[clamav-users] ClamXav and Compressed Files
dennispe at inetnw.com
Sun Mar 29 00:50:52 EDT 2015
On 3/28/15 6:48 PM, Al Varnell wrote:
> On Sat, Mar 28, 2015 at 06:35 PM, Jinwon Lee wrote:
>> Thanks for the responses. I am not a computer expert so I might not fully understand
>> all that has been discussed, but it sounds like ClamXav extracts (decomposes?) archive
>> files like zip and RAR and then scans them. But with a .dmg file it is uncertain that
>> it does the same thing.
>> It sounds like ClamXav is not ‘complete’ yet.
> Again, we are discussing the ClamAV® scan engine here which is used by ClamXav but is not the same thing. ClamXav is just the user interface that allows you to use the scan engine on your computer.
> Perhaps I wasn’t clear on the results of my testing, but they indicate that the scan engine will not look at the contents of a .dmg file until you mount it on your desktop. It’s not so much that it’s incomplete, but I would have to guess that it’s not possible to do so. The scan may identify the .dmg file itself as one known to contain malware, depending on whether or not a sample was previously received and a signature prepared for it.
It should be possible to use cpio to extract the contents to a stream and feed
that into the ClamAV engine but the Windows people may be challenged to
replicate it without a posix tool kit.
For the wider audience: Remember that ClamAV is a cross-platform tool and it is
not likely that all platforms will have essential tools to burst a file system
image from another system. That said, cpio is a UNIX primitive and I can't
recall ever seeing a UNIX/derivative OS that didn't have it, and I worked on
first-gen UNIX well over thirty years ago. Nor have I ever seen a Windows system
where it was an included utility. And that is why it is important to know what
is compiled into some of these cross-platform utilities we all depend on.
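The mount-then-scan workflow Al describes above (the engine only sees a .dmg's contents once the image is attached), as an added example that is not code from this thread or from the ClamAV project. It assumes macOS's hdiutil and a clamscan binary on PATH; the plist sample and paths are constructed.

```python
"""Attach a .dmg read-only, scan every volume it exposes with clamscan, detach."""
import subprocess
import plistlib
from typing import List

# Constructed sample of `hdiutil attach -plist` output: one partition scheme
# entry without a mount point and one mounted volume.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>system-entities</key><array>
<dict><key>dev-entry</key><string>/dev/disk4</string></dict>
<dict><key>dev-entry</key><string>/dev/disk4s1</string>
<key>mount-point</key><string>/Volumes/Sample</string></dict>
</array></dict></plist>"""

def mount_points_from_plist(plist_bytes: bytes) -> List[str]:
    """Return every mount-point that hdiutil reports for the attached image."""
    info = plistlib.loads(plist_bytes)
    ents = info.get("system-entities", [])
    return [e["mount-point"] for e in ents if "mount-point" in e]

def summarize_rcs(rcs: List[int]) -> str:
    """Fold clamscan exit codes (0 clean, 1 infected, 2 error) into one verdict;
    an infection on any volume wins over an error elsewhere."""
    if 1 in rcs:
        return "infected"
    if any(rc != 0 for rc in rcs):
        return "error"
    return "clean"

def scan_dmg(dmg_path: str, clamscan: str = "clamscan") -> str:
    # -readonly/-nobrowse/-noautoopen: the image is not written to, not shown
    # in Finder and nothing inside it is auto-opened while it is being scanned.
    out = subprocess.run(["hdiutil", "attach", "-plist", "-readonly", "-nobrowse",
                          "-noautoopen", "-noverify", dmg_path],
                         check=True, capture_output=True).stdout
    mounts = mount_points_from_plist(out)
    if not mounts:
        raise RuntimeError("image attached but exposed no mounted volume")
    rcs = []
    try:
        for mp in mounts:  # recursive scan of the mounted contents
            rcs.append(subprocess.run([clamscan, "-r", "--infected", mp]).returncode)
    finally:
        for mp in mounts:  # always detach, even if clamscan failed
            subprocess.run(["hdiutil", "detach", mp, "-force"], check=False)
    return summarize_rcs(rcs)

if __name__ == "__main__":
    import sys
    print(scan_dmg(sys.argv[1]))
```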