clamav-devel February 2012 archive
Main Archive Page > Month Archives  > clamav-devel archives
clamav-devel: Re: [Clamav-devel] Plz help me!!

Re: [Clamav-devel] Plz help me!!

From: Török Edwin <edwin_at_nospam>
Date: Sat Feb 11 2012 - 16:21:52 GMT

On 02/11/2012 06:16 PM, infant deepak wrote:
> Hi,
> I am doing project on clamAV . I have chosen from
> 4. DOCX
> Add support for parsing docx based MS Office files.
> Main purpose is extracting embedded files. You will need to parse the XML,
> locate the embedded data, then decode(base64/OLE?) / and decompress
> (deflate?) it.
> So I did analysis of how clamAV currently scanning a .DOCX file . From my
> understanding it treats as a ZIP file and extracts to a temporary folder,
> and scanning each xml file and inserted media files such pictures,video
> etc.(If I am not correct, kindly explain me).
> After that, I tried embedding a EICAR test virus in a picture file by using
> Steghide tool. Then I scanned that picture file ,but clamav didnt recognize
> it. Reason may be steghide encrypts the virus file.
> So I like to know following things,
> 1. Why clamav didnt recognize encrypted virus?

Because once you've hidden it inside an image with steghide it is no longer executable,
and no longer capable of infecting.

You should embed/insert the EICAR as is inside a .DOCX, not hide it inside a picture!
i.e. when you double click on the EICAR inside the DOCX you should get the eicar executed.

Best regards,
Please submit your patches to our Bugzilla: