Red Hot Cyber

Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Search

ClamAV

ClamAV and signatures generation

Andrea Cavallini : 2 May 2024 12:11

Threat intelligence has many fields of application, starting from control of infrastructures using automation processes to security increasing the perimeter of applications and solutions in general. One of the most common applications of this concept is antimalware tools, which enterprise antivirus solutions are preferable rather than open sources due to two main aspects: enterprise solutions are covered by official support in case of any type of problem (even if this is not always true due to different type of subscriptions) and signatures in the enterprise tools are more precise and updated than open sources. What can we do to perform a significant growth in open source technologies?

I have analyzed one of the most common open source antivirus solutions, ClamAV. This antimalware is deployable on Linux, Windows and Mac and it uses its own signatures and definitions. Only these? No, even the signature upload process is open source and antimalware definition databases can be created from custom sources. In this flow, threat intelligence can help us to receive IOC from open source feeds, centralize them in a orchestrator solution like MISP, an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threats about cyber security incidents analysis and malware analysis.

Using its query API system, we can extract from MISP the IOC events that include attributes with SHA256 or MD5 type, considering the value field. Following official documentation, we can create ClamAV HSB file (hash-based signatures) with the list of SHA256/MD5 values extracted, for example:

7311356d9420f387813a720981688e78:*:AgentTesla:73

This line has the following fields:

  • 7311356d9420f387813a720981688e78 is the hash evidenced in the previous screenshot
  • * is the marker to say to the antivirus engine to not check for specific size
  • AgentTesla is the malware description related to the hash that will be reported in case of
  • 73 is the minimum functional level mandatory to use wildcard in signatures

Sei un Esperto di Formazione?
Entra anche tu nel Partner program!
Accedi alla sezione riservata ai Creator sulla nostra Academy e scopri i vantaggi riservati ai membri del Partner program.
Per ulteriori informazioni, scrivici ad [email protected] oppure su Whatsapp al 379 163 8765 

Supporta RHC attraverso:


Ti piacciono gli articoli di Red Hot Cyber? Non aspettare oltre, iscriviti alla newsletter settimanale per non perdere nessun articolo

Once every HSB file is created, we can packetize them with the ClamAV sigtool command suite to build a CUD file (ClamAV Unsigned Database), importable in the main ClamAV signatures directory and usable next to scanning desired elements. Tuning will be the next process step because a database created can warn us about false positives, but with little work we will have a very useful and powerful open source antimalware solution.

Andrea Cavallini
Since forever cybersecurity lover and hacking in general, he began his career in IT and then moved on to applications and control systems development; he mainly deals about solutions for critical infrastructures providing, writes digital topics for Red Team and Blue Team themes and develops open source solutions related to cybersecurity world.
Categories
Banner

Editorial board : [email protected]

Facebook Linkedin Youtube Telegram Twitter Pinterest Tumblr
Redhotcyber is an open-news project that was launched in 2019 and subsequently expanded into a network of individuals collaborating to disseminate information and topics focused on technology, Information Technology, and cybersecurity. Its goal is to increase risk awareness among an ever-growing number of people.