Trog wrote:
Thomas Lamy wrote:A small update: Mr. Marx is not allowed to upload viruses from the WildList Collection anywhere, because he had to sign an NDA. Therefore I tried (and continue to try) to get in touch with The WildList Organization itself, but as most (if not all) members of the organization are employees/owners of the great AV vendors, I only see very small chances.
I didn't compare clam's signature database against that WildList, and have only a couple of the mentioned viri in my quarantine directories. I'll write to Mr. Marx personally, trying to convince him to submit samples of these uncaught viri.
(just subscribed, catching up)
If someone does get a list of these alleged uncaught WildList viruses, please send it to me, as I probably have quite a few of them.
Cheers, -trog
I also did not get an _exact_ list of which viruses were not caught by clamav, but he said they were "mostly VBA and/or polymorphic" viruses. So what we really need is:
- OLE2 handling
There _are_ OLE2 libraries out there for Unix, but (as far as I googled around) they can't decode the VBA streams properly. The OpenOffice folks work(ed) quite hard on that, but I have no reports of how stable their code is. Also, from looking at their source, it's quite hard (albeit not impossible) to separate from the rest of the OOo sources and port to standard C. I'll work on that as time permits.
Decoding the VBA stream is a first step (perhaps we can build signatures for the PCode stream and issue at least a warning if malicious operations are detected).
But the better solution is:
- VBA Engine
After we can extract the VBA stuff from the OLE2 container, we need a VBA emulator which evaluates the various code paths normally executed when a document is opened.
Other things that come to mind:
- Support for compressed malware (UPX et al). I have no specs ;-)
- X86 code emulator? Likely a bit too much...
And FYI: A week ago I checked clamd for leaks (again). I'm happy to say that clamd now (as of 2003-12-04) is _completely_ leak free (memory and file descriptors), as long as no threads time out. I didn't have the time to check process based operation, though.
Clamav-milter needed no work, so it was leak-free out of the box (I presume since 0.65p or earlier).
Thomas
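[Editor's note, not part of the original message and not ClamAV or OpenOffice code.] For readers who want to see what "decoding the VBA stream" from the thread above amounts to in practice: the source text of each VBA module inside an OLE2 document is stored with a simple LZ77-style scheme (documented by Microsoft as the MS-OVBA CompressedContainer: 4096-byte chunks, a flag byte per eight tokens, and two-byte copy tokens whose offset/length split depends on how much of the chunk has been produced so far). The example below decompresses such a stream and then runs a handful of keyword "signatures" over the recovered source, the kind of warning-level check the message suggests as a first step. It assumes the module stream has already been pulled out of the OLE2 container; the compressed input is hand-constructed by the editor (three copy tokens over plain ASCII), and the keyword list and the function names `decompress_vba_stream` and `scan_vba_source` are illustrative choices, not ClamAV's.

```python
"""Decode an MS-OVBA CompressedContainer (VBA module source) and flag risky calls.

Editor's example, not ClamAV code. Assumes the caller has already extracted the
module stream from the OLE2 file and is passing the bytes starting at the
0x01 container signature.
"""
import re

CHUNK_SIZE = 4096  # decompressed size of one chunk (MS-OVBA 2.4.1)


def _copy_token_params(difference):
    """Return (length_mask, offset_mask, bit_count) for a CopyToken.

    `difference` is the number of bytes already produced in the current chunk;
    the offset field grows (and the length field shrinks) as it increases."""
    bit_count = max((difference - 1).bit_length(), 4)   # ceil(log2(difference)), min 4
    length_mask = 0xFFFF >> bit_count
    offset_mask = (~length_mask) & 0xFFFF
    return length_mask, offset_mask, bit_count


def decompress_vba_stream(container):
    """Decompress a CompressedContainer; raises ValueError on malformed input."""
    if not container or container[0] != 0x01:
        raise ValueError("not a CompressedContainer (missing 0x01 signature)")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011:                  # fixed 3-bit chunk signature
            raise ValueError("bad chunk signature at offset %d" % pos)
        chunk_size = (header & 0x0FFF) + 3                 # size includes the 2-byte header
        compressed = bool(header & 0x8000)
        chunk_end = min(pos + chunk_size, len(container))
        src = pos + 2
        chunk = bytearray()
        if not compressed:
            # Uncompressed chunk: up to 4096 raw bytes follow the header.
            chunk += container[src:min(src + CHUNK_SIZE, chunk_end)]
        else:
            while src < chunk_end and len(chunk) < CHUNK_SIZE:
                flags = container[src]                     # one flag bit per token
                src += 1
                for bit in range(8):
                    if src >= chunk_end or len(chunk) >= CHUNK_SIZE:
                        break
                    if not (flags >> bit) & 1:             # LiteralToken: one byte
                        chunk.append(container[src])
                        src += 1
                        continue
                    if src + 2 > chunk_end:
                        raise ValueError("truncated CopyToken")
                    token = int.from_bytes(container[src:src + 2], "little")
                    src += 2
                    length_mask, offset_mask, bit_count = _copy_token_params(len(chunk))
                    length = (token & length_mask) + 3
                    offset = ((token & offset_mask) >> (16 - bit_count)) + 1
                    if offset > len(chunk):
                        raise ValueError("CopyToken offset points before chunk start")
                    start = len(chunk) - offset
                    for i in range(length):                # byte-wise: source/dest may overlap
                        chunk.append(chunk[start + i])
        out += chunk
        pos = chunk_end
    return bytes(out)


# Illustrative "signatures" over the decompressed source (editor's choice).
SUSPICIOUS = {
    "autoexec": re.compile(r"\b(Auto_?Open|Auto_?Exec|Document_Open|Workbook_Open)\b", re.I),
    "shell":    re.compile(r"\bShell\b", re.I),
    "com":      re.compile(r"\bCreateObject\b", re.I),
    "download": re.compile(r"\bURLDownloadToFile\b", re.I),
}


def scan_vba_source(source):
    """Return the set of signature names that match the VBA source text."""
    return {name for name, rx in SUSPICIOUS.items() if rx.search(source)}


# Hand-constructed sample (editor's data): one compressed chunk, 65 bytes of
# token data, header 0xB040 = compressed | signature 0b011 | (67 - 3).
SAMPLE_STREAM = b"\x01\x40\xb0" + (
    b"\x00" + b"Sub Auto"                      # 8 literals
    + b"\x00" + b"Open()\r\n"                  # 8 literals
    + b"\x00" + b"Call Run"                    # 8 literals
    + b"\x00" + b"\r\nEnd Su"                  # 8 literals
    + b"\x18" + b"b\r\n" + b"\x01\x88"         # copy "Sub " (offset 35, len 4)
    + b"\x00\x44" + b"()\r"                    # copy "Run"  (offset 18, len 3)
    + b"\x00" + b'\nShell "'                   # 8 literals
    + b"\x40" + b'cmd"\r\n' + b"\x06\x80"      # copy "End Sub\r\n" (offset 33, len 9)
)

if __name__ == "__main__":
    source = decompress_vba_stream(SAMPLE_STREAM).decode("latin-1")
    print(source)
    print("hits:", sorted(scan_vba_source(source)))
```

Two details matter for a scanner rather than a pretty-printer: copy tokens must be expanded byte by byte because the source and destination ranges legitimately overlap, and the offset/length split is recomputed from the bytes already emitted in the chunk, so a parser that assumes fixed-width fields will desynchronize partway through and miss the strings a signature is looking for.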