[clamav-users] WSF viruses, and other issues

Kris Deugau kdeugau at vianet.ca
Mon Oct 24 14:30:15 EDT 2016


John T. Bryan wrote:
> I’ve been running ClamAV now for some years as the virus-checking plug-in on
> my main multi-client mail server.  For a long time, I was very pleased with
> it and how easily I was able to integrate it into the custom software back
> when I first switched to it.
> 
> Lately, however, ClamAV never seems to catch any of the viruses that are
> coming at my server.  My custom-built spam-checking software is
> inadvertently catching the majority of them after ClamAV has passed them.  I
> have noticed two primary patterns to the viruses that are coming through
> these days:
> 
> * ZIP files containing a WSF (Windows Script File) and possibly some small
> distractor files
> 
> * ZIP files containing a JavaScript file and possibly some small distractor
> files
> 
> As for the WSF files, my primary issue there is that ClamAV seems to refuse
> to check them at all; I have added literally hundreds of signatures for
> these to my local signatures file but ClamAV still does not identify them as
> viruses afterwards.

.wsf files are not pattern-matched as-is, they're decoded and normalized
first.  Run clamscan --leave-temps foo.wsf, and inspect the files left
in /tmp/clamav* (or wherever ClamAV leaves its temporary working files)
for the actual content ClamAV does its matching against.

Note that this actually strips off some of the obfuscation, making it a
little tricky if the pattern you're trying to match is, in and of
itself, the obfuscation.

I'd guess you're just using hash signatures from sigtool --md5 (or
--sha1, or --sha256), since if you collect a number of examples from a
single run you *can* find similarities in the files to create
pattern-based sigs that match a range of files.

I've posted one of the crude utilities I've been using under
http://www.deepnet.cx/~kdeugau/clamtools/.  This takes several files,
grabs a more or less arbitrary block of 8K hex characters (based on the
$baseoffset and $fromstart variables - I keep the script open in a text
editor and change these as I go), and spits out a pattern, with ?? or
{nn} bits for variant character runs, formatted for a .ndb signature.  I
tend to manually copy-paste an extract of that as a signature rather
than using the whole thing.  You can use this on any set of files you
think are likely to be similar, and if they're not as similar as you
thought (or the segment you set it up to extract isn't) you'll get
either something like "{2345}abf3{3243}", or possibly a couple of blank
lines, as output.

The other thing to try is an archive-contents filename signature.  I
haven't had much luck with the newer "any archive type" version, but
I've had decent luck with the older-style .zip-only .zmd signature file.
I still see hits on some of those signatures I've added locally coming
up on several years after first adding them.

-kgd
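Added example (Python, written for this page; it is not the Perl utility from the post): a re-implementation of the idea described above, namely taking the same window of bytes from several samples of one run, keeping the bytes they share as literal hex, and wildcarding the rest with `??` or `{n}` into a .ndb line. The constructed byte strings stand in for the normalized temp files `clamscan --leave-temps` leaves behind; the `base_offset`/`length` parameters, the `longest_literal_run` sanity check and the signature name are assumptions, not the post's script.

```python
import re
from typing import List


def common_pattern(windows: List[bytes]) -> str:
    """Build a ClamAV hex pattern from equally positioned byte windows.

    Bytes identical in every window become literal hex; a single variant
    byte becomes '??' and a run of n variant bytes becomes '{n}'
    (ClamAV's "exactly n bytes" wildcard).
    """
    if len(windows) < 2:
        raise ValueError("need at least two samples to find a common pattern")
    width = min(len(w) for w in windows)  # compare only the overlap
    tokens: List[str] = []
    variant_run = 0
    for i in range(width):
        if len({w[i] for w in windows}) == 1:
            if variant_run:  # flush the wildcard for the differing bytes
                tokens.append("??" if variant_run == 1 else "{%d}" % variant_run)
                variant_run = 0
            tokens.append("%02x" % windows[0][i])
        else:
            variant_run += 1
    if variant_run:
        tokens.append("??" if variant_run == 1 else "{%d}" % variant_run)
    return "".join(tokens)


def longest_literal_run(pattern: str) -> int:
    """Longest stretch of fixed bytes in a pattern. Output like
    '{2345}abf3{3243}' (as the post warns) scores 2 here: the samples
    were not as similar as assumed, and the window should be moved."""
    return max(len(chunk) // 2 for chunk in re.split(r"\?\?|\{\d+\}", pattern))


def ndb_signature(name: str, samples: List[bytes], base_offset: int,
                  length: int, target_type: int = 0) -> str:
    """Format one .ndb line: MalwareName:TargetType:Offset:HexSignature.
    Offset '*' because the pattern may sit anywhere in the normalized file;
    target_type 0 means any file type."""
    windows = [s[base_offset:base_offset + length] for s in samples]
    return "%s:%d:*:%s" % (name, target_type, common_pattern(windows))


def demo() -> str:
    # Constructed samples: a shared prefix, one differing byte, a shared
    # middle, three differing bytes, then a shared tail, behind 2 junk bytes.
    samples = [b"XX" + bytes([0x41, 0x42, 0x43, v, 0x44, 0x45, v, v + 1, v + 2, 0x46])
               for v in (0x10, 0x20, 0x30)]
    return ndb_signature("Example.Constructed.Sig", samples, base_offset=2, length=10)


if __name__ == "__main__":
    print(demo())
```

The emitted line can be pasted into a local .ndb file as-is; `longest_literal_run` is only a heuristic to spot windows where the wildcards swallow nearly everything.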
