Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-14 Thread Al Varnell
I realize this is only peripherally related to the OP's issue, but I believe 
it's similar enough to bring it back to the list again.

I mentioned earlier that I ran tests on a .dmg (back in March 2015) by first 
creating my own .dmg with an eicar test file on-board. But that was made with 
engine 98.6 when the dmg capability was first added.

I just repeated that test using engine 99.2 running clamscan --debug on the 
file and it still does not detect any infection nor did it identify the file as 
a DMG:

> LibClamAV debug:* SubmoduleDMG:   On
> ...
> LibClamAV debug: Recognized binary data
> ...
> /Volumes/Macintosh HD/Users/***/Documents/EicarTest.dmg: OK
> --- SCAN SUMMARY ---
> Known viruses: 7343153
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 15.24 MB
> Data read: 7.55 MB (ratio 2.02:1)
> Time: 13.971 sec (0 m 13 s)

After mounting the image and scanning that:

> LibClamAV debug: Recognized ASCII text
> LibClamAV debug: cache_check: 44d88612fea8a8f36de82e1278abb02f is negative
> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> LibClamAV debug: Eicar-Test-Signature found
> LibClamAV debug: FP SIGNATURE: 44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
> LibClamAV debug: cli_magic_scandesc: returning 1  at line 2685
> /Volumes/Disk Image/eicar.com: Eicar-Test-Signature FOUND
> --- SCAN SUMMARY ---
> Known viruses: 7343153
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 10.979 sec (0 m 10 s)

I plan on doing additional tests against at least one other .dmg that I know 
contains malware when I have more time.

-Al-

On Thu, Sep 14, 2017 at 11:45 AM, Paul Kosinski wrote:
> I tried the --debug option and it produced a lot of output (which I can
> provide if it would help). It *did* say the following, however:
> 
>  LibClamAV debug: Module ARCHIVE: On
>  LibClamAV debug:* SubmoduleRAR:  On
>  LibClamAV debug:* SubmoduleZIP:  On
>  LibClamAV debug:* Submodule   GZIP:  On
>  ...
>  LibClamAV debug:* Submodule   7zip:  On
>  LibClamAV debug:* SubmoduleISO9660:  On
>  LibClamAV debug:* SubmoduleDMG:  On
>  ...
> 
> so it apparently knows about ISOs.
> 
> It also scanned 0 data bytes in a CD-sized ISO, so it isn't just the
> problem that DVD ISOs are "too big".
> 
> Paul Kosinski
> 
> 
> On Thu, 14 Sep 2017 12:51:38 -0400
> Steven Morgan wrote:
> 
>> ClamAV contains an iso9660 parser.
>> 
>> The clamscan --debug option may give a clue as to why it is not being
>> scanned.
>> 
>> Steven Morgan


___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-14 Thread Paul Kosinski
I was mistaken: it turns out that ClamAV 0.99.2 *will* scan CD-size ISO
files. I just had to set --max-filesize and --max-scansize big enough.

And with the -v and -a options added, it *did* indicate it was scanning
files within the ISO.

I haven't had a chance to try 0.99.3 yet.


On Thu, 14 Sep 2017 16:11:46 -0400
Mickey Sola wrote:

> I might be remembering wrong, but I believe there was work done to
> address Clam's large filesize handling issues in the year between
> 0.99.2 and 0.99.3.
> 
> Have you tested out the beta yet to see if your needs have been
> addressed?
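
The symptom discussed in this thread, a file reported OK while the summary shows 0.00 MB scanned, can be caught by checking the summary instead of trusting the verdict line. The script below is an added example, not part of any poster's message or of ClamAV itself; the function names, the constructed sample summaries and the default 2000M limit are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): flag clamscan runs that report OK
# although nothing inside the file was inspected.

# classify_scan: read clamscan output on stdin, print one verdict word.
classify_scan() {
    awk '
        /^WARNING: .*resetting to/ { clamped = 1 }   # requested limit was lowered
        /^Infected files:/         { infected = $3 + 0 }
        /^Data scanned:/           { scanned = $3 + 0; seen = 1 }
        /^Data read:/              { read_mb = $3 + 0 }
        END {
            if (!seen)                            print "NO_SUMMARY"
            else if (infected > 0)                print "INFECTED"
            else if (scanned == 0 && read_mb > 0) print "READ_NOT_SCANNED"
            else if (clamped)                     print "LIMIT_CLAMPED"
            else                                  print "CLEAN"
        }'
}

# scan_and_classify FILE [LIMIT]: run clamscan with both size limits raised.
# LIMIT (default 2000M) is an assumed value; pick one above the file size.
scan_and_classify() {
    limit="${2:-2000M}"
    clamscan --max-filesize="$limit" --max-scansize="$limit" "$1" 2>&1 | classify_scan
}

# Constructed sample outputs (file names and numbers are invented).
sample_skipped() {
    cat <<'EOF'
WARNING: Numerical value for option max-filesize too high, resetting to 4G
big.iso: OK
--- SCAN SUMMARY ---
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 4445.00 MB (ratio 0.00:1)
EOF
}

sample_clean() {
    cat <<'EOF'
small.iso: OK
--- SCAN SUMMARY ---
Scanned files: 1
Infected files: 0
Data scanned: 650.10 MB
Data read: 640.00 MB (ratio 1.02:1)
EOF
}

# Demo on the constructed samples.
echo "skipped sample: $(sample_skipped | classify_scan)"
echo "clean sample:   $(sample_clean | classify_scan)"
```

Anything other than CLEAN or INFECTED means the OK on the verdict line should not be treated as a scan result.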



Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-14 Thread Mickey Sola
I might be remembering wrong, but I believe there was work done to address
Clam's large filesize handling issues in the year between 0.99.2 and 0.99.3.

Have you tested out the beta yet to see if your needs have been addressed?

On Thu, Sep 14, 2017 at 2:45 PM, Paul Kosinski wrote:

> To continue...
>
> Since this is the year 2017, and 64-bit computing has been around for
> years, I decided to see how a Windows AV package would handle my ISO
> which is "too big" for ClamAV.
>
> I copied it over to a 64-bit Win7 machine with lots of RAM (32 GB), and
> scanned it with Microsoft "Security Essentials". The result?
>
> 1. It didn't complain about the size of the file.
>
> 2. It scanned 11424 items *within* the ISO!
>
> I can understand (sort of) that ClamAV can't scan inside some archive
> formats. (But then why did --debug report that the ISO module was "on"?)
>
> But I can't understand why ClamAV can't handle files bigger than 4 GB.
> Especially now that 64-bit OSes are common, and 64-bit CPUs are totally
> mainstream.


Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-14 Thread Paul Kosinski
To continue...

Since this is the year 2017, and 64-bit computing has been around for
years, I decided to see how a Windows AV package would handle my ISO
which is "too big" for ClamAV.

I copied it over to a 64-bit Win7 machine with lots of RAM (32 GB), and
scanned it with Microsoft "Security Essentials". The result?

1. It didn't complain about the size of the file.

2. It scanned 11424 items *within* the ISO!

I can understand (sort of) that ClamAV can't scan inside some archive
formats. (But then why did --debug report that the ISO module was "on"?)

But I can't understand why ClamAV can't handle files bigger than 4 GB.
Especially now that 64-bit OSes are common, and 64-bit CPUs are totally
mainstream.


Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-14 Thread Paul Kosinski
I tried the --debug option and it produced a lot of output (which I can
provide if it would help). It *did* say the following, however:

  LibClamAV debug: Module ARCHIVE: On
  LibClamAV debug:* SubmoduleRAR:   On
  LibClamAV debug:* SubmoduleZIP:   On
  LibClamAV debug:* Submodule   GZIP:   On
  ...
  LibClamAV debug:* Submodule   7zip:   On
  LibClamAV debug:* SubmoduleISO9660:   On
  LibClamAV debug:* SubmoduleDMG:   On
  ...

so it apparently knows about ISOs.

It also scanned 0 data bytes in a CD-sized ISO, so it isn't just the
problem that DVD ISOs are "too big".

Paul Kosinski


On Thu, 14 Sep 2017 12:51:38 -0400
Steven Morgan wrote:

> ClamAV contains an iso9660 parser.
> 
> The clamscan --debug option may give a clue as to why it is not being
> scanned.
> 
> Steven Morgan


Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-14 Thread Steven Morgan
ClamAV contains an iso9660 parser.

The clamscan --debug option may give a clue as to why it is not being
scanned.

Steven Morgan

On Wed, Sep 13, 2017 at 10:52 PM, Al Varnell wrote:

> On Wed, Sep 13, 2017 at 06:13 PM, Paul Kosinski wrote:
> > On Tue, 12 Sep 2017 21:49:17 -0800 kristen R wrote:
> >>
> >> The file is an image. Open the image up and then scan. Does clamscan
> >> open images itself and then perform a scan?
> >
> > YES! It scans *inside* ZIP, TAR, RAR etc.
>
> But does etc. include .iso's? There are many encoding formats that clamav
> is unable to scan inside of, including some oddball .zips I've run across.
> Although .dmg image scanning was added a few years back, I've experienced
> mixed results with detections unless the image is first mounted.
>
> It's also possible that .iso's are included in the list of files to skip.
> Have you looked into that?
>
> Sorry I don't have time at the moment to check into this for you. Perhaps
> later
>
> -Al-
> --
> Al Varnell
> Mountain View, CA


Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-13 Thread Al Varnell
On Wed, Sep 13, 2017 at 06:13 PM, Paul Kosinski wrote:
> On Tue, 12 Sep 2017 21:49:17 -0800 kristen R wrote:
>> 
>> The file is an image. Open the image up and then scan. Does clamscan
>> open images itself and then perform a scan?
> 
> YES! It scans *inside* ZIP, TAR, RAR etc.

But does etc. include .iso's? There are many encoding formats that clamav is 
unable to scan inside of, including some oddball .zips I've run across. 
Although .dmg image scanning was added a few years back, I've experienced mixed 
results with detections unless the image is first mounted.

It's also possible that .iso's are included in the list of files to skip. Have 
you looked into that?

Sorry I don't have time at the moment to check into this for you. Perhaps 
later

-Al-
-- 
Al Varnell
Mountain View, CA







Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-13 Thread Paul Kosinski
Thanks, but it doesn't help (still scans 0 data bytes).


On Wed, 13 Sep 2017 10:33:35 -0400
Steven Morgan wrote:

> Paul,
> 
> in addition to max-filesize, try max-scansize.
> 
> Steve



Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-13 Thread Paul Kosinski
On Tue, 12 Sep 2017 21:49:17 -0800
kristen R wrote:
> 
> The file is an image. Open the image up and then scan. Does clamscan
> open images itself and then perform a scan?
> 
> 


YES! It scans *inside* ZIP, TAR, RAR etc.

(Maybe these have a 4 GB limit too?)

If ClamAV can't handle files bigger than 4 GB, then it isn't very
suitable for modern computing. Most computers sold today support 64-bit
addressing. Windows 7, 8 and 10 can be either 32 or 64 bit, as can Mac
OSX. And of course Linux started supporting files over 4 GB many years
ago -- even before it supported 64-bit memory addressing.

Finally, DVDs have held more than 4 GB almost forever, Blu-Ray is lots
bigger, and individual digital video files can easily exceed 4 GB
(especially HD or UHD source files, which have little or no compression).

P.S. The usual way to "open" an ISO is to "mount" it. This operation is
usually performed at a high privilege level (e.g. root) which means
that if a malicious ISO were able to exploit a vulnerability in the
code which decodes the ISO metadata/headers (buffer overflow comes to
mind) it could cause major system damage.


Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-13 Thread Steven Morgan
Paul,

in addition to max-filesize, try max-scansize.

Steve

On Tue, Sep 12, 2017 at 11:50 PM, Paul Kosinski wrote:

> Clamscan read the entire ISO, but didn't scan any of it!
> I thought 21st century software was finally in the 64-bit era.
>
> ---
>
> ~/Downloads/Linux/Knoppix> ls -l KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
> -rw-r--r-- 1 ime users 4660914176 Sep 12 19:40
> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
>
> ~/Downloads/Linux/Knoppix> clamscan --max-filesize=M
> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
> WARNING: Numerical value for option max-filesize too high, resetting to 4G
> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 6303545
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: .99 MB (ratio 0.00:1)
> Time: 10.255 sec (0 m 10 s)


Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-12 Thread kristen R
On 9/12/17 9:44 PM, Al Varnell wrote:
> 
>> On Sep 12, 2017, at 10:42 PM, kristen R wrote:
>>> On 9/12/17 7:50 PM, Paul Kosinski wrote:
>>> Clamscan read the entire ISO, but didn't scan any of it!
>>> I thought 21st century software was finally in the 64-bit era.
>>>
>>> ---
>>>
>>> ~/Downloads/Linux/Knoppix> ls -l KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
>>> -rw-r--r-- 1 ime users 4660914176 Sep 12 19:40 
>>> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
>>>
>>> ~/Downloads/Linux/Knoppix> clamscan --max-filesize=M  
>>> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
>>> WARNING: Numerical value for option max-filesize too high, resetting to 4G
>>> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso: OK
>>>
>>> --- SCAN SUMMARY ---
>>> Known viruses: 6303545
>>> Engine version: 0.99.2
>>> Scanned directories: 0
>>> Scanned files: 1
>>> Infected files: 0
>>> Data scanned: 0.00 MB
>>> Data read: .99 MB (ratio 0.00:1)
>>> Time: 10.255 sec (0 m 10 s)
>>> ___
>>
>> Paul,
>>
>> Summary states it did scan the iso. Why do you think it didn't?
>>
>> Kristen
> 
>>> Data scanned: 0.00 MB
> 
> -Al-

The file is an image. Open the image up and then scan. Does clamscan
open images itself and then perform a scan?





Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-12 Thread Al Varnell

> On Sep 12, 2017, at 10:42 PM, kristen R wrote:
>> On 9/12/17 7:50 PM, Paul Kosinski wrote:
>> Clamscan read the entire ISO, but didn't scan any of it!
>> I thought 21st century software was finally in the 64-bit era.
>> 
>> ---
>> 
>> ~/Downloads/Linux/Knoppix> ls -l KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
>> -rw-r--r-- 1 ime users 4660914176 Sep 12 19:40 
>> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
>> 
>> ~/Downloads/Linux/Knoppix> clamscan --max-filesize=M  
>> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
>> WARNING: Numerical value for option max-filesize too high, resetting to 4G
>> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso: OK
>> 
>> --- SCAN SUMMARY ---
>> Known viruses: 6303545
>> Engine version: 0.99.2
>> Scanned directories: 0
>> Scanned files: 1
>> Infected files: 0
>> Data scanned: 0.00 MB
>> Data read: .99 MB (ratio 0.00:1)
>> Time: 10.255 sec (0 m 10 s)
>> ___
> 
> Paul,
> 
> Summary states it did scan the iso. Why do you think it didn't?
> 
> Kristen

>> Data scanned: 0.00 MB

Sent from my iPhone

-Al-




Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-12 Thread kristen R
On 9/12/17 7:50 PM, Paul Kosinski wrote:
> Clamscan read the entire ISO, but didn't scan any of it!
> I thought 21st century software was finally in the 64-bit era.
> 
> ---
> 
> ~/Downloads/Linux/Knoppix> ls -l KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
> -rw-r--r-- 1 ime users 4660914176 Sep 12 19:40 
> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
> 
> ~/Downloads/Linux/Knoppix> clamscan --max-filesize=M  
> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
> WARNING: Numerical value for option max-filesize too high, resetting to 4G
> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso: OK
> 
> --- SCAN SUMMARY ---
> Known viruses: 6303545
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: .99 MB (ratio 0.00:1)
> Time: 10.255 sec (0 m 10 s)
> ___

Paul,

Summary states it did scan the iso. Why do you think it didn't?

Kristen




[clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-12 Thread Paul Kosinski
Clamscan read the entire ISO, but didn't scan any of it!
I thought 21st century software was finally in the 64-bit era.

---

~/Downloads/Linux/Knoppix> ls -l KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
-rw-r--r-- 1 ime users 4660914176 Sep 12 19:40 KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso

~/Downloads/Linux/Knoppix> clamscan --max-filesize=M KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
WARNING: Numerical value for option max-filesize too high, resetting to 4G
KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso: OK

--- SCAN SUMMARY ---
Known viruses: 6303545
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: .99 MB (ratio 0.00:1)
Time: 10.255 sec (0 m 10 s)