Kris Deugau wrote:
For some types of content, just allowing a plain ASCII string instead of
the hex-coded version of the same would be a big help. Or an
enhancement in the current file formats allowing embedded comments -
I've lost track of how many times I've created something complex, and
had to reconstruct whatever logic I used to create it to make a tweak or
refinement - or just gave up and created a new signature - because
there's no way to document it in-band. Ignoring empty lines -
especially at the end of the signature file! - instead of just claiming
"invalid signature" would ease editing.
One other pain point I've run into fairly regularly is that there's no
way to have a *specific signature* match on the raw file - either you
run your entire Clam instance without all of the content unpacking and
normalization, and *all* your signatures need to be based on the raw
files, or you run with the content unpacking enabled and have to bend
and contort to match a perfectly simple chunk of data that's been
variously mangled by one or both of the unpacking and normalization.
I've just found a new case - some malware spewer has embedded a
password-protected .zip as the base-64-encoded data attribute of an
iframe tag in a .html attachment. (Ow.) One of the chunks I want to
match on is:
<iframe src[equals]"data:application/x-zip-compressed;
(lightly obfuscated in case of someone else who's already been here),
but the entire unpacked/normalized "nocomment.html" from clamscan
--leave-temps is:
<head><title>img0457600xls</title></head><body><p>password is
52266</p><iframe src="data"style="border:none;
height:100%;width:100%;"</iframe></body></html>
The normalized HTML and the bit that indicates this is a .zip are in
completely separate files in the unpacked/normalized data, so matching all
the pieces I want to match at the same time is going to be tricky at best.
This particular sample is small enough that the message would be passed
to SpamAssassin (the whole original message is about 26k), where I can
match what I want to match on quite easily. But that's not always the case.
-kgd
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users