[Clamav-devel] enabling DMG and XAR support

Steven Morgan smorgan at sourcefire.com
Wed Mar 19 12:09:38 EDT 2014


Mark,

Your xar scenario should be working. You can get more info with --debug. If
you want to forward that output and/or test file, we can investigate
further.

Steve


On Wed, Mar 19, 2014 at 11:59 AM, Mark Allan <markjallan at gmail.com> wrote:

> My test disk is indeed a raw image.  I've also tried read only as well as
> compressed, and nothing gets detected in any of those.
>
> As you say, Disk Utility creates raw images by default, and while some
> software packagers do create UDIF formatted images, I suspect Disk Utility
> is the most common way of making disk images on OS X.
>
> What would be required to provide full DMG support?
>
> Also, is there a similar caveat for xar archives?  I've done a similar
> test for those and they slip by undetected as well.
>
> xar -c -f new.xar DirWithManyKnownDetectedMalwareSamples
>
> clamscan new.xar
> new.xar: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 3259558
> Engine version: 0.98.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 31.34 MB (ratio 0.00:1)
> Time: 4.612 sec (0 m 4 s)
>
> Mark
>
> On 19 Mar 2014, at 15:43, David Raynor <draynor at sourcefire.com> wrote:
>
> > DMG is an odd filetype, since there are really 2 or 3 different filetypes
> > lumped into that category.
> >
> > What we have included in ClamAV 0.98.1 is scanning of UDIF format DMG
> > files, which have a definitive trailer block and may have compressed
> > sections.
> > We have not yet included support for scanning raw disk format DMG files,
> > which are nearly indistinguishable from disk dumps. No separate
> > compression is allowed.
> >
> > So let me ask you this question. How did you create your DMG? Most
> > software packagers create UDIF format to reduce the file size for
> > downloads. Disk Utility and the hdiutil command can create a raw disk
> > unless another format is checked.
> >
> > To find out what format your testfile is really in, you can use the
> > imageinfo sub-command of hdiutil (e.g. hdiutil imageinfo yourfile.dmg).
> > Then you can use the convert sub-command of hdiutil to switch the format.
> >
> > Hope this helps,
> >
> > Dave R.
> >
> > --
> > ---
> > Dave Raynor
> > Vulnerability Research Team
> > _______________________________________________
> > http://lurker.clamav.net/list/clamav-devel.html
> > Please submit your patches to our Bugzilla: http://bugs.clamav.net
> >
> > On Wed, Mar 19, 2014 at 11:34 AM, Rafael Ferreira <raf at uvasoftware.com> wrote:
> >
> >> Interesting... let me run some tests and get back to you.
> >>
> >> On Mar 19, 2014, at 8:33 AM, Mark Allan <markjallan at gmail.com> wrote:
> >>
> >>> Just out of interest, did you test to see if it *actually* worked?
> >>>
> >>> My configure output shows that dmg and xar are supported, but it
> >>> doesn't actually detect the Eicar test file within a disk image.
> >>>
> >>> configure: Summary of engine detection features
> >>>             autoit_ea06 : yes
> >>>             bzip2       : ok
> >>>             zlib        : /usr
> >>>             unrar       : yes
> >>>             dmg and xar : yes, from /usr
> >>>
> >>> When I create a new disk image, copy the Eicar test file in, and scan
> >>> the dmg, it shows up as being clean.
> >>>
> >>>> clamscan test.dmg
> >>>> test.dmg: OK
> >>>>
> >>>> ----------- SCAN SUMMARY -----------
> >>>> Known viruses: 3259558
> >>>> Engine version: 0.98.1
> >>>> Scanned directories: 0
> >>>> Scanned files: 1
> >>>> Infected files: 0
> >>>> Data scanned: 10.07 MB
> >>>> Data read: 10.02 MB (ratio 1.01:1)
> >>>> Time: 4.845 sec (0 m 4 s)
> >>>
> >>> Does this work as expected for anyone else?
> >>>
> >>> Mark
> >>>
> >>> On 10 Feb 2014, at 23:38, Rafael Ferreira <raf at uvasoftware.com> wrote:
> >>>
> >>>> That worked, thanks!
> >>>>
> >>>> On February 10, 2014 at 4:29:41 PM, Steven Morgan (smorgan at sourcefire.com) wrote:
> >>>>
> >>>> Rafael,
> >>>>
> >>>> Probably all you need to do is install libxml&libxml2-dev, which is
> >>>> used by dmg and xar, then do your configure/make.
> >>>>
> >>>> Steve
> >>>>
> >>>>
> >>>> On Mon, Feb 10, 2014 at 6:05 PM, Rafael Ferreira <raf at uvasoftware.com> wrote:
> >>>>
> >>>>>
> >>>>> Folks,
> >>>>>
> >>>>> I'm compiling clamav 0.98.1 on Linux (Ubuntu 12.04 LTS) and I'm not
> >>>>> getting the new super awesome DMG and XAR file support:
> >>>>>
> >>>>> configure: Summary of detected features follows
> >>>>> OS : linux-gnu
> >>>>> pthreads : yes (-lpthread)
> >>>>> configure: Summary of miscellaneous features
> >>>>> check : no (auto)
> >>>>> fanotify : yes
> >>>>> fdpassing : 1
> >>>>> IPv6 : yes
> >>>>> configure: Summary of optional tools
> >>>>> clamdtop : (auto)
> >>>>> milter : yes (disabled)
> >>>>> configure: Summary of engine performance features)
> >>>>> release mode: yes
> >>>>> jit : yes (auto)
> >>>>> mempool : yes
> >>>>> configure: Summary of engine detection features
> >>>>> autoit_ea06 : yes
> >>>>> bzip2 : ok
> >>>>> zlib : /usr
> >>>>> unrar : yes
> >>>>> dmg and xar : no
> >>>>>
> >>>>> Am I missing a configure flag or third party library?
> >>>>>
> >>>>> Thanks in advance,
> >>>>>
> >>>>> - Rafael
> >>>>>
> >>>>> ----
> >>>>> scanii.com - the web friendly malware scanner!
>
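Added example (not part of this thread and not ClamAV's own code): the thread's explanation is that ClamAV 0.98.1 keys its DMG scanning on the UDIF trailer block, so a raw image from Disk Utility slips through as "OK" even though the engine was built with dmg/xar support. The script below is a triage helper for that situation: it checks whether a file ends with the 512-byte UDIF "koly" trailer (magic `koly`, followed by a big-endian version and header size) or starts with the xar magic `xar!`, and reports which kind of container the scanner would actually see. It is not a malware scan; it only tells you whether a clean result can be trusted or whether the file is a raw image the 0.98.1 parser does not unpack. The sample images are constructed inline, and the helper names (`classify`, `udif_trailer`, `make_udif_sample`) are this example's own.

```python
import struct

KOLY_SIZE = 512            # a UDIF image ends with one 512-byte "koly" block
KOLY_MAGIC = b"koly"
XAR_MAGIC = b"xar!"
XAR_HEADER_SIZE = 28       # magic, u16 size, u16 version, u64 toc zlen, u64 toc len, u32 cksum alg


def udif_trailer(data: bytes):
    """Return (version, header_size) if data ends with a UDIF koly trailer, else None.

    The trailer is big-endian: 'koly', u32 version, u32 header size (always 512).
    This is the block the thread refers to as the "definitive trailer block";
    a raw disk image written by Disk Utility does not carry it.
    """
    if len(data) < KOLY_SIZE:
        return None
    trailer = data[-KOLY_SIZE:]
    if trailer[:4] != KOLY_MAGIC:
        return None
    version, header_size = struct.unpack(">II", trailer[4:12])
    if header_size != KOLY_SIZE:
        return None
    return version, header_size


def is_xar(data: bytes) -> bool:
    """xar archives start with the 4-byte magic 'xar!' and a big-endian header."""
    return data[:4] == XAR_MAGIC


def classify(data: bytes) -> str:
    """Name the container type a scanner would have to recognise for this blob."""
    if is_xar(data):
        return "xar"
    if udif_trailer(data) is not None:
        return "udif-dmg"
    # No trailer and no archive magic: treat as a raw disk image or unknown data,
    # i.e. a clean verdict from an engine that only unpacks UDIF is not conclusive.
    return "raw-or-unknown"


def make_udif_sample(payload: bytes) -> bytes:
    """Constructed sample: payload followed by a minimal koly block (version 4)."""
    trailer = KOLY_MAGIC + struct.pack(">II", 4, KOLY_SIZE)
    trailer += b"\0" * (KOLY_SIZE - len(trailer))
    return payload + trailer


# Constructed samples standing in for test.dmg and new.xar from the thread.
RAW_SAMPLE = b"\0" * 1024 + b"sample file contents inside a raw image" + b"\0" * 1024
UDIF_SAMPLE = make_udif_sample(b"sample file contents inside a UDIF image")
XAR_SAMPLE = XAR_MAGIC + struct.pack(">HHQQI", XAR_HEADER_SIZE, 1, 0, 0, 1) + b"\0" * 64


def classify_file(path: str) -> str:
    """Classify a real file on disk; only the head and tail are read."""
    with open(path, "rb") as fh:
        head = fh.read(len(XAR_MAGIC))
        fh.seek(0, 2)
        size = fh.tell()
        fh.seek(max(0, size - KOLY_SIZE))
        tail = fh.read(KOLY_SIZE)
    if head == XAR_MAGIC:
        return "xar"
    return "udif-dmg" if udif_trailer(tail) is not None else "raw-or-unknown"


if __name__ == "__main__":
    for name, blob in (("raw.dmg", RAW_SAMPLE), ("udif.dmg", UDIF_SAMPLE), ("new.xar", XAR_SAMPLE)):
        print(f"{name}: {classify(blob)}")
```

If a file classifies as `raw-or-unknown`, the page's own remedy applies: check it with `hdiutil imageinfo` and re-create it as a UDIF image with the `convert` sub-command (for instance `hdiutil convert in.dmg -format UDZO -o out.dmg`, a compressed UDIF variant) before relying on the scan result; a `udif-dmg` or `xar` file that still scans clean is the case worth reporting with `--debug` output, as Steve asks above.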