Monday, February 21, 2011

Realtime protection with ClamAV on Windows

One of the major features in Immunet 3.0 powered by ClamAV is the integration of the full ClamAV engine for "offline protection, advanced archive and unpacking support, and custom signature creation". What does that mean though?

First of all, it means that when you are not connected to the cloud you are protected by the locally installed ClamAV engine. What may not be clear from that feature description is that ClamAV is also used when you are online, and it is used for realtime protection (on-access scanning) too!

Is the ClamAV engine enabled by default in Immunet 3.0?
That depends on how you install it, but you can always change the settings later. In fact it is easy to test if the local ClamAV engine is enabled and working, as I'll show you next:

Download the Immunet 3.0 powered by ClamAV installer from here, and run it.
Make sure you select Cloud + ClamAV as shown here, and then proceed with the installation:

Once installed you can check whether ClamAV is enabled (and enable if not):
Then check that archive and packed file scanning is enabled:
Finally click on "Update Now" to make sure your antivirus database is up-to-date:

To test the local ClamAV engine you can use the following test file, (which is completely safe, it is not even executable):
Open notepad, then Copy and Paste this text exactly as shown here:
$CEliacmaTrESTuScikgsn$FREE-TEST-SIGNATURE$EEEEE$

Once you save the file (let's call it clam.txt for example) you should get a popup from Immunet showing that it has detected Clam.ClamAV-Test-Signature:
You can open the folder you tried to save the file in, and check that it is really gone.

Now you should be confident that you are protected by ClamAV's engine in "Immunet 3.0 powered by ClamAV".

How do you know which engine detected the file?
  • if the virusname starts with "W32." then it is a cloud detection
  • if it starts with "W32.SPERO.", it is a cloud detection from the SPERO heuristic engine
  • if it starts with "W32.ETHOS.", it is a cloud detection from the ETHOS heuristic engine
  • if it starts with "W32.Clam.", it is a file that was detected by ClamAV on the cloud
  • if it starts with "Clam.", it is a local ClamAV detection
  • if it starts with "Clam." and ends with ".UNOFFICIAL", then it is your custom signature
If you are interested in some of the technical details of how the ClamAV engine works together with the cloud, read on.

A scan can be triggered by:
  • on-access, i.e. realtime protection: when you launch an application, or copy or move files
  • on-demand, via the "Scan Now" button
  • scheduled scan, which can be configured in "Scan Settings", "Add New Scheduled Scan"
Once a scan is triggered the following happens:
  • if you are online, the file is scanned using the cloud (by sending the file's fingerprints)
  • if the ClamAV engine is enabled, it starts scanning the file as usual:
      • using its (official or custom) signatures database
      • scanning files inside archives (if enabled in Settings)
      • scanning inside packed executables (if enabled in Settings)
      • each of these inner files (inside archives, packed executables) is scanned using the cloud as well
  • ClamAV checks its local whitelist when it detects a virus
  • as soon as either engine finds malware, scanning is stopped
  • the cloud also checks its whitelist, for both its own detections and ClamAV's detections
For a file to be considered malicious it is enough that just one engine considers it as such. For it to be considered clean both must consider it clean.

If malware is detected, the file is quarantined and the malicious process is blocked, i.e. prevented from executing.

So you see that when you have both the cloud and ClamAV enabled, the scan is more thorough than with either engine on its own.

What if a file is detected by both the cloud and the local ClamAV engine?
Currently the detection from the cloud wins, but that may change as we work on optimizing the integration of the engine. Also just because you see a cloud detection, it doesn't mean the local engine wouldn't have detected it.
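To make the two rules above concrete (which engine a detection name comes from, and how the cloud and local ClamAV verdicts are combined), here is a small Python model. It is an added example written for this post, not Immunet's code; the function names, the return tuple and the sample detection names other than Clam.ClamAV-Test-Signature are constructed for illustration.

```python
# Added example (not Immunet's own code): attribute a detection name to the
# engine that produced it, and model the verdict combination described above.

def detection_engine(virusname: str) -> str:
    """Map a reported detection name to its origin using the prefix rules
    from the post. More specific prefixes are tested first, so that
    "W32.SPERO.x" is not reported as a plain cloud detection."""
    if virusname.startswith("Clam."):
        if virusname.endswith(".UNOFFICIAL"):
            return "local ClamAV (custom signature)"
        return "local ClamAV"
    if virusname.startswith("W32.SPERO."):
        return "cloud (SPERO heuristic engine)"
    if virusname.startswith("W32.ETHOS."):
        return "cloud (ETHOS heuristic engine)"
    if virusname.startswith("W32.Clam."):
        return "cloud (ClamAV running in the cloud)"
    if virusname.startswith("W32."):
        return "cloud"
    return "unknown"


def combined_verdict(online, clam_enabled, cloud_hit=None, clam_hit=None,
                     cloud_whitelist=frozenset(), clam_whitelist=frozenset()):
    """Model of the combined verdict (hypothetical API, not Immunet's).

    online        - whether the cloud engine could be consulted
    clam_enabled  - whether the local ClamAV engine is switched on
    cloud_hit     - detection name returned by the cloud, or None if clean
    clam_hit      - detection name returned by ClamAV, or None if clean
    Returns (verdict, detection_name, engine)."""
    candidates = []
    # The cloud detection is listed first: when both engines fire, it wins.
    if online and cloud_hit:
        candidates.append(cloud_hit)
    # ClamAV consults its own local whitelist when it detects something.
    if clam_enabled and clam_hit and clam_hit not in clam_whitelist:
        candidates.append(clam_hit)
    # When online, the cloud whitelist applies to both engines' detections.
    if online:
        candidates = [c for c in candidates if c not in cloud_whitelist]

    if candidates:
        # One engine is enough to call the file malicious; it is then
        # quarantined and the process is blocked from executing.
        name = candidates[0]
        return ("malicious", name, detection_engine(name))
    if not online and not clam_enabled:
        # No engine ran at all, so there is no verdict to report.
        return ("unscanned", None, None)
    # Every engine that ran considered the file clean.
    return ("clean", None, None)


if __name__ == "__main__":
    # Offline, local engine catches the test file from this post.
    print(combined_verdict(False, True, None, "Clam.ClamAV-Test-Signature"))
    # Online, both engines fire: the cloud name is the one reported.
    print(combined_verdict(True, True, "W32.Sample", "Clam.Sample"))
```

The last case is the one the question above is about: both engines detected the file, and the reported name (and hence the engine you see in the popup) is the cloud's, even though ClamAV would have caught it on its own.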

Friday, February 11, 2011

How to create custom signatures for Immunet 3.0, powered by ClamAV

Immunet 3.0 is Sourcefire’s new cloud-based desktop anti-malware solution for Microsoft Windows. For best performance, an Internet connection is recommended. Additionally, Immunet 3.0 is powered by ClamAV, which allows users to stay protected even when not connected to the Immunet cloud. ClamAV built its reputation over the years on the UNIX platform as being a robust and capable enterprise-level anti-malware solution, which allows the advanced user to create their own signatures to complement the ones supplied and updated several times a day by Sourcefire.

Why is being able to use your custom signatures a great feature? Well, it's because you can make your anti-malware program look for threats that you are the first to see or that you will be the only one to see (e.g. Advanced Persistent Threats, or APT). Or, you could have found that an older version of a proprietary program that's running on your network is vulnerable and you want to make sure that users only run the latest version. Writing a custom signature that targets the older program can help you enforce that policy.

Here's how to get started on writing your own custom ClamAV signatures for Immunet 3.0.

Download the ClamAV command-line Signature Tool, sigtool (MD5:838f6b4ea87199b86f04e9efb96241c3). Now let’s say that test.exe is the file you want to create a signature for. To create a signature that will match only that file, use the --md5 option of sigtool (in this example, I am redirecting the output from sigtool into a file with a .hdb extension):

sigtool --md5 test.exe > test.hdb
Pic.1: Signature using full MD5 hash of file.

Now, in this case the signature will match on only one file. You may want to write something that matches on multiple files. For example, in the case of executable files you may want to write a signature that will match a particular PE-section, and all files that have the same PE-section. To do so, break up your executable into its different PE-sections either manually or by using tools, identify the one you want to write a signature for (typically the sections are labelled .text, .rdata, .data, .idata, etc.) and use the --mdb option of sigtool (in this example I am redirecting the output from sigtool into a file with a .mdb extension):

sigtool --mdb <extracted-section-file> > test.mdb
Pic.2: Signature using the hash of the PE-section of an executable.

Another way to have ClamAV detect a file is to base your signature on a hexadecimal fragment contained within the body of the file. Let's say you have a text file that contains the text I look like a benign file but actually I am a bad script and I will pwn your machine, if you don't pay attention. We decide that our detection will be based on detecting the phrase I am a bad script in any text files. To write a signature, we can start by echoing I am a bad script into sigtool --hex-dump (this time I'm not redirecting output into a file just yet):


Pic.3: Signature using a hex fragment of a file.

Then I'm going to create a signature that has the format Name:TargetType:Offset:HexSignature and redirect it to a file with a .ndb extension, like I did at the end of the example above. You'll notice that I did not include the line break 0d0a in the hex signature.
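The three signature formats used above (.hdb, .mdb-style hashes, .ndb hex fragments) are plain text, so it is easy to see what sigtool computes and to check a signature against a file before deploying it. The following Python script is an added example written for this post, not ClamAV's or sigtool's code: it reproduces the --md5 and --hex-dump output for the phrase from the example, builds the Name:TargetType:Offset:HexSignature line, and runs a deliberately simplified matcher (plain hex bytes and the ?? wildcard only, TargetType 0 only) over a constructed copy of the text file. The function names and the signature names Test.BadScript and Test.ExactFile are assumptions.

```python
# Added example (not ClamAV/sigtool code): build .hdb and .ndb signature
# lines the way sigtool does, then check them with a minimal matcher.
import hashlib
import re

# Constructed sample file, reproducing the text file from the post.
# Saved from Notepad it would end in the 0d0a line break mentioned above.
SAMPLE_TEXT = (b"I look like a benign file but actually I am a bad script and "
               b"I will pwn your machine, if you don't pay attention.\r\n")


def hex_dump(data: bytes) -> str:
    """What `sigtool --hex-dump` prints for the bytes fed to it: lowercase hex."""
    return data.hex()


def md5_signature(data: bytes, name: str) -> str:
    """A .hdb line in the form MD5:FileSize:MalwareName, as `sigtool --md5` emits."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def ndb_signature(name: str, fragment: bytes, target_type: int = 0,
                  offset: str = "*") -> str:
    """A .ndb line MalwareName:TargetType:Offset:HexSignature.
    Pass the fragment without its line break, so that 0d0a does not end up
    in the hex and the signature still matches files saved with other
    line endings."""
    return f"{name}:{target_type}:{offset}:{hex_dump(fragment)}"


def _hexsig_to_regex(hexsig: str) -> re.Pattern:
    """Translate the hex body into a bytes regex. Only plain hex bytes and
    the single-byte wildcard `??` are supported (a small subset of what
    ClamAV accepts)."""
    parts = []
    for i in range(0, len(hexsig), 2):
        byte = hexsig[i:i + 2]
        parts.append(b"." if byte == "??" else re.escape(bytes.fromhex(byte)))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, ndb_lines=(), hdb_lines=()) -> list:
    """Return the names of all signatures that match `data`."""
    hits = []
    md5 = hashlib.md5(data).hexdigest()
    for line in hdb_lines:
        digest, size, name = line.strip().split(":")
        # Hash signatures match only an identical file (same digest and size).
        if digest == md5 and int(size) == len(data):
            hits.append(name)
    for line in ndb_lines:
        name, target_type, offset, hexsig = line.strip().split(":")
        if target_type != "0":      # 0 = any file type; others not modelled
            continue
        pattern = _hexsig_to_regex(hexsig)
        if offset == "*":
            matched = pattern.search(data) is not None
        else:                       # absolute offset from the start of the file
            matched = pattern.match(data, int(offset)) is not None
        if matched:
            hits.append(name)
    return hits


if __name__ == "__main__":
    ndb = ndb_signature("Test.BadScript", b"I am a bad script")
    hdb = md5_signature(SAMPLE_TEXT, "Test.ExactFile")
    print(ndb)
    print(hdb)
    print(scan(SAMPLE_TEXT, [ndb], [hdb]))
    # A rewritten copy still trips the fragment signature but not the hash.
    print(scan(b"Something else, but I am a bad script too", [ndb], [hdb]))
```

Running it prints the same hex body you get from piping the phrase into sigtool --hex-dump, minus the trailing line break, and shows the difference between the two approaches: the hash signature stops matching as soon as a single byte of the file changes, while the fragment signature keeps matching any file that contains the phrase.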

For more in-depth information on how to create signatures, check out the documentation on Creating Signatures for ClamAV. There is also a webcast on the topic as well as a blog entry on how to create logical signatures for ClamAV.

Well, all that is good and I've created signatures, how do I load them into Immunet 3.0? You may very well ask.

First things first: Make sure that the ClamAV detection engine is turned on. Open Immunet 3.0, select “Settings” and switch the ClamAV “on”. Click on “Apply”.


Pic.4: Making sure that the ClamAV engine is turned on.

Optional (but highly recommended): Back in the main pane, click on “Update Now” to download the latest official ClamAV signatures.


Pic.5: "Update Now" to get the latest official ClamAV signatures.

Next, launch SigUI from Start->All Programs->Immunet 3.0->Custom Signature Tool.


Pic.6: SigUI's interface.

SigUI is a graphical user interface used to configure a back-end tool called Freshclam, which is used to download ClamAV signatures. Under the "Updater configuration" tab, you can enter proxy settings if you access the Internet using a proxy. To ensure that the settings have been entered properly, click on "Run freshclam to test configuration". Upon successfully accessing the Internet, Freshclam will exit without error ("Freshclam exited with code: 0") (see Pic. 7):


Pic.7: Freshclam running.

Next, from the pull-down menu "Download Official Signatures from mirror", select where you want to download official ClamAV signatures from. By default, official signatures will be fetched from db.local.clamav.net. Although this works well most of the time, you may get better performance by using a server closer to your location. Mirrors are in the form db.XY.clamav.net, where XY is a two-letter country code. Alternatively, you can manually enter a hostname, such as your own server if that is where you are hosting the official ClamAV signatures. This completes the configuration for the automatic retrieval of official signatures.

To deploy your own signatures (or signatures provided by third-parties), you can either:
- specify their full URI (URL or UNC path) under "Custom signatures URLs" (see Pic. 6). The signatures can be in any format that ClamAV understands
- add the signature file(s) under the "Local signature management" tab (see Pic. 8). At that point the signatures aren't yet installed. You must click on "Verify and Install signatures" to test the new signatures (see Pic. 9). The ones that pass verification will be installed and ClamAV will load them at the next database update


Pic.8: SigUI's "Local signature management" tab


Pic.9: Signatures installed after verification

Your custom signatures will be copied to the ClamAV signatures folder and loaded the next time the system is idle.

Voila! You now know how to write and deploy your own ClamAV signatures. You can also load third-party signatures written in a format that ClamAV understands the same way you would your custom signatures. Again, you don't have to write your own signatures, but you can if you want, and that is a powerful feature at your disposal. Feel free to contribute your signatures to our online forum. Feel free to post your questions to our mailing list. Additionally, you will find someone to answer your questions in the IRC chat room #clamav on irc.freenode.net.

Wednesday, February 9, 2011

Sourcefire Unveils Immunet 3.0, with Customized Protection Against Zero-Day Threats and Automated Remediation of Infected Files

Columbia, MD – February 09, 2011 -- Sourcefire, Inc. (Nasdaq: FIRE), the creator of Snort® and a leader in intelligent cybersecurity solutions, today announced the availability of Immunet™ 3.0, which leverages a cloud-based collective immunity platform to deliver real-time protection against zero-day attacks. Immunet 3.0 enables businesses and consumers to create custom anti-malware signatures for more accurate protection against targeted attacks and offers an innovative Cloud Recall™ feature, which can remediate previously approved files, automatically quarantining them in real time based on new threat information.

“Immunet 3.0 changes the way anti-malware works. By leveraging the cloud and allowing users to create custom signatures, Sourcefire is increasing the speed and accuracy of its protection to align with the demands of today’s environments,” said Charles Kolodgy, Research Vice President at IDC. “With the added ability to protect against malware introduced by non-traditional means, including rootkits and USB drives, Immunet 3.0 is offering customers the functionality they require, while filling significant holes that have been left by more traditional solutions.”

Backed by the additional resources of Sourcefire®, Immunet 3.0 offers significant advancements that enable consumers and businesses to protect their PCs from Client-Side attacks.  These include:
  • Custom Signature Creation – While customization is available in some enterprise security solutions, including Intrusion Prevention Systems, traditional antivirus offerings continue to take a “black box” mentality to customization. With Immunet 3.0, customers now have the power to create signatures for their specific requirements, significantly improving the effectiveness of Immunet.
  • Cloud Recall – This new, innovative feature leverages the power of the Immunet platform to provide increased endpoint protection.  Through continuous file processing in the cloud, Immunet 3.0 can retroactively quarantine a file that was originally cleared, but later deemed to be malware. The Immunet Community is updated automatically as new threats are discovered.  Cloud Recall provides a significant advantage over traditional approaches to solving this problem, which include sending 20,000 - 40,000 signatures down to each and every endpoint on a daily basis, then invoking a resource-intensive full system scan.
  • Collective Immunity™ – A key benefit of Immunet 3.0 is Collective Immunity, which allows users to harness the collective presence of Immunet’s 850,000 worldwide users for increased endpoint protection. This cloud-based approach enables organizations to better protect against zero-day attacks with real-time protection driven by intelligence from the user community.  Each time someone in this collective community encounters a threat, everyone else in the community automatically gains protection from that same threat in real time. Customers no longer have to rely on the isolated security of their traditional antivirus vendor.
Because Immunet offers users an extremely light client, it is ideal for individual consumers and organizations looking to enhance their current anti-malware protection with a companion solution.  Removing previous limitations for multiple anti-malware solutions residing on a single system, Immunet enables users and organizations to simultaneously run multiple solutions, without the risk of system conflicts, for defense-in-depth protection.

“When it comes to protecting against new and targeted threats, traditional anti-malware solutions typically fall short because of the time it takes to push new signatures,” said Martin Roesch, Sourcefire’s CTO and Founder. “Sourcefire’s approach is revolutionizing the way consumers and organizations protect their endpoints. By leveraging our innovative cloud platform and enabling customers to create custom signatures, Immunet 3.0 is offering consumers and businesses the ability to take a more proactive stance with their anti-malware investments and better protect against the latest attacks that traditional solutions miss.”

About Sourcefire
Sourcefire, Inc. (Nasdaq:FIRE), is a world leader in intelligent cybersecurity solutions.  Sourcefire is transforming the way Global 2000 organizations and government agencies manage and minimize network security risks. Sourcefire’s IPS, RNA® (Real-time Network Awareness) and Real-time Adaptive Security solutions equip customers with an efficient and effective layered security defense – protecting network assets before, during and after an attack. Through the years, Sourcefire has been consistently recognized for its innovation and industry leadership by customers, media and industry analysts alike – with more than 50 awards and accolades. Today, the name Sourcefire has grown synonymous with innovation and network security intelligence. For more information about Sourcefire, please visit http://www.sourcefire.com.

SOURCEFIRE®, Sourcefire IPS™, SNORT®, RAZORBACK™, the Sourcefire logo, the Snort and Pig logo, SECURITY FOR THE REAL WORLD™, SOURCEFIRE DEFENSE CENTER®, SOURCEFIRE 3D®, RNA®, RUA®, DAEMONLOGGER™, CLAMAV®, IMMUNET™ and certain other trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may be trademarks or service marks of others.

Tuesday, February 8, 2011

Immunet 3.0 - Powered by ClamAV

Tomorrow, February 9th, will mark the day that the Immunet 3.0 product from Sourcefire officially rolls out. Immunet 3.0 not only has the familiar Immunet cloud-based anti-virus product that you are used to, but also builds in the ClamAV 0.97 engine for even more detection of threats.

We are no longer calling the product "ClamAV for Windows 3.0", we are now referring to the product as "Immunet 3.0".

New Features:
  • Offline Protection -- This is the ClamAV portion, allowing you to stay protected even while not connected to the Immunet cloud.
  • Cloud Recall -- Even if the file that Immunet scanned today is "clean", and tomorrow it's discovered the file is bad, Immunet will still get it.
  • Custom Signature Generation -- This gives advanced users the ability to create your own anti-virus signatures for new emerging threats.  With the Immunet 3.0 release, we are the only Windows based anti-virus product to allow you to do this.
This is a great release, building in a lot of features; combining the power of ClamAV with the power of the Immunet cloud is quite an achievement.

Check out the blog post from Al Huger over on the Immunet blog for further information.  I'll put a formal announcement up tomorrow.

Monday, February 7, 2011

ClamAV 0.97 has been released!

Since the release of ClamAV 0.97rc, there have been several bug fixes:

* libclamav/vba_extract.c: fix error path double free (bb#2486)
* libclamav/phishcheck.c: fix some missed safebrowsing URLs (bb#2514)
* libclamav/matcher-bm.c: fix error message (bb#2513)
* libclamav/matcher-hash.c: stop leaking virusnames (nopool mode)

So anyone using the RC, or a previous version of ClamAV, should go ahead and take the opportunity to update to 0.97 now.

ClamAV 0.97 brings many improvements, including complete Windows support (all major components compile out-of-box under Visual Studio), support for signatures based on SHA1 and SHA256, better error detection, as well as speed and memory optimizations. The complete list of changes is available in the ChangeLog file. For upgrade notes and tips please see: https://wiki.clamav.net/Main/UpgradeNotes097

Download: http://downloads.sourceforge.net/cla...av-0.97.tar.gz
PGP sig: http://downloads.sourceforge.net/cla....97.tar.gz.sig
Bugfixes: http://www.clamav.net/release-info/bugs/0.97
ChangeLog: http://www.clamav.net/release-info/changelog/0.97

We'll have further information regarding ClamAV this week, stay tuned to the blog to find out more!

Wednesday, February 2, 2011

ClamAV 0.97rc is available for download

The release candidate for ClamAV 0.97 is available for download.

ClamAV 0.97 brings many improvements, including complete Windows support
(all major components compile out-of-box under Visual Studio), support
for signatures based on SHA1 and SHA256, better error detection, as well as
speed and memory optimizations. The complete list of changes is
available in the ChangeLog file. For upgrade notes and tips please see:
https://wiki.clamav.net/Main/UpgradeNotes097

We encourage as many people as possible to test this release.
If you don't have access to a test machine you can still help
by downloading it and checking for us that it compiles and links
on your platform and by running "make check".
If you do have a test machine/model/network please help us by loading
ClamAV 0.97rc and testing.

All bug reports should be filed at http://bugs.clamav.net.
We also encourage all 3rd party developers of products and
distribution/port maintainers to download and check this update so that
you can go live as soon as the final version is released.

Download : http://downloads.sourceforge.net/clamav/clamav-0.97rc.tar.gz
PGP sig : http://downloads.sourceforge.net/clamav/clamav-0.97rc.tar.gz.sig
Bugfixes : http://www.clamav.net/release-info/bugs/0.97
ChangeLog: http://git.clamav.net/gitweb?p=clamav-devel.git;a=blob_plain;f=ChangeLog;hb=clamav-0.97rc