Re: [clamav-users] ClamAV does not detect viruses in "ar archive" file format

2022-07-11 Thread Schroeffu via clamav-users
Hi Ged & ClamAV Users,


You are right about eicar: the unofficial signatures are detected in the
.ar archive format.
Besides this, unfortunately, real malware code and eicar are not
detected in a .tar.gz (gzip) inside an .ar archive file (as .deb
packages are).


How to reproduce:

- Download my test file
gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb (6MB) (download
here at your own risk!) and run a scan like this:
- wget https://seafile.schroeffu.ch/f/876b201b6d614d66a87e/?dl=1 -O /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb && clamdscan -z /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb (no virus found) *1)
- Unpack & scan the gzip file (data.tar.zst) inside; with the .ar archive
unpacked this way, viruses are found inside .tar.zst (gzip):
- ar x /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb && clamdscan -z /tmp/data.tar.zst (virus will be found) *2)


--> Is this a handling failure on my side, like archive-in-archive
scanning not being configured, or is it worth a bug report?



*1) 

clamdscan -z gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb 
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb: OK


--- SCAN SUMMARY ---
Infected files: 0
Time: 3.508 sec (0 m 3 s)
Start Date: 2022:07:11 10:11:49
End Date: 2022:07:11 10:11:53 

*2) 

clamdscan -z data.tar.zst 
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst: Win.Dropper.Corebot-7599208-0 FOUND
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst: {HEX}EICAR.TEST.UNOFFICIAL FOUND


--- SCAN SUMMARY ---
Infected files: 1
Time: 21.519 sec (0 m 21 s)
Start Date: 2022:07:11 10:11:18
End Date: 2022:07:11 10:11:39

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
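
The manual workaround from the reproduction steps above (unpack the ar container, then scan each member by itself), written out as an added example; it is not part of the original post and not ClamAV code. The function names are hypothetical, the default scanner command adds `--fdpass` to the `clamdscan -z` call shown in the post, and GNU long-name tables are not resolved because names are only used as labels.

```python
import subprocess
import sys
import tempfile
from pathlib import Path

AR_MAGIC = b"!<arch>\n"
HEADER_LEN = 60  # name[16] mtime[12] uid[6] gid[6] mode[8] size[10] end[2]


def iter_ar_members(data: bytes):
    """Yield (name, payload) for each member of a Unix ar archive such as a .deb."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos < len(data):
        header = data[pos:pos + HEADER_LEN]
        if len(header) < HEADER_LEN or header[58:60] != b"`\n":
            raise ValueError(f"bad member header at offset {pos}")
        name = header[:16].decode("ascii", "replace").rstrip()
        if len(name) > 1 and name.endswith("/"):  # GNU ar ends names with "/"
            name = name[:-1]
        size = int(header[48:58].decode("ascii").strip())
        start = pos + HEADER_LEN
        if size < 0 or start + size > len(data):
            raise ValueError(f"member {name!r} has a bad size or is truncated")
        yield name, data[start:start + size]
        pos = start + size + (size & 1)  # payloads are padded to an even offset


def scan_ar_members(path, scanner=("clamdscan", "-z", "--fdpass")):
    """Write each member to a temp dir and scan it on its own.

    Returns [(member name, scanner exit code)]; clamdscan exits 0 for clean,
    1 when a signature matched, 2 on error. --fdpass lets a clamd running as
    another user read the private temp dir (assumes a local clamd socket).
    """
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        members = iter_ar_members(Path(path).read_bytes())
        for index, (name, payload) in enumerate(members):
            # The stored name is untrusted input: use only its basename.
            target = Path(tmp) / f"{index}_{Path(name).name or 'member'}"
            target.write_bytes(payload)
            code = subprocess.run([*scanner, str(target)]).returncode
            results.append((name, code))
    return results


if __name__ == "__main__":
    codes = [code for _, code in scan_ar_members(sys.argv[1])]
    sys.exit(max(codes, default=0))
```

Run against a .deb, the script exits with the highest per-member code, so one flagged member such as data.tar.zst makes the whole package count as infected.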


[clamav-users] ClamAV does not detect viruses in "ar archive" file format

2022-07-08 Thread Schroeffu via clamav-users
Hey clamav users, 


I am trying to scan the "ar archive" format, as .deb packages are. ClamAV
unfortunately does not detect the eicar inside the ar archive.


Am I missing something to configure so clamav scans/unpacks "ar archive"
formats correctly?

##Virus not found
##clam(d)scan does not detect any virus in ar archive file type
root@vmdxyz:/tmp# clamdscan testvirus.deb
/tmp/gimp/gimp2/gimp3/testvirus.deb: OK 

Information:


## ar file type
root@vmdxyz:/tmp# file testvirus.deb 
testvirus.deb: current ar archive 


#ar file list with eicar.txt inside
root@vmdxyz:/tmp# ar t testvirus.deb 
eicar.txt
debian-binary 


#for comparison: .tar.gz eicar inside is detected
root@vmdxyz:/tmp# clamdscan eicar.txt.tar.gz
/tmp/eicar.txt.tar.gz: Eicar-Signature FOUND

Thanks for any help to detect viruses in "ar archive" formats with
clamav :-o :-)


All the best
Schroeffu
