Hi Andrew,

Thank you very much, it helps.

Regards,
Irshad.

On Mon, Oct 14, 2019 at 8:57 PM Andrew Williams <[email protected]> wrote:

> Irshad,
>
> The recent ClamAV 0.102 release introduces (reintroduces?) the ability to
> write blacklist .crb rules that cause a matching sample to be detected as
> malicious without requiring other signatures to match. Updating the
> documentation you highlighted is still on my TODO list, but is true for
> previous versions in the recent past. I too have wondered about that blog
> post - I haven't checked to see if this functionality existed in the ClamAV
> from 2013, but if so it must have been hindered at some point (and likely
> went unnoticed, since blacklist .crb rules haven't seen much use).
>
> Hope that helps! Let me know if you have any other questions.
>
> -Andrew
>
> Andrew Williams
> Malware Research Team
> Cisco Talos
>
> On Mon, Oct 14, 2019 at 4:35 AM Irshad via clamav-users <
> [email protected]> wrote:
>
>> Hi Guys,
>>
>> I have multiple signed malware samples. I want to create detection using the
>> certificate that is used to sign them. I came across an old blog from
>> ClamAV folks.
>> https://blog.clamav.net/2013/02/authenticode-certificate-chain.html
>> Where the author creates a signature for the revoked certificate and adds
>> it to .crtdb to detect the signed malicious binary. Recent versions of
>> ClamAV don't recognize the .crtdb file, it seems to be replaced by the .crb file.
>> In the documentation, I found this:
>>
>> The .crb format supports blacklist rule entries, but these cannot
>> currently be used as a basis for malware detection. Instead, as currently
>> implemented, these entries just override .crb rules which would otherwise
>> whitelist a given sample
>> https://www.clamav.net/documents/microsoft-authenticode-signature-verification
>>
>> My question is, is there any way to detect signed malicious binaries
>> using signing certificate properties like the author does in the old blog
>> mentioned above?
>>
>> Thank you :) I am new to ClamAV. Please forgive my ignorance.
>>
>> Have a nice day, you all. :)
>>
>> Regards,
>> Irshad Muhammad.
>>
>> _______________________________________________
>>
>> clamav-users mailing list
>> [email protected]
>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
