Rootkit Hunter alternative for suspscan

Posted 07-25-2011 at 06:16 PM by unSpawn

I've been mulling (yes, mulling) replacements for RKH's suspscan for a while now. Suspscan was an experiment to see if there could be a more generic, less name-based way of finding malware. The resultant monstrosity is resource-intensive, impossible to configure and rarely used. Researching something else (as usual) I came across this rather good presentation (PDF) about creating one's own AV signatures: Writing ClamAV Signatures, and not long after that I found R-fx Networks' Linux Malware Detect.

While installing it may be your cup of $BEVERAGE, currently I'm only interested in the databases: 'tar -C /path/to/somedir -f maldetect-current.tar.gz -x maldetect-1.4.0/files/sigs/rfxn.*'. The results of running 'clamscan --recursive --bytecode --heuristic-scan-precedence=no --algorithmic-detection --scan-elf --scan-archive /path/to/targetdir' and 'clamscan --official-db-only=no --recursive --bytecode --heuristic-scan-precedence=no --algorithmic-detection --scan-elf --scan-archive -d /path/to/rfxn.hdb -d /path/to/rfxn.ndb /path/to/targetdir' on 1336 plain files, tarballs, etc. as AVAST reported them are interesting.

For reference:

AVAST:
# scanned files:        112237
# scanned directories:  618
# infected files:       1010
# total file size:      18.0 GB
# virus database:       110724-1 24.07.2011

ClamAV with the "regular" databases:
Known viruses: 1006533
Engine version: 0.97.1
Scanned directories: 606
Scanned files: 6818
Infected files: 150
Data scanned: 3283.48 MB
Time: 660.400 sec (11 m 0 s)

ClamAV with RFX databases:
Known viruses: 7825
Engine version: 0.97.1
Scanned directories: 618
Scanned files: 6971
Infected files: 163
Data scanned: 3409.94 MB
Time: 271.305 sec (4 m 31 s)
So while the databases used provide fewer signatures (as opposed to the "regular" ones, and $DEITIES know why using "--official-db-only=no" doesn't result in using all databases) the hit rate is clearly greater (see the 4.6K attached plain text report with obfuscated file names). Since the databases are focused on Linux malware this certainly is an improvement over any commercial AV (those of you who have been here long enough know my opinion) and as such, even if it isn't going to be updated regularly, would be a worthy addition for those of you running web servers exposed to the 'net.

Needless to say I'll be experimenting with ClamAV signature creation.
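A toy illustration of the two database formats used above, .hdb hash entries (MD5:size:name) and .ndb hex-pattern entries (name:target:offset:hex), added here as an example that is not part of the original post or of ClamAV/LMD. The sample files, malware names and signatures are constructed, and only a subset of the .ndb syntax (absolute or '*' offsets, '??' and '*' wildcards, target types 0 and 6) is handled:

```python
import hashlib
import re

# Constructed stand-ins for scan targets; none of this is real malware.
SAMPLES = {
    "dropper.pl": b"#!/usr/bin/perl\nmy $host = 'irc.example.invalid';\nconnect();\n",
    "known.sh": b"#!/bin/sh\necho 'constructed sample of a previously seen script'\n",
    "tool": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x02\x00\x3e\x00" + b"\x90" * 32,
    "notes.txt": b"shopping list: milk, eggs\n",
}

def hdb_line(data, malname):
    """Build an .hdb entry (MD5:filesize:name), the format sigtool --md5 emits."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{malname}"

# Constructed .ndb entries (name:target:offset:hex): target 0 = any file, 6 = ELF;
# offset '*' = anywhere; in the hex body '??' is one wildcard byte, '*' any run of bytes.
HDB = [hdb_line(SAMPLES["known.sh"], "Example.Hash.Known")]
NDB = [
    "Example.Perl.IrcHost:0:*:6972632e*2e696e76616c6964",  # "irc." ... ".invalid"
    "Example.ELF.Sample:6:16:0200??00",  # e_type == ET_EXEC at offset 16, e_machine wildcarded
]

def ndb_to_regex(hexsig):
    """Translate a ClamAV hex signature body into a bytes regex (subset of the syntax)."""
    parts = []
    for chunk in hexsig.split("*"):
        pairs = [chunk[i:i + 2] for i in range(0, len(chunk), 2)]
        parts.append(b"".join(b"." if p == "??" else re.escape(bytes.fromhex(p)) for p in pairs))
    return re.compile(b".*".join(parts), re.DOTALL)

def scan(files, hdb, ndb):
    """Return {filename: malware name}: hash database first, then the pattern database."""
    hashes = {(d, int(s)): n for d, s, n in (l.strip().split(":") for l in hdb)}
    patterns = [(n, int(t), o, ndb_to_regex(h)) for n, t, o, h in (l.strip().split(":")[:4] for l in ndb)]
    hits = {}
    for fname, data in files.items():
        key = (hashlib.md5(data).hexdigest(), len(data))
        if key in hashes:
            hits[fname] = hashes[key]
            continue
        is_elf = data.startswith(b"\x7fELF")
        for name, target, offset, rx in patterns:
            if target == 6 and not is_elf:
                continue  # target type gates which files a signature is tried on
            found = rx.search(data) if offset == "*" else rx.match(data, int(offset))
            if found:
                hits[fname] = name
                break
    return hits
```

Running scan(SAMPLES, HDB, NDB) flags known.sh by hash, dropper.pl and tool by pattern, and leaves notes.txt clean; a real clamscan run with -d pointing at such files behaves the same way, which is why a small, targeted database can out-hit a large generic one on a Linux web server.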