Re: [clamav-users] A better zip bomb

2019-11-09 Thread G.W. Haywood via clamav-users

Hi there,

On Fri, 8 Nov 2019, Markus Kolb via clamav-users wrote:

On 08.11.2019 11:58, G.W. Haywood via clamav-users wrote:
> On Fri, 8 Nov 2019, Arnaud Jacques wrote:
> ...Brent wrote:
[...]
> > clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
> > /var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND
> 
> It seems that there might be room for improvement in Brent's client's
> ClamAV configuration, perhaps we should be trying to understand why it
> is in this state.  It should be a deliberate choice to disable a test
> for excessive resource usage, not an accident.

The alerting on exceed is disabled by default.


Ah, good point.  I'd forgotten that long ago I'd set 'AlertExceedsMax' to
'yes' in the base configuration that I usually use as a starting point.

Maybe that should default to 'yes', perhaps with higher values for some of
the limits if that's an issue?  I must say that I don't recall any problems
with the default values for archive limits in many years of using ClamAV.
There was one contract draughtsman who for some time insisted on sending
30-megabyte emails to the QA manager at his client, but it was a Sendmail
limit which rejected the messages, not ClamAV.  In the end they stopped using him. :/

--

73,
Ged.

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] A better zip bomb

2019-11-09 Thread Markus Kolb via clamav-users

On 08.11.2019 11:58, G.W. Haywood via clamav-users wrote:

Hi there,

On Fri, 8 Nov 2019, Arnaud Jacques wrote:
...Brent wrote:


[...]

clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
/var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND


It seems that there might be room for improvement in Brent's client's
ClamAV configuration, perhaps we should be trying to understand why it
is in this state.  It should be a deliberate choice to disable a test
for excessive resource usage, not an accident.


The alerting on exceed is disabled by default.
So you have to set the config option.
I think it is disabled because the default limits on file-sizes,
archive-sizes and so on are a bit low.
So without adapting all this to your needs you will most likely see
false-positive exceed warnings.
Maybe there should be options to enable/disable the different exceed
types separately.

Markus
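As an added example (not code from the thread or from ClamAV): a small Python pre-filter that does what ClamAV's limits heuristic does for the archives discussed above, reading only the zip central directory and flagging an archive whose declared uncompressed total or per-entry compression ratio is out of bounds, without inflating anything. The thresholds and the two sample archives are constructed here for illustration; ClamAV's real limits are the MaxScanSize / MaxFileSize / MaxRecursion options together with AlertExceedsMax.

```python
import io
import zipfile

# Thresholds are assumptions chosen for this example, not ClamAV's defaults.
MAX_TOTAL_BYTES = 25 * 1024 * 1024   # reject above 25 MiB declared total
MAX_RATIO = 100.0                    # declared uncompressed / compressed


def inspect_zip(data: bytes, max_total=MAX_TOTAL_BYTES, max_ratio=MAX_RATIO):
    """Inspect only the central directory of a zip held in memory.

    Returns the declared totals, the overall ratio and the reasons the
    archive would be rejected. Nothing is decompressed, so a bomb costs
    only the cost of reading its headers.
    """
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        total_uncompressed = sum(i.file_size for i in entries)
        total_compressed = sum(i.compress_size for i in entries)
        # Overlapping-entry bombs reuse the same compressed bytes for many
        # entries, so the sum of compress_size can exceed the archive length.
        ratio = total_uncompressed / max(total_compressed, 1)
        for i in entries:
            entry_ratio = i.file_size / max(i.compress_size, 1)
            if entry_ratio > max_ratio:
                reasons.append(f"{i.filename}: ratio {entry_ratio:.0f}:1")
        if total_uncompressed > max_total:
            reasons.append(f"declared total {total_uncompressed} > {max_total}")
    return {"files": len(entries), "uncompressed": total_uncompressed,
            "compressed": total_compressed, "ratio": ratio,
            "exceeds_limits": bool(reasons), "reasons": reasons}


def make_sample(payload: bytes, name="f.bin") -> bytes:
    """Constructed sample: a one-entry deflated zip, not a file from the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# 32 MiB of zeros deflates to roughly 32 KiB (about 1000:1), like a bomb;
# a short, non-repetitive text file barely compresses at all.
BOMB_LIKE = make_sample(b"\0" * (32 * 1024 * 1024))
NORMAL = make_sample(b"Quarterly report: revenue up 3%, costs flat.\n", "report.txt")

if __name__ == "__main__":
    for label, blob in (("bomb-like", BOMB_LIKE), ("normal", NORMAL)):
        r = inspect_zip(blob)
        verdict = "Heuristics.Limits.Exceeded" if r["exceeds_limits"] else "OK"
        print(f"{label}: {verdict} ratio {r['ratio']:.0f}:1 {r['reasons']}")
```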



Re: [clamav-users] A better zip bomb

2019-11-08 Thread G.W. Haywood via clamav-users

Hi there,

On Fri, 8 Nov 2019, Arnaud Jacques wrote:
...Brent wrote:


https://www.bamsoftware.com/hacks/zipbomb/

Here you can see I scanned the zip file that's made available from the
above site. As you can see, clamav (in conjunction with Sanesecurity),
the file passed.


vagrant@stretch:~/src$ clamscan zbsm.zip
zbsm.zip: OK


No need for 3rd party signatures, official ClamAV seems to work fine with
these files:


clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
/var/tmp/tmp/zblg.zip: Heuristics.Limits.Exceeded FOUND
/var/tmp/tmp/zbsm.zip: Heuristics.Limits.Exceeded FOUND
/var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND


It seems that there might be room for improvement in Brent's client's
ClamAV configuration, perhaps we should be trying to understand why it
is in this state.  It should be a deliberate choice to disable a test
for excessive resource usage, not an accident.

--

73,
Ged.



Re: [clamav-users] A better zip bomb

2019-11-08 Thread Brent Clark via clamav-users

Good day Arnaud

Thanks so much for this.

Really appreciate the fast reply and help.

Regards
Brent Clark

On 2019/11/08 10:23, Arnaud Jacques wrote:

Hello Brent,



https://www.bamsoftware.com/hacks/zipbomb/

I took the liberty of spinning up a vagrant instance to find out for 
myself.


Here you can see I scanned the zip file that's made available from the
above site. As you can see, clamav (in conjunction with Sanesecurity),
the file passed.


vagrant@stretch:~/src$ clamscan zbsm.zip
zbsm.zip: OK

--- SCAN SUMMARY ---
Known viruses: 8944025
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 63.13 MB
Data read: 0.04 MB (ratio 1616.20:1)
Time: 196.787 sec (3 m 16 s)



No need for 3rd party signatures, official ClamAV seems to work fine with
these files:


clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
/var/tmp/tmp/zblg.zip: Heuristics.Limits.Exceeded FOUND
/var/tmp/tmp/zbsm.zip: Heuristics.Limits.Exceeded FOUND
/var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND

--- SCAN SUMMARY ---
Known viruses: 8748540
Engine version: 0.101.4
Scanned directories: 1
Scanned files: 3
Infected files: 3
Data scanned: 169.38 MB
Data read: 53.22 MB (ratio 3.18:1)
Time: 396.918 sec (6 m 36 s)






Re: [clamav-users] A better zip bomb

2019-11-08 Thread Arnaud Jacques

Hello Brent,



https://www.bamsoftware.com/hacks/zipbomb/

I took the liberty of spinning up a vagrant instance to find out for 
myself.


Here you can see I scanned the zip file that's made available from the
above site. As you can see, clamav (in conjunction with Sanesecurity),
the file passed.


vagrant@stretch:~/src$ clamscan zbsm.zip
zbsm.zip: OK

--- SCAN SUMMARY ---
Known viruses: 8944025
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 63.13 MB
Data read: 0.04 MB (ratio 1616.20:1)
Time: 196.787 sec (3 m 16 s)



No need for 3rd party signatures, official ClamAV seems to work fine with
these files:


clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
/var/tmp/tmp/zblg.zip: Heuristics.Limits.Exceeded FOUND
/var/tmp/tmp/zbsm.zip: Heuristics.Limits.Exceeded FOUND
/var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND

--- SCAN SUMMARY ---
Known viruses: 8748540
Engine version: 0.101.4
Scanned directories: 1
Scanned files: 3
Infected files: 3
Data scanned: 169.38 MB
Data read: 53.22 MB (ratio 3.18:1)
Time: 396.918 sec (6 m 36 s)


--
Cordialement / Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Telephone : +33-(0)3.44.39.76.46
E-mail : a...@securiteinfo.com
Website : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois
