[clamav-users] ClamAV 0.101.0 beta rar issue

Steve Basford steveb_clamav at sanesecurity.com
Thu Nov 8 13:30:31 UTC 2018


Hi,

Using a cdb sig in this format:

Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for quotation.{0,30}\.exe$:*:*:*:2:*:*

The above sig will work on a Rar pre v5 format file, to catch a *single*
exe in a rar file.

In ClamAV 0.101.0 beta (which has Rar v5 support), the above
wasn't detecting anything, but should have.

According to the documents... CDB signature:

FilePos: file position in container (counting from *1*); absolute value or range


In a Rar v3 archive, with a SINGLE exe inside using Clamav-0.99.4:

LibClamAV debug: CDBNAME:CL_TYPE_RAR:182253:request for quotation:182253:378880:0:2:1173764330:00000000

(note: the :2: part for FilePos)

In a Rar v3 archive, with a SINGLE exe inside using ClamAV 0.101.0 beta:

LibClamAV debug: CDBNAME:CL_TYPE_RAR:182253:request for quotation:182253:378880:0:1:1173764330:00000000

(note: the :1: part for FilePos)


In a Rar v5 archive, with a SINGLE exe inside, using ClamAV 0.101.0 beta:

LibClamAV debug: CDBNAME:CL_TYPE_RAR:402906:Request For Quotation 142537.exe:402906:3851480:0:1:4067430729:00000000

(note: the :1: part for FilePos)


So, Clamav-0.99.4 on a Rar v3 file reports the *first* file as 2 for the
FilePos.

ClamAV 0.101.0 beta on a Rar v3 or v5 archive... reports the *first* file
as 1 for the FilePos.

Which is a bit of an issue for backwards compatibility...

I could change
Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for quotation.{0,30}\.exe$:*:*:*:2:*:*
to match any file position, e.g.:
Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for quotation.{0,30}\.exe$:*:*:*:*:*:*
but might have a higher FP rate.

I guess the old rar unpacker starts at filepos 2, the new one, starts at
filepos 1, which matched the documentation.

I guess the new unpacker could be changed to just add a +1 to the filepos
and then adjust the documents?

The above was tested using: clamav-0.101.0-beta-win-x86-portable

-- 
Cheers,

Steve
Twitter: @sanesecurity
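As an added illustration (not code from this thread, from ClamAV or from Sanesecurity), the Python below re-implements only the CDB field checks the documentation quoted above describes, and runs the two signature variants from the message against the first RAR member under each engine's FilePos numbering. The member metadata is constructed from the values in the 0.101.0 beta debug line, and Python's `re` stands in for ClamAV's filename matcher.

```python
import re

# Field order of a ClamAV .cdb signature, per the ClamAV signature documentation:
# Name:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2
CDB_FIELDS = ("name", "ctype", "csize", "fname_re", "fsize_in", "fsize_real",
              "encrypted", "filepos", "res1", "res2")

def parse_cdb(line):
    """Split a .cdb line into its ten fields. Three fields are cut from the left and
    six from the right, so a ':' inside the filename regex does not break parsing."""
    name, ctype, csize, rest = line.strip().split(":", 3)
    tail = rest.rsplit(":", 6)
    if len(tail) != 7:
        raise ValueError("expected 10 colon-separated fields: %r" % line)
    return dict(zip(CDB_FIELDS, [name, ctype, csize] + tail))

def numeric_field_matches(spec, value):
    """Numeric CDB fields accept '*' (any), an absolute value, or an inclusive range 'lo-hi'."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= value <= hi
    return int(spec) == value

def cdb_matches(sig, member):
    """Apply the documented CDB field checks to one container member; `member` holds the
    values LibClamAV prints in its CDBNAME debug line. Python's re stands in for ClamAV's matcher."""
    if sig["ctype"] != "*" and sig["ctype"] != member["ctype"]:
        return False
    if not re.search(sig["fname_re"], member["fname"]):
        return False
    return all(numeric_field_matches(sig[f], member[f])
               for f in ("csize", "fsize_in", "fsize_real", "encrypted", "filepos"))

def first_member(filepos):
    """Constructed metadata for the single .exe in the RAR v5 debug line above; only FilePos
    varies: 0.99.4 numbered the first member 2, 0.101.0 beta numbers it 1."""
    return {"ctype": "CL_TYPE_RAR", "csize": 402906, "fname": "Request For Quotation 142537.exe",
            "fsize_in": 402906, "fsize_real": 3851480, "encrypted": 0, "filepos": filepos}

def compat_check(sig_line):
    """Return (hit under 0.99.4 FilePos numbering, hit under 0.101.0 beta numbering)."""
    sig = parse_cdb(sig_line)
    return cdb_matches(sig, first_member(2)), cdb_matches(sig, first_member(1))

PINNED = r"Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for quotation.{0,30}\.exe$:*:*:*:2:*:*"
ANYPOS = r"Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for quotation.{0,30}\.exe$:*:*:*:*:*:*"
```

`compat_check(PINNED)` returns `(True, False)`, reproducing the lost detection after the off-by-one change, while `compat_check(ANYPOS)` returns `(True, True)` at the cost of no longer constraining the member's position.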
