Wednesday, February 25, 2015

What to do with MD5 checksums of files provided as an Indicator of Compromise?

I spotted a post over on the thepcn3rd blog with a really simple walkthrough of how to generate ClamAV detection quickly, given an MD5 for a malicious file.

As I have researched malware, the indicators of compromise have usually included an MD5 checksum of the malicious files so that you can detect them in your environment. I am not sure about your anti-virus, but I am not able to plug an MD5 into mine and have it search for matching files across the enterprise as it does its scan.
The blog highlights a great point about ClamAV and open source: the ability to generate your own detection!

Take a look at the blog here.
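To make the point concrete, here is an added example (my own code, not the thepcn3rd post's or ClamAV's) that turns a list of MD5 indicators into a ClamAV `.hdb` hash-signature file and then sweeps a directory for matches the same way clamscan would. It assumes the `.hdb` line format `HashString:FileSize:MalwareName[:MinFLevel]`, with `*` as the size wildcard requiring functionality level 73 (ClamAV 0.98 and later), and uses a constructed sample file and IOC list rather than any real indicator.

```python
import hashlib
import os
import tempfile

# Constructed sample content and IOC list of (md5, name); IOC reports usually omit sizes.
SAMPLE_BYTES = b"constructed sample payload for the demo, not real malware\n"
IOC_MD5S = [(hashlib.md5(SAMPLE_BYTES).hexdigest(), "Demo.IOC.ConstructedSample")]

def hdb_signature(md5_hex, name, size=None):
    """One .hdb line, HashString:FileSize:MalwareName[:MinFLevel]; a '*' size needs flevel 73."""
    md5_hex = md5_hex.strip().lower()  # reports often paste hashes in upper case
    if len(md5_hex) != 32 or any(c not in "0123456789abcdef" for c in md5_hex):
        raise ValueError("not an MD5 hex digest: %r" % md5_hex)
    if size is None:
        return "%s:*:%s:73" % (md5_hex, name)
    return "%s:%d:%s" % (md5_hex, int(size), name)

def write_hdb(iocs, path):
    """Write the signature file; load it with: clamscan -d custom.hdb <dir>."""
    lines = [hdb_signature(md5, name) for md5, name in iocs]
    with open(path, "w") as f:
        f.write("\n".join(lines) + "\n")
    return lines

def md5_of_file(path, chunk=65536):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_tree(root, iocs):
    """Hash every file under root and return (path, name) for each IOC hit."""
    wanted = {md5.strip().lower(): name for md5, name in iocs}
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            d = md5_of_file(p)
            if d in wanted:
                hits.append((p, wanted[d]))
    return hits

def demo():
    """Drop one matching file in a temp dir, build the .hdb, then sweep the dir."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "invoice.exe"), "wb") as f:
        f.write(SAMPLE_BYTES)
    sigs = write_hdb(IOC_MD5S, os.path.join(root, "custom.hdb"))  # swept too, no match
    return sigs, [name for _, name in scan_tree(root, IOC_MD5S)]
```

Point clamscan at the generated file with `clamscan -d custom.hdb <dir>` to get the same hit from the real engine; an MD5 match only catches the exact byte-identical file, so a one-byte change to the sample defeats it.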

2 comments:

  1. Good morning! I have read the guides about installing postfix on the server, and they say to set the parameter SOCKET_RWGROUP = postfix in the file /etc/default/clamav-milter, but I installed ClamAV and unfortunately I do not have such a file. How do I set it up?

    I have followed the instructions on the page: https://greenqloud.zendesk.com/entries/74986716-How-To-Make-your-e-mail-Truly-Green-Part-2-fighting-spam

  2. A more appropriate place to get your question answered would be the ClamAV users list:

    http://lists.clamav.net/mailman/listinfo/clamav-users
