[clamav-users] Detect Signed Malicious Binaries Using .CRB File Signature

Irshad meradumpemail at gmail.com
Mon Oct 14 22:31:57 EDT 2019


Hi Andrew,
Thank you very much, it helps.

Regards,
Irshad.

On Mon, Oct 14, 2019 at 8:57 PM Andrew Williams <awillia2 at sourcefire.com>
wrote:

> Irshad,
>
> The recent ClamAV 0.102 release introduces (reintroduces?) the ability to
> write blacklist .crb rules that cause a matching sample to be detected as
> malicious without requiring other signatures to match.  Updating the
> documentation you highlighted is still on my TODO list, but is true for
> previous versions in the recent past.  I too have wondered about that blog
> post - I haven't checked to see if this functionality existed in the ClamAV
> from 2013, but if so it must have been hindered at some point (and likely
> went unnoticed, since blacklist .crb rules haven't seen much use).
>
> Hope that helps!  Let me know if you have any other questions
>
> -Andrew
>
> Andrew Williams
> Malware Research Team
> Cisco Talos
>
> On Mon, Oct 14, 2019 at 4:35 AM Irshad via clamav-users <
> clamav-users at lists.clamav.net> wrote:
>
>> Hi Guys,
>>
>> I have multiple signed malware samples. I want to create a detection using the
>> certificate that is used to sign them. I came across an old blog post from the
>> ClamAV folks,
>> https://blog.clamav.net/2013/02/authenticode-certificate-chain.html
>> where the author creates a signature for the revoked certificate and adds
>> it to .crtdb to detect the signed malicious binary. Recent versions of
>> ClamAV don't recognize the .crtdb file; it seems to have been replaced by the .crb file.
>> In the documentation, I found this:
>>
>> The .crb format supports blacklist rule entries, but these cannot
>> currently be used as a basis for malware detection. Instead, as currently
>> implemented, these entries just override .crb rules which would otherwise
>> whitelist a given sample
>> https://www.clamav.net/documents/microsoft-authenticode-signature-verification
>>
>> My question is: is there any way to detect signed malicious binaries
>> using signing certificate properties, like the author does in the old blog
>> post mentioned above?
>>
>> Thank you :) I am new to ClamAV. Please forgive my ignorance.
>>
>> Have a nice day, you all. :)
>>
>> Regards,
>> Irshad Muhammad.
>>
>> _______________________________________________
>>
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
>
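The thread turns on whether a .crb blacklist entry can be a detection in its own right, and on the blacklist-overrides-whitelist precedence quoted from the documentation. The following Python is an added example, not ClamAV's code and not anything the posters wrote: it parses .crb rule lines, renders a Trusted=0 (blacklist) entry for a certificate, and models the precedence Andrew describes. The field order is assumed from the ClamAV signature documentation (check it against the docs shipped with your version); the subject hashes, serials and moduli are constructed placeholders. ClamAV's own sigtool (`--print-certs`) is what prints these fields from a signed PE; this example does not parse PE files or verify chains.

```python
"""Model of ClamAV .crb certificate rules: parse, validate and evaluate.
Added example, not ClamAV code.  Field layout assumed from the ClamAV
signature docs (check the docs for your version); optional trailing
minCL/maxCL fields are accepted and ignored here:
  Name;Trusted;Subject;Serial;Pubkey;Exponent;CodeSign;TimeSign;CertSign;NotBefore;Comment
Trusted=1 whitelists (trusted root), Trusted=0 blacklists.  Every
certificate value below is a constructed placeholder."""
from dataclasses import dataclass
from typing import List, Optional

HEX = set("0123456789abcdef")


@dataclass
class CertIdentity:
    """The four fields a .crb rule is keyed on, normalised to lowercase hex."""
    subject: str    # SHA-1 of the certificate subject
    serial: str     # serial number
    pubkey: str     # RSA modulus
    exponent: str   # RSA public exponent

    def __post_init__(self):
        for label in ("subject", "serial", "pubkey", "exponent"):
            value = getattr(self, label).lower()
            if not value or not set(value) <= HEX:
                raise ValueError(f"{label} must be non-empty hex")
            setattr(self, label, value)


@dataclass
class CrbRule:
    name: str
    trusted: bool
    cert: CertIdentity
    codesign: bool
    timesign: bool
    certsign: bool
    notbefore: int      # Unix timestamp
    comment: str


def _flag(label: str, value: str, rule_name: str) -> bool:
    if value not in ("0", "1"):
        raise ValueError(f"{label} must be 0 or 1 in rule {rule_name!r}")
    return value == "1"


def parse_crb_line(line: str) -> Optional[CrbRule]:
    """Parse one .crb line; blank and '#' comment lines yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    p = line.split(";")
    if not 11 <= len(p) <= 13:
        raise ValueError(f"expected 11 to 13 fields, got {len(p)}: {line!r}")
    return CrbRule(name=p[0], trusted=_flag("Trusted", p[1], p[0]),
                   cert=CertIdentity(p[2], p[3], p[4], p[5]),
                   codesign=_flag("CodeSign", p[6], p[0]),
                   timesign=_flag("TimeSign", p[7], p[0]),
                   certsign=_flag("CertSign", p[8], p[0]),
                   notbefore=int(p[9]), comment=p[10])


def parse_crb(text: str) -> List[CrbRule]:
    rules = (parse_crb_line(line) for line in text.splitlines())
    return [r for r in rules if r is not None]


def format_blacklist_rule(name: str, cert: CertIdentity, notbefore: int,
                          comment: str) -> str:
    """Render a Trusted=0 rule for a code-signing leaf certificate."""
    return ";".join([name, "0", cert.subject, cert.serial, cert.pubkey,
                     cert.exponent, "1", "0", "0", str(notbefore), comment])


def evaluate_chain(rules: List[CrbRule], chain: List[CertIdentity]) -> str:
    """Return "blacklisted", "trusted" or "unknown" for a sample's chain.
    Models the precedence in the thread: a blacklist entry overrides any
    whitelisting rule, and with 0.102 a blacklist match is itself a
    detection.  A simplification, not ClamAV's chain verification."""
    for want_trusted, verdict in ((False, "blacklisted"), (True, "trusted")):
        if any(r.cert == c for r in rules if r.trusted == want_trusted
               for c in chain):
            return verdict
    return "unknown"


# Constructed placeholders standing in for real hashes, serials and moduli.
TRUSTED_ROOT = CertIdentity("a1" * 20, "01", "c0ffee" * 8, "010001")
REVOKED_SIGNER = CertIdentity("B2" * 20, "1A2B3C", "deadbeef" * 6, "010001")
UNKNOWN_SIGNER = CertIdentity("c3" * 20, "ff", "0badf00d" * 6, "010001")

SAMPLE_CRB = "\n".join([
    "# constructed rules, not real certificates",
    ";".join(["ExampleRoot", "1", TRUSTED_ROOT.subject, TRUSTED_ROOT.serial,
              TRUSTED_ROOT.pubkey, TRUSTED_ROOT.exponent, "1", "1", "1",
              "1262304000", "constructed trusted root"]),
    format_blacklist_rule("RevokedSigner", REVOKED_SIGNER, 1356998400,
                          "constructed revoked code-signing cert"),
])
RULES = parse_crb(SAMPLE_CRB)
```

The blacklist check runs before the whitelist check on purpose: that ordering is the override behaviour the quoted documentation describes, and under 0.102 the "blacklisted" verdict is the detection the original poster was after. Hex fields are normalised to lowercase on both the rule and the sample side so that a rule copied from a tool that prints uppercase hex still matches.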