On 3/28/15 6:48 PM, Al Varnell wrote:
On Sat, Mar 28, 2015 at 06:35 PM, Jinwon Lee wrote:
Thanks for the responses. I am not a computer expert so I might not fully
understand all that has been discussed, but it sounds like ClamXav extracts
(decomposes?) archive files like zip and RAR and then scans them. But with a .dmg
file it is uncertain that it does the same thing.
It sounds like ClamXav is not ‘complete’ yet.
Again, we are discussing the ClamAV® scan engine here which is used by ClamXav
but is not the same thing. ClamXav is just the user interface that allows you
to use the scan engine on your computer.
Perhaps I wasn’t clear on the results of my testing, but they indicate that the
scan engine will not look at the contents of a .dmg file until you mount it on
your desktop. It’s not so much that it’s incomplete, but I would have to guess
that it’s not possible to do so. The scan may identify the .dmg file itself as
one known to contain malware, depending on whether or not a sample was
previously received and a signature prepared for it.
-Al-
It should be possible to use cpio to extract the contents to a stream and feed
that into the ClamAV engine, but the Windows people may be challenged to
replicate it without a POSIX toolkit.
For the wider audience: Remember that ClamAV is a cross-platform tool and it is
not likely that all platforms will have essential tools to burst a file system
image from another system. That said, cpio is a UNIX primitive and I can't
recall ever seeing a UNIX/derivative OS that didn't have it, and worked on
first-gen UNIX well over thirty years ago. Nor have I ever seen a Windows system
where it was an included utility. And that is why it is important to know what
is compiled into some of these cross-platform utilities we all depend on.
dp
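Al's point above (the engine only sees the contents of a .dmg once it is mounted) can be scripted on macOS. The following is an added example, not code from ClamAV, ClamXav or anyone in this thread; it assumes `hdiutil` and `clamscan` are on the PATH and treats a file as a UDIF-style .dmg only if it ends with the 512-byte "koly" trailer.

```python
"""Mount a .dmg read-only and hand its contents to ClamAV (added example)."""
import os
import subprocess
import tempfile

KOLY_TRAILER_LEN = 512  # UDIF disk images end with a 512-byte "koly" trailer


def is_udif_dmg(data: bytes) -> bool:
    """True if the bytes end with a UDIF 'koly' trailer.

    Raw (non-UDIF) images carry no trailer, so False does not mean the file is
    harmless; it only means this script cannot identify it as a UDIF .dmg.
    """
    if len(data) < KOLY_TRAILER_LEN:
        return False
    return data[-KOLY_TRAILER_LEN:][:4] == b"koly"


def clamscan_verdict(returncode: int) -> str:
    """Map clamscan's exit status to a verdict: 0 clean, 1 infected, else error."""
    return {0: "clean", 1: "infected"}.get(returncode, "error")


def scan_dmg(path: str) -> str:
    """macOS only: attach the image read-only, scan the mount point, detach.

    -nobrowse keeps the volume off the Finder desktop and -noautoopen suppresses
    the image's auto-open window, so nothing inside is opened before the scan.
    """
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - KOLY_TRAILER_LEN))
        tail = fh.read()
    if not is_udif_dmg(tail):
        raise ValueError(f"{path}: no UDIF trailer, not a .dmg this script handles")
    mount = tempfile.mkdtemp(prefix="dmgscan-")
    subprocess.run(["hdiutil", "attach", "-readonly", "-nobrowse", "-noautoopen",
                    "-mountpoint", mount, path], check=True)
    try:
        # -r recurses into the mounted volume; --infected prints only hits
        result = subprocess.run(["clamscan", "-r", "--infected", mount])
        return clamscan_verdict(result.returncode)
    finally:
        subprocess.run(["hdiutil", "detach", mount], check=False)
```

Run it as `scan_dmg("/path/to/image.dmg")`; a signature prepared for the image file itself, as Al describes, would still need a separate `clamscan` of the unmounted file.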
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml