[clamav-users] clamscan dumpcerts

Micah Snyder (micasnyd) micasnyd at cisco.com
Tue Jan 15 17:16:55 EST 2019


Hi Yas Man,

Right now, clamscan/clamd only parses PE Authenticode signatures when looking for false positives, which means a signature has to match before the sigs will be printed.

One of our malware researchers is in the process of updating this code. The plan is to change it so that the Authenticode signature is always checked / verified if a binary is signed so we can alert on files that match blacklisted signing certificates.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
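As an added illustration of the structure clamscan and sigtool parse when they print Authenticode data (example code written for this thread, not ClamAV's own), the script below locates the certificate table through PE data directory entry 4 and walks its WIN_CERTIFICATE entries; `find_cert_table`, `read_certificates` and the `build_sample_pe` helper are hypothetical names, and the sample PE is a constructed, non-loadable stub carrying a placeholder blob rather than a real PKCS#7 signature.

```python
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset + size of the cert table


def find_cert_table(pe: bytes):
    """Return (file_offset, size) of the WIN_CERTIFICATE table, or None if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                      # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)   # data directory start: PE32 vs PE32+
    if struct.unpack_from("<I", pe, dd - 4)[0] <= SECURITY_DIR:
        return None                          # NumberOfRvaAndSizes too small: no security entry
    off, size = struct.unpack_from("<II", pe, dd + 8 * SECURITY_DIR)
    return (off, size) if off and size else None


def read_certificates(pe: bytes):
    """Walk the 8-byte-aligned WIN_CERTIFICATE entries; each carries a PKCS#7 blob."""
    loc = find_cert_table(pe)
    if loc is None:
        return []
    off, end = loc[0], loc[0] + loc[1]
    certs = []
    while off + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("truncated WIN_CERTIFICATE entry")
        certs.append({"revision": revision, "type": ctype, "pkcs7": pe[off + 8:off + length]})
        off += (length + 7) & ~7
    return certs


def build_sample_pe(cert_blob=None) -> bytes:
    """Constructed, non-loadable PE32 stub (hypothetical helper) with an optional cert entry."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)               # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", hdr, opt, 0x10B)               # PE32 magic
    struct.pack_into("<I", hdr, opt + 92, 16)             # NumberOfRvaAndSizes
    if cert_blob is None:
        return bytes(hdr)                                  # unsigned: directory entry stays zero
    entry = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    entry += b"\0" * (-len(entry) % 8)                     # pad to the 8-byte boundary
    struct.pack_into("<II", hdr, opt + 96 + 8 * SECURITY_DIR, len(hdr), len(entry))
    return bytes(hdr) + entry
```

Type 0x0002 is WIN_CERT_TYPE_PKCS_SIGNED_DATA, the only entry type Authenticode uses; a real file's blob would be handed to a PKCS#7 parser for the signer chain, which is what the planned always-verify change in clamscan would then compare against blacklisted certificates.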


On Jan 14, 2019, at 1:23 PM, Yas Man <clamav at outlook.com> wrote:

Hello,

I am trying to dump the certificates of a signed PE, but nothing is being dumped; the output is simply the scan summary. I went through the list archive but I was not able to find a relevant topic. I also tried dumping the certificate of legitimate files and the results were the same, although running sigtool --print-certs successfully prints the Authenticode.

I went through the signatures manual and the Authenticode blog post and I can't figure out what I am doing wrong. I am running ClamAV version 0.100.2.

Thanks.
_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users