Maarten, can you help us track this by adding a bug at https://bugzilla.clamav.net/?
Thanks, Matt On Tue, Oct 23, 2012 at 2:18 PM, Maarten Broekman <mbroek...@maileig.com> wrote: > One thing I'm seeing more and more of is malware code (be it PHP or ASP) > embedded after GIF headers. ClamAV sees the GIF header and treats it > like an image (properly), but then ClamAV sees an HTML signature later > in the file. However, it doesn't do any normalization on that HTML > data. Would it be possible to add an option to clamscan that does > normalize the HTML data and analyzes it as usual? > > > > Example: > > LibClamAV debug: Recognized GIF file > > LibClamAV debug: in cli_check_jpeg_exploit() > > LibClamAV debug: Matched signature for file type HTML data at 4197 > > > > Problem: > > I have signatures that would match the normalized HTML data, but > because the GIF header is there, clamscan doesn't normalize the HTML > data. This means that I have to create unique signatures for each file > with a GIF header that contains different non-normalized HTML data. > > > > Thanks, > > Maarten > > _______________________________________________ > Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net > http://www.clamav.net/support/ml _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
