[clamav-users] Multiple Streams embedded as base64 inside xml
G.W. Haywood
clamav at jubileegroup.co.uk
Fri Apr 24 17:12:53 UTC 2020
Hi there,
On Fri, 24 Apr 2020, Kris Deugau wrote:
> G.W. Haywood via clamav-users wrote:
>> It's quite possible that a scan could catch some
>> known problem in *any* file, no matter how compressed, containerized
>> and obfuscated, if there's already a signature which matches something
>> in the raw file (that is, before any extraction and/or decoding takes
>> place);
>
> That's not entirely true, although I'd be happy to be proven wrong.
>
> I've tried a couple of times to create signatures for Javascript malware (and
> asked for pointers on this list a couple of times), based on an obfuscation
> pattern in a series of raw files. I have yet to find a way to actually match
> on the actual raw file in those cases.
I see some posts from you in 2016 which seemed to be basically about
normalization. Normalization was causing signatures for those things
to fail to match, but switching normalization off would have the same
effect on signatures which needed to work on normalized text. Absent
a signature type which calls for non-normalized text, I think the way
I'd approach that would be to run two instances of clamd - one for the
bulk of the signatures, and one for the (few?) custom signatures which
need to work on the raw files. In 2015 you said that you had trouble
getting signatures of the form
AB??CD??EF??...
to work. I don't know if that's still a problem, but if I were going
to look for such things I'd find it much quicker and easier to add a
Perl regex to my milter configuration than to write ClamAV signatures.
4-5 years ago I was heavily overworked with a new milter, otherwise I
might have piped up at the time. For the omissions I apologize.
I've remarked before that the bodies of mail which you and I seem to
see are very different. I don't recall ever seeing any of the kind of
obfuscation which has bothered you, but then I probably drop the mails
before they get as far as body scanning. That's a luxury I can afford
which perhaps you can't, but anything from a Yahoo server which claims
a gmail sender address is, in my view, fair game...
--
73,
Ged.
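The normalization point above (a signature written for raw bytes stops matching once the text is normalized, and a signature written for normalized text does not match the raw file) can be shown with a small experiment. The following is an added example, not code from the message or from ClamAV: it translates a hex signature body in the `AB??CD??EF` form (`??` as ClamAV's single-byte wildcard; the other wildcard forms are not implemented) into a byte regex, and uses a deliberately simplified stand-in normalizer (lowercase, collapse whitespace) on a constructed JavaScript fragment. The sample bytes and both signatures are constructed for the example.

```python
import re


def hex_signature_to_regex(sig_hex: str) -> re.Pattern:
    """Compile a ClamAV-style hex signature body into a bytes regex.

    Only plain hex bytes and the single-byte wildcard '??' are supported
    (the 'AB??CD??EF' form). ClamAV's other wildcards such as '*',
    '{n-m}' and '(aa|bb)' are intentionally left out of this example.
    """
    if len(sig_hex) % 2:
        raise ValueError("hex signature must have an even number of nibbles")
    parts = []
    for i in range(0, len(sig_hex), 2):
        pair = sig_hex[i:i + 2]
        if pair == "??":
            parts.append(b".")            # any single byte
        else:
            parts.append(re.escape(bytes([int(pair, 16)])))
    # DOTALL so the wildcard also consumes newline bytes in raw input
    return re.compile(b"".join(parts), re.DOTALL)


def normalize(data: bytes) -> bytes:
    """Simplified stand-in for a text normalizer (assumption for this example).

    ClamAV's HTML/JS normalizers do considerably more; this only lowercases
    and collapses whitespace runs, which is enough to show why a signature
    written against one representation misses the other.
    """
    return re.sub(rb"\s+", b" ", data).lower()


def matches(sig_hex: str, data: bytes) -> bool:
    return hex_signature_to_regex(sig_hex).search(data) is not None


# Constructed raw fragment: mixed case and three whitespace bytes between
# 'eVal(' and 'String', the sort of thing normalization smooths away.
RAW_SAMPLE = b"x=1;\teVal(\t \tString.fromCharCode(104,105));"

# Constructed signature written against the RAW bytes:
#   'eVal(' + three wildcard bytes + 'String'
RAW_SIG = "6556616c28??????537472696e67"

# Constructed signature written against the NORMALIZED text: 'eval( string'
NORM_SIG = "6576616c2820737472696e67"


def evaluate(raw: bytes = RAW_SAMPLE) -> dict:
    """Run both signatures against both representations of the sample."""
    norm = normalize(raw)
    return {
        "raw_sig_on_raw": matches(RAW_SIG, raw),
        "raw_sig_on_normalized": matches(RAW_SIG, norm),
        "norm_sig_on_raw": matches(NORM_SIG, raw),
        "norm_sig_on_normalized": matches(NORM_SIG, norm),
    }


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:24s} {'match' if hit else 'no match'}")
```

Each signature matches exactly one representation, which is the situation the message describes: one scanning pass cannot serve both unless there is a signature type that is explicitly applied to the un-normalized bytes, hence the suggestion of a second clamd instance (or a raw-byte check elsewhere in the pipeline) for the few raw-file signatures.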