Dear Maarten,

Thank you very much for your response, it has been very useful to myself and others. Could you please update your AskUbuntu answer with this information, as that is what the question was getting at.

Thanks,
Nikita

On Thu, 28 Jun 2018 at 15:33, Maarten Broekman <maarten.broek...@gmail.com> wrote:
>
> As the use of sigtool was the only thing not covered explicitly in the signature creation documentation (signatures.pdf), that was the only thing left to fill in. The documentation covers everything else needed to create your own signatures, including the accepted naming conventions and a description of what they imply (section 3.10 Signature names ... ClamAV uses the following prefixes for signature names ...)
>
> Beyond that, it is an exercise for the end-user to determine if something detected is actually malicious or if it's a false positive, and the way to do that is to understand what the signature is looking for and where it is in the impacted file. As I mentioned, the only thing that doesn't work with this is hashes. The best you can do for those is look up the hash in various online scanners and get a sense for what other engines are detecting them as, and look up the virus names as well.
>
> If these two things (the existing documentation and the use of sigtool) do not answer the question, then the question needs to be rephrased so it is clearer as to the intent of the question. The 'why' someone thought something is malicious should be clear from the virus signature. If it's not, and you disagree with the detection, it should be reported as a false positive so the signature can be improved / clarified / etc.
>
> Looking at Win.Exploit.Unicode_Mixed-1 in particular, I would say that it's not a great sig for exactly the reason you question it. It's unclear (to me) what about that sequence is malicious, though it's probably something that is common to mixed unicode script exploitation (but again, that's a guess). From the name of the virus, it's expecting it on Windows systems (or on something that Windows systems can access) and there's likely an exploit related to mixing unicode characters and non-unicode characters that matches that signature. A quick Google search for "Windows mixed unicode exploit" brings up 133,000 results of pages talking about building exploits to take advantage of Unicode processing issues in Windows.
>
> If you're seeing that in tcpdump output on your IDS, then it's likely a case of one of your systems pulling that data from an exploited remote system (like a web server).
>
> The OP was, however, asking if there are "plans to regulate the signature names so that they are more regular and people actually know what they mean"... and that IS in the signature writing documentation. Or, at least, the guidelines are presented there which the ClamAV folks try to follow and recommend to others. If you are pulling from other third-party sources, they probably have their own naming conventions. The OP is also correct that the list of names in the documentation is woefully incomplete even for the signatures that ClamAV writes. But seeing as ClamAV is open-source and pretty much anyone can write signatures for it without approval from the ClamAV authors, there is zero chance of "regulation" of signature names.
>
> The best you can do is break down the name, look at the signature definition, and Google. And sigtool will, at the very least, tell you what ClamAV is seeing as malicious even if it doesn't tell you why the signature author thought it was malicious to begin with.
>
> --Maarten
>
>
> On Thu, Jun 28, 2018 at 8:58 AM Tilman Schmidt <tschm...@cardtech.de> wrote:
>>
>> IMHO that doesn't answer the question.
>>
>> When I see a message like:
>>
>> /path/to/file: Win.Exploit.Unicode_Mixed-1 FOUND
>>
>> sigtool can only tell me how that signature is defined, i.e. what content it considers malicious.
>>
>> In order to decide on an appropriate course of action I'd like to know what the perceived threat is, i.e. *why* someone thought that a file matching that particular signature would be malicious. That's not something sigtool can provide.
>>
>>
>> On 28.06.2018 at 13:22, Maarten Broekman wrote:
>> > Answered
>> >
>> > TL;DR
>> >
>> > Use sigtool to find and decode the signature.
>> >
>> > Sent from a tiny keyboard
>> >
>> >> On Jun 28, 2018, at 06:57, Nikita Yerenkov-Scott <yerenkov.sc...@gmail.com> wrote:
>> >>
>> >> Hello,
>> >>
>> >> A question on this matter exists on this Linux site:
>> >> https://askubuntu.com/questions/571342/clamav-virus-detections-documentation
>> >> However it never received an answer. So I am wondering if there is an answer to that now or how things work? And if there are any plans to regulate the signature names so that they are more regular and people actually know what they mean. This would be highly useful, especially to those wanting to remove any trouble the viruses may or may not have caused after ClamAV quarantines them.
>> >>
>> >>
>> >> Thanks,
>> >>
>> >> Nikita Yerenkov-Scott
>> >> _______________________________________________
>> >> clamav-users mailing list
>> >> clamav-users@lists.clamav.net
>> >> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>> >>
>> >>
>> >> Help us build a comprehensive ClamAV guide:
>> >> https://github.com/vrtadmin/clamav-faq
>> >>
>> >> http://www.clamav.net/contact.html#ml
>> >
>>
>> --
>> Tilman Schmidt
>> Head of System and Network Engineering
>>
>> Tel. 0221 / 95 64 95 .417
>> Fax 0221 / 95 64 95 .999
>> e-Mail tschm...@cardtech.de
>>
>> cardtech
>> Card & POS Service GmbH
>> Richard-Byrd-Straße 37
>> 50829 Köln
>> www.cardtech.de
>>
>> AG Köln, HRB 20164
>> Managing directors: Dr. Dietrich Gottwald, Christof Kohns, Jens Mahlke