Hi Cyril,
How did you transmit the virus? Via email? As attachments? Was it compressed or uncompressed?
I know you might not agree with me, but my suggestion is to block executable files (exe, bat, pif, scr, dll, etc.) from being sent at the MTA. Most MTAs reject such attachments outright anyway. For example, Google: https://support.google.com/mail/answer/6590?hl=en . I am doing the same on my email systems. I know it is preferred to know the exact type of virus and reject it, but nowadays most of the executables sent via email (or even links posted in email) are viruses.
If you are talking about compressed files, you have multiple choices for doing this as well:
1) use complicated MTA rules to unzip/untar/unrar/etc. the archive and check if an executable is inside.
2) use the Foxhole unofficial ClamAV signatures (might not cover all situations)
3) write your own signatures like this. Please check the manual first: https://www.clamav.net/documents/extended-signature-format
Archived_BAT:*:*:(?i)\.bat$:*:*:*:*:*:*
Archived_COM:*:*:(?i)\.com$:*:*:*:*:*:*
Archived_EXE:*:*:(?i)\.exe$:*:*:*:*:*:*
Hope that is useful.
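
The three signatures above, exercised against a ZIP built in memory. This is an added example, not part of the original message and not ClamAV code. It assumes Python's re module as a stand-in for ClamAV's matcher, evaluates only the ContainerType, FileNameREGEX and IsEncrypted fields, and uses a constructed sample archive with harmless member contents.

```python
import io
import re
import zipfile

# The three signatures from the message above (.cdb container-metadata format):
# Name:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:
# FileSizeReal:IsEncrypted:FilePos:Res1:Res2
CDB_SIGS = r"""
Archived_BAT:*:*:(?i)\.bat$:*:*:*:*:*:*
Archived_COM:*:*:(?i)\.com$:*:*:*:*:*:*
Archived_EXE:*:*:(?i)\.exe$:*:*:*:*:*:*
"""

def parse_cdb(text):
    """Return (name, container_type, compiled_regex, is_encrypted) tuples."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        f = line.split(":")
        if len(f) < 10:
            raise ValueError(f"expected at least 10 fields: {line!r}")
        sigs.append((f[0], f[1], re.compile(f[3]), f[6]))
    return sigs

def scan_zip(data, sigs):
    """Return sorted (signature, member) pairs for a ZIP held in memory."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Bit 0 of the general-purpose flags marks an encrypted member.
            encrypted = "1" if info.flag_bits & 0x1 else "0"
            for name, ctype, rx, enc in sigs:
                if (ctype in ("*", "CL_TYPE_ZIP") and enc in ("*", encrypted)
                        and rx.search(info.filename)):
                    hits.append((name, info.filename))
    return sorted(hits)

def sample_zip():
    """Constructed sample archive; member contents are harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in ("invoice.pdf", "docs/Setup.EXE", "run.bat", "notes.exe.txt"):
            zf.writestr(member, "placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for sig, member in scan_zip(sample_zip(), parse_cdb(CDB_SIGS)):
        print(f"{member}: {sig}")
```

The `$` anchor is why `notes.exe.txt` is not flagged while `docs/Setup.EXE` is.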
Hello,
Today, we transmitted a significant amount of Emotet files that were undetected by ClamAV,
(verification done under VirusTotal).
Is there a reason why the Emotet detection rate is very low for ClamAV?
Thank you in advance.
Best regards,
---
Cyril AECK
Service du numérique - SNum
UNI/DETN
Messagerie & conférences à distance
Tel. 04 74 27 52 13
Port. 06 63 16 23 32
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml