[clamav-users] Match on raw .wsf file?
smorgan at sourcefire.com
Thu Sep 1 21:26:14 EDT 2016
Please try clamscan --scan-html=no to turn off normalization.
Hope this helps,
On Tue, Aug 30, 2016 at 4:36 PM, Kris Deugau <kdeugau at vianet.ca> wrote:
> Is there a way to force matching on the raw file, or at least control
> the normalization to some degree so that formatting and details in the
> original code aren't lost?
> I've been coming across .wsf files in .zip files, which are essentially
> <job><script language="JScript" width=100>
> However, signatures I've created based on the raw file never match, and
> I finally figured out a few months ago that I'd have to use clamscan
> --leave-temps to dig up the normalized text Clam was actually running
> pattern matches against.
> Unfortunately I've just discovered a flaw in this process, in that the
> normalizing process is also stripping off some of the key JS-obfuscation.
> I've posted the raw first ~8 lines of one of these files, and the
> normalized version of that same chunk of text:
> In this case, one of the key things I'd like to match on is the
> "br"+"o"+"ken" strings in their broken form, but that information is
> wiped away in the normalized version.