ClamAV Signatures from SecuriteInfo 90% Detection Rate!

[hata_ph]

I cannot download the virus for testing https://easyupload.io/m/r0xayp

 

[killmasta93]

Hi im attaching you again
https://we.tl/t-Sqf9j89OFP

 

[hata_ph]

Btw, I notice latest clamav signature should detect the virus without 3rd party signature.

 

[killmasta93]

but on proxmox its not detecting whats odd

 

[tom]

but on proxmox its not detecting whats odd

if the flie is compressed with rar, you need to install the needed toolset.

see https://forum.proxmox.com/threads/av-scanning-in-rar-archives-not-working.71139/#post-319137

 

[hata_ph]

@tom Yes, it is missing libclamunrar. But why PMG did not include clamav rar support in the first place if PMG come with clamav as the default antivirus?

It is mentioned in the reference documentation - https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmg_package_repositories
(3.5.6 Other Repository Sources)

 

[hata_ph]

but on proxmox its not detecting whats odd

Follow below link to enable clamav rar support.

https://forum.proxmox.com/threads/pmg-clamav-rar-support.104387/

 

[killmasta93]

Thank you so much @hata_ph

 

[killmasta93]

hi guys anyone else has had this issue before, currently im using the securite paid version but when i try to scan it manually i get this

clamscan -id /var/lib/clamav securiteinfo0hour.hdb /root/bademail.eml
securiteinfo0hour.hdb: No such file or directory
WARNING: securiteinfo0hour.hdb: Can't access file
/root/bademail.eml: SecuriteInfo.com.Exploit.CVE-2018-0802.Gen.27640.18064.UNOFFICIAL FOUND

but when i check the directory it shows the .hdb file

----------- SCAN SUMMARY -----------
Known viruses: 12902762
Engine version: 0.103.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.66 MB
Data read: 0.30 MB (ratio 2.22:1)
Time: 37.121 sec (0 m 37 s)
Start Date: 2022:05:25 00:15:48
End Date:   2022:05:25 00:16:25


root@mail:/var/lib/clamav# ls -l -h
total 592M
-rw-r--r-- 1 clamav clamav 586K Oct 14  2020 MiscreantPunch099-Low.ldb
-rw-r--r-- 1 clamav clamav 1.5K Jul  1  2015 Sanesecurity_sigtest.yara
-rw-r--r-- 1 clamav clamav 1.3K Feb 22  2016 Sanesecurity_spam.yara
-rw-r--r-- 1 clamav clamav  98K May 16 07:48 badmacro.ndb
-rw-r--r-- 1 clamav clamav 495K May 25 00:06 blurl.ndb
-rw-r--r-- 1 clamav clamav 3.4K Oct 14  2020 bofhland_cracked_URL.ndb
-rw-r--r-- 1 clamav clamav  610 Oct 14  2020 bofhland_malware_URL.ndb
-rw-r--r-- 1 clamav clamav 104K Oct 14  2020 bofhland_malware_attach.hdb
-rw-r--r-- 1 clamav clamav 9.5K Oct 14  2020 bofhland_phishing_URL.ndb
-rw-r--r-- 1 clamav clamav 287K Mar  9  2021 bytecode.cvd
-rw-r--r-- 1 clamav clamav  56M May 24 03:42 daily.cvd
-rw-r--r-- 1 clamav clamav 241K May 24 11:06 foxhole_filename.cdb
-rw-r--r-- 1 clamav clamav  51K Sep 11  2020 foxhole_generic.cdb
-rw-r--r-- 1 clamav clamav 3.8K Aug 18  2017 foxhole_js.cdb
-rw-r--r-- 1 clamav clamav  230 Nov 21  2016 foxhole_js.ndb
-rw-r--r-- 1 clamav clamav   69 May 16 23:08 freshclam.dat
-rw-r--r-- 1 clamav clamav  48K Aug  5  2015 hackingteam.hsb
-rw-r--r-- 1 clamav clamav  15M May 24 01:42 javascript.ndb
-rw-r--r-- 1 clamav clamav 6.7M May 24 11:06 junk.ndb
-rw-r--r-- 1 clamav clamav 661K May 24 11:06 jurlbl.ndb
-rw-r--r-- 1 clamav clamav 172K May 24 19:06 jurlbla.ndb
-rw-r--r-- 1 clamav clamav 240K May 12 03:06 lott.ndb
-rw-r--r-- 1 clamav clamav 163M Nov 10  2021 main.cvd
-rw-r--r-- 1 clamav clamav   73 Oct 14  2020 malware.expert.fp
-rw-r--r-- 1 clamav clamav   73 Oct 14  2020 malware.expert.hdb
-rw-r--r-- 1 clamav clamav  246 Oct 14  2020 malware.expert.ldb
-rw-r--r-- 1 clamav clamav  130 Oct 14  2020 malware.expert.ndb
-rw-r--r-- 1 clamav clamav  73K Jun 29  2017 malwarehash.hsb
-rw-r--r-- 1 clamav clamav  147 Oct 14  2020 malwarepatrol.db
-rw-r--r-- 1 clamav clamav 4.1M May 24 09:06 phish.ndb
-rw-r--r-- 1 clamav clamav 600K Feb  5 10:00 phishtank.ndb
-rw-r--r-- 1 clamav clamav  31K May 24 21:01 porcupine.hsb
-rw-r--r-- 1 clamav clamav 640K May 25 00:00 porcupine.ndb
-rw-r--r-- 1 clamav clamav 847K Mar 16 00:22 rfxn.hdb
-rw-r--r-- 1 clamav clamav 442K Dec  1  2020 rfxn.ndb
-rw-r--r-- 1 clamav clamav 401K Aug 17  2020 rfxn.yara
-rw-r--r-- 1 clamav clamav 292K May 25 00:06 rogue.hdb
-rw-r--r-- 1 clamav clamav  13K Mar 31 10:07 sanesecurity.ftm
-rw-r--r-- 1 clamav clamav 1.9M May 24 04:05 scam.ndb
-rw-r--r-- 1 clamav clamav  108 Nov 16  2020 scamnailer.ndb
-rw-r--r-- 1 clamav clamav  11M May 24 21:48 securiteinfo.hdb
-rw-r--r-- 1 clamav clamav 3.7K May 16 23:08 securiteinfo.ign2
-rw-r--r-- 1 clamav clamav 1.7M May 24 13:45 securiteinfo.mdb
-rw-r--r-- 1 clamav clamav  123 May 19 10:45 securiteinfo.pdb
-rw-r--r-- 1 clamav clamav 3.3K May 16 23:09 securiteinfo.yara
-rw-r--r-- 1 clamav clamav  38K May 25 00:11 securiteinfo0hour.hdb
-rw-r--r-- 1 clamav clamav 9.1M May 24 20:17 securiteinfoandroid.hdb
-rw-r--r-- 1 clamav clamav 8.8M May 24 21:17 securiteinfoascii.hdb
-rw-r--r-- 1 clamav clamav 5.1M May 24 20:47 securiteinfohtml.hdb
-rw-r--r-- 1 clamav clamav 299M May 16 23:08 securiteinfoold.hdb
-rw-r--r-- 1 clamav clamav 210K May 24 20:17 securiteinfopdf.hdb
-rw-r--r-- 1 clamav clamav 7.2K Dec 31  2020 shelter.ldb
-rw-r--r-- 1 clamav clamav  394 Apr 21 08:11 sigwhitelist.ign2
-rw-r--r-- 1 clamav clamav  556 May  5  2017 spam.ldb
-rw-r--r-- 1 clamav clamav 4.6M May 25 00:11 spam_marketing.ndb
-rw-r--r-- 1 clamav clamav 1.4K Apr 28  2017 spamattach.hdb
-rw-r--r-- 1 clamav clamav  20K May  5 07:06 spamimg.hdb
-rw-r--r-- 1 clamav clamav  115 Oct 14  2020 spear.ndb
-rw-r--r-- 1 clamav clamav  115 Nov 27  2018 spearl.ndb
-rw-r--r-- 1 clamav clamav 987K May 25 00:09 urlhaus.ndb
-rw-r--r-- 1 clamav clamav   64 Apr 20 09:14 winnow.attachments.hdb
-rw-r--r-- 1 clamav clamav  660 Mar  5  2018 winnow.complex.patterns.ldb
-rw-r--r-- 1 clamav clamav   66 Mar  5  2018 winnow_bad_cw.hdb
-rw-r--r-- 1 clamav clamav   65 Apr 20 09:08 winnow_extended_malware.hdb
-rw-r--r-- 1 clamav clamav  159 Mar  5  2018 winnow_extended_malware_links.ndb
-rw-r--r-- 1 clamav clamav   65 Apr 20 09:00 winnow_malware.hdb
-rw-r--r-- 1 clamav clamav  15K Nov 26  2019 winnow_malware_links.ndb
-rw-r--r-- 1 clamav clamav 6.5K Nov 13  2018 winnow_phish_complete_url.ndb
-rw-r--r-- 1 clamav clamav 2.8K Nov 14  2018 winnow_spam_complete.ndb

 

[Stoiko Ivanov]

clamscan -id /var/lib/clamav securiteinfo0hour.hdb /root/bademail.eml

I think you're using clamscan wrong - see the manpage: `man clamscan`

I suppose it will work if you run `clamscan -id /var/lib/clamav /root/bademail.eml` - or even just: `clamscan -i /root/bademail.eml`

 

[killmasta93]

hi @Stoiko Ivanov it seems that it reads the file but very odd how it got passed in the first place i guess ill come back if anything comes up

root@mail:~# clamscan -i /root/bademail.eml
/root/bademail.eml: SecuriteInfo.com.Exploit.CVE-2018-0802.Gen.27640.18064.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 12908794
Engine version: 0.103.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.66 MB
Data read: 0.30 MB (ratio 2.22:1)
Time: 44.959 sec (0 m 44 s)
Start Date: 2022:05:30 14:14:30
End Date:   2022:05:30 14:15:15

Thank you