Robert L Mathews wrote:
> I have found the source of the issue I reported to clamav-users last
> week (originally with a subject of "Input/Output error with .zip file
> under 0.84"), with the help of a pointer from Andrey Melnikoff.
>
> The issue is: If an unencrypted .zip file over 32KB in size is
> compressed using the PKZIP "deflate64" algorithm (zip method 9),
> ClamAV's built-in unzip mechanism can't handle it because it doesn't
> really support deflate64, even though line 196 of zzip-file.c has code
> that checks for this method and thinks it is supported.
>
> Version 0.85 of ClamAV returns the following output for such a file:
>
> $ ./clamscan eicardeflate64.zip
> eicardeflate64.zip: Zip module failure
> eicardeflate64.zip: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 34257
> Engine version: 0.85
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Time: 0.481 sec (0 m 0 s)
>
> (If you're trying this yourself, use --debug for more technical info; it
> shows the nature of the decompression failure in detail.)
>
> This may well be harmless if clients detect the failure, but I wonder if
> the fact that ClamAV returns both "Zip module failure" and "OK" could
> potentially confuse some clients into thinking the file is clean when it
> isn't. I have no evidence to suggest that that is (or isn't) the case,
> but if so, that could be a problem, since all popular unzip clients can
> decompress such a file with no trouble.
>
> If anyone is interested, the file I used for testing (which is the EICAR
> test file appended with 70 KB or so of random data to ensure it's big
> enough to trigger the decompression failure) is available at:
>
> http://www.tigertech.net/eicardeflate64.zip
>
> Or you can create your own such files with a trial version of PKZIP with
> the compression level set to "custom" and the method set to "deflate64";
> just make sure the files are greater than 32 KB in size (otherwise zzip
> will decompress them successfully).
>
> I'm not quite sure what the "solution" to this is (or if one is even
> needed), but if nothing else, zzip-file.c should probably be changed to
> not think it can decompress zip method 9 files, because it doesn't seem
> like it can if they're bigger than 32 KB.
I just tested it with commercial AV: only KAV and NOD can detect it. Strange.

Regards
Boguslaw

_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
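The quoted report describes a scanner whose unzip code accepts a compression method (zip method 9, deflate64) that its inflater cannot actually decode, and then prints "OK" next to the failure. The Python script below is an added example, not part of this thread and not ClamAV's code. It builds a constructed in-memory zip with three members (a stored member, a genuine raw-deflate member of about 40 KB, and a member whose central-directory header is marked method 9 with a placeholder payload, since no deflate64 encoder is used here), walks the central directory to report every member's method, lists the members outside a given supported set, and uses Python's standard zipfile module as a stand-in for an inflater that, like the ClamAV version discussed, does not handle method 9. The function names (make_entry, build_zip, central_directory, unsupported_entries, stdlib_can_inflate, demo_archive) and the sample data are this example's own.

```python
"""Flag zip members whose compression method the scanner's inflater does not
implement, so a "Zip module failure" is not silently read as a clean verdict.

Only the zip headers are parsed; nothing here decompresses deflate64."""
import io
import struct
import zipfile
import zlib

# Compression method numbers from the PKWARE APPNOTE (method 9 is deflate64).
ZIP_STORED, ZIP_DEFLATED, ZIP_DEFLATE64 = 0, 8, 9
METHOD_NAMES = {0: "stored", 8: "deflate", 9: "deflate64", 12: "bzip2", 14: "lzma"}

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
LOCAL_FMT, CENTRAL_FMT, EOCD_FMT = "<IHHHHHIIIHH", "<IHHHHHHIIIHHHHHII", "<IHHHHIIH"


def make_entry(name, method, plain, payload=None):
    """Return (name, method, crc32, payload, uncompressed_size) for build_zip().
    Deflate payloads are real raw-deflate streams; for any other method the
    caller supplies the payload bytes (stored members just reuse the plain bytes)."""
    if payload is None:
        if method == ZIP_DEFLATED:
            c = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, as zip stores it
            payload = c.compress(plain) + c.flush()
        else:
            payload = plain
    return (name.encode("ascii"), method, zlib.crc32(plain) & 0xFFFFFFFF, payload, len(plain))


def build_zip(entries):
    """Write a minimal single-disk zip (no zip64, no data descriptors, no comment)."""
    body, central = bytearray(), bytearray()
    for name, method, crc, payload, usize in entries:
        offset = len(body)
        body += struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, method, 0, 0,
                            crc, len(payload), usize, len(name), 0) + name + payload
        central += struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0, method, 0, 0,
                               crc, len(payload), usize, len(name),
                               0, 0, 0, 0, 0, offset) + name
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


def central_directory(zip_bytes):
    """Walk the central directory (located via the end-of-central-directory
    record) and return one dict per member: name, method, csize, usize.
    The method field sits at offset 10 of each 46-byte central header.
    rfind() of the EOCD signature is adequate for archives without a comment."""
    eocd_at = zip_bytes.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _cd_size, pos, _ = struct.unpack_from(EOCD_FMT, zip_bytes, eocd_at)
    members = []
    for _ in range(total):
        f = struct.unpack_from(CENTRAL_FMT, zip_bytes, pos)
        if f[0] != CENTRAL_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        method, csize, usize, fnlen, extralen, clen = f[4], f[8], f[9], f[10], f[11], f[12]
        name = zip_bytes[pos + 46:pos + 46 + fnlen].decode("cp437")
        members.append({"name": name, "method": method, "csize": csize, "usize": usize})
        pos += 46 + fnlen + extralen + clen
    return members


def unsupported_entries(zip_bytes, supported=(ZIP_STORED, ZIP_DEFLATED)):
    """(name, method name) for members the inflater cannot unpack. A non-empty
    list means a clean verdict for the archive did not inspect those members."""
    return [(m["name"], METHOD_NAMES.get(m["method"], "method %d" % m["method"]))
            for m in central_directory(zip_bytes) if m["method"] not in supported]


def stdlib_can_inflate(zip_bytes, name):
    """Python's zipfile as a stand-in inflater: True if the member reads through
    to its CRC check, False if the compression method is refused."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            zf.read(name)
            return True
        except NotImplementedError:  # zipfile raises this for method 9
            return False


def demo_archive():
    """Constructed fixture: a stored member, a real deflate member over 32 KB and
    a member whose header claims deflate64. That payload is the plain bytes,
    because this script has no deflate64 encoder; only its header matters here."""
    big = b"constructed sample text, repeated to exceed 32 KB. " * 800  # 40800 bytes
    return build_zip([
        make_entry("readme.txt", ZIP_STORED, b"stored member\n"),
        make_entry("notes.txt", ZIP_DEFLATED, big),
        make_entry("payload.bin", ZIP_DEFLATE64, big, payload=big),
    ])


if __name__ == "__main__":
    z = demo_archive()
    for m in central_directory(z):
        print("%-12s method=%d (%s) %d -> %d bytes" % (m["name"], m["method"],
              METHOD_NAMES.get(m["method"], "?"), m["csize"], m["usize"]))
    for name, how in unsupported_entries(z):
        print("NOT INSPECTED: %s (%s); stdlib inflater ok? %s"
              % (name, how, stdlib_can_inflate(z, name)))
```

Run stand-alone, the script prints the three members and then reports payload.bin as not inspected. The design point for a scanning client is that the decision rests on the central directory's method field, not on the engine's summary line: any member whose method is outside the set the inflater really implements should be treated as unscanned, whatever verdict is printed beside it.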