[clamav-users] Question regarding Metasploit signatures

Manna, Mohammed mohammed.manna at sap.com
Sat Aug 31 06:53:28 EDT 2019


Hi There,

> -----Original Message-----
> From: clamav-users <clamav-users-bounces at lists.clamav.net> On Behalf Of
> G.W. Haywood via clamav-users
> Sent: 31 August 2019 08:39
> To: Manna, Mohammed via clamav-users <clamav-users at lists.clamav.net>
> Cc: G.W. Haywood <clamav at jubileegroup.co.uk>
> Subject: Re: [clamav-users] Question regarding Metasploit signatures
> 
> Hi there,
> 
> On Fri, 30 Aug 2019, Manna, Mohammed via clamav-users wrote:
> 
> > What I can see that ClamAV cannot always successfully detect reverse
> > shell type of files (built using Metasploit msfvenom). And also, if
> > the file is covered using a pseudo extension e.g. test.exe.txt
> >
> > When I was comparing this on virustotal.com ClamAV seems to be
> > missing quite a lot of them. Is there any reason why ClamAV doesn't
> > do a more extensive search?
> 
> ClamAV is by no means perfect, but you haven't told us how you have
> configured it, nor how you are using it, so it's difficult to make any
> particular observations.
> 
> There is a system for reporting failed detections which you can use,
> but to avoid wasted effort it will be as well for you first to check
> that your issue is not simply the expected result of how you have
> configured your ClamAV installation.
> 
> > Reverse shell or bind shell both are sensitive files and I was
> > expecting ClamAV to be detecting them somehow.
> 
> In network security, expecting things to work as intended is sure to
> lead to eventual disappointment.  If instead you expect things to
> fail, and base your behaviour on that expectation, you will likely be
> surprised less often - and suffer fewer system compromises.
> 
> For example, although I scan all mail using ClamAV, I never expect it
> to find anything; but I also block all mail from more than a hundred
> and sixty ISO 3166 country codes, which is partly why ClamAV hasn't
> reported anything malicious in our mail since last September.  That
> doesn't mean that ClamAV wouldn't have found anything if it had been
> given the opportunity to scan it, but it *does* mean that there is a
> much reduced probability of something nasty reaching one of my users.
> Of course, even if it did, it's unlikely to have any serious effect
> because (a) the users are educated and (b) they're using Linux boxes
> which are immune from the vast majority of malicious software.  This
> is called "defence in depth".  There's more, which I won't reveal in
> a public forum.
> 
> > Could someone clarify? Also, if this is mentioned anywhere in the
> > docs, I would be grateful if you please point me to that.
> 
> The 'man' pages for clamscan, clamd.conf and clamsubmit might be good
> places to start.
> 
[[MM]] What you are have said here makes sense. As for my test, I unzipped portable ClamAV on linux, then generated a reverse shell file using Metasploit to scan it with ClamAV. 
I used the latest virus DB and engine from ClamAV.net. It missed detection for any tcp/http reverse shell generation. As a comparison, we run the same test with a different AV provider
on Windows OS. The detection was successful. Hence, my question or curiosity over how ClamAV determines the *true* threat level of a malicious file.
I do agree with your statement on user education and operating system. However, the global userbase cannot be fully educated/converted to mitigate this 😊. My intention was
Just to understand why this is constantly being missed.
> --
> 
> 73,
> Ged.
> 
> _______________________________________________
> 
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml


More information about the clamav-users mailing list