[clamav-users] ClamAV - Emotet - Malware not detected

iulian stan iulian at sphere.ro
Wed Sep 16 09:39:47 UTC 2020


Hi Cyril, 

How did you transmit the virus? Via email? As attachments? Was it
compressed or uncompressed?

I know you might not agree with me, but my suggestion is to block, at the
MTA, the sending of executable files (exe, bat, pif, scr, dll, etc.). Most
MTAs are anyway directly rejecting such attachments when they are seen. For
example Google: https://support.google.com/mail/answer/6590?hl=en. I am
doing the same on my email systems. I know it is preferred to know the
exact type of virus and reject it, but nowadays most of the executables
sent via email (or even links posted in email) are viruses.

If you are talking about compressed files, you have multiple choices to do
this as well:

1) use complicated MTA rules to unzip/untar/unrar/etc. the archive and
check if an executable is inside.

2) use the foxhole unofficial ClamAV signatures (might not cover all the
situations)

3) write your own signatures like this. Please check the manual first:
https://www.clamav.net/documents/extended-signature-format

Archived_BAT:*:*:(?i)\.bat$:*:*:*:*:*:*
Archived_COM:*:*:(?i)\.com$:*:*:*:*:*:*
Archived_EXE:*:*:(?i)\.exe$:*:*:*:*:*:* 

Hope that is useful

---
Best regards,
Iulian 
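As an added example (my own code, not from the list thread or from ClamAV), the three .cdb lines above applied to a constructed zip in Python, with Python's re module standing in for ClamAV's regex engine (an assumption) and a field-count check on each signature line:

```python
import io
import re
import zipfile

# The three .cdb (container metadata) lines from the mail. Field layout:
# VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:
# FileSizeReal:IsEncrypted:FilePos:Res1:Res2   ('*' = any)
CDB_SIGNATURES = r"""
Archived_BAT:*:*:(?i)\.bat$:*:*:*:*:*:*
Archived_COM:*:*:(?i)\.com$:*:*:*:*:*:*
Archived_EXE:*:*:(?i)\.exe$:*:*:*:*:*:*
"""

def parse_cdb(text):
    """Return [(name, compiled FileNameREGEX)]; Python's re stands in for
    ClamAV's regex engine (assumption). A line without exactly 10 fields is
    rejected, since clamscan would refuse to load such a database."""
    sigs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(fields)}")
        sigs.append((fields[0], re.compile(fields[3])))
    return sigs

def scan_zip(data, sigs):
    """Map each member name that matches a signature to that signature's name."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            for name, rx in sigs:
                if rx.search(member):
                    hits[member] = name
                    break
    return hits

def build_sample_zip():
    """Constructed test archive; every member holds harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("Invoice.PDF.EXE", b"MZ placeholder")  # double extension, upper case
        zf.writestr("run.BAT", b"@echo placeholder")
        zf.writestr("run.bat.txt", b"text")  # the '$' anchor keeps this clean
    return buf.getvalue()
```

Only the FileNameREGEX field is evaluated here; the other fields in the mail's signatures are all wildcards, so a real clamscan run is still the authoritative check.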

On 2020-09-16 11:43, SG/SNUM/UNI/DETN/GMCD emis par AECK Cyril -
SG/SNUM/UNI/DETN/GMCD via clamav-users wrote:

> Hello,
> 
> Today we transmitted a significant number of Emotet files that were undetected by ClamAV
> (verification done on VirusTotal).
> 
> Is there a reason why the Emotet detection rate is very low for ClamAV?
> 
> Thank you in advance.
> 
> Best regards,
> 
> ---
> Cyril AECK
> 
> Service du numérique - SNum
> UNI/DETN
> Email & remote conferencing
> 
> Tel.    04 74 27 52 13
> Mobile  06 63 16 23 32
> 