[Clamav-devel] Is this how clamAV is intended to work?

Tyler Manson tyler at hack.ink
Thu Mar 5 13:52:49 EST 2015


Hi,

Okay, that sounds like the right approach. I thought it surely was
something simple like that. I'm glad to hear that everything's ok :)


On 03/05/15, Andy Singer wrote:
> Hi,
> It depends on how the signature was written. In the case of eicar, it is
> Eicar-Test-Signature:0:0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
> 
> so it will only be detected only if the eicar pattern is at position 0 of
> the file. If you change the signature to
> 
> Eicar-Test-Signature:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
> 
> the file will be detected regardless of where the pattern appears. In the
> case of WIN.Trojan.DarkKomet, the signature is,
> 
> WIN.Trojan.DarkKomet:1:*:657473746174202d61202d6e202d6f00000000ffffffff0d00000044444f5348545450464c4f4f44000000ffffffff0c00000044444f5353594e464c4f4f4400000000ffffffff0c00000044444f53554450464c4f4f4400000000ffffffff0a0000005b436861
> 
> This can be present anywhere in a file, but only if it's a PE file. If you
> prepend random data to the file, it will no longer have an MZ header, and
> ClamAV will not recognize it as a PE file, so the signature will be
> ignored. In the signature, change the target (1= PE) to (0= any) and you
> can prepend random data.
> 
> ClamAV was designed for scanning files, not shellcode. If a file doesn't
> have an MZ header, Windows won't execute it, so there's no need for ClamAV
> to continue checking for PE signatures.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-devel/attachments/20150305/ffe55362/attachment.sig>


More information about the clamav-devel mailing list