[clamav-users] Clamav cannot detect a malware using a signature based on html comment

Alain Zidouemba azidouemba at sourcefire.com
Tue Jan 26 07:43:54 EST 2016


Arnaud:

Did you normalize your file? I.e. clamscan --leave-temps?

- Alain

> On Jan 26, 2016, at 6:55 AM, Arnaud Jacques / SecuriteInfo.com <webmaster at securiteinfo.com> wrote:
>
> Hello Steve,
>
>> I've seen the same.... sometimes I've had to end up using type 0, instead
>> of 3/4/7 which isn't ideal.
>
> Even with filetype 0 this doesn't match :
>
> # cat test.ndb
> test:7:*:3c212d2d20546869732069732061206d616c77617265202d2d3e
> test:7:*:3c212d2d20746869732069732061206d616c77617265202d2d3e
> test:3:*:3c212d2d20546869732069732061206d616c77617265202d2d3e
> test:3:*:3c212d2d20746869732069732061206d616c77617265202d2d3e
> test:0:*:3c212d2d
>
> # clamscan -d test.ndb test.html
> test.html: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 5
> Engine version: 0.98.7
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 0.004 sec (0 m 0 s)
>
> --
> Best regards,
>
> Arnaud Jacques
> SecuriteInfo.com
>
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : @SecuriteInfoCom
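To compare the signatures quoted above with the files that `clamscan --leave-temps` leaves behind, it helps to see the literal bytes each line asks for. The following is an added example, not part of the original thread and not ClamAV code: it parses the `test.ndb` lines from the message and does a plain byte search. The sample buffer is constructed, and the names `parse_ndb` and `report` are hypothetical.

```python
import re
from dataclasses import dataclass

# Target types for ClamAV extended (.ndb) signatures: Name:Target:Offset:HexSig
TARGET_TYPES = {0: "any file", 1: "PE", 2: "OLE2", 3: "normalized HTML",
                4: "mail", 5: "graphics", 6: "ELF", 7: "normalized ASCII text"}

# The five signatures quoted in the message above.
TEST_NDB = """\
test:7:*:3c212d2d20546869732069732061206d616c77617265202d2d3e
test:7:*:3c212d2d20746869732069732061206d616c77617265202d2d3e
test:3:*:3c212d2d20546869732069732061206d616c77617265202d2d3e
test:3:*:3c212d2d20746869732069732061206d616c77617265202d2d3e
test:0:*:3c212d2d
"""

@dataclass
class NdbSig:
    name: str
    target: int
    offset: str
    hexsig: str

    @property
    def literal(self):
        """Bytes the signature matches, or None if it contains wildcards."""
        if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", self.hexsig):
            return bytes.fromhex(self.hexsig)
        return None

def parse_ndb(text):
    sigs = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # blank or malformed line
        sigs.append(NdbSig(parts[0], int(parts[1]), parts[2], parts[3]))
    return sigs

def report(sigs, buffers):
    """Per signature: (target type, literal bytes, names of buffers containing them).
    Plain case-sensitive search; offsets are ignored (all are '*' here)."""
    return [(TARGET_TYPES.get(s.target, "other"), s.literal,
             [n for n, b in buffers.items() if s.literal and s.literal in b])
            for s in parse_ndb(sigs) if True] if isinstance(sigs, str) else report(TEST_NDB, buffers)

if __name__ == "__main__":
    # Constructed sample; replace with the raw file and the --leave-temps output files.
    raw = b"<html><body><!-- This is a malware --></body></html>\n"
    for row in report(TEST_NDB, {"raw": raw}):
        print(row)
```

Load the raw file and each temp file into the `buffers` dictionary to see which of them still contain the bytes a given target type is scanned against.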


