ClamWin Free Antivirus
Support and Discussion Forums
Clamwin and etc AV bypass with gzip archive file.
freebyte


Joined: 16 Feb 2014
Posts: 1
Location: Azerbaijan
Hi guys. Today I bypassed ClamWin Clamscan with a gzip archived file.
First I added the EICAR test file to an archive.
ClamAV detected it.
Second, I modified the gzip file.

Response:
clamscan (etc.) can't detect this file.
The archive is running)
VirusTotal:
https://www.virustotal.com/ru/file/ca11e7673206521a51467a65416dbdc796e85f5bde6e6341e06bbed250c81ae0/analysis/1392558040/

For the full tutorial [Azerbaijan]:
The site is in the Azeri language.
Click Yukle+url
http://www.boxca.com/crv1wupdh80u/bypass_clamwin_redhatz.org.pdf.html
GuitarBob


Joined: 09 Jul 2006
Posts: 4226
Location: USA
You should tell Clam AV about this--since ClamWin merely uses the scan engine/signature database provided by the Clam AV project. They are the ones that can fix this.

My first thought, however: make sure you have ClamWin set to scan archive files and that the zipped file size is under the ClamWin scan size limit (100 MB, I think--but not many self-respecting new viruses would be in a file that large).

My second thought: an unscanned archive file doesn't matter too much unless it contains a virus that is self-executing. If it contains a virus for which ClamWin has a signature, it will be detected when/if it is unzipped into a folder that is later scanned by ClamWin. And... if it meets a virus profile, it will probably be detected by the Clam Sentinel front-end to ClamWin at the moment when it is unzipped to a folder where it can do some damage.

Regards,
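
An added example (not from the thread, and not ClamWin or ClamAV code) of the checks in the reply above: honour a scan size limit, look for the signature in the unpacked content, and report a gzip stream that cannot be fully unpacked as unscannable rather than clean. The `triage_gzip` name, the single-marker signature and the verdict strings are assumptions made for this example.

```python
import gzip
import zlib

# Simplified stand-in for a signature database: a marker from the EICAR test file.
SIGNATURE = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
# Assumed default: the 100 MB scan size limit mentioned in the reply above.
MAX_SCAN_BYTES = 100 * 1024 * 1024
CHUNK = 64 * 1024


def triage_gzip(data: bytes, max_scan_bytes: int = MAX_SCAN_BYTES) -> str:
    """Classify a gzip blob as 'detected', 'clean', 'over-limit' or 'unscannable'."""
    if len(data) > max_scan_bytes:
        return "over-limit"
    d = zlib.decompressobj(wbits=31)  # 31 = gzip framing, CRC32 and length verified
    buf, tail, unpacked = data, b"", 0
    try:
        while not d.eof:
            out = d.decompress(buf, CHUNK)  # bounded output per call
            buf = d.unconsumed_tail
            if not out and not buf:
                break  # input ran out before the end-of-stream marker
            unpacked += len(out)
            if unpacked > max_scan_bytes:
                return "over-limit"
            window = tail + out
            if SIGNATURE in window:
                return "detected"
            tail = window[-(len(SIGNATURE) - 1):]  # catch matches split across chunks
    except zlib.error:
        return "unscannable"  # bad header, corrupt stream or CRC mismatch
    if not d.eof or d.unused_data:
        return "unscannable"  # truncated, or bytes this example did not inspect
    return "clean"


if __name__ == "__main__":
    # Constructed samples, built in memory.
    good = gzip.compress(b"hello world\n" * 1000)
    samples = {
        "test file": gzip.compress(b"prefix " + SIGNATURE),
        "benign": good,
        "truncated": good[: len(good) // 2],
    }
    for name, blob in samples.items():
        print(name, "->", triage_gzip(blob))
```

A file that comes back as "unscannable" or "over-limit" has not been checked, so it should be held for review rather than treated the same as "clean".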