
Lab 2-3: ClamAV

Because teaching teaches teachers to teach
Introduction

• ClamAV is an open source antivirus engine owned by Sourcefire.
• ClamAV offers a fast and flexible framework for detecting malicious code and artifacts.
• Multi-OS: Ubuntu, Windows, …
Install ClamAV

• Install ClamAV and ClamTK (http://www.clamav.net/doc/latest/)
  Command: sudo apt-get install clamav clamav-freshclam
• Update the ClamAV signature database.
  Command: sudo freshclam
• Run ClamAV (the scanner binary is clamscan; -r scans recursively, -i prints only infected files)
  Command: clamscan -r -i /home/bangbh
Understand ClamAV databases

• MD5 hashes of malicious binaries (stored in .hdb)
• MD5 hashes of PE sections (stored in .mdb)
• Hexadecimal signatures (stored in .ndb)
• Archive metadata signatures (stored in .zmd or .rmd)
• Whitelist database of known-good files (stored in .fp)
Examining ClamAV Signatures

• Find main.cld and daily.cld in /var/lib/clamav
• The main.cld file contains the primary base of signatures.
• daily.cld contains the incremental daily updates.
Commands (sigtool -u unpacks a database into the current directory, so the unpacked signature files can be listed and read):
sigtool -u /var/lib/clamav/main.cld
sigtool -u /var/lib/clamav/daily.cld
ls -Al
Customize ClamAV database

• Customize ClamAV databases:
  • ASCII Signatures
  • Binary Signatures (Shellcode)
  • Logical Signatures (New in v0.96)
3 Steps for ASCII Signatures

• Create an ASCII signature (save it as Clam_HelloWorld.ndb):
  Format: SigName:Target:Offset:HexadecimalSignature
  Clam_HelloWorld:0:*:68656c6c6f*776f726c64
  (68656c6c6f is "hello" in hex, 776f726c64 is "world", and * matches any bytes between them; Target 0 means any file type and Offset * means any offset.)
• Create a file test.txt containing: This is the data I'd like to scan looking for 'hello' and 'world'.
• Command: clamscan -d Clam_HelloWorld.ndb test.txt
3 Steps for Binary Signatures

Assembly                    Bytecode
xor ecx, ecx                33c9
mov cx, ?                   66b9????
xor byte [edx+ecx], ??      80340a??
loop ??                     e2??
jmp ??                      eb??
3 Steps for Binary Signatures

• Create a binary signature (save it as Clam_HellCodeXOR.ndb):
  Clam_HellCodeXOR:0:*:33c966b9470180340ae9e2faeb0a
• Create a file test.txt containing the above bytecode.
• Command: clamscan -d Clam_HellCodeXOR.ndb test.txt
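As an added illustration for both the ASCII and the binary signature steps (this is not part of the lab slides and not ClamAV's own matching engine), the Python script below builds .ndb records like the two above and includes a simplified matcher for the hex-signature wildcards used here ('??' for any one byte, '*' for any run of bytes), so the signatures can be checked against constructed sample data without a ClamAV install. It also adds a wildcarded variant of the XOR-decoder signature (an assumption of this example, not on the slides) to show why the '??' bytes in the table matter: it still matches a decoder stub with a different counter and key.

```python
import re

# Constructed sample inputs (not from the slides): the test.txt text, the XOR
# decoder stub bytes from the slide with padding, and a variant stub whose
# counter (mov cx) and XOR key differ from the slide's exact bytes.
TEST_TXT = b"This is the data I'd like to scan looking for 'hello' and 'world'."
XOR_STUB = b"\x90\x90" + bytes.fromhex("33c966b9470180340ae9e2faeb0a") + b"\xcc"
XOR_VARIANT = bytes.fromhex("33c966b9200080340a41e2faeb05")

def ascii_sig(*words: str) -> str:
    """Hex-encode literal strings and join them with ClamAV's '*' wildcard."""
    return "*".join(w.encode().hex() for w in words)

def ndb_line(name: str, hex_sig: str, target: int = 0, offset: str = "*") -> str:
    """Format one .ndb record: MalwareName:TargetType:Offset:HexSignature."""
    return f"{name}:{target}:{offset}:{hex_sig}"

def sig_to_regex(hex_sig: str) -> re.Pattern:
    """Translate the hex-signature subset used on the slides into a bytes regex:
    '??' matches any single byte, '*' matches any run of bytes (simplified)."""
    pattern, i = b"", 0
    while i < len(hex_sig):
        if hex_sig[i] == "*":
            pattern += b".*?"
            i += 1
        elif hex_sig[i:i + 2] == "??":
            pattern += b"."
            i += 2
        else:
            pattern += re.escape(bytes.fromhex(hex_sig[i:i + 2]))
            i += 2
    return re.compile(pattern, re.DOTALL)

SIGS = {
    "Clam_HelloWorld": ascii_sig("hello", "world"),       # 68656c6c6f*776f726c64
    "Clam_HellCodeXOR": "33c966b9470180340ae9e2faeb0a",   # exact bytes from the slide
    # Assumed generalisation: same decoder shape with the immediates wildcarded
    "Clam_HellCodeXOR_Generic": "33c966b9????80340a??e2??eb??",
}

def scan(data: bytes, sigs: dict = SIGS) -> list:
    """Return the names of every signature whose pattern occurs in data."""
    return [name for name, s in sigs.items() if sig_to_regex(s).search(data)]

def write_ndb(path: str, sigs: dict = SIGS) -> None:
    """Write the signatures as a .ndb file that clamscan -d can load."""
    with open(path, "w") as f:
        f.write("\n".join(ndb_line(n, s) for n, s in sigs.items()) + "\n")

if __name__ == "__main__":
    for label, blob in [("test.txt", TEST_TXT), ("stub", XOR_STUB), ("variant", XOR_VARIANT)]:
        print(f"{label}: {scan(blob)}")
```

Running the script prints which signatures hit each sample; write_ndb("custom.ndb") produces a file you can pass to clamscan -d to confirm the real engine agrees on the exact signatures.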
Q&A