@donb cool, please share with me earlier if you can.
Other off-the-top-of-the-head tricks (some need a different sig):
Password: quarantine pw files that aren't encrypted
syslog to local/remote: zorch certain logs based on log level etc.
Browser strings: logs
DNS additional records: local lookup caches
SMTP X-headers: mail files/spools
Anything across the net to bork IDSes running AV.
This is a gift that keeps on giving!
@Mudge At a high level, you insert the EICAR test string into the Erlang virtual machine's memory.
When BEAM (the VM) crashes, it automatically writes out a crash file (not a core dump, an Erlang specific format file). The EICAR sig will be written into it, causing it to be auto-deleted in certain A/V.
This is useful in environments where you can get code execution within Erlang, but you can't alter files outside of the VM, and you can't maintain persistence once the VM exits.
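One way to reproduce the trick described in the post above, written here as an added example rather than code taken from the thread. It assembles the EICAR test string at runtime (so the source file itself does not trip the scanner it is aimed at), then forces an Erlang crash dump with erlang:halt/1, which writes its string argument verbatim as the dump's "Slogan:" line. The dump path, the ERL_CRASH_DUMP_SECONDS setting, the choice of the slogan rather than relying on process-heap contents, and the escript wrapper are all assumptions of this example; whether the dump is subsequently quarantined depends entirely on how the host's A/V treats files containing the EICAR signature.

```erlang
#!/usr/bin/env escript
%% Added example (not from the thread): plant the EICAR test string in a
%% BEAM crash dump so an on-access A/V scanner removes the dump for us.
%% Assumes Erlang/OTP with escript and an A/V that scans files on write.

%% The 68-byte EICAR string is assembled from two fragments at runtime so
%% that this source file is not itself quarantined before it can run.
eicar() ->
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" ++
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*".

%% Returns the path the crash dump will be written to (assumed location).
dump_path() -> "/tmp/eicar_crash.dump".

main(_Args) ->
    %% Tell the runtime where to write the crash dump and let it finish
    %% writing (-1 = wait indefinitely). Both are read at dump time.
    os:putenv("ERL_CRASH_DUMP", dump_path()),
    os:putenv("ERL_CRASH_DUMP_SECONDS", "-1"),
    Sig = eicar(),
    %% Keep a copy on this process's heap as well: crash dumps also contain
    %% process heaps and binaries, but the slogan line is the reliable,
    %% unencoded place the string will appear.
    put(marker, list_to_binary(Sig)),
    io:format("halting; crash dump goes to ~s~n", [dump_path()]),
    %% erlang:halt/1 with a string argument produces an Erlang crash dump
    %% whose first line is "Slogan: <string>", then exits with status 1.
    erlang:halt(Sig).
```

After running it, `head -1 /tmp/eicar_crash.dump` should show the slogan line carrying the EICAR string; on a host where the A/V acts on that signature the file is quarantined or deleted instead, which is the observable that makes the trick work. If the dump survives, the scanner either does not watch that directory or does not act on EICAR, and the "different sig" remark above applies.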
@Mudge @cynicalsecurity a few years back said you can use it to catch files as they are being exfiltrated: https://twitter.com/cynicalsecurity/status/481827710072000513
@Tanuki @Mudge yes, if you plant the EICAR string in files then when they cross the boundaries you can see them trigger even basic rules on ClamAV (i.e. use ClamAV purely as an exfiltration detection mechanism without the other rules).
It is similar in concept to CanaryTokens (https://canarytokens.org/).