[Pkg-clamav-devel] Bug#912634: clamav scanner didn't unpack RAR archives

Dmitriy rauco at beer.tomsknet.ru
Fri Nov 2 01:11:49 GMT 2018


Package: clamav
Version: 0.100.2+dfsg-0+deb9u1
Severity: important
Tags: upstream

I have some problems with scanning RAR archives in emails. The ClamAV daemon in
debug mode doesn't show any info about unpacking the RAR archive:

...
Scanning test.rar
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized RAR file
LibClamAV debug: cache_check: 4f6ba332da60b249de2ec1964b084ab6 is negative
LibClamAV debug: Matched signature for file type RAR-SFX at 0
LibClamAV debug: matcher_run: performing regex matching on full map: 0+27(27) >= 27
...

 

And my test.docm file in the archive wasn't scanned by ClamAV. The same
test.docm file in a ZIP or 7ZIP archive is unpacked and scanned:

...
Scanning test.7z
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized 7zip file
LibClamAV debug: cache_check: 4faef2fe564a5679afca42c78c3a17af is negative
LibClamAV debug: cli_7unz: extracting test.docm
LibClamAV debug: CDBNAME:CL_TYPE_7Z:0:test.docm:0:31866:0:0:1800081078:(nil)
LibClamAV debug: FP SIGNATURE: 4faef2fe564a5679afca42c78c3a17af:201:TBEER.BLOCK_OFFICE_MACROS_
test.7z: TBEER.BLOCK_OFFICE_MACROS_DOCS_7ZIP.UNOFFICIAL FOUND
LibClamAV debug: cli_7unz: completed successfully
...

and my rule for docm files in ZIP and 7ZIP archives works.

A similar rule for RAR archives didn't match.

The same problem exists in the 0.100.1 stable version. Bug?

 

 

-- Package-specific info:
--- configuration ---
Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
BlockMax disabled
PreludeEnable disabled
PreludeAnalyzerName disabled
LogFile = "/var/log/clamav/clamav.log"
LogFileUnlock disabled
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogClean disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
PidFile disabled
TemporaryDirectory disabled
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "64"
StreamMaxLength = "26214400"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "64"
ReadTimeout = "300"
CommandReadTimeout = "5"
SendBufTimeout = "200"
MaxQueue = "128"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "3600"
DisableCache disabled
VirusEvent disabled
ExitOnOOM disabled
AllowAllMatchScan = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User disabled
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "60000"
BytecodeUnsigned disabled
BytecodeMode = "Auto"
DetectPUA = "yes"
ExcludePUA disabled
IncludePUA = "Spy", "Script", "Server"
AlgorithmicDetection = "yes"
ScanPE = "yes"
ScanELF = "yes"
DetectBrokenExecutables disabled
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
PhishingAlwaysBlockCloak disabled
PhishingAlwaysBlockSSLMismatch disabled
PartitionIntersection disabled
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
OLE2BlockMacros disabled
ScanPDF = "yes"
ScanSWF = "yes"
ScanXMLDOCS = "yes"
ScanHWP3 = "yes"
ScanArchive = "yes"
ArchiveBlockEncrypted disabled
ForceToDisk disabled
MaxScanSize = "157286400"
MaxFileSize = "47185920"
MaxRecursion = "8"
MaxFiles = "10000"
MaxEmbeddedPE = "20971520"
MaxHTMLNormalize = "15728640"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "10485760"
MaxZipTypeRcg = "1048576"
MaxPartitions = "50"
MaxIconsPE = "100"
MaxRecHWP3 = "16"
PCREMatchLimit = "100000"
PCRERecMatchLimit = "5000"
PCREMaxFileSize = "26214400"
ScanOnAccess disabled
OnAccessMountPath disabled
OnAccessIncludePath disabled
OnAccessExcludePath disabled
OnAccessExcludeRootUID disabled
OnAccessExcludeUID disabled
OnAccessMaxFileSize = "5242880"
OnAccessDisableDDD disabled
OnAccessPrevention disabled
OnAccessExtraScanning disabled
DevACOnly disabled
DevACDepth disabled
DevPerformance disabled
DevLiblog disabled
DisableCertCheck disabled


Config file: freshclam.conf
---------------------------
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
PidFile disabled
DatabaseDirectory = "/var/lib/clamav"
Foreground disabled
Debug disabled
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseOwner = "clamav"
Checks = "24"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "db.ru.clamav.net", "database.clamav.net"
PrivateMirror disabled
MaxAttempts = "5"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
DatabaseCustomURL disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamav/clamd.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "30"
ReceiveTimeout = "30"
SafeBrowsing disabled
Bytecode = "yes"


clamav-milter.conf not found

Software settings
-----------------
Version: 0.100.2
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2 LIBXML2 PCRE ICONV JSON JIT


Database information
--------------------
Database directory: /var/lib/clamav
main.cvd: version 58, sigs: 4566249, built on Thu Jun  8 04:38:10 2017
[3rd Party] tbeer_exe.cdb: 32 sigs
[3rd Party] tbeer_old.cdb: 6 sigs
[3rd Party] tbeer_email.cdb: 8 sigs
[3rd Party] tbeer_html.cdb: 8 sigs
[3rd Party] tbeer.cdb: 8 sigs
[3rd Party] tbeer_java.cdb: 8 sigs
[3rd Party] tbeer_strange.cdb: 4 sigs
[3rd Party] tbeer_dll_reg_sys_etc.cdb: 11 sigs
[3rd Party] tbeer_others.cdb: 7 sigs
[3rd Party] tbeer_arch_in_arch.cdb: 18 sigs
bytecode.cld: version 327, sigs: 91, built on Thu Aug  9 07:43:48 2018
daily.cld: version 25079, sigs: 2137818, built on Thu Nov  1 04:17:10 2018
Total number of signatures: 6704268


Platform information
--------------------
uname: Linux 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
Full OS version: Debian GNU/Linux 9.5 (stretch)
zlib version: 1.2.8 (1.2.8), compile flags: a9
Triple: x86_64-pc-linux-gnu
CPU: broadwell, Little-endian
platform id: 0x0a215d5d0806030001060300


Build information
-----------------
GNU C: 6.3.0 20170516 (6.3.0)
GNU C++: 6.3.0 20170516 (6.3.0)
CPPFLAGS: -Wdate-time -D_FORTIFY_SOURCE=2
CFLAGS: -g -O2 -fdebug-prefix-map=/build/clamav-6sLuAe/clamav-0.100.2+dfsg=. -fstack-protector-strong -Wformat -Werror=forma
CXXFLAGS: -g -O2 -fdebug-prefix-map=/build/clamav-6sLuAe/clamav-0.100.2+dfsg=. -fstack-protector-strong -Wformat -Werror=for
LDFLAGS: -Wl,-z,relro -Wl,-z,now -Wl,--as-needed
Configure: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/
sizeof(void*) = 8
Engine flevel: 93, dconf: 93


--- data dir ---
total 266940
-rw-r--r-- 1 clamav clamav    951808 Aug  9 08:26 bytecode.cld
-rw-r--r-- 1 clamav clamav 154440704 Nov  1 05:25 daily.cld
-rw-r--r-- 1 clamav clamav 117892267 Jul  4 16:02 main.cvd
-rw------- 1 clamav clamav       572 Nov  1 09:25 mirrors.dat
-rw-r--r-- 1 clamav clamav      2140 Nov  1 09:11 tbeer.cdb
-rw-r--r-- 1 clamav clamav      4599 Nov  1 09:12 tbeer_arch_in_arch.cdb
-rw-r--r-- 1 clamav clamav      1418 Jul 18 12:49 tbeer_dll_reg_sys_etc.cdb
-rw-r--r-- 1 clamav clamav       804 Nov  1 09:12 tbeer_email.cdb
-rw-r--r-- 1 clamav clamav      6640 Nov  1 09:13 tbeer_exe.cdb
-rw-r--r-- 1 clamav clamav      1172 Nov  1 09:14 tbeer_html.cdb
-rw-r--r-- 1 clamav clamav       764 Nov  1 09:14 tbeer_java.cdb
-rw-r--r-- 1 clamav clamav      1293 Jul 18 09:40 tbeer_old.cdb
-rw-r--r-- 1 clamav clamav      1603 Nov  1 09:14 tbeer_others.cdb
-rw-r--r-- 1 clamav clamav       776 Oct  9 07:49 tbeer_strange.cdb


-- System Information:
Debian Release: 9.5
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/5 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

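The gap the report describes is visible in the debug output itself: the RAR scan logs "Recognized RAR file" but never an "extracting" line, while the 7z scan logs both. The following added example (not part of the bug report or of ClamAV) parses such LibClamAV debug output and lists archives that were recognized but from which no member was unpacked, so a mail-gateway operator can verify that every archive type the signatures rely on is actually being opened. It assumes the 0.100.x line formats quoted above; the sample log is constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the debug lines quoted in the report:
# a RAR that is only recognized, and a 7z whose member is extracted and flagged.
SAMPLE_LOG = """\
Scanning test.rar
LibClamAV debug: Recognized RAR file
LibClamAV debug: Matched signature for file type RAR-SFX at 0
Scanning test.7z
LibClamAV debug: Recognized 7zip file
LibClamAV debug: cli_7unz: extracting test.docm
test.7z: TBEER.BLOCK_OFFICE_MACROS_DOCS_7ZIP.UNOFFICIAL FOUND
LibClamAV debug: cli_7unz: completed successfully
"""

SCAN_RE = re.compile(r"^Scanning (\S+)$")
RECOGNIZED_RE = re.compile(r"^LibClamAV debug: Recognized (\S+) file$")
EXTRACT_RE = re.compile(r"^LibClamAV debug: \w+: extracting (.+)$")
FOUND_RE = re.compile(r"^(\S+): (\S+) FOUND$")

@dataclass
class ScanResult:
    path: str
    archive_type: str = ""                 # e.g. "RAR", "7zip"; empty if not an archive
    extracted: list = field(default_factory=list)
    detections: list = field(default_factory=list)

def parse_debug_log(text: str) -> list:
    """Group debug lines by the 'Scanning <file>' header that starts each scan."""
    results, cur = [], None
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            cur = ScanResult(m.group(1))
            results.append(cur)
        elif cur is None:
            continue
        elif m := RECOGNIZED_RE.match(line):
            cur.archive_type = m.group(1)
        elif m := EXTRACT_RE.match(line):
            cur.extracted.append(m.group(1))
        elif m := FOUND_RE.match(line):
            cur.detections.append(m.group(2))
    return results

def unpacking_gaps(results: list) -> list:
    """Archives that were recognized but from which no member was extracted."""
    return [r.path for r in results if r.archive_type and not r.extracted]
```

Run it against `clamscan --debug` output for a set of test archives covering each container type your signatures target; any path returned by `unpacking_gaps` is a format the scanner identified but did not open.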
