Using Antivirus to Look for Vulnerable Log4j and Apply Mitigation

Posted: December 14th, 2021 | Author: | Filed under: IT Related | Tags: , , , , | 1 Comment »

In my previous post, I did share a bash script to help you to search for vulnerable log4j and delete the JndiLookup.class

When it come to Windows, it became a bit tricky because zip command/cli is not there and make it a bit difficult for massive deployment. However, today I’ve experimented with Antivirus(es) solution to perform search of the vulnerable log4j (or inventory purposes) and to apply mitigation by removing the JndiLookup.class

For inventory purposes, you may use the hashes of the vulnerable log4j below as custom indicator in your antivirus solution, in audit mode (not block/delete mode) and perform scanning. Whenever you receive alert from this custom rule, you know which machine are running the vulnerable version and may plan for the next action from there.

While for “auto mitigation”, you may use the hashes of the vulnerable JndiLookup.class below as custom indicator in your antivirus solution, in block/delete mode and perform scanning. Antivirus will be able to parse the JAR (zip) file and delete on specific hashes (JndiLookup.class) while ignoring other files. As per my testing with Microsoft Defender, Kaspersky, and Symantec SEP, only the specific hash/file will be remove and the JAR (zip) file will not be deleted. However it might be different for different configuration and please consult your antivirus vendor for confirmation

Hope it helps. Good luck and all the best

 

Vulnerable Log4j hashes:

Log4j JAR version,md5,sha1,sha256
log4j-core-2.0-beta9.jar,152ecb3ce094ac5bc9ea39d6122e2814,678861ba1b2e1fccb594bb0ca03114bb05da9695,dcde6033b205433d6e9855c93740f798951fa3a3f252035a768d9f356fde806d
log4j-core-2.0-rc1.jar,088df113ad249ab72bf19b7f00b863d5,4363cdf913a584fe8fa72cf4c0eaae181ef7d1eb,db3906edad6009d1886ec1e2a198249b6d99820a3575f8ec80c6ce57f08d521a
log4j-core-2.0-rc2.jar,de8d01cc15fd0c74fea8bbb668e289f5,2e8d52acfc8c2bbbaa7baf9f3678826c354f5405,ec411a34fee49692f196e4dc0a905b25d0667825904862fdba153df5e53183e0
log4j-core-2.0.jar,cd70a1888ecdd311c1990e784867ce1e,7621fe28ce0122d96006bdb56c8e2cfb2a3afb92,85338f694c844c8b66d8a1b981bcf38627f95579209b2662182a009d849e1a4c
log4j-core-2.0.1.jar,fbfa5f33ab4b29a6fdd52473ee7b834d,895130076efaf6dcafb741ed7e97f2d346903708,a00a54e3fb8cb83fab38f8714f240ecc13ab9c492584aa571aec5fc71b48732d
log4j-core-2.0.2.jar,8c0cf3eb047154a4f8e16daf5a209319,13521c5364501478e28c77a7f86b90b6ed5dbb77,c584d1000591efa391386264e0d43ec35f4dbb146cad9390f73358d9c84ee78d
log4j-core-2.1.jar,8d331544b2e7b20ad166debca2550d73,31823dcde108f2ea4a5801d1acc77869d7696533,8bdb662843c1f4b120fb4c25a5636008085900cdf9947b1dadb9b672ea6134dc
log4j-core-2.2.jar,5e4bca5ed20b94ab19bb65836da93f96,c707664e020218f8529b9a5e55016ee15f0f82ac,c830cde8f929c35dad42cbdb6b28447df69ceffe99937bf420d32424df4d076a
log4j-core-2.3.jar,110ab3e3e4f3780921e8ee5dde3373ad,58a3e964db5307e30650817c5daac1e8c8ede648,6ae3b0cb657e051f97835a6432c2b0f50a651b36b6d4af395bbe9060bb4ef4b2
log4j-core-2.4.jar,0079c907230659968f0fc0e41a6abcf9,0d99532ba3603f27bebf4cdd3653feb0e0b84cf6,535e19bf14d8c76ec00a7e8490287ca2e2597cae2de5b8f1f65eb81ef1c2a4c6
log4j-core-2.4.1.jar,f0c43adaca2afc71c6cc80f851b38818,a5334910f90944575147fd1c1aef9f407c24db99,42de36e61d454afff5e50e6930961c85b55d681e23931efd248fd9b9b9297239
log4j-core-2.5.jar,dd0e3e0b404083ec69618aabb50b8ac0,7ed845de1dfe070d43511fab321784e6c4118398,4f53e4d52efcccdc446017426c15001bb0fe444c7a6cdc9966f8741cf210d997
log4j-core-2.6.jar,5523f144faef2bfca08a3ca8b2becd6a,a7cb258b9c36f49c148834a3a35b53fe73c28777,df00277045338ceaa6f70a7b8eee178710b3ba51eac28c1142ec802157492de6
log4j-core-2.6.1.jar,48f7f3cda53030a87e8c387d8d1e4265,2b557bf1023c3a3a0f7f200fafcd7641b89cbb83,28433734bd9e3121e0a0b78238d5131837b9dbe26f1a930bc872bad44e68e44e
log4j-core-2.6.2.jar,472c8e1fbaa0e61520e025c255b5d168,00a91369f655eb1639c6aece5c5eb5108db18306,cf65f0d33640f2cd0a0b06dd86a5c6353938ccb25f4ffd14116b4884181e0392
log4j-core-2.7.jar,2b63e0e5063fdaccf669a1e26384f3fd,a3f2b4e64c61a7fc1ed8f1e5ba371933404ed98a,5bb84e110d5f18cee47021a024d358227612dd6dac7b97fa781f85c6ad3ccee4
log4j-core-2.8.jar,c6d233bc8e9cfe5da690059d27d9f88f,2be463a710be42bb6b4831b980f0d270b98ff233,ccf02bb919e1a44b13b366ea1b203f98772650475f2a06e9fac4b3c957a7c3fa
log4j-core-2.8.1.jar,547bb3ed2deb856d0e3bbd77c27b9625,4ac28ff2f1ddf05dae3043a190451e8c46b73c31,815a73e20e90a413662eefe8594414684df3d5723edcd76070e1a5aee864616e
log4j-core-2.8.2.jar,4a5177a172764bda6f4472b94ba17ccb,979fc0cf8460302e4ffbfe38c1b66a99450b0bb7,10ef331115cbbd18b5be3f3761e046523f9c95c103484082b18e67a7c36e570c
log4j-core-2.9.0.jar,fab646257f945b0b2a7ce3e1c3e3ce5f,052f6548ae1688e126c29b5dc400929dc0128615,fb086e42c232d560081d5d76b6b9e0979e5693e5de76734cad5e396dd77278fd
log4j-core-2.9.1.jar,942f429eacb8015e18d8f59996cfbee6,c041978c686866ee8534f538c6220238db3bb6be,dc435b35b5923eb05afe30a24f04e9a0a5372da8e76f986efe8508b96101c4ff
log4j-core-2.10.0.jar,dc99011f047e63dcc741b5ab68d116db,c90b597163cd28ab6d9687edd53db601b6ea75a1,22b58febab566eddd5d4863f09dad4d5cc57677b6d4be745e3c6ce547124a66d
log4j-core-2.11.0.jar,2abec2ce665e0d529a3f28fffbbb2dd3,e6b751e02120c08702d98750f6a80bc25343b7f5,c32029b32da3d8cf2feca0790a4bc2331ea7eb62ab368a8980b90c7d8c8101e0
log4j-core-2.11.1.jar,b2242de0677be6515d6cefbf48e7e5d5,592a48674c926b01a9a747c7831bcd82a9e6d6e4,a20c34cdac4978b76efcc9d0db66e95600bd807c6a0bd3f5793bcb45d07162ec
log4j-core-2.11.2.jar,c8bd8b5c5aaaa07a3dcbf57de01c9266,6c2fb3f5b7cd27504726aef1b674b542a0c9cf53,d4748cd5d8d67f513de7634fa202740490d7e0ab546f4bf94e5c4d4a11e3edbc
log4j-core-2.12.0.jar,5c527821d1084a7ef3e03d40144ff532,01723837573e4c5dbc8840f9f6e8f79b245b94bb,8818f82570d3f509cfb27c209b9a8df6f188857b7462951a61a137be09cf3463
log4j-core-2.12.1.jar,0138ba1c191d5c754fd0e3c3a61c0307,4382e93136c06bfb34ddfa0bb8a9fb4ea2f3df59,885e31a14fc71cb4849e93564d26a221c685a789379ef63cb2d082cedf3c2235
log4j-core-2.13.0.jar,b71a13fd5df251694fca116240003b22,57b8b57dac4c87696acb4b8457fd8cbf4273d40d,82e91afe0c5628b32ae99dd6965878402c668773fbd49b45b2b8c06a426c5bbb
log4j-core-2.13.1.jar,d365e48221414f93feef093a1bf607ef,533f6ae0bb0ce091493f2eeab0c1df4327e46ef1,88ebd503b35a0debe18c2707db9de33a8c6d96491270b7f02dd086b8072426b2
log4j-core-2.13.2.jar,0ac5b3e6e69ba7765683798e669a30b2,8eb1fc1914eb2550bf3ddea26917c9a7cbb00593,268dc17d3739992d4d1ca2c27f94630fb203a40d07e9ad5dfae131d4e3fa9764
log4j-core-2.13.3.jar,cc7d55ed69cc5fd34035b15c6edf79a0,4e857439fc4fe974d212adaaaa3b118b8b50e3ec,9529c55814264ab96b0eeba2920ac0805170969c994cc479bd3d4d7eb24a35a8
log4j-core-2.14.0.jar,862c00b2e854f9c0f1e8d8409d23d899,e257b0562453f73eabac1bc3181ba33e79d193ed,f04ee9c0ac417471d9127b5880b96c3147249f20674a8dbb88e9949d855382a8
log4j-core-2.14.1.jar,948dda787593340a7af1a18e328b7b7f,9141212b8507ab50a45525b545b39d224614528b,ade7402a70667a727635d5c4c29495f4ff96f061f12539763f6f123973b465b0

 

Vulnerable JndiLookup.class hashes:

JndiLookup.class for Log4J version,md5sum,sha1sum,sha256sum
2.0-beta9,662118846c452c4973eca1057859ad61,9799470c2cca80f047f6b0d1588dacae9aae26fc,39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8
2.0-rc1,662118846c452c4973eca1057859ad61,9799470c2cca80f047f6b0d1588dacae9aae26fc,39a495034d37c7934b64a9aa686ea06b61df21aa222044cc50a47d6903ba1ca8
2.0-rc2,1daf21d95a208cfce994704824f46fae,ec9326bae452f2d2e8a4852b24799d6458d11d46,a03e538ed25eff6c4fe48aabc5514e5ee687542f29f2206256840e74ed59bcd2
2,62c82ad7c1ec273a683de928c93abbe9,e605ca8be62f8f26c43d906f392090231e96edfd,fd6c63c11f7a6b52eff04be1de3477c9ddbbc925022f7216320e6db93f1b7d29
2.0.1,2365c12b4a7c5fa5d7903dd90ca9e463,040c7583735f58988635563b0b6c0f009d5ae5c0,964fa0bf8c045097247fa0c973e0c167df08720409fd9e44546e0ceda3925f3e
2.0.2,5c727238e74ffac28315c36df27ef7cc,7d403e7e7208e4d9ebaf2b32ddc90a04170580c5,9626798cce6abd0f2ffef89f1a3d0092a60d34a837a02bbe571dbe00236a2c8c
2.1,8ededbb1646c1a4dd6cdb93d9a01f43c,1b0283f98e00f04be9b8cf655f881e767c8bb386,a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307
2.2,8ededbb1646c1a4dd6cdb93d9a01f43c,1b0283f98e00f04be9b8cf655f881e767c8bb386,a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307
2.3,8ededbb1646c1a4dd6cdb93d9a01f43c,1b0283f98e00f04be9b8cf655f881e767c8bb386,a768e5383990b512f9d4f97217eda94031c2fa4aea122585f5a475ab99dc7307
2.4,da195a29e34e02e9e4c6663ce0b8f243,fb5cf0c358b50de4fcf6dc09bcb0ff7eccf2843a,a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7
2.4.1,da195a29e34e02e9e4c6663ce0b8f243,fb5cf0c358b50de4fcf6dc09bcb0ff7eccf2843a,a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7
2.5,da195a29e34e02e9e4c6663ce0b8f243,fb5cf0c358b50de4fcf6dc09bcb0ff7eccf2843a,a534961bbfce93966496f86c9314f46939fd082bb89986b48b7430c3bea903f7
2.6,766bf6b755adee673838fdf968c15079,f76a5c3b6aa75faa3dbbee93d776334c32dd102b,e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45
2.6.1,766bf6b755adee673838fdf968c15079,f76a5c3b6aa75faa3dbbee93d776334c32dd102b,e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45
2.6.2,766bf6b755adee673838fdf968c15079,f76a5c3b6aa75faa3dbbee93d776334c32dd102b,e8ffed196e04f81b015f847d4ec61f22f6731c11b5a21b1cfc45ccbc58b8ea45
2.7,4618c4bea52a4e2e2693b7d91b019c71,9d62849523dc3efbbe8b289e34f7cd84a6c37275,cee2305065bb61d434cdb45cfdaa46e7da148e5c6a7678d56f3e3dc8d7073eae
2.8,fe963defc63d2df86d3d4e2f160939ab,2e81d183edf1a8951b13a2f62de86e71d97e0d14,66c89e2d5ae674641138858b571e65824df6873abb1677f7b2ef5c0dd4dbc442
2.8.1,fe963defc63d2df86d3d4e2f160939ab,2e81d183edf1a8951b13a2f62de86e71d97e0d14,66c89e2d5ae674641138858b571e65824df6873abb1677f7b2ef5c0dd4dbc442
2.8.2,641fd7ae76e95b35f02c55ffbf430e6b,f5f55d34272b0ed9971943c35857dbca092c990f,d4ec57440cd6db6eaf6bcb6b197f1cbaf5a3e26253d59578d51db307357cbf15
2.9.0,88568653545359ace753f19a72b18208,ff0abd9cf6f6b59208251ef1ea0ff1509eba1924,0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e
2.9.1,88568653545359ace753f19a72b18208,ff0abd9cf6f6b59208251ef1ea0ff1509eba1924,0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e
2.10.0,88568653545359ace753f19a72b18208,ff0abd9cf6f6b59208251ef1ea0ff1509eba1924,0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e
2.11.0,88568653545359ace753f19a72b18208,ff0abd9cf6f6b59208251ef1ea0ff1509eba1924,0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e
2.11.1,88568653545359ace753f19a72b18208,ff0abd9cf6f6b59208251ef1ea0ff1509eba1924,0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e
2.11.2,88568653545359ace753f19a72b18208,ff0abd9cf6f6b59208251ef1ea0ff1509eba1924,0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e
2.12.0,4cb3a0271f77c02fd2de3144a729ab70,1dee0b0a29a7a2c13d4a7a12374038616cc1de89,5c104d16ff9831b456e4d7eaf66bcf531f086767782d08eece3fb37e40467279
2.12.1,4cb3a0271f77c02fd2de3144a729ab70,1dee0b0a29a7a2c13d4a7a12374038616cc1de89,5c104d16ff9831b456e4d7eaf66bcf531f086767782d08eece3fb37e40467279
2.13.0,7b2cf8f2e9d85014884add490878a600,0d502b6db6947e5b0c82725a65d719f0a8b16564,2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f
2.13.1,7b2cf8f2e9d85014884add490878a600,0d502b6db6947e5b0c82725a65d719f0a8b16564,2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f
2.13.2,7b2cf8f2e9d85014884add490878a600,0d502b6db6947e5b0c82725a65d719f0a8b16564,2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f
2.13.3,7b2cf8f2e9d85014884add490878a600,0d502b6db6947e5b0c82725a65d719f0a8b16564,2b32bfc0556ea59307b9b2fde75b6dfbb5bf4f1d008d1402bc9a2357d8a8c61f
2.14.0,737b430fac6caef7c485c9c47f0f9104,3aeb386c7ada3bd936bc20698b6d64e4e1643293,84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f
2.14.1,737b430fac6caef7c485c9c47f0f9104,3aeb386c7ada3bd936bc20698b6d64e4e1643293,84057480ba7da6fb6d9ea50c53a00848315833c1f34bf8f4a47f11a14499ae3f

One Comment on “Using Antivirus to Look for Vulnerable Log4j and Apply Mitigation”

  1. 1 E.J. said at 1:34 PM on June 19th, 2022:

    Not sure what im doing but i think you may have helped me. ty


Leave a Reply