Tomasz Kojm wrote:
On Tue, 14 Jul 2009 17:27:04 +1000 (EST)
David Shrimpton <d.shrimp...@its.uq.edu.au> wrote:
Hi,
In 0.95.2, ClamAV has closed bug #1554
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1554
where an archive embedded in, say, a bitmap file was not
detected and searched for viruses, but the archive would be detected
by popular unarchivers.
However, when I test, an encrypted zip embedded in another file is not
reported as Encrypted.Zip when ArchiveBlockEncrypted is on in clamd.conf,
so it would still be possible to send a virus within an encrypted zip
by simply appending a few bytes to the start of the archive.
I was attempting to test this when I ran into another issue. On the
Bugzilla page, it says, "Be careful, to be read by ZIP/RAR software, the
beginning of the archive file must be in the first 50k." ClamAV seems to
enforce this: if the archive is embedded in a file larger than 50k, the
signature won't trigger.
However, many archive utilities *do* look past the first 50k of the
file. In particular, the Linux command line 'unzip' and '7z' utilities
(which are what I had on-hand) happily decompressed my EICAR.zip which
was located at the end of a 1.4MB image.
I started up a Windows VM and did some quick tests. The following
programs all searched to the end of the file:
1. 7-zip (GUI) <http://7-zip.org/>
2. PeaZip <http://peazip.sourceforge.net/>
3. PowerArchiver <http://www.powerarchiver.com/>
4. WinACE <http://www.winace.com/>
5. IZArc <http://www.izarc.org/>
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
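As an added example (not code from the thread, from ClamAV, or from any of the unarchivers listed), the following Python scanner finds a ZIP appended to another file the way unzip and 7-Zip do: it locates the end-of-central-directory record from the end of the file, derives the true archive start from it, and reports whether any entry carries the "encrypted" flag bit. The filler bytes, file name and payload are constructed test data.

```python
import struct
import zlib

LOC_SIG, CEN_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
CEN_FMT, EOCD_FMT = "<HHHHHHIIIHHHHHII", "<HHHHIIH"

def build_zip(name: bytes, data: bytes, mark_encrypted: bool) -> bytes:
    """Hand-build a one-entry, stored ZIP. Bit 0 of the general-purpose flags
    is the 'encrypted' bit; the payload stays plaintext test data, the bit is
    set only so a scanner sees what a real encrypted entry advertises."""
    flags = 0x0001 if mark_encrypted else 0
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = LOC_SIG + struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0,
                                  crc, len(data), len(data), len(name), 0) + name + data
    cen = CEN_SIG + struct.pack(CEN_FMT, 20, 20, flags, 0, 0, 0, crc, len(data),
                                len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = EOCD_SIG + struct.pack(EOCD_FMT, 0, 0, 1, 1, len(cen), len(local), 0)
    return local + cen + eocd

def find_embedded_zip(blob: bytes):
    """Locate a ZIP anywhere in blob the way unzip/7z do: search backwards for
    the end-of-central-directory record, then derive the true archive start from
    the gap between where the central directory is and where EOCD claims it is.
    Returns (archive_start_offset, [(filename, encrypted)]) or None."""
    eocd_pos = blob.rfind(EOCD_SIG, max(0, len(blob) - (22 + 0xFFFF)))
    if eocd_pos < 0 or eocd_pos + 22 > len(blob):
        return None
    _, _, _, count, cd_size, cd_offset, _ = struct.unpack_from(EOCD_FMT, blob, eocd_pos + 4)
    cd_pos = eocd_pos - cd_size          # where the central directory actually sits
    archive_start = cd_pos - cd_offset   # bytes prepended in front of the archive
    if archive_start < 0 or blob[cd_pos:cd_pos + 4] != CEN_SIG:
        return None
    entries, pos = [], cd_pos
    for _ in range(count):
        if blob[pos:pos + 4] != CEN_SIG:
            break
        f = struct.unpack_from(CEN_FMT, blob, pos + 4)
        flags, fnlen, extralen, commentlen = f[2], f[9], f[10], f[11]
        entries.append((blob[pos + 46:pos + 46 + fnlen].decode("cp437", "replace"),
                        bool(flags & 0x0001)))
        pos += 46 + fnlen + extralen + commentlen
    return archive_start, entries

# Constructed sample: 60160 bytes of filler standing in for image data (past the
# 50k window discussed in the thread) with a flagged-encrypted ZIP appended.
FILLER = bytes(range(256)) * 235
SAMPLE = FILLER + build_zip(b"test.txt", b"harmless test data", True)

if __name__ == "__main__":
    start, entries = find_embedded_zip(SAMPLE)
    print(f"archive starts at byte {start}; entries: {entries}")
```

A scanner that only inspects the first 50k of a file, as the bug page suggests, would never reach this record; one that walks back from the end finds the archive wherever the prefix ends.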