Hi there
I have a viral *.jar file that clamscan and clamdscan cannot find anything wrong with, but if I run "clamscan --jar file.jar", it finds the trojans.
JAR files are meant to be ZIP files, but if I manually run unzip over it I see:
Archive:  loaderadv50.jar
warning [loaderadv50.jar]:  262 extra bytes at beginning or within zipfile
  (attempting to process anyway)
    testing: Counter.class   OK
    testing: Dummy.class   OK
    testing: Matrix.class   OK
    testing: Parser.class   OK
No errors detected in compressed data of loaderadv50.jar.
So there is some junk in there that unzip skips over - but I'm wondering if that same junk allows it to bypass clamscan/clamd's standard methods of discovering if it's a JAR file? When I run "clamscan --jar loaderadv50.zip", I see clamscan calling "/usr/bin/unzip" - so I assume without that option, clamscan uses internal unzip routines, and with it clamscan calls /usr/bin/unzip?
-- Cheers
Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
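A small check for the behaviour asked about above, added here as an example and not code from the post or from ClamAV: it builds a constructed JAR-like archive with 262 bytes prepended (member names mirror the unzip listing, class bodies are placeholder bytes), shows that identification by leading magic bytes alone misses it, and recovers the prepended-byte count from the End of Central Directory trailer the way unzip's warning does.

```python
import io
import struct
import zipfile

# Hypothetical member names mirroring the unzip listing in the post; the class
# bodies are placeholder bytes, not real bytecode (constructed sample).
SAMPLE_MEMBERS = ("Counter.class", "Dummy.class", "Matrix.class", "Parser.class")
EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record (archive trailer)
CD_SIG = b"PK\x01\x02"     # central-directory file header
LOCAL_SIG = b"PK\x03\x04"  # local file header; magic-based sniffing expects it at offset 0


def build_sample(junk_len: int) -> bytes:
    """Constructed sample: a small JAR-like ZIP with junk_len bytes prepended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in SAMPLE_MEMBERS:
            zf.writestr(name, b"\xca\xfe\xba\xbe" + name.encode())
    return b"\x00" * junk_len + buf.getvalue()


def starts_with_zip_magic(data: bytes) -> bool:
    """True only when the file begins with a local file header, which is all a
    detector keyed on leading magic bytes would look at."""
    return data.startswith(LOCAL_SIG)


def leading_junk_bytes(data: bytes) -> int:
    """Bytes prepended before the real archive, found the way unzip finds them:
    from the trailer (EOCD) backwards rather than from the start of the file.
    Returns -1 if no consistent ZIP structure is present."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 20 > len(data):
        return -1
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    actual_cd = eocd - cd_size
    if actual_cd < 0 or data[actual_cd:actual_cd + 4] != CD_SIG:
        return -1
    # The recorded offset assumes the archive starts at byte 0; any surplus is junk.
    return actual_cd - cd_offset


if __name__ == "__main__":
    for junk in (0, 262):
        sample = build_sample(junk)
        print(f"junk={junk}: magic at offset 0: {starts_with_zip_magic(sample)}, "
              f"prepended bytes per trailer: {leading_junk_bytes(sample)}")
```

A file-type check that only sniffs the first bytes reports the padded archive as not-a-ZIP, while the trailer-based walk still recovers every member, which is why a scanner that type-detects by leading magic and an external unzip can disagree on the same file.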