Papers no image

Published on April 7th, 2011 | by NJ Ouchn


Malware Analysis: Classifying with ClamAV and YARA


Mourad Ben Lakhoua


On a daily basis,we are encountering thousands of new types of malware with unknown content. This malware can come from honeypots, infected websites or even be submitted by users.Analyzing all these binaries will take any malware analyst a long time. That’s why it’s critical to have an automated way to classify different types of malicious code.

Open source tools like ClamAV and YARA we can tell us if an unknown file has already been classified as malicious. If we have a fresh database with the latest signatures, we will not spend time analyzing binaries other researchers have already identified. That lets us spend our time analyzing other new or unique types of malware.

Installing ClamAV:

ClamAV is an open source (GPL) anti-virus toolkit, the AV tasks are handled by three processes:

  • freshclam automatically update virus definitions by connecting to http://www.clamav.net/mirrors.html— the configuration file is located under/etc/freshclam.conf
  • clamd is a multi-threaded antivirus daemon — the configuration file is located in /etc/clamd.conf
  • clamscan a command line antivirus scanner.

We need to install the latest release of ClamAV or we will have a warning message about a reduced functionality and this mean that you may not be able to use all the available virus signatures.

The most recent version of ClamAV is available from http://www.clamav.net/download/sources/. But you can also use a package manager to install it. OnaUbuntu machine, type the following commands:

$ sudo apt-get install clamav clamav-freshclam

First you can start by updating ClamAV signatures:

$ sudo freshclam

Then you run a scan on any suspicious file to check if it is infected or not:

$ sudo Clamscan

Scanning a folder with infected files


Read More

Tags: , , , ,

About the Author

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"

Back to Top ↑