Hi,

I just downloaded the last RPM version of ClamAV for Red Hat 9 and I made some
tests:
$ clamscan -V
ClamAV 0.87/1148/Tue Oct 25 21:34:12 2005

1/ I have downloaded a test virus : 
$ wget http://www.eicar.org/download/eicar.com

2/ I checked the virus with clamscan, it is OK 
$ clamscan eicar.com
eicar.com: Eicar-Test-Signature FOUND
[...]

3/ I checked if clamscan can find a virus inside a compressed archive, and
it is OK.
$ tar jcvf test.tar.bz2 eicar.com 
eicar.com
$ clamscan test.tar.bz2
test.tar.bz2: Eicar-Test-Signature FOUND

4/ I did the same with a RAR archive, and clamscan CAN NOT FIND THE VIRUS:

$ rar -h
RAR 3.50 beta 1   Copyright (c) 1993-2005 Alexander Roshal   30 Mar 2005
[...]
$ unrar -h 
UNRAR 3.50 beta 3 freeware      Copyright (c) 1993-2005 Alexander Roshal
[...]


$ rar a test.rar eicar.com
[...]

$ clamscan --unrar=/usr/bin/unrar test.rar
./test.rar: OK

5/ I ran the program again in debug mode, and it seems there is an error:

$ clamscan --debug --unrar=/usr/bin/unrar test.rar
[...]
LibClamAV debug: Recognized RAR file
LibClamAV debug: in scanrar()
LibClamAV debug: unrarlib.c:2652:InitCRC Initialize CRC table
LibClamAV debug: ExtrFile(): dup(3) = 4
LibClamAV debug: Couldn't read next filename from archive (I/O error): 0
LibClamAV debug: RAR: Number of archived files: 1
LibClamAV debug: RAR: eicar.com, crc32: 0x6851cf3c, encrypted: 0, compressed: 72, normal: 68, method: 51, ratio: 0 (max: 250)
LibClamAV debug: RAR: Exit code: 0
LibClamAV debug: Calculated MD5 checksum: e7386367e1626f6186a23132c4309fa2
./test.rar: OK

6/ when I unrar the file to stdout and pipe the content to clamscan stdin,
it works.
$ unrar -inul p test.rar | clamscan -
stdin: Eicar-Test-Signature FOUND

Does somebody know how to solve this problem?

Regards.

Pierre-Emmanuel Brinette
Network Engineer
________________________
SATXPRO
38, place des pavillons
F-69007 Lyon
France
Tel: +33 (0) 4 72 80 82 35
GSM: +33 (0) 6 60 03 82 35
Fax: +33 (0) 4 78 72 83 94
http://www.satxpro.com  


_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
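
An added example, not part of the original post and not ClamAV code: a small Python check that reads captured `clamscan --debug` output and marks an `OK` verdict as untrusted when the unpacker logged an error before it, as in step 5 of the post. The line patterns come from the debug lines quoted above (rejoined onto single lines); the function and field names are hypothetical.

```python
import re

# Constructed sample: the debug lines quoted in step 5, rejoined onto single lines.
SAMPLE = """\
LibClamAV debug: Recognized RAR file
LibClamAV debug: in scanrar()
LibClamAV debug: ExtrFile(): dup(3) = 4
LibClamAV debug: Couldn't read next filename from archive (I/O error): 0
LibClamAV debug: RAR: Number of archived files: 1
LibClamAV debug: RAR: eicar.com, crc32: 0x6851cf3c, encrypted: 0, compressed: 72, normal: 68, method: 51, ratio: 0 (max: 250)
LibClamAV debug: RAR: Exit code: 0
LibClamAV debug: Calculated MD5 checksum: e7386367e1626f6186a23132c4309fa2
./test.rar: OK
"""

DEBUG = re.compile(r"^LibClamAV debug: (.*)$")
MEMBER = re.compile(r"^RAR: (?P<name>.+?), crc32: ")   # per-member listing line
ERROR = re.compile(r"couldn't read|i/o error", re.I)    # wording seen in the post
VERDICT = re.compile(r"^(?P<path>.+): (?P<result>OK|.+ FOUND)$")


def audit(log):
    """Return one record per verdict line. A clean verdict that follows an
    unpacker error is untrusted: archive members may never have been scanned."""
    records, members, errors = [], [], []
    for line in log.splitlines():
        dbg = DEBUG.match(line)
        if dbg:
            msg = dbg.group(1)
            member = MEMBER.match(msg)
            if member:
                members.append(member.group("name"))
            elif ERROR.search(msg):
                errors.append(msg)
            continue
        verdict = VERDICT.match(line.strip())
        if verdict:
            clean = verdict.group("result") == "OK"
            records.append({"path": verdict.group("path"),
                            "result": verdict.group("result"),
                            "members": members, "errors": errors,
                            "trusted": not (clean and errors)})
            members, errors = [], []
    return records


if __name__ == "__main__":
    for rec in audit(SAMPLE):
        flag = "" if rec["trusted"] else "  <-- unpacker error before clean verdict"
        print(f'{rec["path"]}: {rec["result"]}{flag}')
```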
