[clamav-users] Information regarding Win.Downloader.DDECmdExec-6715271-0

Kris Deugau kdeugau at vianet.ca
Tue Nov 13 18:13:54 UTC 2018


Dominique Sarrazin wrote:
> Hi everyone,
> 
> On October 26^th , ClamAV’s signature database was updated with the 
> addition of Win.Downloader.DDECmdExec-6715271-0, for which I cannot find 
> any information despite my thorough research.

sigtool --find-sigs [sig name] |sigtool --decode-sigs will at least tell 
you what it's matching on, assuming it's an active signature.

I don't seem to have that particular signature on any system I manage, 
so either it's third-party or it was dropped at some point.

The closest matches on that sig name that I have are 
Win.Downloader.DDEObfuscatedCmdExec-6715127-0 and 
Win.Downloader.DDEObfuscatedCmdExec-6715128-0.

> Since that update, ClamAV has reported that many tables in our MySQL are 
> susceptible to this vulnerability. I would simply like to know the 
> details of this vulnerability and how to identify it in our database.

Scanning the filesystem storage for any DBMS is almost certainly a waste 
of time and likely to lead to all kinds of bizarre false positives.

If you really need to scan the content, scan things before inserting, or 
do a periodic "retrieve-and-scan" process if you're worried about 
zero-day malware that might not have had a signature when it was inserted.

-kgd



More information about the clamav-users mailing list