Re: [clamav-users] scanning mp3-files with clamscan

2017-07-18 Thread Reindl Harald



On 18.07.2017 at 19:21, Paul Kosinski wrote:

> "...the worst thing that might happen would involve crashing the
> player..."
> 
> No, the worst thing that might happen is that a buffer overflow results
> in code execution in the player's security context. With deliberate
> malicious code added to the MP3 data stream, this could even lead to
> encrypting the user's files for ransom.


and that happened often enough for several file formats like images, if 
some malicious crashes a player you have a problem and multimedia formats 
are *well known* for security relevant bugs


phrases starting with "the worst thing that might happen" are known as 
"the last famous words" and have no place in any security context at all



> On Mon, 17 Jul 2017 23:21:13 -0700
> Al Varnell  wrote:
> 
> > True MP3 files contain sounds that a media player plays. Anything
> > executable can't be handled by the player and the worst thing that
> > might happen would involve crashing the player, if that's even
> > possible.
> > 
> > Most, if not all scanners ignore such files. They take a long time to
> > scan with a high probability of zero results. The only example I can
> > locate that comes close to maliciousness would be one that contacts
> > an Internet site capable of downloading actual malware. Such a site
> > would not last long and the actual malware will likely be found
> > before the download completes.
> > 
> > Feel free to locate or better yet submit a sample of anything else
> > and you stand a chance of convincing someone that it would be worthy
> > of changing the policy.

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] scanning mp3-files with clamscan

2017-07-18 Thread Paul Kosinski
"...the worst thing that might happen would involve crashing the
player..."

No, the worst thing that might happen is that a buffer overflow results
in code execution in the player's security context. With deliberate
malicious code added to the MP3 data stream, this could even lead to
encrypting the user's files for ransom.

This sort of buffer overflow execution flaw has surfaced in other
situations where "mere" passive data has led to security problems due
to buggy processing, and is often being patched in various application
programs.

Of course, executable files (incl. less obvious ones like PDFs) pose a
worse threat, but why single out MP3 among passive data formats? They
are not the only big "passive" files -- TIFs can be really big these
days, and various video formats even bigger (H.264, MPEG-2 etc.). 


On Mon, 17 Jul 2017 23:21:13 -0700
Al Varnell  wrote:

> True MP3 files contain sounds that a media player plays. Anything
> executable can't be handled by the player and the worst thing that
> might happen would involve crashing the player, if that's even
> possible.
> 
> Most, if not all scanners ignore such files. They take a long time to
> scan with a high probability of zero results. The only example I can
> locate that comes close to maliciousness would be one that contacts
> an Internet site capable of downloading actual malware. Such a site
> would not last long and the actual malware will likely be found
> before the download completes.
> 
> Feel free to locate or better yet submit a sample of anything else
> and you stand a chance of convincing someone that it would be worthy
> of changing the policy.
> 
> Sent from Janet's iPad
> 
> -Al-


Re: [clamav-users] scanning mp3-files with clamscan

2017-07-18 Thread Steven Morgan
Paul,

I don't know how an MP3 file would contain malware, other than possible
exploits of MP3 player/processor flaws.

If you want to have MP3 files scanned anyway, it is possible to change the
file type signatures for MP3 so they are not ignored. Also, I don't know of
any signatures for MP3.

Steve

On Mon, Jul 17, 2017 at 11:45 PM, Paul Kosinski 
wrote:

> Are MP3 files ignored because it is impossible that MP3 software ever
> has buffer overflows or other security flaws???
>
> Or is it because MP3 files are compressed (i.e., random-looking) and
> thus may cause false positives? What about all the other compressed or
> encrypted file types which might do the same?
>
> In other words, I don't understand why they all would be ignored.
>
>
> On Mon, 17 Jul 2017 17:22:52 -0400
> Steven Morgan  wrote:
>
> > Rosika,
> >
> > The reason the MP3 file is not scanned is because the file type
> > signatures for MP3 direct that they are ignored. Particularly:
> >
> >  "0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
> >   and
> > "0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
> >
> > These definitions are in the daily.ftm file of the ClamAV virus
> > database.
> >
> > Steve
> >
>
>

Re: [clamav-users] scanning mp3-files with clamscan

2017-07-17 Thread Al Varnell
True MP3 files contain sounds that a media player plays. Anything executable 
can't be handled by the player and the worst thing that might happen would 
involve crashing the player, if that's even possible.

Most, if not all scanners ignore such files. They take a long time to scan with 
a high probability of zero results. The only example I can locate that comes 
close to maliciousness would be one that contacts an Internet site capable of 
downloading actual malware. Such a site would not last long and the actual 
malware will likely be found before the download completes.

Feel free to locate or better yet submit a sample of anything else and you 
stand a chance of convincing someone that it would be worthy of changing the 
policy.

Sent from Janet's iPad

-Al-
-- 
Al Varnell
Mountain View, CA
ClamXAV User

On Jul 17, 2017, at 8:45 PM, Paul Kosinski wrote:
> Are MP3 files ignored because it is impossible that MP3 software ever
> has buffer overflows or other security flaws???
> 
> Or is it because MP3 files are compressed (i.e., random-looking) and
> thus may cause false positives? What about all the other compressed or
> encrypted file types which might do the same?
> 
> In other words, I don't understand why they all would be ignored.
> 
> On Mon, 17 Jul 2017 17:22:52 -0400, Steven Morgan wrote:
>> Rosika,
>> 
>> The reason the MP3 file is not scanned is because the file type
>> signatures for MP3 direct that they are ignored. Particularly:
>> 
>> "0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
>>  and
>> "0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
>> 
>> These definitions are in the daily.ftm file of the ClamAV virus
>> database.
>> 
>> Steve
>>
>> On Sun, Jul 9, 2017 at 10:04 AM, Christian wrote:
>>> Hi,
>>> 
>>> I want to scan an mp3-file (about 60 MB in size).
>>> My command is:
>>> 
>>> clamscan /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3
>>> 
>>> Yet I get the message: "Data scanned: 0.00 MB"
>>> First I thought that the file was too large, so I used a new
>>> command:
>>> 
>>> clamscan --max-filesize=300M --max-scansize=300M /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3
>>> 
>>> But this didn't work either.
>>> In the meantime I think that's due to the nature of the respective
>>> file. The file being mp3.
>>> Could this be the case?
>>> 
>>> I also tried:
>>> 
>>> dd if=/home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3 | clamscan -
>>> 
>>> Output:
>>> 
>>> 126592+1 Datensätze ein
>>> 126592+1 Datensätze aus
>>> 64815503 bytes (65 MB, 62 MiB) copied, 10,9642 s, 5,9 MB/s
>>> stdin: OK
>>> 
>>> --- SCAN SUMMARY ---
>>> Known viruses: 6299938
>>> Engine version: 0.99.2
>>> Scanned directories: 0
>>> Scanned files: 1
>>> Infected files: 0
>>> Data scanned: 0.00 MB
>>> Data read: 61.81 MB (ratio 0.00:1)
>>> Time: 11.596 sec (0 m 11 s)
>>> 
>>> Is there any way of scanning mp3-files with clamscan?
>>> 
>>> Greetings.
>>> Rosika

Re: [clamav-users] scanning mp3-files with clamscan

2017-07-17 Thread Paul Kosinski
Are MP3 files ignored because it is impossible that MP3 software ever
has buffer overflows or other security flaws???

Or is it because MP3 files are compressed (i.e., random-looking) and
thus may cause false positives? What about all the other compressed or
encrypted file types which might do the same?

In other words, I don't understand why they all would be ignored.


On Mon, 17 Jul 2017 17:22:52 -0400
Steven Morgan  wrote:

> Rosika,
> 
> The reason the MP3 file is not scanned is because the file type
> signatures for MP3 direct that they are ignored. Particularly:
> 
>  "0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
>   and
> "0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
> 
> These definitions are in the daily.ftm file of the ClamAV virus
> database.
> 
> Steve
>
> 
> On Sun, Jul 9, 2017 at 10:04 AM, Christian 
> wrote:
> 
> > Hi,
> >
> > I want to scan an mp3-file (about 60 MB in size).
> > My command is:
> >
> > clamscan /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3
> >
> > Yet I get the message: "Data scanned: 0.00 MB"
> > First I thought that the file was too large, so I used a new
> > command:
> >
> > clamscan --max-filesize=300M --max-scansize=300M /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3
> >
> > But this didn't work either.
> > In the meantime I think that's due to the nature of the respective
> > file. The file being mp3.
> > Could this be the case?
> >
> > I also tried:
> >
> > dd if=/home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3 | clamscan -
> >
> > Output:
> >
> > 126592+1 Datensätze ein
> > 126592+1 Datensätze aus
> > 64815503 bytes (65 MB, 62 MiB) copied, 10,9642 s, 5,9 MB/s
> > stdin: OK
> >
> > --- SCAN SUMMARY ---
> > Known viruses: 6299938
> > Engine version: 0.99.2
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 0
> > Data scanned: 0.00 MB
> > Data read: 61.81 MB (ratio 0.00:1)
> > Time: 11.596 sec (0 m 11 s)
> >
> > Is there any way of scanning mp3-files with clamscan?
> >
> > Greetings.
> > Rosika
> >
> >

Re: [clamav-users] scanning mp3-files with clamscan

2017-07-17 Thread Steven Morgan
Rosika,

The reason the MP3 file is not scanned is because the file type signatures
for MP3 direct that they are ignored. Particularly:

 "0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
  and
"0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"

These definitions are in the daily.ftm file of the ClamAV virus database.

Steve

On Sun, Jul 9, 2017 at 10:04 AM, Christian  wrote:

> Hi,
>
> I want to scan an mp3-file (about 60 MB in size).
> My command is:
>
> clamscan /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3
>
> Yet I get the message: "Data scanned: 0.00 MB"
> First I thought that the file was too large, so I used a new command:
>
> clamscan --max-filesize=300M --max-scansize=300M /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3
>
> But this didn't work either.
> In the meantime I think that's due to the nature of the respective file.
> The file being mp3.
> Could this be the case?
>
> I also tried:
>
> dd if=/home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3 | clamscan -
>
> Output:
>
> 126592+1 Datensätze ein
> 126592+1 Datensätze aus
> 64815503 bytes (65 MB, 62 MiB) copied, 10,9642 s, 5,9 MB/s
> stdin: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 6299938
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 61.81 MB (ratio 0.00:1)
> Time: 11.596 sec (0 m 11 s)
>
> Is there any way of scanning mp3-files with clamscan?
>
> Greetings.
> Rosika
>
>

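The file type check Steven Morgan describes, as an added illustration (not part of any post in this thread and not ClamAV's own code): a small Python model of the two quoted daily.ftm lines, assuming the field layout magictype:offset:magicbytes:name:rtype:type and modelling only magictype 0 with a numeric offset. The sample byte strings are constructed; the gzip case shows only that the outer stream no longer begins with the MP3 magic, not what the engine does after decompression.

```python
import gzip
from dataclasses import dataclass

# The two file type magic lines quoted in the thread (from daily.ftm).
FTM_LINES = [
    '"0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"',
    '"0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"',
]

@dataclass(frozen=True)
class FtmRule:
    offset: int    # byte offset where the magic must appear
    magic: bytes   # decoded magic bytes
    name: str      # descriptive name, e.g. "MP3"
    rtype: str     # type the file must already have for the rule to apply
    ftype: str     # type assigned on a match

def parse_ftm(line):
    """Parse one line; the field order is an assumption stated in the lead-in."""
    fields = line.strip().strip('"').split(":")
    if len(fields) < 6:
        raise ValueError("expected at least six colon-separated fields")
    magictype, offset, magic, name, rtype, ftype = fields[:6]
    if magictype != "0" or not offset.isdigit():
        raise ValueError("only fixed-offset byte comparison is modelled here")
    return FtmRule(int(offset), bytes.fromhex(magic), name, rtype, ftype)

def classify(data, rules):
    """Return the first rule whose magic sits at its offset in data, else None."""
    for rule in rules:
        if data[rule.offset:rule.offset + len(rule.magic)] == rule.magic:
            return rule
    return None

def is_ignored(data, rules):
    """True when the matching rule assigns CL_TYPE_IGNORED (content is skipped)."""
    hit = classify(data, rules)
    return hit is not None and hit.ftype == "CL_TYPE_IGNORED"

RULES = [parse_ftm(line) for line in FTM_LINES]

# Constructed samples, not real audio.
ID3_SAMPLE = bytes.fromhex("49443303") + b"\x00" * 6 + b"constructed tag body"
FRAME_SAMPLE = bytes.fromhex("fffb9064") + b"\x00" * 32   # starts with ff fb 90
OTHER_FRAME = bytes.fromhex("fffba064") + b"\x00" * 32    # third byte differs

if __name__ == "__main__":
    for label, blob in [("ID3 tag", ID3_SAMPLE), ("fffb90 frame", FRAME_SAMPLE),
                        ("fffba0 frame", OTHER_FRAME),
                        ("gzip of ID3 sample", gzip.compress(ID3_SAMPLE))]:
        print(f"{label:20} first bytes {blob[:4].hex()}  ignored={is_ignored(blob, RULES)}")
```

A match here means the file is typed as ignored before any content signature is consulted, which is consistent with the "Data scanned: 0.00 MB" summary in the original question.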
Re: [clamav-users] scanning mp3-files with clamscan

2017-07-09 Thread Eric Tykwinski
> On Jul 9, 2017, at 1:21 PM, G.W. Haywood  wrote:
> 
> Hi there,
> 
> On Sun, 9 Jul 2017, Rosika wrote:
> 
>> I want to scan an mp3-file (about 60 MB in size).
>> Yet I get the message: "Data scanned: 0.00 MB"
>> ...
>> Is there any way of scanning mp3-files with clamscan?
> 
> Try compressing the file with gzip first:
> 
> cat file | gzip | clamscan -

I got a bit interested, so decided to write a quick yara script:
rule mp3_test {
meta:
 description = "Find ID3 string at beginning of file"

strings:
 $id3 = {49 44 33 03}

condition:
 $id3 at 0
}

Sort of strange, that yara is catching it, but clamav isn’t.

Erics-Mac-Pro:temp eric$ clamscan -d mp3.yara ./
./.DS_Store: OK
./01 For Fruits Basket - TV Edit.mp3: OK
./01 Prologue-(Apprehension).mp3: OK
./01 The Ultimate -Naked mix -.mp3: OK
./01 Visitor.mp3: OK
./1-01 101_Book I Line 1 'Of Man's First Disobedience & The Fruit'.mp3: OK
./mp3.yara: OK

--- SCAN SUMMARY ---
Known viruses: 1
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 7
Infected files: 0
Data scanned: 0.01 MB
Data read: 31.84 MB (ratio 0.00:1)
Time: 0.092 sec (0 m 0 s)

Erics-Mac-Pro:temp eric$ yara mp3.yara ./
mp3_test .//01 For Fruits Basket - TV Edit.mp3
mp3_test .//01 Visitor.mp3
mp3_test .//01 Prologue-(Apprehension).mp3
mp3_test .//01 The Ultimate -Naked mix -.mp3
mp3_test .//1-01 101_Book I Line 1 'Of Man's First Disobedience & The Fruit’.mp3

Just wondering if this is a limitation of ClamAV, or am I doing something wrong?



Re: [clamav-users] scanning mp3-files with clamscan

2017-07-09 Thread G.W. Haywood

Hi there,

On Sun, 9 Jul 2017, Rosika wrote:


> I want to scan an mp3-file (about 60 MB in size).
> Yet I get the message: "Data scanned: 0.00 MB"
> ...
> Is there any way of scanning mp3-files with clamscan?


Try compressing the file with gzip first:

cat file | gzip | clamscan -

--

73,
Ged.


[clamav-users] scanning mp3-files with clamscan

2017-07-09 Thread Christian
Hi,

I want to scan an mp3-file (about 60 MB in size).
My command is:

clamscan /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3

Yet I get the message: "Data scanned: 0.00 MB"
First I thought that the file was too large, so I used a new command:

clamscan --max-filesize=300M --max-scansize=300M /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3

But this didn't work either.
In the meantime I think that's due to the nature of the respective file.
The file being mp3.
Could this be the case?

I also tried:

dd if=/home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3 | clamscan -

Output:

126592+1 Datensätze ein
126592+1 Datensätze aus
64815503 bytes (65 MB, 62 MiB) copied, 10,9642 s, 5,9 MB/s
stdin: OK

--- SCAN SUMMARY ---
Known viruses: 6299938
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 61.81 MB (ratio 0.00:1)
Time: 11.596 sec (0 m 11 s)

Is there any way of scanning mp3-files with clamscan?

Greetings.
Rosika

