[clamav-users] Trouble with foxhole

Hartmann, Jan j.hartmann at kirchhoff-automotive.com
Wed Oct 14 06:23:41 UTC 2015





Hi,
Today we had a lot of problems with exe files hidden in zip archives.

I tried to add the foxholedb to our clamav, but sadly it didn’t recognize the exe in the zip.


clamscan --database=/var/lib/clamav/foxhole_generic.cdb fatuousness\ paging\ policy\ work\ regulations.zip
fatuousness paging policy work regulations.zip: OK


Mit freundlichen Grüßen / Best Regards


i. A. Jan Hartmann
IT Administrator Groupware


KIRCHHOFF Witte GmbH
c/o KIRCHHOFF Automotive GmbH
Stefanstrasse 2
58638 Iserlohn
Germany


----------- SCAN SUMMARY -----------
Known viruses: 185
Engine version: 0.98.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.05 MB
Data read: 0.02 MB (ratio 2.60:1)
(attachment: clamscan debug output follows)
LibClamAV debug: searching for unrar, user-searchpath: /usr/lib
LibClamAV debug: searching for unrar: libclamunrar_iface.so.6.1.26 not found
LibClamAV debug: unrar support loaded from /usr/lib/libclamunrar_iface.so.6 libclamunrar_iface_so
LibClamAV debug: Initialized 0.98.7 engine
LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Bytecode initialized in JIT mode
LibClamAV debug: /var/lib/clamav/foxhole_generic.cdb loaded
LibClamAV debug: Initializing engine->root[0]
LibClamAV debug: Initialising AC pattern matcher of root[0]
LibClamAV debug: cli_initroots: Initializing BM tables of root[0]
LibClamAV debug: Initializing engine->root[1]
LibClamAV debug: Initialising AC pattern matcher of root[1]
LibClamAV debug: cli_initroots: Initializing BM tables of root[1]
LibClamAV debug: Initializing engine->root[2]
LibClamAV debug: Initialising AC pattern matcher of root[2]
LibClamAV debug: Initializing engine->root[3]
LibClamAV debug: Initialising AC pattern matcher of root[3]
LibClamAV debug: Initializing engine->root[4]
LibClamAV debug: Initialising AC pattern matcher of root[4]
LibClamAV debug: Initializing engine->root[5]
LibClamAV debug: Initialising AC pattern matcher of root[5]
LibClamAV debug: Initializing engine->root[6]
LibClamAV debug: Initialising AC pattern matcher of root[6]
LibClamAV debug: Initializing engine->root[7]
LibClamAV debug: Initialising AC pattern matcher of root[7]
LibClamAV debug: Initializing engine->root[8]
LibClamAV debug: Initialising AC pattern matcher of root[8]
LibClamAV debug: Initializing engine->root[9]
LibClamAV debug: Initialising AC pattern matcher of root[9]
LibClamAV debug: Initializing engine->root[10]
LibClamAV debug: Initialising AC pattern matcher of root[10]
LibClamAV debug: Initializing engine->root[11]
LibClamAV debug: Initialising AC pattern matcher of root[11]
LibClamAV debug: Initializing engine->root[12]
LibClamAV debug: Initialising AC pattern matcher of root[12]
LibClamAV debug: Initializing engine->root[13]
LibClamAV debug: Initialising AC pattern matcher of root[13]
LibClamAV debug: Loaded 145 filetype definitions
LibClamAV debug: Using filter for trie 0
LibClamAV debug: Matcher[0]: GENERIC: AC sigs: 76 (reloff: 1, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 32 
LibClamAV debug: Using filter for trie 1
LibClamAV debug: Matcher[1]: PE: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 
LibClamAV debug: Matcher[2]: OLE2: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[3]: HTML: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Using filter for trie 4
LibClamAV debug: Matcher[4]: MAIL: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[5]: GRAPHICS: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[6]: ELF: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Using filter for trie 7
LibClamAV debug: Matcher[7]: ASCII: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[8]: NOT USED: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[9]: MACH-O: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[10]: PDF: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[11]: FLASH: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[12]: JAVA: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[13]: INTERNAL: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Dynamic engine configuration settings:
LibClamAV debug: --------------------------------------
LibClamAV debug: Module PE: On
LibClamAV debug:    * Submodule     PARITE:	On
LibClamAV debug:    * Submodule       KRIZ:	On
LibClamAV debug:    * Submodule    MAGISTR:	On
LibClamAV debug:    * Submodule    POLIPOS:	On
LibClamAV debug:    * Submodule    MD5SECT:	On
LibClamAV debug:    * Submodule        UPX:	On
LibClamAV debug:    * Submodule        FSG:	On
LibClamAV debug:    * Submodule    SWIZZOR:	On
LibClamAV debug:    * Submodule     PETITE:	On
LibClamAV debug:    * Submodule     PESPIN:	On
LibClamAV debug:    * Submodule         YC:	On
LibClamAV debug:    * Submodule     WWPACK:	On
LibClamAV debug:    * Submodule     NSPACK:	On
LibClamAV debug:    * Submodule        MEW:	On
LibClamAV debug:    * Submodule      UPACK:	On
LibClamAV debug:    * Submodule     ASPACK:	On
LibClamAV debug:    * Submodule    CATALOG:	On
LibClamAV debug:    * Submodule DISABLECERT:	** Off **
LibClamAV debug:    * Submodule   DUMPCERT:	** Off **
LibClamAV debug:    * Submodule  MATCHICON:	On
LibClamAV debug: Module ELF: On
LibClamAV debug: Module MACHO: On
LibClamAV debug: Module ARCHIVE: On
LibClamAV debug:    * Submodule        RAR:	On
LibClamAV debug:    * Submodule        ZIP:	On
LibClamAV debug:    * Submodule       GZIP:	On
LibClamAV debug:    * Submodule       BZIP:	On
LibClamAV debug:    * Submodule        ARJ:	On
LibClamAV debug:    * Submodule       SZDD:	On
LibClamAV debug:    * Submodule        CAB:	On
LibClamAV debug:    * Submodule        CHM:	On
LibClamAV debug:    * Submodule       OLE2:	On
LibClamAV debug:    * Submodule        TAR:	On
LibClamAV debug:    * Submodule       CPIO:	On
LibClamAV debug:    * Submodule     BINHEX:	On
LibClamAV debug:    * Submodule        SIS:	On
LibClamAV debug:    * Submodule       NSIS:	On
LibClamAV debug:    * Submodule     AUTOIT:	On
LibClamAV debug:    * Submodule    ISHIELD:	On
LibClamAV debug:    * Submodule       7zip:	On
LibClamAV debug:    * Submodule    ISO9660:	On
LibClamAV debug:    * Submodule        DMG:	On
LibClamAV debug:    * Submodule        XAR:	On
LibClamAV debug:    * Submodule    HFSPLUS:	On
LibClamAV debug:    * Submodule         XZ:	On
LibClamAV debug: Module DOCUMENT: On
LibClamAV debug:    * Submodule       HTML:	On
LibClamAV debug:    * Submodule        RTF:	On
LibClamAV debug:    * Submodule        PDF:	On
LibClamAV debug:    * Submodule     SCRIPT:	On
LibClamAV debug:    * Submodule HTMLSKIPRAW:	On
LibClamAV debug:    * Submodule     JSNORM:	On
LibClamAV debug:    * Submodule        SWF:	On
LibClamAV debug: Module MAIL: On
LibClamAV debug:    * Submodule       MBOX:	On
LibClamAV debug:    * Submodule       TNEF:	On
LibClamAV debug: Module OTHER: On
LibClamAV debug:    * Submodule  UUENCODED:	On
LibClamAV debug:    * Submodule     SCRENC:	On
LibClamAV debug:    * Submodule       RIFF:	On
LibClamAV debug:    * Submodule       JPEG:	On
LibClamAV debug:    * Submodule    CRYPTFF:	On
LibClamAV debug:    * Submodule        DLP:	On
LibClamAV debug:    * Submodule  MYDOOMLOG:	On
LibClamAV debug:    * Submodule PREFILTERING:	On
LibClamAV debug:    * Submodule PDFNAMEOBJ:	On
LibClamAV debug:    * Submodule  PRTNINTXN:	On
LibClamAV debug: Module PHISHING On
LibClamAV debug:    * Submodule     ENGINE:	On
LibClamAV debug:    * Submodule    ENTCONV:	On
LibClamAV debug: Module BYTECODE On
LibClamAV debug:    * Submodule INTERPRETER:	On
LibClamAV debug:    * Submodule    JIT X86:	On
LibClamAV debug:    * Submodule    JIT PPC:	On
LibClamAV debug:    * Submodule    JIT ARM:	** Off **
LibClamAV debug: Module STATS Off
LibClamAV debug: pool memory used: 5.937 MB
LibClamAV debug: No bytecodes loaded, not running builtin test
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized ZIP file
LibClamAV debug: cache_check: a60a67db9972504c370bc088fad5eb09 is negative
LibClamAV debug: in cli_unzip
LibClamAV debug: cli_unzip: central @52b8
LibClamAV debug: cli_unzip: ch - flags 2 - method 8 - csize 527b - usize 8a00 - flen e - elen 9 - clen 0 - disk 0 - off 0
LibClamAV debug: cli_unzip: ch - fname: 8045207857.exe
LibClamAV debug: cli_unzip: lh - ZMDNAME:0:8045207857.exe:35328:21115:ecea7732:8:1:1
LibClamAV debug: CDBNAME:CL_TYPE_ZIP:21115:8045207857.exe:21115:35328:0:1:3974788914:(nil)
LibClamAV debug: cli_unzip: extracted to /tmp/clamav-5cbfdda8d607b898a1a31c62e967d7e5.tmp/zip.000
LibClamAV debug: in cli_magic_scandesc (reclevel: 1/16)
LibClamAV debug: Recognized MS-EXE/DLL file
LibClamAV debug: cache_check: 6d66dfaa8f5987ef48943c3cc2e8b8db is negative
LibClamAV debug: in cli_peheader
LibClamAV debug: versioninfo_cb: type: 10, name: 1, lang: 409, rva: 8110
LibClamAV debug: cli_peheader: parsing version info @ rva 8110 (1/1)
LibClamAV debug: VersionInfo (838e): 'CompanyName'='UnitedPeople Corporation' - VI:43006f006d00700061006e0079004e0061006d0065000000000055006e006900740065006400500065006f0070006c006500200043006f00720070006f0072006100740069006f00
LibClamAV debug: VersionInfo (83e2): 'FileDescription'='UnitedPeople tools' - VI:460069006c0065004400650073006300720069007000740069006f006e000000000055006e006900740065006400500065006f0070006c006500200074006f006f006c00
LibClamAV debug: VersionInfo (8432): 'FileVersion'='1.1.161.1' - VI:460069006c006500560065007200730069006f006e000000000031002e0031002e00310036003100
LibClamAV debug: VersionInfo (8466): 'InternalName'='unipeo.EXE' - VI:49006e007400650072006e0061006c004e0061006d006500000075006e006900700065006f002e0045005800
LibClamAV debug: VersionInfo (849e): 'LegalCopyright'='R©UnitedPeople Corporation.  All rights reserved.' - VI:4c006500670061006c0043006f00700079007200690067006800740000001204a90055006e006900740065006400500065006f0070006c006500200043006f00720070006f0072006100740069006f006e002e002000200041006c006c00200072006900670068007400730020007200650073006500720076006500
LibClamAV debug: VersionInfo (8526): 'OriginalFilename'='invepeo.EXE' - VI:4f0072006900670069006e0061006c00460069006c0065006e0061006d006500000069006e0076006500700065006f002e004500
LibClamAV debug: VersionInfo (8566): 'ProductName'='UnitedPeopleR® pure tools' - VI:500072006f0064007500630074004e0061006d0065000000000055006e006900740065006400500065006f0070006c0065001204ae0020007000750072006500200074006f006f00
LibClamAV debug: VersionInfo (85ba): 'ProductVersion'='1.1.161.1' - VI:500072006f006400750063007400560065007200730069006f006e00000031002e0031002e00310036003100
LibClamAV debug: Matched signature for file type PE
LibClamAV debug: hashtab: Freeing hashset, elements: 8, capacity: 64
LibClamAV debug: e_lfanew == 216
LibClamAV debug: File type: Executable
LibClamAV debug: Machine type: 80386
LibClamAV debug: NumberOfSections: 3
LibClamAV debug: TimeDateStamp: Tue Jul  1 12:57:51 2014
LibClamAV debug: SizeOfOptionalHeader: e0
LibClamAV debug: File format: PE
LibClamAV debug: MajorLinkerVersion: 6
LibClamAV debug: MinorLinkerVersion: 0
LibClamAV debug: SizeOfCode: 0x3400
LibClamAV debug: SizeOfInitializedData: 0x5200
LibClamAV debug: SizeOfUninitializedData: 0x0
LibClamAV debug: AddressOfEntryPoint: 0x1e06
LibClamAV debug: BaseOfCode: 0x1000
LibClamAV debug: SectionAlignment: 0x1000
LibClamAV debug: FileAlignment: 0x200
LibClamAV debug: MajorSubsystemVersion: 4
LibClamAV debug: MinorSubsystemVersion: 0
LibClamAV debug: SizeOfImage: 0xb000
LibClamAV debug: SizeOfHeaders: 0x400
LibClamAV debug: NumberOfRvaAndSizes: 16
LibClamAV debug: Subsystem: Win32 GUI
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 0
LibClamAV debug: Section name: .text
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x3216 0x4000
LibClamAV debug: VirtualAddress: 0x1000 0x1000
LibClamAV debug: SizeOfRawData: 0x3400 0x3400
LibClamAV debug: PointerToRawData: 0x400 0x400
LibClamAV debug: Section contains executable code
LibClamAV debug: Section's memory is executable
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 1
LibClamAV debug: Section name: .data
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x220e 0x3000
LibClamAV debug: VirtualAddress: 0x5000 0x5000
LibClamAV debug: SizeOfRawData: 0x2400 0x2400
LibClamAV debug: PointerToRawData: 0x3800 0x3800
LibClamAV debug: Section's memory is writeable
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 2
LibClamAV debug: Section name: .rsrc
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x2d70 0x3000
LibClamAV debug: VirtualAddress: 0x8000 0x8000
LibClamAV debug: SizeOfRawData: 0x2e00 0x2e00
LibClamAV debug: PointerToRawData: 0x5c00 0x5c00
LibClamAV debug: ------------------------------------
LibClamAV debug: EntryPoint offset: 0x1206 (4614)
LibClamAV debug: Bytecode executing hook id 259 (0 hooks)
LibClamAV debug: Bytecode: no logical signature matched, no bytecode executed
LibClamAV debug: Bytecode executing hook id 257 (0 hooks)
LibClamAV debug: Bytecode: no logical signature matched, no bytecode executed
LibClamAV debug: cli_magic_scandesc: returning 0  at line 2477
LibClamAV debug: cache_add: 6d66dfaa8f5987ef48943c3cc2e8b8db (level 0)
LibClamAV debug: cli_unzip: ch - wrkcomplete
LibClamAV debug: Matched signature for file type ZIP-SFX at 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: cli_magic_scandesc: returning 0  at line 2477
LibClamAV debug: cache_add: a60a67db9972504c370bc088fad5eb09 (level 0)
fatuousness paging policy work regulations.zip: OK
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

----------- SCAN SUMMARY -----------
Known viruses: 185
Engine version: 0.98.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.05 MB
Data read: 0.02 MB (ratio 2.60:1)
Time: 0.012 sec (0 m 0 s)
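As an added example (not part of the original post, and not ClamAV's or Foxhole's own code): a small Python emulation of how ClamAV compares a .cdb container-metadata signature against the member values printed in the CDBNAME debug line above, reporting which field stopped a rule from firing. The rule lines are constructed for illustration and are not real Foxhole signatures; Python's re.search stands in for ClamAV's regex engine.

```python
import re

# Field order of a ClamAV .cdb signature, after the VirusName, as documented:
# ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:
# IsEncrypted:FilePos:Res1:Res2   (Res1 is the CRC32 of the member for ZIP)
CDB_FIELDS = ("container_type", "container_size", "filename_regex",
              "size_in_container", "size_real", "is_encrypted",
              "file_pos", "res1", "res2")

# Debug line copied from the log above: the values ClamAV matched against.
DEBUG_LINE = ("LibClamAV debug: CDBNAME:CL_TYPE_ZIP:21115:8045207857.exe"
              ":21115:35328:0:1:3974788914:(nil)")

# Constructed rules (not real Foxhole signatures), in .cdb syntax.
RULE_ANY_EXE = r"Constructed.Zip_exe:CL_TYPE_ZIP:*:(?i)\.exe$:*:*:*:*:*:*"
RULE_ENCRYPTED_EXE = r"Constructed.Zip_enc_exe:CL_TYPE_ZIP:*:(?i)\.exe$:*:*:1:*:*:*"
RULE_CRC_PIN = "Constructed.Zip_known_exe:CL_TYPE_ZIP:*:*:*:35328:*:*:3974788914:*"

def parse_cdbname_debug(line):
    """Turn a 'CDBNAME:...' debug line into a dict keyed by CDB_FIELDS.
    The FileNameREGEX slot carries the actual member name."""
    m = re.search(r"CDBNAME:(.*)$", line.strip())
    if not m or len(vals := m.group(1).split(":")) != len(CDB_FIELDS):
        raise ValueError("not a CDBNAME debug line")
    return dict(zip(CDB_FIELDS, vals))

def _num_ok(spec, value):
    """'*' matches anything, 'N' an exact value, 'N-M' an inclusive range."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= int(value) <= int(hi)
    return int(spec) == int(value)

def first_mismatch(signature, meta):
    """Return None if the rule fires on the member, else the field that failed."""
    _name, *fields = signature.strip().split(":", 9)
    if len(fields) != len(CDB_FIELDS):
        raise ValueError("malformed .cdb line")
    sig = dict(zip(CDB_FIELDS, fields))
    if sig["container_type"] not in ("*", meta["container_type"]):
        return "container_type"
    if sig["filename_regex"] != "*" and not re.search(sig["filename_regex"],
                                                      meta["filename_regex"]):
        return "filename_regex"
    for f in ("container_size", "size_in_container", "size_real",
              "is_encrypted", "file_pos", "res1"):   # Res2 is not compared
        if not _num_ok(sig[f], meta[f]):
            return f
    return None
```

Feeding the log's CDBNAME line to first_mismatch with each rule of the database in turn shows, field by field, why nothing fired on 8045207857.exe.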

