
antivirus module needed

Open bcarrier opened this issue 12 years ago • 5 comments

We should have a module that integrates an anti-virus solution. Files that are found to have viruses should have a TSK_MALWARE_DETECTED attribute added in the blackboard.

bcarrier avatar Jun 01 '13 00:06 bcarrier

Importing ClamAV databases and comparing MD5 values might work. ClamAV checks against MD5 for known malware, and stores an MD5 for each entry in its signature databases. Using ClamAV databases as lists of known malware, combined with cross referencing in a manner similar to the known file filter might be a feasible solution.

peterclemenko avatar Jun 10 '13 16:06 peterclemenko
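As an added example (not code from Autopsy, ClamAV or anyone in this thread), a minimal Python sketch of the hash-set approach described above: parse ClamAV's .hdb format (MD5:FileSize:MalwareName, with `*` as a size wildcard and an optional fourth min-FLEVEL field) and check a file's MD5 and size against it, the way Autopsy's known-file filter cross-references hashes. The signature text and file contents are constructed for the example and are not real signatures.

```python
import hashlib

# Constructed sample file contents standing in for files from a disk image.
SAMPLE_FLAGGED = b"constructed sample blob that the hash set flags"
SAMPLE_CLEAN = b"constructed sample blob with no signature"

# Constructed .hdb text (ClamAV format: MD5:FileSize:MalwareName, optional
# fourth min-FLEVEL field, '*' allowed as a size wildcard). The first hash is
# computed from the blob above; the second is the MD5 of an empty file.
SAMPLE_HDB = (
    "# comment lines and blank lines are skipped\n"
    f"{hashlib.md5(SAMPLE_FLAGGED).hexdigest()}:{len(SAMPLE_FLAGGED)}:Constructed.Sample-1\n"
    "d41d8cd98f00b204e9800998ecf8427e:*:Constructed.EmptyFile:73\n"
    "not-a-valid-line\n"
)


def parse_hdb(text):
    """Parse .hdb lines into {md5: [(size_or_None, name), ...]}."""
    sigs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed entry; an ingest module would log and skip it
        md5, size, name = fields[0].lower(), fields[1], fields[2]
        if len(md5) != 32:
            continue
        try:
            size = None if size == "*" else int(size)
        except ValueError:
            continue
        sigs.setdefault(md5, []).append((size, name))
    return sigs


def lookup(data, sigs):
    """Return the signature name for the file bytes, or None if not listed.

    Size is checked as well as the MD5, so an entry with an explicit size
    does not match a file of a different length (a '*' entry matches any).
    """
    digest = hashlib.md5(data).hexdigest()
    for size, name in sigs.get(digest, []):
        if size is None or size == len(data):
            return name
    return None
```

A hit would be the point at which an Autopsy module posts the TSK_MALWARE_DETECTED attribute the issue asks for.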

ClamAV library / Java bindings is also a possibility. Not as fast since we'd need to rescan the file and ClamAV will probably recalculate the hash, but might return more info / detect other malware than pure hash db solution.

adam-m avatar Jun 10 '13 18:06 adam-m

Also, OpenIOC and Yara support might be useful as well.

peterclemenko avatar Jun 10 '13 19:06 peterclemenko

In the absence of a real "send to AV for scanning", I used the mentioned trick by aoighost. Not very agile as you have to do the updates manually every time, but still some way of getting it done. Check https://www.mpauli.de/create-clamav-hash-set-for-autopsy.html for my simple way.

icepaule avatar Apr 25 '19 12:04 icepaule

@bcarrier Please look at my ClamPsy file ingest module that uses ClamAV antivirus to scan disk. If the community is interested, then I will continue development of this module. P.S. This module does not use TSK_MALWARE_DETECTED to flag malware, but it will be added in the future.

dyussekeyev avatar Aug 12 '22 14:08 dyussekeyev