ClamAv Module question

Rick Cooper rcooper at DWFORD.COM
Sun Jun 27 17:26:01 IST 2004


I have noticed that the ClamAVModule code has never been updated to use the
password-protected and OLE code. If the line

$results = $Clam->scan("$dirname/$childname/$filename",
Mail::ClamAV::CL_ARCHIVE());

is changed to

$results = $Clam->scan("$dirname/$childname/$filename",
Mail::ClamAV::CL_ARCHIVE()|Mail::ClamAV::CL_ENCRYPTED()|Mail::ClamAV::CL_OLE2());

It will use both. However, if a password-protected archive is found it is
returned as an infection. Of course it's not as simple as just changing the
line, because there would have to be a check as to whether the system is
disallowing encrypted archives or not.

I think it's something to think about, as the current code will first give a
RAR error and then an OK, so an encrypted RAR containing a virus will come
through right past the ClamAV code (unless of course there is a signature
for the particular RAR file).

Password-protected RAR test with the standard code, containing eicar.com:

Jun 27 11:11:08 srv2 MailScanner[12887]: /var/spool/mailscanner/incoming/12887/1BecFD-0003Lx-4N/eicarprot.rar->eicar.com  Not scanned (encrypted)
Jun 27 11:11:09 srv2 MailScanner[12887]: ClamAVModule::ERROR:: RAR module failure:: ./1BecFD-0003Lx-4N/eicarprot.rar
Jun 27 11:11:09 srv2 MailScanner[12887]: Virus Scanning: ClamAV Module found 1 infections
Jun 27 11:11:09 srv2 MailScanner[12887]: Virus Scanning: Found 1 viruses
Jun 27 11:11:09 srv2 MailScanner[12887]: Uninfected: Delivered 1 messages   <-- NOTE THIS
=========================================================================
With the change above, same file:

Jun 27 11:14:06 srv2 MailScanner[12986]: /var/spool/mailscanner/incoming/12986/1BecI4-0003NV-KJ/eicarprot.rar->eicar.com  Not scanned (encrypted)
Jun 27 11:14:07 srv2 MailScanner[12986]: ClamAVModule::INFECTED:: Encrypted.RAR:: ./1BecI4-0003NV-KJ/eicarprot.rar
Jun 27 11:14:07 srv2 MailScanner[12986]: Virus Scanning: ClamAV Module found 1 infections
Jun 27 11:14:07 srv2 MailScanner[12986]: Infected message 1BecI4-0003NV-KJ came from 192.168.1.203
Jun 27 11:14:07 srv2 MailScanner[12986]: Virus Scanning: Found 1 viruses
Jun 27 11:14:07 srv2 MailScanner[12986]: Silent: Delivered 1 messages containing silent viruses
Jun 27 11:14:07 srv2 MailScanner[12986]: Notices: Warned about 1 messages   <-- NOW THIS
==========================================================================

Or the same file with the standard ClamAVModule code and my UnPackRar patch:

Jun 27 11:16:26 srv2 MailScanner[13226]: Password-protected archive (eicarprot.rar) in 1BecKM-0003RQ-9c
Jun 27 11:16:26 srv2 MailScanner[13226]: Virus and Content Scanning: Starting
Jun 27 11:16:26 srv2 MailScanner[13226]: /var/spool/mailscanner/incoming/13226/1BecKM-0003RQ-9c/eicarprot.rar->eicar.com  Not scanned (encrypted)
Jun 27 11:16:27 srv2 MailScanner[13226]: ClamAVModule::ERROR:: RAR module failure:: ./1BecKM-0003RQ-9c/eicarprot.rar
Jun 27 11:16:27 srv2 MailScanner[13226]: Virus Scanning: ClamAV Module found 1 infections
Jun 27 11:16:27 srv2 MailScanner[13226]: Virus Scanning: Found 1 viruses
Jun 27 11:16:27 srv2 MailScanner[13226]: Silent: Delivered 1 messages containing silent viruses
Jun 27 11:16:27 srv2 MailScanner[13226]: Notices: Warned about 1 messages   <-- AND THIS

Note that with my UnPackRar patch the offending file is correctly identified as a
password-protected archive and not a virus; plus it allows for filename
checks the same as the UnpackZip function. I would think one or the other
should be implemented. Of course you could just block all RAR files, but
there are people who actually use RAR legitimately.

Julian, if you are interested in the UnpackRar patch and no longer have it I
can rebuild it and post it again.


 Rick Cooper
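As an added example (not code from the post, from MailScanner or from ClamAV), here is a small Python checker that reads the three log excerpts above and flags the fail-open case the post describes: a message in which an archive member was "Not scanned (encrypted)" but the batch was still delivered as "Uninfected", as opposed to the two runs where the archive was reported by ClamAV as Encrypted.RAR or refused by the UnPackRar patch. The log lines are the ones quoted in the post with the mail-wrapped lines rejoined; the category names, the regexes and the assumption that each MailScanner child pid handled exactly one message (true of these excerpts, not of MailScanner in general, which processes batches) are mine, not MailScanner's.

```python
import re

# Constructed sample input: the three MailScanner log excerpts quoted in the post,
# with the lines that the mail client wrapped joined back together.
SAMPLE_LOG = """\
Jun 27 11:11:08 srv2 MailScanner[12887]: /var/spool/mailscanner/incoming/12887/1BecFD-0003Lx-4N/eicarprot.rar->eicar.com  Not scanned (encrypted)
Jun 27 11:11:09 srv2 MailScanner[12887]: ClamAVModule::ERROR:: RAR module failure:: ./1BecFD-0003Lx-4N/eicarprot.rar
Jun 27 11:11:09 srv2 MailScanner[12887]: Virus Scanning: ClamAV Module found 1 infections
Jun 27 11:11:09 srv2 MailScanner[12887]: Virus Scanning: Found 1 viruses
Jun 27 11:11:09 srv2 MailScanner[12887]: Uninfected: Delivered 1 messages
Jun 27 11:14:06 srv2 MailScanner[12986]: /var/spool/mailscanner/incoming/12986/1BecI4-0003NV-KJ/eicarprot.rar->eicar.com  Not scanned (encrypted)
Jun 27 11:14:07 srv2 MailScanner[12986]: ClamAVModule::INFECTED:: Encrypted.RAR:: ./1BecI4-0003NV-KJ/eicarprot.rar
Jun 27 11:14:07 srv2 MailScanner[12986]: Virus Scanning: ClamAV Module found 1 infections
Jun 27 11:14:07 srv2 MailScanner[12986]: Infected message 1BecI4-0003NV-KJ came from 192.168.1.203
Jun 27 11:14:07 srv2 MailScanner[12986]: Virus Scanning: Found 1 viruses
Jun 27 11:14:07 srv2 MailScanner[12986]: Silent: Delivered 1 messages containing silent viruses
Jun 27 11:14:07 srv2 MailScanner[12986]: Notices: Warned about 1 messages
Jun 27 11:16:26 srv2 MailScanner[13226]: Password-protected archive (eicarprot.rar) in 1BecKM-0003RQ-9c
Jun 27 11:16:26 srv2 MailScanner[13226]: Virus and Content Scanning: Starting
Jun 27 11:16:26 srv2 MailScanner[13226]: /var/spool/mailscanner/incoming/13226/1BecKM-0003RQ-9c/eicarprot.rar->eicar.com  Not scanned (encrypted)
Jun 27 11:16:27 srv2 MailScanner[13226]: ClamAVModule::ERROR:: RAR module failure:: ./1BecKM-0003RQ-9c/eicarprot.rar
Jun 27 11:16:27 srv2 MailScanner[13226]: Virus Scanning: ClamAV Module found 1 infections
Jun 27 11:16:27 srv2 MailScanner[13226]: Virus Scanning: Found 1 viruses
Jun 27 11:16:27 srv2 MailScanner[13226]: Silent: Delivered 1 messages containing silent viruses
Jun 27 11:16:27 srv2 MailScanner[13226]: Notices: Warned about 1 messages
"""

# syslog prefix: "Mon DD HH:MM:SS host MailScanner[pid]: message"
SYSLOG_RE = re.compile(r'^\w{3} +\d+ [\d:]+ \S+ MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# ".../incoming/<pid>/<msgid>/<archive>-><member>  Not scanned (encrypted)": a member the unpacker skipped
ENCRYPTED_RE = re.compile(r'/incoming/\d+/(?P<msgid>[^/]+)/(?P<member>\S+)\s+Not scanned \(encrypted\)')
# ClamAVModule verdict: ERROR (scan failed) or INFECTED (signature name in <detail>)
CLAM_RE = re.compile(r'ClamAVModule::(?P<kind>ERROR|INFECTED):: (?P<detail>.*?):: \./(?P<msgid>[^/]+)/(?P<file>\S+)')
# line logged by the UnPackRar patch when it refuses a password-protected archive
PWPROT_RE = re.compile(r'Password-protected archive \((?P<file>[^)]+)\) in (?P<msgid>\S+)')
# final disposition of the batch: "Uninfected: Delivered ...", "Silent: Delivered ...", ...
DELIVERED_RE = re.compile(r'^(?P<outcome>\w+): Delivered \d+ messages')


def parse_mailscanner_log(text):
    """Group lines by MailScanner child pid and pull out the events that matter.

    Assumption (holds for the excerpts above, not for MailScanner in general):
    each child pid handled exactly one message, so pid identifies the message.
    """
    batches = {}
    for raw in text.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m:
            continue  # not a MailScanner line; ignore
        pid, msg = m.group('pid'), m.group('msg')
        rec = batches.setdefault(pid, {
            'pid': pid, 'msgid': None, 'unscanned_encrypted': [],
            'clamav': None, 'password_protected': [], 'outcome': None,
        })
        e, c, p, d = (ENCRYPTED_RE.search(msg), CLAM_RE.search(msg),
                      PWPROT_RE.search(msg), DELIVERED_RE.match(msg))
        if e:
            rec['msgid'] = e.group('msgid')
            rec['unscanned_encrypted'].append(e.group('member'))
        elif c:
            rec['msgid'] = c.group('msgid')
            rec['clamav'] = (c.group('kind'), c.group('detail'), c.group('file'))
        elif p:
            rec['msgid'] = p.group('msgid')
            rec['password_protected'].append(p.group('file'))
        elif d:
            rec['outcome'] = d.group('outcome')
    return batches


def classify(rec):
    """Label one batch by how its encrypted archive was handled (labels are mine).

    'fail-open'           : a member was skipped as encrypted, yet the batch went
                            out as 'Uninfected' (the gap the post points at)
    'flagged-by-unpacker' : the UnPackRar patch named the archive as password-protected
    'reported-by-scanner' : ClamAV (CL_ENCRYPTED set) reported the archive as infected
    'unscanned'           : encrypted content seen, outcome not 'Uninfected', no other signal
    'clean'               : nothing encrypted was seen at all
    """
    if rec['unscanned_encrypted'] and rec['outcome'] == 'Uninfected':
        return 'fail-open'
    if rec['password_protected']:
        return 'flagged-by-unpacker'
    if rec['clamav'] and rec['clamav'][0] == 'INFECTED':
        return 'reported-by-scanner'
    return 'unscanned' if rec['unscanned_encrypted'] else 'clean'


def fail_open_messages(text):
    """Message ids delivered as uninfected although an encrypted member was never scanned."""
    return [rec['msgid'] for rec in parse_mailscanner_log(text).values()
            if classify(rec) == 'fail-open']


if __name__ == '__main__':
    for pid, rec in parse_mailscanner_log(SAMPLE_LOG).items():
        print(pid, rec['msgid'], rec['clamav'], rec['outcome'], '->', classify(rec))
    print('fail-open:', fail_open_messages(SAMPLE_LOG))
```

Run against the three excerpts it reports only the first batch (standard code, no CL_ENCRYPTED, no UnPackRar patch) as fail-open, which is the case the "<-- NOTE THIS" marker points at; the "found 1 infections" count on the ERROR line is a red herring, since the delivery line is what shows where the mail actually went.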

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html