[clamav-users] Match on raw .wsf file?
kdeugau at vianet.ca
Wed Aug 31 15:16:35 EDT 2016
Kris Deugau wrote:
> Is there a way to force matching on the raw file, or at least control
> the normalization to some degree so that formatting and details in the
> original code aren't lost?
As a complement to that question, is there a way to *force* other
the obfuscation as in the examples I posted is all the ways you can
split those strings, plus all the variations on whitespace in between
the string fragments and operators.
> I've been coming across .wsf files in .zip files, which are essentially
> <job><script language="JScript" width=100>
> However, signatures I've created based on the raw file never match, and
> I finally figured out a few months ago that I'd have to use clamscan
> --leave-temps to dig up the normalized text Clam was actually running
> pattern matches against.
> Unfortunately I've just discovered a flaw in this process, in that the
> normalizing process is also stripping off some of the key JS-obfuscation.
> I've posted the raw first ~8 lines of one of these files, and the
> normalized version of that same chunk of text:
> In this case, one of the key things I'd like to match on is the
> "br"+"o"+"ken" strings in their broken form, but that information is
> wiped away in the normalized version.
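The mismatch described in this thread, as an added example (this is not ClamAV's code and not a reproduction of its normalizer): a simplified, hypothetical normalizer folds `"br"+"o"+"ken"` into `"broken"`, so a signature written against the raw split form stops matching once normalization has run, while a regex that tolerates the quote/plus/whitespace gaps between characters matches the raw variants of the split string the post mentions. The sample lines, the `normalize` function and the `split_tolerant_pattern` helper are all constructed for this illustration.

```python
import re

# Constructed sample lines in the style the post describes: one keyword split
# across concatenated string literals with varying whitespace. These are not
# the real samples from the list post.
RAW_SAMPLES = [
    'var s = "br"+"o"+"ken";',
    'var s = "br" + "o"+ "ken";',
    "var s = 'bro'+'ken';",
    'var s = "broken";',
]

# A signature written against the raw, split form exactly as seen in sample 0.
RAW_LITERAL_SIG = '"br"+"o"+"ken"'

# Matches two adjacent double-quoted literals joined by '+' (whitespace allowed).
_CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')


def normalize(js):
    """Simplified stand-in for a script normalizer (assumption: this is NOT
    ClamAV's own logic). It collapses whitespace, unifies quote characters,
    lowercases, and folds adjacent string-literal concatenations into one
    literal, which is the behaviour the post describes losing detail to."""
    text = re.sub(r"\s+", " ", js).replace("'", '"').lower()
    prev = None
    while prev != text:  # keep folding until "a"+"b"+"c" is a single literal
        prev = text
        text = _CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), text)
    return text


def matches_raw_literal(samples, normalized=False):
    """Which samples the raw-literal signature hits, on raw or normalized text."""
    return [RAW_LITERAL_SIG in (normalize(s) if normalized else s) for s in samples]


def split_tolerant_pattern(keyword):
    """Regex that matches `keyword` whether or not it is split into quoted
    fragments joined by '+', with arbitrary whitespace around the operator."""
    gap = r"""(?:["']\s*\+\s*["'])?"""
    return re.compile(gap.join(re.escape(c) for c in keyword), re.IGNORECASE)


def matches_split_tolerant(samples, keyword="broken"):
    """Which raw samples the split-tolerant regex for `keyword` hits."""
    pat = split_tolerant_pattern(keyword)
    return [pat.search(s) is not None for s in samples]


if __name__ == "__main__":
    for s in RAW_SAMPLES:
        print(repr(s), "->", repr(normalize(s)))
    print("raw literal sig, raw input:       ", matches_raw_literal(RAW_SAMPLES))
    print("raw literal sig, normalized input:", matches_raw_literal(RAW_SAMPLES, True))
    print("split-tolerant regex, raw input:  ", matches_split_tolerant(RAW_SAMPLES))
```

The raw-literal signature hits only the one sample it was copied from and nothing after normalization; the split-tolerant pattern hits every raw variant, which is the kind of coverage a signature against the un-normalized file would need. Whether such a pattern can be applied to the raw bytes rather than the normalized text is exactly the question the post raises and this example does not answer.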