[clamav-users] ClamAV 0.101.0 beta rar issue
Steve Basford
steveb_clamav at sanesecurity.com
Thu Nov 8 13:30:31 UTC 2018
Hi,
Using a cdb sig in this format:
Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for quotation.{0,30}\.exe$:*:*:*:2:*:*
The above sig will work on a Rar pre v5 format file, to catch a *single*
exe in a rar file.
In ClamAV 0.101.0 beta (which has Rar v5 support), the above
wasn't detecting anything, but should have.
According to the documents... CDB signature:
FilePos: file position in container (counting from *1*); absolute value or range
In a Rar v3 archive, with a SINGLE exe inside using Clamav-0.99.4:
LibClamAV debug: CDBNAME:CL_TYPE_RAR:182253:request for quotation:182253:378880:0:2:1173764330:00000000
(note: the :2: part for FilePos)
In a Rar v3 archive, with a SINGLE exe inside using ClamAV 0.101.0 beta:
LibClamAV debug: CDBNAME:CL_TYPE_RAR:182253:request for quotation:182253:378880:0:1:1173764330:00000000
(note: the :1: part for FilePos)
In a Rar v5 archive, with a SINGLE exe inside, using ClamAV 0.101.0 beta:
LibClamAV debug: CDBNAME:CL_TYPE_RAR:402906:Request For Quotation 142537.exe:402906:3851480:0:1:4067430729:00000000
(note: the :1: part for FilePos)
So, Clamav-0.99.4 on a Rar v3 file reports the *first* file as 2 for the
FilePos.
ClamAV 0.101.0 beta on a Rar v3 or v5 archive... reports the *first* file
as 1 for the FilePos.
Which is a bit of an issue for backwards compatibility...
I could change Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for quotation.{0,30}\.exe$:*:*:*:2:*:* to match any file position, e.g.:
Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for quotation.{0,30}\.exe$:*:*:*:*:*:*
but that might have a higher FP rate.
I guess the old rar unpacker starts at filepos 2, the new one starts at
filepos 1, which matches the documentation.
I guess the new unpacker could be changed to just add a +1 to the filepos
and then adjust the documents?
The above was tested using: clamav-0.101.0-beta-win-x86-portable
--
Cheers,
Steve
Twitter: @sanesecurity
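To make the FilePos discrepancy above concrete, here is an added, self-contained re-implementation of CDB container-metadata matching in Python. It is illustrative code written for this page, not ClamAV's own matcher: it splits a .cdb line into the ten documented fields (VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2), supports `*`, absolute values and `min-max` ranges in the numeric fields, and evaluates the signature against constructed container entries whose sizes are taken from the debug lines in the post. The file names, the `engine` label, and the use of Python's `re` in place of ClamAV's regex engine are assumptions; Res1/Res2 are not evaluated.

```python
import re
from dataclasses import dataclass

# Field order of a .cdb line as documented for ClamAV container metadata signatures.
CDB_FIELDS = ("VirusName", "ContainerType", "ContainerSize", "FileNameREGEX",
              "FileSizeInContainer", "FileSizeReal", "IsEncrypted", "FilePos",
              "Res1", "Res2")


@dataclass
class ContainerEntry:
    """One file inside an archive, as an unpacker would report it (constructed here)."""
    engine: str            # label only: which ClamAV build produced the metadata
    container_type: str    # e.g. CL_TYPE_RAR
    container_size: int
    filename: str
    size_in_container: int
    size_real: int
    encrypted: int         # 0 or 1
    filepos: int           # position of the file within the container


def parse_numeric_field(field):
    """'*' -> None (match anything); 'N' -> (N, N); 'min-max' -> (min, max)."""
    if field == "*":
        return None
    if "-" in field:
        lo, hi = field.split("-", 1)
        return (int(lo), int(hi))
    value = int(field)
    return (value, value)


def parse_cdb(line):
    """Split one .cdb line into its ten fields; pre-parse the numeric and regex ones."""
    parts = line.strip().split(":")
    if len(parts) != len(CDB_FIELDS):
        raise ValueError(f"expected {len(CDB_FIELDS)} fields, got {len(parts)}")
    sig = dict(zip(CDB_FIELDS, parts))
    # Assumption: a Python re search is close enough to ClamAV's regex engine for
    # the anchored, case-insensitive patterns used here.
    sig["FileNameREGEX"] = re.compile(sig["FileNameREGEX"])
    for key in ("ContainerSize", "FileSizeInContainer", "FileSizeReal", "FilePos"):
        sig[key] = parse_numeric_field(sig[key])
    return sig


def in_range(value, rng):
    return rng is None or rng[0] <= value <= rng[1]


def cdb_matches(sig, entry):
    """True if every non-wildcard field of the signature agrees with the entry."""
    if sig["ContainerType"] not in ("*", entry.container_type):
        return False
    if not in_range(entry.container_size, sig["ContainerSize"]):
        return False
    if not sig["FileNameREGEX"].search(entry.filename):
        return False
    if not in_range(entry.size_in_container, sig["FileSizeInContainer"]):
        return False
    if not in_range(entry.size_real, sig["FileSizeReal"]):
        return False
    if sig["IsEncrypted"] != "*" and int(sig["IsEncrypted"]) != entry.encrypted:
        return False
    # The field the post is about: an unpacker counting from 1 vs. from 2.
    return in_range(entry.filepos, sig["FilePos"])


SIG_POS2 = (r"Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:"
            r"(?i)^request for quotation.{0,30}\.exe$:*:*:*:2:*:*")
SIG_ANYPOS = SIG_POS2.replace(":2:*:*", ":*:*:*")     # the looser variant from the post
SIG_RANGE = SIG_POS2.replace(":2:*:*", ":1-2:*:*")    # a range covering both unpackers

# Constructed metadata: sizes from the post's debug lines, file names assumed
# (the post's own debug output for the v3 case shows the name truncated).
ENTRIES = [
    ContainerEntry("0.99.4, RAR v3", "CL_TYPE_RAR", 182253,
                   "request for quotation.exe", 182253, 378880, 0, 2),
    ContainerEntry("0.101.0 beta, RAR v3", "CL_TYPE_RAR", 182253,
                   "request for quotation.exe", 182253, 378880, 0, 1),
    ContainerEntry("0.101.0 beta, RAR v5", "CL_TYPE_RAR", 402906,
                   "Request For Quotation 142537.exe", 402906, 3851480, 0, 1),
]


def evaluate(sig_line, entries=ENTRIES):
    """Return one bool per entry: does the signature fire on it?"""
    sig = parse_cdb(sig_line)
    return [cdb_matches(sig, e) for e in entries]


if __name__ == "__main__":
    for label, sig_line in (("FilePos=2", SIG_POS2), ("FilePos=*", SIG_ANYPOS),
                            ("FilePos=1-2", SIG_RANGE)):
        for entry, hit in zip(ENTRIES, evaluate(sig_line)):
            print(f"{label:12} {entry.engine:22} -> {'MATCH' if hit else 'no match'}")
```

Running it shows the original `:2:` signature firing only on the 0.99.4 metadata, while both the `*` wildcard and a `1-2` range fire on all three entries; the range keeps some positional constraint, which is the trade-off against the wider-open `*` the post mentions.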