clamav-devel February 2012 archive

Re: [Clamav-devel] Plz help me!!

From: Török Edwin <edwin_at_nospam>
Date: Sat Feb 11 2012 - 16:21:52 GMT
To: clamav-devel@lists.clamav.net

On 02/11/2012 06:16 PM, infant deepak wrote:
> Hi,
>
> I am doing a project on ClamAV. I have chosen, from
>
> http://wiki.clamav.net/bin/view/Main/GoogleSummerOfCode2011
> 4. DOCX
>
> Add support for parsing docx based MS Office files.
>
> Main purpose is extracting embedded files. You will need to parse the XML,
> locate the embedded data, then decode(base64/OLE?) / and decompress
> (deflate?) it.
>
> So I did an analysis of how ClamAV currently scans a .DOCX file. From my
> understanding it treats it as a ZIP file, extracts it to a temporary folder,
> and scans each XML file and inserted media file such as pictures, video,
> etc. (If I am not correct, kindly explain it to me.)
>
> After that, I tried embedding an EICAR test virus in a picture file by using
> the Steghide tool. Then I scanned that picture file, but ClamAV didn't
> recognize it. The reason may be that Steghide encrypts the virus file.
>
> So I would like to know the following things:
>
> 1. Why didn't ClamAV recognize the encrypted virus?

Because once you've hidden it inside an image with steghide it is no longer executable,
and no longer capable of infecting.

You should embed/insert the EICAR as is inside a .DOCX, not hide it inside a picture!
i.e. when you double-click the EICAR inside the DOCX, the EICAR should get executed.

Best regards,
--Edwin
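As an added illustration of the scanning behaviour discussed in this thread (not code from ClamAV or from either poster), the following Python builds a constructed DOCX-like ZIP and walks it the way a ZIP-aware scanner does: the EICAR inserted as-is is found after inflating its member, a base64 copy inside an XML part is only found once decoded (the GSoC task), and a byte-transformed copy standing in for steghide's output is not found at all. The part name word/embedData.xml, the XOR stand-in and the 16-character base64 threshold are assumptions of this example.

```python
import base64
import io
import re
import zipfile

# The EICAR test string: the industry-standard, harmless antivirus test file.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Base64 runs long enough to be worth decoding (assumed threshold, not ClamAV's).
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal DOCX-like package (DOCX is a ZIP of XML parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        # Case 1: EICAR inserted as-is, i.e. as its own ZIP member (Edwin's suggestion).
        z.writestr("word/embeddings/oleObject1.bin", EICAR)
        # Case 2: the same bytes base64-encoded inside an XML part (assumed part name);
        # a scanner that only extracts ZIP members cannot see it without decoding.
        b64 = base64.b64encode(EICAR).decode()
        z.writestr("word/embedData.xml", f"<data>{b64}</data>")
        # Case 3: bytes transformed before storage (a stand-in for steghide's output):
        # the byte pattern no longer exists in the file, so no signature can match it.
        z.writestr("word/media/image1.png", bytes(b ^ 0x5A for b in EICAR))
    return buf.getvalue()


def scan_docx(data: bytes) -> dict:
    """Walk every ZIP member like a ZIP-aware scanner: inflate it, match the raw
    bytes, and for XML parts also try base64-decoding long blobs before matching."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            content = z.read(name)  # inflates the member before matching
            if EICAR in content:
                hits[name] = "raw"
                continue
            if name.endswith(".xml"):
                for blob in B64_RE.findall(content):
                    try:
                        decoded = base64.b64decode(blob, validate=True)
                    except ValueError:
                        continue  # not valid base64, skip the run
                    if EICAR in decoded:
                        hits[name] = "base64"
                        break
    return hits
```

Running scan_docx(build_sample_docx()) reports the .bin member as a raw hit and the XML part as a base64 hit, while the transformed image member produces nothing.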