Re: [clamav-users] using clamav to detect unwanted data exfiltration programs (e.g., Dropbox)?
Perhaps it would be more effective simply to block access (in the firewall) to sites like Dropbox. In any case, it might improve "legal security" to add such blocking to the firewall, or perhaps your local DNS forwarding server.

P.S. Note that site blocking works even for encrypted connections, if direct (although not for encrypted VPNs).

On Thu, 15 Feb 2018 15:34:17 -0500 James Ralston wrote:

> Has anyone experimented with using clamav to detect PUAs (potentially
> unwanted executables) beyond what clamav already can detect? If so, do
> you have any advice?
>
> For legal reasons, we prohibit cloud-based file storage technologies
> like Dropbox. On our Windows systems, we can prohibit Dropbox via
> AppLocker, but for Linux, it's not so easy.
>
> Since we regularly scan our systems with clamav anyway, creating
> clamav signatures to detect Dropbox scripts and executables seems like
> a reasonable approach.
>
> Looking for the "dropbox_client_start" symbol seems like it will
> detect the nautilus extension:
>
> $ dd if=libnautilus-dropbox.so bs=1c skip=5412 count=22 2>/dev/null | od -a
> 000 nul   d   r   o   p   b   o   x   _   c   l   i   e   n   t   _
> 020   s   t   a   r   t nul
> 026
>
> So, to create a signature out of that:
>
> PUA.Elf.Dropbox.A:6:*:0064726f70626f785f636c69656e745f737461727400
>
> For the /usr/bin/dropbox Python script, looking for the
> opener.addheaders string followed closely by the
> DropboxLinuxDownloader string seems like a good strategy:
>
> $ tail -n +213 dropbox | head -4
> def download_file_chunk(url, buf):
>     opener = urllib2.build_opener()
>     opener.addheaders = [('User-Agent', "DropboxLinuxDownloader/2015.10.28")]
>     sock = opener.open(url)
>
> PUA.Script.Dropbox.A:7:*:6f70656e65722e61646468656164657273{12-32}64726f70626f786c696e7578646f776e6c6f61646572
>
> But while we can create one-off signatures for these
> scripts/executables, it strikes me that it may make more sense to
> create a new PUA category for them. E.g.:
>
> DataEx
>
> Data exfiltration tools, like cloud-based file storage
> technologies, can seamlessly move local data to cloud-based
> services. If local data is sensitive or restricted, this can be
> undesirable, or legally prohibited.
>
> There will be more of these unwanted scripts/executables than just
> Dropbox; that's just the example du jour.
>
> Thoughts?

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
[clamav-users] using clamav to detect unwanted data exfiltration programs (e.g., Dropbox)?
Has anyone experimented with using clamav to detect PUAs (potentially unwanted executables) beyond what clamav already can detect? If so, do you have any advice?

For legal reasons, we prohibit cloud-based file storage technologies like Dropbox. On our Windows systems, we can prohibit Dropbox via AppLocker, but for Linux, it's not so easy.

Since we regularly scan our systems with clamav anyway, creating clamav signatures to detect Dropbox scripts and executables seems like a reasonable approach.

Looking for the "dropbox_client_start" symbol seems like it will detect the nautilus extension:

$ dd if=libnautilus-dropbox.so bs=1c skip=5412 count=22 2>/dev/null | od -a
000 nul   d   r   o   p   b   o   x   _   c   l   i   e   n   t   _
020   s   t   a   r   t nul
026

So, to create a signature out of that:

PUA.Elf.Dropbox.A:6:*:0064726f70626f785f636c69656e745f737461727400

For the /usr/bin/dropbox Python script, looking for the opener.addheaders string followed closely by the DropboxLinuxDownloader string seems like a good strategy:

$ tail -n +213 dropbox | head -4
def download_file_chunk(url, buf):
    opener = urllib2.build_opener()
    opener.addheaders = [('User-Agent', "DropboxLinuxDownloader/2015.10.28")]
    sock = opener.open(url)

PUA.Script.Dropbox.A:7:*:6f70656e65722e61646468656164657273{12-32}64726f70626f786c696e7578646f776e6c6f61646572

But while we can create one-off signatures for these scripts/executables, it strikes me that it may make more sense to create a new PUA category for them. E.g.:

DataEx

Data exfiltration tools, like cloud-based file storage technologies, can seamlessly move local data to cloud-based services. If local data is sensitive or restricted, this can be undesirable, or legally prohibited.

There will be more of these unwanted scripts/executables than just Dropbox; that's just the example du jour.

Thoughts?
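The signature-building approach in the post above, as an added example (this is not code from the post or from ClamAV): a small Python helper that turns the plain strings into .ndb lines of the form MalwareName:TargetType:Offset:HexSignature (target 6 = ELF, 7 = ASCII text, {n-m} = bounded gap) and replays them against constructed sample bytes, so the {12-32} gap and the target-type distinction can be checked before the lines go into a local .ndb file. The sample "files", the reduction of ELF detection to the 0x7f ELF magic, and the approximate text normalization (lowercase plus whitespace collapse) are assumptions made for the demo, not ClamAV's own behaviour.

```python
"""ClamAV .ndb body-signature helper: build lines from byte patterns and
replay them against sample data offline.

Added example; not code from the list post nor from ClamAV itself.
Facts relied on: .ndb lines are MalwareName:TargetType:Offset:HexSig,
TargetType 6 = ELF, 7 = ASCII text, {n-m} is a bounded gap wildcard, and
text targets are normalized (lowercased) before matching.  Assumptions:
normalize_text() only approximates ClamAV's normalization and the ELF
check is just the magic bytes.  Sample data is constructed, not real."""
import re

ELF, TEXT = 6, 7


def ndb_line(name, target, offset, *parts):
    """Assemble one .ndb line. Each part is bytes (a literal) or an (n, m)
    tuple (a {n-m} gap). Text-target literals are lowercased because the
    scanned text is lowercased before matching."""
    body = ""
    for part in parts:
        if isinstance(part, tuple):
            body += "{%d-%d}" % part
        else:
            body += (part.lower() if target == TEXT else part).hex()
    return "%s:%d:%s:%s" % (name, target, offset, body)


def signatures():
    """The two signatures from the post, rebuilt from the plain strings."""
    return [
        ndb_line("PUA.Elf.Dropbox.A", ELF, "*", b"\x00dropbox_client_start\x00"),
        ndb_line("PUA.Script.Dropbox.A", TEXT, "*",
                 b"opener.addheaders", (12, 32), b"DropboxLinuxDownloader"),
    ]


def compile_body(body):
    """Translate a hex body with {n-m} gaps into a bytes regex. Other ClamAV
    wildcards (??, *, (aa|bb), ...) are deliberately rejected here."""
    regex, pos = [], 0
    for m in re.finditer(r"\{(\d+)-(\d+)\}|(?:[0-9a-fA-F]{2})+", body):
        if m.start() != pos:
            raise ValueError("unsupported syntax: %r" % body[pos:m.start()])
        if m.group(1) is not None:
            regex.append(b".{%d,%d}" % (int(m.group(1)), int(m.group(2))))
        else:
            regex.append(re.escape(bytes.fromhex(m.group(0))))
        pos = m.end()
    if pos != len(body):
        raise ValueError("unsupported syntax: %r" % body[pos:])
    return re.compile(b"".join(regex), re.DOTALL)


def normalize_text(data):
    # Approximation (assumption) of ClamAV's ASCII normalization for target 7.
    return re.sub(rb"\s+", b" ", data.lower())


def matches(data, sig_line):
    """True if one .ndb line fires on data: target check, normalization, offset."""
    name, target, offset, body = sig_line.split(":", 3)
    target = int(target)
    if target == ELF and not data.startswith(b"\x7fELF"):
        return False
    haystack = normalize_text(data) if target == TEXT else data
    rx = compile_body(body)
    if offset == "*":
        return rx.search(haystack) is not None
    return rx.match(haystack, int(offset)) is not None


def scan(data):
    """Names of all signatures from signatures() that fire on data."""
    return [s.split(":", 1)[0] for s in signatures() if matches(data, s)]


# Constructed samples (not the real Dropbox files).
SAMPLE_ELF = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
              + b"\x00_init\x00dropbox_client_start\x00_fini\x00")
SAMPLE_SCRIPT = b"""#!/usr/bin/python
def download_file_chunk(url, buf):
    opener = urllib2.build_opener()
    opener.addheaders = [('User-Agent', "DropboxLinuxDownloader/2015.10.28")]
    sock = opener.open(url)
"""
# Same strings, header list reordered: the gap now exceeds {12-32}.
SAMPLE_REORDERED = b"""opener.addheaders = [('Accept', '*/*'), ('X-Requested', 'no'),
    ('User-Agent', "DropboxLinuxDownloader/2015.10.28")]
"""

if __name__ == "__main__":
    print("\n".join(signatures()))  # paste into a local .ndb file
    for label, blob in [("elf", SAMPLE_ELF), ("script", SAMPLE_SCRIPT),
                        ("reordered", SAMPLE_REORDERED)]:
        print(label, scan(blob))
```

Running it prints two lines that reproduce the post's signatures byte for byte (sigtool --hex-dump does the same hex conversion from stdin) and shows the third sample, which contains the same strings with the header list reordered, no longer firing: a bounded gap keeps the signature specific but also makes it brittle against trivial edits of the script, so a candidate .ndb line is worth testing against several versions of the target. The real engine's text normalization and file-type detection are richer than what is mirrored here; check a finished line with clamscan -d on the .ndb file.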
Re: [clamav-users] Possible FP on Doc.Dropper.Agent-6447876-0?
The alert with the signature Doc.Dropper.Agent-6447876-0 is not a false positive. The signature alerted on a Microsoft Word document. The hash for that document is f614c9664f566becb3bdf5a52027088407a3a73d5de8f2a5ec1da2b47438d156. The Word document has a macro that launches PowerShell, downloads an executable and runs it.

On Thu, Feb 15, 2018 at 2:05 PM, Kris Deugau wrote:

> I've had a customer reporting problems sending a supposedly all-text
> (likely actually multipart text+html with no hand-added attachments)
> triggering this signature.
>
> Since it's a hash I'm baffled by what it might be misfiring on in a
> legitimate more-or-less text-only message.
>
> I don't yet have a copy of the message that actually triggered this
> signature, and after finally getting a couple of empty test messages they
> are of course scanning clean.
>
> Can anyone give any more detail on what kind of file or file component
> this is matching on? All I can see is that it's in daily.hsb, so beyond
> the fact that it is a hash of either the whole file or a component of a
> Word document containing macros I have no idea what it is, and whether it's
> really a FP or not.
>
> -kgd
Re: [clamav-users] Possible FP on Doc.Dropper.Agent-6447876-0?
Hello,

> Can anyone give any more detail on what kind of file or file component this is matching on?

It is a Word document. More information at:
https://www.virustotal.com/fr/file/f614c9664f566becb3bdf5a52027088407a3a73d5de8f2a5ec1da2b47438d156/analysis/

Seems to be real malware, not a false positive.

-- 
Regards,
Arnaud Jacques
Manager of SecuriteInfo.com
Phone: +33-(0)3.44.39.76.46
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
Computer Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois
[clamav-users] Possible FP on Doc.Dropper.Agent-6447876-0?
I've had a customer reporting problems sending a supposedly all-text (likely actually multipart text+html with no hand-added attachments) triggering this signature.

Since it's a hash I'm baffled by what it might be misfiring on in a legitimate more-or-less text-only message.

I don't yet have a copy of the message that actually triggered this signature, and after finally getting a couple of empty test messages they are of course scanning clean.

Can anyone give any more detail on what kind of file or file component this is matching on? All I can see is that it's in daily.hsb, so beyond the fact that it is a hash of either the whole file or a component of a Word document containing macros I have no idea what it is, and whether it's really a FP or not.

-kgd
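One way to answer the question above locally once a copy of the offending message is in hand, as an added example that is not part of the thread or of ClamAV: walk the MIME parts of the message, hash each decoded payload, and compare against the .hsb entries, which are Hash:FileSize:MalwareName lines carrying a SHA1 or SHA256 digest (told apart by length; .hdb carries MD5). The message, the stand-in attachment and its .hsb line are constructed for the demo; the real hash quoted in the replies is not reproduced.

```python
"""Find which MIME part of a message a ClamAV .hsb hash signature fires on.

Added example; not code from the list thread or from ClamAV.  Facts relied
on: .hdb/.hsb lines are Hash:FileSize:MalwareName, the hash is MD5 (.hdb)
or SHA1/SHA256 (.hsb) of a whole scanned object, FileSize is a decimal
length or '*', and ClamAV hashes the decoded attachment, not the base64
text.  The message, attachment bytes and .hsb entry below are constructed
for the demo and contain no real malware."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

HASHERS = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_hsb(text):
    """Yield (algo, hexdigest, size_or_None, name) for each signature line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(":", 2)
        algo = HASHERS[len(digest)]
        yield algo, digest.lower(), (None if size == "*" else int(size)), name


def hash_hits(blob, sigs):
    """Names of the hash signatures matching one decoded object."""
    hits = []
    for algo, digest, size, name in sigs:
        if size is not None and size != len(blob):
            continue  # size mismatch: the hash is never even computed
        if hashlib.new(algo, blob).hexdigest() == digest:
            hits.append(name)
    return hits


def triage(raw_message, hsb_text):
    """Return [(part_index, content_type, filename, [sig names])] for every
    leaf part whose decoded payload matches; [] means no whole-part hit."""
    sigs = list(parse_hsb(hsb_text))
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        blob = part.get_payload(decode=True) or b""
        hits = hash_hits(blob, sigs)
        if hits:
            findings.append((idx, part.get_content_type(), part.get_filename(), hits))
    return findings


# --- constructed sample data ---------------------------------------------
# Stand-in for a macro document: OLE2 magic plus filler, NOT a real document.
FAKE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"demo-macro-document" * 8


def build_sample_message():
    """A multipart text+html message with one .doc attachment (constructed)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "customer@example.invalid"
    m["Subject"] = "invoice"
    m.set_content("Please see attached.")
    m.add_alternative("<p>Please see attached.</p>", subtype="html")
    m.add_attachment(FAKE_DOC, maintype="application", subtype="msword",
                     filename="invoice.doc")
    return m.as_bytes()


def sample_hsb():
    """An .hsb line for FAKE_DOC, in the same shape as a daily.hsb entry."""
    return "%s:%d:Doc.Dropper.Demo-0\n" % (hashlib.sha256(FAKE_DOC).hexdigest(),
                                          len(FAKE_DOC))


if __name__ == "__main__":
    for idx, ctype, fname, hits in triage(build_sample_message(), sample_hsb()):
        print("part %d %s %s -> %s" % (idx, ctype, fname, ", ".join(hits)))
```

A hit names the exact part to pull for analysis. An empty result does not by itself prove a false positive: the engine also hashes objects it extracts from a part (OLE2 streams, archive members), which this script does not unpack, so a miss at the attachment level is consistent with a hit on an embedded component. Running clamscan with --leave-temps on the saved .eml keeps those extracted objects on disk so they can be hashed the same way.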
Re: [clamav-users] Commercial License
On 14/02/2018 16:25, McRoy, Jeffrey (GE Healthcare) wrote:
> Hi Everyone,
>
> I've heard of some malware scanners that have commercial licensing or support agreements available where the end user gets access to an advance version of the database. Does something like that exist for ClamAV?

Hi,

Malware Patrol (should) have a commercial data feed for clamav:
https://www.malwarepatrol.net

Cheers
-- 
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice