[clamav-users] Detect Signed Malicious Binaries Using .CRB File Signature
meradumpemail at gmail.com
Mon Oct 14 22:31:57 EDT 2019
Thank you very much, it helps.
On Mon, Oct 14, 2019 at 8:57 PM Andrew Williams <awillia2 at sourcefire.com> wrote:
> The recent ClamAV 0.102 release introduces (reintroduces?) the ability to
> write blacklist .crb rules that cause a matching sample to be detected as
> malicious without requiring other signatures to match. Updating the
> documentation you highlighted is still on my TODO list, but is true for
> previous versions in the recent past. I too have wondered about that blog
> post - I haven't checked to see if this functionality existed in the ClamAV
> from 2013, but if so it must have been hindered at some point (and likely
> went unnoticed, since blacklist .crb rules haven't seen much use).
> Hope that helps! Let me know if you have any other questions.
> Andrew Williams
> Malware Research Team
> Cisco Talos
> On Mon, Oct 14, 2019 at 4:35 AM Irshad via clamav-users <
> clamav-users at lists.clamav.net> wrote:
>> Hi Guys,
>> I have multiple signed malwares. I want to create detection using the
>> certificate that is used to sign them. I came across an old blog from the
>> ClamAV folks where the author creates a signature for the revoked
>> certificate and adds it to .crtdb to detect the signed malicious binary.
>> Recent versions of ClamAV don't recognize the .crtdb file; it seems to have
>> been replaced by the .crb file.
>> In the documentation, I found this:
>> The .crb format supports blacklist rule entries, but these cannot
>> currently be used as a basis for malware detection. Instead, as currently
>> implemented, these entries just override .crb rules which would otherwise
>> whitelist a given sample.
>> My question is: is there any way to detect signed malicious binaries
>> using signing-certificate properties, like the author does in the old blog
>> mentioned above?
>> Thank you :) I am new to ClamAV. Please forgive my ignorance.
>> Have a nice day, you all. :)
>> Irshad Muhammad.
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> Help us build a comprehensive ClamAV guide:
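Added example (not from this thread, and not ClamAV's own code): a small Python helper that builds a blacklist .crb entry of the kind Andrew describes and validates its field layout. The field order and the meaning of Trusted (0 = blacklist/revoked, 1 = whitelist/trusted) follow the ClamAV signature documentation; using the SHA-1 of the DER-encoded Subject for the Subject field and padding hex values to even length are assumptions, and all certificate values are constructed.

```python
"""Build and validate ClamAV .crb certificate rules.

Field layout (from the ClamAV signature documentation, not from this thread):
Name;Trusted;Subject;Serial;Pubkey;Exponent;CodeSign;TimeSign;CertSign;NotBefore;Comment
Trusted=0 is a blacklist (revoked) entry, Trusted=1 a whitelist (trusted) entry.
"""
import hashlib

FIELDS = ["Name", "Trusted", "Subject", "Serial", "Pubkey", "Exponent",
          "CodeSign", "TimeSign", "CertSign", "NotBefore", "Comment"]


def _even_hex(n):
    """Hex without 0x, padded to even length (assumption: ClamAV's hex parser wants byte pairs)."""
    h = format(n, "x")
    return h if len(h) % 2 == 0 else "0" + h


def build_blacklist_rule(name, subject_der, serial, modulus, comment=""):
    """Return one .crb line that blacklists a code-signing certificate.
    subject_der: DER bytes of the certificate Subject (assumption: Subject field = SHA-1 of it).
    serial, modulus: integers taken from the certificate."""
    subject_hash = hashlib.sha1(subject_der).hexdigest()
    fields = [name, "0", subject_hash, _even_hex(serial), _even_hex(modulus),
              "010001", "1", "0", "0", "0", comment]  # exponent is documented as fixed 010001
    return ";".join(fields)


def parse_crb_line(line):
    """Split a .crb line into a dict and reject structurally invalid entries."""
    parts = line.rstrip("\n").split(";")
    if len(parts) < len(FIELDS):
        raise ValueError(f"expected at least {len(FIELDS)} fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts[:len(FIELDS)]))
    if entry["Trusted"] not in ("0", "1"):
        raise ValueError("Trusted must be 0 (blacklist) or 1 (whitelist)")
    for key in ("Subject", "Serial", "Pubkey", "Exponent"):
        int(entry[key], 16)  # raises ValueError on non-hex content
    if len(entry["Subject"]) != 40:
        raise ValueError("Subject must be a 40-hex-digit SHA-1")
    entry["is_blacklist"] = entry["Trusted"] == "0"
    return entry


def is_valid_crb_line(line):
    """True if the line passes the structural checks above."""
    try:
        parse_crb_line(line)
        return True
    except ValueError:
        return False
```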