Hi, I found some problems with the way clamav handles OLE2 containers. This is causing many macro virus signatures to not work and many viruses to be missed:

If ScanOLE2 is set to yes, clamav only appears to scan the decompressed macro files in OLE2 containers. It does not scan any of the other files in the container. If ScanOLE2 is set to no, clamav does not appear to extract any files from the OLE2 container. It just runs signatures against the container file itself. This can be tested with clamav --debug --leave-temps and --scan-ole2 yes or no, and by writing some signatures against the uncompressed macro files and the other files in the container.

This behaviour contradicts signatures.pdf: "2 = file inside OLE2 container (e.g. image, embedded executable, VBA script)", which implies signatures for file type 2 will be run against files extracted from OLE2 containers, which in turn implies files ought to be extracted from OLE2 containers and scanned. But this is not the case, whether ScanOLE2 is yes or no. All file type 2 appears to denote for a signature is that that signature should only be run against files recognized as an OLE2 container. It does not mean that the signatures will be run against each file in an OLE2 container.

Setting ScanOLE2 yes disables the running of signatures of type 2, or of any type at all (i.e. type 0), against the OLE2 container itself, and causes only signatures of type 2 or 0 to be run against decompressed macros from the OLE2 container. But most of the badmacro or other unofficial virus signatures written to detect macro viruses are written against the container itself, which has the compressed macro code in it. They are not written against the uncompressed macro code, so setting ScanOLE2 yes will disable these signatures.

A check of some macro viruses received in the last 6 months shows none detected by clamav official signatures. The work going into macro virus detection appears to be in the unofficial databases. But the signatures in these databases are simple byte matching signatures and not based upon detecting actual VBA code and looking for the patterns of logic used by virus writers in their code.

The signatures will fail when matching uncompressed actual VBA code when ScanOLE2 is yes. The signatures won't match at all when ScanOLE2 is yes. They only match if ScanOLE2 is no. But then signatures written against VBA code in the uncompressed macros are not matched.

We are seeing OLE2 virus files where the macros extract the malicious code from other files in the OLE container at run time. These viruses are completely missed when ScanOLE2 is yes, no matter what signature you write, as the non-macro files in the OLE2 container are not scanned and the scanned files, i.e. the uncompressed macro VBA code, don't contain the malicious code.

The non-scanning of 'other' files in OLE containers if ScanOLE2 is yes, or the non-scanning of decompressed macros if ScanOLE2 is no, is causing macro viruses to not be detected, and this appears to be a bug or limitation of clamav (or maybe a misconfiguration?). Ideally clamav would scan the OLE2 container itself, all the contained files and also the uncompressed macros.

Also there is some confusion as to what file type 2 means. Should this denote run signatures against a file recognized as OLE2, or should it mean run signatures against files within an OLE2 container? E.g. a signature of type 2 would not be expected to be run against a file inside an OLE2 unless that file is also an OLE2 container. signatures.pdf is misleading in its description of file type 2.

It seems the OLE2 handling needs to be split into 2 parts: 1. scanning of the container and all the contained files; 2. scanning of uncompressed macros. If this were done, a special file type to restrict scanning to only uncompressed macros would be useful to prevent false positives. If it can't be fixed then some clearer explanation of the OLE2 scanning would be helpful as it's misleading at present.
-- 
David Shrimpton
Information Technology Services | The University of Queensland

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
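As an added illustration of the mismatch the post describes, and not code from the post or from ClamAV: a Python decoder for the MS-OVBA compression used in VBA module streams, plus a plain byte match standing in for a hex body signature. The sample stream, the two signatures, and the which_sigs_fire model of the ScanOLE2 yes/no behaviour are constructed assumptions for this example.

```python
def decompress_vba(data: bytes) -> bytes:
    """Inflate an MS-OVBA compressed container into the plain VBA source text."""
    if not data or data[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out, pos = bytearray(), 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature bits")
        size = (header & 0x0FFF) + 3            # chunk size incl. 2-byte header
        chunk, pos = data[pos + 2:pos + size], pos + size
        if not header & 0x8000:                  # stored (uncompressed) chunk
            out += chunk
            continue
        chunk_start, i = len(out), 0
        while i < len(chunk):
            flags, i = chunk[i], i + 1           # one flag bit per token
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1:       # literal token: one byte
                    out.append(chunk[i])
                    i += 1
                    continue
                token, i = int.from_bytes(chunk[i:i + 2], "little"), i + 2
                diff = len(out) - chunk_start    # bytes produced so far in chunk
                bit_count = max(4, (diff - 1).bit_length())  # == ceil(log2(diff))
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for k in range(length):          # back-reference, may overlap
                    out.append(out[src + k])
    return bytes(out)

def sig_matches(hex_sig: str, data: bytes) -> bool:
    # Plain byte-pattern match, as a hex (ndb-style) body signature does.
    return bytes.fromhex(hex_sig) in data

# Constructed sample stream: one compressed chunk yielding "MsgBox 1\n" twice;
# the repeat is a copy token (offset 9, length 9), not literal text.
SAMPLE = bytes.fromhex("01 0cb0 00 4d7367426f782031 02 0a 0680")
SIG_ON_VBA = b"MsgBox 1\nMsgBox 1".hex()   # written against decompressed VBA
SIG_ON_STREAM = "020a0680"                 # written against the raw stream bytes

def which_sigs_fire(scan_ole2: bool) -> dict:
    """Model of the reported behaviour: ScanOLE2 yes scans only the inflated
    macro; ScanOLE2 no scans only the raw container bytes (SAMPLE stands in)."""
    scanned = decompress_vba(SAMPLE) if scan_ole2 else SAMPLE
    return {"vba_sig": sig_matches(SIG_ON_VBA, scanned),
            "stream_sig": sig_matches(SIG_ON_STREAM, scanned)}
```

Running both settings shows that neither scan pass can satisfy both kinds of signature, which is the gap the post asks to close by scanning the container, its contained files and the inflated macros together.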