I'm having problems scanning some files that have image headers at the beginning and embedded scripts afterwards. ClamAV says the file is OK when the image header is in place, but if I strip the image header, ClamAV detects the file as PHP.Remoteadmin-1. Is there anything I can do (options to clamscan) that would make it detect the malicious content even with the image header in place?
Here is the image header when parsed through the 'strings' command:

    # strings external_5548c15fe6fe96f0ef79cb14222fd748.php-20120717163046
    GIF89a
    ??????????!?
    ????,????

From the 'more' command, it shows up as a single line:

    GIF89a???????????!?????,???????D?;?

I've already run clamscan with --debug --leave-temps --tempdir ./, but it doesn't actually leave anything. Yet, when I strip the image header, the resulting file is detected as malicious...

    # scan-bot tmp.php
    tmp.php: PHP.Remoteadmin-1 FOUND
    # scan-bot external_5548c15fe6fe96f0ef79cb14222fd748.php-20120717163046
    external_5548c15fe6fe96f0ef79cb14222fd748.php-20120717163046: OK
    # diff external_5548c15fe6fe96f0ef79cb14222fd748.php-20120717163046 tmp.php
    1d0
    < GIF89a???????????!?????,???????D?;?

Any help with this would be much appreciated...

--Maarten Broekman

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
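The behaviour described in the post (a file that starts with an image magic number is typed as an image, so the PHP signatures never see the script that follows) is a classic polyglot problem. As an added example, not the poster's code and not part of ClamAV, here is a small Python triage script that flags files which begin with an image header but contain a script marker further in, and splits off the tail at that marker so the tail can be rescanned on its own, which is what the poster did by hand with the first line of the file. The magic-number list, the marker list and the sample bytes are constructed for this example; a real scanner would rely on signatures rather than this heuristic.

```python
import sys

# Magic prefixes of common image formats (constructed list for this example).
IMAGE_MAGICS = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"BM": "bmp",
}

# Script markers that have no business appearing inside an image blob
# (constructed list; extend as needed for your environment).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def image_type(data: bytes):
    """Return the image format name if data starts with a known magic, else None."""
    for magic, name in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def find_embedded_script(data: bytes):
    """Return (image_type, marker, offset) for an image-prefixed blob that carries
    a script marker after its header, or None if the blob is not image-prefixed
    or contains no marker. Plain scripts without an image header are left to
    the normal scanner and return None here."""
    kind = image_type(data)
    if kind is None:
        return None
    best = None
    for marker in SCRIPT_MARKERS:
        idx = data.find(marker)
        if idx != -1 and (best is None or idx < best[1]):
            best = (marker, idx)
    if best is None:
        return None
    return (kind, best[0].decode("ascii"), best[1])


def split_header(data: bytes):
    """Split the blob at the first script marker into (header_bytes, tail_bytes).
    The tail is what should be handed to the scanner separately. If nothing is
    embedded, the whole blob is returned as the header and the tail is empty."""
    hit = find_embedded_script(data)
    if hit is None:
        return data, b""
    offset = hit[2]
    return data[:offset], data[offset:]


def scan_file(path: str):
    """Read a file and report whether it is an image/script polyglot."""
    with open(path, "rb") as fh:
        return find_embedded_script(fh.read())


# Constructed sample data: a minimal 1x1 GIF89a, the same GIF followed by a
# harmless PHP tag (the polyglot case), and the bare PHP tag on its own.
SAMPLE_CLEAN_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
    b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
)
SAMPLE_PLAIN_PHP = b"<?php echo 'hello'; ?>\n"
SAMPLE_POLYGLOT = SAMPLE_CLEAN_GIF + b"\n" + SAMPLE_PLAIN_PHP


if __name__ == "__main__":
    # Usage: python polyglot_check.py FILE [FILE ...]
    # Prints one line per file; writes the script tail next to it as FILE.tail
    # so it can be passed to clamscan separately.
    for arg in sys.argv[1:]:
        with open(arg, "rb") as fh:
            blob = fh.read()
        hit = find_embedded_script(blob)
        if hit is None:
            print(f"{arg}: no embedded script marker found")
            continue
        kind, marker, offset = hit
        print(f"{arg}: {kind} header followed by {marker!r} at offset {offset}")
        _, tail = split_header(blob)
        with open(arg + ".tail", "wb") as out:
            out.write(tail)
```

The split is done at the marker offset rather than at the first newline, so it also works when the image header does not happen to end with a line break. The `.tail` file is then a plain script that the scanner types as such, which matches the poster's observation that the stripped copy is detected while the original is not.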