While reading up on ClamAV and YARA, I came across something I wanted to try for some time: have ClamAV decrypt and scan a password-protected ZIP file.
It can be done by creating a .pwdb password signature file, as explained in section 3.12 of Creating signatures for ClamAV.
I created one signature for password “infected”:
ZipPasswordInfected is the name I gave to the signature.
Engine:81-255 defines the required functionality level of the ClamAV engine. If I’m not mistaken, 81 is version 0.99.
0 indicates that the password is in ASCII.
infected is the password to attempt ZIP decryption.
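The four fields described above, joined with semicolons, make up one line of the .pwdb file. The following is an added example, not code from this post or from the ClamAV project, that builds and parses such lines from a password list. Assumptions: the function names are hypothetical, storage type 1 (hex) is taken from the ClamAV signature documentation rather than from this post, and UTF-8 is assumed as the byte encoding for hex passwords.

```python
# Added example: build and parse ClamAV .pwdb password signatures.
ENGINE_RANGE = "Engine:81-255"  # functionality-level range quoted in the post

def build_pwdb_entry(name: str, password: str) -> str:
    """Return one .pwdb line: Name;TargetDescriptionBlock;StorageType;Password."""
    if not name or any(c in name for c in ";\r\n"):
        raise ValueError(f"invalid signature name: {name!r}")
    if not password:
        raise ValueError("empty password")
    # Storage type 0 (cleartext) only for printable ASCII without spaces or ';'.
    # Assumption: ';' is the field separator and cannot be escaped in cleartext.
    if all(0x21 <= ord(c) <= 0x7E and c != ";" for c in password):
        return f"{name};{ENGINE_RANGE};0;{password}"
    # Storage type 1: hex-encoded password bytes (ClamAV signature docs).
    # UTF-8 as the byte encoding is an assumption of this example.
    return f"{name};{ENGINE_RANGE};1;{password.encode('utf-8').hex()}"

def parse_pwdb_entry(line: str) -> dict:
    """Split a .pwdb line into its four fields and decode the password bytes."""
    fields = line.rstrip("\r\n").split(";")
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {line!r}")
    name, tdb, storage, raw = fields
    if not any(part.startswith("Engine:") for part in tdb.split(",")):
        raise ValueError("target description block lacks Engine:")
    if storage == "0":
        password = raw.encode("ascii")
    elif storage == "1":
        password = bytes.fromhex(raw)
    else:
        raise ValueError(f"unknown storage type {storage!r}")
    return {"name": name, "tdb": tdb, "storage": int(storage), "password": password}

def build_pwdb(passwords: dict) -> str:
    """Render a whole .pwdb file from a {signature_name: password} mapping."""
    return "".join(build_pwdb_entry(n, p) + "\n" for n, p in passwords.items())

if __name__ == "__main__":
    # Constructed sample list; only "infected" appears in the post.
    sample = {"ZipPasswordInfected": "infected", "ZipPasswordSemi": "a;b"}
    print(build_pwdb(sample), end="")
```

Redirect the output to a file with the .pwdb extension so that clamscan treats it as a password signature database.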
And then I can pass the password signature file to clamscan with option -d. Or I can put the password signature file in the database directory.
In this example, notepad.exe is stored in a password-protected ZIP file (password infected), and is_pe_file.yara is a YARA rule to detect PE files.
clamscan.exe -d is_pe_file.yara -d passwords.pwdb notepad.exe.zip
notepad.exe.zip: YARA.is_PE_File.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.21 MB
Data read: 0.14 MB (ratio 1.50:1)
Time: 0.063 sec (0 m 0 s)