One thing I'm seeing more and more of is malware code (be it PHP or ASP)
embedded after GIF headers.  ClamAV sees the GIF header and treats it
like an image (properly), but then ClamAV sees an HTML signature later
in the file.  However, it doesn't do any normalization on that HTML
data.  Would it be possible to add an option to clamscan that does
normalize the HTML data and analyzes it as usual?

Example:

LibClamAV debug: Recognized GIF file
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Matched signature for file type HTML data at 4197

Problem:

  I have signatures that would match the normalized HTML data, but
because the GIF header is there, clamscan doesn't normalize the HTML
data.  This means that I have to create unique signatures for each file
with a GIF header that contains different non-normalized HTML data.

Thanks,

Maarten

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
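
The following Python example is added here and is not part of the original post or of ClamAV. It walks the GIF block structure to find where the image ends, applies a simplified normalization (lowercasing and whitespace collapsing, an assumption standing in for ClamAV's HTML normalizer) to the bytes that follow, and matches a single signature against two spellings of a constructed, harmless payload. The names gif_end, normalize, scan_after_gif and the signature name are hypothetical.

```python
import re
import struct

def gif_end(data: bytes):
    """Offset just past the GIF trailer (0x3B), or None if the blocks don't parse."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    pos = 13                                  # 6-byte magic + 7-byte screen descriptor
    if data[10] & 0x80:                       # global colour table present
        pos += 3 * (2 << (data[10] & 7))
    try:
        while True:
            tag = data[pos]
            if tag == 0x3B:                   # trailer
                return pos + 1
            if tag == 0x21:                   # extension: label byte, then sub-blocks
                pos += 2
            elif tag == 0x2C:                 # image descriptor, optional local table
                flags = data[pos + 9]
                pos += 10 + (3 * (2 << (flags & 7)) if flags & 0x80 else 0) + 1
            else:
                return None
            while data[pos]:                  # skip length-prefixed sub-blocks
                pos += data[pos] + 1
            pos += 1                          # zero-length terminator
    except IndexError:                        # truncated or fake image
        return None

def normalize(raw: bytes) -> bytes:
    """Simplified stand-in for HTML normalization: lowercase, collapse whitespace."""
    return re.sub(rb"\s+", b" ", raw.lower()).strip()

def scan_after_gif(data: bytes, signatures: dict):
    """Return (payload_offset, names of signatures matching the normalized payload)."""
    end = gif_end(data)
    start = 6 if end is None else end         # unparsable image: keep all bytes after the magic
    tail = normalize(data[start:])
    return start, [name for name, pat in signatures.items() if pat in tail]

# Constructed sample data: a minimal 1x1 GIF and two harmless payload spellings.
GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b"\x2c"
       + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x4c\x01\x00\x3b")
VARIANT_A = b'<?PHP\r\n\tECHO   "constructed-marker";\n?>'
VARIANT_B = b'<?php echo "constructed-marker"; ?>'
SIGS = {"Test.Constructed.Marker": b'echo "constructed-marker"'}   # hypothetical signature

if __name__ == "__main__":
    for sample in (GIF + VARIANT_A, GIF + VARIANT_B, b"GIF89a" + VARIANT_A):
        print(scan_after_gif(sample, SIGS))
```

The third sample has only the GIF magic and no valid image blocks, so everything after the six magic bytes is treated as payload.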
