Is there any chance that they will add a way of people giving a
description of why they think that it is malware? Because with an AV
product this is really a very important necessity to have, so it would
be nice if it at least was given as an option. And encouraged for
people as well, of course. This would then be more useful to users and
developers.

On Thu, 28 Jun 2018 at 20:49, Nikita Yerenkov-Scott
<yerenkov.sc...@gmail.com> wrote:
>
> Dear Maarten,
>
> Thank you very much for your response; it has been very useful to
> me and others. Could you please update your AskUbuntu answer with
> this information, as that is what the question was getting at?
>
> Thanks,
>
> Nikita
>
> On Thu, 28 Jun 2018 at 15:33, Maarten Broekman
> <maarten.broek...@gmail.com> wrote:
> >
> > As the use of sigtool was the only thing not covered explicitly in the 
> > signature creation documentation (signatures.pdf), that was the only thing 
> > left to fill in. The documentation covers everything else needed to create 
> > your own signatures, including the accepted naming conventions and a 
> > description of what they imply (section 3.10 Signature names ... ClamAV 
> > uses the following prefixes for signature names ...)
> >
> > Beyond that, it is an exercise for the end-user to determine if something 
> > detected is actually malicious or if it's a false positive, and the way to 
> > do that is to understand what the signature is looking for and where it is 
> > in the impacted file. As I mentioned, the only thing that this doesn't work 
> > with is hashes. The best you can do for those is look up the hash in various 
> > online scanners and get a sense for what other engines are detecting them 
> > as and looking up the virus names as well.
> >
> > If these two things (the existing documentation and the use of sigtool) do 
> > not answer the question, then the question needs to be rephrased so it is 
> > clearer as to the intent of the question. The 'why' someone thought 
> > something is malicious should be clear from the virus signature. If it's 
> > not, and you disagree with the detection, it should be reported as a false 
> > positive so the signature can be improved / clarified / etc.
> >
> > Looking at Win.Exploit.Unicode_Mixed-1 in particular, I would say that it's 
> > not a great sig for exactly the reason you question it. It's unclear (to 
> > me) what about that sequence is malicious though it's probably something 
> > that is common to mixed unicode script exploitation (but again, that's a 
> > guess). From the name of the virus, it's expecting it on Windows systems 
> > (or on something that Windows systems can access) and there's likely an 
> > exploit related to mixing unicode characters and non-unicode characters 
> > that matches that signature. A quick Google search for "Windows mixed 
> > unicode exploit" brings up 133,000 results of pages talking about building 
> > exploits to take advantage of Unicode processing issues in Windows.
> >
> > If you're seeing that in tcpdump output on your IDS, then it's likely a 
> > case of either one of your systems pulling that data from an exploited 
> > remote system (like a web server).
> >
> > The OP was, however, asking if there are "plans to regulate the signature 
> > names so that they are more regular and people actually know what they 
> > mean"...and that IS in the signature writing documentation. Or, at least, 
> > the guidelines are presented there which the ClamAV folks try to follow and 
> > recommend to others. If you are pulling from other third-party sources, 
> > they probably have their own naming conventions. The OP is also correct 
> > that the list of names in the documentation is woefully incomplete even for 
> > the signatures that ClamAV writes. But seeing as ClamAV is open-source and 
> > pretty much anyone can write signatures for it without approval from the 
> > ClamAV authors, there is zero chance of "regulation" of signature names.
> >
> > The best you can do is break down the name, look at the signature 
> > definition, and Google. And sigtool will, at the very least, tell you what 
> > ClamAV is seeing as malicious even if it doesn't tell you why the signature 
> > author thought it was malicious to begin with.
> >
> > --Maarten
> >
> >
> > On Thu, Jun 28, 2018 at 8:58 AM Tilman Schmidt <tschm...@cardtech.de> wrote:
> >>
> >> IMHO that doesn't answer the question.
> >>
> >> When I see a message like:
> >>
> >> /path/to/file: Win.Exploit.Unicode_Mixed-1 FOUND
> >>
> >> sigtool can only tell me how that signature is defined, i.e. what content
> >> it considers malicious.
> >>
> >> In order to decide on an appropriate course of action I'd like to know
> >> what the perceived threat is, i.e. *why* someone thought that a file
> >> matching that particular signature would be malicious.
> >> That's not something sigtool can provide.
> >>
> >>
> >> On 28.06.2018 at 13:22, Maarten Broekman wrote:
> >> > Answered
> >> >
> >> > TL;DR
> >> >
> >> > Use sigtool to find and decode the signature.
> >> >
> >> > Sent from a tiny keyboard
> >> >
> >> >> On Jun 28, 2018, at 06:57, Nikita Yerenkov-Scott 
> >> >> <yerenkov.sc...@gmail.com> wrote:
> >> >>
> >> >> Hello,
> >> >>
> >> >> A question on this matter exists on this Linux site:
> >> >> https://askubuntu.com/questions/571342/clamav-virus-detections-documentation
> >> >> However it never received an answer. So I am wondering if there is an
> >> >> answer to that now or how things work? And if there are any plans to
> >> >> regulate the signature names so that they are more regular and people
> >> >> actually know what they mean. This would be highly useful especially
> >> >> to those wanting to remove any trouble the viruses may or may not have
> >> >> caused after ClamAV quarantines them.
> >> >>
> >> >>
> >> >> Thanks,
> >> >>
> >> >> Nikita Yerenkov-Scott
> >> >> _______________________________________________
> >> >> clamav-users mailing list
> >> >> clamav-users@lists.clamav.net
> >> >> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >> >>
> >> >>
> >> >> Help us build a comprehensive ClamAV guide:
> >> >> https://github.com/vrtadmin/clamav-faq
> >> >>
> >> >> http://www.clamav.net/contact.html#ml
> >> >
> >>
> >> --
> >> Tilman Schmidt
> >> Head of System and Network Engineering
> >>
> >> Tel. 0221 / 95 64 95 .417
> >> Fax 0221 / 95 64 95 .999
> >> e-Mail tschm...@cardtech.de
> >>
> >> cardtech
> >> Card & POS Service GmbH
> >> Richard-Byrd-Straße 37
> >> 50829 Köln
> >> www.cardtech.de
> >>
> >> AG Köln, HRB 20164
> >> Managing Directors: Dr. Dietrich Gottwald, Christof Kohns, Jens Mahlke
> >



-- 
The world is filled with Totoros.
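Added example, not code from this thread or from the ClamAV project: a small Python helper for the "understand what the signature is looking for and where it is in the impacted file" step Maarten describes. It takes a .ndb-style record of the kind sigtool shows (Name:TargetType:Offset:HexSignature), splits the name per the Platform.Category.Name-ID[-Revision] convention, turns the hex body's wildcards (??, *, {n-m}) into a bytes regex, and reports the offsets and bytes the signature would match. The record and the scanned buffer are constructed samples, and reading the trailing number(s) of a name as signature id and revision is an assumption.

```python
import re

# Constructed sample .ndb record (NOT a real ClamAV signature): "eval(" followed within
# 0-16 bytes by "unescape(", any target type (0), any offset (*).
SAMPLE_NDB = "Test.Sample.Constructed-1:0:*:6576616c28{0-16}756e65736361706528"

TARGET_TYPES = {"0": "any file", "1": "PE", "2": "OLE2", "3": "HTML", "4": "Mail",
                "5": "Graphics", "6": "ELF", "7": "ASCII normalized", "9": "Mach-O"}

def parse_sig_name(name):
    """Split Platform.Category.Name-ID[-Revision]; treating the trailing numbers as
    signature id and revision is an assumption about the naming convention."""
    m = re.fullmatch(r"([^.]+)\.([^.]+)\.(.+?)-(\d+)(?:-(\d+))?", name)
    if not m:
        return None  # third-party or legacy names need not follow the convention
    platform, category, base, sig_id, rev = m.groups()
    return {"platform": platform, "category": category, "name": base,
            "id": int(sig_id), "revision": int(rev) if rev else None}

def parse_ndb(line):
    """Split an .ndb record: Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("not an .ndb record")
    name, target, offset, hexsig = fields[:4]
    return {"name": name, "target": TARGET_TYPES.get(target, "unknown(" + target + ")"),
            "offset": offset, "hex": hexsig}

def hexsig_to_regex(hexsig):
    """Translate the hex body and its wildcards (??, *, {n}, {n-m}, {-m}, {n-}) to a bytes regex."""
    out, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":                       # any number of bytes
            out.append(b".*?"); i += 1
        elif hexsig[i] == "{":                     # byte-count range
            j = hexsig.index("}", i)
            lo, sep, hi = hexsig[i + 1:j].partition("-")
            out.append(b".{" + (lo or "0").encode() + (b"," + hi.encode() if sep else b"") + b"}")
            i = j + 1
        elif hexsig[i:i + 2] == "??":              # single wildcard byte
            out.append(b"."); i += 2
        else:                                      # literal byte, e.g. 65 -> \x65
            out.append(b"\\x" + hexsig[i:i + 2].encode()); i += 2
    return re.compile(b"".join(out), re.DOTALL)

def find_matches(data, hexsig):
    """(offset, matched bytes) for every hit: what the signature 'saw' in data, and where."""
    return [(m.start(), m.group()) for m in hexsig_to_regex(hexsig).finditer(data)]
```

Feeding `parse_ndb(SAMPLE_NDB)["hex"]` and a file's bytes to `find_matches` shows the exact content that triggered the detection, which is the input you need before deciding whether it is a false positive worth reporting.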