Should have been file type as reported by the file command. Any usage of ClamAV outside its design objectives is vulnerable to failure, but the method I pointed out works, period. But if asked if I thought it was worth it I would say no, of course not. The OP seems determined though. ClamAV is first and foremost an acceptable real-time email scanner with limited ability to do file system and stream scanning.

dp


On 2/3/19 2:37 PM, Ángel wrote:
> On 2019-01-25 at 18:43 -0800, Dennis Peterson wrote:
>> You can easily use the unix split command and cat to scan files of any size. Or
>> use perl to break stream file segments to the stream. The first file in a split
>> or segment contains the file time and will need to be concatenated to the
>> beginning of each split or segment so clamav knows what it is. It doesn't matter
>> if the file makes no sense just so long as no malware is found. You will need
>> two split sizes in order to ensure a signature doesn't span splits which means
>> at least two runs of each large file, but that is trivial when scripted. SSD
>> drives would be useful.
>>
>> dp
>
> Sorry, but I think ClamAV is smarter than what you seem to think. While
> this will allow clamav to still detect some signatures, your approach
> will trivially fail for:
> * Extended signatures that specify an offset (can create both False
> Positives and Negatives)
> * Logical signatures using eg. FileSize or NumberOfSections.
> * Container signatures, as the container will be corrupted
> * Hash signatures
>
>
> Kind regards
>
>
> PS: I assume you meant 'file mime', not 'file time'
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
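
A toy model of the split-and-scan approach and the objections discussed in this thread, as an added example that is not part of the original messages and does not use ClamAV's engine. The three matchers are simplified stand-ins for body, offset and hash signatures; `HEADER_LEN`, the split sizes and the sample bytes are constructed assumptions.

```python
import hashlib

HEADER_LEN = 8  # assumption: leading bytes of the file glued onto every later segment

def segments(data, size):
    """Fixed-size pieces; every piece after the first gets the file header prepended."""
    head = data[:HEADER_LEN]
    for start in range(0, len(data), size):
        piece = data[start:start + size]
        yield piece if start == 0 else head + piece

# Three toy signature kinds (simplified stand-ins, not ClamAV's matching code).
def body_sig(buf):    # byte pattern anywhere in the buffer
    return PATTERN in buf

def offset_sig(buf):  # same pattern, but only at one absolute offset
    return buf[PATTERN_OFFSET:PATTERN_OFFSET + len(PATTERN)] == PATTERN

def hash_sig(buf):    # MD5 plus size of the complete file
    return len(buf) == len(SAMPLE) and hashlib.md5(buf).hexdigest() == SAMPLE_MD5

def scan_split(data, sizes, sig):
    """True if sig fires on any segment produced by any of the split sizes."""
    return any(sig(seg) for size in sizes for seg in segments(data, size))

# Constructed sample: 8-byte header, filler, pattern at offset 100, filler.
PATTERN = b"TOY-SIGNATURE"
PATTERN_OFFSET = 100
SAMPLE = b"HDRHDR00" + b"A" * 92 + PATTERN + b"B" * 200
SAMPLE_MD5 = hashlib.md5(SAMPLE).hexdigest()

if __name__ == "__main__":
    for name, sig in (("body", body_sig), ("offset", offset_sig), ("hash", hash_sig)):
        print(f"{name:7} whole={sig(SAMPLE)} "
              f"split@104={scan_split(SAMPLE, [104], sig)} "
              f"split@104+64={scan_split(SAMPLE, [104, 64], sig)}")
```

With a single split size of 104 the pattern straddles a segment boundary and the body match is lost; a second split size recovers it, while the offset and hash matches stay lost for every split size.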

