There are far more than 31 signatures that have the potential to impact Linux systems. There are, in truth, over 23,000 signatures that are able to detect malware on Linux and Unix systems. Most "Linux" signatures only contain the word Unix, however. Additionally, keep in mind that these are only from the ClamAV provided databases. Sanesecurity and the Linux Malware Detect project add more as well.
Of the official databases, the signatures break down like this for Unix signatures:

      1 [bytecode]
   7386 [daily.hdb]
  11640 [daily.hsb]
     67 [daily.ldb]
     11 [daily.ndb]
    141 [main.hdb]
   3445 [main.hsb]
      5 [main.mdb]
    426 [main.ndb]
      2 [daily.ldb] <== These are noted by Al in his previous message.

Aside from the Win.* signatures, these are the major grouping of the non-hash signatures:

      1 Unix.Downloader
     28 Unix.Exploit
      1 Unix.Malware
      1 Unix.Packer
      6 Unix.Rootkit
    311 Unix.Tool
    144 Unix.Trojan
     11 Unix.Worm

Of the hashes, there are about 50 different 'families' of Unix/Linux related malware of varying specificity:

      3 Unix.Adware.Bundlore
      1 Unix.Adware.Bundloreca
      9 Unix.Adware.Genieo
      1 Unix.Adware.Installmiez
      1 Unix.Adware.Macinst
      1 Unix.Adware.Spigot
      1 Unix.Adware.Xloader
      1 Unix.Downloader.Amcleaner
      1 Unix.Exploit.CVE_2016_8733
      1 Unix.Exploit.CVE_2016_9032
      1 Unix.Exploit.CVE_2016_9033
      1 Unix.Exploit.CVE_2017_1000253
      1 Unix.Exploit.Gingerbreak
      1 Unix.Exploit.Iosjailbreak
      1 Unix.Exploit.Lacksand
      4 Unix.Exploit.Lotoor
      1 Unix.Exploit.Powershell
      1 Unix.Exploit.Remotesync
      1 Unix.Exploit.Roothack
      1 Unix.Exploit.TALOS_2016_0257
  21777 Unix.Malware.Agent
      1 Unix.Malware.Generic
      1 Unix.Malware.Setag
      4 Unix.Malware.Tsunami
      1 Unix.Malware.Xorddos
      1 Unix.Spyware.Opinionspy
      1 Unix.Tool.Dnsamp
      6 Unix.Tool.Dofloo
    448 Unix.Tool.EQGRP
      5 Unix.Tool.FakeAV
      1 Unix.Tool.Flood
      1 Unix.Tool.Zusy
    137 Unix.Trojan.Agent
      6 Unix.Trojan.Cornelgen
      7 Unix.Trojan.Ddostf
     13 Unix.Trojan.Dofloo
      1 Unix.Trojan.Dogspectus
      1 Unix.Trojan.Elknot
      1 Unix.Trojan.Elzob
    127 Unix.Trojan.Gafgyt
      3 Unix.Trojan.Hanthie
      3 Unix.Trojan.Mayday
     24 Unix.Trojan.Mirai
      2 Unix.Trojan.Small
      7 Unix.Trojan.Tsunami
      1 Unix.Trojan.Webshell
      1 Unix.Trojan.Zonie
      1 Unix.Virus.Zusy
      1 Unix.Worm.Cheese
      1 Unix.Worm.Darlloz

My suggestion is, yes. Run ClamAV. But don't rely on just the official databases.

--Maarten

On Wed, Dec 20, 2017 at 4:09 AM, Al Varnell <alvarn...@mac.com> wrote:

> FYI, there are 31 ClamAV signatures that contain the word "Linux". There
> are currently almost 6.4 million ClamAV signatures in the database.
>
> All but two are in main.ndb or main.hdb, meaning they are relatively old.
>
> All but five start with Win.Trojan or Win.Exploit or Win.Tool so I'm not
> clear on their relationship to Linux.
>
> The two most recent ones are:
> - Unix.Trojan.Linux_DDoS_93-2
> - Unix.Trojan.Linux_DDoS_93-5364119-0
>
> -Al-
>
> On Wed, Dec 20, 2017 at 12:47 AM, Matus UHLAR - fantomas wrote:
> > On 19.12.17 12:44, Dan Rawson wrote:
> >> I'm working on running clamav on my Linux workstation - NOT a server
> >> environment. What is the recommended usage in that environment? clamd +
> >> OnAccess? clamscan scheduled from cron?? clamdscan scheduled from cron??
> >>
> >> I did search through the documentation but didn't see much addressing
> >> "best practices" in a single machine environment.
> >
> > I haven't seen a linux malware yet. Well, I've heard that it exists, but
> > haven't seen it (except hacking suite...)
> >
> > what makes you think you need it?
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
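
A tally of the kind shown in the message above can be reproduced with a short script; this is an added example, not part of the original thread or of ClamAV. It assumes a signature listing with one `[database] SignatureName` entry per line (the shape of the bracketed database names above); the sample lines and their numeric ids are constructed.

```python
import re
from collections import Counter

# Database file extensions treated as hash-based (assumption for this example).
HASH_EXTS = {".hdb", ".hsb", ".mdb", ".msb"}
LINE_RE = re.compile(r"^\[(?P<db>[^\]]+)\]\s+(?P<name>\S+)$")

# Constructed sample listing; names reuse families from the thread, ids are made up.
SAMPLE = """\
[daily.hdb] Unix.Malware.Agent-1000001-0
[daily.hdb] Unix.Malware.Agent-1000002-0
[daily.hsb] Unix.Trojan.Mirai-1000003-0
[daily.ldb] Unix.Trojan.Gafgyt-1000004-0
[main.ndb] Unix.Tool.Flood-7
[main.ndb] Unix.Trojan.Small-12
[main.hdb] Win.Trojan.Linux-1000005
not a signature line
"""

def family(name, depth):
    """Drop trailing numeric id suffixes, keep the first `depth` dotted parts."""
    base = re.sub(r"(-\d+)+$", "", name)
    return ".".join(base.split(".")[:depth])

def breakdown(listing, platform="Unix."):
    """Count platform signatures per database, per group and per hash family."""
    per_db, groups, families = Counter(), Counter(), Counter()
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        # Filter on the name prefix, not on a substring: a search for the
        # word "Linux" also matches Win.* names, as noted in the thread.
        if not m or not m["name"].startswith(platform):
            continue
        db, name = m["db"], m["name"]
        per_db[db] += 1
        ext = db[db.rfind("."):] if "." in db else ""
        if ext in HASH_EXTS:
            families[family(name, 3)] += 1   # e.g. Unix.Trojan.Mirai
        else:
            groups[family(name, 2)] += 1     # e.g. Unix.Trojan
    return per_db, groups, families

if __name__ == "__main__":
    for title, counts in zip(("per database", "non-hash groups", "hash families"),
                             breakdown(SAMPLE)):
        print(title)
        for key, n in sorted(counts.items()):
            print(f"{n:7d} {key}")
```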