I sent this out last night, but it must have been rejected for length or something, so I’ll remove the lengthy results of the third test and quotes to see if that works.
-Al- ============== I ran some tests after my last posting to answer just this question, but results were mixed so I was waiting for an authoritative answer. Since we haven’t heard yet, I’ll post my results. First I made my own .dmg with an eicar test file on-board. Running clamscan —debut on the file did not detect any infection nor did it identify the file as a DMG: > LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16) > LibClamAV debug: Recognized binary data > LibClamAV debug: cache_check: ff8fdbcdb89e9474452237677b5f09e9 is negative > LibClamAV debug: in cli_check_mydoom_log() > LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0 > LibClamAV debug: cli_magic_scandesc: returning 0 at line 2470 > LibClamAV debug: cache_add: ff8fdbcdb89e9474452237677b5f09e9 (level 0) > /Volumes/Macintosh HD/Users/avarnell/Documents/EicarTest.dmg: OK > LibClamAV debug: Cleaning up phishcheck > LibClamAV debug: Freeing phishcheck struct > LibClamAV debug: Phishcheck cleaned up > > ----------- SCAN SUMMARY ----------- > Known viruses: 3778735 > Engine version: 0.98.6 > Scanned directories: 0 > Scanned files: 1 > Infected files: 0 > Data scanned: 7.62 MB > Data read: 7.55 MB (ratio 1.01:1) > Time: 7.553 sec (0 m 7 s) When I mounted the EicarTest.dmg ClamXav Sentry (real-time process using clamd) caught it immediately. ======= Next I scanned download.dmg which was known to contained the FkCodec adware. It detected the hash value as expected and also matched three ZIP segments and the DMG container: > LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16) > LibClamAV debug: Recognized binary data > LibClamAV debug: cache_check: b4ece10d1e706b87b065523a654d48a7 is negative > LibClamAV debug: in cli_check_mydoom_log() > LibClamAV debug: Matched signature for file type ZIP-SFX at 376602 > LibClamAV debug: Matched signature for file type ZIP-SFX at 407295 > LibClamAV debug: Matched signature for file type ZIP-SFX at 563034 > LibClamAV debug: Matched signature for file type DMG container file at 626691 > LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0 > LibClamAV debug: Adware.OSX found > LibClamAV debug: FP SIGNATURE: > b4ece10d1e706b87b065523a654d48a7:627203:Adware.OSX > LibClamAV debug: cli_magic_scandesc: returning 1 at line 2470 > /Users/avarnell/Desktop/•Download/Malware/FkCodec-A/download.dmg: Adware.OSX > FOUND > LibClamAV debug: Cleaning up phishcheck > LibClamAV debug: Freeing phishcheck struct > LibClamAV debug: Phishcheck cleaned up > > ----------- SCAN SUMMARY ----------- > Known viruses: 3778290 > Engine version: 0.98.6 > Scanned directories: 0 > Scanned files: 1 > Infected files: 1 > Data scanned: 0.60 MB > Data read: 0.60 MB (ratio 1.01:1) > Time: 7.419 sec (0 m 7 s) When I mounted the download.dmg Sentry caught Codec-M Installer.app/Contents/MacOS/Installer: Osx.Trojan.Fakecodecs-1 immediately. ========= Last I scanned CleanApp 4.0.8 Mac 中文版.dmg which was known to contain the Machook or WireLurker malware. I also knew that an unofficail has signature was available only to ClamXav users. It detects the hash value as expected but also was able to decompose 13 segments each with several sections. > results available on request. When mounting CleanApp 4.0.8 Mac 中文版.dmg Sentry located: /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/MacOS/CleanApp: OSX.MacHook/WireLurker.UNOFFICIAL FOUND /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/Resources/FontMap1.cfg: OSX.MacHook/WireLurker.A.UNOFFICIAL FOUND /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/Resources/start.sh: OSX.MacHook/WireLurker.UNOFFICIAL FOUND ====== So three somewhat different results for the three .dmg files leads me to believe that bursting is possible, but no evidence of being able to detect infected files within a .dmg container. -Al- _______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
