[clamav-users] what is the result when clamav engine scan a broken file ?
Hello, what is the result when the ClamAV engine scans a broken file? I only know that when the ClamAV engine scans a broken PE file, the result depends on the scan options: if the scan options contain CL_SCAN_BLOCKBROKEN, the result is CL_VIRUS, otherwise the result is CL_CLEAN. For example, from clamav-0.98\libclamav\pe.c:

    if (ctx->options & CL_SCAN_BLOCKBROKEN && !ctx->corrupted_input) {
        cli_append_virus(ctx, "Heuristics.Broken.Executable");
        return CL_VIRUS;
    }

But what is the result when scanning any other broken file (anything except PE)? Does it still depend on the scan options? I don't want the ClamAV engine to regard a broken file as a virus. I don't have enough time to confirm this by reading the source code; can anyone tell me? Thanks.

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
Re: [clamav-users] No filenames listed by clamscan.
I too see these messages on the console and have found no way of identifying the files by using any of the clamav flags. This is what I would do:

    sudo /usr/bin/clamscan -r / > /tmp/clamav.log 2>&1

The file /tmp/clamav.libreoffice.log will contain details of ALL files, irrespective of whether they are OK or not; the file will also contain those messages seen on the console. It will be a large file containing at least one line per file in your directory structure. My example above scans the entire file system.

Then:

    egrep -A1 "^LibClamAV" /tmp/clamav.libreoffice.log

The above extracts all the lines in the log file that start with LibClamAV and also the line after the line that starts with LibClamAV.

In the log file I can see this:

    /home/libreoffice/.ccache/5/d/fb7e4c82bbc0acf0664b9ab2a1ba71-3509238.o: OK
    /home/libreoffice/.ccache/5/d/5a1b00240f63278ef298dceb98523b-1546320.o: OK
    /home/libreoffice/.ccache/5/d/7641441f2a6a73eabe5bd3eab04695-4826.manifest: OK
    LibClamAV info: scancws: Error decompressing SWF file
    /home/libreoffice/.ccache/5/d/e9c2480dc82b1ac2fd541728fdd3fa-1003231.d: OK
    /home/libreoffice/.ccache/5/d/485a27796c31ee597839897d86cc30-4847808.o: OK
    /home/libreoffice/.ccache/5/d/cf47c848fe7a19f06675314689d095-3470256.d: OK

Running the grep against it I get this:

    LibClamAV info: scancws: Error decompressing SWF file
    /home/libreoffice/.ccache/5/d/e9c2480dc82b1ac2fd541728fdd3fa-1003231.d: OK

Running clamav against just this individual file I get this:

    $ clamscan /home/libreoffice/.ccache/5/d/e9c2480dc82b1ac2fd541728fdd3fa-1003231.d
    LibClamAV info: scancws: Error decompressing SWF file
    /home/libreoffice/.ccache/5/d/e9c2480dc82b1ac2fd541728fdd3fa-1003231.d: OK

    --- SCAN SUMMARY ---
    Known viruses: 3138993
    Engine version: 0.98.1
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.02 MB
    Data read: 0.02 MB (ratio 1.00:1)
    Time: 21.493 sec (0 m 21 s)

I hope this helps.

Alex

On Saturday 01 Mar 2014 17:01:20 J. W. Andersen wrote:
> After upgrading from 0.97.6 to 0.98.1 I get the following messages on
> the console:
>
> LibClamAV: Warning: SWF: Invalid tag length.
> LibClamAV: Warning: SWF: Invalid tag length.
> LibClamAV: Warning: SWF: Invalid tag length.
> LibClamAV: Warning: SWF: Invalid tag length.
> LibClamAV: Warning: fmap: map allocation failed.
> LibClamAV: Error: CRITICAL: fmap () failed.
> LibClamAV: Warning: SWF: Invalid tag length.
>
> upon scanning a large linux directory (some 60 GB) with clamscan.
>
> The real problem is, that clamscan does not tell me which scanned files
> it is actually complaining about, not in sysout and not in syserr. With some
> 10,000 files in the directory it is impossible for me to find out which
> files to correct or get rid of. I can prevent the "Invalid tag length" by
> setting the --scan-archives to no, but that is hardly a solution if I want
> the archives thoroughly scanned.
>
> Can anyone tell me, what I shall do to retrieve the name of the
> problematic files ?
>
> Regards, Joern W. Andersen
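A small parser for the merged clamscan log that the redirect above produces, added here as an example and not part of Alex's note or of ClamAV: it does programmatically what the egrep -A1 trick does by eye, pairing every LibClamAV message with the result line that follows it, so you end up with one list of files to examine instead of a multi-gigabyte log. It assumes the merged log keeps lines in the order they were emitted; the sample lines are constructed from the messages quoted in this thread, and the /tmp/archives paths are made up.

```python
import re

# Constructed sample in the shape of the log the redirect above produces
# (stdout and stderr merged); the /tmp/archives paths are made up.
SAMPLE_LOG = """\
/home/libreoffice/.ccache/5/d/fb7e4c82bbc0acf0664b9ab2a1ba71-3509238.o: OK
LibClamAV: Warning: SWF: Invalid tag length.
LibClamAV: Warning: SWF: Invalid tag length.
/tmp/archives/installer.exe: OK
LibClamAV info: scancws: Error decompressing SWF file
/home/libreoffice/.ccache/5/d/e9c2480dc82b1ac2fd541728fdd3fa-1003231.d: OK
LibClamAV: Warning: fmap: map allocation failed.
LibClamAV: Error: CRITICAL: fmap () failed.
/tmp/archives/old.iso: OK
LibClamAV: Warning: SWF: Invalid tag length.
"""

# A clamscan result line is "<path>: OK" or "<path>: <Signature.Name> FOUND".
RESULT_RE = re.compile(r"^(?P<path>.+): (?P<verdict>OK|.+ FOUND)$")


def attribute_warnings(log_text):
    """Map each scanned path to the LibClamAV messages emitted while it was
    being scanned. The engine prints its messages during the scan, before
    clamscan prints that file's result line, so pending messages belong to
    the next result line. Messages with no result line after them (for
    example when the scan aborted) are returned under the key None."""
    per_file = {}
    pending = []
    for line in log_text.splitlines():
        if line.startswith("LibClamAV"):
            pending.append(line)
        elif RESULT_RE.match(line) and pending:
            per_file[RESULT_RE.match(line).group("path")] = pending
            pending = []
    if pending:
        per_file[None] = pending
    return per_file


def suspect_files(log_text):
    """Paths that had engine messages, in log order (unattributed ones excluded)."""
    return [p for p in attribute_warnings(log_text) if p is not None]


if __name__ == "__main__":
    for path, msgs in attribute_warnings(SAMPLE_LOG).items():
        print(path or "(no result line followed; scan may have aborted)")
        print("\n".join("    " + m for m in msgs))
```

As Joern found later in the thread, the path reported is the container that was being scanned (a .cab, .iso or installer .exe), not the embedded SWF itself.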
Re: [clamav-users] No filenames listed by clamscan.
Ignore the asterisks in my previous note; they just encapsulate the highlighted parts of the note.

Alex
Re: [clamav-users] No filenames listed by clamscan.
It is probable that these are all tied to the Flash file scanning (which was completely disabled in 0.97.6). Try this: run your scan with "--scan-swf=no" instead of "--scan-archives=no". That is a more targeted shut-off. Let me know how it goes. I'm tracking a possibly-related issue.

Dave R.
--
Dave Raynor
Vulnerability Research Team
dray...@sourcefire.com
Re: [clamav-users] No filenames listed by clamscan.
Hi Alex - thanks for the tip. I followed your suggestions to generate the huge logfile, and helped by a good editor (Uedit) I could search for the LibClamAV message directly, and then point out the preceding filename. It was all stuff that was obsolete long ago, and could be deleted without further ado.

Thanks again,
Joern.-
Re: [clamav-users] No filenames listed by clamscan. (solved)
Hi David - thanks for your reply. As I already wrote in reply to mcmurchy1917-cla...@yahoo.co.uk, I created a large logfile with all good and bad stuff logged, and then searched out LibClamAV messages. A search exclusively for .SWF files in the specified directory gave nothing, but the troublesome files were obviously hidden in various archives, in this case one .cab file, one .iso image file, and two self-installing .exe programs.

Thanks again for your efforts.
Joern.-