Hi there,

On Thu, 23 Apr 2020, Görkem ÇINAR via clamav-users wrote:

> I have an xml file which has a list of pdf files embedded as base64.
>
> When I scan that xml file, does it also scan those base64 contents inside
> that xml or do I need to convert those base64 contents into different
> streams and scan them individually?

If ClamAV recognizes that there's base64 encoded text to be scanned it
will try to scan it, but it's not as simple as that.  See for example

https://blog.talosintelligence.com/2013/01/the-0-day-that-wasnt-dissecting-highly.html

To get an answer in one particular case - but perhaps _only_ in that
particular case, see

http://www.clamav.net/documents/creating-signatures-for-clamav

especially the part about half way down the page which talks about

clamscan --debug

and saving temporary files to show how ClamAV has processed the file.

A signature is just something which matches a string of bytes in the
data being scanned.  It's quite possible that a scan could catch some
known problem in *any* file, no matter how compressed, containerized
and obfuscated, if there's already a signature which matches something
in the raw file (that is, before any extraction and/or decoding takes
place); so it might not be necessary for ClamAV to do any processing
on the file before scanning.  Some signatures look specifically for
strings which have been obfuscated; try for example

sigtool -l | grep Obfuscated

for what's in your ClamAV database.

While ClamAV is of course capable of decoding base64 text, there are
caveats.  There's a tradeoff between scan times and the probability
that something detectable might be present in what's being scanned,
and the signatures themselves contain a field which determines their
applicability so that ClamAV doesn't waste its time scanning for some
threat which cannot be present in the scanned data.  If a signature is
restricted to a certain kind of data (it doesn't have to be, but many
are), then no matter whether or not it would match anything in the
scanned data, it won't be used in the scan if ClamAV believes that it
is not scanning that kind of data.  One of the things many malicious
authors try (sometimes quite hard, as you've seen) to do is hide the
real intent of their creation.  Sometimes they're successful, so even
if the answer to your question was a simple "yes", you couldn't really
rely on it.

Not only are you to some extent at the mercy of the malware authors,
you also to some extent depend on the whims of the signature writers.

--

73,
Ged.
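The second option in the question (decode each embedded PDF into its own stream and scan it separately, so that PDF-scoped signatures are certain to apply) is straightforward to script. The following is an added example, written for this reply and not code from Ged, the list, or the ClamAV project. It assumes a hypothetical XML schema in which attachments are elements carrying `encoding="base64"` and a `name` attribute; the sample document and its two "PDF" payloads are constructed inline. It uses the real `clamscan` options `--no-summary`, `--debug`, `--leave-temps` and `--tempdir`, so that with `leave_temps=True` the temporary files show how ClamAV itself processed each stream, as the reply suggests. If `clamscan` is not on the PATH, the attachments are still extracted and the result says so rather than silently reporting "clean".

```python
import base64
import binascii
import re
import shutil
import subprocess
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample payloads (not real documents): minimal PDF-looking bytes.
PDF_ONE = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
PDF_TWO = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"


def _b64_wrapped(data: bytes, width: int = 40) -> bytes:
    """Base64-encode and wrap at `width` columns, as XML exporters often do."""
    enc = base64.b64encode(data)
    return b"\n".join(enc[i:i + width] for i in range(0, len(enc), width))


# Constructed sample XML (hypothetical schema). The second attachment carries a
# traversal-style name to show that the name attribute must never be trusted.
SAMPLE_XML = (
    b"<?xml version='1.0'?>\n<documents>\n"
    b"  <document name='report.pdf' encoding='base64'>\n" + _b64_wrapped(PDF_ONE) + b"\n  </document>\n"
    b"  <document name='../invoice.pdf' encoding='base64'>\n" + _b64_wrapped(PDF_TWO) + b"\n  </document>\n"
    b"  <note>not an attachment</note>\n"
    b"</documents>\n"
)


def extract_attachments(xml_bytes: bytes) -> list:
    """Return [(name, decoded_bytes)] for every element marked encoding='base64'.

    The XML is untrusted input; for production use parse it with defusedxml
    (entity-expansion protection) instead of the stdlib parser used here.
    """
    root = ET.fromstring(xml_bytes)
    attachments = []
    for index, element in enumerate(root.iter()):
        if element.get("encoding") != "base64":
            continue
        name = element.get("name") or f"attachment{index}"
        # Remove line wrapping and indentation before strict decoding.
        text = "".join((element.text or "").split())
        try:
            data = base64.b64decode(text, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"attachment {name!r}: malformed base64 ({exc})") from exc
        attachments.append((name, data))
    return attachments


def safe_filename(name: str, index: int) -> str:
    """Build a filename from an untrusted name: drop directories, restrict charset, prefix index."""
    base = Path(name).name or "attachment"
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return f"{index}_{base}"


def scan_attachments(attachments: list, workdir: str, clamscan: str = "clamscan",
                     leave_temps: bool = False) -> dict:
    """Write each attachment to its own file under workdir and scan it with clamscan.

    Result values: 'clean', 'infected', 'error (rc=N)', or an 'unscanned' note
    when the clamscan binary is not available. clamscan exit codes: 0 clean,
    1 infected, 2 error.
    """
    exe = shutil.which(clamscan)
    results = {}
    for index, (name, data) in enumerate(attachments):
        path = Path(workdir) / safe_filename(name, index)
        path.write_bytes(data)
        if exe is None:
            results[path.name] = "unscanned: clamscan not found"
            continue
        cmd = [exe, "--no-summary"]
        if leave_temps:
            # Keep ClamAV's own temporary files so you can see how it unpacked the stream.
            cmd += ["--debug", "--leave-temps", f"--tempdir={workdir}"]
        proc = subprocess.run(cmd + [str(path)], capture_output=True, text=True)
        results[path.name] = {0: "clean", 1: "infected"}.get(
            proc.returncode, f"error (rc={proc.returncode})")
    return results


def scan_xml(xml_bytes: bytes, clamscan: str = "clamscan") -> dict:
    """Extract and scan all attachments in a scratch directory that is removed afterwards."""
    with tempfile.TemporaryDirectory(prefix="xmlscan-") as workdir:
        return scan_attachments(extract_attachments(xml_bytes), workdir, clamscan)


if __name__ == "__main__":
    for filename, verdict in scan_xml(SAMPLE_XML).items():
        print(f"{filename}: {verdict}")
```

To compare with what ClamAV does on the whole XML file, run `scan_attachments(..., leave_temps=True)` with a persistent `workdir` and inspect the files left there alongside the `--debug` output; if the same PDF never appears as a temporary file when you scan the original XML, ClamAV did not unpack it and the per-attachment scan is the only one applying PDF-scoped signatures.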

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

