Mailing List Archive: ClamAV: users

Custom Database Match Priority


ngseclists at gmail

Jun 6, 2012, 4:37 PM

Post #1 of 3
Custom Database Match Priority

Folks,

I'm using clamscan 0.97.4 on CentOS 5.8.

Hello, I'm trying to accomplish something specific using my custom
databases. I have two custom databases, one matching on MD5 sums and
another matching on hex strings. When I run a scan using these databases,
it always matches the hex strings first and doesn't match the md5 strings.
I know the md5 strings match and also the hex strings match as I've tested
to ensure it's not a stupid mistake on my part.

I've tested differing filenames, and passing one first to the CLI vs
another and there's no change.

My question is, is there a way to force database priority, i.e. if there's
a match in the md5 database, skip checking that file in the hex database.
It really doesn't even have to exclusively match on the md5, if it matched
both that would be fine too. The debug output for running the scan with
only the md5 then only with the hex databases doesn't appear any different
when it gets to the file matching section.

Is this even possible or will I have to run the scan twice, first matching
md5 and next matching hex?

Why do I want to do this? Because I'm working on a project with
requirements to do it this way. Other suggestions would be helpful, however
I need to match on md5 first, then match on hex.

If this isn't clear or if any additional information is required, please
let me know.

Thanks in advance,

Nathan
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


draynor at sourcefire

Jun 7, 2012, 7:36 AM

Post #2 of 3
Re: Custom Database Match Priority [In reply to]

Nathan,

The scanning functions inside libclamav run in a certain order, and once it
detects an infection inside a file it short-circuits further scanning. For
example, smaller offsets are checked before larger offsets. There is no way
to change the order by changing configuration.

Dave R.

--
Dave Raynor
Senior Research Engineer, VRT



ngseclists at gmail

Jun 7, 2012, 8:10 AM

Post #3 of 3
Re: Custom Database Match Priority [In reply to]

Dave,

Thank you for the information. I'll proceed with an alternative mechanism
to accomplish this (basically run the scan twice, one with md5 db and one
with the hex db).

Cheers!

Nathan

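Added example, not code from this thread or from ClamAV itself: a small Python script that implements the two-pass workaround Nathan settles on above (hash database first, body-signature database only for files the first pass left clean), so the priority Dave says libclamav cannot be configured to honour is imposed by the caller instead. It reads signatures in ClamAV's own plain-text formats (.hdb lines are MD5:FileSize:MalwareName; .ndb lines are MalwareName:TargetType:Offset:HexSignature) but supports only the `??` single-byte and `*` any-run wildcards of the hex syntax and only target type 0. The sample files, the "EVILPAYLOAD" marker and the Custom.* signature names are constructed for the example; the .hdb line is generated from the sample so that the script runs offline, where in practice you would produce it with `sigtool --md5 <file>`.

```python
import hashlib
import re

# Constructed sample files (not real malware); names and contents are made up.
SAMPLE_FILES = {
    "dropper.bin": b"MZ\x90\x00" + b"\x00" * 12 + b"EVILPAYLOAD" + b"\x00" * 8,
    "loader.bin": b"\x7fELF" + b"\x00" * 20 + b"EVILPAYLOAD",
    "readme.txt": b"just a harmless text file\n",
}

# Hash database in .hdb format: MD5:FileSize:MalwareName.
# Built from the constructed sample here; normally `sigtool --md5 file` emits it.
HDB_LINES = [
    "{}:{}:Custom.Dropper.Hash".format(
        hashlib.md5(SAMPLE_FILES["dropper.bin"]).hexdigest(),
        len(SAMPLE_FILES["dropper.bin"]),
    ),
]

# Body database in .ndb format: MalwareName:TargetType:Offset:HexSignature.
# TargetType 0 = any file; Offset "*" = anywhere, a number = exact position.
# In the hex string, "??" matches any one byte and "*" any run of bytes.
# Signature names and the EVILPAYLOAD marker are made up for this example.
NDB_LINES = [
    "Custom.Payload.Hex:0:*:4556494c5041594c4f4144",  # "EVILPAYLOAD" anywhere
    "Custom.MZStub.Hex:0:0:4d5a??00",                  # "MZ" ? 0x00 at offset 0
]


def parse_hdb(lines):
    """Return {(md5hex, size_or_None): name}; later ClamAV accepts '*' as any size."""
    db = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        md5, size, name = line.strip().split(":", 2)
        db[(md5.lower(), None if size == "*" else int(size))] = name
    return db


def hex_sig_to_regex(sig):
    """Translate a ClamAV hex signature (?? and * wildcards) into a bytes regex."""
    parts, i = [], 0
    while i < len(sig):
        if sig.startswith("??", i):
            parts.append(b".")
            i += 2
        elif sig[i] == "*":
            parts.append(b".*?")
            i += 1
        else:
            parts.append(re.escape(bytes([int(sig[i:i + 2], 16)])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb(lines):
    """Return [(name, target_type, offset, regex)]; MinFL/MaxFL fields are ignored."""
    sigs = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        name, target, offset, hexsig = line.strip().split(":")[:4]
        sigs.append((name, int(target), offset, hex_sig_to_regex(hexsig)))
    return sigs


def match_md5(data, hdb):
    """Name of the hash signature matching data (digest plus size), else None."""
    digest = hashlib.md5(data).hexdigest()
    return hdb.get((digest, len(data))) or hdb.get((digest, None))


def match_hex(data, ndb):
    """Name of the first body signature matching data, else None."""
    for name, target, offset, rx in ndb:
        if target != 0:  # this example only handles whole-file (type 0) sigs
            continue
        hit = rx.search(data) if offset == "*" else rx.match(data, int(offset))
        if hit:
            return name
    return None


def scan_two_pass(files, hdb, ndb):
    """Pass 1: hash database only. Pass 2: hex database on files still clean.

    A hash hit is reported as such and that file never reaches the body pass,
    which is the priority the thread asked for. Returns {filename: (db, sig)|None}.
    """
    results = {}
    for fname, data in files.items():
        name = match_md5(data, hdb)
        if name:
            results[fname] = ("hdb", name)
    for fname, data in files.items():
        if fname in results:
            continue
        name = match_hex(data, ndb)
        results[fname] = ("ndb", name) if name else None
    return results


if __name__ == "__main__":
    verdicts = scan_two_pass(SAMPLE_FILES, parse_hdb(HDB_LINES), parse_ndb(NDB_LINES))
    for fname, v in verdicts.items():
        print(fname, "->", "OK" if v is None else "{} FOUND (via {})".format(v[1], v[0]))
```

With real clamscan the same effect is two invocations rather than one: `clamscan -d custom.hdb` over the target set, then `clamscan -d custom.ndb` over only the files the first run did not report, since within a single run libclamav stops at its own first hit and that order is not configurable.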
