|Main Archive Page > Month Archives > clamav-devel archives|
On 02/11/2012 06:16 PM, infant deepak wrote:
> I am doing project on clamAV . I have chosen from
> 4. DOCX
> Add support for parsing docx based MS Office files.
> Main purpose is extracting embedded files. You will need to parse the XML,
> locate the embedded data, then decode(base64/OLE?) / and decompress
> (deflate?) it.
> So I did analysis of how clamAV currently scanning a .DOCX file . From my
> understanding it treats as a ZIP file and extracts to a temporary folder,
> and scanning each xml file and inserted media files such pictures,video
> etc.(If I am not correct, kindly explain me).
> After that, I tried embedding a EICAR test virus in a picture file by using
> Steghide tool. Then I scanned that picture file ,but clamav didnt recognize
> it. Reason may be steghide encrypts the virus file.
> So I like to know following things,
> 1. Why clamav didnt recognize encrypted virus?
Because once you've hidden it inside an image with steghide it is no longer executable,
and no longer capable of infecting.
You should embed/insert the EICAR as is inside a .DOCX, not hide it inside a picture!
i.e. when you double click on the EICAR inside the DOCX you should get the eicar executed.