[clamav-users] scanning mp3-files with clamscan

[Eric Tykwinski]

> On Jul 9, 2017, at 1:21 PM, G.W. Haywood <clamav at jubileegroup.co.uk> wrote:
> 
> Hi there,
> 
> On Sun, 9 Jul 2017, Rosika wrote:
> 
>> I want to scan an mp3-file (about 60 MB in size).
>> Yet I get the message: "Data scanned: 0.00 MB"
>> ...
>> Is there any way of scanning mp3-files with clamscan?
> 
> Try compressing the file with gzip first:
> 
> cat file | gzip | clamscan -

I got a bit interested, so decided to write a quick yara script:
rule mp3_test {
meta:
 description = "Find ID3 string at beginning of file"

strings:
 $id3 = {49 44 33 03}

condition:
 $id3 at 0
}

Sort of strange, that yara is catching it, but clamav isn’t.

Erics-Mac-Pro:temp eric$ clamscan -d mp3.yara ./
./.DS_Store: OK
./01 For Fruits Basket - TV Edit.mp3: OK
./01 Prologue-(Apprehension).mp3: OK
./01 The Ultimate -Naked mix -.mp3: OK
./01 Visitor.mp3: OK
./1-01 101_Book I Line 1 'Of Man's First Disobedience & The Fruit'.mp3: OK
./mp3.yara: OK

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 7
Infected files: 0
Data scanned: 0.01 MB
Data read: 31.84 MB (ratio 0.00:1)
Time: 0.092 sec (0 m 0 s)

Erics-Mac-Pro:temp eric$ yara mp3.yara ./
mp3_test .//01 For Fruits Basket - TV Edit.mp3
mp3_test .//01 Visitor.mp3
mp3_test .//01 Prologue-(Apprehension).mp3
mp3_test .//01 The Ultimate -Naked mix -.mp3
mp3_test .//1-01 101_Book I Line 1 'Of Man's First Disobedience & The Fruit’.mp3

Just wondering if this is a limitation of ClamAV, or am I doing something wrong?