Hi Guys, 

I have a multiple signed malwares. I want to create detection using the certificate that is used to sign them. I came across an old blog from ClamAV folks. 
https://blog.clamav.net/2013/02/authenticode-certificate-chain.html
Where the author creates a signature for the revoked certificate and adds it to .crtdb to detect the signed malicious binary. Recent versions of ClamAV don't recognize .crtdb file, it seems to be replaced by .crb file.
In the documentation, I found this  

The .crb format supports blacklist rule entries, but these cannot currently be used as a basis for malware detection. Instead, as currently implemented, these entries just override .crb rules which would otherwise whitelist a given sample
https://www.clamav.net/documents/microsoft-authenticode-signature-verification 

My question is, Is there any way to detect signed malicious binaries using signing certificate properties like the author does in the old blog mentioned above.

Thank you :) I am new to ClamAV. Please forgive my ignorance. 

Have a nice day, you all. :)

Regards, 
Irshad Muhammad.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml