While reading-up on ClamAV and YARA, I came across something I wanted to try for some time: have ClamAV decrypt and scan a password protected ZIP file.
It can be done by creating a .pwdb password signature file, as explained in section 3.12 of Creating signatures for ClamAV.
I created one signature for password “infected”:
ZipPasswordInfected;Engine:81-255;0;infected
ZipPasswordInfected is the name I gave to the signature.
Engine:81-255 defines the required functionality level of the ClamAV engine. If I’m not mistaken, 81 is version 0.99.
0 indicates that the password is in ASCII.
infected is the password to attempt ZIP decryption.
And then I can pass the password signature file to clamscan with option -d. Or I can put the password signature file in the database directory.
In this example, notepad.exe is stored in a password protected ZIP file (password infected), and is_pe_file.yara is a YARA rule to detect PE files.
clamscan.exe -d is_pe_file.yara -d passwords.pwdb notepad.exe.zip notepad.exe.zip: YARA.is_PE_File.UNOFFICIAL FOUND ----------- SCAN SUMMARY ----------- Known viruses: 1 Engine version: 0.99.2 Scanned directories: 0 Scanned files: 1 Infected files: 1 Data scanned: 0.21 MB Data read: 0.14 MB (ratio 1.50:1) Time: 0.063 sec (0 m 0 s)
Didier Stevens 
[…] Quickpost: ClamAV and ZIP File Decryption […]
Pingback by Overview of Content Published In February | Didier Stevens — Saturday 4 March 2017 @ 0:00