ClamAv and --unrar=

Rick Cooper rcooper at DWFORD.COM
Tue Mar 22 17:17:29 GMT 2005



I was just following a thread on the clamav users list and found something
that should be noted by anyone using the command line version of clamav
scanner in MailScanner.

Someone noted that clamscan does not call the external unrar command, even
when defined, when the file extension being scanned is not .rar. I checked
the code in manager.c and they specifically do NOT call the external command
unless the following conditions are met (in listed order):

        1. The internal unrar code fails
        2. The file extension is .rar

That means the version two code is called first (and that is noted in the
docs), but unless the file extension is .rar the external code is never
used... that includes self-extracting .exe files. I tested this and it is,
in fact, how clamscan operates. I can take a .rar file and rename it to .txt
and call clamscan directly on file.txt with the --unrar= switch and the
internal code fails with the standard RAR MODULE FAILURE and the external is
not called unless I rename it back to file.rar. The ClamAVModule code does
not suffer from this extremely short-sighted code.

I thought I would mention this to the list because obviously self-extracting
rar files are never checked (unless created as a 2.0 version... not likely)
and any malicious individual who wanted to get something past the clamav
unpacker could simply change the extension or package it as a self-
extracting archive within another .rar or .zip file.

Just a note.

 Rick
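An added example, not part of Rick's post and not ClamAV's or MailScanner's own code: a small POSIX shell script that contrasts the extension-only dispatch the post describes with a check on the RAR signature bytes, which also finds the archive embedded after the stub of a self-extracting .exe. The marker bytes it assumes are "Rar!" 0x1A 0x07 (the prefix shared by RAR 1.5-4.x and RAR5 archive headers); the sample files are constructed filler, not real archives.

```shell
#!/bin/sh
# Added example (not from the original post or from ClamAV): decide whether a
# file is a RAR archive by content rather than by file extension.
# Assumption: a RAR archive begins with the marker bytes "Rar!" 0x1A 0x07
# (followed by 0x00 for RAR 1.5-4.x, 0x01 0x00 for RAR5); we match the
# common prefix, so both generations are caught.

# Extension-only check: the condition the post says clamscan keys on before
# it will hand a file to the external unrar.
rar_by_extension() {
    case "$1" in
        *.rar|*.RAR) return 0 ;;
        *) return 1 ;;
    esac
}

# Content check. Searching the whole file (not just offset 0) means a
# self-extracting .exe, where the archive follows the SFX stub, is also
# recognised. grep -a treats the binary as text; -F matches literal bytes.
rar_by_magic() {
    marker=$(printf 'Rar!\032\007')
    grep -aqF "$marker" "$1"
}

# Constructed sample inputs (filler, not real archives or malware):
#   renamed.txt      - RAR marker at offset 0, saved under a .txt name
#   selfextract.exe  - fake stub bytes, then the RAR marker
#   plain.txt        - no marker at all
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
printf 'Rar!\032\007\000filler data'            > "$tmpdir/renamed.txt"
printf 'MZ fake stub bytes Rar!\032\007\000more' > "$tmpdir/selfextract.exe"
printf 'just text'                                > "$tmpdir/plain.txt"

for f in renamed.txt selfextract.exe plain.txt; do
    if rar_by_extension "$f"; then ext=yes; else ext=no; fi
    if rar_by_magic "$tmpdir/$f"; then magic=yes; else magic=no; fi
    printf '%-16s extension says RAR: %-3s  content says RAR: %s\n' \
        "$f" "$ext" "$magic"
done
```

Run as-is; the loop prints one line per sample showing that the extension check misses both the renamed archive and the self-extracting one while the content check catches them. The point is only the dispatch decision: once a file is identified as RAR by content, the scanner can invoke the external unpacker regardless of the name the sender chose.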
