[clamav-users] Information regarding Win.Downloader.DDECmdExec-6715271-0
Kris Deugau
kdeugau at vianet.ca
Tue Nov 13 18:13:54 UTC 2018
Dominique Sarrazin wrote:
> Hi everyone,
>
> On October 26th, ClamAV’s signature database was updated with the
> addition of Win.Downloader.DDECmdExec-6715271-0, for which I cannot find
> any information despite my thorough research.

sigtool --find-sigs [sig name] | sigtool --decode-sigs will at least tell
you what it's matching on, assuming it's an active signature.

I don't seem to have that particular signature on any system I manage,
so either it's third-party or it was dropped at some point.

The closest matches on that sig name that I have are
Win.Downloader.DDEObfuscatedCmdExec-6715127-0 and
Win.Downloader.DDEObfuscatedCmdExec-6715128-0.

> Since that update, ClamAV has reported that many tables in our MySQL are
> susceptible to this vulnerability. I would simply like to know the
> details of this vulnerability and how to identify it in our database.

Scanning the filesystem storage for any DBMS is almost certainly a waste
of time and likely to lead to all kinds of bizarre false positives.

If you really need to scan the content, scan things before inserting, or
do a periodic "retrieve-and-scan" process if you're worried about
zero-day malware that might not have had a signature when it was inserted.

-kgd
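
An added example, not part of the original message and not ClamAV project code: one way to do the periodic "retrieve-and-scan" described above, passing each stored value to a running clamd over its INSTREAM command instead of scanning the DBMS files on disk. The clamd address and port, the `uploads` table, the sample rows and the use of sqlite3 as a stand-in for the MySQL database are all assumptions made for illustration.

```python
import socket
import sqlite3
import struct

def instream_frames(data: bytes, chunk: int = 8192) -> bytes:
    """Frame data for clamd's INSTREAM command: each chunk is prefixed with a
    4-byte big-endian length, and a zero-length chunk ends the stream."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        out.append(struct.pack("!I", len(part)) + part)
    out.append(struct.pack("!I", 0))
    return b"".join(out)

def parse_reply(reply: bytes):
    """Return the signature name from 'stream: NAME FOUND', None for 'stream: OK'."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        return text[len("stream: "):-len(" FOUND")]
    if text.endswith("OK"):
        return None
    raise RuntimeError("clamd error: " + text)  # e.g. stream size limit exceeded

def clamd_scan(data: bytes, host: str = "127.0.0.1", port: int = 3310):
    """Send one value to a running clamd (address and port are assumptions)."""
    with socket.create_connection((host, port), timeout=30) as s:
        s.sendall(instream_frames(data))
        return parse_reply(s.makefile("rb").read())

def scan_rows(conn, query: str, scan=clamd_scan):
    """Run query (must yield id, content) and return [(id, signature)] for hits."""
    hits = []
    for row_id, content in conn.execute(query):
        if content is None:
            continue  # NULL columns have nothing to scan
        data = content if isinstance(content, bytes) else str(content).encode()
        sig = scan(data)
        if sig:
            hits.append((row_id, sig))
    return hits

def demo_db():
    """Constructed sample table; sqlite3 stands in for the MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE uploads (id INTEGER PRIMARY KEY, content BLOB)")
    conn.executemany("INSERT INTO uploads (content) VALUES (?)",
                     [(b"plain report text",), (b"CONSTRUCTED-TEST-MARKER",), (None,)])
    return conn
```

The same `clamd_scan` call can sit in front of the INSERT to cover the "scan things before inserting" case; a hit then names the row and column involved rather than an offset inside a table file.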