[clamav-users] A better zip bomb

Arnaud Jacques webmaster at securiteinfo.com
Fri Nov 8 08:23:42 UTC 2019


Hello Brent,


> https://www.bamsoftware.com/hacks/zipbomb/
> 
> I took the liberty of spinning up a vagrant instance to find out for 
> myself.
> 
> Here you can see I scanned the zip file, that's made available from the 
> above site. As you can see, clamav (in conjunction with Sanesecurity), 
> the file passed.
> 
> vagrant at stretch:~/src$ clamscan zbsm.zip
> zbsm.zip: OK
> 
> ----------- SCAN SUMMARY -----------
> Known viruses: 8944025
> Engine version: 0.101.4
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 63.13 MB
> Data read: 0.04 MB (ratio 1616.20:1)
> Time: 196.787 sec (3 m 16 s)


No need for 3rd-party signatures; official ClamAV seems to work fine with 
these files:

clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
/var/tmp/tmp/zblg.zip: Heuristics.Limits.Exceeded FOUND
/var/tmp/tmp/zbsm.zip: Heuristics.Limits.Exceeded FOUND
/var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8748540
Engine version: 0.101.4
Scanned directories: 1
Scanned files: 3
Infected files: 3
Data scanned: 169.38 MB
Data read: 53.22 MB (ratio 3.18:1)
Time: 396.918 sec (6 m 36 s)


-- 
Cordialement / Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Phone: +33-(0)3.44.39.76.46
E-mail: aj at securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois
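
One way to triage clamscan output like the two runs in this message, as an added example (not part of the original post and not ClamAV's own code): it separates Heuristics.Limits.Exceeded hits from other detections and flags a scan whose scanned-to-read ratio is high even though every file reported OK. The sample text is abridged from the outputs above; the function name `triage` and the 100:1 threshold are assumptions.

```python
import re

# Constructed sample input: abridged from the two clamscan runs quoted above.
SCAN_DEFAULT = """\
zbsm.zip: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Data scanned: 63.13 MB
Data read: 0.04 MB (ratio 1616.20:1)
"""
SCAN_WITH_LIMITS = """\
/var/tmp/tmp/zblg.zip: Heuristics.Limits.Exceeded FOUND
/var/tmp/tmp/zbsm.zip: Heuristics.Limits.Exceeded FOUND
/var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
Data scanned: 169.38 MB
Data read: 53.22 MB (ratio 3.18:1)
"""

RESULT_RE = re.compile(r"^(?P<path>.+): (?:(?P<sig>\S+) FOUND|OK)$")
RATIO_RE = re.compile(r"^Data read: .*\(ratio (?P<ratio>[0-9.]+):1\)$")
LIMIT_SIG = "Heuristics.Limits.Exceeded"
MAX_RATIO = 100.0  # assumption: expansion ratio above which an "OK" is not trusted

def triage(output, max_ratio=MAX_RATIO):
    """Sort per-file results and flag scans that expanded far beyond their input."""
    report = {"clean": [], "limits": [], "malware": [], "ratio": None}
    in_summary = False
    for line in output.splitlines():
        line = line.rstrip()
        if "SCAN SUMMARY" in line:
            in_summary = True
        elif in_summary:
            m = RATIO_RE.match(line)
            if m:
                report["ratio"] = float(m["ratio"])
        elif (m := RESULT_RE.match(line)):
            sig = m["sig"]
            if sig is None:
                report["clean"].append(m["path"])
            elif sig == LIMIT_SIG:
                report["limits"].append(m["path"])
            else:
                report["malware"].append((m["path"], sig))
    ratio = report["ratio"]
    report["suspicious_expansion"] = ratio is not None and ratio > max_ratio
    return report
```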
