[clamav-users] ClamAV does not detect viruses in "ar archive" file format

G.W. Haywood clamav at jubileegroup.co.uk
Fri Jul 8 16:07:07 UTC 2022


Hi there,

On Fri, 8 Jul 2022, Schroeffu via clamav-users wrote:

> I am trying to scan "ar archive" format like .deb packages are. ClamAV
> unfortunately does not detect the eicar inside the ar archive. 
> Do I miss something to configure so clamav scans/unpacks "ar archive"
> formats correctly?

If you have deduced that ClamAV is not unpacking the archive properly,
then I'm not sure that your deduction is correct.  Testing with EICAR
files can be a little tricky because the EICAR specifications are very
particular about what is scanned.

If I create an archive with 'ar' and then scan it here, my clamd
server does find it:

8<--------------------------------------------------------
$ ar r archive.deb eicar tempscan.pl
ar: creating archive.deb
$ clamdscan archive.deb 
/home/ged/archive.deb: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 1.372 sec (0 m 1 s)
Start Date: 2022:07:08 16:44:05
End Date:   2022:07:08 16:44:06
8<--------------------------------------------------------

but this detection is using an UNOFFICIAL signature:

8<--------------------------------------------------------
$ grep EICAR /EXPORTS/clamav/databases/*
Binary file daily.cld matches
Binary file main.cld matches
rfxn.hdb:44d88612fea8a8f36de82e1278abb02f:68:{MD5}EICAR.TEST.3.59
rfxn.hdb:69630e4574ec6798239b091cda43dca0:69:{MD5}EICAR.TEST.10.58
rfxn.ndb:{HEX}EICAR.TEST.3:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
rfxn.ndb:{HEX}EICAR.TEST:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
8<--------------------------------------------------------

As you can see, the official (daily, main) databases match on the word
EICAR, but it isn't the official signatures which triggered detection.

I believe that the rfxn signatures implement the EICAR specifications
incorrectly, but at least the scanner does seem to be unpacking the
archive.  If you search the archives of this mailing list for "EICAR"
you will probably find something more informative.

-- 

73,
Ged.
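To make the two points in Ged's reply concrete (the archive is unpacked, and EICAR detection depends on the test file obeying the EICAR rules), here is an added example that is not part of the original thread or of ClamAV. It builds an 'ar' archive in memory in the same layout 'ar r' produces, parses it back to show the EICAR member is stored as plain contiguous bytes, and applies the EICAR file rules (68-byte string first, at most 128 bytes, only whitespace or CTRL-Z after it) to each member. The optional call to 'clamscan' is skipped when the binary is not installed; the member names, the trailing-text sample and the constant names are constructed for this example.

```python
"""Build an 'ar' archive holding an EICAR test file, parse it back, and
check each member against the EICAR test-file rules; optionally scan it."""
import hashlib
import os
import shutil
import subprocess
import tempfile

# The 68-byte EICAR test string; this is the decoded form of the hex body
# in the rfxn.ndb signature quoted in the thread.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"  # MD5 listed in rfxn.hdb (size 68)
AR_MAGIC = b"!<arch>\n"
EICAR_TRAILER_OK = b" \t\r\n\x1a"  # whitespace the EICAR spec tolerates after the string


def ar_member(name, data, mode=0o100644):
    """One ar member: 60-byte ASCII header (GNU 'name/' style) plus data,
    padded with a newline to an even length as 'ar' does."""
    fields = (name + "/").ljust(16)[:16] + "0".ljust(12) + "0".ljust(6) \
        + "0".ljust(6) + ("%o" % mode).ljust(8) + str(len(data)).ljust(10) + "`\n"
    hdr = fields.encode("ascii")
    assert len(hdr) == 60
    return hdr + data + (b"\n" if len(data) % 2 else b"")


def build_ar(members):
    """members: list of (name, bytes). Returns the whole archive as bytes."""
    return AR_MAGIC + b"".join(ar_member(n, d) for n, d in members)


def parse_ar(blob):
    """Walk the member headers and return [(name, data), ...]."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, out = len(AR_MAGIC), []
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58])
        out.append((name, blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size % 2)  # skip the even-length padding byte
    return out


def eicar_verdict(data):
    """Apply the EICAR file rules: the string must come first, the file may
    not exceed 128 bytes, and anything after the string must be whitespace."""
    if not data.startswith(EICAR):
        return "not EICAR"
    if len(data) > 128:
        return "EICAR string present but file too long (>128 bytes)"
    if data[len(EICAR):].strip(EICAR_TRAILER_OK):
        return "EICAR string followed by non-whitespace"
    return "valid EICAR test file"


def scan_with_clamscan(path):
    """Run clamscan if it is installed; exit status 1 means 'infected'.
    Returns None when clamscan is not on PATH."""
    exe = shutil.which("clamscan")
    if exe is None:
        return None
    proc = subprocess.run([exe, "--no-summary", path],
                          capture_output=True, text=True)
    return proc.returncode == 1, proc.stdout.strip()


if __name__ == "__main__":
    # Constructed members: a clean EICAR file, one with trailing text that
    # breaks the EICAR rules, and an unrelated file.
    archive = build_ar([("eicar", EICAR),
                        ("eicar-bad", EICAR + b" some notes"),
                        ("readme", b"hello\n")])
    for name, data in parse_ar(archive):
        print("%-10s %3d bytes  md5=%s  %s" % (
            name, len(data), hashlib.md5(data).hexdigest(), eicar_verdict(data)))
    with tempfile.NamedTemporaryFile(suffix=".deb", delete=False) as fh:
        fh.write(archive)
    result = scan_with_clamscan(fh.name)
    print("clamscan not installed" if result is None else "clamscan: %s" % (result,))
    os.unlink(fh.name)
```

The parser deliberately does nothing clever: ar members are stored uncompressed at fixed offsets, which is why a scanner that handles the container at all finds the EICAR string as easily as in a bare file. The interesting variable is the file itself; a member that carries the string but also extra bytes is not a conforming EICAR file, so a signature written to the spec is entitled to ignore it while a looser signature such as the rfxn one still fires.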

