[clamav-users] A better zip bomb
G.W. Haywood
clamav at jubileegroup.co.uk
Fri Nov 8 10:58:46 UTC 2019
Hi there,
On Fri, 8 Nov 2019, Arnaud Jacques wrote:
...Brent wrote:
>>
>> https://www.bamsoftware.com/hacks/zipbomb/
>>
>> Here you can see I scanned the zip file, that's made available from the
>> above site. As you can see, clamav (in conjunction with Sanesecurity),
>> the file passed.
>>
>> vagrant@stretch:~/src$ clamscan zbsm.zip
>> zbsm.zip: OK
>
> No need for 3rd party signatures, official ClamAV seems to work fine with
> these files:
>
> clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
> /var/tmp/tmp/zblg.zip: Heuristics.Limits.Exceeded FOUND
> /var/tmp/tmp/zbsm.zip: Heuristics.Limits.Exceeded FOUND
> /var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND
It seems that there might be room for improvement in Brent's client's
ClamAV configuration; perhaps we should be trying to understand why it
is in this state. It should be a deliberate choice to disable a test
for excessive resource usage, not an accident.
--
73,
Ged.
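
One way to check whether a daemon configuration has the limit test switched off, as an added example that is not part of the original thread or of ClamAV itself. It assumes the clamd.conf option names `AlertExceedsMax`, `MaxScanSize`, `MaxFileSize`, `MaxRecursion` and `MaxFiles` (counterparts of the clamscan flags quoted above) and that a value of 0 disables a limit; the function name `audit_clamd_limits` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a clamd.conf-style file for the limits discussed above.

# audit_clamd_limits FILE  (hypothetical helper, not a ClamAV tool)
# Prints one WARN line per finding; returns 1 if anything was flagged, else 0.
audit_clamd_limits() {
    awk '
        $1 ~ /^#/ || NF < 2 { next }   # skip comments, blanks, bare keywords
        { opt[$1] = $2 }               # file format is "Option value"
        END {
            bad = 0
            # Without AlertExceedsMax a file that hits a limit is reported OK.
            if (tolower(opt["AlertExceedsMax"]) !~ /^(yes|true|1)$/) {
                print "WARN AlertExceedsMax is not enabled"
                bad = 1
            }
            # Assumption: a value of 0 switches the limit off entirely.
            n = split("MaxScanSize MaxFileSize MaxRecursion MaxFiles", lim, " ")
            for (i = 1; i <= n; i++)
                if ((lim[i] in opt) && opt[lim[i]] ~ /^0+[KkMm]?$/) {
                    print "WARN " lim[i] " is 0 (limit disabled)"
                    bad = 1
                }
            exit bad
        }
    ' "$1"
}

# Constructed sample: alerting left commented out and one limit zeroed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed clamd.conf fragment
# AlertExceedsMax yes
MaxRecursion 5
MaxScanSize 0
EOF
audit_clamd_limits "$sample" || echo "review the settings flagged above"
rm -f "$sample"
```

Run it against the real configuration file on the scanning host; any WARN line marks a setting that would let an archive exceeding the limits be reported as OK or scanned without a bound.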