Re: [clamav-users] Signature not detected
Hi there,

On Tue, 18 Jul 2017, Alex wrote:

Hi guys, just submitted an "ace" archive with a .cmd inside.

# sha1sum PROFORMA\ INVOICE_xls.ace
97757622d5d568b01faa9d662818eebd40b1e0c0 PROFORMA INVOICE_xls.ace

We've now disabled "ace" files (who even knew they existed?)

...

mail6:~$ >>> grep bad.*ace /etc/mail/mimedefang-filter | cut -b 1-40
$bad_exts = '(7z|ace|ade|adp|app|arc

:)

--

73,
Ged.
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] scanning mp3-files with clamscan
On 18.07.2017 at 19:21, Paul Kosinski wrote:

> "...the worst thing that might happen would involve crashing the
> player..."
>
> No, the worst thing that might happen is that a buffer overflow results
> in code execution in the player's security context. With deliberate
> malicious code added to the MP3 data stream, this could even lead to
> encrypting the user's files for ransom.

and that happened often enough for several file formats like images, if some malicious crashes a player you have a problem and multimedia formats are *well known* for security relevant bugs

phrases starting with "the worst thing that might happen" are known as "the last famous words" and have no place in any security context at all

> On Mon, 17 Jul 2017 23:21:13 -0700 Al Varnell wrote:
>
> > True MP3 files contain sounds that a media player plays. Anything
> > executable can't be handled by the player and the worst thing that
> > might happen would involve crashing the player, if that's even
> > possible.
> >
> > Most, if not all scanners ignore such files. They take a long time to
> > scan with a high probability of zero results. The only example I can
> > locate that comes close to maliciousness would is one that contacts
> > an Internet site capable of downloading actual malware. Such a site
> > would not last long and the actual malware will likely be found
> > before the download completes.
> >
> > Feel free to locate or better yet submit a sample of anything else
> > and you stand a chance of convincing someone that it would be worthy
> > of changing the policy.

Re: [clamav-users] scanning mp3-files with clamscan
"...the worst thing that might happen would involve crashing the player..." No, the worst thing that might happen is that a buffer overflow results in code execution in the player's security context. With deliberate malicious code added to the MP3 data stream, this could even lead to encrypting the user's files for ransom. This sort of buffer overflow execution flaw has surfaced in other situations where "mere" passive data has led to security problems due to buggy processing, and is often being patched in various application programs. Of course, executable files (incl. less obvious ones like PDFs) pose a worse threat, but why single out MP3 among passive data formats? They are not the only big "passive" files -- TIFs can be really big these days, and various video formats even bigger (H.264, MPEG-2 etc.). On Mon, 17 Jul 2017 23:21:13 -0700 Al Varnell wrote: > True MP3 files contain sounds that a media player plays. Anything > executable can't be handled by the player and the worst thing that > might happen would involve crashing the player, if that's even > possible. > > Most, if not all scanners ignore such files. They take a long time to > scan with a high probability of zero results. The only example I can > locate that comes close to maliciousness would is one that contacts > an Internet site capable of downloading actual malware. Such a site > would not last long and the actual malware will likely be found > before the download completes. > > Feel free to locate or better yet submit a sample of anything else > and you stand a chance of convincing someone that it would be worthy > of changing the policy. > > Sent from Janet's iPad > > -Al- ___ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] scanning mp3-files with clamscan
Paul,

I don't know how an MP3 file would contain malware, other than possible exploits of MP3 player/processor flaws. If you want to have MP3 files scanned anyway, it is possible to change the file type signatures for MP3 so they are not ignored. Also, I don't know of any signatures for MP3.

Steve

On Mon, Jul 17, 2017 at 11:45 PM, Paul Kosinski wrote:

> Are MP3 files ignored because it is impossible that MP3 software ever
> has buffer overflows or other security flaws???
>
> Or is it because MP3 files are compressed (i.e., random-looking) and
> thus may cause false positives? What about all the other compressed or
> encrypted file types which might do the same?
>
> In other words, I don't understand why they all would be ignored.
>
>
> On Mon, 17 Jul 2017 17:22:52 -0400
> Steven Morgan wrote:
>
> > Rosika,
> >
> > The reason the MP3 file is not scanned is because the file type
> > signatures for MP3 direct that they are ignored. Particularly:
> >
> > "0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
> > and
> > "0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
> >
> > These definitions are in the daily.ftm file of the ClamAV virus
> > database.
> >
> > Steve
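
Added example (not part of the thread and not ClamAV code): a small audit helper that applies the two daily.ftm lines quoted above to the leading bytes of some files, to show which ones those rules would type as MP3 and ignore. The field order in `parse_ftm` is an assumption based on ClamAV's documented .ftm layout, and the sample headers are constructed.

```python
from dataclasses import dataclass

# The two file type magic lines quoted in the thread (from daily.ftm).
FTM_LINES = [
    "0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED",
    "0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED",
]

@dataclass(frozen=True)
class FtmRule:
    offset: int
    magic: bytes
    name: str
    ftype: str

def parse_ftm(line):
    """Parse one rule. Assumed field order (ClamAV's documented .ftm layout):
    magictype:offset:magicbytes:name:rtype:type[:min_flevel[:max_flevel]]"""
    fields = line.strip().split(":")
    if len(fields) < 6:
        raise ValueError(f"too few fields: {line!r}")
    magictype, offset, magic_hex, name, _rtype, ftype = fields[:6]
    # Only magictype 0 (direct byte comparison at a fixed offset) is handled.
    if magictype != "0" or not offset.isdigit():
        raise ValueError(f"unsupported rule: {line!r}")
    return FtmRule(int(offset), bytes.fromhex(magic_hex), name, ftype)

def matching_rule(header, rules):
    """Return the first rule whose magic bytes sit at its offset, else None."""
    for rule in rules:
        if header[rule.offset:rule.offset + len(rule.magic)] == rule.magic:
            return rule
    return None

def audit(samples, rules):
    """Map each sample name to True if its type resolves to CL_TYPE_IGNORED."""
    result = {}
    for name, header in samples.items():
        rule = matching_rule(header, rules)
        result[name] = rule is not None and rule.ftype == "CL_TYPE_IGNORED"
    return result

RULES = [parse_ftm(line) for line in FTM_LINES]

# Constructed leading bytes, not taken from real files.
SAMPLES = {
    "id3-tagged.mp3": b"ID3\x03\x00\x00\x00\x00\x0f\x76",
    "frame-fffb90.mp3": b"\xff\xfb\x90\x64\x00\x00",
    "frame-fffb92.mp3": b"\xff\xfb\x92\x64\x00\x00",
    "not-audio.bin": b"MZ\x90\x00\x03\x00",
}

if __name__ == "__main__":
    for name, skipped in audit(SAMPLES, RULES).items():
        print(f"{name:18} {'ignored' if skipped else 'not ignored'}")
```

The decision is made on the first three bytes only, and a frame header of `ff fb 92` matches neither rule, so these two lines do not cover every file with an .mp3 extension.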