clamav and RAR..(update and feature request)

Rick Cooper rcooper at DWFORD.COM
Mon Mar 7 14:02:45 GMT 2005


> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Steen, Glenn
> Sent: Monday, March 07, 2005 8:01 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: clamav and RAR..(update and feature request)
>
>
> > -----Original Message-----
> > From: MailScanner mailing list
> > [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Martin Hepworth
> > Sent: den 7 mars 2005 10:29
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: clamav and RAR..(update and feature request)
> >
> (snip)
> > I caught two RAR viruses over the w/end, Sophos also picked
> > them up. But
> (snip)
> > Report: ClamAV: 075466.rar contains Worm.Bagle.BA-RAR
> >          SophosSAVI: 075466.rar was infected by Troj/BagleDl-M
> Isn't that just a ClamAV signature for the entire RAR file?
> We saw a few more than 2, the first couple or so found by mcafee and
> bitdefender, and after a while by that exact clam sig.
>
> I don't use any version 3 capable unrar, except what bdc and uvscan
> might be able to do (If any slip through, the second level filename
> checks get them... And those were quiet:).
>
> -- Glenn (who will need to look into using the new unrar features:)
>

I use f-prot, clamavmodule and bdc. We received 11 of these before any of
those vendors were catching them, but I happened to get a notice from another
list and added a check for ^[0-9]{6,}\.exe in my Archived FileName Rules
file(s) and they were picked up. However, without the UnPackRar function your
file name checks would have been quiet because MS would not have been able
to unpack the file to do the tests, unless you just block all .rar files.

Rick
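The point Rick makes above is that a filename rule such as ^[0-9]{6,}\.exe only helps if the scanner can list the members inside the archive; when the container cannot be unpacked, only the outer name (075466.rar) is ever tested, and no rule fires. The script below is an added illustration of that, not code from MailScanner or from anyone in the thread. It applies a small constructed deny/allow rule list (modelled loosely on the deny/allow lines of a MailScanner filename rules file, with first-match-wins and case-insensitive matching as assumptions) to an attachment and, where the container can be opened, to its members. Only ZIP is unpacked here because the Python standard library has no RAR support, which conveniently reproduces the "no unrar available" case: the RAR sample is a constructed header with no real content.

```python
import io
import re
import zipfile

# Constructed rule set: (action, pattern, log text). Loosely modelled on the
# deny/allow lines of a MailScanner filename rules file; not the project's own file.
# The first pattern is the one quoted in the thread, used verbatim.
FILENAME_RULES = [
    ("deny", r"^[0-9]{6,}\.exe", "filename is a long run of digits plus .exe"),
    ("deny", r"\.(exe|scr|pif)$", "Windows executable extension"),
    ("allow", r".*", "default allow"),
]

# Assumption for this example: case-insensitive matching, first matching rule wins.
COMPILED_RULES = [(action, re.compile(pattern, re.IGNORECASE), text)
                  for action, pattern, text in FILENAME_RULES]


def check_filename(name):
    """Return (action, log_text) for the first rule whose regex matches name."""
    for action, regex, text in COMPILED_RULES:
        if regex.search(name):
            return action, text
    return "allow", "no rule matched"


def archive_member_names(data):
    """Return the file names inside the container, or None if it cannot be unpacked.

    Only ZIP is handled (stdlib). Anything else, a RAR included, lands in the
    'cannot unpack' branch, which is the situation described in the thread.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist() if not info.is_dir()]
    except zipfile.BadZipFile:
        return None


def scan_attachment(outer_name, data):
    """Apply the filename rules to the attachment name and, if the container
    can be opened, to every member name. Returns [(checked_name, action, log_text)]."""
    results = [(outer_name,) + check_filename(outer_name)]
    members = archive_member_names(data)
    if members is None:
        # Opaque container: the inner names are never seen, so inner-name rules stay quiet.
        return results
    for member in members:
        results.append((member,) + check_filename(member))
    return results


def verdict(results):
    """Overall decision: any deny wins."""
    return "deny" if any(action == "deny" for _, action, _ in results) else "allow"


def build_zip(member_name, payload=b"not a real program"):
    """Build a small in-memory ZIP holding one harmless member (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed sample: RAR magic bytes followed by padding, deliberately not a real archive.
OPAQUE_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * 32


if __name__ == "__main__":
    samples = [("075466.zip", build_zip("075466.exe")), ("075466.rar", OPAQUE_RAR)]
    for name, data in samples:
        results = scan_attachment(name, data)
        print(f"{name} -> {verdict(results)}")
        for checked, action, text in results:
            print(f"    {checked}: {action} ({text})")
```

Run as-is, the ZIP sample is denied because the member name 075466.exe matches the digits-plus-.exe rule, while the RAR sample is allowed even though it would carry the same member name, because no rule matches the outer name and the contents are never listed. Adding a RAR unpacker (or, as Rick says, denying .rar outright) is what closes that gap.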


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
