Monday, June 19, 2017

ClamAV Users --

Please take a look at the newest OpenSource project from Cisco Talos, entirely released towards the ClamAV audience, the BASS Automated Signature Synthesizer.

A short preview of the blog post linked above:

BASS (pronounced "bæs") is a framework designed to automatically generate antivirus signatures from samples belonging to previously generated malware clusters. It is meant to reduce resource usage of ClamAV by producing more pattern-based signatures as opposed to hash-based signatures, and to alleviate the workload of analysts who write pattern-based signatures. The framework is easily scalable thanks to Docker.
Please note that this framework is still considered in the Alpha stage and as a result, it will have some rough edges. As this tool is open source and actively maintained by us, we gladly welcome any feedback from the community on improving the functionality of BASS. You can find source code for BASS here:
https://github.com/Cisco-Talos/bass
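To make the hash-based versus pattern-based distinction concrete, here is an added example (not BASS's own code; the byte-level longest-common-substring is only a toy stand-in for BASS's extraction, and the sample bytes and signature name are constructed): three members of one cluster need three .hdb lines but a single .ndb line.

```python
import hashlib

def hdb_line(sample: bytes, name: str) -> str:
    """Hash-based ClamAV signature in .hdb format (md5:filesize:name).
    It matches exactly one file, so every new variant needs a new line."""
    return f"{hashlib.md5(sample).hexdigest()}:{len(sample)}:{name}"

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Plain dynamic-programming LCS over raw bytes (toy stand-in for BASS)."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def ndb_line(samples: list, name: str, min_len: int = 8) -> str:
    """Pattern-based signature in .ndb format (name:target:offset:hexsig)
    built from the bytes every sample in the cluster shares.
    Target 0 = any file type, offset * = match anywhere in the file."""
    common = samples[0]
    for sample in samples[1:]:
        common = longest_common_substring(common, sample)
    if len(common) < min_len:
        raise ValueError("shared pattern too short to make a reliable signature")
    return f"{name}:0:*:{common.hex()}"

def ndb_matches(line: str, data: bytes) -> bool:
    """Minimal matcher for the plain-hex, offset-* subset of .ndb emitted above."""
    hexsig = line.split(":", 3)[3]
    return bytes.fromhex(hexsig) in data

# Constructed stand-ins for three members of one malware cluster: the same core
# routine with different surrounding bytes, hence three different MD5 hashes.
SHARED = b"constructed-shared-routine-0x1337"
CLUSTER = [
    b"MZ\x90\x00" + b"AAAA" + SHARED + b"\x01tail-one",
    b"MZ\x90\x00" + b"BBBBBB" + SHARED + b"\x02second",
    b"MZ\x90\x00" + b"C" + SHARED + b"\x03t",
]
BENIGN = b"MZ\x90\x00" + b"constructed-unrelated-file-contents"
```

Running `hdb_line` over CLUSTER yields three distinct lines, while `ndb_line(CLUSTER, "Test.Cluster.Constructed")` yields one signature that matches all three samples and not BENIGN.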

Please check out the project, play with it, use it, and help us improve it.

Wednesday, June 7, 2017

As promised, we were able to ship a new Main.cvd and the cdiff for the main.cvd a few minutes ago.

It should have hit the mirrors in the past few minutes. As always, this will increase the amount of traffic on the mirrors from people downloading the file, and should settle down within the next 12-24 hours.

I’d like to thank our Signature team for working late into the night the past several days in order to get this out on time!

We have tested this Main.cvd and cdiff on all currently supported versions of ClamAV. Please let us know via the clamav-users list if there are any problems.

Tuesday, May 16, 2017

We are currently planning on cutting a new Main.cvd on Wednesday, June 7th, 2017. After the new Main.cvd is published the "daily" load on the mirrors and your networks should be much lighter.

As always, this will result in a period of heavy downloading following the release, and lighter loads from smaller "daily" cvds after.

We will post an estimated size in an updated post.

Wednesday, February 22, 2017

We took note of this article over on the NVISO Labs blog that basically starts off like this:

Did you know the open-source anti-virus ClamAV supports YARA rules? What benefits can this bring to us? One of the important features ClamAV has is the file decomposition capability. Say that the file you want to analyze resides in an archive, or is a packed executable, then ClamAV will unarchive/unpack the file, and run the YARA engine on it.

A lot of people actually don't know this. But NVISO wrote a great article on it, and it is definitely worth the read if you are interested in doing some hunting with YARA content in ClamAV.

Friday, February 10, 2017

Yesterday, several articles came out through various publications regarding a piece of malware named "MacDownloader".  It appears to be specifically targeting the Defense Industry. Several other research firms attribute the malware to Iranian attackers.

For more information we are publishing links to several blogs below:

https://blog.malwarebytes.com/threat-analysis/2017/02/macdownloader-malware-targeting-defense-industry/
http://www.csoonline.com/article/3167249/security/mac-malware-possibly-made-in-iran-targets-us-defense-industry.html

and finally the original blog:

https://iranthreats.github.io/resources/macdownloader-macos-malware/

Our ClamAV auto detection scripts have published detection for this already:

Osx.Downloader.MacDownloader-5781857-0

Please ensure you are scanning your machines regularly!

Thursday, December 15, 2016

Later today (December 15, 2016) we will be implementing a database change within the system that manages the naming of signatures.

I wanted to let you know as some of you may notice that the numbers at the end of the signature names may change slightly. This won't have any effect on detection, and is an optimization on our backend for detection distribution.

If there are any questions regarding this, please feel free to reach out to us on the ClamAV-Users list.

Thanks!

Tuesday, November 22, 2016

ClamAV friend and community signature contributor Arnaud Jacques from SecuriteInfo.com wrote a quick article about how to whitelist a signature in ClamAV that may be giving you problems.

Please take a look at this article on his website, for some quick instruction on how to prevent a potential disaster in your environment.