Hi Guys,

I have multiple signed malware samples. I want to create a detection using the certificate that was used to sign them. I came across an old blog post from the ClamAV folks: https://blog.clamav.net/2013/02/authenticode-certificate-chain.html

There, the author creates a signature for the revoked certificate and adds it to .crtdb to detect the signed malicious binary. Recent versions of ClamAV don't recognize the .crtdb file; it seems to have been replaced by the .crb file. In the documentation, I found this:

> The .crb format supports blacklist rule entries, but these cannot currently be used as a basis for malware detection. Instead, as currently implemented, these entries just override .crb rules which would otherwise whitelist a given sample

https://www.clamav.net/documents/microsoft-authenticode-signature-verification

My question is: is there any way to detect signed malicious binaries using signing certificate properties, like the author does in the old blog post mentioned above?

Thank you :) I am new to ClamAV. Please forgive my ignorance.

Have a nice day, you all. :)

Regards,
Irshad Muhammad.
_______________________________________________ clamav-users mailing list [email protected] https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
