[clamav-users] Dynamic engine module for scanning media files (e.g., MP3, MP4, etc.)?

Al Varnell alvarnell at mac.com
Tue Sep 19 06:45:20 UTC 2017


I'm not aware of a specific module devoted to JPEG files. Although there are a handful of JPEG-related signatures, there is no mention of a separate module or engine in the Signatures documentation. Can you tell us where you learned of it?

The topic of .MP3's has been discussed here before. They are being purposely ignored as evidenced by this section of the database:
daily.ftm
0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED
0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED

I don't believe anybody could come up with a malware sample to support changing this decision, but I don't believe anybody from ClamAV stepped up to defend it.

You can find a lot of speculation on how media files could contain malware, but the only description of actual malware involved files that were disguised with an .mp3 file name extension that were actually something like a Windows .exe file.

A search of VirusTotal shows over 2,000 hits, but after running through the top 20 hits, all actual media files were found to be clean by all scanners or simply had the letters mp3 in the file name of a non-media file. I've seen reports of several other scanners that purposely ignore .mp3 files, so that could be one reason.

I was able to locate three signatures for MP4 malware in the database, but only one uses the byte code engine. The other two are hash values:
BC.Mp4.Exploit.CVE_2017_2992-5819336-0
Mp4.Exploit.CVE_2015_8658-1
Mp4.Exploit.CVE_2016_1096-1

I was not able to locate any AVI specific signatures.

That's all I have time for tonight.

-Al-


On Sep 18, 2017, at 10:28 PM, Crystalslave <harlequin738 at gmail.com> wrote:

> Good evening, all.
> 
> First off, my thanks to the development team for creating and
> maintaining this great tool.
> 
> This message is being sent out to express my concern over a potential
> vulnerability that Clamscan doesn't currently seem to address. It is
> particularly alarming, because, as far as I can tell, ClamAV is the
> premiere malware scanner available for Linux (or at least for
> Debian--my personal OS).
> 
> For those Linux users who may have a substantial amount of old audio
> and video files in their possession (many of them from their Windows
> days), what is the suggested solution for retroactive scanning?
> 
> I know there is a Clamscan module for JPEG files. To me, that seems to
> constitute a tacit acknowledgement of the possibility that trojans can
> be disguised within media files. But there isn't any equivalent module
> for scanning MP3's, MP4's, AVI's, and other such files, is there? I've
> seen no indication of such.
> 
> As a stopgap measure for such Linux users, any newly-acquired files
> could be sent to VirusTotal to be scanned there. But dependence upon a
> cloud-based service hardly seems ideal to me, especially for those who
> may have substantial numbers of old files already in
> possession--mostly music, ponies, and anime that have all been legally
> acquired over the years.
> 
> I'm sure there must be some sort of significant hurdle associated with
> this proposition.  Would someone be willing to enlighten me to this
> end? It seems too common-sense to ignore for frivolous reasons,
> especially since such a media module would be useful for more than
> just personal files. Enterprises could benefit as well.
> 
> Thank you so much for your time.
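Added example, not part of either message in this thread: a small Python checker that parses the two daily.ftm lines quoted above (field layout assumed as magictype:offset:magicbytes:name:rtype:type) and applies the same direct magic-byte comparison to a file's leading bytes. It shows why those entries make ClamAV skip real MP3 content, and it flags the one concrete case the reply describes, a file carrying an .mp3 extension whose content is actually a Windows executable. The "MZ" rule and the sample byte strings are constructed for the demo and are not taken from the database.

```python
"""Check media-named files against ClamAV-style .ftm magic rules.

Assumed .ftm layout (matches the quoted lines):
    magictype:offset:magicbytes:name:rtype:type
Only magictype 0 (direct byte comparison at a fixed offset) is handled.
"""
from dataclasses import dataclass
from pathlib import PurePath
from typing import List, Optional

# The two MP3 entries quoted from daily.ftm in the thread, plus one
# constructed rule for the DOS/PE header so a disguised executable is visible.
FTM_TEXT = """
0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED
0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED
0:0:4d5a:DEMO-MSEXE:CL_TYPE_ANY:CL_TYPE_MSEXE
"""

MEDIA_EXTENSIONS = {".mp3", ".mp4", ".avi"}


@dataclass(frozen=True)
class FtmRule:
    offset: int
    magic: bytes
    name: str
    result_type: str  # the CL_TYPE_* value assigned when the magic matches


def parse_ftm(text: str) -> List[FtmRule]:
    """Parse type-0 .ftm lines; blank lines, comments and other magictypes are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError(f"malformed .ftm line: {line!r}")
        magictype, offset, magic, name, _rtype, result = fields[:6]
        if magictype != "0":
            continue
        rules.append(FtmRule(int(offset), bytes.fromhex(magic), name, result))
    return rules


def classify(data: bytes, rules: List[FtmRule]) -> Optional[str]:
    """Return the CL_TYPE_* of the first rule whose magic matches, else None."""
    for r in rules:
        if data[r.offset:r.offset + len(r.magic)] == r.magic:
            return r.result_type
    return None


def check_media_file(name: str, data: bytes, rules: List[FtmRule]) -> str:
    """Verdict for a media-named file:
    'skipped-by-ftm'   the content is real MP3 data; ClamAV's .ftm marks it IGNORED
    'disguised-exe'    media extension but executable content, the case from the thread
    'scan-normally'    no special handling applies
    """
    ext = PurePath(name).suffix.lower()
    ctype = classify(data, rules)
    if ext in MEDIA_EXTENSIONS and ctype == "CL_TYPE_MSEXE":
        return "disguised-exe"
    if ctype == "CL_TYPE_IGNORED":
        return "skipped-by-ftm"
    return "scan-normally"


# Constructed sample inputs: an ID3-tagged MP3, a raw MPEG frame, an MZ header.
SAMPLES = {
    "song.mp3": b"ID3\x03\x00" + b"\x00" * 32,
    "track.mp3": bytes.fromhex("fffb90") + b"\x00" * 32,
    "free_album.mp3": b"MZ\x90\x00" + b"\x00" * 60,
    "clip.mp4": b"\x00\x00\x00\x18ftypmp42",
}


def run_demo() -> dict:
    rules = parse_ftm(FTM_TEXT)
    return {name: check_media_file(name, data, rules) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16s} {verdict}")
```

The point of the check is the extension/magic mismatch: the two quoted .ftm lines mean genuine MP3 data is never scanned, so the only case worth surfacing is content that is not media at all. A real PE header would be recognised by ClamAV's own MS-EXE rule and scanned regardless of the file name; the constructed rule here only makes that branch visible in a self-contained script.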


