[clamav-users] Question regarding Metasploit signatures

G.W. Haywood clamav at jubileegroup.co.uk
Sat Aug 31 03:38:53 EDT 2019


Hi there,

On Fri, 30 Aug 2019, Manna, Mohammed via clamav-users wrote:

> What I can see that ClamAV cannot always successfully detect reverse
> shell type of files (built using Metasploit msfvenom). And also, if
> the file is covered using a pseudo extension e.g. test.exe.txt
> 
> When I was comparing this on virustotal.com ClamAV seems to be
> missing quite a lot of them. Is there any reason why ClamAV doesn't
> do a more extensive search?

ClamAV is by no means perfect, but you haven't told us how you have
configured it, nor how you are using it, so it's difficult to make any
particular observations.

There is a system for reporting failed detections which you can use,
but to avoid wasted effort it will be as well for you first to check
that your issue is not simply the expected result of how you have
configured your ClamAV installation.

> Reverse shell or bind shell both are sensitive files and I was
> expecting ClamAV to be detecting them somehow.

In network security, expecting things to work as intended is sure to
lead to eventual disappointment.  If instead you expect things to
fail, and base your behaviour on that expectation, you will likely be
surprised less often - and suffer fewer system compromises.

For example, although I scan all mail using ClamAV, I never expect it
to find anything; but I also block all mail from more than a hundred
and sixty ISO 3166 country codes, which is partly why ClamAV hasn't
reported anything malicious in our mail since last September.  That
doesn't mean that ClamAV wouldn't have found anything if it had been
given the opportunity to scan it, but it *does* mean that there is a
much reduced probability of something nasty reaching one of my users.
Of course, even if it did, it's unlikely to have any serious effect
because (a) the users are educated and (b) they're using Linux boxes
which are immune from the vast majority of malicious software.  This
is called "defence in depth".  There's more, which I won't reveal in
a public forum.

> Could someone clarify? Also, if this is mentioned anywhere in the
> docs, I would be grateful if you please point me to that.

The 'man' pages for clamscan, clamd.conf and clamsubmit might be good
places to start.

-- 

73,
Ged.


More information about the clamav-users mailing list