Re: [clamav-users] Match on raw .wsf file?

2016-09-01 Thread Steven Morgan
Please try clamscan --scan-html=no to turn off normalization.

Hope this helps,
Steve

On Tue, Aug 30, 2016 at 4:36 PM, Kris Deugau  wrote:

> Is there a way to force matching on the raw file, or at least control
> the normalization to some degree so that formatting and details in the
> original code aren't lost?
>
> I've been coming across .wsf files in .zip files, which are essentially
> Javascript wrapped in a very thin wrapper:
>
> 
> [insert nasty Javascript here]
> 
>
> However, signatures I've created based on the raw file never match, and
> I finally figured out a few months ago that I'd have to use clamscan
> --leave-temps to dig up the normalized text Clam was actually running
> pattern matches against.
>
> Unfortunately I've just discovered a flaw in this process, in that the
> normalizing process is also stripping off some of the key JS-obfuscation.
>
> I've posted the raw first ~8 lines of one of these files, and the
> normalized version of that same chunk of text:
>
> http://deepnet.cx/clamfrags/raw-wsf-01
> http://deepnet.cx/clamfrags/norm-wsf-01
>
> In this case, one of the key things I'd like to match on is the
> "br"+"o"+"ken" strings in their broken form, but that information is
> wiped away in the normalized version.
>
> -kgd
> ___
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>

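The thread above is about a signature written against the raw bytes of a .wsf file failing because ClamAV matches against a normalised copy of the text, in which the `"br"+"o"+"ken"` concatenation has been collapsed. The following is an added example, not code from the thread or from the ClamAV project, that makes the mismatch concrete. It assumes a constructed .wsf sample, a deliberately tiny stand-in normaliser (it only reproduces the effect the thread reports, that string concatenation is joined and whitespace and case are flattened; it is not ClamAV's normaliser), and the documented `.ndb` line layout `Name:TargetType:Offset:HexSignature`, with target type 0 meaning "any file" and offset `*` meaning "anywhere". Together with `--scan-html=no` from Steve's reply, a target-type-0 raw-byte signature is the shape of the fix the thread is pointing at.

```python
"""Raw-byte vs. normalised matching for a .wsf JScript sample.

Added example; not ClamAV code.  normalize() is a stand-in that mimics the
effect described in the thread, NOT ClamAV's real normaliser.
"""
import re

# Constructed sample: JScript in the thin .wsf wrapper the thread describes,
# with one keyword split into "br"+"o"+"ken" pieces.
RAW_WSF = (
    b'<job id="x">\n'
    b'<script language="JScript">\n'
    b'var s = "br"+"o"+"ken";\n'
    b'</script>\n'
    b'</job>\n'
)

_CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')


def normalize(data: bytes) -> bytes:
    """Stand-in normaliser: join "a"+"b" into "ab", flatten whitespace, lowercase."""
    text = data.decode("latin-1")
    prev = None
    while prev != text:                       # repeat until no concatenation remains
        prev = text
        text = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
    text = re.sub(r"\s+", " ", text).lower()
    return text.encode("latin-1")


def make_ndb_sig(name: str, pattern: bytes, target_type: int = 0, offset: str = "*") -> str:
    """Build a .ndb line (Name:TargetType:Offset:Hex) from literal raw bytes."""
    return f"{name}:{target_type}:{offset}:{pattern.hex()}"


def sig_matches(ndb_line: str, data: bytes) -> bool:
    """Minimal matcher for a .ndb line: hex bytes, '??' single-byte wildcard,
    offset '*' (anywhere) or a fixed byte offset."""
    _name, _target, offset, hexsig = ndb_line.split(":")
    pairs = [hexsig[i:i + 2] for i in range(0, len(hexsig), 2)]
    regex = b"".join(
        b"." if p == "??" else re.escape(bytes([int(p, 16)])) for p in pairs
    )
    if offset == "*":
        return re.search(regex, data, re.DOTALL) is not None
    return re.match(regex, data[int(offset):], re.DOTALL) is not None


def match_report(pattern: bytes) -> dict:
    """Does a raw-byte signature for `pattern` hit the raw file, the normalised copy, or both?"""
    sig = make_ndb_sig("Test.Wsf.Concat", pattern)
    return {
        "raw": sig_matches(sig, RAW_WSF),
        "normalized": sig_matches(sig, normalize(RAW_WSF)),
    }


if __name__ == "__main__":
    print(make_ndb_sig("Test.Wsf.Concat", b'"br"+"o"+"ken"'))
    print("obfuscated form :", match_report(b'"br"+"o"+"ken"'))
    print("collapsed form  :", match_report(b'"broken"'))
```

The obfuscated pattern hits the raw bytes only, and the collapsed pattern hits the normalised copy only; whichever form a signature is written against, it has to be the same form ClamAV is actually scanning, which is what `--leave-temps` exposes and `--scan-html=no` changes.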

Re: [clamav-users] "Signatures Published" frequency

2016-09-01 Thread Joel Esler (jesler)
These are automated publish jobs.  Right now, the signature system is 
processing at a comfortable level, and we’d prefer not to raise the rate of 
publish.

--
Joel Esler
Manager
Talos Group
http://www.talosintelligence.com 


> On Sep 1, 2016, at 4:42 AM, Axb  wrote:
> 
> Atm, the ClamAV is publishing around 300 sigs or more every 4 hours.
> 
> Why so many signatures only every four hours instead of frequently releasing 
> much smaller batches.
> 




[clamav-users] "Signatures Published" frequency

2016-09-01 Thread Axb

Atm, the ClamAV is publishing around 300 sigs or more every 4 hours.

Why so many signatures only every four hours instead of frequently 
releasing much smaller batches.
