[Clamav-devel] enabling DMG and XAR support

Mark Allan markjallan at gmail.com
Wed Mar 19 11:59:27 EDT 2014


My test disk is indeed a raw image.  I've also tried read-only as well as compressed, and nothing gets detected in any of those.

As you say, Disk Utility creates raw images by default, and while some software packagers do create UDIF formatted images, I suspect Disk Utility is the most common way of making disk images on OS X.

What would be required to provide full DMG support?

Also, is there a similar caveat for xar archives?  I've done a similar test for those and they slip by undetected as well.

xar -c -f new.xar DirWithManyKnownDetectedMalwareSamples

clamscan new.xar 
new.xar: OK

----------- SCAN SUMMARY -----------
Known viruses: 3259558
Engine version: 0.98.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 31.34 MB (ratio 0.00:1)
Time: 4.612 sec (0 m 4 s)

Mark
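Added example (not code from ClamAV or from anyone in this thread): a small parser that tells a UDIF disk image from a raw one by looking for the 512-byte big-endian "koly" trailer that Dave Raynor's quoted explanation below refers to, and that recognises a xar archive from its 28-byte header. Both layouts are the published ones for those formats and are assumed here rather than taken from the page; all sample inputs are constructed in the file, and "PAYLOAD" stands in for the test file copied into the image. The point it makes concrete: a raw image (what Disk Utility writes by default) and a UDIF image that lost its tail in a truncated download both look alike to anything that keys on the trailer.

```python
"""Structural identification of DMG (UDIF vs raw) and xar containers.

Added example for this thread; it is not ClamAV code and not code from any
poster. Assumed (not stated on the page): the 512-byte big-endian "koly"
trailer layout published for UDIF and the 28-byte big-endian xar header.
All sample inputs below are constructed in this file.
"""
import struct

UDIF_TRAILER_SIZE = 512
# magic, header size, version, TOC zlib length, TOC raw length, checksum algorithm
XAR_HEADER_FMT = ">4sHHQQI"
XAR_HEADER_SIZE = struct.calcsize(XAR_HEADER_FMT)  # 28


def parse_koly_trailer(image):
    """Return the UDIF trailer fields if `image` ends in a plausible koly block, else None.

    A raw image written by Disk Utility has no trailer, so this returns None
    for it, which is the distinction Dave Raynor describes.
    """
    if len(image) < UDIF_TRAILER_SIZE:
        return None
    t = image[-UDIF_TRAILER_SIZE:]
    magic, version, header_size, flags = struct.unpack_from(">4sIII", t, 0)
    if magic != b"koly" or version != 4 or header_size != UDIF_TRAILER_SIZE:
        return None
    _running, data_off, data_len, rsrc_off, rsrc_len = struct.unpack_from(">5Q", t, 16)
    xml_off, xml_len = struct.unpack_from(">QQ", t, 216)
    sector_count, = struct.unpack_from(">Q", t, 492)
    body_len = len(image) - UDIF_TRAILER_SIZE
    # The XML plist (blkx table: chunk offsets and compression types) and the
    # data fork must both lie inside the body, otherwise the trailer is bogus.
    if xml_off + xml_len > body_len or data_off + data_len > body_len:
        return None
    return {
        "flags": flags,
        "data_fork_offset": data_off, "data_fork_length": data_len,
        "rsrc_fork_offset": rsrc_off, "rsrc_fork_length": rsrc_len,
        "xml_offset": xml_off, "xml_length": xml_len,
        "sector_count": sector_count,
    }


def classify_dmg(image):
    """'udif' when a valid trailer is present, otherwise 'raw'."""
    return "udif" if parse_koly_trailer(image) else "raw"


def parse_xar_header(data):
    """Return xar header fields if `data` starts with a plausible xar header, else None."""
    if len(data) < XAR_HEADER_SIZE:
        return None
    magic, size, version, toc_c, toc_u, cksum = struct.unpack_from(XAR_HEADER_FMT, data, 0)
    if magic != b"xar!" or size < XAR_HEADER_SIZE or version != 1:
        return None
    if size + toc_c > len(data):  # the compressed TOC must fit in the file
        return None
    return {"header_size": size, "toc_compressed_length": toc_c,
            "toc_uncompressed_length": toc_u, "checksum_algorithm": cksum}


def build_udif_image(body, plist):
    """Constructed sample only: body, then plist, then a koly trailer. Not hdiutil output."""
    trailer = bytearray(UDIF_TRAILER_SIZE)
    struct.pack_into(">4sIII", trailer, 0, b"koly", 4, UDIF_TRAILER_SIZE, 1)
    struct.pack_into(">5Q", trailer, 16, 0, 0, len(body), 0, 0)
    struct.pack_into(">II", trailer, 56, 0, 1)  # segment 0 of 1
    struct.pack_into(">QQ", trailer, 216, len(body), len(plist))
    struct.pack_into(">Q", trailer, 492, len(body) // 512)
    return body + plist + bytes(trailer)


# Constructed inputs. "PAYLOAD" stands in for the test file copied into the image.
SAMPLE_BODY = b"\0" * 1024 + b"PAYLOAD" + b"\0" * 1017
SAMPLE_PLIST = b"<plist><dict><key>blkx</key></dict></plist>"
SAMPLE_UDIF = build_udif_image(SAMPLE_BODY, SAMPLE_PLIST)
# A raw image: same bytes, no trailer; the word "koly" mid-file must not fool us.
SAMPLE_RAW = b"\0" * 512 + b"koly" + SAMPLE_BODY
# A UDIF image whose download was cut short: the trailer is gone, so it looks raw.
SAMPLE_TRUNCATED = SAMPLE_UDIF[:-100]
# A xar file: header, 20 bytes standing in for the zlib-compressed TOC, then the heap.
SAMPLE_XAR = struct.pack(XAR_HEADER_FMT, b"xar!", XAR_HEADER_SIZE, 1, 20, 64, 1) + b"T" * 20 + b"heap"

if __name__ == "__main__":
    for name, img in [("udif", SAMPLE_UDIF), ("raw", SAMPLE_RAW), ("truncated", SAMPLE_TRUNCATED)]:
        print(name, "->", classify_dmg(img), parse_koly_trailer(img))
    print("xar ->", parse_xar_header(SAMPLE_XAR))
```

Run it against a real file with `classify_dmg(open(path, "rb").read())`; on OS X the answer should agree with `hdiutil imageinfo`, and a "raw" verdict is the case the thread says 0.98.1 does not unpack.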

On 19 Mar 2014, at 15:43, David Raynor <draynor at sourcefire.com> wrote:

> DMG is an odd filetype, since there are really 2 or 3 different filetypes
> lumped into that category.
> 
> What we have included in ClamAV 0.98.1 is scanning of UDIF format DMG
> files, which have a definitive trailer block and may have compressed
> sections.
> We have not yet included support for scanning raw disk format DMG files,
> which are nearly indistinguishable from disk dumps. No separate compression
> is allowed.
> 
> So let me ask you this question. How did you create your DMG? Most software
> packagers create UDIF format to reduce the file size for downloads. Disk
> Utility and the hdiutil command can create a raw disk unless another format
> is checked.
> 
> To find out what format your testfile is really in, you can use the
> imageinfo sub-command of hdiutil (e.g. hdiutil imageinfo yourfile.dmg).
> Then you can use the convert sub-command of hdiutil to switch the format.
> 
> Hope this helps,
> 
> Dave R.
> 
> -- 
> ---
> Dave Raynor
> Vulnerability Research Team
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
> 
> On Wed, Mar 19, 2014 at 11:34 AM, Rafael Ferreira <raf at uvasoftware.com> wrote:
> 
>> Interesting... let me run some tests and get back to you.
>> 
>> On Mar 19, 2014, at 8:33 AM, Mark Allan <markjallan at gmail.com> wrote:
>> 
>>> Just out of interest, did you test to see if it *actually* worked?
>>> 
>>> My configure output shows that dmg and xar are supported, but it doesn't
>>> actually detect the Eicar test file within a disk image.
>>> 
>>> configure: Summary of engine detection features
>>>             autoit_ea06 : yes
>>>             bzip2       : ok
>>>             zlib        : /usr
>>>             unrar       : yes
>>>             dmg and xar : yes, from /usr
>>> 
>>> When I create a new disk image, copy the Eicar test file in, and scan
>>> the dmg, it shows up as being clean.
>>> 
>>>> clamscan test.dmg
>>>> test.dmg: OK
>>>> 
>>>> ----------- SCAN SUMMARY -----------
>>>> Known viruses: 3259558
>>>> Engine version: 0.98.1
>>>> Scanned directories: 0
>>>> Scanned files: 1
>>>> Infected files: 0
>>>> Data scanned: 10.07 MB
>>>> Data read: 10.02 MB (ratio 1.01:1)
>>>> Time: 4.845 sec (0 m 4 s)
>>> 
>>> Does this work as expected for anyone else?
>>> 
>>> Mark
>>> 
>>> On 10 Feb 2014, at 23:38, Rafael Ferreira <raf at uvasoftware.com> wrote:
>>> 
>>>> That worked, thanks!
>>>> 
>>>> On February 10, 2014 at 4:29:41 PM, Steven Morgan (smorgan at sourcefire.com) wrote:
>>>> 
>>>> Rafael,
>>>> 
>>>> Probably all you need to do is install libxml&libxml2-dev, which is used by
>>>> dmg and xar, then do your configure/make.
>>>> 
>>>> Steve
>>>> 
>>>> 
>>>> On Mon, Feb 10, 2014 at 6:05 PM, Rafael Ferreira <raf at uvasoftware.com> wrote:
>>>> 
>>>>> 
>>>>> Folks,
>>>>> 
>>>>> I'm compiling clamav 0.98.1 on Linux (Ubuntu 12.04 LTS) and I'm not
>>>>> getting the new super awesome DMG and XAR file support:
>>>>> 
>>>>> configure: Summary of detected features follows
>>>>> OS : linux-gnu
>>>>> pthreads : yes (-lpthread)
>>>>> configure: Summary of miscellaneous features
>>>>> check : no (auto)
>>>>> fanotify : yes
>>>>> fdpassing : 1
>>>>> IPv6 : yes
>>>>> configure: Summary of optional tools
>>>>> clamdtop : (auto)
>>>>> milter : yes (disabled)
>>>>> configure: Summary of engine performance features)
>>>>> release mode: yes
>>>>> jit : yes (auto)
>>>>> mempool : yes
>>>>> configure: Summary of engine detection features
>>>>> autoit_ea06 : yes
>>>>> bzip2 : ok
>>>>> zlib : /usr
>>>>> unrar : yes
>>>>> dmg and xar : no
>>>>> 
>>>>> Am I missing a configure flag or third party library?
>>>>> 
>>>>> Thanks in advance,
>>>>> 
>>>>> - Rafael
>>>>> 
>>>>> ----
>>>>> scanii.com - the web friendly malware scanner!