Hi there,

On Fri, 24 Apr 2020, Kris Deugau wrote:

> G.W. Haywood via clamav-users wrote:
> > It's quite possible that a scan could catch some
> > known problem in *any* file, no matter how compressed, containerized
> > and obfuscated, if there's already a signature which matches something
> > in the raw file (that is, before any extraction and/or decoding takes
> > place);
>
> That's not entirely true, although I'd be happy to be proven wrong.
>
> I've tried a couple of times to create signatures for Javascript malware (and asked for pointers on this list a couple of times), based on an obfuscation pattern in a series of raw files. I have yet to find a way to actually match on the actual raw file in those cases.

I see some posts from you in 2016 which seemed to be basically about
normalization.  Normalization was causing signatures for those things
to fail to match, but switching normalization off would have the same
effect on signatures which needed to work on normalized text.  Absent
a signature type which calls for non-normalized text, I think the way
I'd approach that would be to run two instances of clamd - one for the
bulk of the signatures, and one for the (few?) custom signatures which
need to work on the raw files.  In 2015 you said that you had trouble
getting signatures of the form

AB??CD??EF??...

to work.  I don't know if that's still a problem, but if I were going
to look for such things I'd find it much quicker and easier to add a
Perl regex to my milter configuration than to write ClamAV signatures.
4-5 years ago I was heavily overworked with a new milter, otherwise I
might have piped up at the time.  For the omissions I apologize.

I've remarked before that the bodies of mail which you and I seem to
see are very different.  I don't recall ever seeing any of the kind of
obfuscation which has bothered you, but then I probably drop the mails
before they get as far as body scanning.  That's a luxury I can afford
which perhaps you can't, but anything from a Yahoo server which claims
a gmail sender address is, in my view, fair game...

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml