Skip to content

How to use

Nong Hoang Tu edited this page Jan 8, 2024 · 9 revisions

Help menu

The help menu is very simple:

$ rkscanmal -h

Engine options:
 --use-clamdb                  Use ClamAV's default sigs (/var/lib/clamav/)
 --clam-debug                  Enable libclam debug mode
 --path-clamdb  <file or dir>  Set custom ClamAV's signatures
 --path-yaradb  <file>         Set custom Yara's rules

Scan options:
 --scan-files  <file1 file2>  Scan files and dirs
 --scan-procs  <pid1 pid2>    Scan processes. Skip if --all-procs is used
 --scan-mem                   Scan all running proccesses

Run basic scan

To scan files or directories

$ rkscanmal --scan-files <path_to_file_1> <path_to_file_2>

Example:

$ rkscanmal --scan-files /usr/bin/ls /home/myuser

To scan processes:

$ rkscanmal --scan-procs <pid 1> <pid 2>

Example:

$ rkscanmal --scan-procs 12 34567

Or if you want to scan all running processes, run

$ rkscanmal --scan-mem

Root privilege is required to scan root's processes or files / directories ;). You can run scan files and memories with 1 command

$ rkscanmal --scan-procs <pid 1> <pid 2> --scan-files <file 1> <dir 2>

or

$ rkscanmal --scan-mem --scan-files <file 1> <dir 2>

Scan with external signatures

Use ClamAV's signatures

  • Option --use-clamdb is a quick option to tell the tool use ClamAV's signature at /var/lib/clamav/. Use must run $ sudo freshclam to download databases. Please note that the database of ClamAV is huge. LibClamAV requires about 1.2Gb RAM to load all signatures.
$ rkcheck --scan-procs <pid> --scan-files <file or dir> --use-clamdb
  • If you want to use custom databases of ClamAV, use --path-clamdb <path to your signature>. This option support both file and directory. This example bellow is as same as --use-clamdb
$ rkcheck --scan-files /usr/bin/ --path-clamdb /var/lib/clamav/
  • Or a custom signature
$ rkcheck --scan-mem --path-clamdb /home/user/development/custom_rule.ldb

Use Yara's rules

  • You can use --path-yaradb. It's similar to --path-clamdb.

Use external variables for Yara rule.

  • My tool provides some external variables during process scan for heuristic detection. It might be changed so I'll update in the future ;).

Debug mode

  • Add --clam-debug will enable LibClamAV's debug mode, which print a lot of messages.
  • There's no debug messages for Yara (for now)
Clone this wiki locally