Valkyrie Verdict Daemon Service for Linux
One of the key benefits of Valkyrie Verdict is its ability to give a trusted verdict within 45 seconds on 92% of files (after automated analysis), and within 4 hours on the remaining 8% (after human analysis). Our industry-leading auto-analysis consists of several static and dynamic techniques, including state-of-the-art machine learning, precise detectors and dynamic behavior signatures.
Nevertheless, it is impossible to provide 100% threat visibility using automated techniques alone, as many problems in malware analysis have been shown to be undecidable [1, 2]. Many of these results rest on the fact that precisely deciding whether a given program/input satisfies an arbitrary post-condition is undecidable. The proofs are based on two general techniques:
* Either they build a self-contradictory program by assuming the existence of a decider for the given problem, similar to [3],
* or they give a reduction from a well-known undecidable problem, such as the Halting Problem, similar to [4].
The 8% of unclassified files that require further testing are then analyzed by human experts who specialize in identifying complex and zero-day malware samples. Verdicts on these files are available to our users after 4 hours, according to our SLA. Valkyrie customers can be confident that 100% of threats have been correctly identified after this 4 hour period. This is not some wild marketing claim; it is a scientific '100%' built on the candid recognition that even the most advanced automatic tests available today cannot provide the correct verdict on all files. For those that remain, human analysis is absolutely essential. Users should always beware of vendors that claim total protection based on automated mechanisms alone.
Customers who also use Comodo security solutions on their network are, of course, completely safe during this four-hour period. The 8% of unknown files will be isolated in a secure virtual container which cannot access other processes, system files or user data.
Now, with the Valkyrie Verdict Daemon Service, you can scan any file or folder on your server using commands sent over TCP, and retrieve the latest analysis results for unknown files located in your environment. Moreover, by integrating the scanner with other applications or processes, you can easily develop any kind of next-generation verdicting application. Valkyrie Verdict Daemon supports the same command interface as the daemon service of the popular open-source malware detection tool ClamAV, so replacing it with Valkyrie Verdict takes only a short amount of time.
How it Works
The Verdict Daemon Service (VVDaemon) listens for incoming connections on a TCP socket and scans files or directories on demand. VVDaemon supports commands similar to those of its command-line scanner counterpart and reads its default configuration file before starting the background service. The daemon is distributed as a Debian package and is currently tested on Ubuntu 16.04. VVDaemon reads its default configuration from /etc/vvdaemon/vvdaemon.conf; you can change any setting in that file and restart the service.
Supported Commands
VVDaemon supports the following commands over its TCP port (default port: 9999):
Command | Details |
---|---|
PING | Checks the daemon's state (should reply with "PONG"). |
VERSION | Print the program version. |
SHUTDOWN | Perform a clean exit. |
SCAN file/directory | Scan a file or directory (recursively) with archive support enabled (a full path is required). |
RAWSCAN file/directory | Scan a file or directory (recursively) with archive and special file support disabled (a full path is required). |
CONTSCAN file/directory | Scan a file or directory (recursively) with archive support enabled, and don't stop scanning when a virus is found. |
MULTISCAN file/directory | Scan a file in the standard way, or scan a directory (recursively) using multiple threads (to make scanning faster on SMP machines). |
ALLMATCHSCAN file/directory | Works just like SCAN, except that after finding a virus within a file it continues scanning for additional viruses. |
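As an added example (not code from Valkyrie or Comodo), a small Python client for the command interface above, with a constructed mock daemon so it runs offline. It assumes the clamd-style framing noted in the comments; DEFAULT_PORT, build_command, send_command, daemon_is_healthy and the mock are names introduced here.

```python
import os
import socket
import socketserver
import threading

# Assumed, not stated on the page: one text command per connection and a
# newline-terminated reply after which the daemon closes the socket (clamd
# convention). The page fixes only the command names, port 9999 and PONG.
DEFAULT_PORT = 9999
SCAN_COMMANDS = {"SCAN", "RAWSCAN", "CONTSCAN", "MULTISCAN", "ALLMATCHSCAN"}

def build_command(name, path=None):
    """Build one request line, enforcing the page's rules client-side."""
    name = name.upper()
    if name in SCAN_COMMANDS:
        # Full path required; refuse newlines so no second command can ride along.
        if path is None or not os.path.isabs(path) or "\n" in path:
            raise ValueError("%s needs a full path without newlines" % name)
        return "%s %s\n" % (name, path)
    if name in ("PING", "VERSION", "SHUTDOWN"):
        return name + "\n"
    raise ValueError("unsupported command: %s" % name)

def send_command(host, port, name, path=None, timeout=5.0):
    """Send one command and return the daemon's reply, stripped."""
    request = build_command(name, path)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode())
        chunks = []
        while data := sock.recv(4096):  # read until the daemon closes
            chunks.append(data)
    return b"".join(chunks).decode().strip()

def daemon_is_healthy(host="127.0.0.1", port=DEFAULT_PORT):
    try:
        return send_command(host, port, "PING") == "PONG"  # anything else fails
    except (OSError, ValueError):
        return False

class _MockDaemon(socketserver.BaseRequestHandler):  # constructed stand-in
    def handle(self):
        line = self.request.recv(4096).decode().strip()
        reply = {"PING": "PONG", "VERSION": "mock-1.2.0"}.get(line, "ERROR")
        self.request.sendall((reply + "\n").encode())

def start_mock_daemon():  # free loopback port; returns (server, port)
    server = socketserver.TCPServer(("127.0.0.1", 0), _MockDaemon)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]
```

daemon_is_healthy is the check a monitoring job would run against the real service on its configured port.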
Configuration
VVDaemon reads configuration values from /etc/vvdaemon/vvdaemon.conf:
Configuration Value | Default Value | Details |
---|---|---|
Example BOOL | no | If this option is set, vvdaemon will not run. |
LogFile STRING | disabled | Save all reports to a log file. |
LogFileUnlock BOOL | no | By default the log file is locked for writing and only a single daemon process can write to it. This option disables the lock. |
LogFileMaxSize SIZE | 1048576 | Maximum size of the log file, in megabytes. A value of 0 disables the limit. |
LogTime BOOL | no | Log the time for each message. |
LogClean BOOL | no | Log all clean files. Useful for debugging, but drastically increases the log size. |
LogSyslog BOOL | no | Use the system logger (can work together with LogFile). |
LogFacility STRING | LOG_LOCAL6 | Type of syslog messages. Please refer to 'man syslog' for facility names. |
LogVerbose BOOL | no | Enable verbose logging. |
LogRotate BOOL | no | Rotate the log file. Requires the LogFileMaxSize option to be set prior to this option. |
ExtendedDetectionInfo BOOL | no | Log additional information about the infected file, such as its size and hash, together with the virus name. |
TemporaryDirectory STRING | system specific (usually /tmp or /var/tmp) | This option allows you to change the default temporary directory. |
TCPSocket NUMBER | disabled | TCP port number the daemon will listen on. |
TCPAddr STRING | disabled | By default clamd binds to INADDR_ANY. This option allows you to restrict the TCP address and provide some degree of protection from the outside world. This option can be specified multiple times in order to listen on multiple IPs. IPv6 is now supported. |
MaxThreads NUMBER | 10 | Maximum number of threads running at the same time. |
ExcludePath REGEX | disabled | Don't scan files and directories matching REGEX. This directive can be used multiple times. |
MaxDirectoryRecursion NUMBER | 15 | Maximum depth to which directories are scanned. |
Debug BOOL | no | Enable debug messages. |
LeaveTemporaryFiles BOOL | no | Do not remove temporary files (for debugging purposes). |
DetectPUA BOOL | yes | Detect Possibly Unwanted Applications. |
ScanPE BOOL | yes | PE stands for Portable Executable; it is the executable file format used in all 32- and 64-bit versions of Windows operating systems. This option allows ClamAV to perform a deeper analysis of executable files, and it is also required for decompression of popular executable packers such as UPX. If you turn off this option, the original files will still be scanned, but without additional processing. |
MaxScanSize SIZE | 100M | Sets the maximum amount of data to be scanned for each input file. Archives and other containers are recursively extracted and scanned up to this value. The size of an archive plus the sum of the sizes of all files within the archive count toward the scan size. For example, a 1M uncompressed archive containing a single 1M inner file counts as 2M toward the max scan size. Warning: disabling this limit or setting it too high may result in severe damage to the system. |
MaxFileSize SIZE | 25M | Files larger than this limit won't be scanned. Affects the input file itself as well as files contained inside it (when the input file is an archive, a document or some other kind of container). Warning: disabling this limit or setting it too high may result in severe damage to the system. |
MaxRecursion NUMBER | 16 | Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR file, all files within it will also be scanned. This option specifies how deeply the process should be continued. Warning: setting this limit too high may result in severe damage to the system. |
MaxFiles NUMBER | 10M | Number of files to be scanned within an archive, a document, or any other kind of container. |
MaxEmbeddedPE SIZE | | This option sets the maximum size of a file to check for embedded PE. Files larger than this value will skip the additional analysis step. Negative values are not allowed. |
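An added configuration audit (not part of the product) that reads a vvdaemon.conf and flags the settings the table above warns about: a TCPSocket with no TCPAddr (binds all interfaces), disabled or oversized scan limits, deep archive recursion, and no logging. It assumes clamd-style "Key Value" lines with '#' comments and that 0 disables a size limit; the sample file is constructed and the "4x default" threshold is this example's own heuristic.

```python
import re
# Assumed: clamd-style "Key Value" lines with '#' comments, and 0 meaning
# "disabled" for size limits. Checks follow the configuration table's
# warnings; the "4x default" threshold is this example's own heuristic.
CONSTRUCTED_CONF = """\
# constructed sample, not a shipped file
LogFile /var/log/vvdaemon.log
TCPSocket 9999
MaxScanSize 0
MaxFileSize 500M
MaxRecursion 64
"""

_SIZE_RE = re.compile(r"^(\d+)([KMG]?)$", re.I)
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def parse_conf(text):
    """Return {key: [values]}; repeatable keys (TCPAddr, ExcludePath) accumulate."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key, []).append(value.strip())
    return conf

def size_bytes(value):
    """Parse a SIZE such as 25M into bytes."""
    m = _SIZE_RE.match(value)
    if not m:
        raise ValueError("bad size: %s" % value)
    return int(m.group(1)) * _UNITS[m.group(2).upper()]

def audit(conf):
    """Return a list of findings; empty means nothing looked risky."""
    findings = []
    if "TCPSocket" in conf and "TCPAddr" not in conf:
        findings.append("TCPSocket set without TCPAddr: daemon binds INADDR_ANY")
    for key, default in (("MaxScanSize", "100M"), ("MaxFileSize", "25M")):
        val = conf.get(key, [default])[-1]
        if size_bytes(val) == 0:
            findings.append("%s set to 0: limit disabled" % key)
        elif size_bytes(val) > 4 * size_bytes(default):
            findings.append("%s=%s far above default %s" % (key, val, default))
    if int(conf.get("MaxRecursion", ["16"])[-1]) > 16:
        findings.append("MaxRecursion above default 16: deep nesting allowed")
    if "LogFile" not in conf and conf.get("LogSyslog", ["no"])[-1] != "yes":
        findings.append("no LogFile and LogSyslog off: scans are not recorded")
    return findings
```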
File Verdicts
VVDaemon prints the following file verdicts, taken from the analysis results log file:
Possible Verdicts
Verdict | Explanation |
---|---|
MALWARE | File is malware. |
CLEAN | File is clean (safe to execute). |
PUA | File is a Potentially Unwanted Application. |
NOT-SUPPORTED | File format is not supported by Valkyrie Verdict. |
UNKNOWN (In Analysis) | File verdict is still unknown and analysis is in progress. |
UNKNOWN | File verdict is unknown and no analysis is being performed. |
REQUEST-LIMIT-REACHED | The request limit for your API key has been reached in Valkyrie Verdict. |
Download Debian Package
Latest daemon service package: v1.2.0
Package SHA-256: 6c0cb6f7727b11ca905fda305b2f18aa4767881c304fb15dbe0075f7bc4cdc94
[1] Ali A. Selçuk, Fatih Orhan, Berker Batur, "Undecidable Problems in Malware Analysis", 12th International Conference for Internet Technology and Secured Transactions (ICITST), 2017. Online version: https://comodemia.comodo.com/Undecidable_Problems_in_Malware_Analysis.pdf
[2] David Evans, "On the Impossibility of Virus Detection", 2017. Online version: https://enterprise.comodo.com/whitepaper/Impossibility_of_Virus_Detection_WP.pdf
[3] Fred Cohen, "Computer viruses: theory and experiments", Computers and Security, 6(1):22-35, 1987.
[4] Fred Cohen, "Computational aspects of computer viruses", Computers and Security, 8(4):325-344, 1989.