Re: [clamav-users] ClamXav and Compressed Files

2015-04-18 Thread Jinwon Lee
I have a feeling that that is what ClamXav is la
 On 27/03/2015, at 8:10 pm, Al Varnell alvarn...@mac.com wrote:
 
 
 On Thu, Mar 26, 2015 at 11:17PM, Dennis Peterson wrote:
 
 Forgot to include dmg files are as described when mounted - else they are 
 disk images (cpio). I don't know what the clam product does with unmounted 
 disk images.
 
 dp
 
 That’s correct.  There have been a handful (nine) .dmg hash signatures quite 
 awhile ago and I’ve handled a couple of false positives, but there is no 
 attempt to check the image contents which would almost certainly require 
 mounting.  I believe they are simply scanned as a generic file.
 
 -Al-
 
 On 3/26/15 11:09 PM, Dennis Peterson wrote:
 The dmg files are logical structures. They are comprised of Unix 
 directories and files and clam doesn't need to treat them differently than 
 any other directory tree. if you have support compiled in for zip, RAR, 
 TAR, and several other archiving formats it should decompose them and scan 
 each of the contents. You should be able to explore the log to see what 
 clamXav did while scanning.
 
 dp
 
 On 3/26/15 10:44 PM, Jinwon Lee wrote:
 Hi
 
 I am a new member.
 
 I am a Mac user and so I use ClamXav to scan my files.
 
 My question is:
 
 ‘Does ClamXav scan what’s inside Compressed files like .RAR, .zip…. and 
 Package files like .dmg?’ Because I feel ClamXav takes
 considerably longer to scan the extracted file/s compared to the 
 compressed versions and wonder if it really scans them.
 
 Kind Regards
 Jinwon
 ___
 Help us build a comprehensive ClamAV guide:
 https://github.com/vrtadmin/clamav-faq
 
 http://www.clamav.net/contact.html#ml


Re: [clamav-users] ClamXav and Compressed Files

2015-04-06 Thread Al Varnell
I ran some tests after my last posting to answer just this question, but 
results were mixed so I was waiting for an authoritative answer.  Since we 
haven’t heard yet, I’ll post my results.

First I made my own .dmg with an eicar test file on-board.  Running clamscan 
--debug on the file did not detect any infection nor did it identify the file as 
a DMG:

 LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
 LibClamAV debug: Recognized binary data
 LibClamAV debug: cache_check: ff8fdbcdb89e9474452237677b5f09e9 is negative
 LibClamAV debug: in cli_check_mydoom_log()
 LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
 LibClamAV debug: cli_magic_scandesc: returning 0  at line 2470
 LibClamAV debug: cache_add: ff8fdbcdb89e9474452237677b5f09e9 (level 0)
 /Volumes/Macintosh HD/Users/avarnell/Documents/EicarTest.dmg: OK
 LibClamAV debug: Cleaning up phishcheck
 LibClamAV debug: Freeing phishcheck struct
 LibClamAV debug: Phishcheck cleaned up
 
 --- SCAN SUMMARY ---
 Known viruses: 3778735
 Engine version: 0.98.6
 Scanned directories: 0
 Scanned files: 1
 Infected files: 0
 Data scanned: 7.62 MB
 Data read: 7.55 MB (ratio 1.01:1)
 Time: 7.553 sec (0 m 7 s)

When I mounted the EicarTest.dmg ClamXav Sentry (real-time process using clamd) 
caught it immediately.
===
Next I scanned download.dmg which was known to contain the FkCodec adware.  
It detected the hash value as expected and also matched three ZIP segments and 
the DMG container:

 LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
 LibClamAV debug: Recognized binary data
 LibClamAV debug: cache_check: b4ece10d1e706b87b065523a654d48a7 is negative
 LibClamAV debug: in cli_check_mydoom_log()
 LibClamAV debug: Matched signature for file type ZIP-SFX at 376602
 LibClamAV debug: Matched signature for file type ZIP-SFX at 407295
 LibClamAV debug: Matched signature for file type ZIP-SFX at 563034
 LibClamAV debug: Matched signature for file type DMG container file at 626691
 LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
 LibClamAV debug: Adware.OSX found
 LibClamAV debug: FP SIGNATURE: 
 b4ece10d1e706b87b065523a654d48a7:627203:Adware.OSX
 LibClamAV debug: cli_magic_scandesc: returning 1  at line 2470
 /Users/avarnell/Desktop/•Download/Malware/FkCodec-A/download.dmg: Adware.OSX 
 FOUND
 LibClamAV debug: Cleaning up phishcheck
 LibClamAV debug: Freeing phishcheck struct
 LibClamAV debug: Phishcheck cleaned up
 
 --- SCAN SUMMARY ---
 Known viruses: 3778290
 Engine version: 0.98.6
 Scanned directories: 0
 Scanned files: 1
 Infected files: 1
 Data scanned: 0.60 MB
 Data read: 0.60 MB (ratio 1.01:1)
 Time: 7.419 sec (0 m 7 s)

When I mounted the download.dmg Sentry caught Codec-M 
Installer.app/Contents/MacOS/Installer: Osx.Trojan.Fakecodecs-1 immediately.
=
Last I scanned CleanApp 4.0.8 Mac 中文版.dmg which was known to contain the 
Machook or WireLurker malware.  I also knew that an unofficial hash signature 
was available only to ClamXav users.  It detects the hash value as expected but 
also was able to decompose 13 segments each with several sections.  Apologies 
for the length:

 LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
 LibClamAV debug: Recognized binary data
 LibClamAV debug: cache_check: 819dfe85859c382bfc80a5537b5241c1 is negative
 LibClamAV debug: in cli_check_mydoom_log()
 LibClamAV debug: Matched signature for file type ZIP-SFX at 11333950
 LibClamAV debug: Matched signature for file type ZIP-SFX at 12084165
 LibClamAV debug: Matched signature for file type ZIP-SFX at 12131902
 LibClamAV debug: Matched signature for file type ZIP-SFX at 12196825
 LibClamAV debug: Matched signature for file type ZIP-SFX at 12215589
 LibClamAV debug: Matched signature for file type ZIP-SFX at 12371083
 LibClamAV debug: Matched signature for file type ZIP-SFX at 12383952
 LibClamAV debug: Matched signature for file type ZIP-SFX at 12912356
 LibClamAV debug: Matched signature for file type ZIP-SFX at 12952749
 LibClamAV debug: Matched signature for file type ZIP-SFX at 13016886
 LibClamAV debug: Matched signature for file type ZIP-SFX at 13016948
 LibClamAV debug: Matched signature for file type ZIP-SFX at 13040734
 LibClamAV debug: Matched signature for file type DMG container file at 
 25615107
 LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
 LibClamAV debug: ZIP/ZIP-SFX signature found at 11333950
 LibClamAV debug: in cli_unzip_single
 LibClamAV debug: cli_unzip: lh - 
 ZMDNAME:0:dylib/libiconv.2.dylib:1048064:750135:21d33511:8:0:1
 LibClamAV debug: 
 CDBNAME:CL_TYPE_ZIP:750135:dylib/libiconv.2.dylib:750135:1048064:0:0:567489809:0x0
 LibClamAV debug: cli_unzip: extracted to 
 /var/folders/95/mfq7sh888xl0c_008k8bty_hgv/T//clamav-33964e3ca2809fa9233a7d9c36f0e5b4.tmp
 LibClamAV debug: in cli_magic_scandesc (reclevel: 1/16)
 LibClamAV debug: Recognized Mach-O LE 64-bit file
 LibClamAV debug: cache_check: 94f9882f5db1883e7295b44c440eb44c is 

Re: [clamav-users] ClamXav and Compressed Files

2015-03-30 Thread Joel Esler (jesler)

On Mar 29, 2015, at 7:57 AM, Dennis Peterson 
denni...@inetnw.commailto:denni...@inetnw.com wrote:

On 3/29/15 4:55 AM, TR Shaw wrote:
On Mar 29, 2015, at 1:45 AM, Dennis Peterson 
denni...@inetnw.commailto:denni...@inetnw.com wrote:

On 3/28/15 10:43 PM, Jinwon Lee wrote:
Thanks for that.  I guess ‘Hash Value’ refers to the ClamAV identifying the 
.dmg as a known file that contains virus/es.

Jinwon


That was the case too for password protected zip files. If you can't burst the 
contents you condemn the wrapper.

Not entirely complete as you can tell ClamAV to mark encrypted zip and rar files as 
viruses without having a sig.
Many milters will do the same without invoking clamav, so that's of limited 
value.

A feature is a feature to someone.  Not everyone finds it useful, but for the 
10 people that do, it’s the most important thing to them.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group


Re: [clamav-users] ClamXav and Compressed Files

2015-03-30 Thread Steven Morgan
Al,

Could you please open a ticket at bugzilla.clamav.net and attach your
EicarTest.dmg and also the command used to create it? We'll take a look at
what's going on.

Thanks,
Steve

On Sat, Mar 28, 2015 at 6:21 PM, Al Varnell alvarn...@mac.com wrote:

 I sent this out last night, but it must have been rejected for length or
 something, so I’ll remove the lengthy results of the third test and quotes
 to see if that works.

 -Al-
 ==
 I ran some tests after my last posting to answer just this question, but
 results were mixed so I was waiting for an authoritative answer.  Since we
 haven’t heard yet, I’ll post my results.

 First I made my own .dmg with an eicar test file on-board.  Running
 clamscan --debug on the file did not detect any infection nor did it
 identify the file as a DMG:

  LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
  LibClamAV debug: Recognized binary data
  LibClamAV debug: cache_check: ff8fdbcdb89e9474452237677b5f09e9 is
 negative
  LibClamAV debug: in cli_check_mydoom_log()
  LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
  LibClamAV debug: cli_magic_scandesc: returning 0  at line 2470
  LibClamAV debug: cache_add: ff8fdbcdb89e9474452237677b5f09e9 (level 0)
  /Volumes/Macintosh HD/Users/avarnell/Documents/EicarTest.dmg: OK
  LibClamAV debug: Cleaning up phishcheck
  LibClamAV debug: Freeing phishcheck struct
  LibClamAV debug: Phishcheck cleaned up
 
  --- SCAN SUMMARY ---
  Known viruses: 3778735
  Engine version: 0.98.6
  Scanned directories: 0
  Scanned files: 1
  Infected files: 0
  Data scanned: 7.62 MB
  Data read: 7.55 MB (ratio 1.01:1)
  Time: 7.553 sec (0 m 7 s)

 When I mounted the EicarTest.dmg ClamXav Sentry (real-time process using
 clamd) caught it immediately.
 ===
 Next I scanned download.dmg which was known to contain the FkCodec
 adware.  It detected the hash value as expected and also matched three ZIP
 segments and the DMG container:

  LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
  LibClamAV debug: Recognized binary data
  LibClamAV debug: cache_check: b4ece10d1e706b87b065523a654d48a7 is
 negative
  LibClamAV debug: in cli_check_mydoom_log()
  LibClamAV debug: Matched signature for file type ZIP-SFX at 376602
  LibClamAV debug: Matched signature for file type ZIP-SFX at 407295
  LibClamAV debug: Matched signature for file type ZIP-SFX at 563034
  LibClamAV debug: Matched signature for file type DMG container file at
 626691
  LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
  LibClamAV debug: Adware.OSX found
  LibClamAV debug: FP SIGNATURE:
 b4ece10d1e706b87b065523a654d48a7:627203:Adware.OSX
  LibClamAV debug: cli_magic_scandesc: returning 1  at line 2470
  /Users/avarnell/Desktop/•Download/Malware/FkCodec-A/download.dmg:
 Adware.OSX FOUND
  LibClamAV debug: Cleaning up phishcheck
  LibClamAV debug: Freeing phishcheck struct
  LibClamAV debug: Phishcheck cleaned up
 
  --- SCAN SUMMARY ---
  Known viruses: 3778290
  Engine version: 0.98.6
  Scanned directories: 0
  Scanned files: 1
  Infected files: 1
  Data scanned: 0.60 MB
  Data read: 0.60 MB (ratio 1.01:1)
  Time: 7.419 sec (0 m 7 s)

 When I mounted the download.dmg Sentry caught Codec-M
 Installer.app/Contents/MacOS/Installer: Osx.Trojan.Fakecodecs-1 immediately.
 =
 Last I scanned CleanApp 4.0.8 Mac 中文版.dmg which was known to contain the
 Machook or WireLurker malware.  I also knew that an unofficial hash
 signature was available only to ClamXav users.  It detects the hash value
 as expected but also was able to decompose 13 segments each with several
 sections.

  results available on request.

 When mounting CleanApp 4.0.8 Mac 中文版.dmg Sentry located:
 /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/MacOS/CleanApp:
 OSX.MacHook/WireLurker.UNOFFICIAL FOUND
 /Volumes/CleanApp 4.0.8 Mac
 中文版/CleanApp.app/Contents/Resources/FontMap1.cfg:
 OSX.MacHook/WireLurker.A.UNOFFICIAL FOUND
 /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/Resources/start.sh:
 OSX.MacHook/WireLurker.UNOFFICIAL FOUND
 ==
 So three somewhat different results for the three .dmg files leads me to
 believe that bursting is possible, but no evidence of being able to detect
 infected files within a .dmg container.

 -Al-


Re: [clamav-users] ClamXav and Compressed Files

2015-03-29 Thread G.W. Haywood

Hi there,

On Sun, 29 Mar 2015, Dennis Peterson wrote:


... I meant dd, not cpio. But that won't work either ...


Does kpartx help?  I use it for mounting bits of assorted disc images,
mostly when I'm playing around with Windows VMs.

--

73,
Ged.


Re: [clamav-users] ClamXav and Compressed Files

2015-03-29 Thread Dennis Peterson

On 3/29/15 4:55 AM, TR Shaw wrote:

On Mar 29, 2015, at 1:45 AM, Dennis Peterson denni...@inetnw.com wrote:


On 3/28/15 10:43 PM, Jinwon Lee wrote:

Thanks for that.  I guess ‘Hash Value’ refers to the ClamAV identifying the 
.dmg as a known file that contains virus/es.

Jinwon



That was the case too for password protected zip files. If you can't burst the 
contents you condemn the wrapper.


Not entirely complete as you can tell ClamAV to mark encrypted zip and rar files as viruses 
without having a sig.

Many milters will do the same without invoking clamav, so that's of limited 
value.

dp


Re: [clamav-users] ClamXav and Compressed Files

2015-03-29 Thread TR Shaw

On Mar 29, 2015, at 1:45 AM, Dennis Peterson denni...@inetnw.com wrote:

 On 3/28/15 10:43 PM, Jinwon Lee wrote:
 Thanks for that.  I guess ‘Hash Value’ refers to the ClamAV identifying the 
 .dmg as a known file that contains virus/es.
 
 Jinwon
 
 
 That was the case too for password protected zip files. If you can't burst 
 the contents you condemn the wrapper.
 

Not entirely complete as you can tell ClamAV to mark encrypted zip and rar files as 
viruses without having a sig.



Re: [clamav-users] ClamXav and Compressed Files

2015-03-29 Thread TR Shaw

On Mar 29, 2015, at 12:24 PM, G.W. Haywood cla...@jubileegroup.co.uk wrote:

 Hi there,
 
 On Sun, 29 Mar 2015, Dennis Peterson wrote:
 
 ... I meant dd, not cpio. But that won't work either ...
 
 Does kpartx help?  I use it for mounting bits of assorted disc images,
 mostly when I'm playing around with Windows VMs.
 

or http://vu1tur.eu.org/tools/ dmg2iso





Re: [clamav-users] ClamXav and Compressed Files

2015-03-29 Thread Dennis Peterson

On 3/29/15 12:08 AM, Al Varnell wrote:

On Sat, Mar 28, 2015 at 09:50 PM, Dennis Peterson wrote:

It should be possible to use cpio to extract the contents to a stream and feed 
that into the ClamAV engine

OS X does include cpio but I have been unsuccessful in getting it to do anything with a .dmg.  
cpio -h tells me it’s “bsdcpio 2.8.3 -- libarchive 2.8.3”, but I also see evidence that 
it’s already included from clamav-0.98.6 source’s libclamav directory.  I suspect that means 
it’s what is used to extract tar, pax, cpio, zip, jar, ar, and ISO 9660 cdrom 
images (from the man).

I think we’re going to have to wait for somebody to tell us exactly how “Dmg 
scanning” was added.


-Al-
That's because I'm an idiot. I meant dd, not cpio. But that won't work either 
because clamscan can't read raw partitions. Or if it does I haven't figured it 
out. This was also hashed out last year at 
http://lurker.clamav.net/message/20140210.230519.1b53a3a9.en.html


dp


Re: [clamav-users] ClamXav and Compressed Files

2015-03-29 Thread Al Varnell

On Sat, Mar 28, 2015 at 09:50 PM, Dennis Peterson wrote:
 
 It should be possible to use cpio to extract the contents to a stream and 
 feed that into the ClamAV engine

OS X does include cpio but I have been unsuccessful in getting it to do 
anything with a .dmg.  cpio -h tells me it’s “bsdcpio 2.8.3 -- libarchive 
2.8.3”, but I also see evidence that it’s already included from clamav-0.98.6 
source’s libclamav directory.  I suspect that means it’s what is used to 
extract tar, pax, cpio, zip, jar, ar, and ISO 9660 cdrom images (from the 
man).

I think we’re going to have to wait for somebody to tell us exactly how “Dmg 
scanning” was added.


-Al-
-- 
Al Varnell
Mountain View, CA






Re: [clamav-users] ClamXav and Compressed Files

2015-03-28 Thread Jinwon Lee
Thanks for the responses. I am not a computer expert so I might not fully 
understand
all that has been discussed but it sounds like ClamXav extracts(decompose?) 
archive files like zip, RAR and then scan.  But with .dmg
file it is uncertain that it does the same thing. 

It sounds like ClamXav is not ‘complete’ yet.

What I always do is scan the files as they are first, and to be extra safe, 
decompress or mount and then rescan them.

But I still do not understand why ‘the second scans’ usually take longer(feels 
like to me).  Still not sure if ClamXav ‘really’ scan compressed files.  I just 
test scanned a zip file and had a look at the scan log.  And it says it scanned 
1 file!!??

Regards
Jinwon

2015-03-29 01:32:28 +
Items to be scanned:

/Users/a/Desktop/gallery.zip


/Users/a/Desktop/gallery.zip: OK
--- SCAN SUMMARY ---
Known viruses: 3779286
Engine version: 0.98.6
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 20.64 MB
Data read: 9.91 MB (ratio 2.08:1)
Time: 20.792 sec (0 m 20 s)




 On 29/03/2015, at 11:21 am, Al Varnell alvarn...@mac.com wrote:
 
 I sent this out last night, but it must have been rejected for length or 
 something, so I’ll remove the lengthy results of the third test and quotes to 
 see if that works.
 
 -Al-
 ==
 I ran some tests after my last posting to answer just this question, but 
 results were mixed so I was waiting for an authoritative answer.  Since we 
 haven’t heard yet, I’ll post my results.
 
 First I made my own .dmg with an eicar test file on-board.  Running clamscan 
 --debug on the file did not detect any infection nor did it identify the file 
 as a DMG:
 
 LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
 LibClamAV debug: Recognized binary data
 LibClamAV debug: cache_check: ff8fdbcdb89e9474452237677b5f09e9 is negative
 LibClamAV debug: in cli_check_mydoom_log()
 LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
 LibClamAV debug: cli_magic_scandesc: returning 0  at line 2470
 LibClamAV debug: cache_add: ff8fdbcdb89e9474452237677b5f09e9 (level 0)
 /Volumes/Macintosh HD/Users/avarnell/Documents/EicarTest.dmg: OK
 LibClamAV debug: Cleaning up phishcheck
 LibClamAV debug: Freeing phishcheck struct
 LibClamAV debug: Phishcheck cleaned up
 
 --- SCAN SUMMARY ---
 Known viruses: 3778735
 Engine version: 0.98.6
 Scanned directories: 0
 Scanned files: 1
 Infected files: 0
 Data scanned: 7.62 MB
 Data read: 7.55 MB (ratio 1.01:1)
 Time: 7.553 sec (0 m 7 s)
 
 When I mounted the EicarTest.dmg ClamXav Sentry (real-time process using 
 clamd) caught it immediately.
 ===
 Next I scanned download.dmg which was known to contain the FkCodec adware.  
 It detected the hash value as expected and also matched three ZIP segments 
 and the DMG container:
 
 LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
 LibClamAV debug: Recognized binary data
 LibClamAV debug: cache_check: b4ece10d1e706b87b065523a654d48a7 is negative
 LibClamAV debug: in cli_check_mydoom_log()
 LibClamAV debug: Matched signature for file type ZIP-SFX at 376602
 LibClamAV debug: Matched signature for file type ZIP-SFX at 407295
 LibClamAV debug: Matched signature for file type ZIP-SFX at 563034
 LibClamAV debug: Matched signature for file type DMG container file at 626691
 LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
 LibClamAV debug: Adware.OSX found
 LibClamAV debug: FP SIGNATURE: 
 b4ece10d1e706b87b065523a654d48a7:627203:Adware.OSX
 LibClamAV debug: cli_magic_scandesc: returning 1  at line 2470
 /Users/avarnell/Desktop/•Download/Malware/FkCodec-A/download.dmg: Adware.OSX 
 FOUND
 LibClamAV debug: Cleaning up phishcheck
 LibClamAV debug: Freeing phishcheck struct
 LibClamAV debug: Phishcheck cleaned up
 
 --- SCAN SUMMARY ---
 Known viruses: 3778290
 Engine version: 0.98.6
 Scanned directories: 0
 Scanned files: 1
 Infected files: 1
 Data scanned: 0.60 MB
 Data read: 0.60 MB (ratio 1.01:1)
 Time: 7.419 sec (0 m 7 s)
 
 When I mounted the download.dmg Sentry caught Codec-M 
 Installer.app/Contents/MacOS/Installer: Osx.Trojan.Fakecodecs-1 immediately.
 =
 Last I scanned CleanApp 4.0.8 Mac 中文版.dmg which was known to contain the 
 Machook or WireLurker malware.  I also knew that an unofficial hash signature 
 was available only to ClamXav users.  It detects the hash value as expected 
 but also was able to decompose 13 segments each with several sections.
 
 results available on request.
 
 When mounting CleanApp 4.0.8 Mac 中文版.dmg Sentry located:
 /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/MacOS/CleanApp: 
 OSX.MacHook/WireLurker.UNOFFICIAL FOUND
 /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/Resources/FontMap1.cfg: 
 OSX.MacHook/WireLurker.A.UNOFFICIAL FOUND
 /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/Resources/start.sh: 
 OSX.MacHook/WireLurker.UNOFFICIAL FOUND
 ==
 So three somewhat different results for the three .dmg files 

Re: [clamav-users] ClamXav and Compressed Files

2015-03-28 Thread Al Varnell

On Sat, Mar 28, 2015 at 06:35 PM, Jinwon Lee wrote:
 
 Thanks for the responses. I am not a computer expert so I might not fully 
 understand
 all that has been discussed but it sounds like ClamXav extracts(decompose?) 
 archive files like zip, RAR and then scan.  But with .dmg
 file it is uncertain that it does the same thing. 
 
 It sounds like ClamXav is not ‘complete’ yet.

Again, we are discussing the ClamAV® scan engine here which is used by ClamXav 
but is not the same thing.  ClamXav is just the user interface that allows you 
to use the scan engine on your computer.

Perhaps I wasn’t clear on the results of my testing, but they indicate that the 
scan engine will not look at the contents of a .dmg file until you mount it on 
your desktop.  It’s not so much that it’s incomplete, but I would have to guess 
that it’s not possible to do so.  The scan may identify the .dmg file itself as 
one known to contain malware, depending on whether or not a sample was 
previously received and a signature prepared for it.


-Al-
-- 
Al Varnell
Mountain View, CA







Re: [clamav-users] ClamXav and Compressed Files

2015-03-28 Thread Al Varnell
I sent this out last night, but it must have been rejected for length or 
something, so I’ll remove the lengthy results of the third test and quotes to 
see if that works.

-Al-
==
I ran some tests after my last posting to answer just this question, but 
results were mixed so I was waiting for an authoritative answer.  Since we 
haven’t heard yet, I’ll post my results.

First I made my own .dmg with an eicar test file on-board.  Running clamscan 
--debug on the file did not detect any infection nor did it identify the file as 
a DMG:

 LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
 LibClamAV debug: Recognized binary data
 LibClamAV debug: cache_check: ff8fdbcdb89e9474452237677b5f09e9 is negative
 LibClamAV debug: in cli_check_mydoom_log()
 LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
 LibClamAV debug: cli_magic_scandesc: returning 0  at line 2470
 LibClamAV debug: cache_add: ff8fdbcdb89e9474452237677b5f09e9 (level 0)
 /Volumes/Macintosh HD/Users/avarnell/Documents/EicarTest.dmg: OK
 LibClamAV debug: Cleaning up phishcheck
 LibClamAV debug: Freeing phishcheck struct
 LibClamAV debug: Phishcheck cleaned up
 
 --- SCAN SUMMARY ---
 Known viruses: 3778735
 Engine version: 0.98.6
 Scanned directories: 0
 Scanned files: 1
 Infected files: 0
 Data scanned: 7.62 MB
 Data read: 7.55 MB (ratio 1.01:1)
 Time: 7.553 sec (0 m 7 s)

When I mounted the EicarTest.dmg ClamXav Sentry (real-time process using clamd) 
caught it immediately.
===
Next I scanned download.dmg which was known to contain the FkCodec adware.  
It detected the hash value as expected and also matched three ZIP segments and 
the DMG container:

 LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
 LibClamAV debug: Recognized binary data
 LibClamAV debug: cache_check: b4ece10d1e706b87b065523a654d48a7 is negative
 LibClamAV debug: in cli_check_mydoom_log()
 LibClamAV debug: Matched signature for file type ZIP-SFX at 376602
 LibClamAV debug: Matched signature for file type ZIP-SFX at 407295
 LibClamAV debug: Matched signature for file type ZIP-SFX at 563034
 LibClamAV debug: Matched signature for file type DMG container file at 626691
 LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
 LibClamAV debug: Adware.OSX found
 LibClamAV debug: FP SIGNATURE: 
 b4ece10d1e706b87b065523a654d48a7:627203:Adware.OSX
 LibClamAV debug: cli_magic_scandesc: returning 1  at line 2470
 /Users/avarnell/Desktop/•Download/Malware/FkCodec-A/download.dmg: Adware.OSX 
 FOUND
 LibClamAV debug: Cleaning up phishcheck
 LibClamAV debug: Freeing phishcheck struct
 LibClamAV debug: Phishcheck cleaned up
 
 --- SCAN SUMMARY ---
 Known viruses: 3778290
 Engine version: 0.98.6
 Scanned directories: 0
 Scanned files: 1
 Infected files: 1
 Data scanned: 0.60 MB
 Data read: 0.60 MB (ratio 1.01:1)
 Time: 7.419 sec (0 m 7 s)

When I mounted the download.dmg Sentry caught Codec-M 
Installer.app/Contents/MacOS/Installer: Osx.Trojan.Fakecodecs-1 immediately.
=
Last I scanned CleanApp 4.0.8 Mac 中文版.dmg which was known to contain the 
Machook or WireLurker malware.  I also knew that an unofficial hash signature 
was available only to ClamXav users.  It detects the hash value as expected but 
also was able to decompose 13 segments each with several sections.

 results available on request.

When mounting CleanApp 4.0.8 Mac 中文版.dmg Sentry located:
/Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/MacOS/CleanApp: 
OSX.MacHook/WireLurker.UNOFFICIAL FOUND
/Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/Resources/FontMap1.cfg: 
OSX.MacHook/WireLurker.A.UNOFFICIAL FOUND
/Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/Resources/start.sh: 
OSX.MacHook/WireLurker.UNOFFICIAL FOUND
==
So three somewhat different results for the three .dmg files leads me to 
believe that bursting is possible, but no evidence of being able to detect 
infected files within a .dmg container.

-Al-
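A small triage helper, added here as an example and not part of the thread or of ClamAV itself, that reads clamscan output like the logs above and Jinwon's gallery.zip summary and reports whether the engine actually opened the container. It assumes the 0.98-era line formats shown in the thread; the embedded sample logs are trimmed copies of the ones quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Sample clamscan output, constructed for this example from the lines quoted
# in the thread (trimmed; debug chatter and one non-ASCII path character dropped).
EICAR_DMG_LOG = """\
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
/Volumes/Macintosh HD/Users/avarnell/Documents/EicarTest.dmg: OK
--- SCAN SUMMARY ---
Scanned files: 1
Data scanned: 7.62 MB
Data read: 7.55 MB (ratio 1.01:1)
"""

FKCODEC_DMG_LOG = """\
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Matched signature for file type ZIP-SFX at 376602
LibClamAV debug: Matched signature for file type ZIP-SFX at 407295
LibClamAV debug: Matched signature for file type ZIP-SFX at 563034
LibClamAV debug: Matched signature for file type DMG container file at 626691
/Users/avarnell/Desktop/Download/Malware/FkCodec-A/download.dmg: Adware.OSX FOUND
--- SCAN SUMMARY ---
Scanned files: 1
Data scanned: 0.60 MB
Data read: 0.60 MB (ratio 1.01:1)
"""

GALLERY_ZIP_LOG = """\
/Users/a/Desktop/gallery.zip: OK
--- SCAN SUMMARY ---
Scanned files: 1
Data scanned: 20.64 MB
Data read: 9.91 MB (ratio 2.08:1)
"""

TYPE_RE = re.compile(r"Matched signature for file type (?P<ftype>.+?) at (?P<off>\d+)$")
RECLEVEL_RE = re.compile(r"cli_magic_scandesc \(reclevel: (?P<lvl>\d+)/\d+\)")
VERDICT_RE = re.compile(r"^(?P<path>.+?): (?P<verdict>OK|.+ FOUND)$")
RATIO_RE = re.compile(r"\(ratio (?P<r>[\d.]+):1\)")


@dataclass
class ScanReport:
    verdicts: Dict[str, str] = field(default_factory=dict)  # path -> "OK" / "<name> FOUND"
    embedded_types: List[Tuple[str, int]] = field(default_factory=list)  # (type, offset)
    max_reclevel: int = 0  # deepest container recursion level seen
    summary: Dict[str, str] = field(default_factory=dict)  # SCAN SUMMARY key -> value


def parse_clamscan_output(text: str) -> ScanReport:
    """Parse clamscan (optionally --debug) output into a ScanReport."""
    rep = ScanReport()
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "--- SCAN SUMMARY ---":
            in_summary = True
        elif in_summary:
            key, _, val = line.partition(": ")
            rep.summary[key] = val
        elif line.startswith("LibClamAV debug:"):
            m = TYPE_RE.search(line)
            if m:
                rep.embedded_types.append((m.group("ftype"), int(m.group("off"))))
            m = RECLEVEL_RE.search(line)
            if m:
                rep.max_reclevel = max(rep.max_reclevel, int(m.group("lvl")))
        else:
            m = VERDICT_RE.match(line)
            if m:
                rep.verdicts[m.group("path")] = m.group("verdict")
    return rep


def assess(rep: ScanReport) -> dict:
    """Heuristic reading of one scan: did the engine look inside the container?"""
    m = RATIO_RE.search(rep.summary.get("Data read", ""))
    ratio = float(m.group("r")) if m else 1.0
    # "Scanned files" counts top-level objects, so it stays 1 for an archive even
    # when every member was unpacked.  More data scanned than read (ratio well
    # above 1:1) or a recursion level above 0 shows the contents were inspected.
    # Caveat: archives of already-compressed members can sit near 1:1 regardless.
    inspected = ratio > 1.05 or rep.max_reclevel > 0
    detections = [v for v in rep.verdicts.values() if v.endswith("FOUND")]
    # Heuristics.* verdicts (e.g. the encrypted-archive alert the thread mentions)
    # condemn the wrapper by policy rather than match a signature inside it.
    heuristic_only = bool(detections) and all(v.startswith("Heuristics.") for v in detections)
    return {
        "top_level_files": int(rep.summary.get("Scanned files", "0")),
        "expansion_ratio": ratio,
        "max_reclevel": rep.max_reclevel,
        "container_types": sorted({t for t, _ in rep.embedded_types}),
        "contents_inspected": inspected,
        "heuristic_only": heuristic_only,
    }
```

Run `assess(parse_clamscan_output(log))` on each sample: gallery.zip shows 1 scanned file but a 2.08:1 ratio, i.e. the members were unpacked; EicarTest.dmg shows no container type and no expansion, matching Al's finding that the image was treated as an opaque binary.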

Re: [clamav-users] ClamXav and Compressed Files

2015-03-28 Thread Dennis Peterson

On 3/28/15 6:48 PM, Al Varnell wrote:

On Sat, Mar 28, 2015 at 06:35 PM, Jinwon Lee wrote:

Thanks for the responses. I am not a computer expert so I might not fully 
understand
all that has been discussed but it sounds like ClamXav extracts(decompose?) 
archive files like zip, RAR and then scan.  But with .dmg
file it is uncertain that it does the same thing.

It sounds like ClamXav is not ‘complete’ yet.

Again, we are discussing the ClamAV® scan engine here which is used by ClamXav 
but is not the same thing.  ClamXav is just the user interface that allows you 
to use the scan engine on your computer.

Perhaps I wasn’t clear on the results of my testing, but they indicate that the 
scan engine will not look at the contents of a .dmg file until you mount it on 
your desktop.  It’s not so much that it’s incomplete, but I would have to guess 
that it’s not possible to do so.  The scan may identify the .dmg file itself as 
one known to contain malware, depending on whether or not a sample was 
previously received and a signature prepared for it.


-Al-
It should be possible to use cpio to extract the contents to a stream and feed 
that into the ClamAV engine but the Windows people may be challenged to 
replicate it without a posix tool kit.


For the wider audience: Remember that ClamAV is a cross-platform tool and it is 
not likely that all platforms will have essential tools to burst a file system 
image from another system.  That said, cpio is a UNIX primitive and I can't 
recall ever seeing a UNIX/derivative OS that didn't have it, and worked on 
first-gen UNIX well over thirty years ago. Nor have I ever seen a Windows system 
where it was an included utility. And that is why it is important to know what 
is compiled into some of these cross-platform utilities we all depend on.


dp


Re: [clamav-users] ClamXav and Compressed Files

2015-03-28 Thread Jinwon Lee
Yes.  It makes sense.

 On 29/03/2015, at 6:45 pm, Dennis Peterson denni...@inetnw.com wrote:
 
 On 3/28/15 10:43 PM, Jinwon Lee wrote:
 Thanks for that.  I guess ‘Hash Value’ refers to the ClamAV identifying the 
 .dmg as a known file that contains virus/es.
 
 Jinwon
 
 
 That was the case too for password protected zip files. If you can't burst 
 the contents you condemn the wrapper.
 
 dp



Re: [clamav-users] ClamXav and Compressed Files

2015-03-28 Thread Dennis Peterson

On 3/28/15 10:43 PM, Jinwon Lee wrote:

Thanks for that.  I guess ‘Hash Value’ refers to the ClamAV identifying the 
.dmg as a known file that contains virus/es.

Jinwon


That was the case too for password protected zip files. If you can't burst the 
contents you condemn the wrapper.


dp


Re: [clamav-users] ClamXav and Compressed Files

2015-03-28 Thread Jinwon Lee
Thanks for that.  I guess ‘Hash Value’ refers to the ClamAV identifying the 
.dmg as a known file that contains virus/es.

Jinwon

 On 29/03/2015, at 2:48 pm, Al Varnell alvarn...@mac.com wrote:
 
 
 On Sat, Mar 28, 2015 at 06:35 PM, Jinwon Lee wrote:
 
 Thanks for the responses. I am not a computer expert so I might not fully 
 understand
 all that has been discussed but it sounds like ClamXav extracts(decompose?) 
 archive files like zip, RAR and then scan.  But with .dmg
 file it is uncertain that it does the same thing. 
 
 It sounds like ClamXav is not ‘complete’ yet.
 
 Again, we are discussing the ClamAV® scan engine here which is used by 
 ClamXav but is not the same thing.  ClamXav is just the user interface that 
 allows you to use the scan engine on your computer.
 
 Perhaps I wasn’t clear on the results of my testing, but they indicate that 
 the scan engine will not look at the contents of a .dmg file until you mount 
 it on your desktop.  It’s not so much that it’s incomplete, but I would have 
 to guess that it’s not possible to do so.  The scan may identify the .dmg 
 file itself as one known to contain malware, depending on whether or not a 
 sample was previously received and a signature prepared for it.
 
 
 -Al-
 -- 
 Al Varnell
 Mountain View, CA
 
 
 
 
 


Re: [clamav-users] ClamXav and Compressed Files

2015-03-27 Thread Dennis Peterson
Forgot to include: dmg files are as described when mounted; else they are disk 
images (cpio). I don't know what the clam product does with unmounted disk images.


dp

On 3/26/15 11:09 PM, Dennis Peterson wrote:
The dmg files are logical structures. They are comprised of Unix directories 
and files and clam doesn't need to treat them differently than any other 
directory tree. If you have support compiled in for zip, RAR, TAR, and several 
other archiving formats it should decompose them and scan each of the 
contents. You should be able to explore the log to see what clamXav did while 
scanning.


dp


Re: [clamav-users] ClamXav and Compressed Files

2015-03-27 Thread Al Varnell

On Thu, Mar 26, 2015 at 11:17PM, Dennis Peterson wrote:
 
 Forgot to include: dmg files are as described when mounted; else they are 
 disk images (cpio). I don't know what the clam product does with unmounted 
 disk images.
 
 dp

That’s correct.  There have been a handful (nine) .dmg hash signatures quite 
a while ago and I’ve handled a couple of false positives, but there is no 
attempt to check the image contents, which would almost certainly require 
mounting.  I believe they are simply scanned as a generic file.

-Al-

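
Two points in this thread are worth seeing side by side: Dennis's rule that "if you can't burst the contents you condemn the wrapper" (password-protected zips), and Al's observation that the engine does not look inside an unmounted .dmg but can still match the file as a whole against a hash signature. The following is an added illustration written for this page, not code from the thread, from ClamXav or from ClamAV itself. It is a small archive-aware scanner using only the Python standard library: archives it can open (zip, tar, nested to a fixed depth) are burst and each member scanned on its own; anything it cannot burst is judged only as a whole. The .hdb line format (MD5:FileSize:MalwareName) is ClamAV's real hash-signature format; the verdict strings, the sample payload, the sample archives and the flag-bit patch that makes a zip entry claim to be encrypted are all constructed for the demo.

```python
"""Added demo scanner (not ClamAV code): burst what you can, judge the rest whole."""
import hashlib
import io
import tarfile
import zipfile

# Constructed sample "malware" payload; the hash signature is derived from it at runtime.
SAMPLE = b"constructed-sample-payload-for-hash-signature-demo\n"

MAX_DEPTH = 4  # stop bursting nested archives beyond this depth (archive bombs)


def make_hdb_signature(data: bytes, name: str) -> str:
    """One line in ClamAV .hdb format: MD5:FileSize:MalwareName."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def load_hdb(lines):
    """Parse .hdb lines into {(md5, size): name}; blank lines and '#' comments skipped."""
    db = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, name = line.split(":", 2)
        db[(md5, int(size))] = name
    return db


def hash_match(data: bytes, db):
    return db.get((hashlib.md5(data).hexdigest(), len(data)))


def open_tar(data: bytes):
    """Return a TarFile if the bytes are a (possibly compressed) tar archive, else None."""
    try:
        return tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError:
        return None


def scan(data: bytes, db, path="<file>", depth=0):
    """Return [(member_path, verdict), ...] for a file and everything inside it.
    Verdict names (HashMatch:<sig>, EncryptedWrapper, MaxRecursion, Clean) are constructed."""
    hit = hash_match(data, db)
    if hit:  # the whole file matches a signature; no need to look inside
        return [(path, f"HashMatch:{hit}")]
    if depth >= MAX_DEPTH:
        return [(path, "MaxRecursion")]
    findings = []
    if data[:4] == b"PK\x03\x04":  # zip local file header: a non-empty zip
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{path}!{info.filename}"
                if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                    findings.append((member, "EncryptedWrapper"))  # cannot burst it
                elif not info.is_dir():
                    findings.extend(scan(zf.read(info), db, member, depth + 1))
        return findings
    tf = open_tar(data)
    if tf is not None:
        with tf:
            for m in tf.getmembers():
                if m.isfile():
                    findings.extend(scan(tf.extractfile(m).read(), db, f"{path}!{m.name}", depth + 1))
        return findings
    # Opaque file (think unmounted .dmg): nothing to burst, the hash check above was all we could do.
    return [(path, "Clean")]


def summarize(findings):
    """Collapse per-member findings into one verdict for the top-level file."""
    verdicts = {v for _, v in findings}
    if any(v.startswith("HashMatch:") for v in verdicts):
        return "Infected"
    if verdicts & {"EncryptedWrapper", "MaxRecursion"}:
        return "Suspicious"  # condemn the wrapper we could not open
    return "Clean"


def zip_bytes(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def tar_bytes(members: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def mark_entry_encrypted(single_entry_zip: bytes) -> bytes:
    """Demo only: set bit 0 of the general-purpose flags in the local and central
    headers, so the (single) entry claims to be encrypted without really being so."""
    buf = bytearray(single_entry_zip)
    buf[buf.find(b"PK\x03\x04") + 6] |= 1  # local file header: flags at offset 6
    buf[buf.find(b"PK\x01\x02") + 8] |= 1  # central directory header: flags at offset 8
    return bytes(buf)


def build_demo():
    """Constructed signature DB plus two sample archives: a tar holding a nested zip, and a 'locked' zip."""
    hdb = load_hdb(["# constructed signature DB", make_hdb_signature(SAMPLE, "Demo.Sample")])
    nested = tar_bytes({"nested.zip": zip_bytes({"sample.bin": SAMPLE, "readme.txt": b"hello"}),
                        "notes.txt": b"benign"})
    locked = mark_entry_encrypted(zip_bytes({"secret.bin": SAMPLE}))
    return hdb, nested, locked


if __name__ == "__main__":
    hdb, nested, locked = build_demo()
    for name, blob in (("archive.tar", nested), ("locked.zip", locked)):
        found = scan(blob, hdb, name)
        print(name, summarize(found), found)
```

Running it shows the two behaviours from the thread: the sample inside nested.zip inside archive.tar is found only because the scanner recursed into both layers, while locked.zip is reported as suspicious at the wrapper level because the encrypted member could not be opened. An unmounted disk image takes the last branch of `scan`: no bursting, only the whole-file hash check, which is why a .dmg is detected only when a signature for that exact file already exists.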

Re: [clamav-users] ClamXav and Compressed Files

2015-03-27 Thread Dennis Peterson
The dmg files are logical structures. They are comprised of Unix directories and 
files and clam doesn't need to treat them differently than any other directory 
tree. If you have support compiled in for zip, RAR, TAR, and several other 
archiving formats it should decompose them and scan each of the contents. 
You should be able to explore the log to see what clamXav did while scanning.


dp

On 3/26/15 10:44 PM, Jinwon Lee wrote:

Hi

I am a new member.

I am a Mac user and so I use ClamXav to scan my files.

My question is:

‘Does ClamXav scan what’s inside Compressed files like .RAR, .zip… and 
Package files like .dmg?’ Because I feel ClamXav takes
considerably longer to scan the extracted file/s compared to the compressed 
versions and wonder if it really scans them.

Kind Regards
Jinwon

Re: [clamav-users] ClamXav and Compressed Files

2015-03-27 Thread Al Varnell
For fastest, most efficient answers to questions such as these, visit the 
ClamXav Forum http://www.clamxav.com/BB/.  This mail-list is for users of the 
ClamAV® scan engine on all platforms.

-Al-

On Thu, Mar 26, 2015 at 10:44PM, Jinwon Lee wrote:
 
 Hi
 
 I am a new member.
 
 I am a Mac user and so I use ClamXav to scan my files.  
 
 My question is: 
 
 ‘Does ClamXav scan what’s inside Compressed files like .RAR, .zip… and 
 Package files like .dmg?’ Because I feel ClamXav takes
 considerably longer to scan the extracted file/s compared to the compressed 
 versions and wonder if it really scans them.
 
 Kind Regards
 Jinwon


Re: [clamav-users] ClamXav and Compressed Files

2015-03-27 Thread Joel Esler (jesler)
Dmg scanning was added a couple of versions back.

--
Joel Esler
Sent from my iPhone

On Mar 27, 2015, at 3:11 AM, Al Varnell alvarn...@mac.com wrote:


On Thu, Mar 26, 2015 at 11:17PM, Dennis Peterson wrote:

Forgot to include: dmg files are as described when mounted; else they are disk 
images (cpio). I don't know what the clam product does with unmounted disk 
images.

dp

That’s correct.  There have been a handful (nine) .dmg hash signatures quite 
a while ago and I’ve handled a couple of false positives, but there is no 
attempt to check the image contents, which would almost certainly require 
mounting.  I believe they are simply scanned as a generic file.

-Al-



[clamav-users] ClamXav and Compressed Files

2015-03-26 Thread Jinwon Lee
Hi

I am a new member.

I am a Mac user and so I use ClamXav to scan my files.  

My question is: 

‘Does ClamXav scan what’s inside Compressed files like .RAR, .zip… and 
Package files like .dmg?’ Because I feel ClamXav takes
considerably longer to scan the extracted file/s compared to the compressed 
versions and wonder if it really scans them.

Kind Regards
Jinwon