[clamav-users] Detect Signed Malicious Binaries Using .CRB File Signature

Andrew Williams awillia2 at sourcefire.com
Mon Oct 14 08:57:13 EDT 2019


The recent ClamAV 0.102 release introduces (reintroduces?) the ability to
write blacklist .crb rules that cause a matching sample to be detected as
malicious without requiring other signatures to match.  Updating the
documentation you highlighted is still on my TODO list, but is true for
previous versions in the recent past.  I too have wondered about that blog
post - I haven't checked to see if this functionality existed in the ClamAV
from 2013, but if so it must have been hindered at some point (and likely
went unnoticed, since blacklist .crb rules haven't seen much use).

Hope that helps!  Let me know if you have any other questions


Andrew Williams
Malware Research Team
Cisco Talos

On Mon, Oct 14, 2019 at 4:35 AM Irshad via clamav-users <
clamav-users at lists.clamav.net> wrote:

> Hi Guys,
> I have a multiple signed malwares. I want to create detection using the
> certificate that is used to sign them. I came across an old blog from
> ClamAV folks.
> https://blog.clamav.net/2013/02/authenticode-certificate-chain.html
> Where the author creates a signature for the revoked certificate and adds
> it to .crtdb to detect the signed malicious binary. Recent versions of
> ClamAV don't recognize .crtdb file, it seems to be replaced by .crb file.
> In the documentation, I found this
> The .crb format supports blacklist rule entries, but these cannot
> currently be used as a basis for malware detection. Instead, as currently
> implemented, these entries just override .crb rules which would otherwise
> whitelist a given sample
> https://www.clamav.net/documents/microsoft
> -authenticode-signature-verification
> My question is, Is there any way to detect signed malicious binaries using
> signing certificate properties like the author does in the old blog
> mentioned above.
> Thank you :) I am new to ClamAV. Please forgive my ignorance.
> Have a nice day, you all. :)
> Regards,
> Irshad Muhammad.
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/contact.html#ml
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20191014/b210c8b1/attachment.html>

More information about the clamav-users mailing list