[clamav-users] ClamAV can't scan DVD-size ISO files
Al Varnell
alvarnell at mac.com
Fri Sep 15 03:13:57 UTC 2017
I realize this is only peripherally related to the OP's issue, but I believe it's similar enough to bring it back to the list again.
I mentioned earlier that I ran tests on a .dmg (back in March 2015) by first creating my own .dmg with an eicar test file on-board. But that was made with engine 98.6 when the dmg capability was first added.
I just repeated that test using engine 99.2, running clamscan --debug on the file, and it still does not detect any infection, nor does it identify the file as a DMG:
> LibClamAV debug: * Submodule DMG: On
> ...
> LibClamAV debug: Recognized binary data
> ...
> /Volumes/Macintosh HD/Users/***/Documents/EicarTest.dmg: OK
> ----------- SCAN SUMMARY -----------
> Known viruses: 7343153
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 15.24 MB
> Data read: 7.55 MB (ratio 2.02:1)
> Time: 13.971 sec (0 m 13 s)
After mounting the image and scanning that:
> LibClamAV debug: Recognized ASCII text
> LibClamAV debug: cache_check: 44d88612fea8a8f36de82e1278abb02f is negative
> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> LibClamAV debug: Eicar-Test-Signature found
> LibClamAV debug: FP SIGNATURE: 44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
> LibClamAV debug: cli_magic_scandesc: returning 1 at line 2685
> /Volumes/Disk Image/eicar.com: Eicar-Test-Signature FOUND
> ----------- SCAN SUMMARY -----------
> Known viruses: 7343153
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 10.979 sec (0 m 10 s)
I plan on doing additional tests against at least one other .dmg that I know contains malware when I have more time.
-Al-
On Thu, Sep 14, 2017 at 11:45 AM, Paul Kosinski wrote:
> I tried the --debug option and it produced a lot of output (which I can
> provide if it would help). It *did* say the following, however:
>
> LibClamAV debug: Module ARCHIVE: On
> LibClamAV debug: * Submodule RAR: On
> LibClamAV debug: * Submodule ZIP: On
> LibClamAV debug: * Submodule GZIP: On
> ...
> LibClamAV debug: * Submodule 7zip: On
> LibClamAV debug: * Submodule ISO9660: On
> LibClamAV debug: * Submodule DMG: On
> ...
>
> so it apparently knows about ISOs.
>
> It also scanned 0 data bytes in a CD-sized ISO, so it isn't just the
> problem that DVD ISOs are "too big".
>
> Paul Kosinski
>
>
> On Thu, 14 Sep 2017 12:51:38 -0400
> Steven Morgan <smorgan at sourcefire.com> wrote:
>
>> ClamAV contains an iso9660 parser.
>>
>> The clamscan --debug option may give a clue as to why it is not being
>> scanned.
>>
>> Steven Morgan
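An added pre-flight check, written for this edit and not taken from the thread or from the ClamAV project: before concluding that the ISO9660 or DMG parser is at fault, confirm two things about the image. First, that it actually carries the marker those formats are identified by: an ISO9660 image has the primary volume descriptor identifier "CD001" at byte 0x8001 (sector 16 of 2048 bytes, after the one-byte descriptor type), and an Apple disk image ends with a 512-byte trailer beginning with "koly". Second, that the file is not simply larger than clamscan's default --max-filesize of 25M (--max-scansize defaults to 100M): a top-level file above that limit is skipped and reported OK, which shows up as "Data scanned: 0.00 MB" and is worth ruling out for any CD- or DVD-sized ISO. The function names are illustrative, and the two images the script builds are constructed stand-ins containing only the bytes the checks inspect; they are not valid, mountable images.

```shell
#!/bin/sh
# Added example, not from the thread or from ClamAV. Pre-flight checks for an
# image that clamscan reports OK with nothing scanned. Function names and the
# constructed sample images are illustrative assumptions.

# clamscan defaults: --max-filesize 25M (a larger file is skipped and assumed
# clean), --max-scansize 100M.
CLAMSCAN_DEFAULT_MAX_FILESIZE=$((25 * 1024 * 1024))

# file_size FILE: size in bytes (wc -c, trimmed because BSD wc pads with spaces)
file_size() {
    wc -c < "$1" | tr -d ' '
}

# iso9660_magic FILE: succeed if the primary volume descriptor identifier
# "CD001" sits at byte 0x8001 (sector 16 of 2048 bytes, after the type byte).
# A file shorter than that cannot hold the descriptor, so bail out early
# instead of asking dd to skip past EOF.
iso9660_magic() {
    [ "$(file_size "$1")" -ge 32774 ] || return 1
    marker=$(dd if="$1" bs=1 skip=32769 count=5 2>/dev/null)
    [ "$marker" = "CD001" ]
}

# dmg_koly_trailer FILE: succeed if the last 512 bytes start with "koly", the
# Apple disk image trailer. An image without it, or with data appended after
# it, is not a well-formed DMG.
dmg_koly_trailer() {
    marker=$(tail -c 512 "$1" | dd bs=1 count=4 2>/dev/null)
    [ "$marker" = "koly" ]
}

# exceeds_default_limit FILE: succeed if clamscan at default settings would
# skip the file outright
exceeds_default_limit() {
    [ "$(file_size "$1")" -gt "$CLAMSCAN_DEFAULT_MAX_FILESIZE" ]
}

# suggested_clamscan_cmd FILE: print a clamscan invocation with both limits
# raised to cover the whole image (size rounded up to whole MiB)
suggested_clamscan_cmd() {
    sz=$(file_size "$1")
    mb=$(( (sz + 1048575) / 1048576 ))
    printf 'clamscan --max-filesize=%sM --max-scansize=%sM --debug %s\n' "$mb" "$mb" "$1"
}

# image_report FILE: one line per finding, for running by hand on a real image
image_report() {
    f=$1
    if iso9660_magic "$f"; then
        echo "$f: ISO9660 volume descriptor at 0x8001"
    elif dmg_koly_trailer "$f"; then
        echo "$f: DMG koly trailer present"
    else
        echo "$f: no ISO9660 or DMG marker; libclamav will treat it as raw binary data"
    fi
    if exceeds_default_limit "$f"; then
        echo "$f: larger than 25M, skipped at defaults; rerun as: $(suggested_clamscan_cmd "$f")"
    fi
}

# Constructed sample images (not valid, mountable images): only the bytes the
# checks above inspect, so the script runs offline.
make_fake_iso() {
    { dd if=/dev/zero bs=32769 count=1 2>/dev/null; printf 'CD001'; } > "$1"
}
make_fake_dmg() {
    { printf 'koly'; dd if=/dev/zero bs=508 count=1 2>/dev/null; } > "$1"
}

# Usage: sh this_script.sh /path/to/image.iso
if [ "${1:-}" ]; then
    image_report "$1"
fi
```

Run image_report against the real ISO or DMG. If the marker is present and the size is under the limit, the parser itself is the next suspect and the --debug output is the place to look; if the file is over 25M, rerun with the limits raised as the printed command suggests before reading anything into "OK".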