[clamav-users] A better zip bomb
Brent Clark
brentgclarklist at gmail.com
Fri Nov 8 09:43:57 UTC 2019
Good day Arnaud
Thanks so much for this.
Really appreciate the fast reply and help.
Regards
Brent Clark
On 2019/11/08 10:23, Arnaud Jacques wrote:
> Hello Brent,
>
>
>> https://www.bamsoftware.com/hacks/zipbomb/
>>
>> I took the liberty of spinning up a vagrant instance to find out for
>> myself.
>>
>> Here you can see I scanned the zip file that's made available from the
>> above site. As you can see, with clamav (in conjunction with Sanesecurity),
>> the file passed.
>>
>> vagrant at stretch:~/src$ clamscan zbsm.zip
>> zbsm.zip: OK
>>
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 8944025
>> Engine version: 0.101.4
>> Scanned directories: 0
>> Scanned files: 1
>> Infected files: 0
>> Data scanned: 63.13 MB
>> Data read: 0.04 MB (ratio 1616.20:1)
>> Time: 196.787 sec (3 m 16 s)
>
>
> No need for 3rd party signatures; official ClamAV seems to work fine with
> these files:
>
> clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
> /var/tmp/tmp/zblg.zip: Heuristics.Limits.Exceeded FOUND
> /var/tmp/tmp/zbsm.zip: Heuristics.Limits.Exceeded FOUND
> /var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8748540
> Engine version: 0.101.4
> Scanned directories: 1
> Scanned files: 3
> Infected files: 3
> Data scanned: 169.38 MB
> Data read: 53.22 MB (ratio 3.18:1)
> Time: 396.918 sec (6 m 36 s)
>
>
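Added example, not part of the original thread and not ClamAV's code: a Python pre-extraction check that flags an archive on limits (nesting depth, entry count, total declared size, expansion ratio), in the spirit of the `Heuristics.Limits.Exceeded` results quoted above. The limit values and the names `check_zip` and `make_zip` are assumptions made for illustration, and the sample archives are constructed.

```python
import io
import zipfile

# Hypothetical limits for this example; they are not ClamAV's defaults.
MAX_RECURSION = 5                   # nesting depth of archives inside archives
MAX_ENTRIES = 1000                  # members per archive
MAX_TOTAL_BYTES = 5 * 1024 * 1024   # output allowed across all levels
MAX_RATIO = 100.0                   # declared output bytes per archive byte

class LimitsExceeded(Exception):
    """Raised as soon as any limit is crossed, so the scan stops early."""

def _scan(data: bytes, depth: int, budget: list) -> None:
    if depth > MAX_RECURSION:
        raise LimitsExceeded("recursion")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            raise LimitsExceeded("entries")
        # Sizes come from the central directory; nothing is decompressed yet.
        declared = sum(i.file_size for i in infos)
        if declared / max(len(data), 1) > MAX_RATIO:
            raise LimitsExceeded("ratio")
        for info in infos:
            # Charge the shared budget before decompressing the member.
            budget[0] -= info.file_size
            if budget[0] < 0:
                raise LimitsExceeded("size")
            inner = zf.read(info)
            # A member that is itself a zip is scanned one level deeper.
            if zipfile.is_zipfile(io.BytesIO(inner)):
                _scan(inner, depth + 1, budget)

def check_zip(data: bytes) -> str:
    """Return "OK" or "Limits.Exceeded: <reason>"; no file is written."""
    try:
        _scan(data, 0, [MAX_TOTAL_BYTES])
    except LimitsExceeded as exc:
        return f"Limits.Exceeded: {exc}"
    return "OK"

def make_zip(name: str, payload: bytes) -> bytes:
    """Constructed one-member archive, used only to exercise check_zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()
```

Like the scanner verdict above, a hit here means "too expensive to inspect safely", not "known malware", so the caller should treat it as a separate outcome from a clean result.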