Hi Brandon,

Many thanks for your reply. I totally agree with you on EICAR, but this should not happen with Zeus. EICAR was only included as a test case, i.e. to make sure that static signatures are being checked...

Andrew

On 7 November 2014 17:06, Brandon Perry <bperry.volat...@gmail.com> wrote:
> EICAR should only ever be detected as is. It is specially made for testing
> AV, and AV has no use for detecting variations of it.
>
> On Fri, Nov 7, 2014 at 11:02 AM, Andrew Camilleri <andrew.camill...@gmail.com> wrote:
>
> > Hi!
> >
> > I am totally new to ClamAV, so please excuse my ignorance.
> > I am looking at how AV scanning is done in general, but also specifically
> > in ClamAV. I came across this
> > <https://www.mail-archive.com/clamav-devel@lists.clamav.net/msg03096.html>
> > post, so I got that bit covered and won't repeat questions.
> > I am working on a WAF and we will use ClamAV for scanning traffic. I am
> > investigating the tolerance in correct classification with respect to
> > changes in malware binaries. To conduct my experiments I picked up the
> > EICAR "virus" and an actual virus, Zeus, from here
> > <https://github.com/Visgean/Zeus>. I noticed that if I change a single
> > character in EICAR, ClamAV will fail to detect it; I assume that this is
> > due to a static signature (correct me if I am wrong) associated with this
> > test virus; this seems like a perfectly good result to me. Next thing was
> > to scan Zeus (after a simple git clone) and it picks up a few trojans from
> > the ready built binaries. I then changed the first byte of client32.bin
> > (one of the files that was marked as a trojan) and scanned it. The result
> > was that ClamAV did not recognize the trojan after this simple change. I then
> > changed another byte, the 32nd one to be precise, and scanned it. The
> > result was that ClamAV correctly classifies the binary as a Trojan. I was a
> > little surprised that a change in the first byte would "hide" the trojan
> > from scanning, especially since the first two bytes are completely useless
> > <http://en.wikipedia.org/wiki/Mark_Zbikowski> in terms of running a Windows
> > binary.
> >
> > My only explanation is that with the change, the file fails some
> > integrity check that ClamAV does, to make sure that the binary is runnable;
> > I am assuming that there isn't a static signature here, otherwise it would
> > not have been picked up with any change. I also did this test with zsb.exe
> > in the repo and I got the same results. Finally I performed the same tests
> > against McAfee and all these changes had no effect, i.e. the trojans were
> > always correctly classified. In the case of deltas to EICAR however, McAfee
> > did not recognize the "virus".
> >
> > Could you please help me to understand the meaning of these results? Also,
> > is it possible to view the signature of a virus in the signature database?
> > I looked at the doc, but I couldn't find how to do this; but I may have
> > missed it and in that case sorry to ask this!
> >
> > Andrew
> > _______________________________________________
> > http://lurker.clamav.net/list/clamav-devel.html
> > Please submit your patches to our Bugzilla: http://bugs.clamav.net
> >
> > http://www.clamav.net/contact.html#ml
>
>
> --
> http://volatile-minds.blogspot.com -- blog
> http://www.volatileminds.net -- website
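The experiment Andrew describes (first byte changed: miss; 32nd byte changed: hit) is what you would expect from a scanner that first identifies the file type from its magic bytes and only then applies the signatures written for that type. The following is an added example, not code from the thread or from ClamAV, and it assumes that model rather than asserting it is exactly what ClamAV did; it builds a constructed PE-shaped byte string (not a real binary), flips single bytes at chosen offsets, and reports whether the file still passes the PE type gate and whether a PE-targeted body signature still fires.

```python
import struct

# Constructed sample: a DOS header ("MZ" ... e_lfanew at 0x3C), padding, the
# "PE\0\0" signature at 0x80, some zero bytes, then a marker that stands in for
# the bytes a PE-targeted signature would match. It is not a runnable binary.
MARKER = b"\xde\xad\xbe\xef"

def build_sample_pe() -> bytes:
    dos = bytearray(b"MZ" + b"\x90" * 58)     # 60 bytes of DOS header/stub
    dos += struct.pack("<I", 0x80)            # e_lfanew -> PE header offset
    dos += b"\x00" * (0x80 - len(dos))        # pad up to 0x80
    return bytes(dos) + b"PE\0\0" + b"\x00" * 20 + MARKER

def looks_like_pe(data: bytes) -> bool:
    """Type gate: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (assumed model)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def flip_byte(data: bytes, offset: int) -> bytes:
    """Return a copy of data with one byte inverted (the thread's single-byte edit)."""
    out = bytearray(data)
    out[offset] ^= 0xFF
    return bytes(out)

def mutation_report(data: bytes, signature: bytes, offsets) -> dict:
    """For each offset: does the mutated file still type as PE, and does a
    PE-targeted body signature still fire? The signature is only consulted
    when the type gate passes, which is the behaviour under test."""
    report = {}
    for off in offsets:
        mutated = flip_byte(data, off)
        typed = looks_like_pe(mutated)
        report[off] = {"typed_pe": typed, "pe_sig_hits": typed and signature in mutated}
    return report

if __name__ == "__main__":
    sample = build_sample_pe()
    for off, result in mutation_report(sample, MARKER, [0, 32, 152]).items():
        print(f"byte {off:3d} flipped: typed_pe={result['typed_pe']} "
              f"pe_sig_hits={result['pe_sig_hits']}")
```

Flipping offset 0 breaks the type gate (so no PE signature is ever tried, and the file would not load either), offset 32 lands in stub padding and changes nothing, and offset 152 keeps the type but breaks the signature bytes themselves, which is the case a static-signature check cannot survive.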