Re: [clamav-users] using clamav to detect unwanted data exfiltration programs (e.g., Dropbox)?

2018-02-15 Thread Paul Kosinski
Perhaps it would be more effective simply to block access (in the
firewall) to sites like Dropbox. In any case, it might improve "legal
security" to add such blocking to the firewall, or perhaps your local
DNS forwarding server.

P.S. Note that site blocking works even for encrypted connections, if
direct (although not for encrypted VPNs).


On Thu, 15 Feb 2018 15:34:17 -0500
James Ralston wrote:

> Has anyone experimented with using clamav to detect PUAs (potentially
> unwanted executables) beyond what clamav already can detect? If so, do
> you have any advice?
> 
> For legal reasons, we prohibit cloud-based file storage technologies
> like Dropbox. On our Windows systems, we can prohibit Dropbox via
> AppLocker, but for Linux, it's not so easy.
> 
> Since we regularly scan our systems with clamav anyway, creating
> clamav signatures to detect Dropbox scripts and executables seems like
> a reasonable approach.
> 
> Looking for the "dropbox_client_start" symbol seems like it will
> detect the nautilus extension:
> 
> $ dd if=libnautilus-dropbox.so bs=1c skip=5412 count=22 2>/dev/null | od -a
> 000 nul   d   r   o   p   b   o   x   _   c   l   i   e   n   t   _
> 020   s   t   a   r   t nul
> 026
> 
> So, to create a signature out of that:
> 
> PUA.Elf.Dropbox.A:6:*:0064726f70626f785f636c69656e745f737461727400
> 
> For the /usr/bin/dropbox Python script, looking for the
> opener.addheaders string followed closely by the
> DropboxLinuxDownloader string seems like a good strategy:
> 
> $ tail -n +213 dropbox | head -4
> def download_file_chunk(url, buf):
>     opener = urllib2.build_opener()
>     opener.addheaders = [('User-Agent', "DropboxLinuxDownloader/2015.10.28")]
>     sock = opener.open(url)
> 
> PUA.Script.Dropbox.A:7:*:6f70656e65722e61646468656164657273{12-32}64726f70626f786c696e7578646f776e6c6f61646572
> 
> But while we can create one-off signatures for these
> scripts/executables, it strikes me that it may make more sense to
> create a new PUA category for them. E.g.:
> 
> DataEx
> 
> Data exfiltration tools, like cloud-based file storage
> technologies, can seamlessly move local data to cloud-based
> services. If local data is sensitive or restricted, this can be
> undesirable, or legally prohibited.
> 
> There will be more of these unwanted scripts/executables than just
> Dropbox; that's just the example du jour.
> 
> Thoughts?
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


[clamav-users] using clamav to detect unwanted data exfiltration programs (e.g., Dropbox)?

2018-02-15 Thread James Ralston
Has anyone experimented with using clamav to detect PUAs (potentially
unwanted executables) beyond what clamav already can detect? If so, do
you have any advice?

For legal reasons, we prohibit cloud-based file storage technologies
like Dropbox. On our Windows systems, we can prohibit Dropbox via
AppLocker, but for Linux, it's not so easy.

Since we regularly scan our systems with clamav anyway, creating
clamav signatures to detect Dropbox scripts and executables seems like
a reasonable approach.

Looking for the "dropbox_client_start" symbol seems like it will
detect the nautilus extension:

$ dd if=libnautilus-dropbox.so bs=1c skip=5412 count=22 2>/dev/null | od -a
000 nul   d   r   o   p   b   o   x   _   c   l   i   e   n   t   _
020   s   t   a   r   t nul
026

So, to create a signature out of that:

PUA.Elf.Dropbox.A:6:*:0064726f70626f785f636c69656e745f737461727400

For the /usr/bin/dropbox Python script, looking for the
opener.addheaders string followed closely by the
DropboxLinuxDownloader string seems like a good strategy:

$ tail -n +213 dropbox | head -4
def download_file_chunk(url, buf):
    opener = urllib2.build_opener()
    opener.addheaders = [('User-Agent', "DropboxLinuxDownloader/2015.10.28")]
    sock = opener.open(url)

PUA.Script.Dropbox.A:7:*:6f70656e65722e61646468656164657273{12-32}64726f70626f786c696e7578646f776e6c6f61646572

But while we can create one-off signatures for these
scripts/executables, it strikes me that it may make more sense to
create a new PUA category for them. E.g.:

DataEx

Data exfiltration tools, like cloud-based file storage
technologies, can seamlessly move local data to cloud-based
services. If local data is sensitive or restricted, this can be
undesirable, or legally prohibited.

There will be more of these unwanted scripts/executables than just
Dropbox; that's just the example du jour.

Thoughts?
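
As an added example (not ClamAV code, and not from the poster), the script below models how the two .ndb signatures above are matched, so a custom signature can be sanity-checked before it goes into a database. It handles only the subset those signatures use: an any-offset ('*') body made of literal hex bytes and the {n-m} gap wildcard; anything else in ClamAV's signature language raises instead of being silently skipped. The ELF and script samples are constructed stand-ins for the real libnautilus-dropbox.so and /usr/bin/dropbox, and the third sample shows the {12-32} window rejecting a file where both strings are present but 52 bytes apart. It also models why the script signature is all lowercase: target type 7 is ClamAV's normalised ASCII text, which is lowercased before matching (whitespace normalisation is left out of this model).

```python
"""Minimal checker for ClamAV .ndb body signatures (added example, not ClamAV code).

Supports the subset used in the posted signatures: an any-offset ('*') body made
of literal hex bytes and the {n-m} gap wildcard.  Everything else in ClamAV's
signature language (??, *, (aa|bb), anchored offsets) raises ValueError.
"""
import re

# --- Constructed samples: stand-ins for the real files, not copies of them ---
ELF_SAMPLE = (b"\x7fELF" + b"\x00" * 60
              + b"\x00dropbox_client_start\x00" + b"\x00" * 16)
SCRIPT_SAMPLE = b"""def download_file_chunk(url, buf):
    opener = urllib2.build_opener()
    opener.addheaders = [('User-Agent', "DropboxLinuxDownloader/2015.10.28")]
    sock = opener.open(url)
"""
# Both strings present, but 52 bytes apart: outside the {12-32} window.
FAR_SAMPLE = (b"opener.addheaders = build_headers(ua_suffix=None, extra=None, "
              b"agent='DropboxLinuxDownloader')")

# The two signatures from the post, in .ndb form: Name:TargetType:Offset:HexBody
SIG_ELF = "PUA.Elf.Dropbox.A:6:*:0064726f70626f785f636c69656e745f737461727400"
SIG_SCRIPT = ("PUA.Script.Dropbox.A:7:*:6f70656e65722e61646468656164657273"
              "{12-32}64726f70626f786c696e7578646f776e6c6f61646572")

_TOKEN = re.compile(r"\{(\d+)-(\d+)\}|([0-9a-fA-F]{2})")


def build_ndb(name, target, *parts):
    """Assemble an any-offset .ndb line from byte strings and (min, max) gap
    tuples, e.g. build_ndb("X", 7, b"abc", (12, 32), b"def")."""
    body = "".join(p.hex() if isinstance(p, bytes) else "{%d-%d}" % p
                   for p in parts)
    return f"{name}:{target}:*:{body}"


def parse_ndb(line):
    name, target, offset, body = line.strip().split(":", 3)
    return name, int(target), offset, body


def body_to_regex(body):
    """Translate the hex body into a bytes regex; reject unsupported syntax
    rather than silently skipping it."""
    out, pos = [], 0
    while pos < len(body):
        m = _TOKEN.match(body, pos)
        if m is None:
            raise ValueError(f"unsupported signature syntax near {body[pos:pos + 8]!r}")
        if m.group(3):
            out.append(re.escape(bytes.fromhex(m.group(3))))
        else:
            lo, hi = int(m.group(1)), int(m.group(2))
            out.append(b".{%d,%d}" % (lo, hi))
        pos = m.end()
    return b"".join(out)


def normalize(target, data):
    """Target 7 is ClamAV's normalised ASCII text, which is lowercased before
    matching; that is why the posted script signature is all lowercase.
    (Whitespace normalisation is left out of this simplified model.)"""
    return data.lower() if target == 7 else data


def matches(sig_line, data):
    """True if the signature body occurs anywhere in the (normalised) data."""
    name, target, offset, body = parse_ndb(sig_line)
    if offset != "*":
        raise ValueError("only the '*' any-offset form is handled here")
    pattern = re.compile(body_to_regex(body), re.DOTALL)
    return pattern.search(normalize(target, data)) is not None


def scan(samples, sigs):
    """Return {sample name: [names of signatures that hit]}."""
    return {sname: [parse_ndb(s)[0] for s in sigs if matches(s, data)]
            for sname, data in samples.items()}


if __name__ == "__main__":
    samples = {"nautilus-ext": ELF_SAMPLE, "dropbox-script": SCRIPT_SAMPLE,
               "lookalike": FAR_SAMPLE}
    for sname, hits in scan(samples, [SIG_ELF, SIG_SCRIPT]).items():
        print(f"{sname}: {hits or 'clean'}")
```

To check against the real files rather than the model, put the lines in a file such as custom.ndb and run `clamscan -d custom.ndb --detect-pua=yes <path>`; signatures whose name starts with `PUA.` only alert when `--detect-pua` is on, and `--include-pua`/`--exclude-pua` select by category name. `sigtool --hex-dump` turns bytes on stdin into the hex form used in the body, which replaces the dd/od step above.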


Re: [clamav-users] Possible FP on Doc.Dropper.Agent-6447876-0?

2018-02-15 Thread Alain Zidouemba
The alert with the signature Doc.Dropper.Agent-6447876-0 is not a false
positive. The signature alerted on a Microsoft Word document. The hash for
that document is
f614c9664f566becb3bdf5a52027088407a3a73d5de8f2a5ec1da2b47438d156.

The Word document has a macro that launches powershell, downloads an
executable and runs it.

On Thu, Feb 15, 2018 at 2:05 PM, Kris Deugau wrote:

> I've had a customer reporting problems sending a supposedly all-text
> (likely actually multipart text+html with no hand-added attachments)
> triggering this signature.
>
> Since it's a hash I'm baffled by what it might be misfiring on in a
> legitimate more-or-less text-only message.
>
> I don't yet have a copy of the message that actually triggered this
> signature, and after finally getting a couple of empty test messages they
> are of course scanning clean.
>
> Can anyone give any more detail on what kind of file or file component
> this is matching on?  All I can see is that it's in daily.hsb, so beyond
> the fact that it is a hash of either the whole file or a component of a
> Word document containing macros I have no idea what it is, and whether it's
> really a FP or not.
>
> -kgd


Re: [clamav-users] Possible FP on Doc.Dropper.Agent-6447876-0?

2018-02-15 Thread Arnaud Jacques

Hello,

> Can anyone give any more detail on what kind of file or file
> component this is matching on?


It is a Word document. More information at:
https://www.virustotal.com/fr/file/f614c9664f566becb3bdf5a52027088407a3a73d5de8f2a5ec1da2b47438d156/analysis/

Seems to be real malware, not a false positive.

--
Regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Phone: +33-(0)3.44.39.76.46
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
Computer Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois


[clamav-users] Possible FP on Doc.Dropper.Agent-6447876-0?

2018-02-15 Thread Kris Deugau
I've had a customer reporting problems sending a supposedly all-text 
(likely actually multipart text+html with no hand-added attachments) 
triggering this signature.


Since it's a hash I'm baffled by what it might be misfiring on in a 
legitimate more-or-less text-only message.


I don't yet have a copy of the message that actually triggered this 
signature, and after finally getting a couple of empty test messages 
they are of course scanning clean.


Can anyone give any more detail on what kind of file or file component 
this is matching on?  All I can see is that it's in daily.hsb, so beyond 
the fact that it is a hash of either the whole file or a component of a 
Word document containing macros I have no idea what it is, and whether 
it's really a FP or not.


-kgd
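
As an added example (not ClamAV code, and not from any poster in this thread), here is a small Python model of how an entry in daily.hsb is matched: an .hsb line is SHA256:FileSize:MalwareName, the hash is of the scanned object, and the size must match unless it is '*'. ClamAV hashes every object it extracts (a MIME attachment, an OLE2 stream) as well as the top-level file, so a hash hit on a "text-only" message means an extracted part with exactly that hash was present. The database lines are built in the script from constructed blobs; the real Doc.Dropper.Agent-6447876-0 entry is not reproduced.

```python
"""Model of ClamAV .hsb (SHA256 hash) signature matching: added example, not ClamAV code.

An .hsb line is  SHA256:FileSize:MalwareName  (an optional fourth field is the
minimum engine level).  FileSize may be '*' for any size.  The hash is of the
scanned object, and ClamAV hashes every object it extracts (a MIME attachment,
an OLE2 stream) as well as the top-level file.
"""
import hashlib

# Constructed blobs standing in for an extracted attachment and a text body.
DOC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
       + b"constructed OLE2-like attachment, macro stub " * 8)
TEXT = b"plain text mail body, nothing attached\n"


def hsb_line(data, name, size=None):
    """Build an .hsb entry for a blob (used here only to construct the sample DB)."""
    size = len(data) if size is None else size
    return f"{hashlib.sha256(data).hexdigest()}:{size}:{name}"


# Constructed sample database; the real daily.hsb entry is not reproduced.
SAMPLE_HSB = "\n".join([
    hsb_line(DOC, "Doc.Dropper.Test-1"),
    hsb_line(TEXT, "Txt.WrongSize.Test-2", size=9999),   # hash matches, size does not
    hsb_line(b"x", "Any.Size.Test-3", size="*"),
])


def load_hsb(text):
    """Parse .hsb lines into (digest, size or None for '*', name)."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        digest, size, name = fields[0].lower(), fields[1], fields[2]
        sigs.append((digest, None if size == "*" else int(size), name))
    return sigs


def lookup(data, sigs):
    """Names of entries whose hash (and size, unless '*') match the object."""
    digest = hashlib.sha256(data).hexdigest()
    return [name for d, size, name in sigs
            if d == digest and (size is None or size == len(data))]


if __name__ == "__main__":
    sigs = load_hsb(SAMPLE_HSB)
    for label, obj in (("attachment", DOC), ("text body", TEXT)):
        print(label, "->", lookup(obj, sigs) or "no hash match")
```

On a real system, `sigtool --find-sigs=Doc.Dropper.Agent-6447876-0` prints the entry from the installed databases, and `clamscan --leave-temps --tempdir=<dir>` keeps the parts extracted from a message so they can be hashed with sha256sum and compared with that entry.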


Re: [clamav-users] Commercial License

2018-02-15 Thread Alessio Cecchi

On 14/02/2018 16:25, McRoy, Jeffrey (GE Healthcare) wrote:

> Hi Everyone,
>
> I’ve heard of some malware scanners that have commercial licensing or support
> agreements available where the end user gets access to an advance version of
> the database. Does something like that exist for ClamAV?

Hi,

Malware Patrol (should) have a commercial data feed for clamav:

https://www.malwarepatrol.net

Cheers

--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice
