evild3ad / MemProcFS-Analyzer

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR

Home Page:https://lethal-forensics.com

ClamAV

antmar904 opened this issue · comments

Hi.

I performed (3) different memory analyses and I've been getting the following error in the "ClamAV\LogFile.txt" file:


ERROR: Could not connect to clamd on 127.0.0.1: Connection refused

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 2.047 sec (0 m 2 s)
Start Date: 2021:06:04 06:42:53
End Date: 2021:06:04 06:42:56

Just wanted to make sure that it is successfully scanning the files.

Sure. You need to do the First Time Set-Up of ClamAV. Check out "Prerequisites":
https://github.com/evild3ad/MemProcFS-Analyzer

Yes, I've done this already during the initial setup days ago. :) It successfully updated today, just not sure it successfully scanned the files.

Snippet from the Update.txt log:

ClamAV update process started at Fri Jun 4 06:42:13 2021
daily database available for update (local version: 26189, remote version: 26190)
Current database is 1 version behind.
Downloading database patch # 26190...
Time: 0.2s, ETA: 0.0s [========================>] 30.61KiB/30.61KiB
Testing database: 'C:\Program Files\ClamAV\database\tmp.e8933a7d70\clamav-ec39a7b7ec48394c7c4477173985cc26.tmp-daily.cld' ...
Database test passed.
daily.cld updated (version: 26190, sigs: 3986205, f-level: 63, builder: raynman)
main.cvd database is up-to-date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

ClamAV Daemon is not running. Two minimized windows of ClamAV should be there.

Maybe test it on your other VM... where IP2ASN Mapping via Team Cymru was working.

Looks like I had to increase the "sleep" time to 60 from the default of 20 because it was taking much longer for clamd.exe to initialize.

# Start ClamAV Daemon
Write-Output "[Info]  Starting ClamAV Daemon ..."
Start-Process powershell.exe -FilePath "$clamd" -WindowStyle Minimized
Start-Sleep 60 # <-- Changed from 20
Write-Output "[Info]  ClamAV Daemon is running ..."

All is working good now.

Question, can you explain to me what this mean?

"X:\name\MsMpEng.exe-4596\vmemd\0x000001ca00b60000.vvmem: Win.Exploit.Shellcode-1 FOUND"

MsMpEng.exe is the process, 4596 is the PID, not sure what "vmemd" is, "0x000001ca00b60000.vvmem" is the address space?

Sorry to keep using the "Issues" section in the repo for questions, maybe you can enable the "Discussions" section?
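A fixed Start-Sleep only hides the race: on a slow VM clamd.exe is still loading main.cvd and daily.cld (several million signatures) when the scan starts, so clamdscan gets "Connection refused". The added example below is not MemProcFS-Analyzer's own code; it polls clamd until it answers the protocol's PING command, and gives up early if the process dies. It assumes (hypothetically) that $clamd is the path to clamd.exe and that clamd.conf listens on TCPAddr 127.0.0.1 / TCPSocket 3310; adjust both to your install.

```powershell
# Added example (not the project's code): wait for clamd to become ready
# instead of sleeping a fixed number of seconds.
# Assumptions: $clamd points at clamd.exe; clamd.conf has TCPSocket 3310 and
# TCPAddr 127.0.0.1 (the address clamdscan complained about in the log).

$clamd      = "C:\Program Files\ClamAV\clamd.exe"
$ClamdAddr  = "127.0.0.1"
$ClamdPort  = 3310
$TimeoutSec = 300   # loading ~8.5M signatures can take minutes on a slow VM

function Test-ClamdAlive {
    # $true if clamd accepts a TCP connection and replies PONG to a PING.
    param([string]$Address, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.ReceiveTimeout = 2000
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(1000)) { return $false }
        $client.EndConnect($async)          # throws on "Connection refused"
        $stream = $client.GetStream()
        # clamd protocol: "zPING\0" is answered with "PONG\0" (z = NUL-delimited)
        $req = [Text.Encoding]::ASCII.GetBytes("zPING`0")
        $stream.Write($req, 0, $req.Length)
        $buf = New-Object byte[] 16
        $n   = $stream.Read($buf, 0, $buf.Length)
        return ([Text.Encoding]::ASCII.GetString($buf, 0, $n) -like "PONG*")
    }
    catch { return $false }
    finally { $client.Close() }
}

function Start-ClamdAndWait {
    # Starts clamd.exe (unless one is already serving) and blocks until it is
    # ready, the process exits, or $Timeout seconds pass. Returns $true/$false.
    # Write-Host is used for messages so the return value stays a clean boolean.
    param([string]$Path, [string]$Address, [int]$Port, [int]$Timeout)
    if (Test-ClamdAlive -Address $Address -Port $Port) {
        Write-Host "[Info]  ClamAV Daemon is already running"
        return $true
    }
    Write-Host "[Info]  Starting ClamAV Daemon ..."
    $proc = Start-Process -FilePath $Path -WindowStyle Minimized -PassThru
    $deadline = (Get-Date).AddSeconds($Timeout)
    while ((Get-Date) -lt $deadline) {
        if ($proc.HasExited) {
            # e.g. broken clamd.conf or missing database: waiting longer is pointless
            Write-Host "[Error] clamd.exe exited with code $($proc.ExitCode) before becoming ready"
            return $false
        }
        if (Test-ClamdAlive -Address $Address -Port $Port) {
            Write-Host "[Info]  ClamAV Daemon is running ..."
            return $true
        }
        Start-Sleep -Seconds 2
    }
    Write-Host "[Error] clamd did not answer on ${Address}:${Port} within $Timeout seconds"
    return $false
}

if (-not (Start-ClamdAndWait -Path $clamd -Address $ClamdAddr -Port $ClamdPort -Timeout $TimeoutSec)) {
    exit 1   # do not run clamdscan: every file would just count as an error
}
```

Checking PONG rather than only the open port matters because clamd binds its socket only after the databases are loaded; the "Total errors: 1 / Infected files: 0" summary in the log is what you get when the scan runs against a daemon that is not yet listening, and it says nothing about the files themselves.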

Yes. But keep in mind that MsMpEng.exe is Microsoft Defender. ClamAV detections in AV-related processes can be ignored. I added a filter for MsMpEng.exe: "$OUTPUT_FOLDER\ClamAV\Infected\InfectedFiles-filtered.txt"
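On the path format asked about above: "X:\name\<process>-<pid>\vmemd\<address>.vvmem" is MemProcFS's per-process virtual memory view, where the vmemd directory exposes each memory region (VAD) of the process as a file named after its start virtual address, so the hit means the Win.Exploit.Shellcode-1 signature matched bytes inside one region of MsMpEng.exe's address space. AV engines keep signatures and unpacked samples in their own memory, which is why they match. The added example below is not the project's code: it parses clamscan/clamdscan "FOUND" lines into process, PID, region and signature, and separates hits in AV processes from the rest rather than discarding them. The log lines and the process list are constructed for the example.

```powershell
# Added example (not MemProcFS-Analyzer's code): parse ClamAV "FOUND" lines for
# MemProcFS vmemd region files and separate hits in AV engines from the rest.
# Sample log lines are constructed for this example.
$SampleLog = @'
X:\name\MsMpEng.exe-4596\vmemd\0x000001ca00b60000.vvmem: Win.Exploit.Shellcode-1 FOUND
X:\name\svchost.exe-1234\vmemd\0x00007ff712340000.vvmem: OK
X:\name\rundll32.exe-7788\vmemd\0x0000000000400000.vvmem: Win.Trojan.Agent-123456 FOUND
'@

# Assumption: processes whose memory legitimately contains signatures or
# unpacked malware; extend for the EDR deployed on the imaged host.
$AvProcesses = @('MsMpEng.exe', 'MsSense.exe', 'NisSrv.exe')

function ConvertFrom-ClamFoundLine {
    # <drive>:\name\<process>-<pid>\vmemd\0x<address>.vvmem: <signature> FOUND
    # Returns $null for "OK" lines and anything that does not match.
    param([string]$Line)
    $pattern = '^(?<path>.+\\name\\(?<proc>[^\\]+)-(?<pid>\d+)\\vmemd\\(?<addr>0x[0-9a-fA-F]+)\.vvmem): (?<sig>.+) FOUND$'
    if ($Line -match $pattern) {
        [pscustomobject]@{
            Process   = $Matches.proc
            PID       = [int]$Matches.pid
            Region    = $Matches.addr   # start virtual address of the VAD region
            Signature = $Matches.sig
            Path      = $Matches.path
        }
    }
}

$Detections = $SampleLog -split "`r?`n" |
    ForEach-Object { ConvertFrom-ClamFoundLine $_ } |
    Where-Object { $_ }

$AvHits   = $Detections | Where-Object { $AvProcesses -contains $_.Process }
$Filtered = $Detections | Where-Object { $AvProcesses -notcontains $_.Process }

Write-Host "[Info]  $($Detections.Count) detection(s), $($AvHits.Count) in AV processes (kept aside, not triaged)"
$Filtered | Format-Table Process, PID, Region, Signature -AutoSize

# Same line format as the scanner output, minus the AV-process hits, for a
# filtered list like the one described above (file name is an assumption).
$Filtered | ForEach-Object { "$($_.Path): $($_.Signature) FOUND" } |
    Set-Content -Path ".\InfectedFiles-filtered.txt"
```

Keeping the AV hits in a separate list instead of dropping them is deliberate: a shellcode signature inside Defender's memory is expected noise, but the same signature showing up in rundll32.exe or an unsigned process is exactly what the memory scan is there to surface, and the region address tells you which VAD to pull from MemProcFS for a closer look.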