[Clamav-devel] Is this how clamAV is intended to work?
tyler at hack.ink
Thu Mar 5 13:52:49 EST 2015
Okay, that sounds like the right approach. I thought it surely was
something simple like that. I'm glad to hear that everything's ok :)
On 03/05/15, Andy Singer wrote:
> It depends on how the signature was written. In the case of eicar, it is
> so it will be detected only if the eicar pattern is at position 0 of
> the file. If you change the signature to
> the file will be detected regardless of where the pattern appears. In the
> case of WIN.Trojan.DarkKomet, the signature is,
> This can be present anywhere in a file, but only if it's a PE file. If you
> prepend random data to the file, it will no longer have an MZ header, and
> ClamAV will not recognize it as a PE file, so the signature will be
> ignored. In the signature, change the target (1 = PE) to (0 = any) and you
> can prepend random data.
> ClamAV was designed for scanning files, not shellcode. If a file doesn't
> have an MZ header, Windows won't execute it, so there's no need for ClamAV
> to continue checking for PE signatures.
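The target-type and offset behaviour described in the quoted reply, as an added illustration that is not part of this thread or of ClamAV's own code. It is a toy re-implementation of the two fields of a ClamAV `.ndb` signature line (`Name:TargetType:Offset:HexPattern`) that the reply discusses: target `0` (any file) versus `1` (PE, which the engine only recognises by the `MZ` header at byte 0), and offset `0` (pattern must start at byte 0) versus `*` (pattern may appear anywhere). The signature names and byte patterns are constructed stand-ins, since the message omits the real signature bodies; the real engine supports many more target types and offset forms than this sketch handles.

```python
"""Toy model of ClamAV .ndb signature matching: target type and offset semantics.

Constructed teaching code, not ClamAV's engine. Handles only:
  TargetType 0 = any file, 1 = PE (file must begin with the 'MZ' DOS header)
  Offset     '*' = anywhere in the file, or a decimal byte offset such as 0
"""
from dataclasses import dataclass
import binascii

TARGET_ANY = 0
TARGET_PE = 1


@dataclass
class NdbSignature:
    name: str
    target: int
    offset: str      # "*" or a decimal byte offset
    pattern: bytes

    @classmethod
    def parse(cls, line: str) -> "NdbSignature":
        # Only the four mandatory .ndb fields are read; optional MinFL/MaxFL are ignored.
        name, target, offset, hexpat = line.strip().split(":")[:4]
        return cls(name, int(target), offset, binascii.unhexlify(hexpat))


def is_pe(data: bytes) -> bool:
    """The engine only treats a file as PE if 'MZ' sits at byte 0 (no header, no PE)."""
    return data[:2] == b"MZ"


def matches(sig: NdbSignature, data: bytes) -> bool:
    # Target gate: a PE-targeted signature is skipped entirely for non-PE files.
    if sig.target == TARGET_PE and not is_pe(data):
        return False
    if sig.offset == "*":
        return sig.pattern in data
    off = int(sig.offset)
    return data[off:off + len(sig.pattern)] == sig.pattern


def scan(sigs, data: bytes) -> list:
    """Return the names of all signatures that match the given bytes."""
    return [s.name for s in sigs if matches(s, data)]


# Constructed stand-in patterns (not the real ClamAV signature bodies).
FILE_PATTERN = b"DEMO-TEST-PATTERN"
PE_PATTERN = b"DEMO-PE-MARKER"

SIGS = [NdbSignature.parse(line) for line in [
    "Demo.Pattern.AtStart:0:0:" + FILE_PATTERN.hex(),    # any file, byte 0 only
    "Demo.Pattern.Anywhere:0:*:" + FILE_PATTERN.hex(),   # any file, any position
    "Demo.PEOnly.Anywhere:1:*:" + PE_PATTERN.hex(),      # PE files only, any position
]]

PADDING = b"\x00" * 16  # stands in for data prepended to the file


def demo() -> dict:
    """Scan four constructed inputs and report which signatures fire on each."""
    fake_pe = b"MZ" + b"\x90" * 62 + PE_PATTERN  # minimal 'MZ'-headed stand-in
    return {
        "pattern_plain": scan(SIGS, FILE_PATTERN),
        "pattern_prepended": scan(SIGS, PADDING + FILE_PATTERN),
        "pe_plain": scan(SIGS, fake_pe),
        "pe_prepended": scan(SIGS, PADDING + fake_pe),  # 'MZ' no longer at byte 0
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:18s} -> {hits}")
```

Running it shows the four cases from the reply: the offset-0 signature fires only when the pattern starts the file, the `*` signature fires in both positions, and the PE-targeted signature stops firing as soon as prepended bytes push the `MZ` header off byte 0, even though its pattern is still present.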