[clamav-users] Match on raw .wsf file?

Steven Morgan smorgan at sourcefire.com
Thu Sep 1 21:26:14 EDT 2016


Please try clamscan --scan-html=no to turn off normalization.

Hope this helps,
Steve

On Tue, Aug 30, 2016 at 4:36 PM, Kris Deugau <kdeugau at vianet.ca> wrote:

> Is there a way to force matching on the raw file, or at least control
> the normalization to some degree so that formatting and details in the
> original code aren't lost?
>
> I've been coming across .wsf files in .zip files, which are essentially
> Javascript wrapped in a very thin wrapper:
>
> <job><script language="JScript" width=100>
> [insert nasty Javascript here]
> </script></job>
>
> However, signatures I've created based on the raw file never match, and
> I finally figured out a few months ago that I'd have to use clamscan
> --leave-temps to dig up the normalized text Clam was actually running
> pattern matches against.
>
> Unfortunately I've just discovered a flaw in this process, in that the
> normalizing process is also stripping off some of the key JS-obfuscation.
>
> I've posted the raw first ~8 lines of one of these files, and the
> normalized version of that same chunk of text:
>
> http://deepnet.cx/clamfrags/raw-wsf-01
> http://deepnet.cx/clamfrags/norm-wsf-01
>
> In this case, one of the key things I'd like to match on is the
> "br"+"o"+"ken" strings in their broken form, but that information is
> wiped away in the normalized version.
>
> -kgd
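As an added illustration of the raw versus normalized forms discussed above (not code from either poster or from ClamAV), this Python snippet pulls the script body out of a constructed .wsf sample and emits two ClamAV NDB signatures: one on the raw `"br"+"o"+"ken"` text for scans run with `--scan-html=no`, and one on the concatenated form for default scans. The folding step is an assumed approximation of what a JS normalizer does, not ClamAV's own normalizer; the sample file and signature names are constructed.

```python
import re

# Constructed sample modelled on the .wsf wrapper quoted in the thread; the
# script body is a harmless placeholder standing in for the obfuscated code.
SAMPLE_WSF = b"""<job><script language="JScript" width=100>
var x = "br"+"o"+"ken";
</script></job>"""

# A run of double-quoted literals joined with '+', e.g. "br"+"o"+"ken".
STRING_CONCAT = re.compile(r'"[^"]*"(?:\s*\+\s*"[^"]*")+')

def script_body(wsf: bytes) -> bytes:
    """Return the bytes between the first <script ...> tag and its </script>."""
    m = re.search(rb"<script[^>]*>(.*?)</script>", wsf, re.S | re.I)
    return m.group(1) if m else b""

def fold_concat(js: str) -> str:
    """Join adjacent string literals: "br"+"o"+"ken" -> "broken".
    This approximates what a JS normalizer does to such expressions; it is
    not ClamAV's normalizer, so confirm the real output with --leave-temps."""
    def join(m):
        return '"' + "".join(re.findall(r'"([^"]*)"', m.group(0))) + '"'
    return STRING_CONCAT.sub(join, js)

def ndb_signature(name: str, needle: bytes, target_type: int = 0) -> str:
    """Build a ClamAV NDB line, Name:TargetType:Offset:HexSignature.
    Target type 0 matches any file type; offset '*' matches anywhere."""
    return f"{name}:{target_type}:*:{needle.hex()}"

def signatures_for(wsf: bytes, name: str) -> dict:
    """Emit one signature for the first obfuscated concatenation in the script
    (for scans run with --scan-html=no) and one for its folded form (for
    default scans against normalized text), so a single .ndb covers both."""
    body = script_body(wsf).decode("utf-8", "replace")
    m = STRING_CONCAT.search(body)
    if not m:
        return {}
    raw = m.group(0)
    return {
        "raw": ndb_signature(f"{name}.Raw", raw.encode()),
        "folded": ndb_signature(f"{name}.Norm", fold_concat(raw).encode()),
    }

if __name__ == "__main__":
    for line in signatures_for(SAMPLE_WSF, "Example.WSF.Concat").values():
        print(line)  # paste into a .ndb file and load it with clamscan -d
```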