This shows you the differences between two versions of the page.

create_your_own_anti-virus_signatures_with_clamav [2009/07/05 23:44] adam
create_your_own_anti-virus_signatures_with_clamav [2016/11/25 22:38]
===== Create Your Own Anti-Virus Signatures with ClamAV =====

I use [[http://

Even though viral email attachments aren't the major attack vector for Windows PCs that they were a few years ago, a few times recently I've found the need to block viral emails which the major AV engines weren'

Enter ClamAV. ClamAV is an anti-virus toolkit for [[http://

The first thing you need is something which you want to detect. It might be a virus, some other piece of malware or maybe just a nuisance application installer. It helps if you're not running Windows, so you don't infect yourself with whatever it is you are trying to detect, and running the following commands will be easy for you. If you have an email with your attachment or file in it, you need to save the attachment to your PC. If it's still on the mail server, either download the mail and save the file, or, if you have shell access to the server, copy the entire mail file itself to your PC, which is easy if you're using maildirs. If you use mboxes you need to take a copy of the mail somehow so that it's in a file of its own (look at csplit, for example).

If you have a file containing the email rather than having saved the attachment from within your mail client, you need to split the text and attachment parts out from each other. The following script does this for you. You need Perl and the MIME::
  #!/usr/bin/perl
  use strict;
  use warnings;
  use MIME::Parser;
  use File::Temp qw(tempdir);

  # First argument: a file holding one complete email (a maildir file, or one message split out of an mbox)
  my $file = $ARGV[0] or die "usage: $0 mailfile\n";

  my $parser = MIME::Parser->new;
  # Output directory: a fresh temporary directory (assumed here; point it somewhere fixed if you prefer)
  my $outdir = tempdir("strip-attach-XXXXXX", TMPDIR => 1);
  $parser->output_dir($outdir);
  $parser->output_to_core(0);   # write every body part to disk rather than holding it in memory
  my $entity = $parser->parse_open($file) or die "could not parse $file\n";
  # Print the part tree, including the path each body part was written to
  $entity->dump_skeleton;

Save it as strip-attach.pl or something and make it executable. Then run it with the file to strip as its argument, such as:

  strip-attach.pl testfile

The output will give you the paths to the text portion and the attachment portion of the email. If you saved the email attachment to your PC from your mail client, you can start paying attention now.
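The same split, as an added example in Python rather than the page's Perl script (this is not code from the original page): it uses only the standard library `email` module, undoes the Content-Transfer-Encoding so the attachment bytes on disk are exactly what you will later sign and scan, and keeps only the base name of any attacker-supplied filename so a header like `../../etc/cron.d/x` cannot steer where the part is written. The sample message is constructed inside the block.

```python
"""Split a saved email file into its text and attachment parts (added example)."""
import email
import tempfile
from email import policy
from email.message import EmailMessage
from pathlib import Path


def split_mail(raw: bytes):
    """Return (text_parts, attachments); attachments is a list of (filename, bytes).

    get_payload(decode=True) undoes base64 / quoted-printable, so the bytes
    returned are the real file, i.e. what clamscan should be pointed at.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_parts, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers only; walk() visits their children anyway
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            # The filename header is sender-controlled: keep the base name only
            attachments.append((Path(filename or "unnamed.bin").name, payload))
        elif part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "utf-8"
            text_parts.append(payload.decode(charset, errors="replace"))
    return text_parts, attachments


def write_parts(raw: bytes, outdir=None):
    """Write each part to its own file and return the paths (what the Perl
    script's dump_skeleton prints).  outdir defaults to a fresh temp dir."""
    outdir = Path(outdir or tempfile.mkdtemp(prefix="strip-attach-"))
    texts, attachments = split_mail(raw)
    paths = []
    for i, text in enumerate(texts):
        p = outdir / f"text-{i}.txt"
        p.write_text(text, encoding="utf-8")
        paths.append(p)
    for i, (name, data) in enumerate(attachments):
        p = outdir / f"attach-{i}-{name}"
        p.write_bytes(data)
        paths.append(p)
    return paths


def build_sample_mail() -> bytes:
    """Constructed test message: a short text body plus a fake .exe attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00FAKE-EXE-BODY", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for path in write_parts(build_sample_mail()):
        print(path)
```

Run it as-is to see the two paths printed; to use it on a real message, read the saved mail file as bytes and pass it to `write_parts`.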

What you now have is the file you want to block. If it's zipped, compressed or in any other kind of container, unzip or extract it and work on the inner file: ClamAV can see inside these archives if you have configured it to do so and have the right tools installed (unzip under Linux, for example).

Next create a signature of the file using ClamAV'

  cat testfile | sigtool --hex-dump | head -c 2048 > customsig.ndb

In this case, testfile is your undesirable file and we have taken a signature of the first 2KB; otherwise the signature would be huge and scanning would therefore be inefficient. We have saved the generated signature in customsig.ndb. In theory, you need to take a signature of a unique portion of the file. You can also take a signature from an offset within the file, it doesn'

You should edit customsig.ndb and prefix the content with the appropriate Name, Type and Offset in the following format:

  Name:

Such as:

  Trojan.Win32.Emold.A:

Name is the virus name. Type is one of the following:
  * 0 = any file
  * 1 = Portable Executable (ie Windows exe)
  * 2 = OLE2 component (e.g. a VBA script)
  * 3 = HTML (normalised)
  * 4 = Mail file
  * 5 = Graphics
  * 6 = ELF
  * 7 = ASCII text file (normalised)

Offset is either * or an offset in bytes from the beginning of the file to where the hex string occurs. This is best left as * unless you know where in the file your hex string occurs. Read the ClamAV documentation if this is the case.

For most purposes, a type of 0 (or 1 for a Windows exe) and an offset of * will suffice.
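The signature steps above (hex-dump, truncate, prefix Name:Type:Offset, test with clamscan), as an added Python example that is not part of the original page and does not call ClamAV itself. It builds a record in the `.ndb` layout `Name:Type:Offset:HexSignature`, then models how the Type and Offset fields change what a scan matches: `*` finds the bytes anywhere, a numeric offset only at that position, and type 1 ignores files that do not start with an MZ header. One caveat worth knowing: `head -c 2048` counts characters of sigtool's hex output, so it keeps the first 1024 bytes of the file, and the function below counts the same way. The `false_positives` check is the practical form of the page's "unique portion" advice: run a candidate signature over known-good files before you deploy it. Only types 0, 1 and 6 are modelled; the sample files are constructed in the block.

```python
"""Build, parse and check ClamAV .ndb-style hex signatures (added example)."""
import re

# Target types from the page's table
TARGET_TYPES = {0: "any file", 1: "Portable Executable", 2: "OLE2", 3: "HTML",
                4: "Mail file", 5: "Graphics", 6: "ELF", 7: "ASCII text"}


def make_ndb_line(name, data, target_type=0, offset="*", max_hex_chars=2048):
    """Mirror of `sigtool --hex-dump | head -c N` plus the Name:Type:Offset prefix.
    head -c counts characters of the hex output, so N hex chars cover N/2 file bytes."""
    if target_type not in TARGET_TYPES:
        raise ValueError(f"unknown target type {target_type}")
    if offset != "*" and not offset.isdigit():
        raise ValueError("offset must be '*' or a decimal byte offset")
    if not name or ":" in name:
        raise ValueError("name must be non-empty and must not contain ':'")
    hexsig = data.hex()[:max_hex_chars - (max_hex_chars % 2)]  # keep whole bytes
    if not hexsig:
        raise ValueError("refusing to build a signature from an empty file")
    return f"{name}:{target_type}:{offset}:{hexsig}"


def parse_ndb_line(line):
    """Split Name:Type:Offset:HexSignature and decode the hex back to bytes."""
    name, ttype, offset, hexsig = line.strip().split(":", 3)
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hexsig):
        raise ValueError("hex signature must be a non-empty, even-length hex string")
    return name, int(ttype), offset, bytes.fromhex(hexsig)


def has_target_type(target_type, data):
    """Tiny stand-in for ClamAV's file typing; only types 0, 1 and 6 are modelled."""
    if target_type == 0:
        return True
    if target_type == 1:
        return data.startswith(b"MZ")
    if target_type == 6:
        return data.startswith(b"\x7fELF")
    raise NotImplementedError(f"type {target_type} ({TARGET_TYPES.get(target_type, '?')}) not modelled")


def matches(line, data):
    """Return the signature name if `data` matches the .ndb line, else None."""
    name, ttype, offset, sig = parse_ndb_line(line)
    if not has_target_type(ttype, data):
        return None
    if offset == "*":
        hit = sig in data                        # anywhere in the file
    else:
        off = int(offset)
        hit = data[off:off + len(sig)] == sig    # only at that exact position
    return name if hit else None


def scan(db_lines, files):
    """clamscan-style pass over {filename: bytes}; returns {filename: signature name} for hits."""
    hits = {}
    for fname, data in files.items():
        for line in db_lines:
            found = matches(line, data)
            if found:
                hits[fname] = found
                break
    return hits


def false_positives(line, clean_files):
    """Names of known-good files the signature would flag; a non-empty result means
    the chosen portion of the sample is not unique enough to deploy."""
    return sorted(f for f, data in clean_files.items() if matches(line, data))


# Constructed samples: a fake PE with a distinctive marker, and a benign fake PE
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 12 + b"PAYLOAD-MARKER-0xDEADBEEF" + bytes(range(64))
SAMPLE_CLEAN = b"MZ\x90\x00" + b"\x00" * 12 + b"hello world" + bytes(range(64))

if __name__ == "__main__":
    sig = make_ndb_line("Trojan.Win32.Example.A", SAMPLE_EXE, target_type=1)
    print(sig[:80] + "...")
    print(scan([sig], {"testfile": SAMPLE_EXE, "clean.exe": SAMPLE_CLEAN}))
    print("false positives:", false_positives(sig, {"clean.exe": SAMPLE_CLEAN}))
```

A signature taken only from the first 16 bytes of the sample (the MZ header and padding) is flagged by `false_positives` because every fake PE in the clean set starts the same way; that is exactly the situation the "unique portion" advice guards against, and the same check is worth running against a directory of legitimate installers before a custom `.ndb` line goes into production.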

Either name the virus yourself, if it's just a file you don't want on your network or it's a new virus, or take a look at what other AV engines call a virus by submitting your suspicious file to somewhere like [[http://

My good friend and malware expert [[http://

Now, test the signature against your suspect file:

  clamscan -d customsig.ndb testfile

It's pretty inefficient to store one virus signature per file, so if you're going to be doing this frequently, or you want your signature to be used as part of regular operations, you may as well start keeping your own virus db file as part of ClamAV itself. Simply copy your customsig.ndb to the directory used by ClamAV'

  clamscan testfile

And that's it. Add each new signature line into the customsig.ndb file you put in ClamAV'

Having created sigs for files which the commercial AV engines weren'

I did exactly that, and was quite pleased to get an email a few weeks later which said that a signature for the file I submitted had been included in a ClamAV update, although the same file had been submitted by several other people.

Most people suggest advocacy or documentation as the ways non-programmers can help a project; this just goes to show that there are many more ways to help a Free Software project than you might think if you're not a programmer.

So, why would you want to use ClamAV? If you run mail servers then you should be using it already, regardless of whether you run a proprietary AV engine. ClamAV is free and plugs easily into most Unix-style mail servers, either directly or through something like Amavis. ClamAV is pretty good at catching phishing emails too, which is something I've not seen much of from the major AV vendors. Details on dealing with phishing sigs are [[http://

A few years ago I worked at a college where Windows permissions were sufficiently lax that the students were able to install MSN Messenger (now known as Windows Live Messenger) on the PCs which were supposed to be for educational purposes only, as certain applications they needed to run required access to write to parts of the registry so they couldn'

Note that ClamAV is not an in-memory, on-access, real-time background virus scanner: it won't detect viruses in files as you open or execute them. You need to scan files manually to detect viruses. It's not intended as a replacement for a desktop AV; it's intended for gateway services like web and mail filtering, or scheduled scanning.

Do I need to tell you any more? Go geddit tiger.