[clamav-users] Information regarding Win.Downloader.DDECmdExec-6715271-0

Kris Deugau

2018-11-13 18:13:54 UTC

Post by Dominique Sarrazin
Hi everyone,
On October 26^th , ClamAV’s signature database was updated with the
addition of Win.Downloader.DDECmdExec-6715271-0, for which I cannot find
any information despite my thorough research.

sigtool --find-sigs [sig name] |sigtool --decode-sigs will at least tell
you what it's matching on, assuming it's an active signature.

I don't seem to have that particular signature on any system I manage,
so either it's third-party or it was dropped at some point.

The closest matches on that sig name that I have are
Win.Downloader.DDEObfuscatedCmdExec-6715127-0 and
Win.Downloader.DDEObfuscatedCmdExec-6715128-0.

Post by Dominique Sarrazin
Since that update, ClamAV has reported that many tables in our MySQL are
susceptible to this vulnerability. I would simply like to know the
details of this vulnerability and how to identify it in our database.

Scanning the filesystem storage for any DBMS is almost certainly a waste
of time and likely to lead to all kinds of bizarre false positives.

If you really need to scan the content, scan things before inserting, or
do a periodic "retrieve-and-scan" process if you're worried about
zero-day malware that might not have had a signature when it was inserted.

-kgd
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vr