Noel Jones wrote:
At 06:51 AM 7/26/2006, Maren Leizaola wrote:
Unzip code is built into clamav, and is on by default.
Is there any way to debug this? To find out what ClamAV is actually doing?
How do I get it to log what actions it is taking?

For clamd, the clamd.conf option Debug writes extra logging to the normal log file.
For clamscan, use --debug.

When I scan an eicar.zip file, the output looks like:

# clamscan --debug eicar.zip
LibClamAV debug: Loading databases from /var/db/clamav
... snipped ~40 lines about unpacking/verifying databases ...
... the important part is near the end ...
LibClamAV debug: Recognized ZIP file
LibClamAV debug: in scanzip()
LibClamAV debug: Zip: eicar.txt, crc32: 0x1dd02bdb, offset: 0, encrypted: 0, compressed: 69, normal: 69, method: 0, ratio: 1 (max: 250)
LibClamAV debug: Eicar-Test-Signature found in descriptor 5.
LibClamAV debug: Zip: Infected with Eicar-Test-Signature
eicar.zip: Eicar-Test-Signature FOUND


Noel,
This is useful stuff. The following virus is being detected by one of my ClamAV servers and not by the other. Can you see any problems?

clamscan Anne.zip
Anne.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 62902
Engine version: 0.88.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.08 MB
Time: 4.117 sec (0 m 4 s)
$ clamscan --debug Anne.zip
LibClamAV debug: Loading databases from /var/db/clamav
LibClamAV debug: Loading /var/db/clamav/main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = a9a400e70dcbfe2c9e11d78416e1c0cc
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//clamav-cbab3d0605045e72/COPYING
LibClamAV debug: Unpacking /var/tmp//clamav-cbab3d0605045e72/main.db
LibClamAV debug: Unpacking /var/tmp//clamav-cbab3d0605045e72/main.hdb
LibClamAV debug: Unpacking /var/tmp//clamav-cbab3d0605045e72/main.ndb
LibClamAV debug: Unpacking /var/tmp//clamav-cbab3d0605045e72/main.zmd
LibClamAV debug: Unpacking /var/tmp//clamav-cbab3d0605045e72/main.fp
LibClamAV debug: Loading databases from /var/tmp//clamav-cbab3d0605045e72
LibClamAV debug: Loading /var/tmp//clamav-cbab3d0605045e72/main.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading /var/tmp//clamav-cbab3d0605045e72/main.hdb
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading /var/tmp//clamav-cbab3d0605045e72/main.ndb
LibClamAV debug: Loading /var/tmp//clamav-cbab3d0605045e72/main.zmd
LibClamAV debug: Loading /var/tmp//clamav-cbab3d0605045e72/main.fp
LibClamAV debug: Loading /var/db/clamav/daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 7bb923263f9adb51c9bab4b354d5f043
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//clamav-f012ca12b47b356a/COPYING
LibClamAV debug: Unpacking /var/tmp//clamav-f012ca12b47b356a/daily.db
LibClamAV debug: Unpacking /var/tmp//clamav-f012ca12b47b356a/daily.hdb
LibClamAV debug: Unpacking /var/tmp//clamav-f012ca12b47b356a/daily.ndb
LibClamAV debug: Unpacking /var/tmp//clamav-f012ca12b47b356a/daily.zmd
LibClamAV debug: Unpacking /var/tmp//clamav-f012ca12b47b356a/daily.info
LibClamAV debug: Loading databases from /var/tmp//clamav-f012ca12b47b356a
LibClamAV debug: Loading /var/tmp//clamav-f012ca12b47b356a/daily.db
LibClamAV debug: Loading /var/tmp//clamav-f012ca12b47b356a/daily.hdb
LibClamAV debug: Loading /var/tmp//clamav-f012ca12b47b356a/daily.ndb
LibClamAV debug: Loading /var/tmp//clamav-f012ca12b47b356a/daily.zmd
LibClamAV debug: Recognized ZIP file
LibClamAV debug: in scanzip()
LibClamAV debug: Zip: upiiwsat/qjflcanjes.dll, crc32: 0x822b7df8, offset: 0, encrypted: 1, compressed: 1253, normal: 2004, method: 8, ratio: 1 (max: 250)
LibClamAV debug: Small data (0 bytes)
LibClamAV debug: Zip: upiiwsat/, crc32: 0x0, offset: 1306, encrypted: 0, compressed: 0, normal: 0, method: 0, ratio: 0 (max: 250)
LibClamAV debug: Zip: xqkioayseo.exe, crc32: 0xb3303819, offset: 1345, encrypted: 1, compressed: 83555, normal: 94126, method: 8, ratio: 1 (max: 250)
LibClamAV debug: Small data (0 bytes)
LibClamAV debug: Type: 507, expected: 502 (Trojan.Downloader.Harnig-11)
LibClamAV debug: Type: 507, expected: 502 (Trojan.Downloader.Harnig-10)
LibClamAV debug: Type: 507, expected: 502 (Trojan.Downloader.Harnig-9)
LibClamAV debug: Type: 507, expected: 502 (Trojan.Downloader.Harnig-8)
LibClamAV debug: Type: 507, expected: 502 (Trojan.Downloader.Harnig-7)
LibClamAV debug: Type: 507, expected: 502 (Trojan.Downloader.Harnig-6)
LibClamAV debug: Type: 507, expected: 502 (Trojan.Downloader.Harnig-11)
LibClamAV debug: Type: 507, expected: 502 (Trojan.Downloader.Harnig-10)
LibClamAV debug: Type: 507, expected: 502 (Trojan.Downloader.Harnig-9)
LibClamAV debug: Type: 507, expected: 502 (Trojan.Downloader.Harnig-8)
LibClamAV debug: Type: 507, expected: 502 (Trojan.Downloader.Harnig-7)
LibClamAV debug: Type: 507, expected: 502 (Trojan.Downloader.Harnig-6)
LibClamAV debug: Type: 507, expected: 502 (Trojan.Downloader.Harnig-11)
LibClamAV debug: Type: 507, expected: 502 (Trojan.Downloader.Harnig-10)
LibClamAV debug: Type: 507, expected: 502 (Trojan.Downloader.Harnig-9)
LibClamAV debug: Type: 507, expected: 502 (Trojan.Downloader.Harnig-8)
LibClamAV debug: Type: 507, expected: 502 (Trojan.Downloader.Harnig-7)
LibClamAV debug: Type: 507, expected: 502 (Trojan.Downloader.Harnig-6)
LibClamAV debug: Calculated MD5 checksum: 732036189699e429089e7ca6f5118489
Anne.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 62902
Engine version: 0.88.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.08 MB
Time: 4.051 sec (0 m 4 s)

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
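
Added example, not part of the original thread or of ClamAV: a small Python parser for the `Zip:` lines of `clamscan --debug` output in the format shown above, which lists the members reported as `encrypted: 1`. Body signatures cannot be matched against member data the engine cannot decrypt, so those members are the first thing to check when an archive comes back `OK`. The function names and the constructed sample (including two entries sharing one line) are assumptions for illustration.

```python
import re

# Constructed sample in the `clamscan --debug` format quoted in the thread
# (0.88.x wording); two entries share a line to exercise the edge case.
SAMPLE = """\
LibClamAV debug: Recognized ZIP file
LibClamAV debug: in scanzip()
LibClamAV debug: Zip: upiiwsat/qjflcanjes.dll, crc32: 0x822b7df8, offset: 0, encrypted: 1, compressed: 1253, normal: 2004, method: 8, ratio: 1 (max: 250)
LibClamAV debug: Small data (0 bytes)
LibClamAV debug: Zip: upiiwsat/, crc32: 0x0, offset: 1306, encrypted: 0, compressed: 0, normal: 0, method: 0, ratio: 0 (max: 250) LibClamAV debug: Zip: xqkioayseo.exe, crc32: 0xb3303819, offset: 1345, encrypted: 1, compressed: 83555, normal: 94126, method: 8, ratio: 1 (max: 250)
LibClamAV debug: Small data (0 bytes)
"""

ZIP_ENTRY = re.compile(
    r"LibClamAV debug: Zip: (?P<name>.+?), crc32: (?P<crc32>0x[0-9a-fA-F]+), "
    r"offset: (?P<offset>\d+), encrypted: (?P<encrypted>\d+), "
    r"compressed: (?P<compressed>\d+), normal: (?P<normal>\d+), "
    r"method: (?P<method>\d+), ratio: (?P<ratio>\d+) \(max: (?P<max>\d+)\)"
)
INT_FIELDS = ("offset", "encrypted", "compressed", "normal", "method", "ratio", "max")

def parse_zip_entries(debug_text):
    """Return one dict per 'Zip:' debug record, numeric fields as int."""
    entries = []
    # finditer over the whole text, so records joined on one line still parse
    for match in ZIP_ENTRY.finditer(debug_text):
        entry = match.groupdict()
        for field in INT_FIELDS:
            entry[field] = int(entry[field])
        entries.append(entry)
    return entries

def encrypted_members(debug_text):
    """Names of members that carry data and are flagged encrypted."""
    return [e["name"] for e in parse_zip_entries(debug_text)
            if e["encrypted"] and e["normal"] > 0]

def all_data_encrypted(debug_text):
    """True when every member with data is encrypted (no plaintext was scanned)."""
    with_data = [e for e in parse_zip_entries(debug_text) if e["normal"] > 0]
    return bool(with_data) and all(e["encrypted"] for e in with_data)

if __name__ == "__main__":
    print("encrypted members:", encrypted_members(SAMPLE))
    print("all data encrypted:", all_data_encrypted(SAMPLE))
```

Feed it the saved output of `clamscan --debug` from each server to compare what the two engines saw for the same archive.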
