ClamAv and --unrar=
Julian Field
MailScanner at ecs.soton.ac.uk
Tue Mar 22 17:48:14 GMT 2005
Thanks for that.
There is some good news for MailScanner users, however.
Though clamscan will not call the external unrar while scanning for
viruses, MailScanner does still call it (for all filenames) if the file
looks like either a rar file or a self-extracting one. This enables the
filename and filetype content checks to still be done properly, despite
the fact that clamscan itself won't tag any viruses in it.
Rick Cooper wrote:
>I was just following a thread on the clamav users list and found something
>that should be noted by anyone using the command line version of clamav
>scanner in MailScanner.
>
>Someone noted that clamscan does not call the external unrar command, even
>when defined, when the file extension being scanned is not .rar. I checked
>the code in manager.c and they specifically do NOT call the external command
>unless the following conditions are met (in listed order):
>
> 1. The internal unrar code fails
> 2. The file extension is .rar
>
>That means the version two code is called first (and that is noted in the
>docs), but unless the file extension is .rar the external code is never
>used... that includes self-extracting .exe files. I tested this and it is,
>in fact, how clamscan operates. I can take a .rar file and rename it to .txt
>and call clamscan directly on file.txt with the --unrar= switch and the
>internal code fails with the standard RAR MODULE FAILURE and the external is
>not called unless I rename it back to file.rar. The ClamAVModule code does
>not suffer from this extremely short-sighted code.
>
>I thought I would mention this to the list because obviously self-extracting
>rar files are never checked (unless created as a 2.0 version... not likely)
>and any malicious individual who wanted to get something past the clamav
>unpacker could simply change the extension or package it as a
>self-extracting archive within another .rar or .zip file.
>
>Just a note.
>
> Rick
>
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.
>
>------------------------ MailScanner list ------------------------
>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!
>
>
>
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
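
Added example (not part of the original messages, and not MailScanner or ClamAV code): a Python comparison of the extension-gated decision reported in the quoted message with a content-based check of the kind described in the reply. The function names, the 1 MiB search limit, the case-insensitive extension match and the sample bytes are assumptions made for illustration.

```python
import os

# RAR marker blocks: the 1.5-4.x format, and the later RAR 5 format.
RAR_MARKERS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
SFX_SEARCH_LIMIT = 1024 * 1024  # assumption: marker lies within the first 1 MiB


def classify_rar(data: bytes):
    """Return 'rar', 'sfx-rar' or None, judged on content only."""
    if data.startswith(RAR_MARKERS):
        return "rar"
    # Self-extracting archive: executable stub ('MZ') with a RAR marker after it.
    if data.startswith(b"MZ"):
        head = data[:SFX_SEARCH_LIMIT]
        if any(marker in head for marker in RAR_MARKERS):
            return "sfx-rar"
    return None


def extension_gated(filename: str, internal_unrar_ok: bool) -> bool:
    """Model of the behaviour reported in the thread: the external unrar runs
    only if the internal code failed AND the name ends in .rar.
    Case-insensitive matching is an assumption of this model."""
    ext = os.path.splitext(filename)[1].lower()
    return (not internal_unrar_ok) and ext == ".rar"


def content_gated(filename: str, data: bytes) -> bool:
    """Content-based gate: the filename plays no part in the decision."""
    return classify_rar(data) is not None


def compare(samples):
    """Return (name, kind, extension_gate, content_gate) per sample,
    assuming the internal unrar code failed on every one."""
    return [(name, classify_rar(data),
             extension_gated(name, internal_unrar_ok=False),
             content_gated(name, data))
            for name, data in samples]


# Constructed sample inputs: marker bytes plus padding, not real archives.
_RAR = RAR_MARKERS[0] + b"\x00" * 32
SAMPLES = [
    ("file.rar", _RAR),
    ("file.txt", _RAR),                          # same bytes, renamed
    ("setup.exe", b"MZ" + b"\x00" * 64 + _RAR),  # stub followed by archive
    ("notes.txt", b"plain text, no archive here"),
]
```

Calling compare(SAMPLES) shows the two gates agreeing only on file.rar and notes.txt; the renamed and self-extracting samples reach the external unpacker only through the content-based gate.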