When the .zip file is scanned, I get this "Input/Output error":
-----
$ clamscan --debug /tmp/test.zip
LibClamAV debug: Loading databases from /var/lib/clamav/
LibClamAV debug: Loading /var/lib/clamav//main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 97483b1d8189548e820e8a3f4bef787b
LibClamAV debug: Decoded signature: 97483b1d8189548e820e8a3f4bef787b
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-e63077a2d17ae1db/COPYING
LibClamAV debug: Unpacking /tmp/clamav-e63077a2d17ae1db/main.db
LibClamAV debug: Unpacking /tmp/clamav-e63077a2d17ae1db/main.hdb
LibClamAV debug: Unpacking /tmp/clamav-e63077a2d17ae1db/main.ndb
LibClamAV debug: Unpacking /tmp/clamav-e63077a2d17ae1db/main.zmd
LibClamAV debug: Unpacking /tmp/clamav-e63077a2d17ae1db/main.fp
LibClamAV debug: Loading databases from /tmp/clamav-e63077a2d17ae1db
LibClamAV debug: Loading /tmp/clamav-e63077a2d17ae1db/main.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading /tmp/clamav-e63077a2d17ae1db/main.hdb
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading /tmp/clamav-e63077a2d17ae1db/main.ndb
LibClamAV debug: Loading /tmp/clamav-e63077a2d17ae1db/main.zmd
LibClamAV debug: Loading /tmp/clamav-e63077a2d17ae1db/main.fp
LibClamAV debug: Loading /var/lib/clamav//daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 12a436bd3f5d5af1900ff1abd76bdf99
LibClamAV debug: Decoded signature: 12a436bd3f5d5af1900ff1abd76bdf99
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-7fd240260e726c3a/COPYING
LibClamAV debug: Unpacking /tmp/clamav-7fd240260e726c3a/daily.db
LibClamAV debug: Unpacking /tmp/clamav-7fd240260e726c3a/daily.hdb
LibClamAV debug: Unpacking /tmp/clamav-7fd240260e726c3a/daily.ndb
LibClamAV debug: Loading databases from /tmp/clamav-7fd240260e726c3a
LibClamAV debug: Loading /tmp/clamav-7fd240260e726c3a/daily.db
LibClamAV debug: Loading /tmp/clamav-7fd240260e726c3a/daily.hdb
LibClamAV debug: Loading /tmp/clamav-7fd240260e726c3a/daily.ndb
LibClamAV debug: Recognized ZIP file
LibClamAV debug: in scanzip()
LibClamAV debug: Zip: license.txt, crc32: 0xa250cada, encrypted: 0, compressed: 1121, normal: 2222, method: 9, ratio: 1 (max: 250)
LibClamAV debug: Calculated MD5 checksum: faf5b6a93db48430ef9b6285862c48f5
LibClamAV debug: Zip: lullabys.exe, crc32: 0xb36318c0, encrypted: 0, compressed: 1490006, normal: 1494890, method: 9, ratio: 1 (max: 250)
LibClamAV debug: Zip: Incorrectly decompressed (32768 != 1494890)
LibClamAV debug: Calculated MD5 checksum: c092fbc985a309383a668a135ee6715d
/tmp/test.zip: Input/Output error
----------- SCAN SUMMARY ----------- Known viruses: 34257 Engine version: 0.84 Scanned directories: 0 Scanned files: 1 Infected files: 0 Data scanned: 4.22 MB Time: 1.369 sec (0 m 1 s)
-----
This initially came to my attention because a customer complained that this file was being discarded as a "Broken.Executable" virus by one of our mail servers running amavis and version 0.83 of ClamAV. Version 0.84 just gives the "Input/Output error" message, which is less harmful (amavis passes it as "unchecked") but still not good.
Does anyone have any idea what causes this? Obviously, ClamAV is only able to decompress the first 32768 bytes of the file, but unzipping this file with other utilities gives no errors or warnings. I tried debugging the zzip_file_read function of ClamAV with gdb, but apparently debugging the libclamav.so library is beyond my gdb skills (hints welcome).
I've tested many other .zip files and don't have this problem. I've also tried it on two separate machines. Finally, I also tried using today's "devel-20050506" snapshot with the same result.
I have a copy of the .zip file in question if anyone else wishes to see it (it's over 4 MB, though). I don't know what program created the file, as it came from a customer who doesn't know the details.
-- Robert L Mathews, Tiger Technologies http://www.tigertech.net/ _______________________________________________ http://lurker.clamav.net/list/clamav-users.html
