Re: [clamav-users] ClamAV can't scan DVD-size ISO files
I realize this is only peripherally related to the OP's issue, but I believe it's similar enough to bring it back to the list again.

I mentioned earlier that I ran tests on a .dmg (back in March 2015) by first creating my own .dmg with an eicar test file on-board. But that was made with engine 98.6 when the dmg capability was first added. I just repeated that test using engine 99.2 running clamscan --debug on the file and it still does not detect any infection nor did it identify the file as a DMG:

> LibClamAV debug:* SubmoduleDMG: On
> ...
> LibClamAV debug: Recognized binary data
> ...
> /Volumes/Macintosh HD/Users/***/Documents/EicarTest.dmg: OK
> --- SCAN SUMMARY ---
> Known viruses: 7343153
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 15.24 MB
> Data read: 7.55 MB (ratio 2.02:1)
> Time: 13.971 sec (0 m 13 s)

After mounting the image and scanning that:

> LibClamAV debug: Recognized ASCII text
> LibClamAV debug: cache_check: 44d88612fea8a8f36de82e1278abb02f is negative
> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> LibClamAV debug: Eicar-Test-Signature found
> LibClamAV debug: FP SIGNATURE: 44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
> LibClamAV debug: cli_magic_scandesc: returning 1 at line 2685
> /Volumes/Disk Image/eicar.com: Eicar-Test-Signature FOUND
> --- SCAN SUMMARY ---
> Known viruses: 7343153
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 10.979 sec (0 m 10 s)

I plan on doing additional tests against at least one other .dmg that I know contains malware when I have more time.

-Al-

On Thu, Sep 14, 2017 at 11:45 AM, Paul Kosinski wrote:
> I tried the --debug option and it produced a lot of output (which I can
> provide if it would help). It *did* say the following, however:
>
> LibClamAV debug: Module ARCHIVE: On
> LibClamAV debug:* SubmoduleRAR: On
> LibClamAV debug:* SubmoduleZIP: On
> LibClamAV debug:* Submodule GZIP: On
> ...
> LibClamAV debug:* Submodule 7zip: On
> LibClamAV debug:* SubmoduleISO9660: On
> LibClamAV debug:* SubmoduleDMG: On
> ...
>
> so it apparently knows about ISOs.
>
> It also scanned 0 data bytes in a CD-sized ISO, so it isn't just the
> problem that DVD ISOs are "too big".
>
> Paul Kosinski
>
>
> On Thu, 14 Sep 2017 12:51:38 -0400
> Steven Morgan wrote:
>
>> ClamAV contains an iso9660 parser.
>>
>> The clamscan --debug option may give a clue as to why it is not being
>> scanned.
>>
>> Steven Morgan

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] ClamAV can't scan DVD-size ISO files
I was mistaken: it turns out that ClamAV 0.99.2 *will* scan CD-size ISO files. I just had to set --max-filesize and --max-scansize big enough. And with the -v and -a options added, it *did* indicate it was scanning files within the ISO.

I haven't had a chance to try 0.99.3 yet.

On Thu, 14 Sep 2017 16:11:46 -0400
Mickey Sola wrote:

> I might be remembering wrong, but I believe there was work done to
> address Clam's large filesize handling issues in the year between
> 0.99.2 and 0.99.3.
>
> Have you tested out the beta yet to see if your needs have been
> addressed?

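Added example, not part of the thread or of ClamAV: a shell check over clamscan output for the situation discussed here, where a file is reported "OK" although the summary shows 0.00 MB of data scanned. The function name check_scan_coverage, the verdict words and the sample output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: judge a clamscan run by the data examined, not by "OK".

# Constructed sample modelled on the summary quoted in the thread; the file
# name and the "Data read" figure are made up for the example.
sample_unscanned() {
cat <<'EOF'
WARNING: Numerical value for option max-filesize too high, resetting to 4G
big.iso: OK
--- SCAN SUMMARY ---
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 4444.99 MB (ratio 0.00:1)
EOF
}

# Constructed sample of a run in which data was examined.
sample_scanned() {
cat <<'EOF'
small.iso: OK
--- SCAN SUMMARY ---
Scanned files: 1
Infected files: 0
Data scanned: 15.24 MB
Data read: 7.55 MB (ratio 2.02:1)
EOF
}

# Reads clamscan output on stdin, prints a verdict and returns:
#   0 COVERED    some data was examined and nothing was flagged
#   1 INFECTED   the summary reports infected files
#   2 UNSCANNED  files were processed but 0 MB was examined
#   3 NOSUMMARY  no scan summary in the input
check_scan_coverage() {
    awk -F': *' '
        /^WARNING: .* resetting to / { capped = 1 }   # limit was lowered
        $1 == "Scanned files"  { files = $2 + 0; seen = 1 }
        $1 == "Infected files" { infected = $2 + 0 }
        $1 == "Data scanned"   { scanned = $2 + 0 }   # "0.00 MB" becomes 0
        END {
            if (!seen)        { print "NOSUMMARY"; exit 3 }
            if (infected > 0) { print "INFECTED";  exit 1 }
            if (files > 0 && scanned == 0) {
                print (capped ? "UNSCANNED limit-capped" : "UNSCANNED")
                exit 2
            }
            print "COVERED"; exit 0
        }'
}

sample_unscanned | check_scan_coverage || true   # UNSCANNED limit-capped
sample_scanned   | check_scan_coverage           # COVERED
```

A COVERED verdict only shows that some bytes were examined; the .dmg test reported in this thread had a non-zero "Data scanned" figure and still missed the test file inside the image.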
Re: [clamav-users] ClamAV can't scan DVD-size ISO files
I might be remembering wrong, but I believe there was work done to address Clam's large filesize handling issues in the year between 0.99.2 and 0.99.3.

Have you tested out the beta yet to see if your needs have been addressed?

On Thu, Sep 14, 2017 at 2:45 PM, Paul Kosinski wrote:

> To continue...
>
> Since this is the year 2017, and 64-bit computing has been around for
> years, I decided to see how a Windows AV package would handle my ISO
> which is "too big" for ClamAV.
>
> I copied it over to a 64-bit Win7 machine with lots of RAM (32 GB), and
> scanned it with Microsoft "Security Essentials". The result?
>
> 1. It didn't complain about the size of the file.
>
> 2. It scanned 11424 items *within* the ISO!
>
> I can understand (sort of) that ClamAV can't scan inside some archive
> formats. (But then why did --debug report that the ISO module was "on"?)
>
> But I can't understand why ClamAV can't handle files bigger than 4 GB.
> Especially now that 64-bit OSes are common, and 64-bit CPUs are totally
> mainstream.

Re: [clamav-users] ClamAV can't scan DVD-size ISO files
To continue...

Since this is the year 2017, and 64-bit computing has been around for years, I decided to see how a Windows AV package would handle my ISO which is "too big" for ClamAV.

I copied it over to a 64-bit Win7 machine with lots of RAM (32 GB), and scanned it with Microsoft "Security Essentials". The result?

1. It didn't complain about the size of the file.

2. It scanned 11424 items *within* the ISO!

I can understand (sort of) that ClamAV can't scan inside some archive formats. (But then why did --debug report that the ISO module was "on"?)

But I can't understand why ClamAV can't handle files bigger than 4 GB. Especially now that 64-bit OSes are common, and 64-bit CPUs are totally mainstream.

Re: [clamav-users] ClamAV can't scan DVD-size ISO files
I tried the --debug option and it produced a lot of output (which I can provide if it would help). It *did* say the following, however:

LibClamAV debug: Module ARCHIVE: On
LibClamAV debug:* SubmoduleRAR: On
LibClamAV debug:* SubmoduleZIP: On
LibClamAV debug:* Submodule GZIP: On
...
LibClamAV debug:* Submodule 7zip: On
LibClamAV debug:* SubmoduleISO9660: On
LibClamAV debug:* SubmoduleDMG: On
...

so it apparently knows about ISOs.

It also scanned 0 data bytes in a CD-sized ISO, so it isn't just the problem that DVD ISOs are "too big".

Paul Kosinski

On Thu, 14 Sep 2017 12:51:38 -0400
Steven Morgan wrote:

> ClamAV contains an iso9660 parser.
>
> The clamscan --debug option may give a clue as to why it is not being
> scanned.
>
> Steven Morgan

Re: [clamav-users] ClamAV can't scan DVD-size ISO files
ClamAV contains an iso9660 parser.

The clamscan --debug option may give a clue as to why it is not being scanned.

Steven Morgan

On Wed, Sep 13, 2017 at 10:52 PM, Al Varnell wrote:

> On Wed, Sep 13, 2017 at 06:13 PM, Paul Kosinski wrote:
> > On Tue, 12 Sep 2017 21:49:17 -0800 kristen R wrote:
> >>
> >> The file is an image. Open the image up and then scan. Does clamscan
> >> open images itself and then perform a scan?
> >
> > YES! It scans *inside* ZIP, TAR, RAR etc.
>
> But does etc. include .iso's? There are many encoding formats that clamav
> is unable to scan inside of, including some oddball .zips I've run across.
> Although .dmg image scanning was added a few years back, I've experienced
> mixed results with detections unless the image is first mounted.
>
> It's also possible that .iso's are included in the list of files to skip.
> Have you looked into that?
>
> Sorry I don't have time at the moment to check into this for you. Perhaps
> later
>
> -Al-
> --
> Al Varnell
> Mountain View, CA

Re: [clamav-users] ClamAV can't scan DVD-size ISO files
On Wed, Sep 13, 2017 at 06:13 PM, Paul Kosinski wrote:
> On Tue, 12 Sep 2017 21:49:17 -0800 kristen R wrote:
>>
>> The file is an image. Open the image up and then scan. Does clamscan
>> open images itself and then perform a scan?
>
> YES! It scans *inside* ZIP, TAR, RAR etc.

But does etc. include .iso's? There are many encoding formats that clamav is unable to scan inside of, including some oddball .zips I've run across. Although .dmg image scanning was added a few years back, I've experienced mixed results with detections unless the image is first mounted.

It's also possible that .iso's are included in the list of files to skip. Have you looked into that?

Sorry I don't have time at the moment to check into this for you. Perhaps later

-Al-
--
Al Varnell
Mountain View, CA

Re: [clamav-users] ClamAV can't scan DVD-size ISO files
Thanks, but it doesn't help (still scans 0 data bytes).

On Wed, 13 Sep 2017 10:33:35 -0400
Steven Morgan wrote:

> Paul,
>
> in addition to max-filesize, try max-scansize.
>
> Steve

Re: [clamav-users] ClamAV can't scan DVD-size ISO files
On Tue, 12 Sep 2017 21:49:17 -0800
kristen R wrote:

>
> The file is an image. Open the image up and then scan. Does clamscan
> open images itself and then perform a scan?
>

YES! It scans *inside* ZIP, TAR, RAR etc. (Maybe these have a 4 GB limit too?)

If ClamAV can't handle files bigger than 4 GB, then it isn't very suitable for modern computing. Most computers sold today support 64-bit addressing. Windows 7, 8 and 10 can be either 32 or 64 bit, as can Mac OSX. And of course Linux started supporting files over 4 GB many years ago -- even before it supported 64-bit memory addressing.

Finally, DVDs have held more than 4 GB almost forever, Blu-Ray is lots bigger, and individual digital video files can easily exceed 4 GB (especially HD or UHD source files, which have little or no compression).

P.S. The usual way to "open" an ISO is to "mount" it. This operation is usually performed at a high privilege level (e.g. root) which means that if a malicious ISO were able to exploit a vulnerability in the code which decodes the ISO metadata/headers (buffer overflow comes to mind) it could cause major system damage.

Re: [clamav-users] ClamAV can't scan DVD-size ISO files
Paul,

in addition to max-filesize, try max-scansize.

Steve

On Tue, Sep 12, 2017 at 11:50 PM, Paul Kosinski wrote:

> Clamscan read the entire ISO, but didn't scan any of it!
> I thought 21st century software was finally in the 64-bit era.
>
> ---
>
> ~/Downloads/Linux/Knoppix> ls -l KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
> -rw-r--r-- 1 ime users 4660914176 Sep 12 19:40 KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
>
> ~/Downloads/Linux/Knoppix> clamscan --max-filesize=M KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
> WARNING: Numerical value for option max-filesize too high, resetting to 4G
> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 6303545
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: .99 MB (ratio 0.00:1)
> Time: 10.255 sec (0 m 10 s)

Re: [clamav-users] ClamAV can't scan DVD-size ISO files
On 9/12/17 9:44 PM, Al Varnell wrote:
>
>> On Sep 12, 2017, at 10:42 PM, kristen R wrote:
>>> On 9/12/17 7:50 PM, Paul Kosinski wrote:
>>> Clamscan read the entire ISO, but didn't scan any of it!
>>> I thought 21st century software was finally in the 64-bit era.
>>>
>>> ---
>>>
>>> ~/Downloads/Linux/Knoppix> ls -l KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
>>> -rw-r--r-- 1 ime users 4660914176 Sep 12 19:40 KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
>>>
>>> ~/Downloads/Linux/Knoppix> clamscan --max-filesize=M KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
>>> WARNING: Numerical value for option max-filesize too high, resetting to 4G
>>> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso: OK
>>>
>>> --- SCAN SUMMARY ---
>>> Known viruses: 6303545
>>> Engine version: 0.99.2
>>> Scanned directories: 0
>>> Scanned files: 1
>>> Infected files: 0
>>> Data scanned: 0.00 MB
>>> Data read: .99 MB (ratio 0.00:1)
>>> Time: 10.255 sec (0 m 10 s)
>>> ___
>>
>> Paul,
>>
>> Summary states it did scan the iso. Why do you think it didn't?
>>
>> Kristen
>
>>> Data scanned: 0.00 MB
>
> -Al-

The file is an image. Open the image up and then scan. Does clamscan open images itself and then perform a scan?

Re: [clamav-users] ClamAV can't scan DVD-size ISO files
> On Sep 12, 2017, at 10:42 PM, kristen R wrote:
>> On 9/12/17 7:50 PM, Paul Kosinski wrote:
>> Clamscan read the entire ISO, but didn't scan any of it!
>> I thought 21st century software was finally in the 64-bit era.
>>
>> ---
>>
>> ~/Downloads/Linux/Knoppix> ls -l KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
>> -rw-r--r-- 1 ime users 4660914176 Sep 12 19:40 KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
>>
>> ~/Downloads/Linux/Knoppix> clamscan --max-filesize=M KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
>> WARNING: Numerical value for option max-filesize too high, resetting to 4G
>> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso: OK
>>
>> --- SCAN SUMMARY ---
>> Known viruses: 6303545
>> Engine version: 0.99.2
>> Scanned directories: 0
>> Scanned files: 1
>> Infected files: 0
>> Data scanned: 0.00 MB
>> Data read: .99 MB (ratio 0.00:1)
>> Time: 10.255 sec (0 m 10 s)
>> ___
>
> Paul,
>
> Summary states it did scan the iso. Why do you think it didn't?
>
> Kristen

>> Data scanned: 0.00 MB

Sent from my iPhone

-Al-

Re: [clamav-users] ClamAV can't scan DVD-size ISO files
On 9/12/17 7:50 PM, Paul Kosinski wrote:
> Clamscan read the entire ISO, but didn't scan any of it!
> I thought 21st century software was finally in the 64-bit era.
>
> ---
>
> ~/Downloads/Linux/Knoppix> ls -l KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
> -rw-r--r-- 1 ime users 4660914176 Sep 12 19:40 KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
>
> ~/Downloads/Linux/Knoppix> clamscan --max-filesize=M KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
> WARNING: Numerical value for option max-filesize too high, resetting to 4G
> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 6303545
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: .99 MB (ratio 0.00:1)
> Time: 10.255 sec (0 m 10 s)
> ___

Paul,

Summary states it did scan the iso. Why do you think it didn't?

Kristen

[clamav-users] ClamAV can't scan DVD-size ISO files
Clamscan read the entire ISO, but didn't scan any of it!
I thought 21st century software was finally in the 64-bit era.

---

~/Downloads/Linux/Knoppix> ls -l KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
-rw-r--r-- 1 ime users 4660914176 Sep 12 19:40 KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso

~/Downloads/Linux/Knoppix> clamscan --max-filesize=M KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
WARNING: Numerical value for option max-filesize too high, resetting to 4G
KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso: OK

--- SCAN SUMMARY ---
Known viruses: 6303545
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: .99 MB (ratio 0.00:1)
Time: 10.255 sec (0 m 10 s)