You may want to add “ELF….” to your count.  Perhaps even “OSX….”
--
Joel Esler | Talos: Manager | jes...@cisco.com<mailto:jes...@cisco.com>






On Dec 20, 2017, at 7:02 AM, Maarten Broekman 
<maarten.broek...@gmail.com<mailto:maarten.broek...@gmail.com>> wrote:

There are far more than 31 signatures that have the potential to impact
Linux systems. There are, in truth, over 23,000 signatures that are able to
detect malware on Linux and Unix systems. Most "Linux" signatures only
contain the word Unix, however. Additionally, keep in mind that these are
only from the ClamAV provided databases. Sanesecurity and the Linux Malware
Detect project add more as well.

Of the official databases, the signatures break down like this for Unix
signatures:
     1 [bytecode]
  7386 [daily.hdb]
 11640 [daily.hsb]
    67 [daily.ldb]
    11 [daily.ndb]
   141 [main.hdb]
  3445 [main.hsb]
     5 [main.mdb]
   426 [main.ndb]
     2 [daily.ldb] <== These are noted by Al in his previous message.

Aside from the Win.* signatures, these are the major groupings of the
non-hash signatures:
     1 Unix.Downloader
    28 Unix.Exploit
     1 Unix.Malware
     1 Unix.Packer
     6 Unix.Rootkit
   311 Unix.Tool
   144 Unix.Trojan
    11 Unix.Worm

Of the hashes, there are about 50 different 'families' of Unix/Linux
related malware of varying specificity:
     3 Unix.Adware.Bundlore
     1 Unix.Adware.Bundloreca
     9 Unix.Adware.Genieo
     1 Unix.Adware.Installmiez
     1 Unix.Adware.Macinst
     1 Unix.Adware.Spigot
     1 Unix.Adware.Xloader
     1 Unix.Downloader.Amcleaner
     1 Unix.Exploit.CVE_2016_8733
     1 Unix.Exploit.CVE_2016_9032
     1 Unix.Exploit.CVE_2016_9033
     1 Unix.Exploit.CVE_2017_1000253
     1 Unix.Exploit.Gingerbreak
     1 Unix.Exploit.Iosjailbreak
     1 Unix.Exploit.Lacksand
     4 Unix.Exploit.Lotoor
     1 Unix.Exploit.Powershell
     1 Unix.Exploit.Remotesync
     1 Unix.Exploit.Roothack
     1 Unix.Exploit.TALOS_2016_0257
 21777 Unix.Malware.Agent
     1 Unix.Malware.Generic
     1 Unix.Malware.Setag
     4 Unix.Malware.Tsunami
     1 Unix.Malware.Xorddos
     1 Unix.Spyware.Opinionspy
     1 Unix.Tool.Dnsamp
     6 Unix.Tool.Dofloo
   448 Unix.Tool.EQGRP
     5 Unix.Tool.FakeAV
     1 Unix.Tool.Flood
     1 Unix.Tool.Zusy
   137 Unix.Trojan.Agent
     6 Unix.Trojan.Cornelgen
     7 Unix.Trojan.Ddostf
    13 Unix.Trojan.Dofloo
     1 Unix.Trojan.Dogspectus
     1 Unix.Trojan.Elknot
     1 Unix.Trojan.Elzob
   127 Unix.Trojan.Gafgyt
     3 Unix.Trojan.Hanthie
     3 Unix.Trojan.Mayday
    24 Unix.Trojan.Mirai
     2 Unix.Trojan.Small
     7 Unix.Trojan.Tsunami
     1 Unix.Trojan.Webshell
     1 Unix.Trojan.Zonie
     1 Unix.Virus.Zusy
     1 Unix.Worm.Cheese
     1 Unix.Worm.Darlloz

My suggestion is, yes. Run ClamAV. But don't rely on just the official
databases.

--Maarten
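The per-database and per-family counts above come from the plain-text signature files inside the official databases. As an added illustration (not code posted by anyone in this thread), the script below parses the documented line layouts of the hash databases (.hdb, .hsb, .mdb) and the body/logical databases (.ndb, .ldb) and produces the same three breakdowns: per database file, per "Unix.<Category>" group for non-hash signatures, and per three-component family for hash signatures. The sample database contents are constructed for the example; the hashes match nothing real, and the file names and field layouts are taken from the ClamAV signature documentation rather than from this thread.

```python
"""Count ClamAV signatures per database file and per malware family.

Added illustration for the thread above, not code posted on the list. It parses
the plain-text line formats of the .hdb/.hsb/.mdb (hash) and .ndb/.ldb (body
and logical) databases as documented in the ClamAV signature manual. The sample
lines below are constructed for the example and are not real signatures.
"""
from collections import Counter
from typing import Dict, Optional, Tuple

HASH_DBS = ("hdb", "hsb", "mdb")  # databases whose signatures are file/section hashes


def signature_name(db_kind: str, line: str) -> Optional[str]:
    """Return the MalwareName field of one signature line, or None to skip it.

    Field layouts (ClamAV signature formats):
      hdb/hsb : Hash:FileSize:MalwareName[:MinFL[:MaxFL]]
      mdb     : PESectionSize:PESectionHash:MalwareName[:MinFL[:MaxFL]]
      ndb     : MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
      ldb     : SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;...
    """
    line = line.strip()
    if not line or line.startswith("#"):  # blank or comment line
        return None
    if db_kind in HASH_DBS:
        parts = line.split(":")
        return parts[2] if len(parts) >= 3 else None
    if db_kind == "ndb":
        parts = line.split(":")
        return parts[0] if len(parts) >= 4 else None
    if db_kind == "ldb":
        parts = line.split(";")
        return parts[0] if len(parts) >= 4 else None
    return None  # other database kinds (.cdb, .pdb, ...) are not handled here


def family(name: str, depth: int) -> str:
    """Drop the -SignatureID-Revision tail and keep `depth` dotted components:
    depth 2 gives "Unix.Trojan", depth 3 gives "Unix.Trojan.Mirai"."""
    base = name.split("-", 1)[0]
    return ".".join(base.split(".")[:depth])


def count_signatures(databases: Dict[str, str], prefix: str = "Unix."
                     ) -> Tuple[Counter, Counter, Counter]:
    """Count signatures whose name starts with `prefix`.

    Returns (per database file, per group for non-hash signatures, per family
    for hash signatures), mirroring the three lists in the thread.
    """
    per_db, groups, families = Counter(), Counter(), Counter()
    for db_file, text in databases.items():
        kind = db_file.rsplit(".", 1)[-1]  # "main.hdb" -> "hdb"
        for line in text.splitlines():
            name = signature_name(kind, line)
            if name is None or not name.startswith(prefix):
                continue
            per_db[db_file] += 1
            if kind in HASH_DBS:
                families[family(name, 3)] += 1
            else:
                groups[family(name, 2)] += 1
    return per_db, groups, families


def format_breakdown(counts: Counter) -> str:
    """Render a Counter in the right-aligned "count name" layout used in the thread."""
    return "\n".join(f"{n:>6} {key}" for key, n in sorted(counts.items()))


# Constructed sample databases: a few made-up lines in the shape that
# `sigtool --unpack main.cvd` leaves on disk for each database kind.
SAMPLE_DATABASES = {
    "main.hdb": "\n".join([
        "d41d8cd98f00b204e9800998ecf8427e:1024:Unix.Trojan.Mirai-1",
        "9e107d9d372bb6826bd81d3542a419d6:2048:Unix.Trojan.Gafgyt-2",
        "e4d909c290d0fb1ca068ffaddf22cbd0:512:Win.Trojan.Agent-3",
    ]),
    "daily.hsb": "\n".join([
        "# constructed hsb entries",
        "ab" * 32 + ":4096:Unix.Trojan.Mirai-4",
        "cd" * 32 + ":8192:Unix.Malware.Agent-5",
    ]),
    "main.ndb": "\n".join([
        "Unix.Trojan.Tsunami-6:0:*:48656c6c6f",
        "Unix.Tool.Dofloo-7:0:*:776f726c64",
        "Win.Exploit.Sample-8:1:*:4141",
    ]),
    "daily.ldb": "Unix.Exploit.CVE_2016_8733-9;Engine:51-255,Target:0;0&1;48656c6c6f;776f726c64",
    "main.mdb": "4096:d41d8cd98f00b204e9800998ecf8427e:Unix.Malware.Agent-10",
}

if __name__ == "__main__":
    per_db, groups, families = count_signatures(SAMPLE_DATABASES)
    for title, counts in (("per database", per_db), ("non-hash groups", groups),
                          ("hash families", families)):
        print(f"{title}:\n{format_breakdown(counts)}\n")
```

To run this against the real databases, unpack them first (`sigtool --unpack main.cvd`, and likewise for daily.cvd or daily.cld) and read each resulting .hdb/.hsb/.mdb/.ndb/.ldb file into the dictionary in place of the constructed sample. The prefix filter is why "Linux" grep counts come out so low: the platform component of the name is "Unix", and the OS-specific string, if any, only appears later in the name.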

On Wed, Dec 20, 2017 at 4:09 AM, Al Varnell 
<alvarn...@mac.com<mailto:alvarn...@mac.com>> wrote:

FYI, there are 31 ClamAV signatures that contain the word "Linux". There
are currently almost 6.4 million ClamAV signatures in the database.

All but two are in main.ndb or main.hdb, meaning they are relatively old.

All but five start with Win.Trojan or Win.Exploit or Win.Tool so I'm not
clear on their relationship to Linux.

The two most recent ones are:
- Unix.Trojan.Linux_DDoS_93-2
- Unix.Trojan.Linux_DDoS_93-5364119-0

-Al-

On Wed, Dec 20, 2017 at 12:47 AM, Matus UHLAR - fantomas wrote:
On 19.12.17 12:44, Dan Rawson wrote:
I'm working on running clamav on my Linux workstation - NOT a server
environment.  What is the recommended usage in that environment?  clamd +
OnAccess?  clamscan scheduled from cron?? clamdscan scheduled from cron??

I did search through the documentation but didn't see much addressing
"best practices" in a single machine environment.

I haven't seen a Linux malware yet. Well, I've heard that it exists, but
haven't seen it (except hacking suite...)

What makes you think you need it?

-Al-
--
Al Varnell
Mountain View, CA





_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
