Task #154 — Enable ClamAv Scanning of Compressed Attachment

This forum contains features that have been archived. This section contains implemented features, duplicate requests, and requests which we have decided not to implement.
polarunion
Normal user
Posts: 245
Joined: 2004-04-05 20:21
Location: Ottawa, Canada


Post by polarunion » 2004-06-28 22:07

clam av can scan zipped files, on its own and does so fine, but lately - without my spam blocker i've been receiving .zip files that are infected with the w32.netsky virus and have been passing through to their recipients without issue. only when i download the .zip file to the system (without decompression) does clamav sound the alarm.

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2004-06-28 22:31

Would it be enough with zip files?
Or are there viruses sent in rar/tar files or other formats as well?


Post by polarunion » 2004-06-28 22:35

just ran a quick test on the server's ability to pick up infected compressed files.

here is what i did.. I downloaded a test virus from

http://www.eicar.org/anti_virus_test_file.htm

This is a safe virus and used only for testing purposes. Read more on it at that webpage.

I downloaded the test virus to my computer and attempted to send it to my postmaster address from my personal account on my hmailserver. It scanned the virus and stripped the attachment - deleting it.

Afterwards I compressed the attachment in a typical .zip compression and followed the same procedure again. The email transferred through just fine. However when downloading it to my computer and scanning it with ClamWin, a virus was detected.

Noticing that most of the viruses sent to my system now are in the compressed form, this is a real way around the ClamAv integration.


Post by polarunion » 2004-06-28 22:38

viruses are sent in rar, tar, zip, gzip, gunzip etc. it would probably be best to be able to protect against all compressions - especially those that can be opened by winrar or winzip - the two most popular decompression programs on the net. I believe winrar can do all of those..

but why would ClamWin be able to detect a virus in a compressed folder locally on the system, while not being able to in the email? After all the virus db's of hmailserver are hooked to clamwin.


Post by martin » 2004-06-28 22:54

> but why would ClamWin be able to detect a virus in a compressed folder locally on the system, while not being able to in the email? After all the virus db's of hmailserver are hooked to clamwin.
hMailServer is actually hooked to ClamScan and not ClamWin. And ClamScan doesn't scan zip files by default. To me it seems like it supports zip files if I add it to the command line, but for the other formats to work properly you must install a whole bunch of decompressors.

Could it be that ClamWin has built-in uncompression of compressed files that uncompresses the files to a temporary folder and scans them there?

Try to run ClamScan.exe and you'll see that you must specify the paths to uncompressors... :\


Post by polarunion » 2004-06-28 23:04

ClamWin is only a GUI for windows using the clamscan.exe to drive AV. You should try it out, it's pretty good.

I can't remember what cygwin is for but here are the dll's included.

cygbz2-1.dll
cyggmp-3.dll
cygwin1.dll
cygz.dll
python23.dll

Do any of those look like they might be used for decompression? You should download this and try it out. Most of your win users would be using this tool for hmailserver as it acts as both a nice little AV scanner for their machine as well as an hmailserver scanner.

more on it at http://www.clamwin.net


Post by martin » 2004-06-28 23:10

OK Update:
I'm using ClamWin myself. But it's not possible to hook on to ClamWin. It's only possible to hook on to ClamScan.

Take a look on the man page for clamscan:
http://ursine.ca/cgi-bin/dwww?type=man& ... mscan.1.gz

It says that ClamScan has a built-in unzipping mechanism. I guess that's what the file cygbz2-1.dll is used for in the ClamWin bin directory. But I can't find any dlls for the other uncompressing mechanisms.

On this page:
http://clamav.net/doc/0.70/html/node21.htm
it says that ClamScan has built-in support for Zip, Gzip and Bzip2. For others, you will need external decompressors for ClamScan to work with other formats...


Post by polarunion » 2004-06-28 23:30

hmm.. guess i'll have to look into this a little more when i get some time...

Again, ClamWin is just a ClamAv distro just like any of the ones here.

http://www.clamav.net/3rdparty.html#pagestart

It still uses clamscan.exe which is what i've hooked hmailserver to, in order to get it working - pretty sure of it anyway unless i installed clamav barebones and just forgot about it.

So if clamscan has built in support for zip - how come it's not picking up on the zipped file? did you try my little test? that should clear things up... If it did, let me know how you got it to work.. I'll try to help others with it and include it in my little man page...


Post by martin » 2004-06-28 23:39

I just did your test. Downloaded the "virus" (eicar.com), and hMailServer successfully identifies the virus in the zipped file using ClamScan.

I'm using WinRar to create a zip file though. Perhaps there are different types of zip file compressions and ClamScan can only handle a subset of them. The documentation (http://www.clamav.net/doc/0.73/html/node22.html) says the following about zip uncompression in the command line:
> Usually you don't need this option because Zip format is supported by libclamav. However it may be useful if libclamav fails to unzip some file.
Perhaps your zipper created a zipfile of the type "some file". :-)


Post by polarunion » 2004-06-28 23:47

hmm i don't know because all of the viruses that are being sent then must also be of the type "some file" as well - and are every bit as dangerous.

but you're right, i used another app to create the zip file.. It's a really good open source alternative to winrar. check it out sometime..

http://www.7-zip.org/

what is your exact config so that you got this to work for you? Are you just using the ClamScan from the clamscan site and no variant of it?

Thanks Martin. You worked a lot on this today.


Post by martin » 2004-06-28 23:53

I'm just using the default ClamWin setup. Hasn't changed any settings at all in it.

I put up my zipped "virus" here:
http://download.hmailserver.com/files/t ... /eicar.zip
This file is correctly identified as a virus by hmailserver on my computer. I'm using version 0.35 of ClamWin if that says anything.
> You worked a lot on this today.
You bet. 8 hours dayjob and than hmailserver. :)


Post by polarunion » 2004-06-29 00:47

well as always it never goes unrecognized..

Anyway I uninstalled clamwin and ensured that there was no other virus software running. - including disabling norton.

I then restarted the computer and downloaded the latest clamwin .35 release. I was using 35 before but figured a new install might fix things.
I installed with all default settings and to default locations.

I opened hmailadmin and it autodetected the clamwin. I set - notify sender and recipient of virus. pressed save and downloaded your copy of eicar test virus.

I sent a message to a local user account using your .zip file. it went through.
I extracted the eicar virus and sent again - clamwin picked it up and notified sender and receiver.

I attempted this one more time and opened up the taskmanager to watch the processes.

I sent the message - hmailserver spiked, then clamwin spiked - showing me that clamwin was scanning the email.

It did not report a virus and got through. Can anyone else test this out??

Bram
Senior user
Posts: 417
Joined: 2004-05-24 22:57
Location: The Netherlands

Post by Bram » 2004-06-29 08:21

I have done the test.

Downloaded the zipped virus (from hmailserver.com) and sent it through the hmailserver. (2 local accounts). Virus gets delivered OK. In logging nothing to find which has to do with anti-virus.

When i send it through the server of my provider, I get nothing delivered. Perhaps they are scanning too!!

(hmailserver 3.2 Beta 4 / MSSQL / WIN 2003 / CW0.35)


Post by martin » 2004-06-29 12:28

RealDesign:
I guess you have turned on virus scanning before doing this test? :)


Post by Bram » 2004-06-29 12:43

Yes i did! :lol:
I also tested with the not compressed file. Then it just works fine!!

Will do a couple of other tests this weekend.

Jason Weir
Normal user
Posts: 58
Joined: 2004-02-02 23:41
Location: Chichester, NH

Post by Jason Weir » 2004-07-02 19:41

ClamAV does indeed have native support for archive scanning

Martin is correct, in order to enable archive scanning he needs to specify the switches on the command line.

here is an example

C:\temp>"c:\program files\clamwin\bin\clamscan.exe" --unzip --database="c:\program files\clamwin\db" --include="eicar.zip"
/cygdrive/c/temp/eicar.zip: Eicar-Test-Signature FOUND

notice the complete path is not needed. ClamAV has built in support for the following archive formats

Zip
Gzip
Bzip2
RAR (2.0 only)

refer to this site for more info.

http://www.clamav.net/doc/0.74/html/node22.html

I'd like to see at least an option to enable archive scanning. At least the ones that ClamAV has built in support for
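As an added example (not hMailServer or ClamAV code, and not from any poster in this thread), the Python below reproduces in miniature what polarunion's eicar.zip test and Jason's clamscan run show: a byte-pattern scan that never opens archives misses the EICAR test file inside a deflated zip, while an archive-aware scan that decompresses members (zip, gzip and bzip2, the built-in formats Jason lists) finds it. It also adds the limits a mail scanner needs (nesting depth, member count, decompressed size) and rejects an attachment it cannot fully scan instead of delivering it. The signature table, file names and limit values are constructed for the demo.

```python
from __future__ import annotations

import bz2
import gzip
import io
import zipfile

# Public EICAR anti-virus test string (eicar.org): harmless, flagged by every scanner.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Toy signature database for this demo (constructed): name -> byte pattern.
SIGNATURES = {"Eicar-Test-Signature": EICAR}
# Demo scan limits so a hostile archive cannot exhaust the scanner (values are arbitrary).
MAX_DEPTH = 3                        # archive nesting levels to descend
MAX_MEMBERS = 50                     # members per zip
MAX_MEMBER_BYTES = 8 * 1024 * 1024   # decompressed bytes per member


class ArchiveLimitExceeded(Exception):
    """The attachment exceeded a scan limit and could not be fully scanned."""

def naive_scan(data: bytes) -> list[str]:
    """Match signatures against the raw bytes only; archives are not opened."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def _is_archive(data: bytes) -> bool:
    return (zipfile.is_zipfile(io.BytesIO(data))
            or data[:2] == b"\x1f\x8b"   # gzip magic
            or data[:3] == b"BZh")       # bzip2 magic

def _read_capped(fileobj, label: str) -> bytes:
    """Read at most MAX_MEMBER_BYTES of decompressed data; refuse anything larger."""
    out = fileobj.read(MAX_MEMBER_BYTES + 1)
    if len(out) > MAX_MEMBER_BYTES:
        raise ArchiveLimitExceeded(f"{label}: member decompresses beyond {MAX_MEMBER_BYTES} bytes")
    return out

def iter_payloads(data: bytes, label: str, depth: int = 0):
    """Yield (path, bytes) for the object and, recursively, every archive member inside it."""
    yield label, data
    if not _is_archive(data):
        return
    if depth >= MAX_DEPTH:
        raise ArchiveLimitExceeded(f"{label}: archive nested deeper than {MAX_DEPTH} levels")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = [i for i in zf.infolist() if not i.is_dir()]
            if len(infos) > MAX_MEMBERS:
                raise ArchiveLimitExceeded(f"{label}: more than {MAX_MEMBERS} members")
            for info in infos:
                path = f"{label}/{info.filename}"
                with zf.open(info) as member:
                    child = _read_capped(member, path)
                yield from iter_payloads(child, path, depth + 1)
    elif data[:2] == b"\x1f\x8b":
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            child = _read_capped(gz, label)
        yield from iter_payloads(child, f"{label}/(gunzip)", depth + 1)
    else:
        with bz2.BZ2File(io.BytesIO(data)) as bz:
            child = _read_capped(bz, label)
        yield from iter_payloads(child, f"{label}/(bunzip2)", depth + 1)

def archive_scan(data: bytes, label: str) -> list[tuple[str, str]]:
    """Archive-aware scan: (member path, signature name) for every hit."""
    return [(path, name) for path, payload in iter_payloads(data, label)
            for name in naive_scan(payload)]

def scan_attachment(data: bytes, label: str) -> str:
    """Verdict for one attachment; an archive that cannot be fully scanned is rejected, not delivered."""
    try:
        hits = archive_scan(data, label)
    except ArchiveLimitExceeded as exc:
        return f"rejected: {exc}"
    return "infected: " + ", ".join(f"{p} ({n})" for p, n in hits) if hits else "clean"

# Constructed sample attachments (built in memory, not real mail).
def build_zip(member_name: str, payload: bytes, compression: int = zipfile.ZIP_DEFLATED) -> bytes:
    """One-member zip; compression=zipfile.ZIP_STORED (0) leaves the member uncompressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=compression) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()

def build_nested_sample() -> bytes:
    """eicar.com inside a zip, gzipped, inside an outer zip: three archive levels."""
    return build_zip("inner.zip.gz", gzip.compress(build_zip("eicar.com", EICAR)))

def build_zip_chain(levels: int) -> bytes:
    """eicar.com wrapped in `levels` nested zips, to exercise the depth limit."""
    data = EICAR
    for i in range(levels):
        data = build_zip(f"layer{i}", data)
    return data
```

With `zipped = build_zip("eicar.com", EICAR)`, `naive_scan(zipped)` returns an empty list because deflate has transformed the bytes, while `scan_attachment(zipped, "attachment.zip")` returns `infected: attachment.zip/eicar.com (Eicar-Test-Signature)`. A member written with `zipfile.ZIP_STORED` is kept verbatim inside the zip, so the raw scan does see it there; whether a plain byte scan catches a zipped file therefore depends on how the archiver stored the member, which is why archive support belongs in the scanner rather than being left to chance. The depth limit deliberately fails closed: `build_zip_chain(6)` is reported as rejected, not clean.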


Post by martin » 2004-07-02 22:28

OK. Support in compressed files will be added to 3.3.
Wish I had seen that earlier..

Will add a couple of new checkboxes:

Scan compressed files:
- Zip
- Rar


Post by Bram » 2004-07-03 09:30

Can you also make it possible to specify your own text which is put into the body of the email when a virus is found?


Post by martin » 2006-01-29 02:37

