[clamav-users] clamsmtpd does not scan rar files

Ntek, SIA Janis info at ntek.lv
Tue Feb 4 20:26:42 UTC 2020


> libclamunrar9
I already had that, didn't help. I will upgrade Debian 9.7 to 10


On 04.02.20 16:30, Jon 'Boli' Copeland wrote:
> I had to install libclamunrar9 before my clam mailscanner knew how to 
> deal with rar files.
>
> On 04/02/2020 17:18, G.W. Haywood via clamav-users wrote:
>> Hi there,
>>
>> On Tue, 4 Feb 2020, Ntek, SIA Janis wrote:
>>
>>> I have Debian 9.7 w/ postfix and ClamAV 0.100.2. I have made custom 
>>> definition file /var/lib/clamav/archive_exe.cdb containing:
>>> Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*
>>> So that every archive packed with exe would be treated as a virus.
>>
>> Please explain exactly what you mean by "every archive packed with exe".
>> Do you mean "every archive which contains an executable file"? Please
>> be aware that very many executable files do not have names like '*.exe'
>>
>>> This works with .zip files and .7zip files but not with .rar files. 
>>> I installed unrar package and libclamunrar9, restarted daemons and 
>>> the system but still .rar files containing exe are let through.
>>
>> Have you scanned the test files which the ClamAV sources provide?
>>
>> mail6:~/src/net/mail/clamav-devel-dev-0.102/test$ >>> clamdscan 
>> ./clam-v3.rar 
>> /home/ged/src/net/mail/clamav-devel-dev-0.102/test/./clam-v3.rar: 
>> PUA.Win.Packer.AcprotectUltraprotect-1 FOUND
>>
>> You might get some help with your signatures from e.g. this one.
>>
>> Do you see anything apart from executable files compressed with RAR?
>> You might consider simply blocking all .rar files.  That's what I do,
>> but then I'm the BOFH.  There are very many other ways of compressing
>> and/or obfuscating executable files, so if you want protection from
>> this route of sneaking past scanners you really need to recognize all
>> of them.  Perhaps it would be easier to recognize instead just those
>> things which are _not_ compressed and/or obfuscated.
>>
>>> I read that at some point unrar code was removed from ClamAV and now 
>>> it only supports rar versions 1-2 but not 3. How to work around this?
>>
>> Please check dates on information you read on the Internet.  You may
>> find that those comments were dated around December 2007 (yes, that's
>> over 12 years ago).  As far as the Debian distribution is concerned,
>> there was a fundamental issue with the licences but I believe that it
>> was essentially resolved by repackaging the software so the libunrar
>> code could be separated.
>>
>> As of December 2018 (ClamAV version 101.0) ClamAV supports UNRAR V5,
>> although I see no test files distributed for V5 RAR archives. Perhaps
>> you will need to upgrade to Debian 10 (Buster) to make use of v101.x;
>> I use Debian a great deal but not the packaged ClamAV - I always build
>> from source.  Amongst other things this avoids noise in the logs about
>> outdated software (which could potentially hide some kinds of problem,
>> a bit like hiding an elephant).
>>
>>> Someone suggested using --unrar option, but where do I put it? Conf 
>>> file syntax doesn't seem to support this.
>>
>> The --unrar option is deprecated, and is ignored by any recent ClamAV.
>> Perhaps the suggestion was in a very old document, or perhaps it was a
>> mistake, and the _configure_ option --enable-unrar was what was meant.
>> This would mean that the discussion was about building ClamAV from
>> source, but as Mr. Kitterman says it is not normally necessary to do
>> that on Debian as the binaries are built with unrar already enabled.
>>
>> As an aside there is a potential issue with incompatibility with old
>> libraries but I do not think you will come across it - see for example
>> the ClamAV blog for Friday, December 21, 2018:
>>
>> https://blog.clamav.net/2018/
>>
>> Please take a look at the documentation for more information.
>>
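As an added example (not from this thread and not ClamAV's own code), a small Python model of how the ten fields of a .cdb container-metadata line such as the one above are applied to the members of an archive; the archive listing is constructed and the matcher is a simplification of the documented field semantics. It shows why `Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*` flags `setup.exe` in both a ZIP and a RAR listing but never an executable named `invoice.scr`, which is the gap the reply points out.

```python
import re

# Field order of a ClamAV .cdb container-metadata signature, per the ClamAV
# signature manual. The matcher below is a simplified illustration written for
# this example, not ClamAV's own code.
CDB_FIELDS = ("VirusName", "ContainerType", "ContainerSize", "FileNameREGEX",
              "FileSizeInContainer", "FileSizeReal", "IsEncrypted", "FilePos",
              "Res1", "Res2")


def parse_cdb(line):
    """Split one .cdb line into its ten named fields."""
    parts = line.strip().split(":")
    if len(parts) != len(CDB_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(CDB_FIELDS), len(parts)))
    return dict(zip(CDB_FIELDS, parts))


def _in_range(spec, value):
    """'*' matches anything; 'n' is an exact value; 'min-max' is inclusive."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= value <= int(hi) if hi else value == int(lo)


def entry_matches(sig, container_type, container_size, entry):
    """Apply one parsed signature to one archive member (a dict)."""
    if sig["ContainerType"] not in ("*", container_type):
        return False
    if not _in_range(sig["ContainerSize"], container_size):
        return False
    if not re.search(sig["FileNameREGEX"], entry["name"]):
        return False
    if not _in_range(sig["FileSizeInContainer"], entry["compressed"]):
        return False
    if not _in_range(sig["FileSizeReal"], entry["real"]):
        return False
    if sig["IsEncrypted"] not in ("*", str(int(entry["encrypted"]))):
        return False
    return _in_range(sig["FilePos"], entry["pos"])


def scan(sig_line, container_type, container_size, entries):
    """Return the names of the members the signature would flag."""
    sig = parse_cdb(sig_line)
    return [e["name"] for e in entries
            if entry_matches(sig, container_type, container_size, e)]


# Constructed archive listing for the demo (not real files).
SAMPLE = [
    {"name": "readme.txt", "compressed": 120, "real": 300, "encrypted": False, "pos": 0},
    {"name": "setup.exe", "compressed": 4000, "real": 9000, "encrypted": False, "pos": 1},
    {"name": "invoice.scr", "compressed": 3500, "real": 8000, "encrypted": False, "pos": 2},
]
```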