One of my customers is reporting that a file is being blocked as
"Suspect.Zip". I haven't got a copy of the file itself; however,
I started looking for the virus signature (as it is definitely a
false positive), but found none.

Completely undocumented, I found code in libclamav/unzip.c that
triggers this:

  if(ch && !LH_flen) {
    cli_dbgmsg("cli_unzip: found noname file\n");
    *ctx->virname = "Suspect.Zip";
    *ret = CL_VIRUS;
    return 0;
  }
[...]
  if(ch && !LH_csize && LH_usize) {
    cli_dbgmsg("Zip: Malformed file (csize == 0 but usize != 0)\n");
    *ctx->virname = "Suspect.Zip";
    *ret = CL_VIRUS;
    return 0;
  }

Also, I found a reference in the ChangeLog that speaks of a
"Suspected.Zip" with similar properties, that was abandoned,
fortunately, in 0.82.

You can't even disable this behaviour via the config file. Is this
an accidental re-inclusion of old, bad code, or did some overzealous
broken file format hunter reinsert this on purpose?

For now, I've disabled this signature via the milter that we run
(MIMEDefang, not clamav-milter), but I'm again unpleasantly surprised
by this. It is *NOT* the task of clamav to detect broken archives,
if you cannot extract the archive, give up, or AT MOST have a 
configuration option on how to proceed (like ArchiveBlockEncrypted).

-- 
Jan-Pieter Cornet <[EMAIL PROTECTED]>
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
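The two conditions quoted from libclamav/unzip.c above, re-implemented as a standalone checker so that an archive can be tested for them without running ClamAV. This is an added example, not ClamAV's code: it walks the central directory to reach each local file header (the `ch` in the quoted code is assumed to mean "a central directory header is available for this entry"), reports a "noname" local header (LH_flen == 0) and a local header with csize == 0 but usize != 0, and builds its own constructed sample archives, including one written by Python's zipfile module, to show which ones would be flagged.

```python
# Added example (not ClamAV code): the two unzip.c "Suspect.Zip" conditions
# quoted in the post, applied to raw zip bytes with a hand-rolled header walk.
import io
import struct
import zipfile
import zlib

LOCAL_SIG = 0x04034B50    # local file header signature
CENTRAL_SIG = 0x02014B50  # central directory header signature
EOCD_SIG = 0x06054B50     # end of central directory record signature

LOCAL_FMT = "<IHHHHHIIIHH"          # 30-byte local file header
CENTRAL_FMT = "<IHHHHHHIIIHHHHHII"  # 46-byte central directory header
EOCD_FMT = "<IHHHHIIH"              # 22-byte end of central directory record


def _central_entries(data):
    """Yield (central_name, local_header_offset) for every central directory record."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, n_total, _, cd_offset, _ = struct.unpack(EOCD_FMT, data[eocd:eocd + 22])
    pos = cd_offset
    for _ in range(n_total):
        f = struct.unpack(CENTRAL_FMT, data[pos:pos + 46])
        if f[0] != CENTRAL_SIG:
            raise ValueError("bad central header at offset %d" % pos)
        fnlen, extralen, commlen, local_off = f[10], f[11], f[12], f[16]
        yield data[pos + 46:pos + 46 + fnlen], local_off
        pos += 46 + fnlen + extralen + commlen


def suspect_zip_reasons(data):
    """Return the reasons the two quoted unzip.c checks would raise Suspect.Zip.

    An empty list means neither condition is present in any local header."""
    reasons = []
    for cname, off in _central_entries(data):
        sig, _ver, flags, _method, _t, _d, _crc, csize, usize, fnlen, _xlen = \
            struct.unpack(LOCAL_FMT, data[off:off + 30])
        if sig != LOCAL_SIG:
            raise ValueError("bad local header at offset %d" % off)
        # Check 1 from the post: the local header carries no filename at all.
        if fnlen == 0:
            reasons.append("noname file: local header for central entry %r has LH_flen == 0" % cname)
        # Check 2 from the post: compressed size 0 while uncompressed size is not.
        # Streaming archives (flag bit 3, sizes in a data descriptor) carry 0 for
        # BOTH sizes in the local header, so they do not trip this condition.
        if csize == 0 and usize != 0:
            reasons.append("csize == 0 but usize == %d for %r (flags=0x%04x)" % (usize, cname, flags))
    return reasons


def make_stored_zip(name, payload, local_name=None, local_csize=None, local_usize=None):
    """Build a single-entry, stored (uncompressed) zip by hand.

    The optional overrides only alter the local header, which is the header the
    quoted checks inspect; the central directory always stays consistent."""
    lname = name if local_name is None else local_name
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    csize = len(payload) if local_csize is None else local_csize
    usize = len(payload) if local_usize is None else local_usize
    local = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 0, 0, 0, crc, csize, usize,
                        len(lname), 0) + lname + payload
    central = struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0, 0, 0, 0, crc,
                          len(payload), len(payload), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


# Constructed sample archives (not real customer files).
PAYLOAD = b"hello from a constructed sample\n"
CLEAN_ZIP = make_stored_zip(b"note.txt", PAYLOAD)
NONAME_ZIP = make_stored_zip(b"note.txt", PAYLOAD, local_name=b"")
ZERO_CSIZE_ZIP = make_stored_zip(b"note.txt", PAYLOAD, local_csize=0)


def library_built_zip():
    """A zip written by Python's zipfile module, to show a normal archive passes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.txt", PAYLOAD)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("clean", CLEAN_ZIP), ("zipfile-built", library_built_zip()),
               ("noname", NONAME_ZIP), ("zero csize", ZERO_CSIZE_ZIP)]
    for label, blob in samples:
        print("%-14s %s" % (label, suspect_zip_reasons(blob) or "ok"))
```

Running the script prints "ok" for the two normally built archives and one reason each for the two deliberately malformed ones. Without a copy of the customer's file there is no way to tell which of the two branches fired; feeding the file through `suspect_zip_reasons` would answer that, and the printed `flags` value shows whether a streaming (data descriptor) archive was involved.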