Hi there,

On Sat, 27 Mar 2021, Jigar via clamav-users wrote:

> In the first week of March 2021, multiple users received emails
> with an xlsx attachment containing an exploit for CVE-2017-11882. ClamAV
> could not detect it, but other antivirus products like eScan and ESET could
> detect it as a malware threat.

Signatures exist for at least some exploits of CVE-2017-11882.  Looking
at the signatures in my current ClamAV database:

$ grep -as CVE-2017-11882 * | cut -d';' -f1
MiscreantPunch099-Low.ldb:MiscreantPunch.RTF.EvilRTF.CVE-2017-11882.M2
MiscreantPunch099-Low.ldb:MiscreantPunch.RTF.EvilRTF.CVE-2017-11882.M3
MiscreantPunch099-Low.ldb:MisreantPunch.EvilDoc.CVE-2017-11882.M9
MiscreantPunch099-Low.ldb:MiscreantPunch.EvilDoc.CVE-2017-11882.M10
MiscreantPunch099-Low.ldb:MiscreantPunch.EvilDoc.RTF-CVE-2017-11882.Template.180412.M2
porcupine.hsb:58cbe7516369d9e79660bda6e576cffd:2738688:Porcupine.Win32.Exploit.CVE-2017-11882.C.99928:73
porcupine.hsb:5cc0bfe9a8528b1deb2dcaa7691b1794:2621952:Porcupine.Win32.Exploit.CVE-2017-11882.C.100063:73
porcupine.hsb:140aade63d9cd5cb747845101df9ff85:2395136:Porcupine.Win32.Exploit.CVE-2017-11882.C.100065:73
porcupine.hsb:0db8aceb5fdf7f22bc31682726c5b071:883200:Porcupine.Win32.Exploit.CVE-2017-11882.C.99936:73
porcupine.hsb:652fa43a2f71cab80126efc843a98d84:84891:Porcupine.Win32.Exploit.CVE-2017-11882.C.99924:73

This is a rather old CVE; what databases do you use for your ClamAV
installation?  Perhaps what you have seen recently is a new threat
which has been engineered to avoid some of the existing signatures.

> We also need guidance:
>
> 1. How to identify the correct file to generate the generic signature,
> especially if files with different names but the same exploit have been sent.

I do not understand the question, but ClamAV looks at a stream of data
or at the contents of files.  Except for the purposes of reporting to
you the results of scanning the files, the names of those files are of
no significance to ClamAV.

--

73,
Ged.
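The two points above (ClamAV keys on content, not file names, and the `.hsb` hash-signature lines that the grep output shows) are easy to demonstrate. The script below is an added example, not code from the original post or from the ClamAV project: it groups a set of constructed, hypothetical "attachments" by the SHA-256 of their bytes, so that two differently named files with identical content collapse into one bucket, and emits one hash signature per distinct content in the `Hash:Size:MalwareName:MinFlevel` format seen in the `porcupine.hsb` lines. The sample data and the `Test.Exploit.CVE-2017-11882` signature prefix are assumptions for illustration only; the parser is also run over one of the `.hsb` lines quoted in the reply.

```python
import hashlib
from collections import defaultdict

# Constructed sample "attachments" (hypothetical bytes, not real exploit
# files). Two different file names carry byte-identical content.
SAMPLES = {
    "invoice.xlsx": b"PK\x03\x04" + b"payload-A" * 10,
    "order_2021.xlsx": b"PK\x03\x04" + b"payload-A" * 10,
    "report.xlsx": b"PK\x03\x04" + b"payload-B" * 10,
}


def group_by_content(files):
    """Map sha256 hex digest -> (size, [file names]) for a {name: bytes} dict.

    Files whose bytes are identical land in the same bucket regardless of
    the name they were delivered under, which is the only thing ClamAV
    itself keys on when scanning.
    """
    names_by_digest = defaultdict(list)
    size_by_digest = {}
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        names_by_digest[digest].append(name)
        size_by_digest[digest] = len(data)
    return {d: (size_by_digest[d], sorted(n)) for d, n in names_by_digest.items()}


def hsb_line(digest, size, malware_name, min_flevel=73):
    """Build one ClamAV .hsb record: Hash:Size:MalwareName:MinFlevel.

    ClamAV infers the hash type from the digest length (32 hex = MD5,
    40 = SHA-1, 64 = SHA-256). Size may be '*' to match any length; that
    wildcard requires functionality level 73 or later, so 73 is used here.
    """
    return f"{digest}:{size}:{malware_name}:{min_flevel}"


def signatures_for(files, name_prefix):
    """One .hsb line per distinct content, named <prefix>.1, .2, ... ."""
    lines = []
    for i, (digest, (size, _names)) in enumerate(sorted(group_by_content(files).items()), 1):
        lines.append(hsb_line(digest, size, f"{name_prefix}.{i}"))
    return lines


def hash_algorithm(digest):
    """Name the hash type ClamAV would assume for a digest of this length."""
    return {32: "md5", 40: "sha1", 64: "sha256"}[len(digest)]


def parse_hsb_line(line):
    """Split an .hsb record (without any 'file.hsb:' grep prefix)."""
    digest, size, malware_name, *rest = line.strip().split(":")
    return {
        "hash": digest,
        "algorithm": hash_algorithm(digest),
        "size": None if size == "*" else int(size),
        "name": malware_name,
        "min_flevel": int(rest[0]) if rest else None,
    }


if __name__ == "__main__":
    for digest, (size, names) in group_by_content(SAMPLES).items():
        print(f"{digest[:16]}... size={size} names={names}")
    for line in signatures_for(SAMPLES, "Test.Exploit.CVE-2017-11882"):
        print(line)
```

The output shows two signatures for three files, because `invoice.xlsx` and `order_2021.xlsx` are the same bytes. A hash signature only catches that exact content, which is why a re-engineered sample slips past it; a generic `.ldb` signature on the exploit's invariant structure is the answer to the "generic signature" question, but writing one needs the actual sample, so it is not reproduced here.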

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users