Micah,

Yeah, now that you mention it, I remember having read somewhere about
".ja" files as being not quite zip format. On Linux, the (latest)
"file" command identifies ".ja" as "Mozilla archive" format. But
(recent) unzip commands don't seem to have any trouble (unlike ARK,
which can't find a suitable plugin).

But my favorite file manager -- emacs (!) -- expands them nicely into a
virtual file list so you can look inside the individual files.

P.S. Speaking of ISO and GPT formats, proper handling of them will need
going to 64-bit file sizes and offsets.


On Sun, 12 Apr 2020 17:39:22 +0000
"Micah Snyder (micasnyd)" <micas...@cisco.com> wrote:

> Paul,
> 
> I investigated further and realize now that it ISN'T
> double-extracting files from plain zips.  It is double-extracting
> files from zips within other raw image file formats, like TAR or
> image file formats.  For a plain zip, it detects the file entries
> twice, but doesn't extract them if the parent file is a zip. 
> 
> I tested this by making a simple zip with two text files in it, then
> tar.gz'd it.  Scanning the zip.tar.gz file resulted in
> double-extraction of both text files.  
> 
> Funny story, the omni.ja file is not a real zip.  The author of the
> format decided to place the central directory header at the beginning
> of the file instead of at the end, resulting in a new zip-like file
> format.  We're able to parse out the files from omni.ja okay because
> we have self-extracting zip signatures that identify the individual
> file entries and because the omni.ja file itself is detected as
> "binary data" (so the ZIPSFX-in-a-ZIP exclusion rule does not apply). 
> 
> Anyhow, I now suspect that the omni.ja file in a tar.gz file will
> also get double-extracted.  The simplest option would be to disable
> file-type-recognition scans for embedded file formats in TAR
> files (and also GPT and other non-compressed archive file formats).
> I had been wanting to do this anyway after investigating a closely
> related issue regarding ISO/GPT file formats. This definitely gives
> us more reason to do so.
> 
> -Micah
> 
> On 4/10/20, 6:55 PM, "Paul Kosinski" <clamav-us...@iment.com> wrote:
> 
>     Is this a generic problem with compressed archives (like the
> Firefox ".tar.bz2") or is it zip specific? 
>     
>     If it is zip specific, there are 2 files in the Firefox
> distribution file that are zip format compressed which might explain
> the slowness. (They are both named omni.ja, but have different
> contents). 
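The omni.ja layout Micah describes above (central directory placed ahead of the local file entries), shown as an added example that is not code from this thread, from ClamAV or from Mozilla. The Python below finds the end-of-central-directory record the way unzip does (scanning backwards from the end of the file), walks the central directory, checks that every entry's local header is where the directory says it is, and reports whether the local headers come before or after the directory. The two-text-file zip is constructed in memory to match the test Micah describes; the relocation helper only imitates the "central directory first" layout for demonstration and is not Mozilla's exact on-disk omni.ja format, so the function and field names here are the example's own.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CD_SIG = b"PK\x01\x02"     # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header

EOCD_FMT = "<4sHHHHIIH"          # 22-byte fixed part of the EOCD record
CD_FMT = "<4sHHHHHHIIIHHHHHII"   # 46-byte fixed part of a central directory header


def find_eocd(data):
    """Locate the EOCD record by scanning backwards (a zip comment may be up to 65535 bytes)."""
    window = min(len(data), 22 + 0xFFFF)
    idx = data.rfind(EOCD_SIG, len(data) - window)
    if idx < 0 or idx + 22 > len(data):
        return None
    f = struct.unpack(EOCD_FMT, data[idx:idx + 22])
    return {"eocd_offset": idx, "entries": f[4], "cd_size": f[5], "cd_offset": f[6]}


def list_entries(data):
    """Walk the central directory and return [(name, local_header_offset), ...],
    verifying that each recorded offset really points at a local file header."""
    eocd = find_eocd(data)
    if eocd is None:
        raise ValueError("no end-of-central-directory record")
    pos = eocd["cd_offset"]
    entries = []
    for _ in range(eocd["entries"]):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError("central directory header expected at offset %d" % pos)
        f = struct.unpack(CD_FMT, data[pos:pos + 46])
        name_len, extra_len, comment_len, local_off = f[10], f[11], f[12], f[16]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if data[local_off:local_off + 4] != LFH_SIG:
            raise ValueError("entry %r points at a bad local header" % name)
        entries.append((name, local_off))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def classify_layout(data):
    """'standard' when local entries precede the central directory,
    'central-directory-first' for the omni.ja-style arrangement, else 'not-zip'."""
    eocd = find_eocd(data)
    if eocd is None or data[eocd["cd_offset"]:eocd["cd_offset"] + 4] != CD_SIG:
        return "not-zip"
    entries = list_entries(data)
    if entries and min(off for _, off in entries) > eocd["cd_offset"]:
        return "central-directory-first"
    return "standard"


def make_standard_zip(files):
    """Constructed sample input: an ordinary zip with stored (uncompressed) members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def move_central_directory_to_front(data):
    """Rewrite a standard zip so the central directory and EOCD come first and the
    local entries follow. Illustrative only: it mimics the layout the thread
    describes for omni.ja, not Mozilla's exact format."""
    eocd = find_eocd(data)
    cd_off, cd_size = eocd["cd_offset"], eocd["cd_size"]
    cd = bytearray(data[cd_off:cd_off + cd_size])
    eocd_rec = bytearray(data[eocd["eocd_offset"]:eocd["eocd_offset"] + 22])
    body = data[:cd_off]            # local headers plus member data
    shift = cd_size + 22            # the body moves forward by this many bytes
    pos = 0
    while pos < len(cd):            # patch every entry's local header offset
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", cd, pos + 28)
        old = struct.unpack_from("<I", cd, pos + 42)[0]
        struct.pack_into("<I", cd, pos + 42, old + shift)
        pos += 46 + name_len + extra_len + comment_len
    struct.pack_into("<I", eocd_rec, 16, 0)   # central directory now starts at offset 0
    return bytes(cd) + bytes(eocd_rec) + body


if __name__ == "__main__":
    sample = make_standard_zip({"a.txt": b"first file\n", "b.txt": b"second file\n"})
    for label, blob in (("standard", sample),
                        ("relocated", move_central_directory_to_front(sample))):
        print(label, classify_layout(blob), list_entries(blob))
```

The point for the scanner discussion: a tool that only recognises a zip by the EOCD record at the very end of the file will not see the relocated layout as a zip at all, while a tool that looks for local-header signatures (the way Micah says the ZIPSFX signatures do) still finds every member, which is why a file like this can be treated as "binary data" yet have its entries extracted anyway. Note that the relocated blob above is a demonstration of the layout, not a faithful omni.ja, so do not rely on its exact byte positions when writing signatures.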

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

