[clamav-users] Detecting Word docs with macros
Steve Basford
2018-12-10 18:50:42 UTC
Hi there,
... MiscreantPunch099-Low.ldb for additional detection but can hit
scanning performance.
Can you give any estimate (however rough) of the performance hit?
Scanning a small file... With each database... Not hugely scientific...
Just relative to each other...

badmacro.ndb: 937 ms

blurl.ndb: 1125 ms

bofhland_cracked_URL.ndb: 859 ms
bofhland_malware_attach.hdb: 859 ms
bofhland_malware_URL.ndb: 844 ms
bofhland_phishing_URL.ndb: 828 ms
crdfam.clamav.hdb: 844 ms
doppelstern.hdb: 844 ms
doppelstern.ndb: 844 ms
doppelstern-phishtank.ndb: 828 ms
foxhole_all.cdb: 844 ms
foxhole_all.ndb: 844 ms
foxhole_filename.cdb: 938 ms
foxhole_generic.cdb: 860 ms
foxhole_js.cdb: 828 ms
foxhole_js.ndb: 828 ms
foxhole_mail.cdb: 828 ms

junk.ndb: 1750 ms

jurlbl.ndb: 985 ms
jurlbla.ndb: 906 ms
lott.ndb: 859 ms
malware.expert.hdb: 828 ms
malware.expert.ldb: 860 ms
malware.expert.ndb: 859 ms
MiscreantPunch099-INFO-Low.ldb: 922 ms

MiscreantPunch099-Low.ldb: Possible Performance Issue: 10407 ms

phish.ndb: 4282 ms

phishtank.ndb: 1172 ms

porcupine.ndb: 922 ms
rogue.hdb: 859 ms

scam.ndb: 1156 ms

scamnailer.ndb: 3953 ms

shelter.ldb: 843 ms
spam.ldb: 844 ms
spamattach.hdb: 891 ms
spamimg.hdb: 844 ms

spear.ndb: 1532 ms

spearl.ndb: 828 ms
winnow.attachments.hdb: 829 ms
winnow.complex.patterns.ldb: 860 ms
winnow_bad_cw.hdb: 844 ms
winnow_extended_malware.hdb: 937 ms
winnow_extended_malware_links.ndb: 844 ms
winnow_malware.hdb: 828 ms
winnow_malware_links.ndb: 843 ms
winnow_phish_complete.ndb: 843 ms
winnow_phish_complete_url.ndb: 828 ms
winnow_spam_complete.ndb: 844 ms


Cheers,

Steve
Twitter: @sanesecurity
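The per-database timings above come from scanning one small file with each signature file loaded on its own. The following script is an added example, not code from Steve's post or from Sanesecurity: it repeats that method with `clamscan -d <dbfile>` so that each database is loaded in isolation, and marks anything above a threshold as a possible performance issue. It assumes `clamscan` is on PATH, GNU `date` (for `%N`), and that the database directory and sample file paths are placeholders you supply.

```shell
#!/bin/sh
# Added example, not code from the thread. Times one scan per database
# file so that the cost of each third-party database can be compared.
# Assumes: clamscan on PATH, GNU date (for %N), and placeholder paths.

# time_scan_ms DBFILE SAMPLE [SCANNER]
# Scan SAMPLE using only DBFILE as the signature source and print the
# wall-clock time in milliseconds. SCANNER defaults to clamscan.
time_scan_ms() {
    db=$1; sample=$2; scanner=${3:-clamscan}
    start=$(date +%s%N)
    # Exit status 1 only means a signature matched; we care about time here.
    "$scanner" --no-summary -d "$db" "$sample" >/dev/null 2>&1
    end=$(date +%s%N)
    echo $(( (end - start) / 1000000 ))
}

# classify_ms MS THRESHOLD -> "slow" when MS exceeds THRESHOLD, else "ok"
classify_ms() {
    if [ "$1" -gt "$2" ]; then echo slow; else echo ok; fi
}

# bench_dir DBDIR SAMPLE [THRESHOLD_MS]
# Time every .ndb/.ldb/.hdb/.cdb file in DBDIR against SAMPLE and mark
# the ones above THRESHOLD_MS (default 2000), in the style of the list above.
bench_dir() {
    dir=$1; sample=$2; threshold=${3:-2000}
    for db in "$dir"/*.ndb "$dir"/*.ldb "$dir"/*.hdb "$dir"/*.cdb; do
        [ -f "$db" ] || continue
        ms=$(time_scan_ms "$db" "$sample")
        if [ "$(classify_ms "$ms" "$threshold")" = slow ]; then
            printf '%s: Possible Performance Issue: %s ms\n' "$(basename "$db")" "$ms"
        else
            printf '%s: %s ms\n' "$(basename "$db")" "$ms"
        fi
    done
}

# Usage: ./bench.sh /var/lib/clamav /path/to/small-sample.doc [threshold_ms]
if [ $# -ge 2 ]; then
    bench_dir "$1" "$2" "$3"
fi
```

Because each run is a fresh `clamscan` process, the figure includes process start-up and database load time, which is why most databases cluster around the same baseline; the outliers are what matter. To measure the cost inside a running `clamd`, compare `clamdscan` wall-clock times with and without the database present in the database directory instead.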
Steve Basford
2018-12-10 15:17:24 UTC
Default clam sigs obviously are not catching these, but wondering if
anyone has them included in a third party that is rather FP friendly.
I also just tested a yara from here, and it seems to work, but not
certain about FPs from it either.
Sanesecurity badmacro.ndb and phish.ndb and rogue.hdb will pretty much
cover a lot of those... MiscreantPunch099-Low.ldb for additional detection
but can hit scanning performance.

ClamAV settings in clamd.conf can also be tweaked to block documents with
macros and/or passwords.
--
Cheers,

Steve
Twitter: @sanesecurity

_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
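The clamd.conf tweak mentioned above refers to ClamAV's heuristic alerts for OLE2 documents containing VBA macros and for files it cannot open because they are encrypted. The script below is an added example, not code from the thread or from the ClamAV project: it audits a clamd.conf for those two settings and prints the fragment to add when they are missing. It uses the option names of ClamAV 0.101 and later (`AlertOLE2Macros`, `AlertEncrypted`) and also accepts the pre-0.101 spellings (`OLE2BlockMacros`, `ArchiveBlockEncrypted`); the sample configuration it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a clamd.conf for the
# two settings that make clamd alert on Office documents containing VBA
# macros and on files it cannot open because they are encrypted.
# Option names: ClamAV 0.101+ uses AlertOLE2Macros / AlertEncrypted;
# 0.100 and earlier use OLE2BlockMacros / ArchiveBlockEncrypted. Either
# spelling is accepted here; check clamd.conf(5) for your installed version.

# setting_enabled CONF OPTION -> success if an uncommented "OPTION yes" line exists
setting_enabled() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+(yes|true|1)[[:space:]]*$" "$1"
}

# Each entry is NEWNAME:OLDNAME for the same behaviour.
DOC_OPTIONS="AlertOLE2Macros:OLE2BlockMacros AlertEncrypted:ArchiveBlockEncrypted"

# missing_doc_settings CONF -> prints the (new-style) names not enabled, space separated
missing_doc_settings() {
    conf=$1; missing=""
    for pair in $DOC_OPTIONS; do
        new=${pair%%:*}; old=${pair#*:}
        if setting_enabled "$conf" "$new" || setting_enabled "$conf" "$old"; then
            :
        else
            missing="$missing $new"
        fi
    done
    printf '%s\n' "${missing# }"
}

# write_sample_conf PATH: a constructed clamd.conf fragment (not a real
# deployment) with macro alerting left at its commented-out default.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real deployment
LogFile /var/log/clamav/clamd.log
#AlertOLE2Macros yes
AlertEncrypted yes
EOF
}

# recommended_fragment: the lines to add (or uncomment) so clamd flags
# macro-bearing and password-protected documents as alerts.
recommended_fragment() {
    cat <<'EOF'
# Alert on OLE2 (Word/Excel/PowerPoint) files that contain VBA macros
AlertOLE2Macros yes
# Alert on archives and documents that cannot be scanned because they are encrypted
AlertEncrypted yes
EOF
}

# Usage: ./audit.sh /etc/clamav/clamd.conf
if [ $# -ge 1 ]; then
    missing=$(missing_doc_settings "$1")
    if [ -n "$missing" ]; then
        echo "Not enabled in $1: $missing"
        echo "Suggested additions:"
        recommended_fragment
    else
        echo "Macro and encrypted-document alerting are enabled in $1"
    fi
fi
```

Both settings are heuristics rather than signatures: they fire on every macro-bearing or encrypted document, legitimate ones included, so on a mail gateway they fit a quarantine-and-review policy better than an outright reject, and `clamd` must be restarted or reloaded for the change to take effect.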
Eric Tykwinski
2018-12-10 15:46:46 UTC
Steve,
Post by Steve Basford
Sanesecurity badmacro.ndb and phish.ndb and rogue.hdb will pretty much
cover a lot of those... MiscreantPunch099-Low.ldb for additional detection
but can hit scanning performance.
ClamAV settings in clamd.conf can also be tweaked to block documents with
macro and or passwords.
Thanks, just added badmacro.ndb, so hopefully that will help.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300


