clamav-users January 2014 archive

Re: [clamav-users] QUESTION ABOUT XZ SUPPORT IN VERSION 0.98.1

From: Steve Basford <steveb_clamav_at_nospam>
Date: Thu Jan 23 2014 - 11:14:20 GMT
To: "ClamAV users ML" <clamav-users@lists.clamav.net>

> I have just compiled and installed version 0.98.1 of Clam on my
> computer. According to the documentation, this version should support
> decompression and scanning of files in the Xz compression format.
> However, when I run clamscan to check an Xz file which I know contains a
> virus (the EICAR test virus) it fails to detect it. Running it with the
> debug option, I get an entry in the log saying the file was recognised
> as a binary.

Here's the Windows view... :(

eicar.com: Eicar-Test-Signature FOUND
eicar.com.xz: OK

----------- SCAN SUMMARY -----------
Known viruses: 3082027
Engine version: 0.98.1
Scanned directories: 1
Scanned files: 2
Infected files: 1

LibClamAV debug: * Submodule XZ: On

LibClamAV debug: Bytecode: 42 bytecode prepared with JIT
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized binary data
LibClamAV debug: cache_check: 3904dfb8e6bda8ad4c87c6319dc5f766 is negative
LibClamAV debug: in cli_check_mydoom_log()
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: cli_magic_scandesc: returning 0 at line 2902
LibClamAV debug: cache_add: 3904dfb8e6bda8ad4c87c6319dc5f766 (level 0)
c:\07\eicar.com.xz: OK
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

----------- SCAN SUMMARY -----------
Known viruses: 3082027
Engine version: 0.98.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 14.266 sec (0 m 14 s)

test 1...

Creating an md5 of eicar.... works.... so its decompression is ok...

sigtool --md5 eicar.com > testdb.hdb
e7e5fa40569514ec442bbdf755d89c2f:70:eicar.com

clamscan eicar.com.xz --database=testdb.hdb
eicar.com.xz: eicar.com.UNOFFICIAL FOUND

test 2....

clamscan eicar.com.xz --database=main.ndb
eicar.com.xz: OK

test 3....

grep -i "EICAR" main.ndb > test.ndb

clamscan eicar.com.xz --database=test.ndb
eicar.com.xz: Eicar-Test-Signature.UNOFFICIAL FOUND

huh?

Cheers,

Steve
Sanesecurity
