[clamav-users] Multiple Streams embedded as base64 inside xml
Kris Deugau
kdeugau at vianet.ca
Fri Apr 24 14:08:13 UTC 2020
G.W. Haywood via clamav-users wrote:
> It's quite possible that a scan could catch some
> known problem in *any* file, no matter how compressed, containerized
> and obfuscated, if there's already a signature which matches something
> in the raw file (that is, before any extraction and/or decoding takes
> place);
That's not entirely true, although I'd be happy to be proven wrong.
I've tried a couple of times to create signatures for Javascript malware
(and asked for pointers on this list a couple of times), based on an
obfuscation pattern in a series of raw files. I have yet to find a way
to actually match on the actual raw file in those cases.
-kgd