[clamav-users] How can we consume .ldb files in ClamAV Ubuntu?

Luca Sironi luca at sironi.tk
Thu Jan 7 13:36:50 UTC 2021


Hello, thank you for your answer.
I understand your point, I guess I should simply trust the project
repository.

I was asked to check whether I could integrate information coming from

https://github.com/fireeye/red_team_tool_countermeasures/blob/master/all-clam.ldb

with a pre-existing clamav installation, but I have limited access to the
internet so I could not easily add another CustomerDatabase entry.
So I asked on the ML if that was going to become part of the standard
repository.
I thought that Red Eye could provide the best signatures to identify binary
stuff they got leaked.

Yes, I was trying to compare the ldb file content with the
sigtool --unpack content of daily.cvd and main.cvd

regards
Luca


On Thu, 7 Jan 2021 at 14:47, G.W. Haywood via clamav-users <
clamav-users at lists.clamav.net> wrote:

> Hi there,
>
> On Wed, 6 Jan 2021, Luca Sironi via clamav-users wrote:
>
> > How can i crosscheck a .ldb file like the one published from Red Eye
> > with the content of the cvd files i download from clamav?
>
> Please define "crosscheck".  If you mean that you want to check that
> two different types of signature store produced by two (or likely
> more) different signature writers contain the same signatures for some
> malware or other, then be aware that both the names of the signatures
> and the signatures themselves are chosen by the writers.  There is no
> reason to suppose that two different people will choose the same text
> for the things that they put in their signature stores, so no reason
> why the signatures themselves should be the same, and no reason why
> the names of the signatures should even vaguely resemble each other.
> The signatures may not even use the same methods of comparison with
> the malware.  Some signatures will look for things in mail, some for
> things in files.  There's more, see the documentation about writing
> signatures on the ClamAV Website.
>
> If you want to check whether the same malware is detected by two or
> more different sets of signatures, then scan a sample of the malware
> with one or other of the signature sets loaded.
>
> > I tried to unpack those with sigtool but the syntax of the cvd is
> > much more clear a signature, a name.
>
> Your problem is not clear.  What did you do?  Please show the exact
> commands, the resulting output if it is reasonably concise, and why
> you didn't like the result.  Did you try simply looking at the files
> with a pager?
>
> --
>
> 73,
> Ged.


-- 
http://www.sironi.tk
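One way to do the comparison Luca describes after `sigtool --unpack daily.cvd` (which yields daily.ldb, daily.ndb and friends), as an added example that is not part of this thread: match an external .ldb against the local signatures by identical hex patterns rather than by name, since, as Ged notes, names are chosen freely by each writer. The field layouts are the documented .ldb (`Name;TDB;LogicalExpression;Subsig...`) and .ndb (`Name:TargetType:Offset:Hex`) formats; all signature lines below are constructed samples, not real database content.

```python
from collections import defaultdict

# Constructed sample lines in .ldb / .ndb layout; not from any real database.
EXTERNAL_LDB = """\
# external logical signatures (constructed)
Ext.Tool.Dropper;Engine:51-255,Target:1;0&1;4d5a9000;EP+0:5589e5
Ext.Tool.Other;Engine:51-255,Target:0;0;/hello world/
"""
LOCAL_LDB = "Win.Trojan.Local-1;Target:1;0&1;4D5A9000;*:5589E5\n"
LOCAL_NDB = "Win.Malware.Agent-2:1:*:5589e5\n"


def normalize(subsig: str) -> str:
    """Drop an 'offset:' prefix (EP+0:, *:, ...) and lowercase the hex so the
    same byte pattern compares equal however it was written. PCRE subsigs
    (/.../) are left as they are."""
    if not subsig.startswith("/") and ":" in subsig:
        subsig = subsig.split(":", 1)[1]
    return subsig.lower()


def parse_ldb(text: str) -> dict[str, list[str]]:
    """Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;..."""
    sigs: dict[str, list[str]] = {}
    for line in text.splitlines():
        fields = line.strip().split(";")
        if line.startswith("#") or len(fields) < 4:
            continue  # comment, blank or malformed line
        sigs[fields[0]] = [normalize(s) for s in fields[3:]]
    return sigs


def parse_ndb(text: str) -> dict[str, list[str]]:
    """Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]"""
    sigs: dict[str, list[str]] = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[0]:
            sigs[fields[0]] = [fields[3].lower()]
    return sigs


def crosscheck(external: dict, *local_sets: dict) -> dict[str, list[str]]:
    """Map each external name to local signatures sharing an identical pattern."""
    index: dict[str, set[str]] = defaultdict(set)
    for local in local_sets:
        for name, patterns in local.items():
            for p in patterns:
                index[p].add(name)
    hits: dict[str, list[str]] = {}
    for name, patterns in external.items():
        matched = sorted({n for p in patterns for n in index.get(p, ())})
        if matched:
            hits[name] = matched
    return hits


def demo() -> dict[str, list[str]]:
    return crosscheck(parse_ldb(EXTERNAL_LDB), parse_ldb(LOCAL_LDB), parse_ndb(LOCAL_NDB))
```

Signatures that share no exact pattern (different wildcards, PCRE vs. hex) will not match here; for those, Ged's suggestion of scanning samples with each signature set loaded is the reliable check.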