RE: [Clamav-users] RAR module failure even with external unrar

2005-03-22 Thread Rick Cooper


> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Alexander
> Lelyakin
> Sent: Tuesday, March 22, 2005 8:15 AM
> To: clamav-users@lists.clamav.net
> Subject: [Clamav-users] RAR module failure even with external unrar
>
>
> I have just encountered a problem:
> clamscan --unrar
> works well only if archive has extension .rar
> This behavior was found on Debian sarge and on SUSE9.0:
> here follows some example:
>
> $ clamscan --unrar clam-error.rar
> /home/lel/tmp/clam-error.rar: RAR module failure
>
> UNRAR 3.30 freeware  Copyright (c) 1993-2004 Eugene Roshal
>
>
> Extracting from /home/lel/tmp/clam-error.rar
>
> Extracting  clam.exe  OK
> All OK
> /tmp/clamav-ff80a84a8d55f11d/clam.exe: ClamAV-Test-File FOUND
> /home/lel/tmp/clam-error.rar: Infected Archive FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 31812
> Scanned directories: 1
> Scanned files: 2
> Infected files: 1
> Data scanned: 0.00 MB
> I/O buffer size: 131072 bytes
> Time: 0.749 sec (0 m 0 s)
>
> Everything OK so far.
> Let's rename file:
> $ mv clam-error.rar 999
>
> What we can get now:
> $ clamscan --unrar 999
> /home/lel/tmp/999: RAR module failure
>
> --- SCAN SUMMARY ---
> Known viruses: 31812
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> I/O buffer size: 131072 bytes
> Time: 0.764 sec (0 m 0 s)
>

Looking through the code in manager.c it would appear that without the
specific .rar extension the external rar command is not called (as a matter
of design). This would exclude self extracting rar files with a .exe
extension as well.

My question is why would clam ever bother to use its internal rar code if
the --rar=/path/unrar is given since it's not very likely a virus author is
going to hunt down and use a nearly extinct version 2.0 archiver in the
first place? Especially since everyone knows that clam cannot handle a 3.+
rar file internally.

Wouldn't it make more sense if the clamav authors strongly recommend using
an external unrar and only use the internal code when there is no external
available... or better yet, just require an external unrar to handle rar
files (by magic string as both rar and exe) and drop the internal unrar code
which is next to useless in today's world?

Rick


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


___
http://lurker.clamav.net/list/clamav-users.html
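
Added example (not part of the original thread and not ClamAV code): the reply above suggests recognising RAR data "by magic string as both rar and exe" instead of by file extension. The sketch below compares the two checks on constructed sample files; the function names, the 1 MiB scan limit and the sample bytes are assumptions made for illustration.

```python
import os
import tempfile

# Marker blocks: RAR 1.5-4.x, then RAR 5
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
SFX_SCAN_LIMIT = 1 << 20  # assumption: an SFX stub is smaller than 1 MiB


def by_extension(path):
    """Extension-only check, the behaviour reported in the thread."""
    return "rar" if path.lower().endswith(".rar") else "not-rar"


def by_magic(path, limit=SFX_SCAN_LIMIT):
    """Classify by content: 'rar', 'rar-sfx' (MZ stub + RAR data) or 'not-rar'."""
    with open(path, "rb") as fh:
        head = fh.read(limit)
    if head.startswith(RAR_MAGICS):
        return "rar"
    # Heuristic: an MZ executable that carries a RAR marker further in
    if head.startswith(b"MZ") and any(m in head for m in RAR_MAGICS):
        return "rar-sfx"
    return "not-rar"


def demo():
    """Write constructed sample files and return (extension, magic) verdicts."""
    archive = RAR_MAGICS[0] + b"\x00" * 32             # constructed: marker only
    samples = {
        "clam-error.rar": archive,
        "999": archive,                                # same data, renamed
        "setup.exe": b"MZ" + b"\x90" * 200 + archive,  # constructed SFX layout
        "notes.rar": b"plain text, wrong extension\n",
        "tool.exe": b"MZ" + b"\x90" * 200,             # ordinary executable
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = (by_extension(path), by_magic(path))
    return results


if __name__ == "__main__":
    for name, (ext, magic) in demo().items():
        print(f"{name:16} extension={ext:8} magic={magic}")
```

A wrapper could hand anything classified as "rar" or "rar-sfx" to the external unrar regardless of its name, so a renamed archive such as 999 is still unpacked and scanned.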


[Clamav-users] RAR module failure even with external unrar

2005-03-22 Thread Alexander Lelyakin

I have just encountered a problem:
clamscan --unrar
works well only if archive has extension .rar
This behavior was found on Debian sarge and on SUSE9.0:
here follows some example:

$ clamscan --unrar clam-error.rar
/home/lel/tmp/clam-error.rar: RAR module failure

UNRAR 3.30 freeware  Copyright (c) 1993-2004 Eugene Roshal


Extracting from /home/lel/tmp/clam-error.rar

Extracting  clam.exe  OK
All OK
/tmp/clamav-ff80a84a8d55f11d/clam.exe: ClamAV-Test-File FOUND
/home/lel/tmp/clam-error.rar: Infected Archive FOUND

--- SCAN SUMMARY ---
Known viruses: 31812
Scanned directories: 1
Scanned files: 2
Infected files: 1
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 0.749 sec (0 m 0 s)

Everything OK so far.
Let's rename file:
$ mv clam-error.rar 999

What we can get now:
$ clamscan --unrar 999
/home/lel/tmp/999: RAR module failure

--- SCAN SUMMARY ---
Known viruses: 31812
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 0.764 sec (0 m 0 s)
