I've been running ClamAV now for some years as the virus-checking plug-in on my main multi-client mail server. For a long time, I was very pleased with it and how easily I was able to integrate it into the custom software back when I first switched to it.
Lately, however, ClamAV never seems to catch any of the viruses that are coming at my server. My custom-built spam-checking software is inadvertently catching the majority of them after ClamAV has passed them. I have noticed two primary patterns to the viruses that are coming through these days:

* ZIP files containing a WSF (Windows Script File) and possibly some small distractor files
* ZIP files containing a JavaScript file and possibly some small distractor files

As for the WSF files, my primary issue there is that ClamAV seems to refuse to check them at all; I have added literally hundreds of signatures for these to my local signatures file but ClamAV still does not identify them as viruses afterwards.

As for the JavaScript files, these are being obfuscated in various ways, mostly just by altering the names of variables in the script and similar obvious non-semantic alterations. The obfuscation is almost certainly being done by automated processes of some sort. As a result, even multiple copies of the same script produce different signatures due to the non-semantic changes in the script. I have added literally thousands of these to my signature files but, of course, I rarely see the same obfuscated version again and virtually none of them are getting caught.

The only malware that is being consistently caught these days is stuff identified by the heuristics as OLE documents containing macros and spoofed domains; I have had about a dozen of those in the last 30 days. Alas, the spoofed domains checking produces almost as many false positives as real ones.

I dutifully send a copy of each new false negative that shows up on my server off to your evaluation team. I have no idea if you're even looking at them but I do send them. Hopefully that's helping.

As a programmer myself, I understand the difficulty in identifying an obfuscated script, but is anything being done to address this? And what can be done about the WSF files that aren't being checked at all? Not that I expect it will matter much; the ones I have examined by hand appear to be obfuscated in ways similar to the JavaScript files.

Thanks!

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
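As an added example (not code from the post, the list, or ClamAV itself), here is a Python check for the attachment pattern the post describes: a ZIP attachment whose members include a script file such as .wsf or .js alongside small distractor files. The script-extension list, the constructed sample message and the inert placeholder WSF content are assumptions for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Script types to flag inside archives (assumed list; extend to taste).
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".cmd", ".bat", ".ps1"}


def suspicious_members(zip_bytes):
    """Return archive member names whose extension is a script type.
    Matching is case-insensitive and ignores directory entries; a payload
    that is not a valid ZIP yields an empty list."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [info.filename for info in zf.infolist()
                    if not info.is_dir()
                    and any(info.filename.lower().endswith(ext) for ext in SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def scan_message(raw):
    """Walk a raw RFC 822 message; return {attachment name: [flagged members]}."""
    msg = message_from_bytes(raw, policy=default)
    hits = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        # Trust the ZIP magic bytes, not the declared Content-Type or file name.
        if payload[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
            flagged = suspicious_members(payload)
            if flagged:
                hits[name] = flagged
    return hits


def build_sample():
    """Constructed sample: a ZIP holding one inert .WSF plus two distractor files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "placeholder text")
        zf.writestr("invoice.pdf.WSF", "<job></job>")  # harmless placeholder markup
        zf.writestr("logo.gif", b"GIF89a")
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", "Invoice"
    m.set_content("See attached.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return m.as_bytes()
```

Running `scan_message(build_sample())` flags the archive because of the double-extension `.WSF` member while ignoring the distractors.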
