Subject: clamav: clamscan fails to detect malware when using external archivers due to the filetype detection code
Package: clamav
Version: 0.93~dfsg-volatile1
Severity: grave
Justification: renders package unusable
When using external archivers to process files, clamscan fails to
detect malware in many cases. This is due to the fact that the filetype
detection code (clamscan/manager.c lines 708 ff.) matches the filename
against a hardcoded list of extensions (e.g. ".zip", ".rar", ".arj"
etc.). The external archiver is only called if the filename matches the
extension.
This obviously breaks the detection in cases where the filename doesn't
contain the required extension. Most cases of self-extracting archives
use ".exe" as an extension and thus aren't recognized at all. This
creates a huge gap ("wide open barndoor" would be the precise term, I
think), as very many cases of Windows malware come in the form of
self-extracting archives. Also, this breaks in cases where suspicious
files are scanned in a quarantine, using the MD5 sum as a filename.
Libclamav already contains code to recognize the file format
independently of a filetype extension (libclamav/scanners.c, lines 1554
ff., function cli_scanraw). This could/should be used to detect the
filetype when deciding whether to call an external archiver to process a
file.
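To make the difference between the two dispatch strategies concrete, here is a small added example (editor's illustration, not code from the bug report, from clamscan or from libclamav). It contrasts an extension-keyed lookup of the kind described above with a content-keyed one that looks for archive signatures in the file bytes, and runs both over constructed samples: a plain .zip, a RAR file stored in a quarantine under its MD5 sum, a self-extracting RAR with an .exe suffix, and a text file. The signature table holds the well-known leading bytes of ZIP, RAR and ARJ archives and is an assumption of this example, not a copy of clamav's tables.

```python
"""Extension-keyed vs. content-keyed selection of an external archiver.

Added example, not clamav code. Demonstrates why deciding on the filename
suffix alone misses self-extracting archives and hash-named quarantine
files, and how a signature scan over the file content recovers them.
"""
import os

# Leading signatures of common archive formats. Assumption of this example:
# these are the standard magic bytes; they are not taken from clamav.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07\x00": "rar",      # RAR 1.5 - 4.x
    b"Rar!\x1a\x07\x01\x00": "rar",  # RAR 5.x
    b"\x60\xea": "arj",
}

# The hardcoded suffix list the report describes (constructed here).
EXTENSION_MAP = {".zip": "zip", ".rar": "rar", ".arj": "arj"}

# Signatures this short would match random bytes inside a PE stub, so they
# are only trusted at offset 0, never in an embedded search.
MIN_EMBEDDED_MAGIC_LEN = 4


def archiver_by_extension(filename):
    """Extension-keyed dispatch: returns the archiver name only when the
    filename carries a known suffix, otherwise None."""
    _, ext = os.path.splitext(filename.lower())
    return EXTENSION_MAP.get(ext)


def archiver_by_content(data):
    """Content-keyed dispatch: recognise the archive from its bytes.

    A plain archive starts with its signature. A self-extracting archive
    starts with a PE stub ("MZ") and carries the archive signature later in
    the file, so for MZ files the buffer is searched for the earliest
    sufficiently long signature.
    """
    for magic, name in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return name
    if data[:2] == b"MZ":
        best = None
        for magic, name in ARCHIVE_MAGIC.items():
            if len(magic) < MIN_EMBEDDED_MAGIC_LEN:
                continue
            pos = data.find(magic, 2)
            if pos != -1 and (best is None or pos < best[0]):
                best = (pos, name)
        if best is not None:
            return best[1]
    return None


def choose_archiver(filename, data):
    """Prefer the type derived from the content; fall back to the suffix."""
    return archiver_by_content(data) or archiver_by_extension(filename)


# Constructed sample files (not real malware): name -> bytes.
SAMPLES = {
    "report.zip": b"PK\x03\x04" + b"\x00" * 26 + b"payload",
    # Quarantine entry stored under its MD5 sum, no extension at all.
    "d41d8cd98f00b204e9800998ecf8427e": b"Rar!\x1a\x07\x00" + b"\x00" * 20,
    # Self-extracting RAR: PE stub first, archive signature appended.
    "setup.exe": b"MZ" + b"\x90" * 60 + b"Rar!\x1a\x07\x00" + b"\x00" * 20,
    "notes.txt": b"plain text, no archive here",
}


def compare(samples=SAMPLES):
    """Return {name: (by_extension, by_content)} for every sample."""
    return {
        name: (archiver_by_extension(name), archiver_by_content(data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (by_ext, by_content) in compare().items():
        print(f"{name:36} extension={by_ext!s:5} content={by_content!s:5}")
```

Running it shows the gap the report describes: the extension lookup routes only report.zip to an archiver, while the content lookup also catches the hash-named quarantine file and the self-extracting .exe, and still leaves the text file alone.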
This bug has also been opened in the upstream bugzilla
(<https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1051>). However,
Debian is affected more than other distributions due to the fact that
clamscan on Debian relies on an external unrar in order to scan RAR
archives (because of the licensing issues). This bug means that
self-extracting RAR archives ARE NOT SCANNED correctly on Debian
systems. Many forms of (especially Windows) malware spread as
self-extracting RAR archives and ARE NOT DETECTED by Debian clamav
installations.
Greetings from Karlsruhe,
=ToJe=
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.24-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages clamav depends on:
ii clamav-data 20080603.093500.7339 clamav data files
ii libc6 2.7-10 GNU C Library: Shared libraries
ii libclamav4 0.93~dfsg-volatile1 anti-virus utility for Unix - libr
ii libgmp3c2 2:4.2.2+dfsg-3 Multiprecision arithmetic library
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages clamav recommends:
ii arj 3.10.22-4 archiver for .arj files
ii clamav-base 0.93~dfsg-volatile1 anti-virus utility for Unix - base
ii unzoo 4.4-7 zoo archive extractor
-- no debconf information
--
Torsten Jerzembeck <[EMAIL PROTECTED]>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99