US-CERT alerts often contain a "consolidated rule set for malware associated 
with" the relevant activity.  See e.g.:
https://www.us-cert.gov/ncas/alerts/TA18-074A

Yara rules are listed, so that they can be copied and pasted into a file to be 
saved in /var/lib/clamav in order for clamscan to use it.  Doing so results in 
the following:

LibClamAV Warning: load_oneyara[verify]: wide modifier [w] is not supported for 
regex subsigs
LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, 
skipping YARA.z_webshell
bookmarks-2017-02-27.json: YARA.APT_malware_1.UNOFFICIAL FOUND
bookmarks-2017-05-13.json: YARA.APT_malware_1.UNOFFICIAL FOUND
bookmarks-2018-02-19.json: YARA.APT_malware_1.UNOFFICIAL FOUND

Those bookmarks (Firefox exported stuff) are flagged because they contain 
"/icon.png".  That rule is authored by "DHS | NCCIC Code Analysis Team".

I guess US-CERT rules are not for end users like me, but I'd be curious if they 
end up (possibly modified) in some easy-to-download clamav database.

Ale
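Added example, not part of the post and not ClamAV code: a small pre-check that reads a YARA file before it goes into /var/lib/clamav and reports the two things the output above shows, regex strings carrying the `wide` modifier (which ClamAV warns about and drops, skipping a rule left with no usable strings) and very short plain literals such as "/icon.png" that are likely to hit benign files. The rule names, the sample rules and the 12-character threshold are constructed for the example.

```python
import re

# Constructed sample rules (not the alert's rules): one regex string carrying the
# 'wide' modifier, and one rule whose only string is a short path fragment.
SAMPLE_RULES = r'''
rule z_webshell_demo
{
    strings:
        $re1 = /eval\(\$_(POST|GET)/ wide
    condition:
        $re1
}

rule icon_path_demo
{
    strings:
        $s1 = "/icon.png"
    condition:
        $s1
}
'''

RULE_RE = re.compile(r'\brule\s+(\w+)[^{]*\{(.*?)\n\}', re.S)
STRING_RE = re.compile(r'\$(\w+)\s*=\s*(/(?:\\.|[^/\\\n])*/|"(?:\\.|[^"\\\n])*")([^\n]*)')
MIN_LITERAL = 12  # assumed threshold: shorter plain literals tend to hit benign files

def lint_rules(text):
    """Return (rule, string_id, message) tuples for strings ClamAV will drop
    and for literals likely to match benign files such as exported bookmarks."""
    findings = []
    for name, body in RULE_RE.findall(text):
        if 'strings:' not in body:
            continue
        strings_sec = body.split('strings:', 1)[1].split('condition:', 1)[0]
        entries = STRING_RE.findall(strings_sec)
        dropped = 0
        for sid, lit, mods in entries:
            if lit.startswith('/') and 'wide' in mods.split():
                dropped += 1
                findings.append((name, sid, 'wide modifier on regex: ClamAV drops this string'))
            elif lit.startswith('"') and len(lit) - 2 < MIN_LITERAL:
                findings.append((name, sid, f'short literal {lit}: likely to match benign files'))
        if entries and dropped == len(entries):
            findings.append((name, '*', 'no usable strings left: ClamAV skips the whole rule'))
    return findings

if __name__ == '__main__':
    for rule, sid, msg in lint_rules(SAMPLE_RULES):
        print(f'{rule} ${sid}: {msg}')
```

Running it over a rule set before copying it into the ClamAV database directory shows which rules will be silently skipped and which literals deserve a tighter context (a longer string, or a condition requiring several strings) before they are used on end-user files.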
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml