Hi there, On Fri, 30 Aug 2019, Manna, Mohammed via clamav-users wrote:
What I can see that ClamAV cannot always successfully detect reverse shell type of files (built using Metasploit msfvenom). And also, if the file is covered using a pseudo extension e.g. test.exe.txt When I was comparing this on virustotal.com ClamAV seems to be missing quite a lot of them. Is there any reason why ClamAV doesn't do a more extensive search?
ClamAV is by no means perfect, but you haven't told us how you have configured it, nor how you are using it, so it's difficult to make any particular observations. There is a system for reporting failed detections which you can use, but to avoid wasted effort it will be as well for you first to check that your issue is not simply the expected result of how you have configured your ClamAV installation.
Reverse shell or bind shell both are sensitive files and I was expecting ClamAV to be detecting them somehow.
In network security, expecting things to work as intended is sure to lead to eventual disappointment. If instead you expect things to fail, and base your behaviour on that expectation, you will likely be surprised less often - and suffer fewer system compromises. For example, although I scan all mail using ClamAV, I never expect it to find anything; but I also block all mail from more than a hundred and sixty ISO 3166 country codes, which is partly why ClamAV hasn't reported anything malicious in our mail since last September. That doesn't mean that ClamAV wouldn't have found anything if it had been given the opportunity to scan it, but it *does* mean that there is a much reduced probability of something nasty reaching one of my users. Of course, even if it did, it's unlikely to have any serious effect because (a) the users are educated and (b) they're using Linux boxes which are immune from the vast majority of malicious software. This is called "defence in depth". There's more, which I won't reveal in a public forum.
Could someone clarify? Also, if this is mentioned anywhere in the docs, I would be grateful if you please point me to that.
The 'man' pages for clamscan, clamd.conf and clamsubmit might be good places to start. -- 73, Ged. _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
