SigmaHQ/rules/linux/lnx_clamav.yml

title: Relevant ClamAV Message
id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb
description: Detects relevant ClamAV messages
author: Florian Roth
date: 2017/03/01
references:
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
logsource:
    product: linux
    service: clamav
detection:
    keywords:
        - 'Trojan*FOUND'
        - 'VirTool*FOUND'
        - 'Webshell*FOUND'
        - 'Rootkit*FOUND'
        - 'Htran*FOUND'
    condition: keywords
falsepositives:
    - Unknown
level: high
Rule: ClamAV 2017-03-01 09:00:03 +00:00			`title: Relevant ClamAV Message`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb`
Rule: ClamAV 2017-03-01 09:00:03 +00:00			`description: Detects relevant ClamAV messages`
fix: fixed missing date fields in other files 2020-01-30 14:32:39 +00:00			`author: Florian Roth`
			`date: 2017/03/01`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml`
Rule: ClamAV 2017-03-01 09:00:03 +00:00			`logsource:`
			`product: linux`
			`service: clamav`
			`detection:`
			`keywords:`
			`- 'Trojan*FOUND'`
			`- 'VirTool*FOUND'`
			`- 'Webshell*FOUND'`
			`- 'Rootkit*FOUND'`
			`- 'Htran*FOUND'`
			`condition: keywords`
			`falsepositives:`
Bug and typo fixes 2017-03-14 13:52:28 +00:00			`- Unknown`
Rule: ClamAV 2017-03-01 09:00:03 +00:00			`level: high`