Sometimes you just need to figure out what ClamAV is looking for…
First, run ClamAV in a Docker container:
docker run --rm -d --name clamav clamav/clamav:latest
Then connect to it:
docker exec -it clamav sh
Swap to the data dir:
cd /var/lib/clamav
We’re looking for a particular signature, so let’s use sigtool to find it:
/var/lib/clamav # sigtool --find-sigs Html.Exploit.CVE_2017_0008-5897278
[main.ndb] Html.Exploit.CVE_2017_0008-5897278-0:3:*:6D68746D6C3A7265733A2F2F
Now, to look at a human-readable definition of this signature, there are two ways to do it. Either just echo the signature definition into sigtool:
echo 'Html.Exploit.CVE_2017_0008-5897278-0:3:*:6D68746D6C3A7265733A2F2F' | sigtool --decode
VIRUS NAME: Html.Exploit.CVE_2017_0008-5897278-0
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
mhtml:res://
Or pipe your find-sigs command through it:
# sigtool --find-sigs CVE_2017_0008 | sigtool --decode
VIRUS NAME: Html.Exploit.CVE_2017_0008-5897278-0
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
mhtml:res://
Tadaaaaaaaa! In this case, it’s looking for the string mhtml:res://
anywhere in the file (that’s what the * offset means). The hex-encoded signature body is the last field of the line, and you can also decode it with CyberChef.
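As an added example (not code from the original post or from ClamAV), here is a small Python parser that does what sigtool --decode did above for an NDB line: it strips the `[main.ndb]` tag that --find-sigs prepends, splits the name:target:offset:hex fields, names the target type using ClamAV's documented numbering (3 = HTML, as shown above), and renders the hex body. It goes slightly beyond the page's example by also handling the `??`, `*` and `{n-m}` wildcards that NDB bodies can contain.

```python
import re

# Target types from ClamAV's signature documentation; the page's line uses 3 (HTML).
TARGET_TYPES = {0: "ANY FILE", 1: "PE", 2: "OLE2", 3: "HTML", 4: "MAIL",
                5: "GRAPHICS", 6: "ELF", 7: "ASCII", 9: "MACH-O", 10: "PDF",
                11: "FLASH", 12: "JAVA"}

# One token of an NDB hex body: a byte (two hex digits), a one-byte wildcard (??),
# an any-length gap (*) or a bounded gap such as {4}, {2-6}, {-6} or {4-}.
TOKEN = re.compile(r"[0-9A-Fa-f]{2}|\?\?|\*|\{\d*-?\d*\}")


def decode_hex_body(body):
    """Render an NDB hex body for a human: printable bytes as characters,
    other bytes as \\xNN, wildcards as <...> markers."""
    out, pos = [], 0
    for m in TOKEN.finditer(body):
        if m.start() != pos:  # something between tokens we do not understand
            raise ValueError(f"unparseable hex body at offset {pos}: {body[pos:]!r}")
        tok = m.group()
        if tok == "??":
            out.append("<any byte>")
        elif tok == "*":
            out.append("<any bytes>")
        elif tok.startswith("{"):
            out.append(f"<gap {tok[1:-1]}>")
        else:
            b = int(tok, 16)
            out.append(chr(b) if 32 <= b < 127 else f"\\x{b:02x}")
        pos = m.end()
    if pos != len(body):
        raise ValueError(f"trailing garbage in hex body: {body[pos:]!r}")
    return "".join(out)


def parse_ndb(line):
    """Split one NDB line (optionally prefixed by sigtool's '[file.ndb] ' tag)
    into its four fields and decode the hex body."""
    line = re.sub(r"^\[[^\]]+\]\s*", "", line.strip())
    name, target, offset, body = line.split(":", 3)
    target = int(target)
    return {"name": name, "target": target,
            "target_type": TARGET_TYPES.get(target, f"UNKNOWN({target})"),
            "offset": offset, "decoded": decode_hex_body(body)}


if __name__ == "__main__":
    # Input taken from the sigtool --find-sigs output shown on this page.
    sig = parse_ndb("[main.ndb] Html.Exploit.CVE_2017_0008-5897278-0:3:*:6D68746D6C3A7265733A2F2F")
    for key, value in sig.items():
        print(f"{key}: {value}")
```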