[Clamav-devel] enabling DMG and XAR support

David Raynor draynor at sourcefire.com
Wed Mar 19 11:43:16 EDT 2014


On Wed, Mar 19, 2014 at 11:34 AM, Rafael Ferreira <raf at uvasoftware.com> wrote:

> Interesting... let me run some tests and get back to you.
>
> On Mar 19, 2014, at 8:33 AM, Mark Allan <markjallan at gmail.com> wrote:
>
> > Just out of interest, did you test to see if it *actually* worked?
> >
> > My configure output shows that dmg and xar are supported, but it doesn't
> > actually detect the Eicar test file within a disk image.
> >
> > configure: Summary of engine detection features
> >              autoit_ea06 : yes
> >              bzip2       : ok
> >              zlib        : /usr
> >              unrar       : yes
> >              dmg and xar : yes, from /usr
> >
> > When I create a new disk image, copy the Eicar test file in, and scan
> > the dmg, it shows up as being clean.
> >
> >> clamscan test.dmg
> >> test.dmg: OK
> >>
> >> ----------- SCAN SUMMARY -----------
> >> Known viruses: 3259558
> >> Engine version: 0.98.1
> >> Scanned directories: 0
> >> Scanned files: 1
> >> Infected files: 0
> >> Data scanned: 10.07 MB
> >> Data read: 10.02 MB (ratio 1.01:1)
> >> Time: 4.845 sec (0 m 4 s)
> >
> > Does this work as expected for anyone else?
> >
> > Mark
> >
> > On 10 Feb 2014, at 23:38, Rafael Ferreira <raf at uvasoftware.com> wrote:
> >
> >> That worked, thanks!
> >>
> >> On February 10, 2014 at 4:29:41 PM, Steven Morgan (
> smorgan at sourcefire.com) wrote:
> >>
> >> Rafael,
> >>
> >> Probably all you need to do install libxml&libxml2-dev, which is used by
> >> dmg and xar, then do your configure/make.
> >>
> >> Steve
> >>
> >>
> >> On Mon, Feb 10, 2014 at 6:05 PM, Rafael Ferreira <raf at uvasoftware.com>
> >> wrote:
> >>
> >>>
> >>> Folks,
> >>>
> >>> I'm compiling clamav 0.98.1 on Linux (Ubuntu 12.04 LTS) and I'm not
> >>> getting the new super awesome DMG and XAR file support:
> >>>
> >>> configure: Summary of detected features follows
> >>> OS : linux-gnu
> >>> pthreads : yes (-lpthread)
> >>> configure: Summary of miscellaneous features
> >>> check : no (auto)
> >>> fanotify : yes
> >>> fdpassing : 1
> >>> IPv6 : yes
> >>> configure: Summary of optional tools
> >>> clamdtop : (auto)
> >>> milter : yes (disabled)
> >>> configure: Summary of engine performance features)
> >>> release mode: yes
> >>> jit : yes (auto)
> >>> mempool : yes
> >>> configure: Summary of engine detection features
> >>> autoit_ea06 : yes
> >>> bzip2 : ok
> >>> zlib : /usr
> >>> unrar : yes
> >>> dmg and xar : no
> >>>
> >>> Am I missing a configure flag or third party library?
> >>>
> >>> Thanks in advance,
> >>>
> >>> - Rafael
> >>>
> >>> ----
> >>> scanii.com - the web friendly malware scanner!
> >>> _______________________________________________
> >>> http://lurker.clamav.net/list/clamav-devel.html
> >>> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>

DMG is an odd filetype, since there are really 2 or 3 different filetypes
lumped into that category.

What we have included in ClamAV 0.98.1 is scanning of UDIF format DMG
files, which have a definitive trailer block and may have compressed
sections.
We have not yet included support for scanning raw disk format DMG files,
which are nearly indistinguishable from disk dumps. No separate compression
is allowed.

So let me ask you this question. How did you create your DMG? Most software
packagers create UDIF format to reduce the file size for downloads. Disk
Utility and the hdiutil command can create a raw disk unless another format
is checked.

To find out what format your testfile is really in, you can use the
imageinfo sub-command of hdiutil (e.g. hdiutil imageinfo yourfile.dmg).
Then you can use the convert sub-command of hdiutil to switch the format.

Hope this helps,

Dave R.

-- 
---
Dave Raynor
Vulnerability Research Team
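Dave's point is that the scanner's "OK" verdict means nothing until you know whether the image is UDIF (which 0.98.1 unpacks) or a raw disk dump (which it does not). As an added example, not code from the thread or from ClamAV, the script below applies the same distinction offline by inspecting the UDIF trailer: a UDIF image ends with a 512-byte block whose first four bytes are the ASCII signature "koly", followed by a big-endian version and header size. The sample images are constructed in the script so it runs without a real .dmg; the `KOLY_SIZE` and `KOLY_MAGIC` names and the "udif"/"raw"/"too-small" labels are this example's own.

```python
import struct

# UDIF trailer ("koly" block) layout assumed here: 4-byte ASCII signature,
# 4-byte big-endian version, 4-byte big-endian header size, then flags and
# fork/resource offsets padded out to 512 bytes total.
KOLY_MAGIC = b"koly"
KOLY_SIZE = 512


def dmg_kind(data: bytes) -> str:
    """Classify an image by its trailer.

    Returns "udif" when a well-formed koly trailer is present, "raw" when the
    file ends without one (a raw disk dump, indistinguishable from a plain
    device image), or "too-small" when there is not even room for a trailer.
    """
    if len(data) < KOLY_SIZE:
        return "too-small"
    trailer = data[-KOLY_SIZE:]
    if trailer[:4] != KOLY_MAGIC:
        return "raw"
    version, header_size = struct.unpack(">II", trailer[4:12])
    # A stray "koly" with an impossible header size is not a usable trailer.
    if header_size != KOLY_SIZE or version == 0:
        return "raw"
    return "udif"


def dmg_kind_from_file(path: str) -> str:
    """Read only the tail of a (possibly large) image and classify it."""
    with open(path, "rb") as f:
        f.seek(0, 2)
        size = f.tell()
        if size < KOLY_SIZE:
            return "too-small"
        f.seek(size - KOLY_SIZE)
        return dmg_kind(f.read(KOLY_SIZE))


def make_udif_sample(payload: bytes = b"\x00" * 4096) -> bytes:
    """Constructed UDIF-style image: arbitrary payload plus a koly trailer."""
    version = 4
    trailer = KOLY_MAGIC + struct.pack(">II", version, KOLY_SIZE)
    trailer += b"\x00" * (KOLY_SIZE - len(trailer))
    return payload + trailer


def make_raw_sample(size: int = 4096) -> bytes:
    """Constructed raw-disk-style image: a block of bytes with no trailer."""
    return bytes((i * 7) & 0xFF for i in range(size))


def scan_verdict_is_meaningful(data: bytes) -> bool:
    """True only when a 0.98.1-era scanner could have looked inside the image.

    A clean verdict on a raw image says nothing about its contents, because
    the raw format is not unpacked; treat such a result as "not scanned".
    """
    return dmg_kind(data) == "udif"


if __name__ == "__main__":
    for name, sample in (("udif", make_udif_sample()), ("raw", make_raw_sample())):
        print(name, "->", dmg_kind(sample),
              "(verdict meaningful)" if scan_verdict_is_meaningful(sample)
              else "(contents were not unpacked)")
```

Use `dmg_kind_from_file("test.dmg")` on the image from the earlier report; if it comes back "raw", the clean result is expected and `hdiutil convert` to a UDIF variant (as Dave suggests) is the fix, not a signature problem. The trailer check is a quick triage step, not a substitute for `hdiutil imageinfo`, which reports the exact variant.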
