[clamav-users] scanning mp3-files with clamscan

Tue Jul 18 06:21:13 UTC 2017

True MP3 files contain sounds that a media player plays. Anything executable can't be handled by the player and the worst thing that might happen would involve crashing the player, if that's even possible.

Most, if not all scanners ignore such files. They take a long time to scan with a high probability of zero results. The only example I can locate that comes close to maliciousness would is one that contacts an Internet site capable of downloading actual malware. Such a site would not last long and the actual malware will likely be found before the download completes.

Feel free to locate or better yet submit a sample of anything else and you stand a chance of convincing someone that it would be worthy of changing the policy.

Sent from Janet's iPad

-Al-
-- 
Al Varnell
Mountain View, CA
ClamXAV User

On Jul 17, 2017, at 8:45 PM, Paul Kosinski wrote:
> Are MP3 files ignored because it is impossible that MP3 software ever
> has buffer overflows or other security flaws???
> 
> Or is it because MP3 files are compressed (i.e., random-looking) and
> thus may cause false positives? What about all the other compressed or
> encrypted file types which might do the same?
> 
> In other words, I don't understand why they all would be ignored.
> 
> On Mon, 17 Jul 2017 17:22:52 -0400, Steven Morgan wrote:
>> Rosika,
>> 
>> The reason the MP3 file is not scanned is because the file type
>> signatures for MP3 direct that they are ignored. Particularly:
>> 
>> "0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
>>  and
>> "0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
>> 
>> These definitions are in the daily.ftm file of the ClamAV virus
>> database.
>> 
>> Steve
>> 
>> On Sun, Jul 9, 2017 at 10:04 AM, Christian wrote:
>>> Hi,
>>> 
>>> I want to scan an mp3-file (about 60 MB in size).
>>> My command is:
>>> 
>>> clamscan
>>> /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3
>>> 
>>> Yet I get the message: "Data scanned: 0.00 MB"
>>> First I thought that the file was too large, so I used a new
>>> command:
>>> 
>>> clamscan --max-filesize=300M --max-scansize=300M
>>> /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3
>>> 
>>> But this didn´t work either.
>>> In the meantime I think that´s due to the nature of the respective
>>> file. The file being mp3.
>>> Could this be the case?
>>> 
>>> I also tried:
>>> 
>>> dd
>>> if=/home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_
>>> Holmes/hörspiel.mp3
>>> | clamscan -
>>> 
>>> Output:
>>> 
>>> 126592+1 Datensätze ein
>>> 126592+1 Datensätze aus
>>> 64815503 bytes (65 MB, 62 MiB) copied, 10,9642 s, 5,9 MB/s
>>> stdin: OK
>>> 
>>> ----------- SCAN SUMMARY -----------
>>> Known viruses: 6299938
>>> Engine version: 0.99.2
>>> Scanned directories: 0
>>> Scanned files: 1
>>> Infected files: 0
>>> Data scanned: 0.00 MB
>>> Data read: 61.81 MB (ratio 0.00:1)
>>> Time: 11.596 sec (0 m 11 s)
>>> 
>>> Is there any way of scanning mp3-files with clamscan?
>>> 
>>> Greetings.
>>> Rosika