We are primarily creating the large archive scanning to support the use case of 
scanning bundled collections of software, VM images, etc.

Large MP4/MOV/AVI/etc media files are not traditional archives even if they do 
technically archive media streams. But media streams are not a significant 
threat concern. As you mentioned, the biggest concern is probably a malicious 
media file exploiting a vulnerable application to get code execution. Media 
streams would not otherwise be executable.

Someone may add support to later to extract and scan media streams, but without 
signature content or special logic coded in a custom media-stream parser 
written to detect exploits, the scanning of such files is pointless. We have 
some of that kind of logic to inspect some picture formats (JPEG, PNG, etc) for 
correctness, but don't have any support for H265, AAC, or other video or audio 
file formats.

Respectfully,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

________________________________
From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of Paul 
Kosinski via clamav-users <clamav-users@lists.clamav.net>
Sent: Monday, November 13, 2023 7:28 PM
To: Micah Snyder (micasnyd) via clamav-users <clamav-users@lists.clamav.net>
Cc: Paul Kosinski <clamav-us...@iment.com>
Subject: Re: [clamav-users] Question About MaxFileSize / news of upcoming Large 
Archive Scanner tool

Large archive files may be the most obvious case, especially if things like 
disk images and installation images are included, but make sure that large 
multimedia files are also handled.

In today's Internet environment, there are probably far, far more large video 
files floating around than traditional archives. And in some sense multimedia 
"container" files (like MP4, MOV, AVI etc.) are archives of their media streams 
(like H.264/5, AAC, etc.) -- but these archives are, of course, interleaved for 
real-time playback.

I might add that there have been recent reports of malformed (perhaps 
malicious) multimedia files causing crashes or unwanted code execution in 
software such as FFMPEG.


On Mon, 13 Nov 2023 20:32:38 +0000
"Micah Snyder \(micasnyd\) via clamav-users" <clamav-users@lists.clamav.net> 
wrote:

> In case anyone else is looking into this, I wanted to share some news.
>
> We have been getting some help to create a tool to recursively unpack (or 
> mount) and scan large archives (greater than 2000MB).
>
> This effort has progressed to the point where we've started code review and 
> writing documentation. I'm not entirely sure how we will package it for 
> people to use.  I'll share more when we go to open source it. I wanted to 
> share the news now in case anyone else was going to work on it and so they're 
> not as frustrated when it turns out we've done the same.
>
> I don't have a specific release date in mind.  It likely won't be until early 
> next year.  While we've started code review and testing, the developer that 
> has built the tool for us is now working on adding the allmatch-mode feature 
> support.
>
> Best regards,
> Micah
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
> ________________________________
> From: Andrew C Aitchison <cla...@aitchison.me.uk>
> Sent: Thursday, June 8, 2023 6:25 PM
> To: Micah Snyder (micasnyd) <micas...@cisco.com>
> Cc: ClamAV users ML <clamav-users@lists.clamav.net>
> Subject: Re: [clamav-users] Question About MaxFileSize
>
> On Thu, 8 Jun 2023, Micah Snyder (micasnyd) wrote:
>
> > I agree with you.  I suspect the majority of cases today is when
> > people have a large archive of files to scan.
> >
> > I think best case scenario for people with a need to scan files
> > larger than the present internal 2GB limit is that archives larger
> > than 2GB are decompressed and then the files inside are scanned, but
> > without actually scanning the very large outer archive.
> >
> > The way to do this as things work today is to script something
> > around clamscan or clamdscan that if the file is too large, handle
> > some assorted file types:
> >
> >  1.  if file is a tar.gz, un-tar.gz it and then scan the files within.
> >  2.  if file is a zip, un-zip it and then scan the files within.
> >  3.  etc.
> >
> > I think everyone would like if clamav could do this automatically
> > for select archive types. And I think the advantage would be that we
> > would perhaps keep the extracted files in memory, or else at least
> > delete the temp files as we go without extracting all of it to disk
> > before starting to scan.
> >
> > However, it would be far easier to make a shell script or a python
> > script that wraps clamscan/clamdscan and uses native tools like
> > "tar", "unzip", etc.
>
> Good idea.
>
> Simply untarring or unzipping into a pipe does not separate the packed files.
> However at least tar does have an option which allow us to write a one-liner:
> (tar xf ~/viruses.tar --to-command='clamdscan -v - || echo "  found in 
> $TAR_REALNAME\n\n---"' ) |& egrep -i found
> stream: Eicar-Signature FOUND
>    found in viruses/EICAR.COM.TAR
> stream: Eicar-Signature FOUND
>    found in viruses/eicar.com.txt
> stream: Eicar-Signature FOUND
>    found in viruses/URLEICAR.COM.TAR
> stream: Eicar-Signature FOUND
>    found in viruses/4DOSBOX/EICAR.COM
> stream: Eicar-Signature FOUND
>    found in viruses/EICAR.COM
>
> The echo is needed to show the name of the file inside the archive.
>
> This appears not to write the unpacked files to disk.
>
> --
> Andrew C. Aitchison                      Kendal, UK
>                     and...@aitchison.me.uk
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat

Reply via email to