G.W. Haywood via clamav-users wrote:
Hi there,
On Fri, 14 Jan 2022, Kris Deugau wrote:
I've just come across a presumed-malicious .zip file of about 500K
that contains a ~315M ISO image, which in turn appears to contain a
~315M executable file.
After a bit of searching and testing I see the --max-ratio option has
been removed from clamscan, and ArchiveMaxCompressionRatio in
clamd.conf has been deprecated.
Are there any remaining (or new?) options that might help flag
hypercompressed files like this?
If you're using clamd, perhaps try the AlertExceedsMax option together
with the MaxScanSize and/or MaxFileSize options. No it's not the same. :/
Hmm. Might work for this case, I'll try some combinations.
Did this arrive in mail, Kris?
Yes. Indications are it was sent through a cracked hosting account,
with an envelope and reply to a GMail account.
On closer inspection, when originally received the message matched one
of the Sanesecurity "foxhole" signatures, which could collectively be
scored much higher on this particular receiving account (technical role
address). It's a hack and I'm not sure it's worth even that much effort
since this is the first example I've seen in the wild.
-kgd
_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
