Hi There,

> -----Original Message-----
> From: clamav-users <clamav-users-boun...@lists.clamav.net> On Behalf Of G.W. Haywood via clamav-users
> Sent: 31 August 2019 08:39
> To: Manna, Mohammed via clamav-users <clamav-users@lists.clamav.net>
> Cc: G.W. Haywood <cla...@jubileegroup.co.uk>
> Subject: Re: [clamav-users] Question regarding Metasploit signatures
>
> Hi there,
>
> On Fri, 30 Aug 2019, Manna, Mohammed via clamav-users wrote:
>
> > What I can see that ClamAV cannot always successfully detect reverse
> > shell type of files (built using Metasploit msfvenom). And also, if
> > the file is covered using a pseudo extension e.g. test.exe.txt
> >
> > When I was comparing this on virustotal.com ClamAV seems to be
> > missing quite a lot of them. Is there any reason why ClamAV doesn't
> > do a more extensive search?
>
> ClamAV is by no means perfect, but you haven't told us how you have
> configured it, nor how you are using it, so it's difficult to make any
> particular observations.
>
> There is a system for reporting failed detections which you can use,
> but to avoid wasted effort it will be as well for you first to check
> that your issue is not simply the expected result of how you have
> configured your ClamAV installation.
>
> > Reverse shell or bind shell both are sensitive files and I was
> > expecting ClamAV to be detecting them somehow.
>
> In network security, expecting things to work as intended is sure to
> lead to eventual disappointment. If instead you expect things to
> fail, and base your behaviour on that expectation, you will likely be
> surprised less often - and suffer fewer system compromises.
>
> For example, although I scan all mail using ClamAV, I never expect it
> to find anything; but I also block all mail from more than a hundred
> and sixty ISO 3166 country codes, which is partly why ClamAV hasn't
> reported anything malicious in our mail since last September. That
> doesn't mean that ClamAV wouldn't have found anything if it had been
> given the opportunity to scan it, but it *does* mean that there is a
> much reduced probability of something nasty reaching one of my users.
> Of course, even if it did, it's unlikely to have any serious effect
> because (a) the users are educated and (b) they're using Linux boxes
> which are immune from the vast majority of malicious software. This
> is called "defence in depth". There's more, which I won't reveal in
> a public forum.
>
> > Could someone clarify? Also, if this is mentioned anywhere in the
> > docs, I would be grateful if you please point me to that.
>
> The 'man' pages for clamscan, clamd.conf and clamsubmit might be good
> places to start.

[[MM]] What you have said here makes sense. As for my test, I unzipped portable ClamAV on Linux, then generated a reverse shell file using Metasploit to scan it with ClamAV. I used the latest virus DB and engine from ClamAV.net. It missed detection for any tcp/http reverse shell generation. As a comparison, we ran the same test with a different AV provider on Windows OS. The detection was successful. Hence, my question or curiosity over how ClamAV determines the *true* threat level of a malicious file. I do agree with your statement on user education and operating system. However, the global userbase cannot be fully educated/converted to mitigate this 😊. My intention was just to understand why this is constantly being missed.

> --
>
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
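A defender-side triage of the kind of detection test the thread describes, added here as an example that is not part of the original thread and not ClamAV's own code: it parses clamscan's per-file verdict lines, counts which known-bad samples came back "OK", and flags the misses where a harmless-looking extension (the test.exe.txt case) cannot be the explanation, since ClamAV types files by their content rather than their name. The sample paths, file bytes, scan output and the signature name are all constructed placeholders.

```python
import re

# clamscan verdict lines: "<path>: <sig> FOUND", "<path>: OK", "<path>: <why> ERROR".
VERDICT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<detail>.+) )?(?P<status>FOUND|OK|ERROR)$")
HARMLESS_EXT = {".txt", ".log", ".pdf", ".jpg", ".png", ".csv"}  # data-looking suffixes

def parse_clamscan(output):
    """Map each scanned path to (status, detail); summary lines do not match."""
    return {m["path"]: (m["status"], m["detail"])
            for m in map(VERDICT_RE.match, output.splitlines()) if m}

def masked_extension(path, data):
    """Executable by leading bytes (how ClamAV types files) but named like data."""
    executable = data.startswith((b"MZ", b"\x7fELF", b"#!"))
    return executable and path[path.rfind("."):].lower() in HARMLESS_EXT

def triage(output, samples):
    """samples: path -> (bytes, known_malicious). Returns detected, missed,
    masked (missed AND extension-masked) and errored paths plus detection rate."""
    r = {"detected": [], "missed": [], "masked": [], "errors": []}
    for path, (status, _) in parse_clamscan(output).items():
        data, known_bad = samples.get(path, (b"", False))
        if status == "ERROR":
            r["errors"].append(path)          # no verdict at all: count separately
        elif status == "FOUND":
            r["detected"].append(path)
        elif known_bad:                       # "OK" on a known-bad sample is a miss
            r["missed"].append(path)
            if masked_extension(path, data):  # miss despite content-based typing
                r["masked"].append(path)
    bad = len(r["detected"]) + len(r["missed"])
    r["detection_rate"] = len(r["detected"]) / bad if bad else 0.0
    return r

# Constructed test set (file headers only) and constructed clamscan output;
# the signature name is a placeholder, not a real ClamAV signature.
SAMPLES = {
    "/tmp/samples/a.exe": (b"MZ" + b"\0" * 62, True),
    "/tmp/samples/b.exe": (b"MZ" + b"\0" * 62, True),
    "/tmp/samples/test.exe.txt": (b"MZ" + b"\0" * 62, True),
    "/tmp/samples/notes.txt": (b"meeting at 10\n", False),
}
SCAN_OUTPUT = """\
/tmp/samples/a.exe: Example.Placeholder.Sig FOUND
/tmp/samples/b.exe: OK
/tmp/samples/test.exe.txt: OK
/tmp/samples/notes.txt: OK
/tmp/samples/locked.bin: Access denied. ERROR
----------- SCAN SUMMARY -----------
"""
```

Run `triage(SCAN_OUTPUT, SAMPLES)` against real clamscan output and a labelled sample set to get a detection rate worth quoting before filing a false-negative report with clamsubmit; files in the errors list were never scanned and should be re-run, not counted as misses.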