[clamav-users] ClamAV 0.101.0 beta rar issue

Steve Basford steveb_clamav at sanesecurity.com
Thu Nov 8 13:30:31 UTC 2018


Using a cdb sig in this format:

Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for

The above sig will work on a Rar pre v5 format file, to catch a *single*
exe in a rar file.

In ClamAV 0.101.0 beta (which has Rar v5 support), the above
wasn't detecting anything, but should have.

According to the documents... CDB signature:

: file position in container (counting from *1*); absolute value or

In a Rar v3 archive, with a SINGLE exe inside using Clamav-0.99.4:

LibClamAV debug: CDBNAME:CL_TYPE_RAR:182253:request for

(note: the :2: part for FilePos)

In a Rar v3 archive, with a SINGLE exe inside using ClamAV 0.101.0 beta:

LibClamAV debug: CDBNAME:CL_TYPE_RAR:182253:request for

(note: the :1: part for FilePos)

In a Rar v5 archive, with a SINGLE exe inside, using ClamAV 0.101.0 beta:

LibClamAV debug: CDBNAME:CL_TYPE_RAR:402906:Request For Quotation

(note: the :1: part for FilePos)

So, Clamav-0.99.4 on a Rar v3 file reports the *first* file as 2 for the

ClamAV 0.101.0 beta on a Rar v3 or v5 archive... reports the *first* file
as 1 for the FilePos.

Which is a bit of an issue for backwards compatibility...

I could change Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request
for quotation.{0,30}\.exe$:*:*:*:2:*:* to match any file position, e.g.:
Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for
quotation.{0,30}\.exe$:*:*:*:*:*:* but it might have a higher FP rate.

I guess the old rar unpacker starts at filepos 2, the new one, starts at
filepos 1, which matched the documentation.

I guess the new unpacker could be changed to just add +1 to the filepos
and then adjust the documents?

The above was tested using: clamav-0.101.0-beta-win-x86-portable


Twitter: @sanesecurity
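As an added illustration of the FilePos behaviour described in the post (example code written for this page, not code from the thread or from ClamAV), the following Python splits the CDB signature into its ten fields and evaluates it against a constructed single-exe listing numbered the two ways the post reports. The ":2:" form fires only when the first entry is numbered 2 (0.99.4 on Rar v3), while the ":*:" form fires under both numberings, at the cost of matching any position.

```python
import re

# CDB field layout per the ClamAV signature documentation.
CDB_FIELDS = ("name", "container", "container_size", "filename_regex",
              "size_in_container", "size_real", "is_encrypted",
              "file_pos", "res1", "res2")

# The two signature variants quoted in the post.
SIG_FILEPOS_2 = (r"Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:"
                 r"(?i)^request for quotation.{0,30}\.exe$:*:*:*:2:*:*")
SIG_FILEPOS_ANY = SIG_FILEPOS_2.rsplit(":", 3)[0] + ":*:*:*"

# Constructed listing: one executable inside the archive (not a real sample).
ARCHIVE = ["Request For Quotation 2018-11.exe"]


def parse_cdb(line):
    """Split a CDB line into a dict; the regex may itself contain ':',
    so it is everything between the first three and last six fields."""
    parts = line.strip().split(":")
    if len(parts) < len(CDB_FIELDS):
        raise ValueError("CDB signature needs 10 colon-separated fields")
    fields = parts[:3] + [":".join(parts[3:-6])] + parts[-6:]
    return dict(zip(CDB_FIELDS, fields))


def _num_ok(spec, value):
    """Numeric CDB field: '*' any, 'n' exact, 'n-m' inclusive range."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= value <= int(hi)
    return int(spec) == value


def cdb_matches(sig, container_type, entries):
    """Return names of (filename, filepos) entries the signature fires on."""
    if sig["container"] != container_type:
        return []
    rx = re.compile(sig["filename_regex"])
    return [fn for fn, pos in entries
            if rx.search(fn) and _num_ok(sig["file_pos"], pos)]


def number_entries(names, first_pos):
    """Assign container positions starting at first_pos (1 or 2)."""
    return [(n, first_pos + i) for i, n in enumerate(names)]


def demo():
    sig2, sig_any = parse_cdb(SIG_FILEPOS_2), parse_cdb(SIG_FILEPOS_ANY)
    old = number_entries(ARCHIVE, 2)   # 0.99.4 numbering on Rar v3
    new = number_entries(ARCHIVE, 1)   # 0.101.0 beta numbering (v3 and v5)
    return {
        "filepos_2_old": bool(cdb_matches(sig2, "CL_TYPE_RAR", old)),
        "filepos_2_new": bool(cdb_matches(sig2, "CL_TYPE_RAR", new)),
        "filepos_any_old": bool(cdb_matches(sig_any, "CL_TYPE_RAR", old)),
        "filepos_any_new": bool(cdb_matches(sig_any, "CL_TYPE_RAR", new)),
    }
```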
