Thanks for the responses. I am not a computer expert so I might not fully understand all that has been discussed but it sounds like ClamXav extracts(decompose?) archive files like zip, RAR and then scan. But with .dmg file it is uncertain that it does the same thing.
It sounds like ClamXav is not ‘complete’ yet. What I always do is scan the files as they are first, and to be extra safe, decompress or mount and then rescan them. But I still do not understand why ‘the second scans’ usually take longer(feels like to me). Still not sure if ClamXav ‘really’ scan compressed files. I just test scanned a zip file and had a look at the scan log. And it says it scanned 1 file!!?? Regards Jinwon 2015-03-29 01:32:28 +0000 Items to be scanned: /Users/a/Desktop/gallery.zip /Users/a/Desktop/gallery.zip: OK ----------- SCAN SUMMARY ----------- Known viruses: 3779286 Engine version: 0.98.6 Scanned directories: 0 Scanned files: 1 Infected files: 0 Data scanned: 20.64 MB Data read: 9.91 MB (ratio 2.08:1) Time: 20.792 sec (0 m 20 s) > On 29/03/2015, at 11:21 am, Al Varnell <alvarn...@mac.com> wrote: > > I sent this out last night, but it must have been rejected for length or > something, so I’ll remove the lengthy results of the third test and quotes to > see if that works. > > -Al- > ============== > I ran some tests after my last posting to answer just this question, but > results were mixed so I was waiting for an authoritative answer. Since we > haven’t heard yet, I’ll post my results. > > First I made my own .dmg with an eicar test file on-board. Running clamscan > —debut on the file did not detect any infection nor did it identify the file > as a DMG: > >> LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16) >> LibClamAV debug: Recognized binary data >> LibClamAV debug: cache_check: ff8fdbcdb89e9474452237677b5f09e9 is negative >> LibClamAV debug: in cli_check_mydoom_log() >> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0 >> LibClamAV debug: cli_magic_scandesc: returning 0 at line 2470 >> LibClamAV debug: cache_add: ff8fdbcdb89e9474452237677b5f09e9 (level 0) >> /Volumes/Macintosh HD/Users/avarnell/Documents/EicarTest.dmg: OK >> LibClamAV debug: Cleaning up phishcheck >> LibClamAV debug: Freeing phishcheck struct >> LibClamAV debug: Phishcheck cleaned up >> >> ----------- SCAN SUMMARY ----------- >> Known viruses: 3778735 >> Engine version: 0.98.6 >> Scanned directories: 0 >> Scanned files: 1 >> Infected files: 0 >> Data scanned: 7.62 MB >> Data read: 7.55 MB (ratio 1.01:1) >> Time: 7.553 sec (0 m 7 s) > > When I mounted the EicarTest.dmg ClamXav Sentry (real-time process using > clamd) caught it immediately. > ======= > Next I scanned download.dmg which was known to contained the FkCodec adware. > It detected the hash value as expected and also matched three ZIP segments > and the DMG container: > >> LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16) >> LibClamAV debug: Recognized binary data >> LibClamAV debug: cache_check: b4ece10d1e706b87b065523a654d48a7 is negative >> LibClamAV debug: in cli_check_mydoom_log() >> LibClamAV debug: Matched signature for file type ZIP-SFX at 376602 >> LibClamAV debug: Matched signature for file type ZIP-SFX at 407295 >> LibClamAV debug: Matched signature for file type ZIP-SFX at 563034 >> LibClamAV debug: Matched signature for file type DMG container file at 626691 >> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0 >> LibClamAV debug: Adware.OSX found >> LibClamAV debug: FP SIGNATURE: >> b4ece10d1e706b87b065523a654d48a7:627203:Adware.OSX >> LibClamAV debug: cli_magic_scandesc: returning 1 at line 2470 >> /Users/avarnell/Desktop/•Download/Malware/FkCodec-A/download.dmg: Adware.OSX >> FOUND >> LibClamAV debug: Cleaning up phishcheck >> LibClamAV debug: Freeing phishcheck struct >> LibClamAV debug: Phishcheck cleaned up >> >> ----------- SCAN SUMMARY ----------- >> Known viruses: 3778290 >> Engine version: 0.98.6 >> Scanned directories: 0 >> Scanned files: 1 >> Infected files: 1 >> Data scanned: 0.60 MB >> Data read: 0.60 MB (ratio 1.01:1) >> Time: 7.419 sec (0 m 7 s) > > When I mounted the download.dmg Sentry caught Codec-M > Installer.app/Contents/MacOS/Installer: Osx.Trojan.Fakecodecs-1 immediately. > ========= > Last I scanned CleanApp 4.0.8 Mac 中文版.dmg which was known to contain the > Machook or WireLurker malware. I also knew that an unofficail has signature > was available only to ClamXav users. It detects the hash value as expected > but also was able to decompose 13 segments each with several sections. > >> results available on request. > > When mounting CleanApp 4.0.8 Mac 中文版.dmg Sentry located: > /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/MacOS/CleanApp: > OSX.MacHook/WireLurker.UNOFFICIAL FOUND > /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/Resources/FontMap1.cfg: > OSX.MacHook/WireLurker.A.UNOFFICIAL FOUND > /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/Resources/start.sh: > OSX.MacHook/WireLurker.UNOFFICIAL FOUND > ====== > So three somewhat different results for the three .dmg files leads me to > believe that bursting is possible, but no evidence of being able to detect > infected files within a .dmg container. > > -Al- > _______________________________________________ > Help us build a comprehensive ClamAV guide: > https://github.com/vrtadmin/clamav-faq > > http://www.clamav.net/contact.html#ml _______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
