Mailing List Archive

Heuristic Scans
Hi guys,

I dug a little bit in the mailing list and official documentation but didn't quite understand how ClamAV heuristics work.

So my questions are:

1. From what I understood, the .ldb files are not the rules for heuristics, right?
2. Is the heuristic scan only working for email protection? Is it running when I do a normal clamscan?
3. If the heuristic rules are not the ones in the .ldb files, where are they? Can we see them like the signature DBs, with sigtool as well?

Thank you in advance for your help
Re: Heuristic Scans
Heuristic signatures exist for a variety of file types. They are hardcoded into the clamav application. A grep of the source code reveals the following:

~/workspace/clamav-devel • grep -r "Heuristics\." ./libclamav
./libclamav/pe.c: ret = cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/pe.c: ret = cli_append_virus(ctx, "Heuristics.W32.Parite.B");
./libclamav/pe.c: ret = cli_append_virus(ctx, "Heuristics.W32.Kriz");
./libclamav/pe.c: ret = cli_append_virus(ctx, dam ? "Heuristics.W32.Magistr.A.dam" : "Heuristics.W32.Magistr.A");
./libclamav/pe.c: ret = cli_append_virus(ctx, dam ? "Heuristics.W32.Magistr.B.dam" : "Heuristics.W32.Magistr.B");
./libclamav/pe.c: ret = cli_append_virus(ctx, "Heuristics.W32.Polipos.A");
./libclamav/pe.c: ret = cli_append_virus(ctx, "Heuristics.Trojan.Swizzor.Gen");
./libclamav/c++/llvm/utils/TableGen/ARMDecoderEmitter.cpp: // Heuristics. See also doFilter()'s "Heuristics" comment when num of
./libclamav/macho.c: if (CL_VIRUS == cli_append_virus(ctx, "Heuristics.Broken.Executable")) \
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Phishing.Email.Cloaked.NumericIP");
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Phishing.Email.Cloaked.Null"); /*fakesite%01%00@fake.example.com*/
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Phishing.Email.SSL-Spoof");
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Phishing.Email.Cloaked.Username"); /*http://banksite@fake.example.com*/
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net");
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Phishing.URL.Blacklisted");
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net");
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Phishing.Email.SpoofedDomain");
./libclamav/unzip.c: *ret = cli_append_virus(ctx, "Heuristics.Encrypted.Zip");
./libclamav/yc.c: cli_append_virus(ctx, "Heuristics.BoundsCheck");
./libclamav/special.c: return cli_append_virus(ctx, "Heuristics.Worm.Mydoom.M.log");
./libclamav/pdf.c: status = cli_append_virus(pdf->ctx, "Heuristics.Encrypted.PDF");
./libclamav/pdf.c: cli_append_possibly_unwanted(ctx, "Heuristics.PDF.ObfuscatedNameObject");
./libclamav/mbox.c: retcode = cli_append_virus(ctx, "Heuristics.Phishing.Email");
./libclamav/7z_iface.c: found = cli_append_virus(ctx, "Heuristics.Encrypted.7Zip");
./libclamav/7z_iface.c: found = cli_append_virus(ctx, "Heuristics.Encrypted.7Zip");
./libclamav/tiff.c: return cli_append_virus(ctx, "Heuristics.TIFF.OutOfBoundsAccess");
./libclamav/others.c: cli_append_virus(ctx, "Heuristics.Limits.Exceeded");
./libclamav/scanners.c: if (CL_VIRUS == cli_append_virus(ctx, "Heuristics.Encrypted.RAR")) {
./libclamav/scanners.c: ret = cli_append_virus(ctx, "Heuristics.XZ.DicSizeLimit");
./libclamav/scanners.c: ret = cli_append_virus(ctx, "Heuristics.OLE2.ContainsMacros");
./libclamav/scanners.c: ret = cli_append_virus(ctx, "Heuristics.Exploit.W32.MS05-002");
./libclamav/scanners.c: ret = cli_append_virus(ctx, "Heuristics.Exploit.W32.MS04-028");
./libclamav/scanners.c: if (CL_VIRUS == cli_append_virus(ctx, "Heuristics.Structured.CreditCardNumber")) {
./libclamav/scanners.c: if (CL_VIRUS == cli_append_virus(ctx, "Heuristics.Structured.SSN")) {
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");

Hope that helps,
Micah
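As an added example (not part of Micah's reply or of the ClamAV project itself), here is a small Python parser for grep output in the shape shown above: it collects the unique Heuristics.* names, records which source files raise each one, and separates the cli_append_virus calls (an alert) from the cli_append_possibly_unwanted calls (a "possibly unwanted" finding), while skipping lines such as the LLVM comment that merely contain the word. The sample input is constructed from a handful of the lines above, not a live grep of the tree.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the shape of the grep output quoted
# in the reply above (not a live grep of a ClamAV checkout).
SAMPLE_GREP = """\
./libclamav/pe.c: ret = cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/pe.c: ret = cli_append_virus(ctx, dam ? "Heuristics.W32.Magistr.A.dam" : "Heuristics.W32.Magistr.A");
./libclamav/c++/llvm/utils/TableGen/ARMDecoderEmitter.cpp: // Heuristics. See also doFilter()'s "Heuristics" comment when num of
./libclamav/phishcheck.c: cli_append_possibly_unwanted(ctx, "Heuristics.Phishing.Email.Cloaked.NumericIP");
./libclamav/unzip.c: *ret = cli_append_virus(ctx, "Heuristics.Encrypted.Zip");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/elf.c: cli_append_virus(ctx, "Heuristics.Broken.Executable");
./libclamav/scanners.c: ret = cli_append_virus(ctx, "Heuristics.OLE2.ContainsMacros");
"""

# Detection names are quoted string literals; a ternary such as the
# Magistr line carries two of them, so findall() is used rather than search().
NAME_RE = re.compile(r'"(Heuristics\.[A-Za-z0-9._-]+)"')
# Only these two libclamav calls actually raise a heuristic finding.
FUNC_RE = re.compile(r'\b(cli_append_virus|cli_append_possibly_unwanted)\s*\(')


def parse_heuristics(grep_output):
    """Map each Heuristics.* name to {'kind': ..., 'files': set_of_paths}.

    Lines that do not call one of the two append functions (e.g. the LLVM
    comment that only mentions the word "Heuristics") are ignored.
    """
    table = defaultdict(lambda: {"kind": None, "files": set()})
    for line in grep_output.splitlines():
        path, _, code = line.partition(":")  # grep's "file: matched text"
        func = FUNC_RE.search(code)
        if not func:
            continue
        kind = "alert" if func.group(1) == "cli_append_virus" else "possibly-unwanted"
        for name in NAME_RE.findall(code):
            table[name]["kind"] = kind
            table[name]["files"].add(path)
    return dict(table)


def summarize(grep_output):
    """Sorted (name, kind, sorted_files) tuples, one per unique detection name."""
    return [(n, v["kind"], sorted(v["files"]))
            for n, v in sorted(parse_heuristics(grep_output).items())]


if __name__ == "__main__":
    for name, kind, files in summarize(SAMPLE_GREP):
        print(f"{name:45} {kind:18} {', '.join(files)}")
```

Point it at the full grep output from the reply (or a fresh `grep -rn '"Heuristics\.' libclamav`) to get a deduplicated inventory; the repeated elf.c hits collapse into one entry.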

From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of asda adafs via clamav-users <clamav-users@lists.clamav.net>
Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
Date: Friday, May 31, 2019 at 12:51 PM
To: "clamav-users@lists.clamav.net" <clamav-users@lists.clamav.net>
Cc: asda adafs <ragnarok_sword@hotmail.com>
Subject: [clamav-users] Heuristic Scans
