[clamav-users] Verifying bytecode, phishing and other type of threats
G.W. Haywood
clamav at jubileegroup.co.uk
Fri Oct 1 16:24:40 UTC 2021
Hi there,
On Fri, 1 Oct 2021, Indranil via clamav-users wrote:
> ...
> 9. .\clamdscan -m -i 'C:\Users\indra\AppData\'
The '-i' command-line option is specifically for 'clamscan'. The
'clamdscan' utility will ignore it.
> ... permission denied errors.
Obviously if you want ClamAV to scan something, either it has to have
permission to read it or something else must read it and pass the data
to the ClamAV scanning process. Here, for example, we run a separate
clamd server, which scans everything passed to it over the LAN by the
mail servers. If something manages to compromise the clamd server it
isn't a big deal because it can't access anything else on the network.
By the way in more than eighteen years of using ClamAV, that's never
happened here but it's a possibility you always need to consider.
> ... I plan to scan all new file addition in
> C:\Users\<user name>\Downloads, C:\Users\<username>\Desktop,
> C:\Users\<username>\Documents, C:\Users\<username>\AppData and new
> email for all possible threats ...
> ...
> In all my test runs I am getting clean results. But at present I am
> trying to find examples of various threat detection.
You mean samples of malware etc.?
> So eventually from the threat message I want to distinguish a
> malware from phishing from a bytecode etc. Do you have any
> suggestion for me to better visualize (via running test scans)
> threat detection?
When you see something FOUND, either on the command line or in a log,
you can ask ClamAV's 'sigtool' utility to tell you exactly what in the
data caused the report by passing the FOUND string to it. That will
show you exactly what the signature was looking for. Other than that
I'm not sure exactly what you want to see. Most people I think set up
periodic scans, and look in their logs from time to time. My personal
view is that this is asking for trouble, and I don't scan systems at
all. I only scan incoming data, which seems to be the sort of thing
which you're planning to do. In our case the incoming data is in mail
and it's scanned automatically by mail filters. If anything triggers
detection there then it's stopped in its tracks at that point. Either
it's automatically reported (because the server has seen sufficiently
similar abuse to recognize it without any doubt) and sent to /archive,
or someone (generally me) will see something brightly coloured on the
Web interface and then can look at the situation and take a view. We
use a purpose-built Web interface to the mail systems. This avoids a
huge amount of effort which would otherwise be needed to run suspect
data past e.g. Jotti's malware scan, scan logs, report abuse etc. - but (1)
it's only any use if you run mail servers and (2) I don't see how the
effort could be justified for ad-hoc scans of a single Windows box.
> The output from ./clamconf.exe -n shows that I do not have any
> non-default configuration
>
> I have changed anything in clamd.conf. Do you have any suggestion for
> any non-default configuration which can lead to better security?
I take it you mean you have *not* changed anything in clamd.conf - or
at least nothing except commenting the 'Example' line?
To me, the most obvious configuration change to improve security would
be to use any third-party databases that you can get hold of. You can
tweak things in clamd.conf but you need to be careful. It's possible
to cause ClamAV to consume excessive resources and you might crash the
system; that, if you're unlucky, could mean you'd need to spend a lot
of time on recovering it. Running a separate ClamAV server has much
to recommend it.
You haven't asked about other ways of improving security, and to some
extent this list isn't really appropriate for discussing many of them,
but I would strongly advise you not to rely on ClamAV as your only way
of defending against threats of all kinds. If you do, then the game
is most probably already over. In the past I have posted my estimates
of detection rates to this list, you may want to look them over. It's
far more important to maintain good network hygiene than it is to run
a virus scanner. There are vastly more threats against Windows boxes
than there are against other systems - probably more than all threats
of all kinds against all other systems put together. That's one of
the main reasons I don't routinely run any Windows boxes.
--
73,
Ged.
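As an added illustration of the sigtool workflow described in the reply above (this is example code, not part of the original post and not ClamAV's own tooling): the script below reads clamscan/clamdscan output, pulls out every "FOUND" line, puts each signature name into a coarse category, and prints the sigtool pipeline that will show what that signature was looking for. The category rules (a "BC." prefix for bytecode signatures, "Heuristics." for heuristic detections, "Phishing" in the name for phishing) are an assumption based on ClamAV's naming conventions, not something the post states, and the sample scanner output, paths and signature names are constructed for the example. Lines that end in "ERROR" are counted separately, since they usually mean the scanner could not read the file (the permission-denied case discussed above); the exact wording of those lines varies between clamscan and clamdscan, so only the trailing token is matched.

```python
import re
import shlex
from collections import Counter

# Constructed sample of clamscan/clamdscan output. Paths and signature
# names are made up for this example and do not come from the post.
SAMPLE_OUTPUT = """\
C:\\Users\\indra\\Downloads\\invoice.exe: Win.Test.Constructed-1 FOUND
C:\\Users\\indra\\Downloads\\notes.txt: OK
C:\\Users\\indra\\Desktop\\login.html: Heuristics.Phishing.Email.SpoofedDomain FOUND
C:\\Users\\indra\\AppData\\Local\\Temp\\x.swf: BC.Example.Constructed-1 FOUND
C:\\Users\\indra\\AppData\\Local\\Temp\\locked.bin: Can't access file ERROR
"""

# "<path>: <signature> FOUND" is the format both clamscan and clamdscan use.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# Error lines differ in wording between tools/versions; key on the trailing
# ERROR token only (assumption: that token is always present).
ERROR_RE = re.compile(r"^(?P<path>.+?): (?P<msg>.*\bERROR)$")


def parse_scan_output(text):
    """Return (detections, errors).

    detections: list of (path, signature) for every FOUND line.
    errors:     list of (path, message) for files the scanner could not
                read, e.g. permission denied.
    """
    detections, errors = [], []
    for line in text.splitlines():
        line = line.rstrip()
        m = FOUND_RE.match(line)
        if m:
            detections.append((m["path"], m["sig"]))
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append((m["path"], m["msg"]))
    return detections, errors


def classify(sig):
    """Coarse category derived from the signature name.

    The prefix rules are an assumption based on ClamAV naming conventions
    (bytecode signatures carry a 'BC.' prefix, heuristic detections start
    with 'Heuristics.'); adjust them if your database uses other names.
    """
    if sig.startswith("BC."):
        return "bytecode"
    if "Phishing" in sig:
        return "phishing"
    if sig.startswith("Heuristics."):
        return "heuristic"
    return "malware"


def sigtool_command(sig):
    """Shell pipeline that prints the body of a signature by name.

    sigtool --find-sigs takes a regex, so the name is escaped before it is
    quoted for the shell; --decode-sigs reads the matches from stdin.
    """
    pattern = re.escape(sig)
    return f"sigtool --find-sigs={shlex.quote(pattern)} | sigtool --decode-sigs"


def summarize(text):
    """Parse scanner output and count detections per category."""
    detections, errors = parse_scan_output(text)
    counts = Counter(classify(sig) for _, sig in detections)
    return {"detections": detections, "errors": errors, "by_category": dict(counts)}


if __name__ == "__main__":
    report = summarize(SAMPLE_OUTPUT)
    for path, sig in report["detections"]:
        print(f"{classify(sig):9} {sig}  <- {path}")
        print(f"    inspect with: {sigtool_command(sig)}")
    for path, msg in report["errors"]:
        print(f"unscanned {path}: {msg}")
    print("totals:", report["by_category"])
```

Feed it real output with something like `clamdscan --multiscan <dir> | python3 triage.py` after swapping SAMPLE_OUTPUT for sys.stdin.read(); the printed sigtool pipeline is then run on the machine that holds the signature databases. Files listed under "unscanned" are the ones the note above is about: ClamAV reported nothing for them because it never got to read them, which is not the same as a clean result.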