On 02/11/2012 06:16 PM, infant deepak wrote:
> Hi,
>
> I am doing a project on ClamAV. I have chosen from
>
> http://wiki.clamav.net/bin/view/Main/GoogleSummerOfCode2011
> 4. DOCX
>
> Add support for parsing docx based MS Office files.
>
> Main purpose is extracting embedded files. You will need to parse the XML,
> locate the embedded data, then decode(base64/OLE?) / and decompress
> (deflate?) it.
>
> So I did an analysis of how ClamAV currently scans a .DOCX file. From my
> understanding it treats it as a ZIP file and extracts it to a temporary folder,
> scanning each XML file and inserted media files such as pictures, video
> etc. (If I am not correct, kindly explain to me.)
>
> After that, I tried embedding an EICAR test virus in a picture file by using
> the Steghide tool. Then I scanned that picture file, but ClamAV didn't recognize
> it. The reason may be that steghide encrypts the virus file.
>
> So I would like to know the following things,
>
> 1. Why didn't ClamAV recognize the encrypted virus?

Because once you've hidden it inside an image with steghide it is no longer executable, and no longer capable of infecting.

You should embed/insert the EICAR as is inside a .DOCX, not hide it inside a picture! i.e. when you double click on the EICAR inside the DOCX you should get the eicar executed.

Best regards,
--Edwin
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
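
The difference discussed in this thread, as an added example that is not ClamAV code and not part of the original messages: a DOCX is opened as a ZIP container and each member is checked for the EICAR test string, once embedded as is and once hidden in a picture in transformed form. The member names, the XOR mask standing in for steghide's encryption, and the plain substring match standing in for signature matching are assumptions made for illustration.

```python
import io
import zipfile

# EICAR test string, split in two so this source file itself is not flagged.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-" + rb"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_sample_docx(parts):
    """Build a constructed DOCX-like ZIP in memory from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan_docx(blob, signature=EICAR, max_member_size=16 * 1024 * 1024):
    """Return sorted names of container members whose bytes contain signature."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > max_member_size:
                continue  # skip directories and oversized members
            with zf.open(info) as fh:
                # Bounded read: the declared size in the header is not trusted.
                if signature in fh.read(max_member_size):
                    hits.append(info.filename)
    return sorted(hits)


def demo():
    # Stand-in for "hidden and encrypted inside a picture": same bytes, masked.
    masked = bytes(b ^ 0x5A for b in EICAR)
    blob = build_sample_docx({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        # Embedded as is (simplified: a real OLE object wraps the payload).
        "word/embeddings/oleObject1.bin": b"\x00" * 32 + EICAR,
        "word/media/image1.jpg": b"\xff\xd8\xff\xe0" + masked,
    })
    return scan_docx(blob)


if __name__ == "__main__":
    print(demo())
```

Only the member that carries the test string unmodified is reported; the masked copy inside the picture shares no bytes with the signature, so a content scan of the extracted members has nothing to match.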