Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
From: Alex N. <ajn...@cs...> - 2014-08-20 19:27:05
I think it would be $MBR you'd want to feed to clamscan. I don't suppose you're looking at the XML output from Fiwalk, and see some <byte_runs> elements for $MBR? I recall that being something I wanted to add to Fiwalk when making other tools populate virtual files.

--Alex

On Wed, Aug 20, 2014 at 3:12 PM, Christie Peterson <cpe...@jh...> wrote:
> Hi Alex,
>
> Thanks for the response & the explanation of how Fiwalk runs plugins.
>
> From the Fiwalk XML output, it looks like $MBR, $FAT1, $FAT2 and $OrphanFiles are being exposed as virtual files, but the plugin is not running over them. I don’t have anything called $Boot.
>
> Christie
>
> *From:* Alex Nelson [mailto:ajn...@cs...]
> *Sent:* Tuesday, August 19, 2014 11:21 AM
> *To:* Christie Peterson
> *Cc:* sle...@li...
> *Subject:* Re: [sleuthkit-users] Fiwalk clam scripts miss boot sector virus
>
> Fiwalk runs plugins against individual files, not against the entire disk image. For your floppy, is the boot sector being exposed as a virtual file, like a FAT file system's allocation table is exposed as $FAT1 or $FAT2? (Offhand I recall Fiwalk doesn't do this for floppies, but I don't have a floppy handy to test. Fiwalk usually creates all its virtual and non-virtual files starting at the scope of the file system, after the partition table is processed.) If the boot sector isn't exposed as a virtual file, Fiwalk won't clamscan it.
>
> Could you post the names of files with a $ at the beginning? The boot sector would be $Boot or something similar if it existed.
>
> --Alex
>
> On Mon, Aug 18, 2014 at 3:35 PM, Christie Peterson <cpe...@jh...> wrote:
>
> I have some floppy disks known to be infected with the boot sector virus AntiCMOS.B but when I run ficlam.sh/clamconfig.txt (https://github.com/sleuthkit/sleuthkit/tree/master/tools/fiwalk/plugins) against images of these disks, it returns nothing found.
>
> I’m wondering if this is because of how fiwalk “walks” disk images – would a malware scan using fiwalk to access the contents of a disk image ever find something in the boot sector? I’d appreciate any explanation that you could provide.
>
> Thanks in advance,
>
> Christie Peterson
>
> ------------------------------------------------------------------------------
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
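The thread above suggests feeding the $MBR virtual file to clamscan when Fiwalk's plugin does not scan it itself. The following is an added example, not code from the thread or from the Sleuth Kit project: it reads the <byte_runs> that Fiwalk records in its DFXML output for each $-prefixed virtual file, carves those bytes out of the image so a scanner can be run over them, and sanity-checks the carved $MBR for a boot sector signature. The DFXML namespace and the byte_run attribute names (img_offset, len) are assumed from DFXML's layout; the image and DFXML fragment are constructed samples.

```python
"""Carve Fiwalk virtual files ($MBR, $FAT1, ...) out of a disk image using the
<byte_runs> recorded in Fiwalk's DFXML output, so they can be handed to a
scanner such as clamscan.  All inputs here are constructed samples."""
import xml.etree.ElementTree as ET

# DFXML default namespace; byte_run attribute names (img_offset, len) are
# assumed to follow DFXML's layout.
DFXML_NS = "{http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML}"

# Constructed 2 KiB "floppy image": a 512-byte boot sector carrying the
# 0x55AA signature, followed by a 512-byte FAT region and unused space.
IMAGE = bytearray(2048)
IMAGE[0:3] = b"\xEB\x3C\x90"          # typical x86 jump at start of a boot sector
IMAGE[510:512] = b"\x55\xAA"          # boot sector signature
IMAGE[512:515] = b"\xF0\xFF\xFF"      # FAT12 media descriptor + end-of-chain

# Constructed DFXML fragment modelled on fiwalk output for this image.
DFXML = f"""<dfxml xmlns="{DFXML_NS[1:-1]}"><volume offset="0">
 <fileobject><filename>$MBR</filename>
  <byte_runs><byte_run img_offset="0" len="512"/></byte_runs></fileobject>
 <fileobject><filename>$FAT1</filename>
  <byte_runs><byte_run img_offset="512" len="512"/></byte_runs></fileobject>
 <fileobject><filename>README.TXT</filename>
  <byte_runs><byte_run img_offset="1024" len="64"/></byte_runs></fileobject>
</volume></dfxml>"""

def carve_virtual_files(dfxml_text, image):
    """Return {filename: bytes} for every fileobject whose name starts with
    '$', built by concatenating its byte_run img_offset/len ranges in
    document order; runs lacking img_offset are skipped."""
    root = ET.fromstring(dfxml_text)
    carved = {}
    for fo in root.iter(DFXML_NS + "fileobject"):
        name = fo.findtext(DFXML_NS + "filename", default="")
        if not name.startswith("$"):
            continue                      # ordinary files: fiwalk scans these
        data = b""
        for run in fo.iter(DFXML_NS + "byte_run"):
            if "img_offset" not in run.attrib:
                continue
            off, length = int(run.get("img_offset")), int(run.get("len"))
            data += bytes(image[off:off + length])
        carved[name] = data
    return carved

def boot_sector_signature_ok(sector):
    """Sanity check before scanning: a PC boot sector ends in 0x55 0xAA."""
    return len(sector) == 512 and sector[510:512] == b"\x55\xAA"

if __name__ == "__main__":
    for name, blob in carve_virtual_files(DFXML, IMAGE).items():
        # Write each blob to a file and run `clamscan <file>` over it; here
        # only the sizes are reported so the example runs offline.
        print(name, len(blob), "bytes")
```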