Hi there,

On Thu, 31 Oct 2019, J.R. via clamav-users wrote:

> Is ClamAV scanning the archive as-is, then additionally (hopefully) decompressing it and scanning individual files?

man clamd.conf (search for 'ScanArchive')

> Is there a way to debug with more info to see exactly what is going on with the process?
More detail about the sort of thing you'd be looking for would help. As described in the man pages there are 'verbose' and 'debug' options for the scanners and the libraries; I don't know how much help they'll be to you.

As has previously been mentioned, to investigate you can always use the built-in OS tools to chop a file into parts (although my preference would usually be to script something with Perl; that's just because I'm very familiar with Perl's regexes, there's not much that can't be done with them - nor, for that matter, with Perl.)

The bulk of the signatures are pretty simple, otherwise they'd tend to be fragile; in my experience most of the time it's easy to understand what they mean just by inspection. I don't often find myself doing it but when I do it's usually something like

    $ sigtool --datadir=... -fSanesecurity.ScamL.613 | sigtool --decode-sigs
    VIRUS NAME: Sanesecurity.ScamL.613
    TARGET TYPE: MAIL
    OFFSET: *
    DECODED SIGNATURE:
    REFERENCE NoMBre{WILDCARD_ANY_STRING(LENGTH<=50)}BATCH NoMBre{WILDCARD_ANY_STRING}W1NN1NG
    $

As you can see in this signature there are two variable length strings with arbitrary content, and one of them can be any length, and the entire expression can appear in the file at any offset. The word 'any' in this usage means very approximately "less than 4GBytes". These are the sorts of things which can give unexpected results in the likes of mailbox files, database files and archives which can contain a bunch of possibly unconnected things that are effectively concatenated. As far as ClamAV is concerned, they're just long strings. So signature-writing must be something of an art, one I'm happy to leave to others.

Obviously I changed the words in the command output above so it won't trigger the match, and you'll get the chance to read this message if you're using Steve's signatures. :)

--
73, Ged.
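As an added illustration (not part of Ged's message or of ClamAV itself), the decoded signature above rewritten as an approximate Python regex and run over constructed sample messages; ClamAV's real matcher is not regex-based, so this only models the wildcard semantics the message describes, and the two-message mailbox and the 60-byte gap are assumptions made for the demonstration:

```python
import re

# Translate the decoded signature from the message into a regex.
#   {WILDCARD_ANY_STRING(LENGTH<=50)} -> up to 50 arbitrary bytes
#   {WILDCARD_ANY_STRING}             -> any number of bytes
#   OFFSET: *                         -> may start anywhere in the object
# re.DOTALL lets '.' cross line breaks, as ClamAV's wildcards do.
SIGNATURE_REGEX = re.compile(
    rb"REFERENCE NoMBre.{0,50}?BATCH NoMBre.*?W1NN1NG",
    re.DOTALL,
)


def matches_signature(data: bytes) -> bool:
    """Return True if the (approximated) signature would hit anywhere in data."""
    return SIGNATURE_REGEX.search(data) is not None


# Constructed sample messages (not real mail). Each is harmless on its own:
# MSG_A carries the first two fragments, MSG_B carries only the last one.
MSG_A = (b"From: a@example.invalid\n\n"
         b"Your REFERENCE NoMBre is 1234.\nBATCH NoMBre 77 is ready.\n")
MSG_B = (b"From: b@example.invalid\n\n"
         b"The W1NN1NG team meets on Friday.\n")


def signature_hits() -> dict:
    """Scan each message alone, then as a concatenated mailbox, then a wide gap.

    A mailbox is just the messages back to back, so fragments from two
    unrelated messages can line up and satisfy one signature.
    """
    # Assumed edge case: 60 filler bytes exceed the LENGTH<=50 wildcard.
    long_gap = b"REFERENCE NoMBre" + b"x" * 60 + b"BATCH NoMBre W1NN1NG"
    return {
        "msg_a_alone": matches_signature(MSG_A),
        "msg_b_alone": matches_signature(MSG_B),
        "mailbox_a_then_b": matches_signature(MSG_A + MSG_B),
        "mailbox_b_then_a": matches_signature(MSG_B + MSG_A),  # order matters
        "gap_over_50": matches_signature(long_gap),
    }


if __name__ == "__main__":
    for name, hit in signature_hits().items():
        print(f"{name}: {'MATCH' if hit else 'clean'}")
```

Only the A-then-B mailbox matches: neither message does alone, the reversed order does not, and a gap wider than 50 bytes between the first two fragments does not.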