As a Linux user, most virus and malware threats mean little to me, however if you are responsible for Windows users then you need to be on top of the game.

Even though viral email attachments aren't the major attack vector for Windows PCs that they were a few years ago, a few times recently I've found the need to block viral emails which the major AV engines weren't catching, or they were sufficiently behind the curve that I've had to create my own signatures to block viral attachments while I waited for the AV vendors to catch up.

Enter ClamAV. I use ClamAV on my own mail servers, I've also used it at work alongside several commercial AV engines, and every now and again there will be a viral attachment that none of the AV engines catch, especially when a new threat is released.

ClamAV is an anti-virus toolkit for Unix and Windows. Aside from being an on-demand virus scanner, ClamAV comes with a suite of tools for creating your own anti-virus signatures, which can then be used as part of the regular AV definitions when running a scan.

The first thing you need is something which you want to detect. It might be a virus, some other piece of malware or maybe just a nuisance application installer. It helps if you're not running Windows, so you don't infect yourself with whatever it is you are trying to detect, and running the following commands will be easy for you. If you have an email with your attachment or file in it, you need to save the attachment to your PC.

If it's still on the mail server, either download the mail and save the file or, if you have shell access to the server, copy the entire mail file itself to your PC, which is easy if you're using maildirs. If you use mboxes you need to take a copy of the mail somehow so it's in a file of its own (look at csplit for example).

If you have a file containing the email rather than having saved the attachment from within your mail client, you need to split the text and attachment parts out from each other. You need Perl and the MIME::Parser module from CPAN (sudo cpan install MIME::Parser for Ubuntu users). Save it as or something and make it executable.

Then run it with an argument of the file to strip such as:

The output will give you the paths to the text portion and the attachment portion of the email.

If you saved the email attachment to your PC from your mail client, you can start to pay attention now. What you now have is the file you want to block. If it's zipped, compressed or in any other kind of container then unzip it or extract it, as ClamAV can see inside these archives if you configured it to do so and you have the right tools installed (like unzip under Linux for example).

Next create a signature of the file using ClamAV's sigtool:

```sh
cat testfile | sigtool --hex-dump | head -c 2048 > customsig.ndb
```

In this case, testfile is your undesirable file and we have taken a signature of the first 2KB, otherwise the signature would be huge and therefore scanning would be inefficient. We have saved the generated signature in customsig.ndb. In theory, you need to take a signature of a unique portion of the file. You can also take a signature from an offset within the file, it doesn't have to be from the start of the file. See the ClamAV signature docs for more detail on how to create signatures.

You should edit customsig.ndb and prefix the content with the appropriate Name, Type and Offset in the following format:

1 = Portable Executable (i.e. Windows exe).
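The two steps above (splitting the text and attachment parts out of a mail file, then turning a chunk of the attachment into a `.ndb` entry) as an added example; this is not the post's Perl script nor any ClamAV code. It uses only Python's standard library, so neither MIME::Parser nor sigtool is needed to run it: `bytes.hex()` produces the same lowercase hex that `sigtool --hex-dump` prints, and the `.ndb` line layout is ClamAV's documented `MalwareName:TargetType:Offset:HexSignature`. The message, the attachment bytes and the signature name `Example.Constructed.Stub` are all constructed for the demonstration. One check worth knowing: `head -c 2048` on a hex dump keeps 2048 hex characters, which is the first 1024 bytes of the file; the `length` parameter below is counted in bytes so there is no factor of two to remember.

```python
"""Added example, not code from the original post. It stands in for the
post's Perl MIME::Parser script and the `cat file | sigtool --hex-dump | head -c N`
pipeline using only Python's standard library, so sigtool is not needed to run it."""
import tempfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from pathlib import Path

# Constructed stand-in for the "undesirable file": an MZ stub followed by
# filler bytes. It is not a real executable and not malware.
FAKE_ATTACHMENT = b"MZ\x90\x00" + bytes(range(256)) * 8


def build_sample_email() -> bytes:
    """Assemble a constructed multipart message with a text body and one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(FAKE_ATTACHMENT, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


def split_email(raw: bytes, out_dir: Path) -> dict:
    """Write the text part(s) and attachment(s) of a raw RFC 822 message to out_dir.

    Returns {"text": [paths], "attachments": [paths]}, the same information the
    post's Perl script prints. Path(filename).name drops any directory
    component a hostile filename header might carry.
    """
    msg = message_from_bytes(raw, policy=default)
    found = {"text": [], "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            target = out_dir / Path(filename).name
            target.write_bytes(part.get_payload(decode=True))
            found["attachments"].append(target)
        elif part.get_content_type() == "text/plain":
            target = out_dir / "body.txt"
            target.write_text(part.get_content())
            found["text"].append(target)
    return found


def ndb_line(name: str, data: bytes, offset: int = 0, length: int = 1024,
             target_type: int = 1) -> str:
    """Build one .ndb entry: MalwareName:TargetType:Offset:HexSignature.

    bytes.hex() yields the same lowercase hex that `sigtool --hex-dump` prints;
    `length` is counted in bytes, so it equals `head -c 2*length` on the dump.
    target_type 1 = Portable Executable (as the post notes), 0 = any file.
    """
    chunk = data[offset:offset + length]
    if not chunk:
        raise ValueError("offset lies beyond the end of the data")
    return f"{name}:{target_type}:{offset}:{chunk.hex()}"


def ndb_matches(line: str, data: bytes) -> bool:
    """Check an .ndb entry against data: absolute offset, or '*' for anywhere.

    A toy matcher for demonstration only; ClamAV's own engine also understands
    offsets such as EOF-n and EP+n, which are not handled here.
    """
    _name, _target, offset, sig = line.split(":")
    needle = bytes.fromhex(sig)
    if offset == "*":
        return needle in data
    start = int(offset)
    return data[start:start + len(needle)] == needle


def demo() -> dict:
    """Run the whole flow on the constructed message and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        parts = split_email(build_sample_email(), Path(tmp))
        attachment = parts["attachments"][0].read_bytes()
        body_text = parts["text"][0].read_bytes()
        # 64 bytes from offset 0 keeps the entry short; pick a unique region
        # of the real file rather than a generic header when doing this for real.
        sig = ndb_line("Example.Constructed.Stub", attachment, offset=0, length=64)
        return {
            "attachment_name": parts["attachments"][0].name,
            "attachment_intact": attachment == FAKE_ATTACHMENT,
            "signature": sig,
            "hits_attachment": ndb_matches(sig, attachment),
            "hits_body_text": ndb_matches(sig, body_text),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`ndb_matches` is only there to show what the Offset field means (an absolute position, or `*` for anywhere in the file); for real scanning, drop the generated line into a `.ndb` file in ClamAV's database directory and let clamscan do the matching. The `length=64` in `demo()` is deliberately small so the printed entry fits on screen; the post's 2KB-of-hex-dump choice corresponds to `length=1024`.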