[clamav-users] 0.98-exp / LibClamAV Warning

2013-12-23 Thread gin(e)
Hi, I am new here. My email refers to this thread:
http://lurker.clamav.net/message/20130929.101600.e8530842.en.html

I get a warning message similar to Jamen McGranahan's on every scan that
cron runs. And I'd like to understand what's happening.

$ clamscan juzni_kriz.swf swf_log
--- SCAN SUMMARY ---
Known viruses: 3034997
Engine version: 0.98-exp
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.68 MB
Data read: 0.68 MB (ratio 1.01:1)
Time: 24.583 sec (0 m 24 s)
LibClamAV Warning: SWF: Invalid tag length.
juzni_kriz.swf: OK

$ file juzni_kriz.swf
juzni_kriz.swf: Macromedia Flash data, version 6

If it's needed, I can upload that file (tell me where).
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml


Re: [clamav-users] 0.98-exp / LibClamAV Warning

2013-12-23 Thread David Raynor
On Mon, Dec 23, 2013 at 9:08 AM, gin(e) g...@riseup.net wrote:

> Hi, I am new here. My email refers to this thread:
> http://lurker.clamav.net/message/20130929.101600.e8530842.en.html
>
> I get a warning message similar to Jamen McGranahan's on every scan that
> cron runs. And I'd like to understand what's happening.
>
> $ clamscan juzni_kriz.swf swf_log
> --- SCAN SUMMARY ---
> Known viruses: 3034997
> Engine version: 0.98-exp
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.68 MB
> Data read: 0.68 MB (ratio 1.01:1)
> Time: 24.583 sec (0 m 24 s)
> LibClamAV Warning: SWF: Invalid tag length.
> juzni_kriz.swf: OK
>
> $ file juzni_kriz.swf
> juzni_kriz.swf: Macromedia Flash data, version 6
>
> If it's needed, I can upload that file (tell me where).


ClamAV is scanning the Flash file and is finding a tag that has a length
that is too long for the file. This would most commonly occur if the file is
truncated.

Dave R.

-- 
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com


Re: [clamav-users] 0.98-exp / LibClamAV Warning

2013-12-23 Thread gin(e)
On 12/23/2013 04:55 PM, David Raynor wrote:
> ClamAV is scanning the Flash file and is finding a tag that has a length
> that is too long for the file. This would most commonly occur if the file is
> truncated.

Yes, it's written here too:
http://lurker.clamav.net/message/20131002.164725.9f59324b.en.html

But why doesn't the file program say that? I have pasted the output for
that reason.

Is it possible that a truncated swf works?



Re: [clamav-users] 0.98-exp / LibClamAV Warning

2013-12-23 Thread David Raynor
On Mon, Dec 23, 2013 at 11:23 AM, gin(e) g...@riseup.net wrote:

> On 12/23/2013 04:55 PM, David Raynor wrote:
> > ClamAV is scanning the Flash file and is finding a tag that has a length
> > that is too long for the file. This would most commonly occur if the file is
> > truncated.
>
> Yes, it's written here too:
> http://lurker.clamav.net/message/20131002.164725.9f59324b.en.html
>
> But why doesn't the file program say that? I have pasted the output for
> that reason.
>
> Is it possible that a truncated swf works?



file does type detection, not type validation.

As for possible that it works? Yes, it's possible.

Dave R.

-- 
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com


Re: [clamav-users] 0.98-exp / LibClamAV Warning

2013-12-23 Thread Joel Esler (jesler)


> On Dec 23, 2013, at 11:23, gin(e) g...@riseup.net wrote:
>
> But why doesn't the file program say that? I have pasted the output for
> that reason.

File only looks at certain parts of a file to determine the type of file. For
Flash it only has to look at the first three characters of the file.
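The difference between type detection and type validation discussed in this thread, as an added example that is not part of the original messages and is neither ClamAV's SWF parser nor file's magic rules. `looks_like_swf` stands in for a signature-only check, `walk_swf_tags` follows the tag records of an FWS/CWS file (LZMA-compressed ZWS is not handled) and reports a tag whose length runs past the available data; the function names and the sample bytes are constructed for illustration.

```python
import struct
import zlib

def looks_like_swf(data):
    """Detection only: a signature check on the first three bytes."""
    return data[:3] in (b"FWS", b"CWS")

def walk_swf_tags(data):
    """Validation: walk tag records; return (tags, problem-or-None)."""
    if len(data) < 8 or not looks_like_swf(data):
        return [], "not an FWS/CWS file"
    body = data[8:]
    if data[:3] == b"CWS":  # zlib-compressed after the 8-byte header
        try:
            body = zlib.decompressobj().decompress(body)  # tolerates a cut-off stream
        except zlib.error:
            return [], "corrupt zlib stream"
    if not body:
        return [], "header cut off before frame rectangle"
    nbits = body[0] >> 3                        # RECT: 5-bit field size, then 4 fields
    pos = (5 + 4 * nbits + 7) // 8 + 4          # skip RECT, frame rate, frame count
    tags = []
    while pos + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]
        code, length = code_len >> 6, code_len & 0x3F
        pos += 2
        if length == 0x3F:                      # long header: real length is a UI32
            if pos + 4 > len(body):
                return tags, f"tag {code}: long header cut off"
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        if pos + length > len(body):
            return tags, f"tag {code}: length {length} exceeds remaining {len(body) - pos} bytes"
        tags.append((code, length))
        pos += length
        if code == 0:                           # End tag
            return tags, None
    return tags, "no End tag before end of data"

def build_sample():
    """Constructed sample (not the file from the thread): FWS v6, two tags, End."""
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1)            # empty RECT, 12 fps, 1 frame
    body += struct.pack("<H", (9 << 6) | 3) + b"\xff\xff\xff"  # short tag, 3-byte payload
    body += struct.pack("<HI", (21 << 6) | 0x3F, 64) + bytes(64)  # long tag, 64 bytes
    body += struct.pack("<H", 0)                               # End tag
    return b"FWS\x06" + struct.pack("<I", 8 + len(body)) + body

if __name__ == "__main__":
    for name, blob in (("intact", build_sample()), ("truncated", build_sample()[:-20])):
        print(name, looks_like_swf(blob), walk_swf_tags(blob))
```

Both the intact and the truncated sample pass the signature check; only the tag walk notices that the second one is cut short.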