ClamAVModule and csv files in zip files

Mick asurfer at iinet.net.au
Thu Apr 12 12:46:17 IST 2007


Denis Beauchemin wrote:
> Mick wrote:
>> Mick wrote:
>>> Scott Silva wrote:
>>>> Mick spake the following on 4/9/2007 3:55 AM:
>>>>  
>>>>> Hello.
>>>>>
>>>>> I am currently running MailScanner which uses the clamavmodule.  The
>>>>> other day, I received 4 emails from ad-noreply at google.com and each of
>>>>> these emails has a (non-password protected) zip file and contained
>>>>> within each zip file was a file called report.csv.  However, MailScanner
>>>>> quarantined them even though clamscan reports that none of the zip files
>>>>> are infected.  Placing ad-no-reply at google.com in
>>>>> /etc/MailScanner/rules/virus-scan.rules results in those zip files as
>>>>> sent from ad-noreply at google.com now passing through unscanned but why
>>>>> were the files quarantined in the first place when clamscan says that
>>>>> they're uninfected?
>>>>>
>>>>> Thanks,
>>>>> Mick.
>>>>>     
>>>> Did it say that they were password protected?
>>>> Clamavmodule can also choke if they are over its stated limit on how
>>>> compressed the file is.
>>>> Look in this area of conf;
>>>>
>>>> # ClamAVModule only: set limits when scanning for viruses.
>>>> #
>>>> # The maximum recursion level of archives,
>>>> # The maximum number of files per batch,
>>>> # The maximum file of each file,
>>>> # The maximum compression ratio of archive.
>>>> # These settings *cannot* be the filename of a ruleset, only a simple number.
>>>> ClamAVmodule Maximum Recursion Level = 10
>>>> ClamAVmodule Maximum Files = 1000
>>>> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
>>>> ClamAVmodule Maximum Compression Ratio = 950
>>>>
>>>>   
>>> Hi Scott.
>>>
>>> Thanks for the reply.
>>>
>>>
>>>> Did it say that they were password protected?
>>>
>>> No. They weren't password protected and they weren't reported by 
>>> clamscan as being protected.
>>>
>>>
>>> I actually work for a Web Hosting company and the control panel we 
>>> use (much to my dismay) is Ensim and the version of MailScanner that 
>>> is installed is the one that gets installed when Ensim is 
>>> installed.  As such, the version of MailScanner that we are 
>>> currently using is 4.31.6-1 (and ClamAV 0.88.7)  and so it does not 
>>> have any of those ClamAVModule directives that you have mentioned 
>>> (I'll be upgrading both within the next week or so).
>>>
>>> Anyway, the compression ratio is approximately 80%, with the archive 
>>> being just a bit smaller than what (Linux) zip 2.3 can do with zip -9.
>>>
>>>
>>> Cheers.
>>>
>> Ok. A bit more info on this.  This is in MailScanner.conf:
>>
>> Maximum Archive Depth = 0
>> Find Archives By Content = no
>> Virus Scanners = clamavmodule
>> Allow Password-Protected Archives = no
>>
>> and seeing as clamscan determined that the zip files contained no 
>> viruses, I was curious to see if clamavmodule detected any viruses in 
>> the zip files.
>> So pinching the code snippet from `perldoc Mail::ClamAV' and replacing
>>
>>
>> my $c = new Mail::ClamAV("/path/to/directory/or/file")
>>
>> with
>>
>> my $c = new Mail::ClamAV("/var/clamav/main.cvd")
>>
>>
>> (and afterwards, trying again replacing main.cvd with daily.cvd),
>>
>>
>> and also replacing
>>
>> my $status = $c->scan(FH, CL_SCAN_ARCHIVE|CL_SCAN_MAIL);
>>
>> with
>>
>> my $status = $c->scan("/tmp/report-csv.zip", 0);
>>
>>
>> upon running the perl script, clamavmodule returns:
>>
>> No virus found!
>>
>>
>> So why is MailScanner detecting them as being viruses and 
>> quarantining them (unless I place the sender's address in 
>> virus-scan.rules as previously described)?
>>
>> Cheers.
>>
> In SweepViruses.pm, you will see that MS calls Mail::ClamAV with the 
> following options:
>                               Mail::ClamAV::CL_SCAN_STDOPT() |
>                               Mail::ClamAV::CL_SCAN_ARCHIVE() |
>                               Mail::ClamAV::CL_SCAN_PE() |
>                               Mail::ClamAV::CL_SCAN_BLOCKBROKEN() |
>                               Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() |
>                               Mail::ClamAV::CL_SCAN_OLE2());
>
> Retry your scan with:
> my $status = $c->scan("/tmp/report-csv.zip", CL_SCAN_STDOPT | 
> CL_SCAN_ARCHIVE | CL_SCAN_PE | CL_SCAN_BLOCKBROKEN | 
> CL_SCAN_BLOCKENCRYPTED | CL_SCAN_OLE2);
> and you should see the virus detected.
>
> Denis
>
Hi Denis.

Thanks for your reply.  I actually thought of this as well a short while 
after I sent in my last post i.e. seeing what parameters MS passed to 
the clamavmodule and using those in my code snippet.  However, I then 
came up with an even more brilliant idea:  Look in the mail logs ;P  
Anyway, clamavmodule reckons that the zips were Oversized.  So Google 
must squash the bejesus out of them (more than zip -9 does obviously).  
As such, I'll install the latest version of MS and remember to also 
increase the compression ratio threshold :)


Cheers.
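As an added illustration (not code from the thread, MailScanner or Mail::ClamAV), the following Python reproduces the compression-ratio check behind the "Oversized" verdict: it builds a constructed report.csv zip of repetitive rows, as a stand-in for the Google report attachment, and applies the ClamAVmodule limits quoted earlier in the thread. The function names and the sample rows are mine; a highly repetitive CSV compresses at several hundred to one, which is why a benign attachment can trip a zip-bomb heuristic.

```python
import io
import zipfile

# Limits taken from the ClamAVmodule directives quoted in the thread.
MAX_FILES = 1000            # ClamAVmodule Maximum Files
MAX_FILE_SIZE = 10_000_000  # ClamAVmodule Maximum File Size (10 Mbytes)
MAX_RATIO = 950             # ClamAVmodule Maximum Compression Ratio


def build_report_zip(rows: int) -> bytes:
    """Constructed sample: one report.csv of repetitive rows, standing in
    for the non-password-protected Google report attachment."""
    csv = "date,campaign,impressions,clicks,cost\n"
    csv += "2007-04-09,adgroup-1,0,0,0.00\n" * rows
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.csv", csv)
    return buf.getvalue()


def member_ratios(data: bytes) -> dict:
    """Uncompressed:compressed ratio per member, from the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: i.file_size / max(i.compress_size, 1)
                for i in zf.infolist()}


def check_archive(data: bytes, max_files=MAX_FILES,
                  max_size=MAX_FILE_SIZE, max_ratio=MAX_RATIO) -> list:
    """Apply the archive limits and return (member, reason) findings; an
    empty list means the archive would pass the limits."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    if len(infos) > max_files:
        findings.append(("<archive>", f"Oversized.Zip: {len(infos)} members"))
    for info in infos:
        if info.flag_bits & 0x1:  # general-purpose flag bit 0 = encrypted
            findings.append((info.filename, "Encrypted.Zip"))
            continue
        if info.file_size > max_size:
            findings.append((info.filename, f"Oversized.Zip: {info.file_size} bytes"))
        ratio = info.file_size / max(info.compress_size, 1)
        if ratio > max_ratio:
            findings.append((info.filename, f"Oversized.Zip: ratio {ratio:.0f}:1"))
    return findings


if __name__ == "__main__":
    for rows in (20, 200_000):
        blob = build_report_zip(rows)
        print(rows, "rows:", member_ratios(blob), check_archive(blob) or "clean")
```

Raising the ratio threshold, as the thread concludes, lets such reports through; a tighter alternative is to whitelist the sender only for that rule while keeping the limit for everyone else.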

