[clamav-users] ClamAV vs WannaCry
Wirth Ervin
wirth.ervin at mailbox.org
Fri Sep 11 17:59:08 UTC 2020
Thank you for the professional answer, the numbers can count for something.
According to your answer, I assume that PC setup/configuration counts
like 80 %, and AV is like 20 % against threats.
> Then ClamAV’s On-Access Scanner will still function, scanning and
> alerting on files normally in real time. However, it will be unable to
> block access attempts on malicious files. We call this "notify-only" mode.
Source: https://www.clamav.net/documents/on-access-scanning/
Since you sound professional:
- Could you recommend real-time protection software against
malware/ransomware/viruses etc.? (open-source or even commercial)
Thank you again,
Ervin
On 9/11/2020 5:05 PM, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Fri, 11 Sep 2020, Wirth Ervin via clamav-users wrote:
>
>> I was looking after "Does ClamAV catch WannaCry malware?" on Google,
>> but I haven't found any significant answer about this.
>
> The answer to your question is probably "yes, with qualifications".
>
> One of those qualifications is that you haven't said how the malware
> might be delivered to the systems which you're concerned about. If
> ClamAV doesn't get to see the malware before it gets onto the systems
> then it won't be able to do anything about it. At least on Windows,
> ClamAV has no way to catch things on the fly and it behaves a bit like
> the free version of a MalwareBytes product. You need to scan anything
> which might be suspect before you put it on the potentially vulnerable
> computer. If you're going to surf random Websites using a vulnerable
> OS or browser, ClamAV isn't going to offer any security at all.
>
> About the time that WannaCry was really active, I came across several
> USB sticks in a drawer in a workshop on a client's premises. Any one
> of them could have taken down the CNC plasma cutter, for which they'd
> recently paid eighty grand. It was still running Windows XP, and its
> manufacturer had neither installed anti-virus software nor changed the
> firewall settings from the XP defaults. About the best I could do was
> try to educate their staff, firewall the machine (jobs were sent to it
> by Windows 7 workstations on the LAN), keep on top of the backups, and
> sweep the workshop now and then for threats like those USB sticks. It
> was a long way from ideal but it seems to have been enough.
>
> If we ass-u-me that systems these days are either patched or protected
> by other means, the WannaCry malware shouldn't now be a big worry to
> anyone. There are more serious, active threats around. If you're
> unfortunate enough to be dealing with a manufacturer like the one that
> supplied that plasma cutter, or if you have legacy software preventing
> upgrades to a supported version of Windows, you probably have a
> never-ending task. People will sometimes run a vulnerable Windows OS in a
> virtual machine, and take periodic snapshots to give them a fallback
> position in case of the almost inevitable. It isn't a complete answer
> but it can help you sleep more easily.
>
> Asking "Does ClamAV catch WannaCry malware?" is rather like asking
> "Do the police catch criminals?". There are many different criminals
> and the police don't catch all of them. There can be many different
> versions of any particular malware (sometimes they're referred to as
> different "strains" of the same basic malware) and one of the things
> that malware authors spend a lot of time on is hiding their product,
> in more-and-more-creative ways, from the things designed to detect it.
> Granted some of these people are script kiddies and don't make much of
> an impact, but some of them are *really* good at what they do, so you
> can't take anything for granted.
>
> Here's a one-line command I just typed, output on the line below it:
>
> $ grep -a -s -i wannacry databases/* | wc -l
> 550
>
> A signature takes up one line in the signature database. The above
> command used 'grep' to do a case-insensitive search for the string
> 'wannacry' in all the files in the ClamAV database directory on my
> clamd server, and count the lines containing that string. I use a
> number of third-party signature databases from several sources, so
> from the above command I don't see information about which databases
> contain which signatures. For a handle on that I can count the lines
> per database:
>
> $ grep -a -s -i wannacry databases/* | cut -d':' -f1 | uniq -c
> 13 daily.cld
> 537 malwarehash.hsb
>
> So I see thirteen signatures in the 'official' ClamAV database, and 537
> in the 'malwarehash' database from Sanesecurity. This tells me there
> are many signatures somehow linked to the same basic WannaCry malware,
> and presumably that means there's no particular limit to the ways in
> which the malware might be hidden. No real surprise, miscreants have
> been modifying their malware ever since their first arrest. But it
> doesn't end there: there's no particular reason why a signature which
> aims to match WannaCry will have a label which means anything at all
> to the casual observer. Let me now look for 'ransom' in *just* the
> official 'main' and 'daily' databases:
>
> $ grep -i ransom databases/main* databases/daily* | wc -l
> 24184
>
> Hmmmmmm. There are orders of magnitude more signatures which mention
> 'ransom' than there are which mention 'WannaCry'. Is there a reason
> that you asked about WannaCry in particular?
>
>> I am using Windows 7 (on notebook) and 10 (on PC). When there was
>> the worldwide peak of WannaCry, it was interesting to see it mostly
>> affected older Windows versions, like 7 (at my workplace).
>
> The vulnerabilities exploited by WannaCry were patched in Windows 7
> and other supported systems several months before it hit the fan. IT
> security at your workplace appears to have been questionable at best.
> Let's hope it's better now, but I wouldn't put my own money on it.
>
> Speaking of money...
>
>> I was thinking to pick ClamAV, since I've seen that some popular AV
>> softwares like Malwarebytes (the first one detected WannaCry) put
>> the Malware/Ransomware protection to their Premium package.
>
> have you estimated how much your systems are worth to you?
>
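The per-database tally that the quoted reply builds with grep, cut and uniq -c can be done in one pass without depending on grep's "file:line" output format (which breaks if a database path contains a colon, and which uniq -c only groups correctly because grep emits matches file by file). The script below is an added example written for this thread, not code from ClamAV or from either poster; it assumes a POSIX shell with GNU grep (for -a and -c), and the sample database files it builds are constructed placeholders, not real signatures.

```shell
#!/bin/sh
# Added example: count signature lines matching a keyword, per ClamAV database
# file, plus a total. Assumes GNU grep (-a treats .cld/.cvd containers as text,
# -c counts matching lines). Not part of ClamAV; written for this thread.

# count_sig_matches PATTERN DIR
#   Prints "count filename" for each file in DIR with at least one
#   case-insensitive match for PATTERN, then "total N".
count_sig_matches() {
    pattern=$1
    dir=$2
    total=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # grep -c prints 0 and exits 1 when nothing matches; keep n sane either way
        n=$(grep -a -i -c -- "$pattern" "$f" 2>/dev/null) || n=0
        [ "$n" -gt 0 ] || continue
        printf '%s %s\n' "$n" "${f##*/}"
        total=$((total + n))
    done
    printf 'total %s\n' "$total"
}

# make_sample_db
#   Builds a throwaway directory of CONSTRUCTED signature-like files so the
#   tally can be exercised offline. Names, hashes and sizes are placeholders
#   in the shape of ClamAV's name-based and hash-based (.hsb) records only.
make_sample_db() {
    d=$(mktemp -d)
    printf '%s\n' \
        'Win.Ransomware.WannaCry-1:0:*:0000' \
        'Win.Trojan.Other-1:0:*:1111' \
        'Win.Ransomware.WannaCryptor-2:0:*:2222' > "$d/daily.cld"
    printf '%s\n' \
        '0123456789abcdef0123456789abcdef01234567:0:Ransomware.WannaCry.A' \
        '0123456789abcdef0123456789abcdef01234567:0:Ransomware.Locky.B' > "$d/malwarehash.hsb"
    printf '%s\n' 'Win.Trojan.Unrelated-1:0:*:3333' > "$d/main.cvd"
    printf '%s\n' "$d"
}

# Usage against a real installation would be, e.g.:
#   count_sig_matches wannacry /var/lib/clamav
# Below, the constructed sample is used instead.
sample=$(make_sample_db)
count_sig_matches wannacry "$sample"
count_sig_matches ransom "$sample"
rm -rf "$sample"
```

As the reply points out, a keyword tally only finds signatures whose names happen to mention the word; hash-based records in files like malwarehash.hsb carry a name in their last field, but a detection for the same family may be labelled in any way the signature author chose, so the count is a lower bound on coverage, not a measure of it.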