> -----Original Message-----
> From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Matt Olney
> Sent: Tuesday, October 23, 2012 2:58 PM
> To: ClamAV users ML
> Subject: Re: [clamav-users] Deep scanning of image files
>
> Maarten, can you help us track this by adding a bug at
> https://bugzilla.clamav.net/?
>
> Thanks,
>
> Matt

Done. Bug 5978.

Thanks,
Maarten

> On Tue, Oct 23, 2012 at 2:18 PM, Maarten Broekman
> <mbroek...@maileig.com> wrote:
> > One thing I'm seeing more and more of is malware code (be it PHP or
> > ASP) embedded after GIF headers. ClamAV sees the GIF header and
> > treats it like an image (properly), but then ClamAV sees an HTML
> > signature later in the file. However, it doesn't do any normalization
> > on that HTML data. Would it be possible to add an option to clamscan
> > that does normalize the HTML data and analyzes it as usual?
> >
> > Example:
> >
> > LibClamAV debug: Recognized GIF file
> > LibClamAV debug: in cli_check_jpeg_exploit()
> > LibClamAV debug: Matched signature for file type HTML data at 4197
> >
> > Problem:
> >
> > I have signatures that would match the normalized HTML data, but
> > because the GIF header is there, clamscan doesn't normalize the HTML
> > data. This means that I have to create unique signatures for each
> > file with a GIF header that contains different non-normalized HTML data.
> >
> > Thanks,
> >
> > Maarten
> >
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> > http://www.clamav.net/support/ml
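
The file layout discussed in this thread (a GIF header followed by script text) can be triaged outside ClamAV by walking the GIF block structure and searching only what lies past the image. The following is an added example, not code from the posters or from ClamAV; the function names, the marker list and the sample bytes are assumptions made for illustration.

```python
import re

# Script-opening markers to look for (assumed list, not ClamAV's signatures).
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<%|<script", re.IGNORECASE)

def _skip_sub_blocks(data, pos):
    """Skip a chain of length-prefixed sub-blocks ending in a zero byte."""
    while True:
        size = data[pos]  # IndexError if the file is truncated
        pos += 1 + size
        if size == 0:
            return pos

def _color_table_len(flags):
    return 3 * (2 ** ((flags & 0x07) + 1)) if flags & 0x80 else 0

def gif_end_offset(data):
    """Offset just past the GIF trailer; 6 (just past the magic) if the block
    structure is invalid, so everything after the header gets scanned; None if
    the file does not start with a GIF signature."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    try:
        pos = 13 + _color_table_len(data[10])  # screen descriptor + global table
        while True:
            block = data[pos]
            if block == 0x3B:  # trailer
                return pos + 1
            if block == 0x21:  # extension: label byte, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif block == 0x2C:  # image descriptor, local table, LZW data
                pos += 10 + _color_table_len(data[pos + 9])
                pos = _skip_sub_blocks(data, pos + 1)
            else:
                return 6
    except IndexError:
        return 6

def scan(data):
    """Report where the image ends and where script text starts after it."""
    end = gif_end_offset(data)
    if end is None:
        return None
    hit = SCRIPT_MARKERS.search(data, end)
    return {"gif_end": end, "trailing": len(data) - end,
            "script_offset": hit.start() if hit else None}

# Constructed sample: a 1x1 GIF followed by a harmless PHP echo.
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x4c\x01\x00\x3b")
SAMPLE = TINY_GIF + b"<?PHP echo 'test'; ?>"
```

A non-zero `trailing` count on an uploaded image is worth flagging on its own, and the case-insensitive match stands in for only one small part of what HTML normalization would do before signature matching.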