Hi,

Some viruses, e.g. WScr.Unsafe.D, for which a hexdump signature exists and which used to be detected by 0.91.2 are no longer detected by 0.93.

WScr.Unsafe.D arrives in email embedded in an "HTML comment tag" enclosed by HTML script tags, e.g.

<HTML> <BODY> <SCRIPT> <!-- entities');sbf=fl.SubFolders;for(var mye=new Enumerator(sbf);!mye.atEnd();mye.moveNext())idd=mye.item();ids=ne --> </SCRIPT> </BODY> </HTML>

When clamav processes this it creates two files, notags.html and nocomments.html, and appears to only scan these files.

When notags.html is created the embedded virus is treated as a comment tag and removed.

When nocomments.html is created the virus is not treated as a comment tag, but all the whitespace is removed and the text lowercased, which breaks the hexdump signature as it requires an exact match. e.g. "var mye=new Enumerator" becomes "varmye=newenumerator" in nocomments.html, so it is no longer matched by the WScr.Unsafe.D signature.

If you take the "comment" tag delimiters away, the whitespace is not removed in nocomments.html, but the virus text is lowercased in both nocomments.html and notags.html and is again not detected (unless you create a signature from a lowercase version of the virus text).

The implication of the above is that clamav 0.93 would now no longer detect many once prevalent viruses for which it only has hexdump signatures.

--
David Shrimpton

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
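A simplified model of the two normalisation passes the post describes, added here as an illustration and not ClamAV's own code: the regexes approximate the notags/nocomments behaviour as reported, and the script body in the sample is a constructed benign fragment. It shows why a byte-exact hex signature stops matching after normalisation and how a signature derived from the normalised form still hits.

```python
import re

# Constructed sample in the shape the post describes: a script body wrapped in
# an HTML comment. The body is a benign stand-in, not real malware.
SAMPLE = ('<HTML> <BODY> <SCRIPT> <!-- var mye=new Enumerator(sbf); '
          'mye.moveNext() --> </SCRIPT> </BODY> </HTML>')
# Same message with the comment delimiters removed (the post's second case).
SAMPLE_PLAIN = SAMPLE.replace("<!-- ", "").replace(" -->", "")

# A "hexdump" signature is just the hex of the exact bytes it must find.
RAW_SIG = "var mye=new Enumerator".encode().hex()


def hex_sig_matches(text: str, sig_hex: str) -> bool:
    """Byte-exact substring match, which is all a hex-only signature can do."""
    return bytes.fromhex(sig_hex) in text.encode()


def normalize_notags(html: str) -> str:
    """Model of the notags pass: comments and tags removed, text lowercased."""
    no_comments = re.sub(r"<!--.*?-->", "", html, flags=re.S)
    return re.sub(r"<[^>]*>", "", no_comments).lower()


def normalize_nocomments(html: str) -> str:
    """Model of the nocomments pass: comment bodies are kept but squeezed of
    whitespace; text outside comments keeps its spacing; all lowercased."""
    squeezed = re.sub(r"<!--.*?-->",
                      lambda m: re.sub(r"\s+", "", m.group(0)), html, flags=re.S)
    return squeezed.lower()


def scan_all_forms(html: str, sig_hex: str) -> dict:
    """Report where a signature hits: the raw input vs each normalised file."""
    return {
        "raw": hex_sig_matches(html, sig_hex),
        "notags": hex_sig_matches(normalize_notags(html), sig_hex),
        "nocomments": hex_sig_matches(normalize_nocomments(html), sig_hex),
    }


def normalized_sig(fragment: str) -> str:
    """Derive a signature for the nocomments form: whitespace dropped, lowercased."""
    return re.sub(r"\s+", "", fragment).lower().encode().hex()


if __name__ == "__main__":
    print(scan_all_forms(SAMPLE, RAW_SIG))
    print(scan_all_forms(SAMPLE, normalized_sig("var mye=new Enumerator")))
```

Only the raw input matches the original signature; the whitespace-stripped, lowercased signature matches the nocomments form, which is the workaround the post alludes to.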