Yep, archive bombs are a huge threat since it only takes one message to kill a server that doesn't possess detection. Most AV programs have detection, but apparently ClamAV allows you to tune it.

I would search for a value that approximated more than 99.9% compression if possible and block on that. I figure that a setting of 250 is 250:1 or 99.75% compression if I am reading things right, so maybe making it 1000 instead (i.e. 1000:1 or 99.9% compression) would be safer.

The goal of a compression bomb is to just simply fill disk space and therefore impact a server's ability to function, typically by having many GB of data that decompresses from a zip/rar/etc. that is tiny in comparison.

Matt
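A defender-side check for the ratio the thread is tuning, as an added example that is not part of the original thread or of ClamAV's own code: it reads each member's declared sizes from the zip central directory, without inflating anything, and flags members whose ratio exceeds a max-ratio threshold. The sample archive is constructed in memory, and evaluating the limit per member is this example's assumption, not a description of ClamAV internals.

```python
import io
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real attachment): one member that is
    a long run of zero bytes, which deflate compresses extremely well, plus one
    ordinary text member with an unremarkable ratio."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\x00" * (8 * 1024 * 1024))      # 8 MiB of zeros
        zf.writestr("notes.txt", b"Quarterly report draft attached.\n" * 40)
    return buf.getvalue()


def compression_ratios(data: bytes) -> dict:
    """Map member name -> (compressed_size, uncompressed_size, ratio), read
    from the central directory only; nothing is inflated, so assessing a
    bomb costs no disk space or decompression CPU."""
    ratios = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            compressed = max(info.compress_size, 1)   # guard a zero-byte member
            ratios[info.filename] = (info.compress_size, info.file_size,
                                     info.file_size / compressed)
    return ratios


def members_over_ratio(data: bytes, max_ratio: int) -> list:
    """Names of members whose declared ratio exceeds max_ratio. A max_ratio
    of 0 disables the check entirely, which is why the thread treats 0 as
    the unsafe setting. Per-member evaluation is this example's own choice,
    not a statement of how ClamAV applies its setting internally."""
    if max_ratio == 0:
        return []
    return [name for name, (_, _, ratio) in compression_ratios(data).items()
            if ratio > max_ratio]


def space_saving_percent(ratio: float) -> float:
    """Convert an N:1 ratio to the 'percent compression' figure used above."""
    return round((1 - 1 / ratio) * 100, 2)
```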



Scott Fisher wrote:


I think it is in there to defend against an "archive bomb".

Archive bomb:

This is a seemingly small archive file that is actually highly compressed and expands into a huge file or several identical files. Such archives typically take quite a long time to scan, thus potentially forming a DDoS attack on an anti-virus program that tries to scan them. Good anti-virus programs include a smart algorithm to avoid extracting such files.

----- Original Message ----- From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: <declude.virus@declude.com>
Sent: Thursday, September 07, 2006 1:26 PM
Subject: RE: [Declude.Virus] Oversized.RAR FOUND in ClamAV


Disclaimer: I haven't implemented ClamAV with Declude, so I'm guessing
here...

It sounds like the max-ratio solution is a red herring.

It sounds like ClamAV returned an error because it couldn't scan the
overlarge file (compressed or not).

It sounds like Gary's configuration is quarantining emails based on any
non-zero return code from ClamAV and that this is not the behaviour he
really wants.

Comments? Flames?

Andrew 8)



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Scott Fisher
Sent: Thursday, September 07, 2006 7:02 AM
To: declude.virus@declude.com
Subject: Re: [Declude.Virus] Oversized.RAR FOUND in ClamAV

I used (and probably posted) the --max-ratio 0.

The max-ratio defines the "maximum compression ratio for scanned files." I kept getting legit text files that were zipped that were over ratio, so that's why I went to the max-ratio 0.

----- Original Message -----
From: "Gary Steiner" <[EMAIL PROTECTED]>
To: <declude.virus@declude.com>
Sent: Wednesday, September 06, 2006 9:31 PM
Subject: [Declude.Virus] Oversized.RAR FOUND in ClamAV


I have an email that was held as a virus after ClamAV was triggered with the result "Oversized.RAR FOUND".  I looked for an explanation but couldn't find anything detailed.  Apparently this is due to some type of bug in ClamAV that shows up with certain RAR or ZIP files.

I found one posting that suggested that the problem could be fixed by adjusting the max-ratio value.  The default max-ratio value for ClamAV is 250.  The suggested value for running it with Declude is 0.  What would be the safest value to run with and why?

Gary





---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.