[clamav-users] WSF viruses, and other issues

John T. Bryan john at johnbryan.us
Mon Oct 24 12:57:07 EDT 2016

I’ve been running ClamAV now for some years as the virus-checking plug-in on
my main multi-client mail server.  For a long time, I was very pleased with
it and how easily I was able to integrate it into the custom software back
when I first switched to it.

Lately, however, ClamAV never seems to catch any of the viruses that are
coming at my server.  My custom-built spam-checking software is
inadvertently catching the majority of them after ClamAV has passed them.  I
have noticed two primary patterns to the viruses that are coming through
these days:

* ZIP files containing a WSF (Windows Script File) and possibly some small
distractor files

* ZIP files containing a JavaScript file and possibly some small distractor

As for the WSF files, my primary issue there is that ClamAV seems to refuse
to check them at all; I have added literally hundreds of signatures for
these to my local signatures file but ClamAV still does not identify them as
viruses afterwards.

As for the JavaScript files, these are being obfuscated in various ways,
mostly just by altering the names of variables in the script and similar
obvious non-semantic alterations.  The obfuscation is almost certainly being
done by automated processes of some sort.  As a result, even multiple copies
of the same script produce different signatures due to the non-semantic
changes in the script.  I have added literally thousands of these to my
signature files but, of course, I rarely see the same obfuscated version
again and virtually none of them are getting caught.

The only malware that is being consistently caught these days is stuff
identified by the heuristics as OLE documents containing macros and spoofed
domains; I have had about a dozen of those in the last 30 days.  Alas, the
spoofed domains checking produces almost as many false positives as real

I dutifully send a copy of each new false negative that shows up on my
server off to your evaluation team.  I have no idea if you’re even looking
at them but I do send them.  Hopefully that’s helping.

As a programmer myself, I understand the difficulty in identifying an
obfuscated script, but is anything being done to address this?  And what can
be done about the WSF files that aren’t being checked at all?  Not that I
expect it will matter much; the ones I have examined by hand appear to be
obfuscated in ways similar to the JavaScript files.
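The problem described in the message above, where renamed variables give every copy of a script a different signature, can be seen by hashing a normalized token stream instead of the raw bytes. This is an added example, not part of the original post and not ClamAV's own code; the function names, the keep-list and the two constructed sample scripts are assumptions.

```python
import hashlib
import re

# Reserved words and a few host globals are kept verbatim (assumed list);
# any other identifier is treated as sender-chosen and replaced.
KEEP = frozenset("""
break case catch continue default delete do else finally for function if in
instanceof new return switch this throw try typeof var void while with
true false null undefined eval ActiveXObject WScript String Array Math
""".split())

# Simplified lexer: regex literals and template strings are not recognized.
TOKEN = re.compile(r"""
    (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<ident>[A-Za-z_$][\w$]*)
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<space>\s+)
  | (?P<punct>.)
""", re.VERBOSE | re.DOTALL)

def normalize(source: str) -> str:
    """Drop comments/whitespace; rename identifiers by order of first use."""
    names, out, prev_dot = {}, [], False
    for m in TOKEN.finditer(source):
        kind, text = m.lastgroup, m.group()
        if kind in ("comment", "space"):
            continue
        # Member names after '.' belong to the host object, so keep them.
        if kind == "ident" and text not in KEEP and not prev_dot:
            text = names.setdefault(text, f"#{len(names)}")
        out.append(text)
        prev_dot = text == "."
    return " ".join(out)

def digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

# Constructed samples: one harmless script, two sets of variable names.
SAMPLE_A = ('// build 1\nvar qwe = "hello";\n'
            'function zxc(a) { return a.length + 1; }\nWScript.Echo(zxc(qwe));\n')
SAMPLE_B = ('/* build 2 */\nvar kJh3 = "hello";\n'
            'function pLm(x9) {\n  return x9.length + 1;\n}\nWScript.Echo(pLm(kJh3));\n')

if __name__ == "__main__":
    print("raw hashes equal:       ", digest(SAMPLE_A) == digest(SAMPLE_B))
    print("normalized hashes equal:", digest(normalize(SAMPLE_A)) == digest(normalize(SAMPLE_B)))
```

Normalization of this kind only cancels renaming, comments and layout; string splitting or encoding layers would need their own handling.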

