Lab 2-3: Clamav: Because Teaching Teaches Teachers To Teach

This document discusses the open source antivirus software ClamAV. It provides instructions on installing ClamAV on Ubuntu and updating its virus signature databases. It explains the different types of databases used by ClamAV to store hashes of malicious files and payloads. The document also demonstrates how to examine ClamAV's main signature databases and create custom ASCII and binary signatures to detect specific malware patterns and payloads in files.

Lab 2-3: ClamAV

Because teaching teaches teachers to teach

Introduction

• ClamAV is an open source antivirus engine owned by Sourcefire.
• ClamAV offers a fast and flexible framework for detecting malicious code and artifacts.
• Multi-OS: Ubuntu, Windows, …
Install ClamAV

• Install ClamAV and ClamTK (http://www.clamav.net/doc/latest/)
  Cmd: sudo apt-get install clamav clamav-freshclam
• Update the ClamAV signature database.
  Cmd: sudo freshclam
• Run ClamAV (the scanner binary is clamscan; -r scans recursively, -i prints only infected files).
  Cmd: clamscan -r -i /home/bangbh
Understand ClamAV databases

• MD5 hashes of malicious binaries (stored in .hdb)
• MD5 hashes of PE sections (stored in .mdb)
• Hexadecimal signatures (stored in .ndb)
• Archive metadata signatures (stored in .zmd or .rmd)
• White list database of good files (stored in .fp)
Examining ClamAV Signatures

• Find main.cld and daily.cld in /var/lib/clamav
• The main.cld file contains the primary base of signatures.
• daily.cld contains incremental daily updates.
• sigtool -u unpacks a .cld/.cvd container into its component database files (.ndb, .hdb, .mdb, …) in the current directory.
Cmd:
sigtool -u /var/lib/clamav/main.cld
sigtool -u /var/lib/clamav/daily.cld
ls -Al
Customize ClamAV database

• Customize ClamAV databases:
  • ASCII Signatures
  • Binary Signatures (Shellcode)
  • Logical Signatures (New in v0.96)
3 Steps for ASCII Signatures

• Create an ASCII signature (one line in a .ndb file, here saved as Clam_HelloWorld.ndb):
  • SigName:Target:Offset:HexadecimalSignature
  • Clam_HelloWorld:0:*:68656c6c6f*776f726c64
  (68656c6c6f is "hello" in hex, 776f726c64 is "world"; the * between them matches any number of bytes, and the * in the Offset field means "match anywhere in the file".)
• Create a file test.txt: This is the data I'd like to scan looking for 'hello' and 'world'.
• Cmd: clamscan -d Clam_HelloWorld.ndb test.txt
3 Steps for Binary Signatures

Assembly                    Bytecode
xor ecx, ecx                33c9
mov cx, ?                   66b9????
xor byte [edx+ecx], ??      80340a??
loop ??                     e2??
jmp ??                      eb??
3 Steps for Binary Signatures

• Create a binary signature (saved as Clam_HellCodeXOR.ndb), filling in the ?? bytes from the table with concrete values:
  • Clam_HellCodeXOR:0:*:33c966b9470180340ae9e2faeb0a
• Create a file test.txt containing the above bytecode.
• Cmd: clamscan -d Clam_HellCodeXOR.ndb test.txt
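To make the .ndb matching from the ASCII and binary slides concrete, here is an added Python matcher (written for this lab write-up, not ClamAV's own code). It parses SigName:Target:Offset:HexadecimalSignature lines, honours the * (any bytes) and ?? (any single byte) wildcards from the opcode table, and scans a buffer; the wildcarded "Clam_XorLoopGeneric" entry and the sample inputs are constructed, the other two signatures are the ones on the slides.

```python
import re

# Sample .ndb database: the two slide signatures plus a constructed entry
# that keeps the opcode table's ?? wildcards for the immediates.
NDB_LINES = [
    "Clam_HelloWorld:0:*:68656c6c6f*776f726c64",
    "Clam_HellCodeXOR:0:*:33c966b9470180340ae9e2faeb0a",
    "Clam_XorLoopGeneric:0:*:33c966b9????80340a??e2??eb??",  # constructed
]


def hexsig_to_regex(hexsig):
    """Translate a .ndb hex body into a compiled bytes regex.

    Only the two wildcards used on the slides are supported:
      *   -> any number of bytes
      ??  -> exactly one arbitrary byte
    Every other two-character group is one literal byte.
    """
    parts = []
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*")
            i += 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb(line):
    """Split one .ndb line into (name, target, offset, compiled regex)."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return name, int(target), offset, hexsig_to_regex(hexsig)


def scan(data, ndb_lines=NDB_LINES):
    """Return the names of all signatures in ndb_lines that match data."""
    hits = []
    for line in ndb_lines:
        name, _target, offset, rx = parse_ndb(line)
        if offset == "*":
            match = rx.search(data)            # anywhere in the file
        else:
            match = rx.match(data, int(offset))  # must start at that offset
        if match:
            hits.append(name)
    return hits
```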
Q&A