[clamav-users] ransomware

Frans de Boer frans at fransdb.nl
Sat Oct 3 21:18:13 UTC 2020


On 2020-10-01 01:03, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Wed, 30 Sep 2020, Mat via clamav-users wrote:
>
>> Does clamav support remove ransomware?
>
> No.
>
> It does have options to remove or move files which it considers to be
> 'infected' but you would need to be sure that you understand the risks
> of doing something like that before doing it automatically.  I can't
> imagine any circumstances under which I would recommend it, not least
> because some methods used by ClamAV to look for suspicious files are
> prone to accidental 'false positives'.  These can and do happen when a
> signature is added to a database, at any time, without warning, and
> could easily identify an essential system file falsely as malicious.
> If you look in the archives for this list you will find examples.
>
I concur with the above posting. Clamav was originally (AFAIK) meant to be 
a virus scanner within a mail system. That grew into a wider 
spectrum called a "malware" scanner. As such it is still a basic scanner 
designed to check files for malware before they are used (using 
clamonacc) or even stored on your system. There is an option to block 
access to the file in question if it is flagged as having malware.

Scanning a running system used to be doable in the distant past, until 
malware incorporated techniques to avoid detection. That is the reason 
why you should always boot from a CD or other uncompromised device when 
you try a system-wide scan, including boot sectors etc.
Also, ransomware is usually only present prior to "locking" files. After 
that it normally deletes itself from the system in order to make 
recovering the used key a difficult exercise.

So, the lesson is: practice safe online discipline, privately and 
business-wise.

--- Frans

-- 
A: Yes, just like that
Q: Oh, just like reading a book backwards
A: Because it upsets the natural flow of a story
Q: Why is top-posting annoying?
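Editor's added example, not part of Frans's post and not taken from the ClamAV documentation: a clamd.conf fragment showing the "block access to a flagged file" behaviour the post mentions. The option names are the clamd.conf OnAccess* settings used by clamonacc; the watched paths are placeholders chosen for illustration.

```conf
# Added example: clamd.conf fragment for on-access scanning via clamonacc.
# Option names are the clamd.conf OnAccess* settings; paths are placeholders.

# Directories the on-access scanner watches (placeholder paths).
OnAccessIncludePath /home
OnAccessIncludePath /srv/samba

# Deny the open() when clamd flags the file, instead of only logging it.
# Without this line clamonacc notifies but does not block access.
OnAccessPrevention yes

# Do not rescan files written by the scanner's own account (avoids loops).
OnAccessExcludeUname clamav
```

With clamd running against this configuration, the on-access client is started as a separate process, for example `clamonacc --fdpass --log=/var/log/clamonacc.log`. Given the false-positive risk raised earlier in the thread, if any automatic action is wanted at all, `clamonacc --move=/path/to/quarantine` (placeholder directory) keeps a recoverable copy, whereas `--remove` does not. OnAccessPrevention depends on the kernel's fanotify support, so it should be verified on the target system rather than assumed.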