Hi, I occasionally get Oversized.Zip false positives with clamscan 0.90 (and clamav-milter) when the actual compression ratio of the zip archive is not overly large, say 250. If I put "ArchiveMaxCompressionRatio 0" in clamd.conf, that has no effect. I have appended the output of "clamscan --debug" for a Solaris 9 host (but it also happens under Linux), if that is any help. Is there anything else I can check before submitting this as a false positive?
Thanks
Fletcher

cs.utexas.edu$ clamscan --debug z.zip
LibClamAV debug: Initializing the engine structure
LibClamAV debug: cli_loaddbdir: Acquiring dbdir lock
LibClamAV debug: Loading databases from /lusr/share/clamav
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = eb2702736e04b00af9ba46c9e2e3b95d
LibClamAV debug: cli_versig: Decoded signature: eb2702736e04b00af9ba46c9e2e3b95d
LibClamAV debug: cli_versig: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//clamav-b8f24cc3544e860f4883b0af0595f11d/COPYING
LibClamAV debug: Unpacking /var/tmp//clamav-b8f24cc3544e860f4883b0af0595f11d/main.db
LibClamAV debug: Unpacking /var/tmp//clamav-b8f24cc3544e860f4883b0af0595f11d/main.hdb
LibClamAV debug: Unpacking /var/tmp//clamav-b8f24cc3544e860f4883b0af0595f11d/main.ndb
LibClamAV debug: Unpacking /var/tmp//clamav-b8f24cc3544e860f4883b0af0595f11d/main.zmd
LibClamAV debug: Unpacking /var/tmp//clamav-b8f24cc3544e860f4883b0af0595f11d/main.fp
LibClamAV debug: Unpacking /var/tmp//clamav-b8f24cc3544e860f4883b0af0595f11d/main.info
LibClamAV debug: cli_loaddbdir: Acquiring dbdir lock
LibClamAV debug: Loading databases from /var/tmp//clamav-b8f24cc3544e860f4883b0af0595f11d
LibClamAV debug: Initializing engine->root[0]
LibClamAV debug: Initialising AC pattern matcher of root[0]
LibClamAV debug: Initializing BM tables of root[0]
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Initializing engine->root[1]
LibClamAV debug: Initialising AC pattern matcher of root[1]
LibClamAV debug: Initializing BM tables of root[1]
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Initializing engine->root[2]
LibClamAV debug: Initialising AC pattern matcher of root[2]
LibClamAV debug: Initializing BM tables of root[2]
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Initializing engine->root[3]
LibClamAV debug: Initialising AC pattern matcher of root[3]
LibClamAV debug: Initializing BM tables of root[3]
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Initializing engine->root[4]
LibClamAV debug: Initialising AC pattern matcher of root[4]
LibClamAV debug: Initializing BM tables of root[4]
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Initializing engine->root[5]
LibClamAV debug: Initialising AC pattern matcher of root[5]
LibClamAV debug: Initializing BM tables of root[5]
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Initializing engine->root[6]
LibClamAV debug: Initialising AC pattern matcher of root[6]
LibClamAV debug: Initializing BM tables of root[6]
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: /var/tmp//clamav-b8f24cc3544e860f4883b0af0595f11d/main.db loaded
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: /var/tmp//clamav-b8f24cc3544e860f4883b0af0595f11d/main.hdb loaded
LibClamAV debug: /var/tmp//clamav-b8f24cc3544e860f4883b0af0595f11d/main.ndb loaded
LibClamAV debug: /var/tmp//clamav-b8f24cc3544e860f4883b0af0595f11d/main.zmd loaded
LibClamAV debug: /var/tmp//clamav-b8f24cc3544e860f4883b0af0595f11d/main.fp loaded
LibClamAV debug: Dynamic engine configuration settings:
LibClamAV debug: --------------------------------------
LibClamAV debug: Module PE: On
LibClamAV debug: * Submodule PARITE: On
LibClamAV debug: * Submodule KRIZ: On
LibClamAV debug: * Submodule MAGISTR: On
LibClamAV debug: * Submodule POLIPOS: On
LibClamAV debug: * Submodule MD5SECT: On
LibClamAV debug: * Submodule UPX: On
LibClamAV debug: * Submodule FSG: On
LibClamAV debug: * Submodule SUE: On
LibClamAV debug: * Submodule PETITE: On
LibClamAV debug: * Submodule PESPIN: On
LibClamAV debug: * Submodule YC: On
LibClamAV debug: * Submodule WWPACK: On
LibClamAV debug: * Submodule NSPACK: On
LibClamAV debug: * Submodule MEW: On
LibClamAV debug: * Submodule UPACK: On
LibClamAV debug: Module ELF: On
LibClamAV debug: Module ARCHIVE: On
LibClamAV debug: * Submodule RAR: On
LibClamAV debug: * Submodule ZIP: On
LibClamAV debug: * Submodule GZIP: On
LibClamAV debug: * Submodule BZIP: On
LibClamAV debug: * Submodule SZDD: On
LibClamAV debug: * Submodule CAB: On
LibClamAV debug: * Submodule CHM: On
LibClamAV debug: * Submodule OLE2: On
LibClamAV debug: * Submodule TAR: On
LibClamAV debug: * Submodule BINHEX: On
LibClamAV debug: * Submodule SIS: On
LibClamAV debug: Module DOCUMENT: On
LibClamAV debug: * Submodule HTML: On
LibClamAV debug: * Submodule RTF: On
LibClamAV debug: * Submodule PDF: On
LibClamAV debug: Module MAIL: On
LibClamAV debug: * Submodule MBOX: On
LibClamAV debug: * Submodule TNEF: On
LibClamAV debug: * Submodule PST: On
LibClamAV debug: Module OTHER: On
LibClamAV debug: * Submodule UUENCODED: On
LibClamAV debug: * Submodule SCRENC: On
LibClamAV debug: * Submodule RIFF: On
LibClamAV debug: * Submodule JPEG: On
LibClamAV debug: * Submodule CRYPTFF: On
LibClamAV debug: /lusr/share/clamav/main.cvd loaded
LibClamAV debug: /lusr/share/clamav/foo.hdb loaded
LibClamAV debug: cli_loaddbdir: Acquiring dbdir lock
LibClamAV debug: Can't open Lock file for Database Directory: /lusr/share/clamav/daily.inc
LibClamAV debug: Loading databases from /lusr/share/clamav/daily.inc
LibClamAV debug: /lusr/share/clamav/daily.inc/daily.db loaded
LibClamAV debug: /lusr/share/clamav/daily.inc/daily.hdb loaded
LibClamAV debug: /lusr/share/clamav/daily.inc/daily.ndb loaded
LibClamAV debug: /lusr/share/clamav/daily.inc/daily.zmd loaded
LibClamAV debug: /lusr/share/clamav/daily.inc/daily.fp loaded
LibClamAV debug: /lusr/share/clamav/daily.inc/daily.mdb loaded
LibClamAV debug: /lusr/share/clamav/daily.inc/daily.cfg loaded
LibClamAV debug: Dynamic engine configuration settings:
LibClamAV debug: --------------------------------------
LibClamAV debug: Module PE: On
LibClamAV debug: * Submodule PARITE: On
LibClamAV debug: * Submodule KRIZ: On
LibClamAV debug: * Submodule MAGISTR: On
LibClamAV debug: * Submodule POLIPOS: On
LibClamAV debug: * Submodule MD5SECT: On
LibClamAV debug: * Submodule UPX: On
LibClamAV debug: * Submodule FSG: On
LibClamAV debug: * Submodule SUE: On
LibClamAV debug: * Submodule PETITE: On
LibClamAV debug: * Submodule PESPIN: On
LibClamAV debug: * Submodule YC: On
LibClamAV debug: * Submodule WWPACK: On
LibClamAV debug: * Submodule NSPACK: On
LibClamAV debug: * Submodule MEW: On
LibClamAV debug: * Submodule UPACK: On
LibClamAV debug: Module ELF: On
LibClamAV debug: Module ARCHIVE: On
LibClamAV debug: * Submodule RAR: On
LibClamAV debug: * Submodule ZIP: On
LibClamAV debug: * Submodule GZIP: On
LibClamAV debug: * Submodule BZIP: On
LibClamAV debug: * Submodule SZDD: On
LibClamAV debug: * Submodule CAB: On
LibClamAV debug: * Submodule CHM: On
LibClamAV debug: * Submodule OLE2: On
LibClamAV debug: * Submodule TAR: On
LibClamAV debug: * Submodule BINHEX: On
LibClamAV debug: * Submodule SIS: On
LibClamAV debug: Module DOCUMENT: On
LibClamAV debug: * Submodule HTML: On
LibClamAV debug: * Submodule RTF: ** Off **
LibClamAV debug: * Submodule PDF: On
LibClamAV debug: Module MAIL: On
LibClamAV debug: * Submodule MBOX: On
LibClamAV debug: * Submodule TNEF: On
LibClamAV debug: * Submodule PST: On
LibClamAV debug: Module OTHER: On
LibClamAV debug: * Submodule UUENCODED: On
LibClamAV debug: * Submodule SCRENC: On
LibClamAV debug: * Submodule RIFF: On
LibClamAV debug: * Submodule JPEG: On
LibClamAV debug: * Submodule CRYPTFF: On
LibClamAV debug: Recognized ZIP file
LibClamAV debug: in scanzip()
LibClamAV debug: Unzip: __zip_find_disk_trailer: found file header at 36760, shift 0
LibClamAV debug: Zip: ADisk$ADiskCallback.class, crc32: 0x2c60e077, offset: 0, encrypted: 0, compressed: 370, normal: 620, method: 8, ratio: 1 (max: 250)
LibClamAV debug: Zip: File decompressed to /var/tmp//clamav-cc24800d90a10e07eca3e2ceeedc07ee
LibClamAV debug: Zip: ADisk$Transaction.class, crc32: 0xeff84205, offset: 446, encrypted: 0, compressed: 286, normal: 400, method: 8, ratio: 1 (max: 250)
LibClamAV debug: Zip: File decompressed to /var/tmp//clamav-1ccc2b11d55faedb319d230439a21112
LibClamAV debug: Zip: ADisk.class, crc32: 0xf0114609, offset: 806, encrypted: 0, compressed: 1306, normal: 2416, method: 8, ratio: 1 (max: 250)
LibClamAV debug: Zip: File decompressed to /var/tmp//clamav-7521ef3c539f800c5bf92d02f2d8fa97
LibClamAV debug: Signature offset: 393, expected: 0 (Trojan.Downloader.Bat.Ftp.gen-6)
LibClamAV debug: Signature offset: 393, expected: 0 (Trojan.Downloader.Bat.Ftp.gen-5)
LibClamAV debug: Signature offset: 393, expected: 0 (Trojan.Downloader.Bat.Ftp.gen-4)
LibClamAV debug: Signature offset: 393, expected: 0 (Trojan.Downloader.Bat.Ftp.gen-3)
LibClamAV debug: Signature offset: 393, expected: 0 (Trojan.Downloader.Bat.Ftp.gen-2)
LibClamAV debug: Signature offset: 393, expected: 0 (Trojan.Downloader.Bat.Ftp.gen-1)
LibClamAV debug: Signature offset: 393, expected: 0 (Trojan.Downloader.BAT.Ftp.gen)
LibClamAV debug: Zip: ADisk.java, crc32: 0x1d5c3935, offset: 2174, encrypted: 0, compressed: 1688, normal: 6719, method: 8, ratio: 3 (max: 250)
LibClamAV debug: Zip: File decompressed to /var/tmp//clamav-da843ca09e40ba2dfdbf164c9a1caec5
LibClamAV debug: Signature offset: 1258, expected: 0 (Trojan.Downloader.Bat.Ftp.gen-6)
LibClamAV debug: Signature offset: 1258, expected: 0 (Trojan.Downloader.Bat.Ftp.gen-5)
LibClamAV debug: Signature offset: 1258, expected: 0 (Trojan.Downloader.Bat.Ftp.gen-4)
LibClamAV debug: Signature offset: 1258, expected: 0 (Trojan.Downloader.Bat.Ftp.gen-3)
LibClamAV debug: Signature offset: 1258, expected: 0 (Trojan.Downloader.Bat.Ftp.gen-2)
LibClamAV debug: Signature offset: 1258, expected: 0 (Trojan.Downloader.Bat.Ftp.gen-1)
LibClamAV debug: Signature offset: 1258, expected: 0 (Trojan.Downloader.BAT.Ftp.gen)
LibClamAV debug: Zip: ADiskUnit.class, crc32: 0x8fe64896, offset: 3923, encrypted: 0, compressed: 442, normal: 702, method: 8, ratio: 1 (max: 250)
LibClamAV debug: Zip: File decompressed to /var/tmp//clamav-63344debbbbb50ba6b21c071c7c34b6a
LibClamAV debug: Zip: ADiskUnit.java, crc32: 0x74b2e920, offset: 4431, encrypted: 0, compressed: 249, normal: 669, method: 8, ratio: 2 (max: 250)
LibClamAV debug: Zip: File decompressed to /var/tmp//clamav-aca34350f470a50bf81899341015dce3
LibClamAV debug: Zip: DISK.dat, crc32: 0xe77e3796, offset: 4745, encrypted: 0, compressed: 10485, normal: 8371712, method: 8, ratio: 798 (max: 250)
z.zip: Oversized.Zip FOUND

----------- SCAN SUMMARY -----------
Known viruses: 105671
Engine version: 0.90
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Time: 11.448 sec (0 m 11 s)
cs.utexas.edu$
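
The following is an added example, not part of the original post or of ClamAV: a small parser for the per-member "Zip:" lines of `clamscan --debug` that reports which archive member exceeded the logged limit. It assumes one debug message per line, that a limit of 0 means "no limit", and that the logged ratio is the integer quotient normal / compressed (inferred from the values in the output above); the function names are hypothetical.

```python
import re

# Member lines copied from the --debug output in the post, one message per line.
SAMPLE_LOG = """\
LibClamAV debug: Zip: ADisk.class, crc32: 0xf0114609, offset: 806, encrypted: 0, compressed: 1306, normal: 2416, method: 8, ratio: 1 (max: 250)
LibClamAV debug: Zip: File decompressed to /var/tmp//clamav-7521ef3c539f800c5bf92d02f2d8fa97
LibClamAV debug: Zip: ADisk.java, crc32: 0x1d5c3935, offset: 2174, encrypted: 0, compressed: 1688, normal: 6719, method: 8, ratio: 3 (max: 250)
LibClamAV debug: Zip: DISK.dat, crc32: 0xe77e3796, offset: 4745, encrypted: 0, compressed: 10485, normal: 8371712, method: 8, ratio: 798 (max: 250)
"""

MEMBER_RE = re.compile(
    r"Zip: (?P<name>.+), crc32: 0x[0-9a-fA-F]+, offset: \d+, encrypted: \d+, "
    r"compressed: (?P<compressed>\d+), normal: (?P<normal>\d+), "
    r"method: \d+, ratio: (?P<ratio>\d+) \(max: (?P<limit>\d+)\)"
)


def parse_members(log_text):
    """Return one record per archive member found in the debug output."""
    members = []
    for line in log_text.splitlines():
        m = MEMBER_RE.search(line)
        if not m:
            continue  # e.g. "Zip: File decompressed to ..." carries no sizes
        rec = {"name": m["name"]}
        for key in ("compressed", "normal", "ratio", "limit"):
            rec[key] = int(m[key])
        # Assumption: the logged ratio is normal // compressed. A member with
        # compressed == 0 has no defined ratio, so leave it as None.
        rec["computed"] = (
            rec["normal"] // rec["compressed"] if rec["compressed"] else None
        )
        members.append(rec)
    return members


def over_limit(members):
    """Members whose logged ratio exceeds the logged limit (0 = no limit, assumed)."""
    return [m for m in members if m["limit"] > 0 and m["ratio"] > m["limit"]]


if __name__ == "__main__":
    for m in over_limit(parse_members(SAMPLE_LOG)):
        print(f'{m["name"]}: {m["normal"]} / {m["compressed"]} bytes, '
              f'ratio {m["ratio"]} > max {m["limit"]}')
```
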