Schroeffu, Ged,
ClamAV does not include support for parsing the old AR archive format used for
DEB archives ( https://en.wikipedia.org/wiki/Ar_(Unix) ). Adding AR archive
parsing would be a new feature. You are welcome to create a feature request
issue using the bug report queue on Github
https://github.com/Cisco-Talos/clamav/issues/new?assignees=&labels=&template=bug_report.md&title=.
But I can't promise if or when we'll add support for DEB-style AR archives.
Ged, the unofficial eicar signature that you shared targets any file (target
type 0) at any offset (offset: *):
{HEX}EICAR.TEST.3:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
For a format like AR or TAR, this signature will match if those eicar bytes are
found anywhere in the file. The AR format does not do any compression, so it
makes sense that this signature would alert. But this is not the intended use
case for the EICAR test file because it doesn't demonstrate any unpacking of
the archive.
Regards,
Micah
Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
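The two behaviours described in this thread (a raw-byte signature matching an uncompressed AR member, but not a compressed member until it is extracted) can be reproduced offline with a small parser for the common ar format linked above. This is an added example, not ClamAV code and not the signature database; the archive, member names and marker bytes are constructed here, and the gzip members are placeholders rather than real tar streams.

```python
import gzip
AR_MAGIC = b"!<arch>\n"   # global header of the common ar format used by .deb

def parse_ar(data: bytes) -> dict[str, bytes]:
    """Parse a common-format ar archive into {member name: raw member bytes}."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]   # 16 name, 12 mtime, 6 uid, 6 gid, 8 mode, 10 size, 2 magic
        if hdr[58:60] != b"`\n":
            raise ValueError(f"bad member header at offset {pos}")
        name = hdr[:16].decode("ascii").rstrip(" ").rstrip("/")   # GNU ar appends '/'
        size = int(hdr[48:58])
        body = data[pos + 60:pos + 60 + size]
        if len(body) != size:
            raise ValueError(f"truncated member {name!r}")
        members[name] = body
        pos += 60 + size + (size & 1)   # member data is padded to an even offset
    return members

def build_ar(members: list[tuple[str, bytes]]) -> bytes:
    """Build a minimal ar archive; used here only to construct the sample input."""
    out = bytearray(AR_MAGIC)
    for name, body in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}".encode() + b"`\n"
        out += body + (b"\n" if len(body) & 1 else b"")
    return bytes(out)

MARKER = b"TEST-MARKER-NOT-A-REAL-SIGNATURE"   # stands in for the bytes a signature looks for
# Constructed .deb-style sample: one plain member, two gzip members (placeholder payloads, not tar).
SAMPLE_DEB = build_ar([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", gzip.compress(b"Package: sample\n")),
    ("data.tar.gz", gzip.compress(b"./usr/bin/sample\n" + MARKER + b"\n")),
])

def raw_match(blob: bytes, pattern: bytes) -> bool:
    """What an any-target, any-offset raw-byte signature sees: the bytes as stored on disk."""
    return pattern in blob

def match_after_unpacking(deb: bytes, pattern: bytes) -> dict[str, bool]:
    """Per member: does the pattern appear once gzip members are decompressed?"""
    results = {}
    for name, body in parse_ar(deb).items():
        if body[:2] == b"\x1f\x8b":   # gzip magic: the member must be decompressed first
            body = gzip.decompress(body)
        results[name] = raw_match(body, pattern)
    return results
```

Scanning `SAMPLE_DEB` raw finds the uncompressed `debian-binary` content but not the marker inside `data.tar.gz`; only after extracting and decompressing that member does the marker appear, which is the same difference Schroeffu saw between scanning the .deb and scanning the member produced by `ar x`.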
________________________________
From: clamav-users <[email protected]> on behalf of
Schroeffu via clamav-users <[email protected]>
Sent: Monday, July 11, 2022 1:27 AM
To: [email protected] <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [clamav-users] ClamAV does not detect viruses in "ar archive" file
format
Hi Ged & ClamAV Users,
you are right about eicar: the unofficial signatures are detected in a .ar
archive.
Besides this, unfortunately, real malware code and eicar are not detected in a
.tar.gz (gzip) inside of an .ar archive file (like .deb packages are).
How to reproduce:
- Download my test file gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb
(6MB) (download here at your own risk!) and run a scan like this:
- wget https://seafile.schroeffu.ch/f/876b201b6d614d66a87e/?dl=1 -O /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb && clamdscan -z /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb (no virus found) *1)
- Unpack the .ar archive and scan the gzip file (data.tar.zst) inside it; once
unpacked this way, the viruses are found inside data.tar.zst (gzip):
- ar x /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb && clamdscan -z /tmp/data.tar.zst (virus will be found) *2)
--> Is this a handling failure on my part (e.g. archive-in-archive scanning
not configured), or is it worth a bug report?
*1)
clamdscan -z gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb: OK
----------- SCAN SUMMARY -----------
Infected files: 0
Time: 3.508 sec (0 m 3 s)
Start Date: 2022:07:11 10:11:49
End Date: 2022:07:11 10:11:53
*2)
clamdscan -z data.tar.zst
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst:
Win.Dropper.Corebot-7599208-0 FOUND
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst:
{HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst:
{HEX}EICAR.TEST.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 21.519 sec (0 m 21 s)
Start Date: 2022:07:11 10:11:18
End Date: 2022:07:11 10:11:39
_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat