G.W. Haywood via clamav-users wrote:
> It's quite possible that a scan could catch some
> known problem in *any* file, no matter how compressed, containerized
> and obfuscated, if there's already a signature which matches something
> in the raw file (that is, before any extraction and/or decoding takes
> place);

That's not entirely true, although I'd be happy to be proven wrong.
I've tried a couple of times to create signatures for JavaScript malware
(and asked for pointers on this list a couple of times), based on an
obfuscation pattern in a series of raw files. I have yet to find a way
to actually match on the actual raw file in those cases.
-kgd
clamav-users mailing list
https://lists.clamav.net/mailman/listinfo/clamav-users