Mark,

Your xar scenario should be working. You can get more info with --debug. If you want to forward that output and/or test file, we can investigate further.

Steve

On Wed, Mar 19, 2014 at 11:59 AM, Mark Allan <[email protected]> wrote:
> My test disk is indeed a raw image. I've also tried read only as well as compressed, and nothing gets detected in any of those.
>
> As you say, Disk Utility creates raw images by default, and while some software packagers do create UDIF formatted images, I suspect Disk Utility is the most common way of making disk images on OS X.
>
> What would be required to provide full DMG support?
>
> Also, is there a similar caveat for xar archives? I've done a similar test for those and they slip by undetected as well.
>
> xar -c -f new.xar DirWithManyKnownDetectedMalwareSamples
>
> clamscan new.xar
> new.xar: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 3259558
> Engine version: 0.98.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 31.34 MB (ratio 0.00:1)
> Time: 4.612 sec (0 m 4 s)
>
> Mark
>
> On 19 Mar 2014, at 15:43, David Raynor <[email protected]> wrote:
>
> > DMG is an odd filetype, since there are really 2 or 3 different filetypes lumped into that category.
> >
> > What we have included in ClamAV 0.98.1 is scanning of UDIF format DMG files, which have a definitive trailer block and may have compressed sections. We have not yet included support for scanning raw disk format DMG files, which are nearly indistinguishable from disk dumps. No separate compression is allowed.
> >
> > So let me ask you this question. How did you create your DMG? Most software packagers create UDIF format to reduce the file size for downloads. Disk Utility and the hdiutil command can create a raw disk unless another format is checked.
> >
> > To find out what format your testfile is really in, you can use the imageinfo sub-command of hdiutil (e.g. hdiutil imageinfo yourfile.dmg). Then you can use the convert sub-command of hdiutil to switch the format.
> >
> > Hope this helps,
> >
> > Dave R.
> >
> > --
> > ---
> > Dave Raynor
> > Vulnerability Research Team
> > _______________________________________________
> > http://lurker.clamav.net/list/clamav-devel.html
> > Please submit your patches to our Bugzilla: http://bugs.clamav.net
> >
> > On Wed, Mar 19, 2014 at 11:34 AM, Rafael Ferreira <[email protected]> wrote:
> >
> >> Interesting... let me run some tests and get back to you.
> >>
> >> On Mar 19, 2014, at 8:33 AM, Mark Allan <[email protected]> wrote:
> >>
> >>> Just out of interest, did you test to see if it *actually* worked?
> >>>
> >>> My configure output shows that dmg and xar are supported, but it doesn't actually detect the Eicar test file within a disk image.
> >>>
> >>> configure: Summary of engine detection features
> >>> autoit_ea06 : yes
> >>> bzip2 : ok
> >>> zlib : /usr
> >>> unrar : yes
> >>> dmg and xar : yes, from /usr
> >>>
> >>> When I create a new disk image, copy the Eicar test file in, and scan the dmg, it shows up as being clean.
> >>>
> >>>> clamscan test.dmg
> >>>> test.dmg: OK
> >>>>
> >>>> ----------- SCAN SUMMARY -----------
> >>>> Known viruses: 3259558
> >>>> Engine version: 0.98.1
> >>>> Scanned directories: 0
> >>>> Scanned files: 1
> >>>> Infected files: 0
> >>>> Data scanned: 10.07 MB
> >>>> Data read: 10.02 MB (ratio 1.01:1)
> >>>> Time: 4.845 sec (0 m 4 s)
> >>>
> >>> Does this work as expected for anyone else?
> >>>
> >>> Mark
> >>>
> >>> On 10 Feb 2014, at 23:38, Rafael Ferreira <[email protected]> wrote:
> >>>
> >>>> That worked, thanks!
> >>>>
> >>>> On February 10, 2014 at 4:29:41 PM, Steven Morgan ([email protected]) wrote:
> >>>>
> >>>> Rafael,
> >>>>
> >>>> Probably all you need to do is install libxml&libxml2-dev, which is used by dmg and xar, then do your configure/make.
> >>>>
> >>>> Steve
> >>>>
> >>>>
> >>>> On Mon, Feb 10, 2014 at 6:05 PM, Rafael Ferreira <[email protected]> wrote:
> >>>>
> >>>>>
> >>>>> Folks,
> >>>>>
> >>>>> I'm compiling clamav 0.98.1 on Linux (Ubuntu 12.04 LTS) and I'm not getting the new super awesome DMG and XAR file support:
> >>>>>
> >>>>> configure: Summary of detected features follows
> >>>>> OS : linux-gnu
> >>>>> pthreads : yes (-lpthread)
> >>>>> configure: Summary of miscellaneous features
> >>>>> check : no (auto)
> >>>>> fanotify : yes
> >>>>> fdpassing : 1
> >>>>> IPv6 : yes
> >>>>> configure: Summary of optional tools
> >>>>> clamdtop : (auto)
> >>>>> milter : yes (disabled)
> >>>>> configure: Summary of engine performance features)
> >>>>> release mode: yes
> >>>>> jit : yes (auto)
> >>>>> mempool : yes
> >>>>> configure: Summary of engine detection features
> >>>>> autoit_ea06 : yes
> >>>>> bzip2 : ok
> >>>>> zlib : /usr
> >>>>> unrar : yes
> >>>>> dmg and xar : no
> >>>>>
> >>>>> Am I missing a configure flag or third party library?
> >>>>>
> >>>>> Thanks in advance,
> >>>>>
> >>>>> - Rafael
> >>>>>
> >>>>> ----
> >>>>> scanii.com - the web friendly malware scanner!
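Dave's message in the thread above draws the line that explains Mark's results: ClamAV 0.98.1 parses UDIF images, which end in a definitive trailer block, but not raw images, which look like plain disk dumps, and Steve says the xar path should work. Before concluding that detection has failed, it helps to know which container you actually handed the scanner. The Python below is an added example, not code from the thread or from ClamAV: it checks a file for the two container signatures named in the thread, the 512-byte "koly" trailer at the end of a UDIF image and the "xar!" magic at the start of a xar archive, and reports anything else as raw or unknown, which is the case the scanner treats as an opaque blob. Field layouts follow the public UDIF and xar formats; the sample files are constructed inside the script (labelled as such) and are not real Disk Utility images. On OS X, `hdiutil imageinfo` from Dave's message remains the authoritative check; this script is for a Linux scanning host where hdiutil is unavailable.

```python
import struct

# UDIF images end with a fixed 512-byte trailer whose signature is "koly".
KOLY_TRAILER_SIZE = 512
KOLY_MAGIC = b"koly"
# xar archives start with a 28-byte big-endian header whose magic is "xar!".
XAR_MAGIC = b"xar!"
XAR_HEADER_SIZE = 28


def parse_koly_trailer(data: bytes):
    """Return the UDIF trailer fields, or None if the file has no valid koly trailer.

    Layout used here: 4-byte signature, then big-endian uint32 version, uint32
    header size, uint32 flags; the XML plist offset and length are uint64
    fields at byte offsets 216 and 224 of the trailer.
    """
    if len(data) < KOLY_TRAILER_SIZE:
        return None
    trailer = data[-KOLY_TRAILER_SIZE:]
    if trailer[:4] != KOLY_MAGIC:
        return None
    version, header_size, flags = struct.unpack(">III", trailer[4:16])
    xml_offset, xml_length = struct.unpack(">QQ", trailer[216:232])
    if header_size != KOLY_TRAILER_SIZE:
        return None  # a real trailer records its own 512-byte size
    if xml_offset + xml_length > len(data) - KOLY_TRAILER_SIZE:
        return None  # plist would overlap the trailer or run past end of file
    return {"version": version, "flags": flags,
            "xml_offset": xml_offset, "xml_length": xml_length}


def parse_xar_header(data: bytes):
    """Return the xar header fields, or None if the file does not start with a sane xar header."""
    if len(data) < XAR_HEADER_SIZE or data[:4] != XAR_MAGIC:
        return None
    header_size, version, toc_clen, toc_ulen, cksum_alg = struct.unpack(
        ">HHQQI", data[4:XAR_HEADER_SIZE])
    if header_size < XAR_HEADER_SIZE or header_size + toc_clen > len(data):
        return None  # table of contents would run past end of file
    return {"version": version, "toc_compressed": toc_clen,
            "toc_uncompressed": toc_ulen, "checksum_alg": cksum_alg}


def classify_image(data: bytes) -> str:
    """Classify a candidate file as 'xar', 'udif-dmg' or 'raw-or-unknown'."""
    if parse_xar_header(data) is not None:
        return "xar"
    if parse_koly_trailer(data) is not None:
        return "udif-dmg"
    return "raw-or-unknown"


# ---- constructed samples (not real images; they only exercise the checks) ----

def make_udif_sample(header_size: int = KOLY_TRAILER_SIZE) -> bytes:
    """Constructed UDIF-shaped file: zero payload, a tiny plist, then a koly trailer."""
    payload = b"\x00" * 1024                      # stands in for the data fork blocks
    plist = b'<?xml version="1.0"?><plist/>'     # stands in for the resource-fork plist
    trailer = bytearray(KOLY_TRAILER_SIZE)
    trailer[:4] = KOLY_MAGIC
    struct.pack_into(">III", trailer, 4, 4, header_size, 1)          # version 4, size, flags
    struct.pack_into(">QQ", trailer, 216, len(payload), len(plist))  # plist offset, length
    return payload + plist + bytes(trailer)


def make_raw_sample() -> bytes:
    """Constructed raw image: just sectors of data with no container signature."""
    return b"\x00" * 4096


def make_xar_sample() -> bytes:
    """Constructed xar-shaped file: header followed by a placeholder table of contents."""
    toc = b"\x00" * 16  # placeholder for the compressed TOC
    header = XAR_MAGIC + struct.pack(">HHQQI", XAR_HEADER_SIZE, 1, len(toc), 64, 1)
    return header + toc


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if not paths:  # no file given: run over the constructed samples
        for name, sample in (("udif", make_udif_sample()), ("raw", make_raw_sample()),
                             ("xar", make_xar_sample())):
            print(f"{name}: {classify_image(sample)}")
    for path in paths:
        with open(path, "rb") as fh:
            print(f"{path}: {classify_image(fh.read())}")
```

Run it with no arguments to see the three constructed samples classified, or pass the image you scanned (`python3 dmgcheck.py test.dmg`). A result of `raw-or-unknown` for a file made with Disk Utility's defaults is the situation Mark describes, and the fix is Dave's `hdiutil convert` to a UDIF variant rather than a ClamAV configuration change. The trailer check deliberately rejects a "koly" signature whose header size or plist extent is inconsistent, so a stray signature in the last sector of a raw image does not get reported as UDIF.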
