[clamav-users] Detect Signed Malicious Binaries Using .CRB File Signature

Irshad meradumpemail at gmail.com
Mon Oct 14 04:34:24 EDT 2019


Hi Guys,

I have multiple signed malware samples. I want to create detection using the
certificate that is used to sign them. I came across an old blog post from the
ClamAV folks,
https://blog.clamav.net/2013/02/authenticode-certificate-chain.html
where the author creates a signature for the revoked certificate and adds
it to .crtdb to detect the signed malicious binary. Recent versions of
ClamAV don't recognize the .crtdb file; it seems to have been replaced by the .crb file.
In the documentation, I found this:

The .crb format supports blacklist rule entries, but these cannot currently
be used as a basis for malware detection. Instead, as currently
implemented, these entries just override .crb rules which would otherwise
whitelist a given sample.
https://www.clamav.net/documents/microsoft-authenticode-signature-verification

My question is: is there any way to detect signed malicious binaries using
signing-certificate properties, as the author does in the old blog post
mentioned above?

Thank you :) I am new to ClamAV. Please forgive my ignorance.

Have a nice day, you all. :)

Regards,
Irshad Muhammad.
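As an added example (not code from this thread and not ClamAV's own code): a small Python helper that builds and validates .crb entries in the field order given in ClamAV's signature documentation (Name;Trusted;Subject;Serial;Pubkey;Exponent;CodeSign;TimeSign;CertSign;NotBefore;Comment, with optional minCL;maxCL), writing Trusted=0 for a revoked certificate the way the 2013 blog post did for .crtdb. Every certificate value below is a constructed placeholder; in practice the subject hash, serial, RSA modulus and exponent are taken from the signing certificate extracted from the sample (recent ClamAV releases provide `sigtool --print-certs` for this; check your version's help). As the quoted documentation states, a Trusted=0 entry only overrides a whitelist match and does not by itself flag the file, so the helper records that caveat in its docstring.

```python
"""Build and parse ClamAV .crb certificate rules (added example, not ClamAV code).

Field order follows the .crb format described in ClamAV's signature
documentation; the sample certificate values are constructed placeholders.
"""
import hashlib
import re

CRB_FIELDS = ("Name", "Trusted", "Subject", "Serial", "Pubkey", "Exponent",
              "CodeSign", "TimeSign", "CertSign", "NotBefore", "Comment")
_HEX = re.compile(r"^[0-9a-f]+$")


def _hex(value, what):
    """Normalise a hex string: drop 0x/colons/spaces, lowercase, validate."""
    cleaned = value.strip().lower().replace("0x", "", 1)
    cleaned = cleaned.replace(":", "").replace(" ", "")
    if not _HEX.match(cleaned):
        raise ValueError(f"{what} is not a hex string: {value!r}")
    return cleaned


def subject_hash(subject_der):
    """.crb stores the SHA-1 of the DER-encoded certificate subject."""
    return hashlib.sha1(subject_der).hexdigest()


def crb_entry(name, trusted, subject_der, serial, modulus, exponent,
              code_sign=True, time_sign=False, cert_sign=False,
              not_before=0, comment=""):
    """Return one .crb line.

    trusted=False writes a blacklist (revoked) entry. In current ClamAV such an
    entry only overrides a whitelist match; it does not by itself detect the file.
    """
    fields = [
        name,
        "1" if trusted else "0",
        subject_hash(subject_der),
        _hex(serial, "serial"),
        _hex(modulus, "modulus"),
        _hex(exponent, "exponent"),
        "1" if code_sign else "0",
        "1" if time_sign else "0",
        "1" if cert_sign else "0",
        str(int(not_before)),
        comment,
    ]
    for field in fields:
        if ";" in field or "\n" in field:
            raise ValueError("a .crb field may not contain ';' or a newline")
    return ";".join(fields)


def parse_crb_line(line):
    """Parse a .crb line into a dict, keeping optional minCL/maxCL if present."""
    parts = line.rstrip("\n").split(";")
    if len(parts) < len(CRB_FIELDS):
        raise ValueError(f"expected at least {len(CRB_FIELDS)} fields, got {len(parts)}")
    entry = dict(zip(CRB_FIELDS, parts))
    if entry["Trusted"] not in ("0", "1"):
        raise ValueError("Trusted must be 0 or 1")
    for key in ("Subject", "Serial", "Pubkey", "Exponent"):
        if not _HEX.match(entry[key]):
            raise ValueError(f"{key} is not lowercase hex")
    if len(entry["Subject"]) != 40:
        raise ValueError("Subject must be a SHA-1 hex digest (40 chars)")
    if len(parts) > 11:
        entry["minCL"] = parts[11]
    if len(parts) > 12:
        entry["maxCL"] = parts[12]
    return entry


def is_blacklist(entry):
    """True for a Trusted=0 (revoked) entry."""
    return entry["Trusted"] == "0"


# Constructed sample values; this is not a real signer or certificate.
SAMPLE_SUBJECT_DER = b"CN=Example Signer Ltd (constructed)"
SAMPLE_LINE = crb_entry(
    name="ExampleSigner.Revoked",
    trusted=False,
    subject_der=SAMPLE_SUBJECT_DER,
    serial="0x0123456789ABCDEF",
    modulus="C0FFEE" * 8,
    exponent="010001",
    comment="constructed example entry",
)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(parse_crb_line(SAMPLE_LINE))
```

The parser is there so a rule file can be linted before it is dropped into the database directory: a malformed line (wrong field count, non-hex modulus, a stray `;` in the comment) is easier to catch here than from a load error at scan time.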