And...Pdf, Rtf, Doc, Xls, Ppt, Html etc... and I could go on. There are some vulnerabilities that affect applications across platforms. Something to keep in mind.
Might be better to exclude "Win.", rather than choose what to include.

- Alain

On Wed, Dec 20, 2017 at 9:53 AM, Joel Esler (jesler) <jes...@cisco.com> wrote:
> You may want to add “ELF….” to your count. Perhaps even “OSX….”
> --
> Joel Esler | Talos: Manager | jes...@cisco.com
>
> On Dec 20, 2017, at 7:02 AM, Maarten Broekman <maarten.broek...@gmail.com> wrote:
>
> There are far more than 31 signatures that have the potential to impact Linux systems. There are, in truth, over 23,000 signatures that are able to detect malware on Linux and Unix systems. Most "Linux" signatures only contain the word Unix, however. Additionally, keep in mind that these are only from the ClamAV provided databases. Sanesecurity and the Linux Malware Detect project add more as well.
>
> Of the official databases, the signatures break down like this for Unix signatures:
> 1 [bytecode]
> 7386 [daily.hdb]
> 11640 [daily.hsb]
> 67 [daily.ldb]
> 11 [daily.ndb]
> 141 [main.hdb]
> 3445 [main.hsb]
> 5 [main.mdb]
> 426 [main.ndb]
> 2 [daily.ldb] <== These are noted by Al in his previous message.
>
> Aside from the Win.* signatures, these are the major groupings of the non-hash signatures:
> 1 Unix.Downloader
> 28 Unix.Exploit
> 1 Unix.Malware
> 1 Unix.Packer
> 6 Unix.Rootkit
> 311 Unix.Tool
> 144 Unix.Trojan
> 11 Unix.Worm
>
> Of the hashes, there are about 50 different 'families' of Unix/Linux related malware of varying specificity:
> 3 Unix.Adware.Bundlore
> 1 Unix.Adware.Bundloreca
> 9 Unix.Adware.Genieo
> 1 Unix.Adware.Installmiez
> 1 Unix.Adware.Macinst
> 1 Unix.Adware.Spigot
> 1 Unix.Adware.Xloader
> 1 Unix.Downloader.Amcleaner
> 1 Unix.Exploit.CVE_2016_8733
> 1 Unix.Exploit.CVE_2016_9032
> 1 Unix.Exploit.CVE_2016_9033
> 1 Unix.Exploit.CVE_2017_1000253
> 1 Unix.Exploit.Gingerbreak
> 1 Unix.Exploit.Iosjailbreak
> 1 Unix.Exploit.Lacksand
> 4 Unix.Exploit.Lotoor
> 1 Unix.Exploit.Powershell
> 1 Unix.Exploit.Remotesync
> 1 Unix.Exploit.Roothack
> 1 Unix.Exploit.TALOS_2016_0257
> 21777 Unix.Malware.Agent
> 1 Unix.Malware.Generic
> 1 Unix.Malware.Setag
> 4 Unix.Malware.Tsunami
> 1 Unix.Malware.Xorddos
> 1 Unix.Spyware.Opinionspy
> 1 Unix.Tool.Dnsamp
> 6 Unix.Tool.Dofloo
> 448 Unix.Tool.EQGRP
> 5 Unix.Tool.FakeAV
> 1 Unix.Tool.Flood
> 1 Unix.Tool.Zusy
> 137 Unix.Trojan.Agent
> 6 Unix.Trojan.Cornelgen
> 7 Unix.Trojan.Ddostf
> 13 Unix.Trojan.Dofloo
> 1 Unix.Trojan.Dogspectus
> 1 Unix.Trojan.Elknot
> 1 Unix.Trojan.Elzob
> 127 Unix.Trojan.Gafgyt
> 3 Unix.Trojan.Hanthie
> 3 Unix.Trojan.Mayday
> 24 Unix.Trojan.Mirai
> 2 Unix.Trojan.Small
> 7 Unix.Trojan.Tsunami
> 1 Unix.Trojan.Webshell
> 1 Unix.Trojan.Zonie
> 1 Unix.Virus.Zusy
> 1 Unix.Worm.Cheese
> 1 Unix.Worm.Darlloz
>
> My suggestion is, yes. Run ClamAV. But don't rely on just the official databases.
>
> --Maarten
>
> On Wed, Dec 20, 2017 at 4:09 AM, Al Varnell <alvarn...@mac.com> wrote:
>
> FYI, there are 31 ClamAV signatures that contain the word "Linux". There are currently almost 6.4 million ClamAV signatures in the database.
>
> All but two are in main.ndb or main.hdb, meaning they are relatively old.
>
> All but five start with Win.Trojan or Win.Exploit or Win.Tool so I'm not clear on their relationship to Linux.
>
> The two most recent ones are:
> - Unix.Trojan.Linux_DDoS_93-2
> - Unix.Trojan.Linux_DDoS_93-5364119-0
>
> -Al-
>
> On Wed, Dec 20, 2017 at 12:47 AM, Matus UHLAR - fantomas wrote:
> On 19.12.17 12:44, Dan Rawson wrote:
> I'm working on running clamav on my Linux workstation - NOT a server environment. What is the recommended usage in that environment? clamd + OnAccess? clamscan scheduled from cron?? clamdscan scheduled from cron??
>
> I did search through the documentation but didn't see much addressing "best practices" in a single machine environment.
>
> I haven't seen a linux malware yet. Well, I've heard that it exists, but haven't seen it (except hacking suite...)
>
> what makes you think you need it?
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
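An added example, not code from the thread or from the ClamAV project: a POSIX shell script that reproduces the counting discussed in the thread. It reads signature names in the one-per-line form that `sigtool --list-sigs` prints, counts names containing "Linux" against names under the Unix.* prefix, excludes Win.* as Alain suggests, and collapses Unix.* names into families the way Maarten's list groups them. The names in SAMPLE_SIGS are constructed for the demo, not real database entries.

```shell
#!/bin/sh
# Added example; not code from the thread or the ClamAV project.
# Input is one signature name per line, the format printed by
#   sigtool --list-sigs
# SAMPLE_SIGS is a constructed stand-in for that output.
SAMPLE_SIGS='Win.Trojan.Agent-123-0
Win.Exploit.Example-1
Win.Trojan.Linux_Lookalike-7
Unix.Trojan.Mirai-5610371-0
Unix.Trojan.Mirai-5610372-0
Unix.Trojan.Linux_DDoS_93-5364119-0
Unix.Trojan.Gafgyt-3
Unix.Tool.EQGRP-1
Unix.Exploit.CVE_2016_8733-1
Osx.Trojan.Example-1
Pdf.Exploit.Example-2'

# Count names matching a regex (Al's method with 'Linux'): that matches
# a Win.* name too and misses most Unix.* names.
count_matching() {            # $1 = extended regex, reads stdin
    grep -Ec "$1"
}

# Exclude Win.* (Alain's suggestion) and count what is left per platform,
# i.e. per first dot-separated component (Unix, Osx, Pdf, ...).
non_win_by_platform() {
    grep -v '^Win\.' | cut -d. -f1 | sort | uniq -c | awk '{print $2, $1}'
}

# Reduce one signature name to its family, the way Maarten's list groups
# them: strip the trailing numeric hash suffix ("-5364119-0", "-3") and
# keep at most Platform.Type.Name.
family_of() {
    printf '%s\n' "$1" | sed -E 's/(-[0-9]+)+$//' | cut -d. -f1-3
}

# Family counts for the Unix.* signatures read from stdin.
unix_families() {
    grep '^Unix\.' | while IFS= read -r sig; do family_of "$sig"; done \
        | sort | uniq -c | awk '{print $2, $1}'
}

# Demo on the constructed sample; replace the printf with
#   sigtool --list-sigs
# to run against the installed databases.
echo "names containing Linux: $(printf '%s\n' "$SAMPLE_SIGS" | count_matching 'Linux')"
echo "Unix.* names:           $(printf '%s\n' "$SAMPLE_SIGS" | count_matching '^Unix\.')"
printf '%s\n' "$SAMPLE_SIGS" | non_win_by_platform
printf '%s\n' "$SAMPLE_SIGS" | unix_families
```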