Hi Yas Man,

Right now, clamscan/clamd only parses PE Authenticode signatures when looking 
for false positives, which means a signature has to match before the sigs will 
be printed.

One of our malware researchers is in the process of updating this code. The 
plan is to change it so that the Authenticode signature is always checked / 
verified if a binary is signed so we can alert on files that match blacklisted 
signing certificates.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Jan 14, 2019, at 1:23 PM, Yas Man <cla...@outlook.com> wrote:

Hello,

I am trying to dump the certificates of a signed PE, but nothing is being 
dumped, the output is simply the scan summary. I went through the list archive 
but I was not able to find a relevant topic. I also tried dumping the 
certificate of legitimate files and the results were the same, although running 
sigtool --print-certs successfully prints the authenticode.

I went through the signatures manual and the Authenticode blog post and I can't 
figure out what I am doing wrong.  I am running ClamAV version 0.100.2.

Thanks.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
