Schroeffu, Ged, ClamAV does not include support for parsing the old AR archive format used for DEB archives ( https://en.wikipedia.org/wiki/Ar_(Unix) ). Adding AR archive parsing would be a new feature. You are welcome to create a feature request issue using the bug report queue on Github https://github.com/Cisco-Talos/clamav/issues/new?assignees=&labels=&template=bug_report.md&title=. But I can't promise if or when we'll add support for DEB-style AR archives.
Ged, the unofficial eicar signature that you shared targets any file (target type 0) at any offset (offset: *):

{HEX}EICAR.TEST.3:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a

For a format like AR or TAR, this signature will match if those eicar bytes are found anywhere in the file. The AR format does not do any compression, so it makes sense that this signature would alert. But this is not the intended use case for the EICAR test file because it doesn't demonstrate any unpacking of the archive.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

________________________________
From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of Schroeffu via clamav-users <clamav-users@lists.clamav.net>
Sent: Monday, July 11, 2022 1:27 AM
To: clamav-users@lists.clamav.net <clamav-users@lists.clamav.net>
Cc: i...@schroeffu.ch <i...@schroeffu.ch>
Subject: Re: [clamav-users] ClamAV does not detect viruses in "ar archive" file format

Hi Ged & ClamAV Users,

you are right about eicar, the unofficial signatures are detected in a .ar archive format. Besides this, unfortunately, real malware code and eicar are not detected in a .tar.gz (gzip) inside of an .ar archive file (like .deb packages are).

How to reproduce:

- Download my testfile gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb (6MB) (download here at your own risk!) and run a scan like this:
  - wget https://seafile.schroeffu.ch/f/876b201b6d614d66a87e/?dl=1 -O /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb && clamdscan -z /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb (no virus found) *1)
- Unpack the .ar archive and scan the gzip file (data.tar.zst) inside; in the unpacked .ar archive, viruses are found inside the .tar.zst (gzip):
  - ar x /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb && clamdscan -z /tmp/data.tar.zst (virus will be found) *2)

--> Is this my handling failure, like not having configured archive-in-archive scanning, or is it worth a bug report?

*1)
clamdscan -z gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 3.508 sec (0 m 3 s)
Start Date: 2022:07:11 10:11:49
End Date:   2022:07:11 10:11:53

*2)
clamdscan -z data.tar.zst
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst: Win.Dropper.Corebot-7599208-0 FOUND
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst: {HEX}EICAR.TEST.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 21.519 sec (0 m 21 s)
Start Date: 2022:07:11 10:11:18
End Date:   2022:07:11 10:11:39
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
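The behaviour Micah describes (a target-0, offset-* hex signature firing on bytes stored in the clear inside an AR container, but not on the same bytes once they sit in a compressed data.tar member that ClamAV does not unpack from AR) as an added Python example; this is not code from ClamAV or from anyone on this thread. It assumes a minimal AR parser of its own (parse_ar, build_ar, scan_members are hypothetical helpers), uses gzip in place of the .deb's zstd data.tar, constructs the two archives inline, and takes the signature from the line quoted above.

```python
import gzip
# Unofficial EICAR signature quoted in the thread (ndb form name:target:offset:hex);
# target 0 = any file type, offset * = anywhere in the file.
EICAR_SIG = ("{HEX}EICAR.TEST.3:0:*:58354f2150254041505b345c505a58353428505e29"
             "37434329377d2445494341522d5354414e444152442d414e544956495255532d"
             "544553542d46494c452124482b482a")

def parse_ndb_sig(line):
    """Split a ClamAV .ndb-style signature into (name, target, offset, pattern bytes)."""
    name, target, offset, hexpat = line.split(":", 3)
    return name, int(target), offset, bytes.fromhex(hexpat)

def raw_match(data, sig):
    """Simplified matcher: target 0 / offset * means 'pattern anywhere in the bytes'."""
    _name, target, offset, pat = sig
    assert target == 0 and offset == "*", "only the quoted signature's form is handled"
    return pat in data

def build_ar(members):
    """Build a classic AR archive (the outer container of a .deb) from (name, data) pairs."""
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        # 60-byte header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) fmag(2)
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")   # members start on even offsets
    return bytes(out)

def parse_ar(data):
    """Yield (name, data) per member, validating the global magic and each header."""
    if data[:8] != b"!<arch>\n":
        raise ValueError("not an AR archive")
    pos = 8
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError(f"bad member header at offset {pos}")
        name = hdr[:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58])
        yield name, data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)

def scan_members(ar_bytes, sig):
    """Scan each member; .gz members are decompressed first (gzip stands in for data.tar.zst)."""
    results = {}
    for name, body in parse_ar(ar_bytes):
        results[name] = raw_match(gzip.decompress(body) if name.endswith(".gz") else body, sig)
    return results
# Constructed archives (not the thread's .deb): EICAR in the clear vs. gzip-compressed.
SIG = parse_ndb_sig(EICAR_SIG)
PLAIN_AR = build_ar([("debian-binary", b"2.0\n"), ("control.tar", SIG[3])])
GZ_AR = build_ar([("debian-binary", b"2.0\n"), ("data.tar.gz", gzip.compress(SIG[3]))])
```

raw_match(PLAIN_AR, SIG) is true and raw_match(GZ_AR, SIG) is false, while scan_members(GZ_AR, SIG) flags data.tar.gz only after the member has been extracted and decompressed, which is the step Schroeffu performed by hand with ar x.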