> -----Original Message-----
> From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Henri Salo
> Subject: [clamav-users] Problems detecting PHP bots
>
> Hello,
>
> Is there a way to configure ClamAV to also scan files starting with
> GIF87a/GIF89a? We get attacks like this daily.
>
> fgeek@example:~/samples-2012-05-09$ clamdscan x.php*
> /home/fgeek/samples-2012-05-09/x.php: OK
> /home/fgeek/samples-2012-05-09/x.php.2: PHP.Bot FOUND
>
> ----------- SCAN SUMMARY -----------
> Infected files: 1
> Time: 0.008 sec (0 m 0 s)
> fgeek@example:~/samples-2012-05-09$ diff x.php x.php.2
> 1c1
> < GIF89a?????ÿÿÿ!ù????,???????D?;?
> ---
> > <?php
> 514c514
> < ?>
> \ No newline at end of file
> ---
> > ?>
You need to create a signature based on the non-normalized content of the PHP file. The GIF header causes ClamAV to treat it as an image file, which doesn't get normalized the way regular PHP files do.

However, if you take a bit of the content and run it through sigtool --hex-dump, you can use that signature in your own ndb file to catch the files. I've had to do that a number of times.

--Maarten

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
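An added example (not from the thread and not ClamAV's own code) of the workflow Maarten describes: hex-encode a raw fragment the way sigtool --hex-dump does, wrap it in an .ndb line with target type 0 so the GIF-typed file is still checked, and confirm offline that the line hits the GIF-prefixed sample as well as the plain one. The sample bytes, the signature name and the small matcher are all assumptions; the matcher only emulates plain hex and "??" wildcards, it is not the ClamAV engine.

```python
import binascii
import re

# Constructed sample (not a real bot): PHP code behind a GIF89a header,
# the shape described in the thread. ClamAV skips PHP normalization for it.
GIF_HEADER = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff!\xf9\x04\x01"
              b"\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
PHP_BODY = b"<?php\n@set_time_limit(0);\n$marker = 'constructed_php_bot_sample';\n?>"
SAMPLE_WITH_GIF = GIF_HEADER + b"\n" + PHP_BODY  # like x.php (scanned as OK)
SAMPLE_PLAIN = PHP_BODY                           # like x.php.2 (detected)


def hex_dump(data: bytes) -> str:
    """Same encoding `sigtool --hex-dump` emits: lowercase hex, no separators."""
    return binascii.hexlify(data).decode("ascii")


def make_ndb_signature(name: str, fragment: bytes, target_type: int = 0, offset: str = "*") -> str:
    """Build one .ndb line: Name:TargetType:Offset:HexSignature.
    Target type 0 means 'any file', so the file typed as graphics is still scanned."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise ValueError("signature name may only contain [A-Za-z0-9._-]")
    return f"{name}:{target_type}:{offset}:{hex_dump(fragment)}"


def ndb_matches(line: str, data: bytes) -> bool:
    """Minimal offline check of an .ndb line against raw bytes: offset '*' or a
    number, plain hex bytes and '??' single-byte wildcards (assumed subset)."""
    _name, _target, offset, hexsig = line.split(":")[:4]
    if len(hexsig) % 2:
        raise ValueError("hex signature must have an even number of digits")
    pairs = (hexsig[i:i + 2] for i in range(0, len(hexsig), 2))
    pattern = b"".join(b"." if p == "??" else re.escape(bytes.fromhex(p)) for p in pairs)
    rx = re.compile(pattern, re.DOTALL)
    if offset == "*":
        return rx.search(data) is not None
    return rx.match(data, int(offset)) is not None


if __name__ == "__main__":
    sig = make_ndb_signature("PHP.Bot.Constructed", b"$marker = 'constructed_php_bot_sample';")
    print(sig)  # paste into your own .ndb file
    for label, blob in (("x.php (GIF header)", SAMPLE_WITH_GIF), ("x.php.2 (plain)", SAMPLE_PLAIN)):
        print(label, "->", "FOUND" if ndb_matches(sig, blob) else "OK")
```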