Re: [clamav-users] ClamAV does not detect viruses in "ar archive" file format

2022-07-11 Thread Micah Snyder (micasnyd) via clamav-users
Schroeffu, Ged,

ClamAV does not include support for parsing the old AR archive format used for 
DEB archives ( https://en.wikipedia.org/wiki/Ar_(Unix) ).  Adding AR archive 
parsing would be a new feature.  You are welcome to create a feature request 
issue using the bug report queue on Github 
https://github.com/Cisco-Talos/clamav/issues/new?assignees===bug_report.md=.
  But I can't promise if or when we'll add support for DEB-style AR archives.

Ged, the unofficial eicar signature that you shared targets any file (target 
type 0) at any offset (offset: *):
{HEX}EICAR.TEST.3:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a

For a format like AR or TAR, this signature will match if those eicar bytes are 
found anywhere in the file. The AR format does not do any compression, so it 
makes sense that this signature would alert. But this is not the intended use 
case for the EICAR test file because it doesn't demonstrate any unpacking of 
the archive.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of 
Schroeffu via clamav-users 
Sent: Monday, July 11, 2022 1:27 AM
To: clamav-users@lists.clamav.net 
Cc: i...@schroeffu.ch 
Subject: Re: [clamav-users] ClamAV does not detect viruses in "ar archive" file 
format


Hi Ged & ClamAV Users,

You are right about EICAR: the unofficial signatures are detected in an .ar 
archive format.
Besides this, unfortunately, real malware code and EICAR are not detected in a 
.tar.gz (gzip) inside an .ar archive file (as .deb packages are).

How to reproduce:

- Download my testfile gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb 
(6MB) (download here at your own risk!) and run a scan like this:
- wget https://seafile.schroeffu.ch/f/876b201b6d614d66a87e/?dl=1 -O 
/tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb && clamdscan -z 
/tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb (no virus found) *1)
- unpack the .ar archive and scan the gzip file (data.tar.zst) inside; scanned 
this way, viruses are found inside .tar.zst (gzip):
- ar x /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb && clamdscan 
-z /tmp/data.tar.zst (virus will be found) *2)

--> Is this my handling failure, like not having configured archive-in-archive 
scanning, or is it worth a bug report?



*1)

clamdscan -z gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb:
 OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 3.508 sec (0 m 3 s)
Start Date: 2022:07:11 10:11:49
End Date: 2022:07:11 10:11:53

*2)

clamdscan -z data.tar.zst
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst: 
Win.Dropper.Corebot-7599208-0 FOUND
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst: 
{HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst: 
{HEX}EICAR.TEST.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 21.519 sec (0 m 21 s)
Start Date: 2022:07:11 10:11:18
End Date: 2022:07:11 10:11:39
___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


Re: [clamav-users] ClamAV does not detect viruses in "ar archive" file format

2022-07-11 Thread Schroeffu via clamav-users
Hi Ged & ClamAV Users,


You are right about EICAR: the unofficial signatures are detected in an
.ar archive format.
Besides this, unfortunately, real malware code and EICAR are not
detected in a .tar.gz (gzip) inside an .ar archive file (as .deb
packages are).


How to reproduce:

- Download my testfile
gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb (6MB) (download
here at your own risk!) and run a scan like this:
- wget https://seafile.schroeffu.ch/f/876b201b6d614d66a87e/?dl=1 -O
/tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb && clamdscan
-z /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb (no virus
found) *1) 
- unpack the .ar archive and scan the gzip file (data.tar.zst) inside;
scanned this way, viruses are found inside .tar.zst (gzip):
- ar x /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb &&
clamdscan -z /tmp/data.tar.zst (virus will be found) *2)  


--> Is this my handling failure, like not having configured
archive-in-archive scanning, or is it worth a bug report?



*1) 

clamdscan -z gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb 
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb:
OK 


--- SCAN SUMMARY ---
Infected files: 0
Time: 3.508 sec (0 m 3 s)
Start Date: 2022:07:11 10:11:49
End Date: 2022:07:11 10:11:53 

*2) 

clamdscan -z data.tar.zst 
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst:
Win.Dropper.Corebot-7599208-0 FOUND
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst:
{HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst:
{HEX}EICAR.TEST.UNOFFICIAL FOUND 


--- SCAN SUMMARY ---
Infected files: 1
Time: 21.519 sec (0 m 21 s)
Start Date: 2022:07:11 10:11:18
End Date: 2022:07:11 10:11:39


Re: [clamav-users] ClamAV does not detect viruses in "ar archive" file format

2022-07-08 Thread G.W. Haywood via clamav-users

Hi there,

On Fri, 8 Jul 2022, Schroeffu via clamav-users wrote:

I am trying to scan "ar archive" format like .deb packages are. ClamAV
unfortunately does not detect the EICAR inside the ar archive.
Am I missing something to configure so clamav scans/unpacks "ar archive"
formats correctly?


If you have deduced that ClamAV is not unpacking the archive properly,
then I'm not sure that your deduction is correct.  Testing with EICAR
files can be a little tricky because the EICAR specifications are very
particular about what is scanned.

If I create an archive with 'ar' and then scan it here, my clamd
server does find it:

8<
$ ar r archive.deb eicar tempscan.pl
ar: creating archive.deb
$ clamdscan archive.deb 
/home/ged/archive.deb: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND


--- SCAN SUMMARY ---
Infected files: 1
Time: 1.372 sec (0 m 1 s)
Start Date: 2022:07:08 16:44:05
End Date:   2022:07:08 16:44:06
8<

but this detection is using an UNOFFICIAL signature:

8<
$ grep EICAR /EXPORTS/clamav/databases/*
Binary file daily.cld matches
Binary file main.cld matches
rfxn.hdb:44d88612fea8a8f36de82e1278abb02f:68:{MD5}EICAR.TEST.3.59
rfxn.hdb:69630e4574ec6798239b091cda43dca0:69:{MD5}EICAR.TEST.10.58
rfxn.ndb:{HEX}EICAR.TEST.3:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
rfxn.ndb:{HEX}EICAR.TEST:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
8<

As you can see, the official (daily, main) signatures match on the word
EICAR, but it isn't the official signatures which triggered detection.

I believe that the rfxn signatures implement the EICAR specifications
incorrectly, but at least the scanner does seem to be unpacking the
archive.  If you search the archives of this mailing list for "EICAR"
you will probably find something more informative.

--

73,
Ged.
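The three posts in this thread describe one mechanism from different angles: Ged's `ar r archive.deb eicar` is found because the rfxn signature is a `{HEX}` body pattern with target type 0 and offset `*`, which matches those bytes anywhere in the flat file; Micah notes that AR applies no compression, so the member bytes are visible to such a whole-file match; and Schroeffu's `.deb` is missed because the interesting member is itself a compressed archive (`data.tar.zst`) that is only found once `ar x` has extracted it and the scanner gets at the decompressed contents. The following Python is an added example written for this page, not ClamAV code and not anything the posters ran. It walks the members of a common-format ar archive (the `!<arch>\n` magic followed by 60-byte member headers, as described on the ar(5) Wikipedia page Micah links), parses an ndb-style `NAME:TARGET:OFFSET:HEX` line, and scans each member with and without decompressing it. Assumptions: only target type 0 and an offset of `*` or an integer are honoured (real ndb offsets are richer); gzip stands in for the compressed member, because zstd is not in the Python standard library; a harmless constructed marker string stands in for the EICAR body; `debian-binary` is the standard first member of a .deb. All sample archives are built in memory, so the script runs offline.

```python
"""Walk the members of an ar-format (.deb-style) archive and run a
ClamAV-style ndb body signature over each member, with and without
decompressing compressed members.

Added example for this thread; it is not ClamAV code.  Assumptions:
the common ar(5) layout (8-byte "!<arch>\\n" magic, 60-byte member
headers, members padded to even offsets), ndb lines of the form
NAME:TARGET:OFFSET:HEX where only target 0 (any file) and an offset of
"*" or an integer are honoured, and gzip as the stand-in for a
compressed member (the thread's data.tar.zst is zstd, which the
standard library cannot decompress)."""
import gzip
import struct

AR_MAGIC = b"!<arch>\n"
# name(16) mtime(12) uid(6) gid(6) mode(8) size(10) terminator(2) = 60 bytes
AR_HEADER = struct.Struct("16s12s6s6s8s10s2s")
AR_END = b"`\n"


def build_ar(members):
    """Construct a minimal common-format ar archive from (name, bytes) pairs."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += AR_HEADER.pack(
            name.encode().ljust(16), b"0".ljust(12), b"0".ljust(6),
            b"0".ljust(6), b"100644".ljust(8),
            str(len(data)).encode().ljust(10), AR_END)
        out += data
        if len(data) % 2:          # every member header starts on an even offset
            out += b"\n"
    return bytes(out)


def iter_ar_members(blob):
    """Yield (name, data) for each member; tolerates GNU "name/" style names."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + AR_HEADER.size <= len(blob):
        fields = AR_HEADER.unpack_from(blob, pos)
        if fields[6] != AR_END:
            raise ValueError("bad member header at offset %d" % pos)
        name = fields[0].rstrip(b" ").rstrip(b"/").decode()
        size = int(fields[5].decode().strip())
        start = pos + AR_HEADER.size
        data = blob[start:start + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        yield name, data
        pos = start + size + (size % 2)


def parse_ndb(line):
    """Split NAME:TARGET:OFFSET:HEX into (name, target, offset, body bytes)."""
    name, target, offset, body = line.split(":", 3)
    return name, int(target), offset, bytes.fromhex(body)


def body_matches(sig, data):
    """Match the signature body at offset "*" (anywhere) or at a fixed offset."""
    _, target, offset, body = sig
    if target != 0:
        raise NotImplementedError("only target type 0 (any file) is handled")
    if offset == "*":
        return body in data
    off = int(offset)
    return data[off:off + len(body)] == body


def whole_file_match(blob, sig):
    """What a flat, file-wide scan sees: the archive bytes as one buffer."""
    return body_matches(sig, blob)


def scan_ar(blob, sig, unpack_gzip):
    """Scan each member; optionally decompress gzip members (1f 8b magic) first."""
    hits = []
    for name, data in iter_ar_members(blob):
        if unpack_gzip and data[:2] == b"\x1f\x8b":
            data = gzip.decompress(data)
        if body_matches(sig, data):
            hits.append(name)
    return hits


# Constructed test data: a harmless marker string stands in for the EICAR body.
MARKER = b"CONSTRUCTED-TEST-MARKER"
SIG_LINE = "{HEX}TEST.MARKER:0:*:" + MARKER.hex()
SIG = parse_ndb(SIG_LINE)
PAYLOAD = b"-- constructed tar-like payload --\n" + MARKER + b"\n"
RAW_DEB = build_ar([("debian-binary", b"2.0\n"), ("data.tar", PAYLOAD)])
GZ_DEB = build_ar([("debian-binary", b"2.0\n"),
                   ("data.tar.gz", gzip.compress(PAYLOAD))])

if __name__ == "__main__":
    print("flat scan, uncompressed member :", whole_file_match(RAW_DEB, SIG))
    print("flat scan, gzip member         :", whole_file_match(GZ_DEB, SIG))
    print("per-member, no unpacking       :", scan_ar(GZ_DEB, SIG, False))
    print("per-member, gzip unpacked      :", scan_ar(GZ_DEB, SIG, True))
```

Running it reproduces the thread's three observations with the constructed data: the flat scan finds the marker in the archive whose member is uncompressed (Ged's case), the flat scan and the per-member scan without unpacking both miss the archive whose member is gzipped (Schroeffu's `.deb` as clamdscan saw it), and only the per-member scan that decompresses the member finds it (Schroeffu's manual `ar x` followed by a scan of the extracted file). The design point for a scanner is the one Micah makes: a body signature at offset `*` needs no container parser to fire on an uncompressed AR member, so such a hit proves nothing about archive support, whereas a compressed member is only reachable by a parser that knows the container format and recurses into each member.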