[clamav-users] Current replacement for --max-ratio?

Kris Deugau kdeugau at vianet.ca
Mon Jan 17 20:37:36 UTC 2022


G.W. Haywood via clamav-users wrote:
> Hi there,
> 
> On Fri, 14 Jan 2022, Kris Deugau wrote:
> 
>> I've just come across a presumed-malicious .zip file of about 500K 
>> that contains a ~315M ISO image, which in turn appears to contain a 
>> ~315M executable file.
>>
>> After a bit of searching and testing I see the --max-ratio option has 
>> been removed from clamscan, and ArchiveMaxCompressionRatio in 
>> clamd.conf has been deprecated.
>>
>> Are there any remaining (or new?) options that might help flag 
>> hypercompressed files like this?
> 
> If you're using clamd, perhaps try the AlertExceedsMax option together
> with the MaxScanSize and/or MaxFileSize options.  No it's not the same. :/

Hmm.  Might work for this case, I'll try some combinations.

> Did this arrive in mail, Kris?

Yes.  Indications are it was sent through a cracked hosting account, 
with an envelope and reply to a GMail account.

On closer inspection, when originally received the message matched one 
of the Sanesecurity "foxhole" signatures, which could collectively be 
scored much higher on this particular receiving account (technical role 
address).  It's a hack and I'm not sure it's worth even that much effort 
since this is the first example I've seen in the wild.

-kgd
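Since the thread's conclusion is that no direct ratio check remains in clamscan or clamd, here is an added example (not from the mailing list post or from the ClamAV project) of a small stand-in for the removed --max-ratio behaviour: it reads only the zip central directory, compares each entry's declared uncompressed size with its compressed size, and flags entries above a threshold without inflating anything. The threshold constant, the function names and the constructed sample archive (a small text file beside a scaled-down stand-in for the ~315M ISO) are all assumptions of this example.

```python
"""Flag zip entries whose declared compression ratio exceeds a threshold.

Added example, not part of the clamav-users thread or of ClamAV itself.
Only the central directory is consulted, so the compressed data is never
inflated: the sizes are what the archive *claims*, which is exactly what a
ratio check wants to see before any expensive scanning happens.
"""
import io
import zipfile

# Assumption: a conservative ratio; tune for the traffic you actually see.
DEFAULT_MAX_RATIO = 250


def compression_ratios(zip_bytes):
    """Return (name, compressed_size, uncompressed_size, ratio) for each file entry."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            comp = info.compress_size
            uncomp = info.file_size
            if comp == 0:
                # Empty entry is harmless; a non-empty entry with zero
                # compressed bytes is malformed and gets an infinite ratio.
                ratio = 0.0 if uncomp == 0 else float("inf")
            else:
                ratio = uncomp / comp
            results.append((info.filename, comp, uncomp, ratio))
    return results


def suspicious_entries(zip_bytes, max_ratio=DEFAULT_MAX_RATIO):
    """Names of entries whose declared ratio exceeds max_ratio."""
    return [
        name
        for name, _comp, _uncomp, ratio in compression_ratios(zip_bytes)
        if ratio > max_ratio
    ]


def build_sample_zip():
    """Constructed sample archive: one ordinary text file plus a highly
    compressible blob standing in for the ISO from the thread (8 MiB of
    zeros instead of ~315M, to keep the example fast)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "quarterly invoice attached\n" * 20)
        zf.writestr("payload.iso", b"\x00" * (8 * 1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for name, comp, uncomp, ratio in compression_ratios(sample):
        print(f"{name}: {comp} -> {uncomp} bytes, ratio {ratio:.0f}:1")
    print("flagged:", suspicious_entries(sample))
```

This complements rather than replaces the clamd.conf approach suggested in the thread (AlertExceedsMax together with MaxScanSize and MaxFileSize), which fires when a scan limit is exceeded rather than on the ratio itself; the declared sizes used here can also be lied about by a crafted archive, so treat a flagged ratio as a triage signal, not a verdict.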
