Hi,

Some viruses, e.g. WScr.Unsafe.D, for which a hexdump signature exists and which used to be detected by 0.91.2 are no longer detected by 0.93.

E.g. WScr.Unsafe.D arrives in an html file embedded in a "HTML comment tag" enclosed by HTML script tags, e.g.

    <HTML>
    <BODY>
    <SCRIPT>
    <!--
    virus script
    -->
    </SCRIPT>
    </BODY>
    </HTML>

When clamav processes this it creates 2 files, notags.html and nocomment.html, and appears to only scan these files. It doesn't appear to scan the unprocessed html file. Any file that looks like it contains html appears to be processed into notags and nocomment before any scanning is done.

When notags.html is created the embedded virus is treated as a comment tag and removed.

When nocomment.html is created the virus is not treated as a comment tag, but all the whitespace is removed and the text lowercased, which would cause matching to a hexdump signature, if it were done, to fail. E.g. part of the script text from WScr.Unsafe.D

    var mye=new Enumerator

becomes:

    varmye=newenumerator

in the nocomment.html file.

My question is: Are all files matched, unaltered, against the entire database, or are html files always preprocessed into nocomment.html and notags.html and only these files scanned? If so, are these files only scanned against a subset of the signatures and not the hexdump signatures?

What has changed in 0.93 to cause WScr.Unsafe.D (and presumably other viruses) to no longer be detected, and is there a fix for this?

--
David Shrimpton
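Added example, not part of the original message and not ClamAV code: a simplified model of the two derived views described above, showing why a hexdump signature taken from the raw file stops matching once only the normalised views are scanned. The function names, the sample document and both signatures are constructed for illustration; the script body is a harmless stand-in.

```python
import re

# Constructed sample laid out as in the post: script text inside an HTML
# comment inside <SCRIPT> tags. The script body is a harmless placeholder.
RAW = (b"<HTML> <BODY> <SCRIPT> <!-- var mye=new Enumerator --> "
       b"</SCRIPT> </BODY> </HTML>")

# Constructed hexdump-style signature taken from the raw bytes.
RAW_SIG_HEX = b"var mye=new Enumerator".hex()


def nocomment_view(data: bytes) -> bytes:
    """Model of the nocomment.html view as the post describes it:
    comment content is kept, whitespace removed, text lowercased."""
    return re.sub(rb"\s+", b"", data).lower()


def notags_view(data: bytes) -> bytes:
    """Model of the notags.html view as the post describes it:
    the HTML comment (and the script inside it) is removed with the tags."""
    data = re.sub(rb"<!--.*?-->", b"", data, flags=re.S)
    return re.sub(rb"<[^>]*>", b"", data)


def hex_sig_matches(sig_hex: str, data: bytes) -> bool:
    """Plain substring match of a hex-encoded byte signature."""
    return bytes.fromhex(sig_hex) in data


def scan_views(data: bytes, sig_hex: str) -> dict:
    """Report which view of the document the signature matches."""
    views = {
        "raw": data,
        "nocomment": nocomment_view(data),
        "notags": notags_view(data),
    }
    return {name: hex_sig_matches(sig_hex, v) for name, v in views.items()}


# A signature written against the normalised form of the same text.
NORM_SIG_HEX = nocomment_view(b"var mye=new Enumerator").hex()

if __name__ == "__main__":
    print("raw signature:       ", scan_views(RAW, RAW_SIG_HEX))
    print("normalised signature:", scan_views(RAW, NORM_SIG_HEX))
```

In this model the raw signature matches only the unprocessed file, while a signature built from the lowercased, whitespace-free text matches only the nocomment view, so a signature has to be written against whichever form is actually scanned.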