dmknght / rkcheck Goto Github PK

View Code? Open in Web Editor NEW

13.0 2.0 1.0 689 KB

A malware scanner with Yara and ClamAV binding

Makefile 0.33% YARA 21.74% Nim 77.24% C 0.69%

antivirus clamav-antivirus yara-scanner

rkcheck's People

Contributors

Stargazers

Watchers

Forkers

gnusec

rkcheck's Issues

LibClamAV can't decompress .deb file

Procedure steps:

Get .deb package (apt download apt)
Scan downloaded file -> binary with rules are not matched

Can I use your rules? Also use my machine learning etc.

Here is the antivirus https://sourceforge.net/projects/xylent/

New workflow design for better perfomance and accuracy

The ClamAV scan is slower than Yara when scan ELF files. Also, the Yara's modules are more effective than ClamAV getting metadata of PE, ELF file. Create a proper file / process scanner that gives the Yara's higher scan priority

If file is PE, ELF, ... -> Scan with Yara
If the file is clean, call ClamAV scan (at this point, the Yara callback shouldn't be called)
Handle other file formats with both engines. Set Yara as pre-scan will increase performance

LibClamAV can't decompress .deb file

Procedure steps:

Get .deb package (apt download apt)
Scan downloaded file -> binary with rules are not matched

--path-yaradb should support dir

if kind.yaradb == pcDir:
  walkDir(yaradb) -> check yara rules
 combine all rules and load

Allow wildcard for file or dir name

Example: rkscanmal --list-files /usr/lib/x86-64_linux_gnu/lib*.so

ClamAV doesn't process inner files of archive

If there's no clamav's signatures, libclam refuses process inner files

Use ClamAV engine to scan Linux's memory

[x] Scan memory chunk
[ ] Detection passed the test
Relate to #4

ClamAV leaves tmp folder after scan

clamav leaves a lot of tmp folders. Must find a way to clean them.

Add support for sigma scan (if there's any library)

Use sigma to detect suspicious logs in Linux system

Disable cache and disable other scan options to improve performances

ClamAV cache will calculate checksum and so on. It's better to disable it if the Clam's Engine is not used

Improve memory Linux's scan

Current tool failed to detect some basic tests
Source code

#include <stdio.h>

int main() {
  char buf[64];
  printf("HelloWorld\n");
  gets(buf);
  return 0;
}

-> Compile and execute
Yara rule

private rule elf_magic {
  strings:
    $magic = {7f 45 4c 46 [12] (00 | 01 | 02 | 03 | 04 )}
  condition:
    $magic and not defined uint8(@magic[1] - 1)
}


rule Hello {
  strings:
    $ = "HelloWorld"
  condition:
    elf_magic and any of them
}

ClamAV logical signature

Hello;Target:6;0;48656c6c6f576f726c64

When scan with original Yara, the Yara rule detected

yara rule.yara 3507070                
Hello 3507070

When try with rkcheck, it failed to detect either using Yara or ClamAV
-> Must rewrite the memory scan to improve scan progress

ClamAV doesn't use cli_scanelf therefore no signature matched

In latest commits in dev, I tried improving scan performance by disabling certain modules. However, it caused ClamAV doesn't use the scan engine.