
Re: clamscan cannot detect some Mimail.xx viruses: msg#00011

security.virus.clamav.virusdb

Subject: Re: clamscan cannot detect some Mimail.xx viruses

On Thu, 06 Nov 2003 15:26:56 +0800, Jason wrote:

>Hi,
>
> Proof of escape viruses.
>
> #1 - My clamav version.
>
> [root@ns /]# clamscan -V
> clamscan / ClamAV version 0.60
>
> [root@ns /]# rpm -q clamav
> clamav-0.60-5ct
>
> Clamscan the infected files in my server. The infected files are
> paul, photos.zip and readnow.zip. The results.....
> ...........
> ...........
> .........
>
> Is there any idea why all the files are infected (confirmed by your
> online test scanner) only photos.zip is found infected and the rest
> escape clamscan?
>
> Rdgs
> jason


Hi all,
for 3 days I have had the same problem.
All I've found is that the file readnow.zip is a malformed zip file,
and that libclamav doesn't unzip it well.
If I unzip the file, clamav obviously recognizes the worm.
If I zip the file back, clamav still works.
More, if I ask clamav to not use libclamav (--disable-archive) it works!
The problem is that I use clamav with MailScanner and MailScanner
doesn't work without libclamav.
So I wait for some good news.


1) Clamscan doesn't recognize Mimail.xx inside the zipped file
# clamscan readnow.zip
readnow.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 9923
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 Mb
I/O buffer size: 131072 bytes
Time: 0.338 sec (0 m 0 s)

2) decompress the file
# unzip readnow.zip
Archive: readnow.zip
warning [readnow.zip]: 3 extra bytes at beginning or within zipfile
(attempting to process anyway)
file #1: bad zipfile offset (local header sig): 3
(attempting to re-compensate)
extracting: readnow.doc.scr

3) test the decompressed file : clamscan works well !
# clamscan readnow.doc.scr
readnow.doc.scr: Worm.Mimail.H FOUND

----------- SCAN SUMMARY -----------
Known viruses: 9923
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.01 Mb
I/O buffer size: 131072 bytes
Time: 0.340 sec (0 m 0 s)

4) re-compress the file in a "normal way"
# zip readnow1.zip readnow.doc.scr
adding: readnow.doc.scr (deflated 11%)

5) test the new zipped file : clamscan works !
# clamscan readnow1.zip
readnow1.zip: Worm.Mimail.H FOUND

----------- SCAN SUMMARY -----------
Known viruses: 9923
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.01 Mb
I/O buffer size: 131072 bytes
Time: 0.356 sec (0 m 0 s)

6) Finally, (but not useful for me!) I test the old zipped file WITHOUT
libclamav : it works, as one could expect

# clamscan --disable-archive --unzip readnow.zip
Archive: /biga/usr/local/src/clamav-0.60/test/readnow.zip
warning [/biga/usr/local/src/clamav-0.60/test/readnow.zip]: 3 extra
bytes at beginning or within zipfile
(attempting to process anyway)
file #1: bad zipfile offset (local header sig): 3
(attempting to re-compensate)
extracting: readnow.doc.scr
/tmp/e56a9f2346c9ade4/readnow.doc.scr: Worm.Mimail.H FOUND
/biga/usr/local/src/clamav-0.60/test/readnow.zip: Infected Archive FOUND

----------- SCAN SUMMARY -----------
Known viruses: 9923
Scanned directories: 1
Scanned files: 1
Infected files: 1
Data scanned: 0.01 Mb
I/O buffer size: 131072 bytes
Time: 0.360 sec (0 m 0 s)
#

Okay, my environment:
Slackware 8, kernel 2.2.19
libzip 1.1.4
# clamscan --version
clamscan / ClamAV version 0.60
# gcc --version
2.95.3
clamav compiled:
$ ./configure --prefix=/usr/local --includedir=/usr/local/include
--libdir=/usr/local/lib --disable-clamuko --with-gnu-ld --disable-clamav
I've tested even compiling without gnu-ld

Regards
Stefano "Lupo" Luporini
Florence, Italy
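The unzip warning above ("3 extra bytes at beginning or within zipfile", "bad zipfile offset") describes an archive whose local headers and central directory have been shifted relative to the offsets recorded in its end-of-central-directory record. The following added example (not code from the thread or from ClamAV) shows how a defender can detect that condition up front: it builds a well-formed zip in memory as a constructed sample, prepends three bytes to reproduce the shift, and reports both the junk length and the offset mismatch so such archives can be flagged instead of being reported clean.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"   # start of each local file header
EOCD_SIG = b"PK\x05\x06"           # end-of-central-directory record


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Build a well-formed zip in memory (constructed sample, harmless data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def leading_junk_bytes(data: bytes) -> int:
    """Bytes that precede the first local file header; -1 if there is none."""
    return data.find(LOCAL_HEADER_SIG)


def central_dir_offset_mismatch(data: bytes) -> int:
    """Difference between where the central directory actually starts and the
    offset recorded in the EOCD record. Non-zero means the archive has been
    shifted (e.g. junk prepended), which is what trips a strict unzipper."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig(4) disk(2) cd_disk(2) n_here(2) n_total(2) cd_size(4) cd_offset(4)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    actual_start = eocd - cd_size
    return actual_start - cd_offset


def classify(data: bytes) -> str:
    """Triage verdict a scanner front-end could act on before unpacking."""
    junk = leading_junk_bytes(data)
    if junk < 0:
        return "not a zip"
    shift = central_dir_offset_mismatch(data)
    if junk == 0 and shift == 0:
        return "well-formed"
    return f"shifted by {shift} bytes"


if __name__ == "__main__":
    clean = build_sample_zip("readnow.doc.scr", b"constructed harmless payload " * 8)
    shifted = b"\x00\x00\x00" + clean   # reproduces the "3 extra bytes" case
    print(classify(clean), "/", classify(shifted))
```

A scanner that trusts the recorded offsets reports "OK" on the shifted file, as the thread shows; treating a non-zero shift as suspicious (and falling back to a tolerant extractor) is the defensive counterpart.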


