Hi there,

On Fri, 11 Sep 2020, Wirth Ervin via clamav-users wrote:

> I was looking after "Does ClamAV catch WannaCry malware?" on Google, but I haven't found any significant answer about this.
The answer to your question is probably "yes, with qualifications". One of those qualifications is that you haven't said how the malware might be delivered to the systems which you're concerned about. If ClamAV doesn't get to see the malware before it gets onto the systems then it won't be able to do anything about it. At least on Windows, ClamAV has no way to catch things on the fly and it behaves a bit like the free version of a MalwareBytes product. You need to scan anything which might be suspect before you put it on the potentially vulnerable computer. If you're going to surf random Websites using a vulnerable OS or browser, ClamAV isn't going to offer any security at all.

About the time that WannaCry was really active, I came across several USB sticks in a drawer in a workshop on a client's premises. Any one of them could have taken down the CNC plasma cutter, for which they'd recently paid eighty grand. It was still running Windows XP, and its manufacturer had neither installed anti-virus software nor changed the firewall settings from the XP defaults. About the best I could do was try to educate their staff, firewall the machine (jobs were sent to it by Windows 7 workstations on the LAN), keep on top of the backups, and sweep the workshop now and then for threats like those USB sticks. It was a long way from ideal but it seems to have been enough.

If we ass-u-me that systems these days are either patched or protected by other means, the WannaCry malware shouldn't now be a big worry to anyone. There are more serious, active threats around. If you're unfortunate enough to be dealing with a manufacturer like the one that supplied that plasma cutter, or if you have legacy software preventing upgrades to a supported version of Windows, you probably have a never-ending task. People will sometimes run a vulnerable Windows OS in a virtual machine, and take periodic snapshots to give them a fallback position in case of the almost inevitable. It isn't a complete answer but it can help you sleep more easily.

Asking "Does ClamAV catch WannaCry malware?" is rather like asking "Do the police catch criminals?". There are many different criminals and the police don't catch all of them. There can be many different versions of any particular malware (sometimes they're referred to as different "strains" of the same basic malware) and one of the things that malware authors spend a lot of time on is hiding their product, in more-and-more-creative ways, from the things designed to detect it. Granted some of these people are script kiddies and don't make much of an impact, but some of them are *really* good at what they do, so you can't take anything for granted.

Here's a one-line command I just typed, output on the line below it:

$ grep -a -s -i wannacry databases/* | wc -l
550

A signature takes up one line in the signature database. The above command used 'grep' to do a case-insensitive search for the string 'wannacry' in all the files in the ClamAV database directory on my clamd server, and count the lines containing that string. I use a number of third-party signature databases from several sources, so from the above command I don't see information about which databases contain which signatures. For a handle on that I can count the lines per database:

$ grep -a -s -i wannacry databases/* | cut -d':' -f1 | uniq -c
     13 daily.cld
    537 malwarehash.hsb

So I see thirteen signatures in the 'official' ClamAV database, and 537 in the 'malwarehash' database from Sanesecurity. This tells me there are many signatures somehow linked to the same basic WannaCry malware, and presumably that means there's no particular limit to the ways in which the malware might be hidden. No real surprise, miscreants have been modifying their malware ever since their first arrest.

But it doesn't end there: there's no particular reason why a signature which aims to match WannaCry will have a label which means anything at all to the casual observer. Let me now look for 'ransom' in *just* the official 'main' and 'daily' databases:

$ grep -i ransom databases/main* databases/daily* | wc -l
24184

Hmmmmmm. There are orders of magnitude more signatures which mention 'ransom' than there are which mention 'WannaCry'. Is there a reason that you asked about WannaCry in particular?
> I am using Windows 7 (on notebook) and 10 (on PC). When there was the worldwide peak of WannaCry, it was interesting to see it mostly affected older Windows versions, like 7 (at my workplace).
The vulnerabilities exploited by WannaCry were patched in Windows 7 and other supported systems several months before it hit the fan. IT security at your workplace appears to have been questionable at best. Let's hope it's better now, but I wouldn't put my own money on it. Speaking of money...
> I was thinking to pick ClamAV, since I've seen that some popular AV softwares like Malwarebytes (the first one detected WannaCry) put the Malware/Ransomware protection to their Premium package.
have you estimated how much your systems are worth to you?

--
73,
Ged.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
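The per-database counting done with grep, cut and uniq in the reply above can be made a little more precise by pulling out only the malware-name field of each signature line, so that a term like 'wannacry' or 'ransom' is matched against signature names rather than against arbitrary bytes of a database file. The script below is an added example, not code from the post or from the ClamAV project; it builds its own small constructed directory of plain-text databases (the hash values are placeholders, not real signatures) and assumes the documented text formats `.hsb`/`.hdb` (hash:size:name) and `.ndb` (name:target:offset:hexsig). It deliberately does not read `.cvd`/`.cld` containers, which would first need unpacking with `sigtool`; grepping those directly counts lines of the embedded archive, not signatures.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): tally ClamAV signature
# names matching a term, per plain-text database file.
set -eu

# Build a small constructed sample database directory (placeholder hashes,
# not real ClamAV signatures). Prints the directory path.
make_sample_db() {
  dir=$(mktemp -d)
  # .hsb lines: hash:filesize:MalwareName
  cat > "$dir/malwarehash.hsb" <<'EOF'
0000000000000000000000000000000000000001:123456:Win.Ransomware.WannaCry-1
0000000000000000000000000000000000000002:234567:Win.Ransomware.Wannacry-2
0000000000000000000000000000000000000003:345678:Win.Trojan.Agent-1
EOF
  # .ndb lines: MalwareName:TargetType:Offset:HexSignature
  cat > "$dir/daily.ndb" <<'EOF'
Win.Ransomware.WannaCry-3:1:*:57616e6e61437279
Win.Ransomware.Locky-1:1:*:4c6f636b79
EOF
  printf '%s\n' "$dir"
}

# Print the malware-name field of every line in one text-format database.
# The name sits in a different field depending on the signature type.
sig_names() {
  f=$1
  case "$f" in
    *.ndb)       cut -d: -f1 "$f" ;;
    *.hdb|*.hsb) cut -d: -f3 "$f" ;;
    *)           return 0 ;;   # unsupported/compressed: contribute nothing
  esac
}

# Count signature names containing TERM (case-insensitive) in each file of
# DIR. Output: "<count> <filename>" for every file with at least one match.
count_sigs_by_db() {
  term=$1
  dir=$2
  for f in "$dir"/*; do
    n=$(sig_names "$f" | grep -i -c -- "$term" || true)
    [ "$n" -gt 0 ] && printf '%s %s\n' "$n" "$(basename "$f")"
  done
  return 0
}

# Stand-alone usage: build the sample directory and tally two terms.
if [ "${1:-}" = "--demo" ]; then
  d=$(make_sample_db)
  echo "wannacry:"; count_sigs_by_db wannacry "$d"
  echo "ransom:";   count_sigs_by_db ransom "$d"
  rm -rf "$d"
fi
```

Run it as `sh count_sigs.sh --demo` to see the tallies for the constructed data, or point `count_sigs_by_db` at a real directory of unpacked text databases. Because it matches only the name field, a term such as 'ransom' now counts signatures that are labelled as ransomware rather than any line that happens to contain those bytes, which is the distinction the reply is drawing between signature labels and what the signature actually matches.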