Hi all.

I was wondering if there is the possibility of creating a signature DB using 
hashes extracted from SSDeep
(ref: https://ssdeep-project.github.io/ssdeep/index.html).

We are from time to time pestered by spam email with fake invoices as 
attachments, like the ones reported here:

https://www.virustotal.com/#/file/c7263a3bc477a376a40f703bbf250033499f8dc84bb08e9c976bd4914c823690/details
https://www.virustotal.com/#/file/908a15a9200d7676af884b8a90e5c913c44b1991712339ad86050cf53f7a2637/details

Indeed, one of these files is now recognized as 'Doc.Malware.Generic-6779191-0', 
but it took some time before this signature ended up
in the ClamAV DBs, and in the meantime some of these emails slipped through to the 
users. Before someone asks: yes, we are using 
Sanesecurity signatures too, and recently I have started to use the 
Sanesecurity.Badmacro DB too, but so far it has not helped.

What is interesting for me is that VT reported the same SSDeep hashes for both 
files, which I believe means that these macro 
viruses are mostly the same. Looking into the ClamAV documentation, I believe 
there's no easy way to integrate hashes from
SSDeep into the AV engine itself. Has anyone considered this possibility, or is 
this unfeasible/useless?

Best regards,
Matteo
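The key difference between an SSDeep-based signature DB and a conventional hash DB is that a lookup is a similarity score between two hash strings, not an exact match. The Python below is an added example, not code from the original post, from ssdeep or from ClamAV: it re-implements the core of ssdeep's comparison (block-size compatibility check, shared 7-character substring, weighted edit distance) and matches a candidate hash against a small constructed signature list; it omits the reference implementation's run-squeezing and small-block-size cap, so scores can differ slightly from libfuzzy's, and all hash values are constructed, not hashes of real files.

```python
SPAMSUM_LENGTH = 64  # maximum length of each hash half
ROLLING_WINDOW = 7   # halves must share a substring this long to be compared
# Constructed sample hashes (not real file hashes): a known-bad signature,
# a near-identical variant of it, and an unrelated file.
KNOWN_BAD = "96:AbCdEfGhIjKlMnOpQrStUvWxYz0123456789:aBcDeFgHiJkLmNoPqRsTuVwXyZ"
VARIANT = "96:AbCdEfGhIjKlMnOpQrStUvWxYzX123456789:aBcDeFgHiJkLmNoPqRsTuVwXy"
UNRELATED = "96:mnbvcxzlkjhgfdsapoiuytrewq:qwertyuiopasdfghjklzxcvbnm"

def parse(fuzzy):
    """Split 'blocksize:hash1:hash2[,"filename"]' into its three fields."""
    bs, h1, h2 = fuzzy.split(",", 1)[0].split(":", 2)
    return int(bs), h1, h2

def edit_distance(a, b):
    """Weighted Levenshtein distance: insert/delete cost 1, substitution cost 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]

def score_strings(a, b):
    """0-100 similarity of two hash halves; 0 unless they share a 7-gram."""
    grams = {a[i:i + ROLLING_WINDOW] for i in range(len(a) - ROLLING_WINDOW + 1)}
    if len(a) > SPAMSUM_LENGTH or len(b) > SPAMSUM_LENGTH or not any(
            b[i:i + ROLLING_WINDOW] in grams for i in range(len(b) - ROLLING_WINDOW + 1)):
        return 0
    # edit distance scaled by combined length, so it measures the fraction changed
    score = edit_distance(a, b) * SPAMSUM_LENGTH // (len(a) + len(b))
    return 100 - 100 * score // SPAMSUM_LENGTH

def compare(f1, f2):
    """0-100 similarity of two ssdeep hashes; 0 if block sizes are not equal or 2x apart."""
    bs1, a1, a2 = parse(f1)
    bs2, b1, b2 = parse(f2)
    if bs1 == bs2:  # second half of each hash was computed at twice the block size
        return max(score_strings(a1, b1), score_strings(a2, b2))
    if bs1 == bs2 * 2:
        return score_strings(a1, b2)
    if bs2 == bs1 * 2:
        return score_strings(a2, b1)
    return 0

def match_db(candidate, signatures, threshold=70):
    """Return (name, score) for every known-bad hash scoring at or above threshold."""
    scored = ((name, compare(candidate, sig)) for name, sig in signatures)
    return [(name, s) for name, s in scored if s >= threshold]
```

With the constructed data, `match_db(VARIANT, [("FakeInvoice.A", KNOWN_BAD), ("Other", UNRELATED)])` reports only the near-identical signature, which is the kind of match an exact-hash database would miss.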
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml