[clamav-users] Heuristic Scans
Micah Snyder (micasnyd)
micasnyd at cisco.com
Fri May 31 19:54:51 UTC 2019
Heuristic signatures exist for a variety of file types. They are hardcoded into the clamav application. A grep of the source code reveals the following:
~/workspace/clamav-devel • grep -r "Heuristics\." ./libclamav
./libclamav/pe.c: ret = cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/pe.c: ret = cli_append_virus(ctx, "Heuristics.W32.Parite.B");
./libclamav/pe.c: ret = cli_append_virus(ctx, "Heuristics.W32.Kriz");
./libclamav/pe.c: ret = cli_append_virus(ctx, dam ? "Heuristics.W32.Magistr.A.dam" : "Heuristics.W32.Magistr.A");
./libclamav/pe.c: ret = cli_append_virus(ctx, dam ? "Heuristics.W32.Magistr.B.dam" : "Heuristics.W32.Magistr.B");
./libclamav/pe.c: ret = cli_append_virus(ctx, "Heuristics.W32.Polipos.A");
./libclamav/pe.c: ret = cli_append_virus(ctx, "Heuristics.Trojan.Swizzor.Gen");
./libclamav/c++/llvm/utils/TableGen/ARMDecoderEmitter.cpp: // Heuristics. See also doFilter()'s "Heuristics" comment when num of
./libclamav/macho.c: if (CL_VIRUS == cli_append_virus(ctx, "Heuristics.Broken.Executable")) \
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Phishing.Email.Cloaked.NumericIP");
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Phishing.Email.Cloaked.Null"); /*fakesite%01%00 at fake.example.com*/
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Phishing.Email.SSL-Spoof");
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Phishing.Email.Cloaked.Username"); /*http://banksite@fake.example.com*/
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net");
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Phishing.URL.Blacklisted");
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net");
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Phishing.Email.SpoofedDomain");
./libclamav/unzip.c: *ret = cli_append_virus(ctx, "Heuristics.Encrypted.Zip");
./libclamav/yc.c: cli_append_virus(ctx, "Heuristics.BoundsCheck");
./libclamav/special.c: return cli_append_virus(ctx, "Heuristics.Worm.Mydoom.M.log");
./libclamav/pdf.c: status = cli_append_virus(pdf->ctx, "Heuristics.Encrypted.PDF");
./libclamav/pdf.c: cli_append_possibly_unwanted(ctx, "Heuristics.PDF.ObfuscatedNameObject");
./libclamav/mbox.c: retcode = cli_append_virus(ctx, "Heuristics.Phishing.Email");
./libclamav/7z_iface.c: found = cli_append_virus(ctx, "Heuristics.Encrypted.7Zip");
./libclamav/7z_iface.c: found = cli_append_virus(ctx, "Heuristics.Encrypted.7Zip");
./libclamav/tiff.c: return cli_append_virus(ctx, "Heuristics.TIFF.OutOfBoundsAccess");
./libclamav/others.c: cli_append_virus(ctx, "Heuristics.Limits.Exceeded");
./libclamav/scanners.c: if (CL_VIRUS == cli_append_virus(ctx, "Heuristics.Encrypted.RAR")) {
./libclamav/scanners.c: ret = cli_append_virus(ctx, "Heuristics.XZ.DicSizeLimit");
./libclamav/scanners.c: ret = cli_append_virus(ctx, "Heuristics.OLE2.ContainsMacros");
./libclamav/scanners.c: ret = cli_append_virus(ctx, "Heuristics.Exploit.W32.MS05-002");
./libclamav/scanners.c: ret = cli_append_virus(ctx, "Heuristics.Exploit.W32.MS04-028");
./libclamav/scanners.c: if (CL_VIRUS == cli_append_virus(ctx, "Heuristics.Structured.CreditCardNumber")) {
./libclamav/scanners.c: if (CL_VIRUS == cli_append_virus(ctx, "Heuristics.Structured.SSN")) {
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
Hope that helps,
Micah
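The grep output above is a usable inventory once it is parsed: each line names the source file, the append call that raises the detection (cli_append_virus or cli_append_possibly_unwanted) and one or more quoted Heuristics.* names, while a line such as the ARMDecoderEmitter.cpp comment mentions "Heuristics" without raising anything. The script below is an added example, not code from the post or from the ClamAV project; it turns a subset of those grep lines (constructed here from the lines quoted above) into a table of heuristic name, raising call and source files, so you can see at a glance which names are shared by several parsers and which are raised through the possibly-unwanted path.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the grep output lines quoted in the post,
# exactly as `grep -r "Heuristics\." ./libclamav` prints them.  The
# ARMDecoderEmitter.cpp line is a comment, not a detection, and must be skipped.
GREP_OUTPUT = """\
./libclamav/pe.c: ret = cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/pe.c: ret = cli_append_virus(ctx, dam ? "Heuristics.W32.Magistr.A.dam" : "Heuristics.W32.Magistr.A");
./libclamav/c++/llvm/utils/TableGen/ARMDecoderEmitter.cpp: // Heuristics. See also doFilter()'s "Heuristics" comment when num of
./libclamav/macho.c: if (CL_VIRUS == cli_append_virus(ctx, "Heuristics.Broken.Executable")) \\
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Phishing.Email.Cloaked.NumericIP");
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Phishing.Email.Cloaked.Null"); /*fakesite%01%00 at fake.example.com*/
./libclamav/unzip.c: *ret = cli_append_virus(ctx, "Heuristics.Encrypted.Zip");
./libclamav/pdf.c: status = cli_append_virus(pdf->ctx, "Heuristics.Encrypted.PDF");
./libclamav/pdf.c: cli_append_possibly_unwanted(ctx, "Heuristics.PDF.ObfuscatedNameObject");
./libclamav/scanners.c: ret = cli_append_virus(ctx, "Heuristics.OLE2.ContainsMacros");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
"""

# A detection name is a quoted string starting with "Heuristics." (the bare
# word "Heuristics" inside a comment does not match because the dot is required).
NAME_RE = re.compile(r'"(Heuristics\.[^"]+)"')
# Only these two append calls actually raise a detection in the grep output.
CALL_RE = re.compile(r"\b(cli_append_virus|cli_append_possibly_unwanted)\s*\(")


def parse_grep_line(line):
    """Return (source_file, call, [names]) for one grep line, or None when the
    line is not a detection call (e.g. a comment that merely mentions Heuristics).
    A single call site may carry several names (the ternary in pe.c)."""
    path, sep, rest = line.partition(":")
    if not sep:
        return None
    call = CALL_RE.search(rest)
    if call is None:
        return None
    names = NAME_RE.findall(rest)
    if not names:
        return None
    return path.strip(), call.group(1), names


def inventory(grep_output):
    """Map each heuristic name to the set of append calls that raise it
    ("virus" or "possibly_unwanted") and the set of source files raising it."""
    table = {}
    for line in grep_output.splitlines():
        parsed = parse_grep_line(line)
        if parsed is None:
            continue
        path, call, names = parsed
        alert_class = "possibly_unwanted" if call == "cli_append_possibly_unwanted" else "virus"
        for name in names:
            entry = table.setdefault(name, {"classes": set(), "files": set()})
            entry["classes"].add(alert_class)
            entry["files"].add(path)
    return table


def by_class(table):
    """Group the inventory by append call, with names sorted for stable output."""
    groups = defaultdict(list)
    for name, entry in table.items():
        for alert_class in entry["classes"]:
            groups[alert_class].append(name)
    return {alert_class: sorted(names) for alert_class, names in groups.items()}


if __name__ == "__main__":
    table = inventory(GREP_OUTPUT)
    for alert_class, names in sorted(by_class(table).items()):
        print(f"[{alert_class}]")
        for name in names:
            print(f"  {name:<50} {', '.join(sorted(table[name]['files']))}")
```

Run against the full grep listing (pipe `grep -r "Heuristics\." ./libclamav` into the script instead of the embedded sample) to get the complete list of hardcoded heuristic names for the checkout you are auditing; the duplicated elf.c and pe.c/macho.c hits collapse into one Heuristics.Broken.Executable entry with three source files.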
From: clamav-users <clamav-users-bounces at lists.clamav.net> on behalf of asda adafs via clamav-users <clamav-users at lists.clamav.net>
Reply-To: ClamAV users ML <clamav-users at lists.clamav.net>
Date: Friday, May 31, 2019 at 12:51 PM
To: "clamav-users at lists.clamav.net" <clamav-users at lists.clamav.net>
Cc: asda adafs <ragnarok_sword at hotmail.com>
Subject: [clamav-users] Heuristic Scans
Hi guys,
I dug a little bit in the mailing list and official documentation but didn't get to understand quite well how ClamAV heuristics work.
So my questions are:
1. From what I understood, the .ldb are not the rules for heuristics right?
2. Is the heuristic scan only working for email protection? Is it running when I do a normal clamscan?
3. If heuristic rules are not the ones in .ldb files where are they? Can we see them like with the signature db's? With sigtool as well?
Thank you in advance for your help 🙂