Hi there,

On Tue, 4 Feb 2020, Ntek, SIA Janis wrote:

I have Debian 9.7 w/ postfix and ClamAV 0.100.2. I have made a custom definition file /var/lib/clamav/archive_exe.cdb containing:
Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*
so that every archive packed with an exe would be treated as a virus.

Please explain exactly what you mean by "every archive packed with exe".
Do you mean "every archive which contains an executable file"?  Please
be aware that very many executable files do not have names like '*.exe'.

This works with .zip files and .7zip files but not with .rar files. I installed the unrar package and libclamunrar9, restarted the daemons and the system, but .rar files containing an exe are still let through.

Have you scanned the test files which the ClamAV sources provide?

mail6:~/src/net/mail/clamav-devel-dev-0.102/test$ >>> clamdscan ./clam-v3.rar
/home/ged/src/net/mail/clamav-devel-dev-0.102/test/./clam-v3.rar: PUA.Win.Packer.AcprotectUltraprotect-1 FOUND

You might get some help with your signatures from e.g. this one.

Do you see anything apart from executable files compressed with RAR?
You might consider simply blocking all .rar files.  That's what I do,
but then I'm the BOFH.  There are very many other ways of compressing
and/or obfuscating executable files, so if you want protection from
this route of sneaking past scanners you really need to recognize all
of them.  Perhaps it would be easier to recognize instead just those
things which are _not_ compressed and/or obfuscated.

I read that at some point unrar code was removed from ClamAV and now it only supports rar versions 1-2 but not 3. How to work around this?

Please check dates on information you read on the Internet.  You may
find that those comments were dated around December 2007 (yes, that's
over 12 years ago).  As far as the Debian distribution is concerned,
there was a fundamental issue with the licences but I believe that it
was essentially resolved by repackaging the software so the libunrar
code could be separated.

As of December 2018 (ClamAV version 101.0) ClamAV supports UNRAR V5,
although I see no test files distributed for V5 RAR archives.  Perhaps
you will need to upgrade to Debian 10 (Buster) to make use of v101.x;
I use Debian a great deal but not the packaged ClamAV - I always build
from source.  Amongst other things this avoids noise in the logs about
outdated software (which could potentially hide some kinds of problem,
a bit like hiding an elephant).

Someone suggested using the --unrar option, but where do I put it? The conf file syntax doesn't seem to support this.

The --unrar option is deprecated, and is ignored by any recent ClamAV.
Perhaps the suggestion was in a very old document, or perhaps it was a
mistake, and the _configure_ option --enable-unrar was what was meant.
This would mean that the discussion was about building ClamAV from
source, but as Mr. Kitterman says it is not normally necessary to do
that on Debian as the binaries are built with unrar already enabled.

As an aside there is a potential issue with incompatibility with old
libraries but I do not think you will come across it - see for example
the ClamAV blog for Friday, December 21, 2018:

https://blog.clamav.net/2018/

Please take a look at the documentation for more information.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
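To make concrete the point raised in the reply above (that a filename regex such as `.*\.exe` does not recognise executables in general), here is an added Python example. It is not code from the thread or from ClamAV: it splits the quoted .cdb line into the fields named in ClamAV's container-metadata signature documentation, then applies the FileNameREGEX field to the members of a constructed zip archive next to a minimal content check (a leading `MZ` header). The matching emulation is an assumption: it treats the regex like an unanchored, case-sensitive POSIX `regexec()` search, which is how the full-match/substring behaviour is modelled here, and it is not ClamAV's engine; confirm the real behaviour with `clamscan` on your own test archive.

```python
import io
import re
import zipfile

# Field layout of a ClamAV container metadata (.cdb) signature, as given in
# the ClamAV signature documentation:
# VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:
# FileSizeReal:IsEncrypted:FilePos:Res1:Res2[:MinFL[:MaxFL]]
CDB_FIELDS = (
    "VirusName", "ContainerType", "ContainerSize", "FileNameREGEX",
    "FileSizeInContainer", "FileSizeReal", "IsEncrypted", "FilePos",
    "Res1", "Res2",
)

# The signature quoted in the thread.
CDB_LINE = r"Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*"


def parse_cdb(line):
    """Split a .cdb line into named fields; '*' means 'any value'.
    Optional MinFL/MaxFL fields, if present, are ignored here."""
    parts = line.strip().split(":")
    if len(parts) < len(CDB_FIELDS):
        raise ValueError("too few fields for a .cdb signature: %r" % line)
    return dict(zip(CDB_FIELDS, parts))


def build_sample_zip():
    """Constructed test archive (not from the thread). Member contents are
    placeholders; only the two PE-looking members start with b'MZ'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ" + b"\x00" * 62)        # name and content both say PE
        zf.writestr("readme.txt", b"plain text")                # benign
        zf.writestr("setup.scr", b"MZ" + b"\x00" * 62)          # PE, but the name is not .exe
        zf.writestr("report.exe.txt", b"not really a program")  # name matches, content does not
    return buf.getvalue()


def evaluate_archive(cdb_line, zip_bytes):
    """For each archive member, report whether the .cdb filename regex hits
    and whether the member's first two bytes look like a DOS/PE header."""
    sig = parse_cdb(cdb_line)
    # Assumption: the matcher behaves like POSIX regexec(), i.e. an
    # unanchored, case-sensitive search. Verify against your own build.
    name_re = re.compile(sig["FileNameREGEX"])
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                head = member.read(2)
            results[info.filename] = {
                "name_match": name_re.search(info.filename) is not None,
                "looks_pe": head == b"MZ",
            }
    return results


if __name__ == "__main__":
    for name, verdict in evaluate_archive(CDB_LINE, build_sample_zip()).items():
        print("%-16s name_match=%-5s looks_pe=%s"
              % (name, verdict["name_match"], verdict["looks_pe"]))
```

Running it shows the two gaps the reply warns about: `setup.scr` is a PE image that the name regex never sees, while `report.exe.txt` trips the regex without being a program at all. Only the content check lines up with what is actually executable, which is the reasoning behind the suggestion to recognise files by what they are rather than by what they are called.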
