Hi Ged & ClamAV Users,
You are right about eicar; the unofficial signatures are detected in the
.ar archive format.
Besides this, unfortunately, real malware code and eicar are not
detected in a .tar.gz (gzip) inside an .ar archive file (like .deb
packages are).
How to reproduce:

- Download my test file
  gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb (6MB) (download
  here at your own risk!) and run a scan like this:
  - wget https://seafile.schroeffu.ch/f/876b201b6d614d66a87e/?dl=1 -O /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb && clamdscan -z /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb
    (no virus found) *1)
- Unpack & scan the gzip file (data.tar.zst) inside; with the .ar archive
  unpacked this way, viruses are found inside the .tar.zst (gzip):
  - ar x /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb && clamdscan -z /tmp/data.tar.zst
    (virus will be found) *2)

--> Is this a handling mistake on my side, such as archive-in-archive
scanning not being configured, or is it worth a bug report?

*1) clamdscan -z gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb: OK
----------- SCAN SUMMARY -----------
Infected files: 0
Time: 3.508 sec (0 m 3 s)
Start Date: 2022:07:11 10:11:49
End Date: 2022:07:11 10:11:53

*2) clamdscan -z data.tar.zst
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst: Win.Dropper.Corebot-7599208-0 FOUND
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst: {HEX}EICAR.TEST.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 21.519 sec (0 m 21 s)
Start Date: 2022:07:11 10:11:18
End Date: 2022:07:11 10:11:39
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
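
An added triage helper for the nested layout in the report above (not code from the poster or from ClamAV): it walks the members of an .ar container such as a .deb and identifies each member's compression from its magic bytes, which shows what inner format a scanner has to unpack. The sample archive and the `build_ar` helper are constructed for illustration; the stub members carry only the magic numbers, not real compressed data.

```python
AR_MAGIC = b"!<arch>\n"
# Magic numbers of compression formats commonly used for .deb members.
MAGICS = [
    (b"\x1f\x8b", "gzip"),
    (b"\x28\xb5\x2f\xfd", "zstd"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"BZh", "bzip2"),
]

def sniff(data):
    """Name the compression format from leading magic bytes."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"

def list_ar_members(blob):
    """Return [(name, size, compression)] for each member of an ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, off = [], len(AR_MAGIC)
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]          # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError(f"bad member header at offset {off}")
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        body = blob[off + 60:off + 60 + size]
        if len(body) != size:
            raise ValueError(f"truncated member {name!r}")
        members.append((name, size, sniff(body)))
        off += 60 + size + (size & 1)     # members are 2-byte aligned
    return members

def build_ar(files):
    """Constructed helper: assemble a minimal ar archive for the demo."""
    out = bytearray(AR_MAGIC)
    for name, body in files:
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}`\n"
        out += hdr.encode("ascii") + body + (b"\n" if len(body) % 2 else b"")
    return bytes(out)

# Constructed sample mimicking the member layout of a .deb package.
SAMPLE = build_ar([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", b"\x1f\x8b\x08" + b"\x00" * 4),
    ("data.tar.zst", b"\x28\xb5\x2f\xfd" + b"\x00" * 5),
])

if __name__ == "__main__":
    for member in list_ar_members(SAMPLE):
        print(member)
```

To run it on a real package, pass the file's bytes to `list_ar_members`, for example `list_ar_members(open(path, "rb").read())`.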