BTW, I faced the same problem. My solution was to call f-prot to scan rar archives (I use courier and I set up a maildropfilter in order to check wether there's a rar attachment). I use clamd, because it is much faster than f-prot or clamscan, so I only scan mails with f-prot if there are rars in it.
Good luck, Peter -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pierre-Emmanuel Brinette Sent: Wednesday, October 26, 2005 3:16 PM To: [email protected] Subject: [Clamav-users] Problem to check virus within RAR archives ? Hi, I just donwload the last RPM version of clamAV for redhat 9 and I made some tests : $ clamscan -V ClamAV 0.87/1148/Tue Oct 25 21:34:12 2005 1/ I have downloaded a test virus : $ wget http://www.eicar.org/download/eicar.com 2/ I checked the virus with clamscan, it is OK $ clamscan eicar.com eicar.com: Eicar-Test-Signature FOUND [...] 3/ I checked if clamscan can found a virus inside a compressed archive, and it is OK. $ tar jcvf test.tar.bz2 eicar.com eicar.com $ clamscan test.tar.bz2 test.tar.bz2: Eicar-Test-Signature FOUND 4/ I do the same with a RAR Archive, and clamscan CAN NOT FOUND THE VIRUS: $ rar -h RAR 3.50 beta 1 Copyright (c) 1993-2005 Alexander Roshal 30 Mar 2005 [...] $ unrar -h UNRAR 3.50 beta 3 freeware Copyright (c) 1993-2005 Alexander Roshal [...] $ rar a test.rar eicar.com [...] $ clamscan --unrar=/usr/bin/unrar test.rar ./test.rar: OK 5/ I run again the program in debug mode, and it seem there is an error $ clamscan --debug --unrar=/usr/bin/unrar test.rar [...] LibClamAV debug: Recognized RAR file LibClamAV debug: in scanrar() LibClamAV debug: unrarlib.c:2652:InitCRC Initialize CRC table LibClamAV debug: ExtrFile(): dup(3) = 4 LibClamAV debug: Couldn't read next filename from archive (I/O error): 0 LibClamAV debug: RAR: Number of archived files: 1 LibClamAV debug: RAR: eicar.com, crc32: 0x6851cf3c, encrypted: 0, compressed: 72, normal: 68, method: 51, ratio: 0 (max: 250) LibClamAV debug: RAR: Exit code: 0 LibClamAV debug: Calculated MD5 checksum: e7386367e1626f6186a23132c4309fa2 ./test.rar: OK 6/ when I unrar the file to stdout and pipe the content to clamscan stdin, it works. $ unrar -inul p test.rar | clamscan - stdin: Eicar-Test-Signature FOUND Somebody know how to solve this problem ? Regards. Pierre-Emmanuel Brinette Network Engineer ________________________ SATXPRO 38, place des pavillons F-69007 Lyon France Tel: +33 (0) 4 72 80 82 35 GSM: +33 (0) 6 60 03 82 35 Fax: +33 (0) 4 78 72 83 94 http://www.satxpro.com _______________________________________________ http://lurker.clamav.net/list/clamav-users.html _______________________________________________ http://lurker.clamav.net/list/clamav-users.html
