create_your_own_anti-virus_signatures_with_clamav

Differences

This shows you the differences between two versions of the page.

Previous revision: create_your_own_anti-virus_signatures_with_clamav [2009/07/05 23:42] adam (created)
Next revision: create_your_own_anti-virus_signatures_with_clamav [2009/07/05 23:44] adam
Line 23:
 Save it as strip-attach.pl (or whatever you like) and make it executable. Then run it with the file to strip as its argument, such as:
  
-strip-attach.pl <mail file>
+  strip-attach.pl testfile
  
 The output gives you the paths to the text portion and to the attachment portion of the email. If instead you saved the attachment to your PC from your mail client, you can skip the script and start paying attention from here.
Line 59:
 Either name the virus yourself, if it's just a file you don't want on your network or it's a new virus, or take a look at what other AV engines call it by submitting your suspicious file somewhere like [[http://www.virustotal.com/]]. ClamAV has its own virus naming conventions, as detailed in the docs.
  
-My good friend and malware expert [[http://barbie.missbarbell.co.uk/|Barbie]], until recently of Message Labs and [[http://birmingham.pm.org/|Birmingham Perl Mongers]], gave a talk at [[http://www.lugradio.org/|LugRadio]] [[http://lugradio.org/live/UK2008/|Live UK 2008]] where he explained that the people who are first to identify a new virus are the people who name it, though different AV vendors often use different names and the name which is popularised in the press is the one that sticks. If you detect a virus before anybody else, then name it as you like and then find a way of making sure everybody uses your chosen name. Fun and profit awaits you :)
+My good friend and malware expert [[http://barbie.missbarbell.co.uk/|Barbie]], until recently of Message Labs and [[http://birmingham.pm.org/|Birmingham Perl Mongers]], gave a talk at [[http://www.lugradio.org/|LugRadio]] [[http://lugradio.org/live/UK2008/|Live UK 2008]] where he explained that the people who are first to identify a new virus are the people who name it, though different AV vendors often use different names and the name which is popularised in the press is the one that sticks. If you detect a virus before anybody else, then name it as you like and then find a way of making sure everybody uses your chosen name. Fun and profit awaits you :-)
  
 Now, test the signature against your suspect file:
  
-clamscan -d customsig.ndb testfile
+  clamscan -d customsig.ndb testfile
  
 Keeping one signature per file is unwieldy, so if you're going to be doing this frequently or you want your signature to be used as part of regular operations, you may as well keep your own database file alongside ClamAV's. Simply copy your customsig.ndb into the directory that holds ClamAV's own signatures. On most Linux boxes that's /var/lib/clamav/, though it might be something like /usr/local/share/clamav/ on FreeBSD or if you compiled ClamAV yourself (clamconf, or DatabaseDirectory in clamd.conf, will tell you). clamscan re-reads that directory on every run; if you use clamd, restart it or reload its databases so it picks up the new file. Then run a regular scan without having to specify your custom sig:
  
-clamscan testfile
+  clamscan testfile
  
 And that's it. Add each new signature line to the customsig.ndb you put in ClamAV's signature directory, but be sure to test it first from a standalone sig file so you know it works as expected: a malformed line stops ClamAV loading the database, which would break scanning for everything, not just your new signature.
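A worked version of the procedure above (build the .ndb line from the file's distinctive bytes, write customsig.ndb, test it against testfile and against a near-miss clean file), as an added example that is not code from the original page or from ClamAV itself. It assumes ClamAV's documented .ndb line format Name:TargetType:Offset:HexSignature (target type 0 = any file, offset * = anywhere), a constructed sample file standing in for the stripped attachment, and a hypothetical signature name Custom.Dropper-1; the local_match helper is a deliberately minimal re-check of a plain hex body, not ClamAV's matcher, and run_clamscan only does anything when clamscan is on PATH.

```python
#!/usr/bin/env python3
"""Generate a ClamAV .ndb signature from a sample file and sanity-check it.

Added example for this page, not ClamAV's own code. Assumes the documented
.ndb line format Name:TargetType:Offset:HexSignature (TargetType 0 = any
file, Offset * = match anywhere). The sample bytes, the signature name
"Custom.Dropper-1" and the file names are constructed for the demo.
"""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed stand-in for the stripped attachment: a PE-looking header
# followed by a string that is specific to this particular "malware".
TESTFILE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"This program cannot be run in DOS mode.\r\n"
    + b"http://example.invalid/dropper.exe"
    + b"\x00" * 16
)
# Fingerprint the sample-specific string, never the MZ header or DOS stub:
# those bytes occur in every Windows executable and would flag them all.
FINGERPRINT = b"http://example.invalid/dropper.exe"

NAME_RE = re.compile(r"[A-Za-z0-9._-]+")


def make_ndb_line(name, pattern, target_type=0, offset="*"):
    """Return one .ndb line. Colons are the field separators, so they are
    rejected in the name; very short patterns are rejected because they
    match almost anything (8 bytes is an assumed floor, not a ClamAV rule)."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("signature name must match [A-Za-z0-9._-]+")
    if len(pattern) < 8:
        raise ValueError("pattern shorter than 8 bytes is a false-positive risk")
    return f"{name}:{target_type}:{offset}:{pattern.hex()}"


def local_match(sig_line, data):
    """Minimal re-check of a plain-hex .ndb line against file bytes.
    Handles a literal hex body at offset * or at a fixed byte offset only;
    ClamAV itself supports wildcards, EP+n offsets and much more.
    Returns the signature name on a hit, None otherwise."""
    name, _target, offset, hexbody = sig_line.split(":")[:4]
    body = bytes.fromhex(hexbody)
    if offset == "*":
        found = body in data
    else:
        start = int(offset)
        found = data[start:start + len(body)] == body
    return name if found else None


def run_clamscan(db_path, file_path):
    """Run `clamscan -d <db> <file>` when ClamAV is installed.
    Returns True (hit), False (clean) or None (clamscan not on PATH).
    clamscan exit codes: 0 clean, 1 infected, anything else is an error."""
    if shutil.which("clamscan") is None:
        return None
    proc = subprocess.run(
        ["clamscan", "--no-summary", "-d", str(db_path), str(file_path)],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode not in (0, 1):
        raise RuntimeError(f"clamscan failed: {proc.stderr.strip()}")
    return proc.returncode == 1


def build_and_check(workdir, name="Custom.Dropper-1"):
    """Write testfile and customsig.ndb into workdir, then check the
    signature locally and, when available, with the real clamscan."""
    workdir = Path(workdir)
    testfile = workdir / "testfile"
    db = workdir / "customsig.ndb"
    testfile.write_bytes(TESTFILE_BYTES)
    sig = make_ndb_line(name, FINGERPRINT)
    db.write_text(sig + "\n")
    # Near-miss file: same header, different URL. Must NOT match.
    clean = workdir / "cleanfile"
    clean.write_bytes(TESTFILE_BYTES.replace(b"dropper", b"updater"))
    return {
        "signature": sig,
        "local_hit": local_match(sig, testfile.read_bytes()),
        "local_clean": local_match(sig, clean.read_bytes()),
        "clamscan_hit": run_clamscan(db, testfile),
        "clamscan_clean": run_clamscan(db, clean),
    }


def demo(name="Custom.Dropper-1"):
    """Run build_and_check in a throwaway directory and return its results."""
    with tempfile.TemporaryDirectory() as tmp:
        return build_and_check(tmp, name)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same hex body can be produced with ClamAV's own sigtool (pipe the bytes through sigtool --hex-dump); the part that matters is which bytes you fingerprint, a string specific to the sample rather than the header every Windows binary shares. Once a line passes here and against clamscan -d customsig.ndb, it can be appended to the customsig.ndb in the signature directory as described above.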
create_your_own_anti-virus_signatures_with_clamav.txt · Last modified: 2016/11/25 22:38 (external edit)