[clamav-users] ClamAV to detect exploits for the Equation Editor vulnerability in DOC files

Micah Snyder (micasnyd) micasnyd at cisco.com
Wed Jan 27 19:47:45 UTC 2021


Hi Chamindra,

Generally speaking, we'd like it if you would upload malware which ClamAV fails to alert on by using the `clamsubmit` tool, or via this webpage https://www.clamav.net/reports/malware
These feed into an automated system that will attempt to determine if it thinks they're malicious and then generate content-based logical signatures and/or hash-based signatures for them.

Some heuristic alerts for CVE detection are also baked into ClamAV.  These are often for file format issues that may be used to exploit vulnerable software.  The "HEUR:Exploit.RTF.CVE-2018-0802.gen" Kaspersky signature sounds like that sort of thing, detecting a Microsoft Office document file format issue.  This sort of thing is often harder to detect with ClamAV's content-based signatures and may be a better candidate for a bytecode signature or a hardcoded check for format correctness when parsing the document file.  If you want to share your samples with our development team, we could take a look -- but it would be a long while before we can build that detection into a new ClamAV version.  To share with the ClamAV development team, you can email me a password protected zip of the files, or upload them to VirusTotal and send me a list of file hashes.

Regards,
Micah

> -----Original Message-----
> From: clamav-users <clamav-users-bounces at lists.clamav.net> On Behalf Of
> Chaminda Indrajith via clamav-users
> Sent: Saturday, January 23, 2021 9:18 AM
> To: 'ClamAV users ML' <clamav-users at lists.clamav.net>
> Cc: Chaminda Indrajith <indrajith at sltidc.lk>; 'G.W. Haywood'
> <clamav at jubileegroup.co.uk>
> Subject: Re: [clamav-users] ClamAV to detect exploits for the Equation Editor
> vulnerability in DOC files
> 
> Hi,
> 
> > Mainly, we get these virus via E-mail. ...
> 
> Can I assume that it's clamd which scans these emails?
> Yes, clamd scans the e-mails.
> 
> > OLE2BlockMacros = "yes"
> 
> There are other settings which you might want to investigate.  See for
> example the 'Alert...' options in the clamd.conf man page which mostly default
> to 'no'.
> 
> I will check the Alert options in clamd.conf.
> 
> > mail/clamav-milter.conf not found
> 
> If you do not use clamav-milter, what takes the message from the mail server
> and presents it to clamd?  Do you have evidence that clamd at least finds
> some threats (of whatever kind) in your incoming mail?
> 
> I use MailScanner, and MailScanner takes the message from postfix and
> presents it to clamd. Yes, I have evidence that clamd finds threats, but it
> cannot detect some of the threats.
> 
> 
> > I can put the viruses in a FTP server and share them with you.
> 
> Please do.  Please provide the files as complete original email messages, not
> just as the attached files (and let me know where I can find them of course. :)
> 
> I will share the complete messages that are stored by MailScanner and I will share
> the FTP access details separately. Daily I will share the threats that were not
> detected by clamd.
> 
> > Usually, I forward the virus mails to Sanesecurity.
> 
> +1
> 
> You might want to send them to the ClamAV team too, and perhaps also to
> Securiteinfo - the maintainer of those signatures has occasionally asked on
> this list for samples to be sent to him.
> The ClamAV team is more interested in malware/phishing than spam.
> 
> How can I share the threats with the ClamAV team? Can I share the same FTP
> access details?
> 
> Thanks again for your great explanation and support.
> 
> Regards
> 
> Chaminda Indrajith
> 
> 
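As an added illustration of the signature types Micah mentions (hash-based and content-based logical signatures), and not code from this thread or from the ClamAV project: the script below builds `.hdb`/`.hsb` and `.ldb` lines for a sample in ClamAV's signature formats so an administrator can test them locally with `clamscan -d` before submitting the sample. The sample bytes, the signature names and the "Equation.3" class-name subsignature are constructed assumptions for demonstrating the format.

```python
import hashlib
from pathlib import Path

# ClamAV target types for the .ldb "Target:N" block (0 = any file, 2 = OLE2 container)
TARGET_ANY, TARGET_OLE2 = 0, 2

def hdb_entry(data: bytes, name: str) -> str:
    """Hash-based signature line (.hdb): MD5:FileSize:MalwareName."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def hsb_entry(data: bytes, name: str) -> str:
    """Hash-based signature line (.hsb): same layout, but keyed by SHA-256."""
    return f"{hashlib.sha256(data).hexdigest()}:{len(data)}:{name}"

def subsig(pattern) -> str:
    """Logical subsignature body: raw bytes are hex-encoded; a str is taken as a
    hand-written hex pattern that may use ClamAV wildcards (??, *, {n-m})."""
    return pattern.hex() if isinstance(pattern, bytes) else pattern.replace(" ", "").lower()

def ldb_entry(name: str, target: int, expression: str, patterns) -> str:
    """Content-based logical signature line (.ldb):
    Name;Target:N;LogicalExpression;Subsig0;Subsig1;...
    The expression refers to subsignatures by index, e.g. "0&1" = both must match."""
    return f"{name};Target:{target};{expression};" + ";".join(subsig(p) for p in patterns)

# Constructed stand-in for an undetected sample: OLE2 magic followed by filler bytes.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE = OLE2_MAGIC + b"constructed sample body Equation.3 padding"

def build_custom_db(directory="custom-sigs", sample: bytes = SAMPLE) -> dict:
    """Write custom.hdb / custom.ldb for the sample and return the lines written."""
    # Assumption: matching the embedded-object class name "Equation.3" only shows the
    # .ldb format; it would also match benign documents that embed an equation object.
    ldb = ldb_entry("Doc.Equation.Object.Custom", TARGET_OLE2, "0&1",
                    [OLE2_MAGIC, b"Equation.3"])
    lines = {"custom.hdb": hdb_entry(sample, "Doc.Sample.Custom"), "custom.ldb": ldb}
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    for fname, line in lines.items():
        (out / fname).write_text(line + "\n")
    return lines

if __name__ == "__main__":
    for fname, line in build_custom_db().items():
        print(f"{fname}: {line}")
    # Try the signatures against a file with: clamscan -d custom-sigs/ sample.doc
```

The hash signature only catches that exact file, so it is the quick stop-gap for a sample already in the mail queue, while a logical signature needs patterns chosen narrowly enough not to alert on ordinary documents.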
