Al,

Could you please open a ticket at bugzilla.clamav.net and attach your EicarTest.dmg and also the command used to create it? We'll take a look at what's going on.
Thanks,
Steve

On Sat, Mar 28, 2015 at 6:21 PM, Al Varnell <alvarn...@mac.com> wrote:
> I sent this out last night, but it must have been rejected for length or
> something, so I'll remove the lengthy results of the third test and quotes
> to see if that works.
>
> -Al-
> ==============
> I ran some tests after my last posting to answer just this question, but
> results were mixed so I was waiting for an authoritative answer. Since we
> haven't heard yet, I'll post my results.
>
> First I made my own .dmg with an eicar test file on-board. Running
> clamscan --debug on the file did not detect any infection nor did it
> identify the file as a DMG:
>
> > LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
> > LibClamAV debug: Recognized binary data
> > LibClamAV debug: cache_check: ff8fdbcdb89e9474452237677b5f09e9 is negative
> > LibClamAV debug: in cli_check_mydoom_log()
> > LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> > LibClamAV debug: cli_magic_scandesc: returning 0 at line 2470
> > LibClamAV debug: cache_add: ff8fdbcdb89e9474452237677b5f09e9 (level 0)
> > /Volumes/Macintosh HD/Users/avarnell/Documents/EicarTest.dmg: OK
> > LibClamAV debug: Cleaning up phishcheck
> > LibClamAV debug: Freeing phishcheck struct
> > LibClamAV debug: Phishcheck cleaned up
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 3778735
> > Engine version: 0.98.6
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 0
> > Data scanned: 7.62 MB
> > Data read: 7.55 MB (ratio 1.01:1)
> > Time: 7.553 sec (0 m 7 s)
>
> When I mounted the EicarTest.dmg ClamXav Sentry (real-time process using
> clamd) caught it immediately.
> =======
> Next I scanned download.dmg which was known to contain the FkCodec
> adware. It detected the hash value as expected and also matched three ZIP
> segments and the DMG container:
>
> > LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
> > LibClamAV debug: Recognized binary data
> > LibClamAV debug: cache_check: b4ece10d1e706b87b065523a654d48a7 is negative
> > LibClamAV debug: in cli_check_mydoom_log()
> > LibClamAV debug: Matched signature for file type ZIP-SFX at 376602
> > LibClamAV debug: Matched signature for file type ZIP-SFX at 407295
> > LibClamAV debug: Matched signature for file type ZIP-SFX at 563034
> > LibClamAV debug: Matched signature for file type DMG container file at 626691
> > LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> > LibClamAV debug: Adware.OSX found
> > LibClamAV debug: FP SIGNATURE: b4ece10d1e706b87b065523a654d48a7:627203:Adware.OSX
> > LibClamAV debug: cli_magic_scandesc: returning 1 at line 2470
> > /Users/avarnell/Desktop/•Download/Malware/FkCodec-A/download.dmg: Adware.OSX FOUND
> > LibClamAV debug: Cleaning up phishcheck
> > LibClamAV debug: Freeing phishcheck struct
> > LibClamAV debug: Phishcheck cleaned up
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 3778290
> > Engine version: 0.98.6
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 1
> > Data scanned: 0.60 MB
> > Data read: 0.60 MB (ratio 1.01:1)
> > Time: 7.419 sec (0 m 7 s)
>
> When I mounted the download.dmg Sentry caught Codec-M
> Installer.app/Contents/MacOS/Installer: Osx.Trojan.Fakecodecs-1 immediately.
> =========
> Last I scanned CleanApp 4.0.8 Mac 中文版.dmg which was known to contain the
> Machook or WireLurker malware. I also knew that an unofficial hash
> signature was available only to ClamXav users. It detects the hash value
> as expected but also was able to decompose 13 segments each with several
> sections.
>
> > results available on request.
>
> When mounting CleanApp 4.0.8 Mac 中文版.dmg Sentry located:
> /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/MacOS/CleanApp:
> OSX.MacHook/WireLurker.UNOFFICIAL FOUND
> /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/Resources/FontMap1.cfg:
> OSX.MacHook/WireLurker.A.UNOFFICIAL FOUND
> /Volumes/CleanApp 4.0.8 Mac 中文版/CleanApp.app/Contents/Resources/start.sh:
> OSX.MacHook/WireLurker.UNOFFICIAL FOUND
> ======
> So three somewhat different results for the three .dmg files lead me to
> believe that bursting is possible, but no evidence of being able to detect
> infected files within a .dmg container.
>
> -Al-
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
> _______________________________________________
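As an added example (not code from this thread, from ClamAV or from ClamXav), a small parser for the `clamscan --debug` output quoted above. It pulls out the per-file verdict, the embedded file types clamscan matched and their offsets, the cache hash and the scan-summary counters, and it flags the situation in Al's first test: a clean verdict that comes with no recognised container type, which means the scanner treated the image as an opaque blob rather than inspecting its contents. The two sample logs are copied from the quoted output; the line formats are taken from those quotes and nothing else about ClamAV's output format is assumed.

```python
"""Summarise what a `clamscan --debug` run recognised inside a scanned file.

Added example for the thread above; not ClamAV code. Line shapes are taken
from the LibClamAV debug output quoted in the thread.
"""
import re
from dataclasses import dataclass, field

# Patterns copied from the debug lines quoted in the thread (assumption:
# other ClamAV versions print the same shapes).
RE_TYPE = re.compile(r"Matched signature for file type (.+?) at (\d+)$")
RE_HASH = re.compile(r"cache_check: ([0-9a-f]{32}) is negative")
RE_VERDICT = re.compile(r"^(?P<path>/.+?): (?:OK|(?P<sig>\S+) FOUND)$")
RE_SUMMARY = re.compile(
    r"^(Known viruses|Engine version|Scanned directories|Scanned files|"
    r"Infected files|Data scanned|Data read|Time): (.+)$"
)


@dataclass
class ScanReport:
    path: str = ""
    verdict: str = ""                 # "OK" or the signature name that matched
    md5: str = ""                     # hash clamscan looked up in its cache
    embedded: list = field(default_factory=list)  # (file type, byte offset)
    summary: dict = field(default_factory=dict)

    def recognised_types(self):
        return sorted({t for t, _ in self.embedded})

    def saw_dmg(self):
        return any(t.startswith("DMG") for t, _ in self.embedded)


def parse_debug_output(text):
    """Parse one clamscan --debug run (e-mail '>' quoting is tolerated)."""
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if m := RE_TYPE.search(line):
            report.embedded.append((m.group(1), int(m.group(2))))
        elif m := RE_HASH.search(line):
            report.md5 = m.group(1)
        elif m := RE_VERDICT.match(line):
            report.path = m.group("path")
            report.verdict = m.group("sig") or "OK"
        elif m := RE_SUMMARY.match(line):
            report.summary[m.group(1)] = m.group(2)
    return report


def assess(report):
    """Say what the log tells us about how the container was handled."""
    if report.verdict != "OK":
        return "detected: " + report.verdict
    if not report.embedded:
        # Only "Recognized binary data" and no file-type matches: the file
        # was scanned as a blob, so "OK" says nothing about what is inside.
        return "clean, but no container format recognised"
    return "clean, container types recognised: " + ", ".join(report.recognised_types())


# Sample input: the two debug runs quoted in the thread, copied verbatim.
EICAR_LOG = """\
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized binary data
LibClamAV debug: cache_check: ff8fdbcdb89e9474452237677b5f09e9 is negative
LibClamAV debug: in cli_check_mydoom_log()
LibClamAV debug: cli_magic_scandesc: returning 0 at line 2470
/Volumes/Macintosh HD/Users/avarnell/Documents/EicarTest.dmg: OK
----------- SCAN SUMMARY -----------
Engine version: 0.98.6
Scanned files: 1
Infected files: 0
Data read: 7.55 MB (ratio 1.01:1)
"""

FKCODEC_LOG = """\
> > LibClamAV debug: Recognized binary data
> > LibClamAV debug: cache_check: b4ece10d1e706b87b065523a654d48a7 is negative
> > LibClamAV debug: Matched signature for file type ZIP-SFX at 376602
> > LibClamAV debug: Matched signature for file type ZIP-SFX at 407295
> > LibClamAV debug: Matched signature for file type ZIP-SFX at 563034
> > LibClamAV debug: Matched signature for file type DMG container file at 626691
> > LibClamAV debug: Adware.OSX found
> > /Users/avarnell/Desktop/•Download/Malware/FkCodec-A/download.dmg: Adware.OSX FOUND
> > Infected files: 1
"""

if __name__ == "__main__":
    for log in (EICAR_LOG, FKCODEC_LOG):
        r = parse_debug_output(log)
        print(r.path, "->", assess(r), "| embedded:", r.embedded)
```

Running it against the two logs shows the difference Al is pointing at: the FkCodec image yields three ZIP-SFX offsets and a DMG container match before the verdict, while the hand-made EICAR image yields no file-type matches at all, so its "OK" is a verdict on the raw bytes, not on the files inside.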