNs).


On Thu, 15 Feb 2018 15:34:17 -0500
James Ralston <ralston at pobox.com> wrote:

> Has anyone experimented with using clamav to detect PUAs (potentially
> unwanted executables) beyond what clamav already can detect? If so, do
> you have any advice?
> 
> For legal reasons, we prohibit cloud-based file storage technologies
> like Dropbox. On our Windows systems, we can prohibit Dropbox via
> AppLocker, but for Linux, it's not so easy.
> 
> Since we regularly scan our systems with clamav anyway, creating
> clamav signatures to detect Dropbox scripts and executables seems like
> a reasonable approach.
> 
> Looking for the "dropbox_client_start" symbol seems like it will
> detect the nautilus extension:
> 
> $ dd if=libnautilus-dropbox.so bs=1c skip=5412 count=22 2>/dev/null | od -a
> 0000000 nul   d   r   o   p   b   o   x   _   c   l   i   e   n   t   _
> 0000020   s   t   a   r   t nul
> 0000026
> 
> So, to create a signature out of that:
> 
> PUA.Elf.Dropbox.A:6:*:0064726f70626f785f636c69656e745f737461727400
> 
> For the /usr/bin/dropbox Python script, looking for the
> opener.addheaders string followed closely by the
> DropboxLinuxDownloader string seems like a good strategy:
> 
> $ tail -n +213 dropbox | head -4
> def download_file_chunk(url, buf):
>     opener = urllib2.build_opener()
>     opener.addheaders = [('User-Agent', "DropboxLinuxDownloader/2015.10.28")]
>     sock = opener.open(url)
> 
> PUA.Script.Dropbox.A:7:*:6f70656e65722e61646468656164657273{12-32}64726f70626f786c696e7578646f776e6c6f61646572
> 
> But while we can create one-off signatures for these
> scripts/executables, it strikes me that it may make more sense to
> create a new PUA category for them. E.g.:
> 
>     DataEx
> 
>     Data exfiltration tools, like cloud-based file storage
>     technologies, can seamlessly move local data to cloud-based
>     services. If local data is sensitive or restricted, this can be
>     undesirable, or legally prohibited.
> 
> There will be more of these unwanted scripts/executables than just
> Dropbox; that's just the example du jour.
> 
> Thoughts?
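As an added illustration (not part of the thread, and not ClamAV's own code), the script below builds .ndb lines of the kind James shows above and checks them against constructed sample data, so a signature can be sanity-checked before it goes into a database. It assumes only the subset of the .ndb body syntax used in the thread (plain hex plus one or more {n-m} gaps), and it approximates ClamAV's target-type-7 text normalisation by lowercasing the scanned bytes; the sample blobs are made up here.

```python
import re

# Constructed sample inputs (not real files): a fake ELF-ish blob carrying the
# nautilus extension's symbol, and the four script lines quoted in the thread.
ELF_SAMPLE = b"\x7fELF" + b"\x00" * 12 + b"\x00dropbox_client_start\x00" + b"\x00" * 8
SCRIPT_SAMPLE = b"""def download_file_chunk(url, buf):
    opener = urllib2.build_opener()
    opener.addheaders = [('User-Agent', "DropboxLinuxDownloader/2015.10.28")]
    sock = opener.open(url)
"""

def make_ndb_sig(name, target_type, needle, offset="*"):
    """Build one .ndb line (Name:TargetType:Offset:HexBody) from raw bytes."""
    return f"{name}:{target_type}:{offset}:{needle.hex()}"

def ndb_body_to_regex(body):
    """Translate the hex body, with optional {n-m} gaps, into a bytes regex."""
    parts = []
    for token in re.split(r"(\{\d+-\d+\})", body):
        if not token:
            continue
        gap = re.fullmatch(r"\{(\d+)-(\d+)\}", token)
        if gap:
            parts.append(b".{%d,%d}" % (int(gap[1]), int(gap[2])))
        else:
            parts.append(re.escape(bytes.fromhex(token)))
    return b"".join(parts)

def ndb_matches(sig_line, data):
    """True if sig_line would hit on data.  Approximation of ClamAV here:
    target type 7 (ASCII text) is scanned lowercased; offset '*' means
    anywhere, a numeric offset means the body must start exactly there."""
    _name, ttype, offset, body = sig_line.split(":", 3)
    if ttype == "7":
        data = data.lower()
    pattern = re.compile(ndb_body_to_regex(body), re.DOTALL)
    if offset == "*":
        return pattern.search(data) is not None
    return pattern.match(data, int(offset)) is not None

# The two signatures from the thread: one generated from bytes, one copied verbatim.
ELF_SIG = make_ndb_sig("PUA.Elf.Dropbox.A", 6, b"\x00dropbox_client_start\x00")
SCRIPT_SIG = ("PUA.Script.Dropbox.A:7:*:6f70656e65722e61646468656164657273"
              "{12-32}64726f70626f786c696e7578646f776e6c6f61646572")

if __name__ == "__main__":
    for sig, sample in ((ELF_SIG, ELF_SAMPLE), (SCRIPT_SIG, SCRIPT_SAMPLE)):
        print(sig.split(":")[0], "->", ndb_matches(sig, sample))
```

Once a line passes here, the authoritative check is still `clamscan -d yoursigs.ndb <file>`, since real ClamAV normalisation and offset handling are richer than this approximation.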