evild3ad / MemProcFS-Analyzer

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
https://lethal-forensics.com
GNU General Public License v3.0

ClamAV #3

Closed antmar904 closed 3 years ago

antmar904 commented 3 years ago

Hi.

I performed (3) different memory analyses and I've been getting the following error in the "ClamAV\LogFile.txt" file:


ERROR: Could not connect to clamd on 127.0.0.1: Connection refused

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 2.047 sec (0 m 2 s)
Start Date: 2021:06:04 06:42:53
End Date:   2021:06:04 06:42:56

Just wanted to make sure that it is successfully scanning the files.

evild3ad commented 3 years ago

Sure. You need to do the First Time Set-Up of ClamAV. Check out "Prerequisites": https://github.com/evild3ad/MemProcFS-Analyzer

antmar904 commented 3 years ago

Yes, I've done this already during the initial setup days ago. :) It successfully updated today, just not sure it successfully scanned the files.

Snippet from the Update.txt log:

ClamAV update process started at Fri Jun  4 06:42:13 2021
daily database available for update (local version: 26189, remote version: 26190)
Current database is 1 version behind.
Downloading database patch # 26190...
Time:    0.2s, ETA:   0.0s [========================>]  30.61KiB/30.61KiB
Testing database: 'C:\Program Files\ClamAV\database\tmp.e8933a7d70\clamav-ec39a7b7ec48394c7c4477173985cc26.tmp-daily.cld' ...
Database test passed.
daily.cld updated (version: 26190, sigs: 3986205, f-level: 63, builder: raynman)
main.cvd database is up-to-date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

evild3ad commented 3 years ago

ClamAV Daemon is not running. Two minimized windows of ClamAV should be there.

May test it on your other VM...where IP2ASN Mapping via Team Cymru was working.

antmar904 commented 3 years ago

Looks like I had to increase the "sleep" time to 60 from the default of 20 because it was taking much longer for clamd.exe to initialize.

# Start ClamAV Daemon
Write-Output "[Info]  Starting ClamAV Daemon ..."
Start-Process powershell.exe -FilePath "$clamd" -WindowStyle Minimized
Start-Sleep 60 # <-- Changed from 20
Write-Output "[Info]  ClamAV Daemon is running ..."

All is working good now.
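A fixed Start-Sleep (20 s or 60 s) is a guess at how long clamd needs to load roughly 8.5 million signatures (see the Update.txt figures above), and the "Connection refused" error in LogFile.txt is exactly what happens when the guess is too short. The following is an added example, not MemProcFS-Analyzer's own code, that replaces the sleep with a bounded poll: it starts clamd.exe directly, then repeats a PING/PONG round trip against the daemon until it answers or a timeout expires. It assumes clamd listens on 127.0.0.1:3310 (ClamAV's default TCPSocket) and that $clamd points at clamd.exe under the ClamAV install directory seen in the update log; both are assumptions.

```powershell
# Added example (not MemProcFS-Analyzer's own code). Assumptions: clamd.exe lives
# in the ClamAV install directory and clamd.conf uses the default TCPSocket 3310.
$clamd = "C:\Program Files\ClamAV\clamd.exe"

function Wait-ClamdReady {
    param(
        [string]$ComputerName = "127.0.0.1",
        [int]$Port = 3310,
        [int]$TimeoutSeconds = 120
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($ComputerName, $Port)
            # A successful connect is not enough: clamd may have bound the socket
            # but not yet be serving requests while the databases load. The clamd
            # protocol answers "PONG" to PING ("z" prefix = NUL-terminated command).
            $stream = $client.GetStream()
            $stream.ReadTimeout = 5000
            $bytes = [System.Text.Encoding]::ASCII.GetBytes("zPING`0")
            $stream.Write($bytes, 0, $bytes.Length)
            $buffer = New-Object byte[] 64
            $read = $stream.Read($buffer, 0, $buffer.Length)
            $reply = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read)
            if ($reply -like "PONG*") { return $true }
        } catch {
            # Connection refused or no reply yet: daemon still starting up
        } finally {
            $client.Close()
        }
        Start-Sleep -Seconds 2
    }
    return $false
}

# Start ClamAV Daemon
Write-Output "[Info]  Starting ClamAV Daemon ..."
$clamdProcess = Start-Process -FilePath "$clamd" -WindowStyle Minimized -PassThru

if (Wait-ClamdReady) {
    Write-Output "[Info]  ClamAV Daemon is running (PID $($clamdProcess.Id)) ..."
} else {
    Write-Output "[Error] clamd did not answer PING within the timeout. Check TCPSocket/TCPAddr in clamd.conf and the database directory."
}
```

The check is worth keeping even on a machine where 60 seconds happens to be enough: database size grows with every update, so the time clamd needs to initialise only goes up, and a scan that runs before the daemon is ready silently produces "Infected files: 0" with a single error line rather than a failed scan.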

evild3ad commented 3 years ago

Nice!

antmar904 commented 3 years ago

Question, can you explain to me what this means?

"X:\name\MsMpEng.exe-4596\vmemd\0x000001ca00b60000.vvmem: Win.Exploit.Shellcode-1 FOUND"

MsMpEng.exe is the process, 4596 is the PID, not sure what "vmemd" is, "0x000001ca00b60000.vvmem" is the address space?

antmar904 commented 3 years ago

Sorry to keep using the "Issues" section in the repo for questions, maybe you can enable the "Discussions" section?

evild3ad commented 3 years ago

Yes. But keep in mind that MsMpEng.exe is Microsoft Defender. ClamAV detections in AV related processes can be ignored. I added a filter for MsMpEng.exe: "$OUTPUT_FOLDER\ClamAV\Infected\InfectedFiles-filtered.txt"
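The detection line quoted above follows the layout of the mounted MemProcFS file system: a per-process directory named <process>-<pid>, a vmemd subdirectory, and one .vvmem file per virtual memory region named by its base address. The following added example, not MemProcFS-Analyzer's own code, parses such scan output into process, PID, region base and signature, and separates detections in AV engines such as MsMpEng.exe (whose memory legitimately contains malware patterns) from the rest, which is the effect of the filtered file mentioned above. The sample scan lines are constructed for this example and are not real detections; the list of filtered process names is an assumption.

```powershell
# Added example (not MemProcFS-Analyzer's own code).
# Constructed sample clamscan/clamdscan output; the path layout
# <process>-<pid>\vmemd\<base>.vvmem follows the line quoted in the issue.
$ScanLines = @(
    'X:\name\MsMpEng.exe-4596\vmemd\0x000001ca00b60000.vvmem: Win.Exploit.Shellcode-1 FOUND',
    'X:\name\notepad.exe-1234\vmemd\0x0000000000400000.vvmem: OK',
    'X:\name\svchost.exe-2222\vmemd\0x00000215c3b40000.vvmem: Win.Trojan.Agent-123 FOUND',
    'X:\name\svchost.exe-2222\vmemd\0x00000215c3b60000.vvmem: Empty file'
)

# Assumed list of processes whose memory is expected to hold signature
# material (AV engines); extend to fit the environment being analysed.
$FilteredProcesses = @('MsMpEng.exe')

# Only "FOUND" lines are detections; "OK" and "Empty file" lines are dropped.
$Pattern = '^(?<Path>.+\\(?<Process>[^\\]+)-(?<PID>\d+)\\vmemd\\(?<Base>0x[0-9a-fA-F]+)\.vvmem): (?<Signature>.+) FOUND$'

function ConvertFrom-ClamAVScanLine {
    param([Parameter(Mandatory)][string]$Line)
    if ($Line -match $Pattern) {
        [pscustomobject]@{
            Process   = $Matches.Process
            PID       = [int]$Matches.PID
            Base      = $Matches.Base
            Path      = $Matches.Path
            Signature = $Matches.Signature
            Filtered  = $FilteredProcesses -contains $Matches.Process
        }
    }
}

$Detections = $ScanLines | ForEach-Object { ConvertFrom-ClamAVScanLine -Line $_ }

Write-Output "[Info]  Detections to triage:"
$Detections | Where-Object { -not $_.Filtered } | Format-Table Process, PID, Base, Signature

Write-Output "[Info]  Detections in filtered (AV) processes:"
$Detections | Where-Object { $_.Filtered } | Format-Table Process, PID, Base, Signature
```

Keep the filtered detections rather than discarding them: a shellcode signature hitting inside an AV engine is usually the engine's own pattern data, but the PID and region base are still available if that process needs to be examined later.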