[clamav-users] ClamXav and Compressed Files

Jinwon Lee alfaginon at me.com
Sat Mar 28 21:35:56 EDT 2015


Thanks for the responses. I am not a computer expert so I might not fully understand
all that has been discussed, but it sounds like ClamXav extracts (decomposes?) archive files like zip and RAR and then scans them. But with a .dmg
file it is uncertain whether it does the same thing.

It sounds like ClamXav is not ‘complete’ yet.

What I always do is scan the files as they are first, and to be extra safe, decompress or mount and then rescan them.

But I still do not understand why ‘the second scans’ usually take longer (it feels like that to me). I am still not sure whether ClamXav ‘really’ scans compressed files. I just test-scanned a zip file and had a look at the scan log. And it says it scanned 1 file!!??

Regards
Jinwon

2015-03-29 01:32:28 +0000
Items to be scanned:

/Users/a/Desktop/gallery.zip


/Users/a/Desktop/gallery.zip: OK
----------- SCAN SUMMARY -----------
Known viruses: 3779286
Engine version: 0.98.6
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 20.64 MB
Data read: 9.91 MB (ratio 2.08:1)
Time: 20.792 sec (0 m 20 s)




> On 29/03/2015, at 11:21 am, Al Varnell <alvarnell at mac.com> wrote:
> 
> I sent this out last night, but it must have been rejected for length or something, so I’ll remove the lengthy results of the third test and quotes to see if that works.
> 
> -Al-
> ==============
> I ran some tests after my last posting to answer just this question, but results were mixed so I was waiting for an authoritative answer.  Since we haven’t heard yet, I’ll post my results.
> 
> First I made my own .dmg with an eicar test file on-board.  Running clamscan --debug on the file did not detect any infection nor did it identify the file as a DMG:
> 
>> LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
>> LibClamAV debug: Recognized binary data
>> LibClamAV debug: cache_check: ff8fdbcdb89e9474452237677b5f09e9 is negative
>> LibClamAV debug: in cli_check_mydoom_log()
>> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
>> LibClamAV debug: cli_magic_scandesc: returning 0  at line 2470
>> LibClamAV debug: cache_add: ff8fdbcdb89e9474452237677b5f09e9 (level 0)
>> /Volumes/Macintosh HD/Users/avarnell/Documents/EicarTest.dmg: OK
>> LibClamAV debug: Cleaning up phishcheck
>> LibClamAV debug: Freeing phishcheck struct
>> LibClamAV debug: Phishcheck cleaned up
>> 
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 3778735
>> Engine version: 0.98.6
>> Scanned directories: 0
>> Scanned files: 1
>> Infected files: 0
>> Data scanned: 7.62 MB
>> Data read: 7.55 MB (ratio 1.01:1)
>> Time: 7.553 sec (0 m 7 s)
> 
> When I mounted the EicarTest.dmg ClamXav Sentry (real-time process using clamd) caught it immediately.
> =======
> Next I scanned download.dmg which was known to contain the FkCodec adware.  It detected the hash value as expected and also matched three ZIP segments and the DMG container:
> 
>> LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
>> LibClamAV debug: Recognized binary data
>> LibClamAV debug: cache_check: b4ece10d1e706b87b065523a654d48a7 is negative
>> LibClamAV debug: in cli_check_mydoom_log()
>> LibClamAV debug: Matched signature for file type ZIP-SFX at 376602
>> LibClamAV debug: Matched signature for file type ZIP-SFX at 407295
>> LibClamAV debug: Matched signature for file type ZIP-SFX at 563034
>> LibClamAV debug: Matched signature for file type DMG container file at 626691
>> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
>> LibClamAV debug: Adware.OSX found
>> LibClamAV debug: FP SIGNATURE: b4ece10d1e706b87b065523a654d48a7:627203:Adware.OSX
>> LibClamAV debug: cli_magic_scandesc: returning 1  at line 2470
>> /Users/avarnell/Desktop/•Download/Malware/FkCodec-A/download.dmg: Adware.OSX FOUND
>> LibClamAV debug: Cleaning up phishcheck
>> LibClamAV debug: Freeing phishcheck struct
>> LibClamAV debug: Phishcheck cleaned up
>> 
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 3778290
>> Engine version: 0.98.6
>> Scanned directories: 0
>> Scanned files: 1
>> Infected files: 1
>> Data scanned: 0.60 MB
>> Data read: 0.60 MB (ratio 1.01:1)
>> Time: 7.419 sec (0 m 7 s)
> 
> When I mounted the download.dmg Sentry caught Codec-M Installer.app/Contents/MacOS/Installer: Osx.Trojan.Fakecodecs-1 immediately.
> =========
> Last I scanned CleanApp 4.0.8 Mac 中文版.dmg which was known to contain the Machook or WireLurker malware.  I also knew that an unofficial hash signature was available only to ClamXav users.  It detects the hash value as expected but also was able to decompose 13 segments each with several sections.
> 
>> results available on request.
> 
> When mounting CleanApp 4.0.8 Mac 中文版.dmg Sentry located:
> /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/MacOS/CleanApp: OSX.MacHook/WireLurker.UNOFFICIAL FOUND
> /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/Resources/FontMap1.cfg: OSX.MacHook/WireLurker.A.UNOFFICIAL FOUND
> /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/Resources/start.sh: OSX.MacHook/WireLurker.UNOFFICIAL FOUND
> ======
> So three somewhat different results for the three .dmg files leads me to believe that bursting is possible, but no evidence of being able to detect infected files within a .dmg container.
> 
> -Al-
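The two logs above are easier to read once you know which counters say what. "Scanned files" counts the objects handed to clamscan (one for a .zip or a .dmg), not the members it finds inside them; the sign that an archive was actually unpacked is "Data scanned" exceeding "Data read" (Jinwon's zip: 20.64 MB scanned against 9.91 MB read, ratio 2.08:1), and with --debug the "Matched signature for file type ... at <offset>" lines list the embedded objects the engine recognised inside a container (Al's download.dmg: three ZIP-SFX segments and the DMG container). The script below, added here as an example and not code from the thread or from the ClamAV project, pulls those facts out of a summary and a debug log. It assumes the 0.98-era SCAN SUMMARY layout with sizes printed in MB and the debug line format quoted above; the sample summary and debug text are constructed from the figures in this thread, and the optional live run needs clamscan and zip on the PATH.

```shell
#!/bin/sh
# Added example: interpreting clamscan output for archives/containers.
# Assumptions: SCAN SUMMARY sizes are in MB (clamscan 0.98 style) and
# --debug emits "Matched signature for file type <TYPE> at <offset>".

# Constructed from the figures in Jinwon's post (not live output).
SAMPLE_SUMMARY='----------- SCAN SUMMARY -----------
Known viruses: 3779286
Engine version: 0.98.6
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 20.64 MB
Data read: 9.91 MB (ratio 2.08:1)
Time: 20.792 sec (0 m 20 s)'

# Constructed from the --debug lines quoted in Al's second test.
SAMPLE_DEBUG='LibClamAV debug: Recognized binary data
LibClamAV debug: Matched signature for file type ZIP-SFX at 376602
LibClamAV debug: Matched signature for file type ZIP-SFX at 407295
LibClamAV debug: Matched signature for file type ZIP-SFX at 563034
LibClamAV debug: Matched signature for file type DMG container file at 626691
LibClamAV debug: Adware.OSX found'

# summary_field SUMMARY FIELD -> the number following "FIELD: " (e.g. 20.64)
summary_field() {
    printf '%s\n' "$1" | awk -F': ' -v f="$2" '$1 == f { split($2, a, " "); print a[1]; exit }'
}

# archive_expanded SUMMARY -> "expanded" when "Data scanned" exceeds "Data read",
# i.e. the engine decompressed members on top of the bytes it read from disk.
# "Scanned files" stays 1 for an archive: it counts objects handed to clamscan,
# not members found inside them, so it cannot answer the question on its own.
archive_expanded() {
    s=$(summary_field "$1" "Data scanned")
    r=$(summary_field "$1" "Data read")
    if awk -v s="$s" -v r="$r" 'BEGIN { exit !(s > r) }'; then
        echo expanded
    else
        echo not-expanded
    fi
}

# embedded_types DEBUGLOG -> one line per embedded type matched inside the
# container, prefixed with a count, e.g. "3 ZIP-SFX" and "1 DMG container file".
embedded_types() {
    printf '%s\n' "$1" \
      | sed -n 's/^LibClamAV debug: Matched signature for file type \(.*\) at [0-9][0-9]*$/\1/p' \
      | sort | uniq -c | sed 's/^ *//'
}

# scan_test_zip DIR: build DIR/eicar.zip around the EICAR test string and scan
# it with clamscan --debug, so the counters above can be checked on a real run.
# Returns 2 (and scans nothing) when clamscan or zip is not installed.
scan_test_zip() {
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed"; return 2; }
    command -v zip >/dev/null 2>&1 || { echo "zip not installed"; return 2; }
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1/eicar.com"
    (cd "$1" && zip -q eicar.zip eicar.com) && rm -f "$1/eicar.com"
    clamscan --debug "$1/eicar.zip" 2>&1
}

# Usage, on a live system:
#   out=$(scan_test_zip /tmp); archive_expanded "$out"; embedded_types "$out"
```

On a real run the EICAR member should be reported as found under the .zip path while "Scanned files" still reads 1, which is the behaviour Jinwon's log is showing: the archive was unpacked and its contents scanned, the counter simply does not say so.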