Re: [clamav-users] clamsmtpd does not scan rar files
On 04.02.20 23:15, Ntek, SIA Janis wrote:
> I upgraded Debian from 9.7 to 9.11, this meant my Clam version changed from 0.100.2 to 0.101.4
> libclamunrar9 package started to work its magic and rar files are being scanned. Yay!

I guess that the previous version 0.100.2 used libclamunrar7.

How did you install libclamunrar9 while having clamav 0.100.2?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] clamsmtpd does not scan rar files
Debian 9.7 was released on January 23, 2019. You really should apply updates more than once a year. Trouble with UNRAR scanning is probably a small part of the risk associated with non-updated systems (it'd be less bad if you've been applying security updates and not others, but still there's a lot of bug fixes you're leaving on the table even if it's just the non-security changes).

Scott K
Re: [clamav-users] clamsmtpd does not scan rar files
Thank you, everyone!

[Solved]
I upgraded Debian from 9.7 to 9.11, this meant my Clam version changed from 0.100.2 to 0.101.4
libclamunrar9 package started to work its magic and rar files are being scanned. Yay!
Unrar shows that my rar test file is RAR 5, so the latest version and libclamunrar9 unpacked it.
In mail log I get what I wanted: status=VIRUS:Archived_EXE.UNOFFICIAL
Unofficial because I mark every exe in archive as a virus. (as explained previously)
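Added example, not part of the thread: a Python check for the situation resolved above, where a RAR 5 test file was only unpacked after the engine moved from 0.100.2 to 0.101.4. It reads the RAR signature bytes to tell the format version and compares a `clamscan --version` style banner against the 0.101 threshold Ged gives further down the thread; the function names and the sample banners are constructed for illustration.

```python
import re

# RAR container signatures (public file-format constants).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # RAR 1.5 through 4.x
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"  # RAR 5.0 and later

# From the thread: RAR5 unpacking arrived with ClamAV 0.101 (December 2018).
MIN_ENGINE_FOR_RAR5 = (0, 101, 0)


def rar_format(data, search_limit=1 << 20):
    """Return 'rar4', 'rar5' or None for the leading bytes of a file.

    The signature is searched for rather than checked only at offset 0,
    because a self-extracting archive has an executable stub in front of it.
    """
    window = data[:search_limit]
    found = []
    for magic, label in ((RAR5_MAGIC, "rar5"), (RAR4_MAGIC, "rar4")):
        pos = window.find(magic)
        if pos != -1:
            found.append((pos, label))
    return min(found)[1] if found else None


def engine_version(banner):
    """Parse the engine version out of a `clamscan --version` style banner."""
    m = re.match(r"ClamAV (\d+)\.(\d+)(?:\.(\d+))?", banner)
    if m is None:
        raise ValueError("not a ClamAV version banner: %r" % banner)
    return tuple(int(part or 0) for part in m.groups())


def engine_unpacks(data, banner):
    """True/False if the engine can unpack this RAR file, None if not RAR.

    Assumption: formats older than RAR5 are unpacked by every engine version
    seen in the thread as long as the libclamunrar package is installed.
    """
    fmt = rar_format(data)
    if fmt is None:
        return None
    if fmt == "rar5":
        return engine_version(banner) >= MIN_ENGINE_FOR_RAR5
    return True


if __name__ == "__main__":
    # Constructed inputs: a bare signature with padding, not a real archive.
    sample_rar5 = RAR5_MAGIC + b"\x00" * 16
    for banner in ("ClamAV 0.100.2/25714/Tue Feb  4 10:00:00 2020",
                   "ClamAV 0.101.4/25714/Tue Feb  4 10:00:00 2020"):
        print(banner.split("/")[0], "->", engine_unpacks(sample_rar5, banner))
```

A False result means the message would pass through unscanned inside the archive, which is the symptom the original post describes.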
Re: [clamav-users] clamsmtpd does not scan rar files
On Tuesday, February 4, 2020 3:26:42 PM EST Ntek, SIA Janis wrote:
> > libclamunrar9
>
> I already had that, didn't help. I will upgrade Debian 9.7 to 10

It's extremely unlikely to make any difference. They both have clamav 0.101 available and after this weekend's point release they will both have 0.102. If you want, you can enable stretch-proposed-updates (or buster-proposed-updates if you've upgraded in the meantime) and get 0.102 now.

Unlike most packages in Debian we aim to keep stable Debian releases updated with the current clamav release to give our users the best tools for trying to keep up in this never ending arms race.

Scott K
Re: [clamav-users] clamsmtpd does not scan rar files
> libclamunrar9

I already had that, didn't help. I will upgrade Debian 9.7 to 10
Re: [clamav-users] clamsmtpd does not scan rar files
> Do you mean "every archive which contains an executable file"? Please be aware that very many executable files do not have names like '*.exe'

That's what I meant to say. I have a long list with executable file types in archives. For simplicity's sake I mentioned only one.

> As of December 2018 (ClamAV version 101.0) ClamAV supports UNRAR V5, although I see no test files distributed for V5 RAR archives. Perhaps you will need to upgrade to Debian 10 (Buster) to make use of v101.x;

Yes, I also was thinking about it today.

> You may find that those comments were dated around December 2007 (yes, that's over 12 years ago).

Yes that may be the case. Internet's getting old :D
Re: [clamav-users] clamsmtpd does not scan rar files
I had to install libclamunrar9 before my clam mailscanner knew how to deal with rar files.

--
Jon 'Boli' Copeland
Systems Engineer
IT Support
Re: [clamav-users] clamsmtpd does not scan rar files
Hi there,

On Tue, 4 Feb 2020, Ntek, SIA Janis wrote:

> I have Debian 9.7 w/ postfix and ClamAV 0.100.2
> I have made custom definition file /var/lib/clamav/archive_exe.cdb containing:
> Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*
> So that every archive packed with exe would be treated as a virus.

Please explain exactly what you mean by "every archive packed with exe". Do you mean "every archive which contains an executable file"? Please be aware that very many executable files do not have names like '*.exe'

> This works with .zip files and .7zip files but not with .rar files. I installed unrar package and libclamunrar9, restarted daemons and the system but still .rar files containing exe are let through.

Have you scanned the test files which the ClamAV sources provide?

mail6:~/src/net/mail/clamav-devel-dev-0.102/test$ >>> clamdscan ./clam-v3.rar
/home/ged/src/net/mail/clamav-devel-dev-0.102/test/./clam-v3.rar: PUA.Win.Packer.AcprotectUltraprotect-1 FOUND

You might get some help with your signatures from e.g. this one.

Do you see anything apart from executable files compressed with RAR? You might consider simply blocking all .rar files. That's what I do, but then I'm the BOFH.

There are very many other ways of compressing and/or obfuscating executable files, so if you want protection from this route of sneaking past scanners you really need to recognize all of them. Perhaps it would be easier to recognize instead just those things which are _not_ compressed and/or obfuscated.

> I read that at some point unrar code was removed from ClamAV and now it only supports rar versions 1-2 but not 3. How to work around this?

Please check dates on information you read on the Internet. You may find that those comments were dated around December 2007 (yes, that's over 12 years ago). As far as the Debian distribution is concerned, there was a fundamental issue with the licences but I believe that it was essentially resolved by repackaging the software so the libunrar code could be separated.

As of December 2018 (ClamAV version 101.0) ClamAV supports UNRAR V5, although I see no test files distributed for V5 RAR archives. Perhaps you will need to upgrade to Debian 10 (Buster) to make use of v101.x; I use Debian a great deal but not the packaged ClamAV - I always build from source. Amongst other things this avoids noise in the logs about outdated software (which could potentially hide some kinds of problem, a bit like hiding an elephant).

> Someone suggested using --unrar option, but where do I put it? Conf file syntax doesn't seem to support this.

The --unrar option is deprecated, and is ignored by any recent ClamAV. Perhaps the suggestion was in a very old document, or perhaps it was a mistake, and the _configure_ option --enable-unrar was what was meant. This would mean that the discussion was about building ClamAV from source, but as Mr. Kitterman says it is not normally necessary to do that on Debian as the binaries are built with unrar already enabled.

As an aside there is a potential issue with incompatibility with old libraries but I do not think you will come across it - see for example the ClamAV blog for Friday, December 21, 2018: https://blog.clamav.net/2018/

Please take a look at the documentation for more information.

--
73,
Ged.
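Added example, not part of the thread: a small Python regression check for the name-based .cdb signature quoted above, reflecting Ged's point that a file-name pattern covers only the names it spells out. Python's re module stands in for ClamAV's own regex engine and matching is assumed to be an unanchored search, so confirm any result with a real scan; the function names and member names are constructed.

```python
import re

# Field order of a .cdb (container metadata) signature, as given in
# ClamAV's signature documentation; two optional fields (MinFL, MaxFL) may follow.
CDB_FIELDS = ("virus_name", "container_type", "container_size", "filename_regex",
              "size_in_container", "size_real", "is_encrypted", "file_pos",
              "res1", "res2")


def parse_cdb(line):
    """Split one .cdb line into named fields and compile its file-name regex."""
    parts = line.strip().split(":")
    if not 10 <= len(parts) <= 12:
        raise ValueError("expected 10 to 12 fields, got %d" % len(parts))
    sig = dict(zip(CDB_FIELDS, parts[:10]))
    pattern = sig["filename_regex"]
    # Assumption: Python's re approximates the engine's regex dialect.
    sig["filename_regex"] = None if pattern == "*" else re.compile(pattern)
    return sig


def matches(sig, member_name, container_type):
    """Evaluate the two fields this signature constrains: type and name."""
    if sig["container_type"] not in ("*", container_type):
        return False
    rx = sig["filename_regex"]
    # Assumption: the pattern is searched for anywhere in the member name.
    return rx is None or rx.search(member_name) is not None


def coverage(sig, must_flag, must_pass, container_type="CL_TYPE_RAR"):
    """Return (missed, false_hits) for two lists of archive member names."""
    missed = [n for n in must_flag if not matches(sig, n, container_type)]
    false_hits = [n for n in must_pass if matches(sig, n, container_type)]
    return missed, false_hits


# The signature line exactly as posted in the thread.
THREAD_SIG = r"Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*"

# Constructed member names for the check.
MUST_FLAG = ["invoice.exe", "tools/setup.exe", "screensaver.scr", "update.com"]
MUST_PASS = ["report.pdf", "notes.exe.txt"]

if __name__ == "__main__":
    missed, false_hits = coverage(parse_cdb(THREAD_SIG), MUST_FLAG, MUST_PASS)
    print("not flagged but should be:", missed)
    print("flagged but should pass:  ", false_hits)
```

Running the same lists against each line of a longer signature file shows which entries of the executable-type list still lack a rule.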
Re: [clamav-users] clamsmtpd does not scan rar files
On February 4, 2020 1:28:45 AM UTC, "Gary R. Schmidt" wrote:
> On 04/02/2020 11:38, Ntek, SIA Janis wrote:
> > Hello!
> >
> > I have Debian 9.7 w/ postfix and ClamAV 0.100.2 I have made custom definition file /var/lib/clamav/archive_exe.cdb containing:
> > Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*
> > So that every archive packed with exe would be treated as a virus. This works with .zip files and .7zip files but not with .rar files. I installed unrar package and libclamunrar9, restarted daemons and the system but still .rar files containing exe are let through.
> > I read that at some point unrar code was removed from ClamAV and now it only supports rar versions 1-2 but not 3. How to work around this?
> > Someone suggested using --unrar option, but where do I put it? Conf file syntax doesn't seem to support this.
>
> Just build ClamAV from source, with "--enable-unrar" and anything else you need, thus avoiding any reliance on someone else building it with what you want.

That doesn't actually address the OP's question. With libclamunrar9 installed, the Debian package has the same capability as if you build from source. Whatever problem they are having is very unlikely to be related to using our packages.

Scott K
Re: [clamav-users] clamsmtpd does not scan rar files
On 04/02/2020 11:38, Ntek, SIA Janis wrote:
> Hello!
>
> I have Debian 9.7 w/ postfix and ClamAV 0.100.2 I have made custom definition file /var/lib/clamav/archive_exe.cdb containing:
> Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*
> So that every archive packed with exe would be treated as a virus. This works with .zip files and .7zip files but not with .rar files. I installed unrar package and libclamunrar9, restarted daemons and the system but still .rar files containing exe are let through.
> I read that at some point unrar code was removed from ClamAV and now it only supports rar versions 1-2 but not 3. How to work around this?
> Someone suggested using --unrar option, but where do I put it? Conf file syntax doesn't seem to support this.

Just build ClamAV from source, with "--enable-unrar" and anything else you need, thus avoiding any reliance on someone else building it with what you want.

Cheers,
GaryB-)
[clamav-users] clamsmtpd does not scan rar files
Hello!

I have Debian 9.7 w/ postfix and ClamAV 0.100.2 I have made custom definition file /var/lib/clamav/archive_exe.cdb containing:
Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*
So that every archive packed with exe would be treated as a virus. This works with .zip files and .7zip files but not with .rar files. I installed unrar package and libclamunrar9, restarted daemons and the system but still .rar files containing exe are let through.

I read that at some point unrar code was removed from ClamAV and now it only supports rar versions 1-2 but not 3. How to work around this?

Someone suggested using --unrar option, but where do I put it? Conf file syntax doesn't seem to support this.

Thanks
BR, Janis.