PE Headers
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Some months ago, Sherpya and bOne did some work on PE headers. I was wondering if anything ever came of this--did they come up with anything that could be used in ClamWin to enhance malware identification using PE file headers?

Regards,
Re: PE Headers
b0ne


Joined: 26 Oct 2006
Posts: 0
GuitarBob wrote:
Some months ago, Sherpya and bOne did some work on PE headers. I was wondering if anything ever came of this--did they come up with anything that could be used in ClamWin to enhance malware identification using PE file headers?


It was to enable self-decrypted processes to be dumped from memory to disk, then scanned by clamscan. It's in there; unfortunately, most signatures created by the clamav team do not target unpacked data since clamav has limited unpacking capabilities.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Thanks for the info. Clam adds a new unpacker every once in a while. Have you contacted them to see if they are interested in enabling this functionality? They might at least keep it on the back burner.

Regards,
b0ne


Joined: 26 Oct 2006
Posts: 0
GuitarBob wrote:
Thanks for the info. Clam adds a new unpacker every once in a while. Have you contacted them to see if they are interested in enabling this functionality? They might at least keep it on the back burner.


Unfortunately, it is platform dependent functionality. It is designed to target malware that has already "run" on the Windows platform and has unpacked itself with no 3rd party intervention.

In order to scan that with the clamav engine, all that is basically needed is to dump that process snapshot out of memory to a temp file on disk and toss it at clamscan.
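The dump-and-rescan step b0ne describes has one non-obvious part: a raw copy of a mapped image has its sections at their virtual addresses, but the section headers in that copy still carry the on-disk file offsets, so a file-based parser (clamscan included) reads the wrong bytes unless the headers are rewritten first. The script below is an added example, not code from this thread or from ClamWin/ClamAV: it rebuilds the section table of a dumped image (PointerToRawData := VirtualAddress, SizeOfRawData := aligned VirtualSize, FileAlignment := SectionAlignment) and shows, on a constructed sample image, that the "unpacked" section bytes become readable through the file offsets only after the fix. Reading the process memory on Windows (ReadProcessMemory) is assumed to have happened already and is not shown; all header offsets follow the published PE layout.

```python
"""
Rebuild a PE image dumped from process memory so that a file-based scanner
(clamscan, any PE parser) can read it. Added example; not ClamWin/ClamAV code.

On disk a section's bytes live at PointerToRawData; once mapped by the Windows
loader they live at ImageBase + VirtualAddress. A raw dump of the mapped image
therefore holds data at the *virtual* offsets while its headers still claim the
*file* offsets. The classic fix (what LordPE-style dumpers do) is to make the raw
offset/size equal the virtual offset/size and set FileAlignment = SectionAlignment.
"""
import struct

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def _round_up(x: int, align: int) -> int:
    return (x + align - 1) // align * align


def _layout(image: bytes):
    """Locate file header, optional header and section table; validate signatures."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    # SectionAlignment (+32), FileAlignment (+36), SizeOfImage (+56): same in PE32 and PE32+
    sect_align = struct.unpack_from("<I", image, opt_off + 32)[0]
    size_of_image = struct.unpack_from("<I", image, opt_off + 56)[0]
    return opt_off, opt_off + size_opt, num_sections, sect_align, size_of_image


def section_table(image: bytes) -> list:
    """Section headers as dicts, exactly as a file-based parser sees them."""
    _, sect_off, n, _, _ = _layout(image)
    out = []
    for i in range(n):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, sect_off + i * SECTION_HEADER_SIZE)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "vsize": vsize, "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return out


def read_section(image: bytes, name: str) -> bytes:
    """The bytes a file parser gets for a section by following PointerToRawData."""
    for s in section_table(image):
        if s["name"] == name:
            return image[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
    raise KeyError(name)


def fix_dump(dump: bytes) -> bytes:
    """Return a copy of a memory dump whose headers describe the dumped (virtual) layout."""
    img = bytearray(dump)
    opt_off, sect_off, n, sect_align, size_of_image = _layout(img)
    if len(img) < size_of_image:                            # short dump: pad so raw ranges exist
        img.extend(b"\0" * (size_of_image - len(img)))
    struct.pack_into("<I", img, opt_off + 36, sect_align)   # FileAlignment := SectionAlignment
    for i in range(n):
        h = sect_off + i * SECTION_HEADER_SIZE
        vsize, va, old_raw_size = struct.unpack_from("<III", img, h + 8)
        size = _round_up(vsize or old_raw_size, sect_align)  # some packers leave VirtualSize = 0
        size = min(size, max(0, len(img) - va))               # never point past the image
        struct.pack_into("<II", img, h + 16, size, va)        # SizeOfRawData, PointerToRawData
    return bytes(img)


def build_sample_dump() -> bytes:
    """Constructed sample (not a real executable): a PE32 image laid out as it appears
    in process memory, with section headers still holding the on-disk offsets."""
    sect_align, file_align, size_of_image, e_lfanew = 0x1000, 0x200, 0x3000, 0x80
    sections = [  # name, VirtualAddress, on-disk PointerToRawData, "unpacked" content
        (b".text", 0x1000, 0x400, b"UNPACKED-CODE-HERE"),
        (b".data", 0x2000, 0x600, b"UNPACKED-DATA-HERE"),
    ]
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, sect_align, file_align)     # ImageBase, alignments
    struct.pack_into("<II", opt, 56, size_of_image, 0x400)                  # SizeOfImage, SizeOfHeaders
    sect_hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, len(c), va, _round_up(len(c), file_align), raw,
                    0, 0, 0, 0, 0x60000020)
        for name, va, raw, c in sections)
    image = bytearray(size_of_image)
    hdrs = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect_hdrs
    image[:len(hdrs)] = hdrs
    for _, va, _, content in sections:
        image[va:va + len(content)] = content                # data sits at virtual offsets
    return bytes(image)


if __name__ == "__main__":
    import tempfile
    dump = build_sample_dump()
    print("before:", read_section(dump, ".text")[:18])      # zeros: file offset is wrong
    fixed = fix_dump(dump)
    print("after: ", read_section(fixed, ".text")[:18])     # b'UNPACKED-CODE-HERE'
    with tempfile.NamedTemporaryFile("wb", suffix=".bin", delete=False) as f:
        f.write(fixed)
    print("now run: clamscan", f.name)
```

The repaired file is what gets "tossed at clamscan"; without the header rewrite the scanner's own PE parser would either reject the dump or match only on the packer stub that is still in the headers region. Imports, relocations and the entry point are left untouched here, which is enough for signature scanning but not for making the dump executable again.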
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
b0ne wrote:
Unfortunately, it is platform dependent functionality. It is designed to target malware that has already "run" on the Windows platform and has unpacked itself with no 3rd party intervention.

In order to scan that with the clamav engine, all that is basically needed is to dump that process snapshot out of memory to a temp file on disk and toss it at clamscan.


It seems like some good functionality that should be considered, but I guess Clam isn't concerned with Windows per se. By "already run" do you mean that if this functionality could be implemented, the associated malware will have already done its thing or just unpacked itself? If it has done its thing, what would it take to insert a Windows hook to prevent it from running if it is malware? Finally, is there any way to toss it at Clamscan from ClamWin?

Regards,
b0ne


Joined: 26 Oct 2006
Posts: 0
GuitarBob wrote:

By "already run" do you mean that if this functionality could be implemented, the associated malware will have already done its thing or just unpacked itself? If it has done its thing, what would it take to insert a Windows hook to prevent it from running if it is malware? Finally, is there any way to toss it at Clamscan from ClamWin?


I mean that the malware is already alive on the system and currently still has a process loaded in memory. Allowing it to decrypt itself while not performing malicious things on the live OS is a near impossible thing to do in a generic fashion without an emulator and a "fake" windows environment inside of that emulator.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
I see. Some security people have been talking about virtual sandboxes lately. Would that be feasible?

Regards,
b0ne


Joined: 26 Oct 2006
Posts: 0
GuitarBob wrote:
I see. Some security people have been talking about virtual sandboxes lately. Would that be feasible?


Essentially the same thing. It takes a massive amount of effort and time to create such things.