Hi,
Clam has been working great on our mailservers. Recently a particular
client has been sending us zip files that have caused clamd to fall over
with the "Zip module failure" error.
I've verified this error by letting the zips through the mail gateway and
then running clamscan on them, debug output attached. I've also included
zipinfo output in case that helps you work out what type of zip files these
are.
Unfortunately I am not able to supply you with the zip files themselves as
they are commercially sensitive, but virus free, based on scanning with AVG
under Win32.
Do you think this is a bug in ClamAV? Having looked through Google and
various mail archives, I was under the impression that bugs with zip files
were supposed to all be fixed as of 0.88.7.
Kind regards,
Stu.
The following commands generated the attached output:
clamscan --debug --verbose --tempdir=/tmp/strr-clamd-LchVLv Stylesheet_Spreadsheet_vB.ZIP NewItemsB.ZIP > log.txt 2>&1
zipinfo -zvh <zip file>
LibClamAV debug: Setting /tmp/strr-clamd-LchVLv as global temporary directory
LibClamAV debug: Loading databases from /var/lib/clamav/
LibClamAV debug: Loading /var/lib/clamav//main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = eb2702736e04b00af9ba46c9e2e3b95d
LibClamAV debug: Decoded signature: eb2702736e04b00af9ba46c9e2e3b95d
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/strr-clamd-LchVLv/clamav-9604de0d406a6c56/COPYING
LibClamAV debug: Unpacking /tmp/strr-clamd-LchVLv/clamav-9604de0d406a6c56/main.db
LibClamAV debug: Unpacking /tmp/strr-clamd-LchVLv/clamav-9604de0d406a6c56/main.hdb
LibClamAV debug: Unpacking /tmp/strr-clamd-LchVLv/clamav-9604de0d406a6c56/main.ndb
LibClamAV debug: Unpacking /tmp/strr-clamd-LchVLv/clamav-9604de0d406a6c56/main.zmd
LibClamAV debug: Unpacking /tmp/strr-clamd-LchVLv/clamav-9604de0d406a6c56/main.fp
LibClamAV debug: Unpacking /tmp/strr-clamd-LchVLv/clamav-9604de0d406a6c56/main.info
LibClamAV debug: Loading databases from /tmp/strr-clamd-LchVLv/clamav-9604de0d406a6c56
LibClamAV debug: Loading /tmp/strr-clamd-LchVLv/clamav-9604de0d406a6c56/main.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading /tmp/strr-clamd-LchVLv/clamav-9604de0d406a6c56/main.hdb
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading /tmp/strr-clamd-LchVLv/clamav-9604de0d406a6c56/main.ndb
LibClamAV debug: Loading /tmp/strr-clamd-LchVLv/clamav-9604de0d406a6c56/main.zmd
LibClamAV debug: Loading /tmp/strr-clamd-LchVLv/clamav-9604de0d406a6c56/main.fp
LibClamAV debug: Loading /var/lib/clamav//daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 235fa0d9aefa8546f9bb1c74fdbbae53
LibClamAV debug: Decoded signature: 235fa0d9aefa8546f9bb1c74fdbbae53
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/strr-clamd-LchVLv/clamav-9d0f64f4681d8de2/COPYING
LibClamAV debug: Unpacking /tmp/strr-clamd-LchVLv/clamav-9d0f64f4681d8de2/daily.db
LibClamAV debug: Unpacking /tmp/strr-clamd-LchVLv/clamav-9d0f64f4681d8de2/daily.hdb
LibClamAV debug: Unpacking /tmp/strr-clamd-LchVLv/clamav-9d0f64f4681d8de2/daily.ndb
LibClamAV debug: Unpacking /tmp/strr-clamd-LchVLv/clamav-9d0f64f4681d8de2/daily.zmd
LibClamAV debug: Unpacking /tmp/strr-clamd-LchVLv/clamav-9d0f64f4681d8de2/daily.fp
LibClamAV debug: Unpacking /tmp/strr-clamd-LchVLv/clamav-9d0f64f4681d8de2/daily.info
LibClamAV debug: Unpacking /tmp/strr-clamd-LchVLv/clamav-9d0f64f4681d8de2/daily.pdb
LibClamAV debug: Loading databases from /tmp/strr-clamd-LchVLv/clamav-9d0f64f4681d8de2
LibClamAV debug: Loading /tmp/strr-clamd-LchVLv/clamav-9d0f64f4681d8de2/daily.db
LibClamAV debug: Loading /tmp/strr-clamd-LchVLv/clamav-9d0f64f4681d8de2/daily.hdb
LibClamAV debug: Loading /tmp/strr-clamd-LchVLv/clamav-9d0f64f4681d8de2/daily.ndb
LibClamAV debug: Loading /tmp/strr-clamd-LchVLv/clamav-9d0f64f4681d8de2/daily.zmd
LibClamAV debug: Loading /tmp/strr-clamd-LchVLv/clamav-9d0f64f4681d8de2/daily.fp
Scanning Stylesheet_Spreadsheet_vB.ZIP
LibClamAV debug: Recognized ZIP file
LibClamAV debug: in scanzip()
LibClamAV debug: Zip: Stylesheet_Spreadsheet_vB.xls, crc32: 0xc86f1774, offset: 0, encrypted: 0, compressed: 163176, normal: 591872, method: 9, ratio: 3 (max: 250)
LibClamAV debug: Zip: Incorrectly decompressed (0 != 591872)
LibClamAV debug: Type: 507, expected: 502 (Dialer.Riprova)
LibClamAV debug: Calculated MD5 checksum: 0683bd5cf0872551bc55abbe3e083370
Stylesheet_Spreadsheet_vB.ZIP: Zip module failure
Scanning Stylesheet_Spreadsheet_vB.ZIP
LibClamAV debug: Recognized ZIP file
LibClamAV debug: Type: 507, expected: 502 (Dialer.Riprova)
LibClamAV debug: Calculated MD5 checksum: 0683bd5cf0872551bc55abbe3e083370
Scanning NewItemsB.ZIP
LibClamAV debug: Recognized ZIP file
LibClamAV debug: in scanzip()
LibClamAV debug: Zip: NewItemsB.xls, crc32: 0xaf1bdb88, offset: 0, encrypted: 0, compressed: 282940, normal: 1892864, method: 9, ratio: 6 (max: 250)
LibClamAV debug: Zip: Incorrectly decompressed (0 != 1892864)
LibClamAV debug: Calculated MD5 checksum: d6435987d54ab87b39f0905a50584aa6
NewItemsB.ZIP: Zip module failure
Scanning NewItemsB.ZIP
LibClamAV debug: Recognized ZIP file
LibClamAV debug: Calculated MD5 checksum: d6435987d54ab87b39f0905a50584aa6
----------- SCAN SUMMARY -----------
Known viruses: 87449
Engine version: 0.88.7
Scanned directories: 0
Scanned files: 2
Infected files: 0
Data scanned: 0.84 MB
Time: 6.879 sec (0 m 6 s)
Archive: NewItemsB.ZIP 283064 bytes 1 file
End-of-central-directory record:
-------------------------------
Actual offset of end-of-central-dir record: 283042 (000451A2h)
Expected offset of end-of-central-dir record: 283042 (000451A2h)
(based on the length of the central directory and its expected offset)
This zipfile constitutes the sole disk of a single-part archive; its
central directory contains 1 entry. The central directory is 59
(0000003Bh) bytes long, and its (expected) offset in bytes from the
beginning of the zipfile is 282983 (00045167h).
There is no zipfile comment.
Central directory entry #1:
---------------------------
NewItemsB.xls
offset of local header from start of archive: 0 (00000000h) bytes
file system or operating system of origin: MS-DOS, OS/2 or NT FAT
version of encoding software: 2.1
minimum file system compatibility required: MS-DOS, OS/2 or NT FAT
minimum software version required to extract: 2.1
compression method: deflated (enhanced-64k)
compression sub-type (deflation): maximum
file security status: not encrypted
extended local header: no
file last modified on (DOS date/time): 2007 Jan 11 15:13:14
32-bit CRC value (hex): af1bdb88
compressed size: 282940 bytes
uncompressed size: 1892864 bytes
length of filename: 13 characters
length of extra field: 0 bytes
length of file comment: 0 characters
disk number on which file begins: disk 1
apparent file type: text
non-MSDOS external file attributes: 000000 hex
MS-DOS file attributes (00 hex): none
There is no file comment.
Archive: Stylesheet_Spreadsheet_vB.ZIP 163332 bytes 1 file
End-of-central-directory record:
-------------------------------
Actual offset of end-of-central-dir record: 163310 (00027DEEh)
Expected offset of end-of-central-dir record: 163310 (00027DEEh)
(based on the length of the central directory and its expected offset)
This zipfile constitutes the sole disk of a single-part archive; its
central directory contains 1 entry. The central directory is 75
(0000004Bh) bytes long, and its (expected) offset in bytes from the
beginning of the zipfile is 163235 (00027DA3h).
There is no zipfile comment.
Central directory entry #1:
---------------------------
Stylesheet_Spreadsheet_vB.xls
offset of local header from start of archive: 0 (00000000h) bytes
file system or operating system of origin: MS-DOS, OS/2 or NT FAT
version of encoding software: 2.1
minimum file system compatibility required: MS-DOS, OS/2 or NT FAT
minimum software version required to extract: 2.1
compression method: deflated (enhanced-64k)
compression sub-type (deflation): maximum
file security status: not encrypted
extended local header: no
file last modified on (DOS date/time): 2007 Jan 11 15:51:16
32-bit CRC value (hex): c86f1774
compressed size: 163176 bytes
uncompressed size: 591872 bytes
length of filename: 29 characters
length of extra field: 0 bytes
length of file comment: 0 characters
disk number on which file begins: disk 1
apparent file type: text
non-MSDOS external file attributes: 000000 hex
MS-DOS file attributes (00 hex): none
There is no file comment.
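
Added example, not part of the original post or of ClamAV's code: both failing archives show "method: 9" in the clamscan log and "deflated (enhanced-64k)" in zipinfo, which is Deflate64 in the ZIP specification. The Python sketch below reads only the central directory and lists entries whose method is neither stored (0) nor deflate (8), so such archives can be identified at a gateway without opening their contents; the function names, the file name sample.xls and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG, CDH_SIG = b"PK\x05\x06", b"PK\x01\x02"
# Method ids from the ZIP specification; zipinfo prints 9 as
# "deflated (enhanced-64k)".
METHODS = {0: "stored", 8: "deflated", 9: "deflate64", 12: "bzip2", 14: "lzma"}
WIDELY_SUPPORTED = {0, 8}  # stored, deflate
PAYLOAD = b"constructed placeholder bytes"


def central_directory(data):
    """Return (name, method, compressed, uncompressed) for every entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    for _ in range(count):
        if data[pos:pos + 4] != CDH_SIG or pos + 46 > len(data):
            raise ValueError("bad central directory header at %d" % pos)
        method, = struct.unpack_from("<H", data, pos + 10)
        csize, usize, nlen, xlen, clen = struct.unpack_from("<IIHHH", data, pos + 20)
        name = data[pos + 46:pos + 46 + nlen].decode("cp437")
        entries.append((name, method, csize, usize))
        pos += 46 + nlen + xlen + clen  # fixed header + variable fields
    return entries


def unusual_methods(data):
    """Entries whose compression method is neither stored nor deflate."""
    return [(name, m, METHODS.get(m, "unknown"))
            for name, m, _, _ in central_directory(data)
            if m not in WIDELY_SUPPORTED]


def constructed_sample(method=9):
    """Constructed input: a stored one-file archive whose central-directory
    method field is overwritten, mimicking the header value in the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sample.xls", PAYLOAD)
    raw = bytearray(buf.getvalue())
    struct.pack_into("<H", raw, raw.find(CDH_SIG) + 10, method)
    return bytes(raw)


if __name__ == "__main__":
    for name, method, label in unusual_methods(constructed_sample()):
        print("%s: method %d (%s)" % (name, method, label))
```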