Using ClamAV to Prevent Malware and Data Loss

23 March 2012
Maximizing the use of existing resources and bundling capabilities is becoming an increasingly common trend in information security. Using the applications and data sources that you have to their fullest capabilities and trying to limit the number of applications deployed in support of an information security program streamlines processes, reduces complexity and overhead, lowers cost, and ensures maximum return on investment for existing solutions. This concept can be extended to many products, from desktop security suites to log management software. ClamAV is a free, open source, antivirus product that is installed on many Unix and Linux operating systems. Commonly used for scanning e-mail attachments, ClamAV boasts a broad feature set that can be used to increase the security posture of many installations.

Use Case Scenario

Many web application compromises start with an application vulnerability and result in an attacker uploading or installing a remote access tool, like a web based command execution script. These tools usually consist of a single file that may be hidden or obfuscated in the web directory. Using the file the attacker can take control of the web server and perform further attacks. Detecting these files can be a key step to mitigating the damage caused by an attack. Detecting malicious scripts by hand is extremely difficult and time consuming. However, if ClamAV is already installed on the system it can be used to quite accurately identify these malware files. Scheduling a check on a set interval to have the ClamAV look at all the files on a filesystem would be far too resource intensive and cumbersome. However, scheduling a task to have ClamAV scan new files each day places much lower resource demands on the system and saves time by skipping repetitive computations. A simple BASH script such as the one listed below can accomplish this task:
#!/bin/bash
/bin/find /var/www/html -type f -mtime 1 | xargs /usr/bin/clamscan -i

Alternate Use Case

Data Loss Prevention (DLP) solutions were all the rage a few years ago. Touted as the solution to loss of sensitive data, DLP solutions are designed to detect confidential data at rest and in transit in order to ensure appropriate protections are applied to the data. ClamAV actually has a rudimentary DLP solution build in that scans files for Social Security numbers and Credit Card numbers. This can be extremely useful when scanning e-mail attachments, but can also be put to use on filesystems. Detecting new data in user home directories or shares can be crucial to preventing data loss. Similar to the above listed job, we can schedule a scan to regularly check for new files in user home directories and report on confidential data in files.
#!/bin/bash
/bin/find /home -type f -mtime 1 | xargs /usr/bin/clamscan -i -r --detect-structured=yes
Sample output of this script is illuminating and surprisingly accurate:
$ /usr/bin/clamscan -r -i --detect-structured=yes /home
/home/justin/Documents/test data.zip: Heuristics.Structured.CreditCardNumber FOUND
/home/justin/Documents/ssn.txt: Heuristics.Structured.SSN FOUND
/home/justin/Documents/kgd.dic: Heuristics.Structured.CreditCardNumber FOUND
/home/justin/Documents/DefinedDataSearch.results: Heuristics.Structured.SSN FOUND

Conclusion

ClamAV is a popular, and free malware detection tool that works extremely well at identifying malware and dangerous files other than e-mail attachments. Looking for remote access tools, sensitive data, and other infected files on the filesystem is a simple way to extend the power of ClamAV beyond e-mail scanning. This utilization allows administrators to extend the usage of a tool that is likely already installed on their systems. Although antivirus has been show to be less than 25% effective, it is still better than nothing, and if the tool already exists on a system there is no reason to not run scans during otherwise idle times.