dealing with zips with corrupted headers
Ulysees
Ulysees at ULYSEES.COM
Wed Nov 5 10:41:32 GMT 2003
Is it just me, or does the latest version of Sophos not see it either?
Uly
> Hi everyone,
>
> No sooner do we (well...Julian) come out with a workaround for the extra status
> line that ClamAV was spitting out than another virus is using similar zip-header
> trickery to sneak through our scanners.
>
> Worm.Mimail.G arrives in a zip file called "readnow.zip" that strangely gets a
> simple "OK" from clamscan, and the virus goes right through. After some
> experimenting, I've figured out that the virus will happily unzip with the
> console unzip tool, but complains with the following message:
>
> # unzip readnow.zip
> Archive: readnow.zip
> warning [readnow.zip]: 3 extra bytes at beginning or within zipfile
> (attempting to process anyway)
> file #1: bad zipfile offset (local header sig): 3
> (attempting to re-compensate)
> extracting: readnow.doc.scr
>
> After reading the man page for clamscan, I came across an option that disables
> clamscan's internal archive tools. When I typed "clamscan --disable-archive
> readnow.zip" I got the expected response of "readnow.zip: Worm.Mimail.G
> FOUND".
>
> Is there a disadvantage to editing "/usr/lib/MailScanner/clamav-wrapper" and
> removing the "--unzip" option and replacing it with "--disable-archive"? Am I
> on the right track?
>
> Thanks,
> Chris
> --
> Chris Yuzik
> chris at fractalweb.com
> 604-304-0444
>
> "Reality is that which, when you stop believing in it, doesn't go
> away".
> -- Philip K. Dick
>
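A defender-side check for the condition Chris describes above (unzip's "3 extra bytes at beginning or within zipfile" warning), added here as an example; it is not code from this thread, from ClamAV or from MailScanner. It parses the end-of-central-directory record and the central directory by hand, measures how far the offsets recorded in the archive are from where the structures really sit, and shows that Python's `zipfile`, like console unzip, re-compensates and extracts anyway. A gateway can use the first result to refuse a bare "OK" for an archive whose offsets do not add up. The archive is constructed in memory with harmless text; the member name and all function names are my own.

```python
import io
import struct
import zipfile

# Zip structure signatures (PKWARE APPNOTE layout).
EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CD_SIG = b"PK\x01\x02"     # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header


def build_sample_zip(prefix: bytes = b"") -> bytes:
    """Constructed sample (hypothetical member name): a one-member zip holding
    harmless text. `prefix` is prepended to the finished archive so that the
    offsets recorded in the central directory no longer match reality."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.txt", "harmless sample content\n")
    return prefix + buf.getvalue()


def _lfh_at(data: bytes, offset: int) -> bool:
    """True if a local file header signature sits at `offset` (never negative)."""
    return offset >= 0 and data[offset:offset + 4] == LFH_SIG


def find_offset_skew(data: bytes) -> dict:
    """Walk the EOCD record and the central directory by hand and report how far
    the recorded offsets are from where the structures actually sit. A non-zero
    skew is the "extra bytes at beginning" condition that a literal-minded
    archive parser cannot follow."""
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0 or len(data) - eocd_pos < 22:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk, cd_disk, entries_on_disk, entries, cd_size, cd_offset, comment_len
    _, _, _, _, n_entries, cd_size, cd_offset, _ = struct.unpack(
        "<4sHHHHIIH", data[eocd_pos:eocd_pos + 22])
    actual_cd = eocd_pos - cd_size      # where the central directory really is
    skew = actual_cd - cd_offset        # recorded offset + skew == real offset
    if data[actual_cd:actual_cd + 4] != CD_SIG:
        raise ValueError("central directory not found where the EOCD implies")

    members = []
    pos = actual_cd
    for _ in range(n_entries):
        # Central directory header: 46 fixed bytes, then name / extra / comment
        fields = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        if fields[0] != CD_SIG:
            raise ValueError("truncated or corrupt central directory")
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        lfh_offset = fields[16]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        members.append({
            "name": name,
            "recorded_offset": lfh_offset,
            "recorded_offset_valid": _lfh_at(data, lfh_offset),
            "real_offset_valid": _lfh_at(data, lfh_offset + skew),
        })
        pos += 46 + name_len + extra_len + comment_len

    return {
        "leading_bytes": skew,
        "members": members,
        "offsets_consistent": skew == 0
        and all(m["recorded_offset_valid"] for m in members),
    }


def stdlib_extracts(data: bytes) -> bool:
    """Does Python's zipfile (which, like console unzip, re-compensates for
    leading junk) still read every member? If it does while the offsets are
    skewed, a scanner that trusts the recorded offsets is looking at something
    other than what the recipient's unzip tool will extract."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                zf.read(info)
        return True
    except (zipfile.BadZipFile, OSError):
        return False


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_zip()),
                        ("3 junk bytes", build_sample_zip(b"XYZ"))):
        report = find_offset_skew(blob)
        print(label, "skew:", report["leading_bytes"],
              "consistent:", report["offsets_consistent"],
              "stdlib extracts:", stdlib_extracts(blob))
```

The useful signal for a mail gateway is the gap between the two functions: when `find_offset_skew` reports a non-zero `leading_bytes` but `stdlib_extracts` still succeeds, the recipient will get the member content even though a scanner that walked the archive from the recorded offsets would have seen nothing to scan. Treating that combination as "unscannable" rather than "clean" is the safe default, which is what handing the whole file to the scanner without the built-in unzip step achieves in the thread above.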