'Re: [clamav-users] ClamXav and Compressed Files'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       clamav-users
Subject:    Re: [clamav-users] ClamXav and Compressed Files
From:       Steven Morgan <smorgan () sourcefire ! com>
Date:       2015-03-30 15:25:58
Message-ID: CAH-jhOAR3mC-WyYKk4He-wyLOgNWwnHKQbOgH_KSyewZQXZ4ww () mail ! gmail ! com
[Download RAW message or body]

Al,

Could you please open a ticket at bugzilla.clamav.net and attach your
EicarTest.dmg and also the command used to create it? We'll take a look at
what's going on.

Thanks,
Steve

On Sat, Mar 28, 2015 at 6:21 PM, Al Varnell <alvarnell@mac.com> wrote:

> I sent this out last night, but it must have been rejected for length or
> something, so I'll remove the lengthy results of the third test and quotes
> to see if that works.
>
> -Al-
> ==============
> I ran some tests after my last posting to answer just this question, but
> results were mixed so I was waiting for an authoritative answer.  Since we
> haven't heard yet, I'll post my results.
>
> First I made my own .dmg with an eicar test file on-board.  Running
> clamscan —debut on the file did not detect any infection nor did it
> identify the file as a DMG:
>
> > LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
> > LibClamAV debug: Recognized binary data
> > LibClamAV debug: cache_check: ff8fdbcdb89e9474452237677b5f09e9 is
> negative
> > LibClamAV debug: in cli_check_mydoom_log()
> > LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> > LibClamAV debug: cli_magic_scandesc: returning 0  at line 2470
> > LibClamAV debug: cache_add: ff8fdbcdb89e9474452237677b5f09e9 (level 0)
> > /Volumes/Macintosh HD/Users/avarnell/Documents/EicarTest.dmg: OK
> > LibClamAV debug: Cleaning up phishcheck
> > LibClamAV debug: Freeing phishcheck struct
> > LibClamAV debug: Phishcheck cleaned up
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 3778735
> > Engine version: 0.98.6
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 0
> > Data scanned: 7.62 MB
> > Data read: 7.55 MB (ratio 1.01:1)
> > Time: 7.553 sec (0 m 7 s)
>
> When I mounted the EicarTest.dmg ClamXav Sentry (real-time process using
> clamd) caught it immediately.
> =======
> Next I scanned download.dmg which was known to contained the FkCodec
> adware.  It detected the hash value as expected and also matched three ZIP
> segments and the DMG container:
>
> > LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
> > LibClamAV debug: Recognized binary data
> > LibClamAV debug: cache_check: b4ece10d1e706b87b065523a654d48a7 is
> negative
> > LibClamAV debug: in cli_check_mydoom_log()
> > LibClamAV debug: Matched signature for file type ZIP-SFX at 376602
> > LibClamAV debug: Matched signature for file type ZIP-SFX at 407295
> > LibClamAV debug: Matched signature for file type ZIP-SFX at 563034
> > LibClamAV debug: Matched signature for file type DMG container file at
> 626691
> > LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> > LibClamAV debug: Adware.OSX found
> > LibClamAV debug: FP SIGNATURE:
> b4ece10d1e706b87b065523a654d48a7:627203:Adware.OSX
> > LibClamAV debug: cli_magic_scandesc: returning 1  at line 2470
> > /Users/avarnell/Desktop/•Download/Malware/FkCodec-A/download.dmg:
> Adware.OSX FOUND
> > LibClamAV debug: Cleaning up phishcheck
> > LibClamAV debug: Freeing phishcheck struct
> > LibClamAV debug: Phishcheck cleaned up
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 3778290
> > Engine version: 0.98.6
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 1
> > Data scanned: 0.60 MB
> > Data read: 0.60 MB (ratio 1.01:1)
> > Time: 7.419 sec (0 m 7 s)
>
> When I mounted the download.dmg Sentry caught Codec-M
> Installer.app/Contents/MacOS/Installer: Osx.Trojan.Fakecodecs-1 immediately.
> =========
> Last I scanned CleanApp 4.0.8 Mac 中文版.dmg which was known to contain the
> Machook or WireLurker malware.  I also knew that an unofficail has
> signature was available only to ClamXav users.  It detects the hash value
> as expected but also was able to decompose 13 segments each with several
> sections.
>
> > results available on request.
>
> When mounting CleanApp 4.0.8 Mac 中文版.dmg Sentry located:
> /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/MacOS/CleanApp:
> OSX.MacHook/WireLurker.UNOFFICIAL FOUND
> /Volumes/CleanApp 4.0.8 Mac
> 中文版/CleanApp.app/Contents/Resources/FontMap1.cfg:
> OSX.MacHook/WireLurker.A.UNOFFICIAL FOUND
> /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/Resources/start.sh:
> OSX.MacHook/WireLurker.UNOFFICIAL FOUND
> ======
> So three somewhat different results for the three .dmg files leads me to
> believe that bursting is possible, but no evidence of being able to detect
> infected files within a .dmg container.
>
> -Al-
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic