Maarten -
Great summary, thanks!
Dan
On 12/20/2017 07:02 AM, Maarten Broekman wrote:
There are far more than 31 signatures that have the potential to impact
Linux systems. There are, in truth, over 23,000 signatures that are able to
detect malware on Linux and Unix systems. Most "Linux" signatures only
contain the word Unix, however. Additionally, keep in mind that these are
only from the ClamAV provided databases. Sanesecurity and the Linux Malware
Detect project add more as well.
Of the official databases, the signatures break down like this for Unix
signatures:
1 [bytecode]
7386 [daily.hdb]
11640 [daily.hsb]
67 [daily.ldb]
11 [daily.ndb]
141 [main.hdb]
3445 [main.hsb]
5 [main.mdb]
426 [main.ndb]
2 [daily.ldb] <== These are noted by Al in his previous message.
Aside from the Win.* signatures, these are the major grouping of the
non-hash signatures:
1 Unix.Downloader
28 Unix.Exploit
1 Unix.Malware
1 Unix.Packer
6 Unix.Rootkit
311 Unix.Tool
144 Unix.Trojan
11 Unix.Worm
Of the hashes, there are about 50 different 'families' of Unix/Linux
related malware of varying specificity:
3 Unix.Adware.Bundlore
1 Unix.Adware.Bundloreca
9 Unix.Adware.Genieo
1 Unix.Adware.Installmiez
1 Unix.Adware.Macinst
1 Unix.Adware.Spigot
1 Unix.Adware.Xloader
1 Unix.Downloader.Amcleaner
1 Unix.Exploit.CVE_2016_8733
1 Unix.Exploit.CVE_2016_9032
1 Unix.Exploit.CVE_2016_9033
1 Unix.Exploit.CVE_2017_1000253
1 Unix.Exploit.Gingerbreak
1 Unix.Exploit.Iosjailbreak
1 Unix.Exploit.Lacksand
4 Unix.Exploit.Lotoor
1 Unix.Exploit.Powershell
1 Unix.Exploit.Remotesync
1 Unix.Exploit.Roothack
1 Unix.Exploit.TALOS_2016_0257
21777 Unix.Malware.Agent
1 Unix.Malware.Generic
1 Unix.Malware.Setag
4 Unix.Malware.Tsunami
1 Unix.Malware.Xorddos
1 Unix.Spyware.Opinionspy
1 Unix.Tool.Dnsamp
6 Unix.Tool.Dofloo
448 Unix.Tool.EQGRP
5 Unix.Tool.FakeAV
1 Unix.Tool.Flood
1 Unix.Tool.Zusy
137 Unix.Trojan.Agent
6 Unix.Trojan.Cornelgen
7 Unix.Trojan.Ddostf
13 Unix.Trojan.Dofloo
1 Unix.Trojan.Dogspectus
1 Unix.Trojan.Elknot
1 Unix.Trojan.Elzob
127 Unix.Trojan.Gafgyt
3 Unix.Trojan.Hanthie
3 Unix.Trojan.Mayday
24 Unix.Trojan.Mirai
2 Unix.Trojan.Small
7 Unix.Trojan.Tsunami
1 Unix.Trojan.Webshell
1 Unix.Trojan.Zonie
1 Unix.Virus.Zusy
1 Unix.Worm.Cheese
1 Unix.Worm.Darlloz
My suggestion is, yes. Run ClamAV. But don't rely on just the official
databases.
--Maarten
On Wed, Dec 20, 2017 at 4:09 AM, Al Varnell <alvarn...@mac.com> wrote:
FYI, there are 31 ClamAV signatures that contain the word "Linux". There
are currently almost 6.4 million ClamAV signatures in the database.
All but two are in main.ndb or main.hdb, meaning they are relatively old.
All but five start with Win.Trojan or Win.Exploit or Win.Tool so I'm not
clear on their relationship to Linux.
The two most recent ones are:
- Unix.Trojan.Linux_DDoS_93-2
- Unix.Trojan.Linux_DDoS_93-5364119-0
-Al-
On Wed, Dec 20, 2017 at 12:47 AM, Matus UHLAR - fantomas wrote:
On 19.12.17 12:44, Dan Rawson wrote:
I'm working on running clamav on my Linux workstation - NOT a server
environment. What is the recommended usage in that environment? clamd +
OnAccess? clamscan scheduled from cron? clamdscan scheduled from cron?
I did search through the documentation but didn't see much addressing
"best practices" in a single-machine environment.
I haven't seen Linux malware yet. Well, I've heard that it exists, but
haven't seen it (except hacking suites...).
What makes you think you need it?
-Al-
--
Al Varnell
Mountain View, CA
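The per-database and per-family breakdown Maarten posts above can be reproduced from the unpacked signature files (`sigtool --unpack main.cvd` and `sigtool --unpack daily.cvd` write the .hdb/.hsb/.ndb/.ldb/.mdb files into the current directory). The script below is an added example, not code from this thread or from the ClamAV project; it assumes the documented column layouts of those formats (hash-based .hdb/.hsb/.mdb carry the name in the third field, .ndb and .ldb in the first), and the embedded sample lines are constructed with placeholder hashes rather than real indicators.

```python
from collections import Counter

# (separator, index) of the malware-name field, by ClamAV database file extension.
# hdb/hsb: hash:size:name[:flevel]; mdb: sectsize:hash:name;
# ndb: name:target:offset:hexsig; ldb: name;target;logic;subsigs
NAME_FIELD = {"hdb": (":", 2), "hsb": (":", 2), "mdb": (":", 2),
              "ndb": (":", 0), "ldb": (";", 0)}

def sig_name(ext, line):
    """Return the malware name from one signature line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    sep, idx = NAME_FIELD[ext]
    parts = line.split(sep)
    return parts[idx] if len(parts) > idx else None

def family(name):
    """Platform.Category.Family: Unix.Trojan.Mirai-1 -> Unix.Trojan.Mirai."""
    return ".".join(name.split("-")[0].split(".")[:3])

def count_unix(dbs):
    """dbs maps filename -> file text. Counts Unix.* signatures per file and per family."""
    by_db, by_family = Counter(), Counter()
    for fname, text in dbs.items():
        ext = fname.rsplit(".", 1)[-1]
        for line in text.splitlines():
            name = sig_name(ext, line)
            if name and name.startswith("Unix."):
                by_db[fname] += 1
                by_family[family(name)] += 1
    return by_db, by_family

# Constructed sample lines in each format (hashes are placeholders, not real IoCs).
SAMPLE = {
    "main.hdb": "0" * 32 + ":1024:Unix.Trojan.Mirai-1\n" + "1" * 32 + ":2048:Win.Trojan.Agent-1\n",
    "daily.hsb": "a" * 64 + ":4096:Unix.Trojan.Mirai-2:73\n" + "b" * 64 + ":512:Unix.Malware.Agent-9\n",
    "main.ndb": "Unix.Worm.Cheese:6:*:6368656573650a\n",
    "daily.ldb": "Unix.Exploit.Lotoor-1;Target:6;0&1;7375;726f6f74\n# comment line\n",
    "main.mdb": "4096:" + "c" * 32 + ":Unix.Packer.Generic-1\n",
}

if __name__ == "__main__":
    by_db, by_family = count_unix(SAMPLE)
    for fname, n in sorted(by_db.items()):
        print(f"{n:>6} [{fname}]")
    for fam, n in sorted(by_family.items()):
        print(f"{n:>6} {fam}")
```

To run it on a real database, replace SAMPLE with a dict built by reading the unpacked files from disk; the Win.* line in the sample shows that non-Unix names are skipped.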
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml