Thanks for the reply :-)
I will poke at this a little more and try to be as detailed as I can
then file a bugreport.
Will add a few inline replies here too.
On 27.4.2021 16:09, G.W. Haywood via clamav-users wrote:
> This seems to be saying you have a clamd.conf, otherwise freshclam
> wouldn't be able to find it and I'd expect it to give an error. If
> you do have a clamd.conf but don't have a clamd running I'd expect
> freshclam to throw an error when it tried to contact clamd to tell
> it to update its databases.
I am not using clamd, I installed clamav using apt and it did not
install clamdscan, but clamscan and freshclam, so I did not find any
clamd.conf.
> Mostly I'm responding to let you know that I'm still here,
Thanks for that :-)
> What I mean by expected behaviour is that if you whitelist something
> by means of the digest of its uncompressed form, then the scanner sees
> it in compressed form, the scanner will uncompress it automatically -
> and then find that it's whitelisted.
Yes, usually... not always, which is what I found confusing. I can think
of reasons why you might not want this to be the case though (packing
malicious code so you can send it for analysis for example). If you pack
a malicious file on its own (i.e. nothing else in the archive) this
makes sense, but I have not checked what happens if you pack a malicious
file with clean files, might do that to get more data :-)
> But you seem to be saying that things change when you move files
> around in the filesystem, and other things (for example things like
> directory/filesystem/size/scan/whatever restrictions) being equal, I
> don't see why there should be any difference in behaviour when the
> scan target is moved so I'd like to look into that when I have time.
Yes I did see that behavior but only when using the eicar test files,
not when using php injected malware as sample, then everything worked
exactly as I expected (including uncompressed file also whitelisting zip
and vice versa).
>> Should I file a bugreport on this?
> I'd think that's quite reasonable. :)
On it! :-)
Haukur