LinuxQuestions.org
Rootkit Hunter alternative for suspscan

Posted 07-25-2011 at 06:16 PM by unSpawn

I've been mulling (yes, mulling) replacements for RKH's suspscan for a while now. Suspscan was an experiment to see if there could be a more generic, less name-based way of finding malware. The resultant monstrosity is resource-intensive, impossible to configure and rarely used. Researching something else (as usual) I came across this rather good presentation (PDF) about creating one's own AV signatures, Writing ClamAV Signatures, and not long after that I found R-fx Networks' Linux Malware Detect.

While installing it may be your cup of $BEVERAGE, currently I'm only interested in the databases: 'tar -C /path/to/somedir -f maldetect-current.tar.gz -x maldetect-1.4.0/files/sigs/rfxn.*'. The results of running 'clamscan --recursive --bytecode --heuristic-scan-precedence=no --algorithmic-detection --scan-elf --scan-archive /path/to/targetdir' (stock ClamAV databases) and 'clamscan --official-db-only=no --recursive --bytecode --heuristic-scan-precedence=no --algorithmic-detection --scan-elf --scan-archive -d /path/to/rfxn.hdb -d /path/to/rfxn.ndb /path/to/targetdir' (only the two rfxn files) on 1336 plain files, tarballs, etc. as AVAST reported them are interesting.

For reference, AVAST:

    # scanned files: 	112237
    # scanned directories: 	618
    # infected files: 	1010
    # total file size: 	18.0 GB
    # virus database: 	110724-1 24.07.2011

ClamAV:

    Known viruses: 1006533
    Engine version: 0.97.1
    Scanned directories: 606
    Scanned files: 6818
    Infected files: 150
    Data scanned: 3283.48 MB
    Time: 660.400 sec (11 m 0 s)

ClamAV with RFX databases:

    Known viruses: 7825
    Engine version: 0.97.1
    Scanned directories: 618
    Scanned files: 6971
    Infected files: 163
    Data scanned: 3409.94 MB
    Time: 271.305 sec (4 m 31 s)
So while the databases used provide far fewer signatures than the "regular" ones, the hit rate clearly is greater (see the 4.6K attached plain text report with obfuscated file names). The small "Known viruses" count is not a mystery: '-d' makes clamscan load only the databases named on the command line, replacing the default database directory rather than adding to it, and '--official-db-only=no' is already the default so it changes nothing. To scan with both sets, pass the official database directory as a further '-d' or copy rfxn.hdb and rfxn.ndb into it. Since the databases are focused on Linux malware this certainly is an improvement over any commercial AV (those of you who have been here long enough know my opinion) and as such, even if they aren't going to be updated regularly, they would be a worthy addition for those of you running web servers exposed to the 'net.
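As an added example (these are not the post's own commands, nor anything shipped by LMD or ClamAV): a small POSIX shell script that extracts the two rfxn signature files from the LMD tarball, runs clamscan with the official database directory and the rfxn files loaded together, and reduces the clamscan summary to a hit rate so runs with different databases can be compared. The official database directory /var/lib/clamav, the tarball layout maldetect-<version>/files/sigs/, and the "run" entry point are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: extract the rfxn signatures from the LMD
# tarball and scan with the official ClamAV databases AND the rfxn ones.
# Assumed: /var/lib/clamav as the official database directory, and the
# tarball layout maldetect-<ver>/files/sigs/rfxn.{hdb,ndb}.
set -eu

# Pull only rfxn.hdb and rfxn.ndb out of the tarball into $2.
# --wildcards is required: GNU tar (>= 1.16) treats member names on the
# command line literally during extraction unless it is given; the quotes
# keep the shell from expanding the glob against the current directory.
extract_rfxn_sigs() {
    tarball=$1 outdir=$2
    mkdir -p "$outdir"
    tar -C "$outdir" --wildcards --strip-components=3 \
        -xzf "$tarball" 'maldetect-*/files/sigs/rfxn.*'
}

# Scan $1 with both signature sets. -d replaces the default database
# directory instead of adding to it, so the official directory has to be
# passed as its own -d; otherwise only the rfxn signatures are loaded.
scan_with_rfxn() {
    target=$1 sigdir=$2 official=${3:-/var/lib/clamav}
    clamscan --recursive --bytecode --scan-elf --scan-archive \
        --algorithmic-detection --heuristic-scan-precedence=no \
        -d "$official" -d "$sigdir/rfxn.hdb" -d "$sigdir/rfxn.ndb" \
        "$target"
}

# Reduce a clamscan summary (stdin) to "infected/scanned (rate%)".
hit_rate() {
    awk -F': *' '
        /^Scanned files:/  { scanned  = $2 }
        /^Infected files:/ { infected = $2 }
        END {
            if (scanned == 0) { print "no files scanned"; exit 1 }
            printf "%d/%d (%.1f%%)\n", infected, scanned, 100 * infected / scanned
        }'
}

# Usage with assumed paths. clamscan exits 1 when it finds something and
# 2 on error, so only status 2 should abort the script.
if [ "${1:-}" = run ]; then
    extract_rfxn_sigs maldetect-current.tar.gz /tmp/rfxn-sigs
    scan_with_rfxn /path/to/targetdir /tmp/rfxn-sigs > scan.log || [ $? -eq 1 ]
    hit_rate < scan.log
fi
```

Run it as 'sh script.sh run' from the directory holding maldetect-current.tar.gz; feeding the three summaries above through hit_rate gives 150/6818 (2.2%) for stock ClamAV and 163/6971 (2.3%) for the rfxn run.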

Needless to say I'll be experimenting with ClamAV signatures creation.
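Since the post closes on writing signatures, here is an added example (not the author's, and not taken from the linked slides) of the two signature types the rfxn files use: an .hdb line (MD5:filesize:MalwareName, the same line 'sigtool --md5 FILE' prints) and an .ndb line (MalwareName:TargetType:Offset:HexSignature), plus a deliberately minimal matcher that checks an .ndb hex body against a file so the body's meaning is visible. The signature names, the sample PHP contents and the output file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the post: build the two signature types found in
# rfxn.hdb and rfxn.ndb from scratch, and check an .ndb body against a file.
# Signature names and sample contents below are constructed for illustration.
set -eu

# .hdb line: MD5:filesize:MalwareName  (what `sigtool --md5 FILE` prints,
# except sigtool uses the file's basename as the malware name).
hdb_sig() {
    file=$1 name=$2
    printf '%s:%s:%s\n' "$(md5sum "$file" | cut -d' ' -f1)" \
        "$(wc -c < "$file" | tr -d ' ')" "$name"
}

# Hex dump of stdin on one line, lower case, no separators
# (the same representation `sigtool --hex-dump` produces).
to_hex() {
    od -An -v -tx1 | tr -d ' \n'
}

# .ndb line: MalwareName:TargetType:Offset:HexSignature
# TargetType 0 = any file type, Offset * = anywhere in the file.
ndb_sig_from_string() {
    name=$1 needle=$2
    printf '%s:0:*:%s\n' "$name" "$(printf '%s' "$needle" | to_hex)"
}

# Toy matcher for .ndb bodies: grep the file's hex for the hex body, with
# ClamAV's * and ? wildcards mapped to regex .* and . .  Real ClamAV also
# honours the target type, offsets and {n-m} ranges and is nibble-aligned;
# this only shows what the hex body means. Returns 0 on match, 1 otherwise.
ndb_match() {
    sig=$1 file=$2
    body=$(printf '%s' "$sig" | cut -d: -f4)
    pat=$(printf '%s' "$body" | sed -e 's/\*/.*/g' -e 's/?/./g')
    to_hex < "$file" | grep -Eq "$pat"
}

# Usage: write a hash and a content signature for a constructed PHP backdoor
# into database files that clamscan can load with -d.
if [ "${1:-}" = demo ]; then
    printf '<?php eval(base64_decode("aGk="));' > sample.php
    hdb_sig sample.php Php.Backdoor.Sample > custom.hdb
    ndb_sig_from_string Php.Backdoor.Eval 'eval(base64_decode(' > custom.ndb
    clamscan -d custom.hdb -d custom.ndb sample.php
fi
```

The .hdb entry only ever matches that exact file (one byte changed and the hash is gone), which is why rfxn.ndb, the content-based half, is the one that catches variants; the .ndb body above is just the hex of 'eval(base64_decode(' and will also fire on benign code using that call, so a real signature wants more context or wildcarded fragments.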