Hi all.

I was wondering if there is the possibility of creating a signature DB using 
hashes extracted from SSDeep
(ref: https://ssdeep-project.github.io/ssdeep/index.html).

We are from time to time pestered by spam email with fake invoices as 
attachments, like the ones reported here:


Indeed, one of this file is now recognized as 'Doc.Malware.Generic-6779191-0' 
but it took some time before this signature ended
in the ClamAV DBs and in the mean time some of these email slipped through the 
users. Before someone ask: yes, we are using 
Sanesecurity signatures too and recently I am starting to use the 
Sanesecurity.Badmacro DB too but so far it did not help.

What is interesting for me is that VT reported the same SSDeep hashes for both 
files, which I believe means that these macro 
viruses are mostly the same. Looking into ClamAV documentation I believe 
there's no easy way to integrate hashes from
SSDeep into the AV engine itself. Anyone has considered this possibility or is 
this unfeasible/useless?

Best regards,
clamav-users mailing list

Help us build a comprehensive ClamAV guide:


Reply via email to