Red Hot Cyber

Cyber security, cybercrime, hack news, and more
Search

ClamAV

ClamAV and signatures generation

Andrea Cavallini : 2 May 2024 12:11

Threat intelligence has many fields of application, starting from control of infrastructures using automation processes to security increasing the perimeter of applications and solutions in general. One of the most common applications of this concept is antimalware tools, which enterprise antivirus solutions are preferable rather than open sources due to two main aspects: enterprise solutions are covered by official support in case of any type of problem (even if this is not always true due to different type of subscriptions) and signatures in the enterprise tools are more precise and updated than open sources. What can we do to perform a significant growth in open source technologies?

I have analyzed one of the most common open source antivirus solutions, ClamAV. This antimalware is deployable on Linux, Windows and Mac and it uses its own signatures and definitions. Only these? No, even the signature upload process is open source and antimalware definition databases can be created from custom sources. In this flow, threat intelligence can help us to receive IOC from open source feeds, centralize them in a orchestrator solution like MISP, an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threats about cyber security incidents analysis and malware analysis.

Using its query API system, we can extract from MISP the IOC events that include attributes with SHA256 or MD5 type, considering the value field. Following official documentation, we can create ClamAV HSB file (hash-based signatures) with the list of SHA256/MD5 values extracted, for example:

7311356d9420f387813a720981688e78:*:AgentTesla:73

This line has the following fields:

  • 7311356d9420f387813a720981688e78 is the hash evidenced in the previous screenshot
  • * is the marker to say to the antivirus engine to not check for specific size
  • AgentTesla is the malware description related to the hash that will be reported in case of
  • 73 is the minimum functional level mandatory to use wildcard in signatures

Supporta Red Hot Cyber attraverso

Once every HSB file is created, we can packetize them with the ClamAV sigtool command suite to build a CUD file (ClamAV Unsigned Database), importable in the main ClamAV signatures directory and usable next to scanning desired elements. Tuning will be the next process step because a database created can warn us about false positives, but with little work we will have a very useful and powerful open source antimalware solution.

Andrea Cavallini
Since forever cybersecurity lover and hacking in general, he began his career in IT and then moved on to applications and control systems development; he mainly deals about solutions for critical infrastructures providing, writes digital topics for Red Team and Blue Team themes and develops open source solutions related to cybersecurity world.
Categories
Banner

Editorial board : [email protected]

Facebook Linkedin Youtube Telegram Twitter Pinterest Tumblr
Redhotcyber is an open-news project born from the idea of Massimiliano Brolli in 2019, subsequently expanded into a network of people who collaborate in the dissemination of topics focused on information security, but also on technology and information technology in general, with the aim to disseminate the concepts of cybersecurity to an ever-increasing number of people
The photos and articles on redhotcyber.com were partly taken from the Internet and therefore considered to be in the public domain. If the subjects or authors have something against their publication, they can report it to the editorial staff who will promptly remove them from the site.