I realize this is only peripherally related to the OP's issue, but I believe it's similar enough to bring it back to the list again.
I mentioned earlier that I ran tests on a .dmg (back in March 2015) by first creating my own .dmg with an eicar test file on-board. But that was made with engine 98.6 when the dmg capability was first added. I just repeated that test using engine 99.2 running clamscan --debug on the file and it still does not detect any infection nor did it identify the file as a DMG:

> LibClamAV debug: * Submodule DMG: On
> ...
> LibClamAV debug: Recognized binary data
> ...
> /Volumes/Macintosh HD/Users/***/Documents/EicarTest.dmg: OK
> ----------- SCAN SUMMARY -----------
> Known viruses: 7343153
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 15.24 MB
> Data read: 7.55 MB (ratio 2.02:1)
> Time: 13.971 sec (0 m 13 s)

After mounting the image and scanning that:

> LibClamAV debug: Recognized ASCII text
> LibClamAV debug: cache_check: 44d88612fea8a8f36de82e1278abb02f is negative
> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> LibClamAV debug: Eicar-Test-Signature found
> LibClamAV debug: FP SIGNATURE: 44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
> LibClamAV debug: cli_magic_scandesc: returning 1 at line 2685
> /Volumes/Disk Image/eicar.com: Eicar-Test-Signature FOUND
> ----------- SCAN SUMMARY -----------
> Known viruses: 7343153
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 10.979 sec (0 m 10 s)

I plan on doing additional tests against at least one other .dmg that I know contains malware when I have more time.

-Al-

On Thu, Sep 14, 2017 at 11:45 AM, Paul Kosinski wrote:
> I tried the --debug option and it produced a lot of output (which I can
> provide if it would help). It *did* say the following, however:
>
> LibClamAV debug: Module ARCHIVE: On
> LibClamAV debug: * Submodule RAR: On
> LibClamAV debug: * Submodule ZIP: On
> LibClamAV debug: * Submodule GZIP: On
> ...
> LibClamAV debug: * Submodule 7zip: On
> LibClamAV debug: * Submodule ISO9660: On
> LibClamAV debug: * Submodule DMG: On
> ...
>
> so it apparently knows about ISOs.
>
> It also scanned 0 data bytes in a CD-sized ISO, so it isn't just the
> problem that DVD ISOs are "too big".
>
> Paul Kosinski
>
>
> On Thu, 14 Sep 2017 12:51:38 -0400
> Steven Morgan <smor...@sourcefire.com> wrote:
>
>> ClamAV contains an iso9660 parser.
>>
>> The clamscan --debug option may give a clue as to why it is not being
>> scanned.
>>
>> Steven Morgan
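The two symptoms in this thread (a .dmg that clamscan only "Recognized" as binary data, and an ISO from which 0 data bytes were scanned) can be picked out of `clamscan --debug` output automatically. The checker below is an added example, not code from the thread or from ClamAV; `parse_clamscan`, `container_not_unpacked` and `CONTAINER_EXTS` are hypothetical names, the sample output is constructed from the excerpts quoted above, and the token a "Recognized ..." line carries once the DMG/ISO parser engages is an assumption to adjust to your engine's wording.

```python
import os
import re
# Constructed sample, cut down from the two clamscan --debug excerpts in the thread.
DMG_RUN = """\
LibClamAV debug: Recognized binary data
/Volumes/Macintosh HD/Users/***/Documents/EicarTest.dmg: OK
----------- SCAN SUMMARY -----------
Data scanned: 15.24 MB
Data read: 7.55 MB (ratio 2.02:1)
"""
MOUNTED_RUN = """\
LibClamAV debug: Recognized ASCII text
/Volumes/Disk Image/eicar.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
"""
# Extension -> token expected in a "Recognized ..." line once the container
# parser engages (assumed wording; adjust to what your engine prints).
CONTAINER_EXTS = {".dmg": "dmg", ".iso": "iso"}

def parse_clamscan(text):
    # Split --debug output into recognized types, per-file verdicts and summary.
    report = {"recognized": [], "results": {}, "summary": {}}
    in_summary = False
    for line in text.splitlines():
        if line.startswith("----------- SCAN SUMMARY"):
            in_summary = True
        elif in_summary and ":" in line:
            key, _, value = line.partition(":")
            report["summary"][key.strip()] = value.strip()
        elif line.startswith("LibClamAV debug: Recognized "):
            report["recognized"].append(line.split("Recognized ", 1)[1].strip())
        elif not line.startswith("LibClamAV"):
            m = re.match(r"^(.+?): (OK|.* FOUND)$", line)
            if m:
                report["results"][m.group(1)] = m.group(2)
    return report

def _mb(value):
    m = re.match(r"([\d.]+) MB", value or "")  # "7.55 MB (ratio 2.02:1)" -> 7.55
    return float(m.group(1)) if m else 0.0

def container_not_unpacked(report):
    # Container files never recognized as such, or read with nothing scanned (the ISO case).
    recognized = " ".join(report["recognized"]).lower()
    s = report["summary"]
    read_not_scanned = _mb(s.get("Data read")) > 0 and _mb(s.get("Data scanned")) == 0
    return [p for p in report["results"]
            if (t := CONTAINER_EXTS.get(os.path.splitext(p)[1].lower()))
            and (t not in recognized or read_not_scanned)]
```

Run over the first sample it flags the .dmg, which was scanned as a plain blob; over the second (the file scanned from the mounted image) it flags nothing, so a non-empty result is the cue to look at which submodule failed to engage rather than at signature coverage.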
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml