[clamav-users] clamsmtpd does not scan rar files

Jon 'Boli' Copeland boli at itss.co.tz
Tue Feb 4 14:30:49 UTC 2020


I had to install libclamunrar9 before my clam mailscanner knew how to
deal with rar files.

On 04/02/2020 17:18, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Tue, 4 Feb 2020, Ntek, SIA Janis wrote:
>
>> I have Debian 9.7 w/ postfix and ClamAV 0.100.2  I have made custom 
>> definition file /var/lib/clamav/archive_exe.cdb containing:
>> Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*
>> So that every archive packed with exe would be treated as a virus.
>
> Please explain exactly what you mean by "every archive packed with exe".
> Do you mean "every archive which contains an executable file"? Please
> be aware that very many executable files do not have names like '*.exe'
>
>> This works with .zip files and .7zip files but not with .rar files. I 
>> installed unrar package and libclamunrar9, restarted daemons and the 
>> system but still .rar files containing exe are let through.
>
> Have you scanned the test files which the ClamAV sources provide?
>
> mail6:~/src/net/mail/clamav-devel-dev-0.102/test$ >>> clamdscan 
> ./clam-v3.rar 
> /home/ged/src/net/mail/clamav-devel-dev-0.102/test/./clam-v3.rar: 
> PUA.Win.Packer.AcprotectUltraprotect-1 FOUND
>
> You might get some help with your signatures from e.g. this one.
>
> Do you see anything apart from executable files compressed with RAR?
> You might consider simply blocking all .rar files.  That's what I do,
> but then I'm the BOFH.  There are very many other ways of compressing
> and/or obfuscating executable files, so if you want protection from
> this route of sneaking past scanners you really need to recognize all
> of them.  Perhaps it would be easier to recognize instead just those
> things which are _not_ compressed and/or obfuscated.
>
>> I read that at some point unrar code was removed from ClamAV and now 
>> it only supports rar versions 1-2 but not 3. How to work around this?
>
> Please check dates on information you read on the Internet.  You may
> find that those comments were dated around December 2007 (yes, that's
> over 12 years ago).  As far as the Debian distribution is concerned,
> there was a fundamental issue with the licences but I believe that it
> was essentially resolved by repackaging the software so the libunrar
> code could be separated.
>
> As of December 2018 (ClamAV version 101.0) ClamAV supports UNRAR V5,
> although I see no test files distributed for V5 RAR archives. Perhaps
> you will need to upgrade to Debian 10 (Buster) to make use of v101.x;
> I use Debian a great deal but not the packaged ClamAV - I always build
> from source.  Amongst other things this avoids noise in the logs about
> outdated software (which could potentially hide some kinds of problem,
> a bit like hiding an elephant).
>
>> Someone suggested using --unrar option, but where do I put it? Conf 
>> file syntax doesn't seem to support this.
>
> The --unrar option is deprecated, and is ignored by any recent ClamAV.
> Perhaps the suggestion was in a very old document, or perhaps it was a
> mistake, and the _configure_ option --enable-unrar was what was meant.
> This would mean that the discussion was about building ClamAV from
> source, but as Mr. Kitterman says it is not normally necessary to do
> that on Debian as the binaries are built with unrar already enabled.
>
> As an aside there is a potential issue with incompatibility with old
> libraries but I do not think you will come across it - see for example
> the ClamAV blog for Friday, December 21, 2018:
>
> https://blog.clamav.net/2018/
>
> Please take a look at the documentation for more information.
>
-- 
Jon 'Boli' Copeland
Systems Engineer
IT Support
All sales enquiries   : sales at itss.co.tz
All support enquiries : support at itss.co.tz
Emergencies Only      : +255 (0) 685 374780
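As an added example (not code from the thread, from ClamAV or from either poster), the following Python script does the two checks a practitioner would want before chasing the problem further: it tells a RAR4 archive from a RAR5 archive by its leading bytes, since G.W. Haywood points out that RAR5 support only arrived with ClamAV 0.101 and the original poster is on 0.100.2, and it parses the custom .cdb line to show which member file names the `.*\.exe` regex would actually match. The archive header fragments and member names are constructed for the example; the .cdb field layout is ClamAV's container metadata signature format; the 0.101 threshold is taken from the thread. How ClamAV applies the regex (anchored or not, case-folded or not) is an assumption here: the script runs an unanchored, case-sensitive search.

```python
import re
from typing import Optional

# Leading bytes of the container formats named in the thread (constructed
# table; the RAR values are the published RAR 1.5-4.x and RAR 5 signatures).
# RAR4 and RAR5 share "Rar!\x1a\x07" and differ in the next byte, which is
# the only way to tell, from a file on disk, which unrar version is needed.
MAGIC = [
    ("zip",  b"PK\x03\x04"),
    ("7z",   b"7z\xbc\xaf\x27\x1c"),
    ("rar5", b"Rar!\x1a\x07\x01\x00"),
    ("rar4", b"Rar!\x1a\x07\x00"),
]

# Field order of a .cdb (container metadata) signature line.
CDB_FIELDS = ["VirusName", "ContainerType", "ContainerSize", "FileNameREGEX",
              "FileSizeInContainer", "FileSizeReal", "IsEncrypted", "FilePos",
              "Res1", "Res2"]


def container_type(data: bytes) -> Optional[str]:
    """Return 'zip', '7z', 'rar4', 'rar5' or None from the first bytes."""
    for name, magic in MAGIC:
        if data.startswith(magic):
            return name
    return None


def parse_cdb(line: str) -> dict:
    """Split one .cdb line into its named fields (extra trailing fields,
    MinFL/MaxFL, are ignored)."""
    fields = line.strip().split(":")
    if len(fields) < len(CDB_FIELDS):
        raise ValueError(f"expected {len(CDB_FIELDS)} fields, got {len(fields)}")
    return dict(zip(CDB_FIELDS, fields))


def matching_members(sig: dict, members) -> list:
    """Member names the signature's FileNameREGEX would hit.

    Assumption: unanchored, case-sensitive matching. Note that PAYLOAD.EXE
    does not match '.*\\.exe' under these rules."""
    regex = re.compile(sig["FileNameREGEX"])
    return [m for m in members if regex.search(m)]


def rar5_supported(clamav_version: str) -> bool:
    """RAR5 support arrived in ClamAV 0.101.0 (as stated in the thread)."""
    major, minor, *_ = (int(p) for p in clamav_version.split("."))
    return (major, minor) >= (0, 101)


def triage(data: bytes, clamav_version: str) -> str:
    """One-line verdict on whether this engine can look inside the archive."""
    kind = container_type(data)
    if kind is None:
        return "not a zip/7z/rar container"
    if kind == "rar5" and not rar5_supported(clamav_version):
        return "rar5 archive: ClamAV %s cannot unpack it, upgrade to 0.101+" % clamav_version
    return f"{kind} archive: container scan possible, check the .cdb regex"


# Constructed header fragments, not real archives.
SAMPLES = {
    "a.zip": b"PK\x03\x04\x14\x00" + b"\x00" * 10,
    "b.rar": b"Rar!\x1a\x07\x00\xcf\x90\x73" + b"\x00" * 8,   # RAR 1.5-4.x
    "c.rar": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8,           # RAR 5
}
# Constructed member list, as an archive might carry it.
MEMBERS = ["README.txt", "setup.exe", "PAYLOAD.EXE", "tool.exe.txt"]
CDB_LINE = r"Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*"   # the poster's signature

if __name__ == "__main__":
    sig = parse_cdb(CDB_LINE)
    print("regex", sig["FileNameREGEX"], "matches:", matching_members(sig, MEMBERS))
    for name, data in SAMPLES.items():
        print(name, "->", triage(data, "0.100.2"))
```

Run against real files by replacing the constructed `SAMPLES` with `open(path, "rb").read(16)`; a `rar5` verdict on a ClamAV 0.100.x host explains the "let through" result without any signature debugging, while a `rar4` verdict means the .cdb regex and the member names are the next thing to inspect.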