Task #154 — Enable ClamAv Scanning of Compressed Attachment
-
- Normal user
- Posts: 245
- Joined: 2004-04-05 20:21
- Location: Ottawa, Canada
- Contact:
ClamAV can scan zipped files on its own and does so fine, but lately, without my spam blocker, I've been receiving .zip files that are infected with the W32.Netsky virus, and they have been passing through to their recipients without issue. Only when I download the .zip file to the system (without decompressing it) does ClamAV sound the alarm.
-
- Normal user
- Posts: 245
- Joined: 2004-04-05 20:21
- Location: Ottawa, Canada
- Contact:
Just ran a quick test on the server's ability to pick up infected compressed files.
Here is what I did. I downloaded a test virus from
http://www.eicar.org/anti_virus_test_file.htm
This is a safe virus and is used only for testing purposes. Read more on it at that webpage.
I downloaded the test virus to my computer and attempted to send it to my postmaster address from my personal account on my hMailServer. It scanned the virus and stripped the attachment, deleting it.
Afterwards I compressed the attachment as a typical .zip and followed the same procedure again. The email went through just fine. However, when I downloaded it to my computer and scanned it with ClamWin, a virus was detected.
Noticing that most of the viruses sent to my system now are in compressed form, this is a real way around the ClamAV integration.
-
- Normal user
- Posts: 245
- Joined: 2004-04-05 20:21
- Location: Ottawa, Canada
- Contact:
Viruses are sent in rar, tar, zip, gzip, gunzip etc. It would probably be best to be able to protect against all compressions, especially those that can be opened by WinRAR or WinZip, the two most popular decompression programs on the net. I believe WinRAR can do all of those..
But why would ClamWin be able to detect a virus in a compressed folder locally on the system, while not being able to in the email? After all, the virus DBs of hMailServer are hooked to ClamWin.
hMailServer is actually hooked to ClamScan and not ClamWin. And ClamScan doesn't scan zip files by default. To me it seems like it supports zip files if I add it to the command line, but for the other formats to work properly you must install a whole bunch of decompressors.
Could it be that ClamWin has built-in uncompression of compressed files that uncompresses the files to a temporary folder and scans them there?
Try to run ClamScan.exe and you'll see that you must specify the paths to uncompressors... :\
-
- Normal user
- Posts: 245
- Joined: 2004-04-05 20:21
- Location: Ottawa, Canada
- Contact:
ClamWin is only a GUI for Windows that uses clamscan.exe to drive the AV. You should try it out; it's pretty good.
I can't remember what Cygwin is for, but here are the DLLs included:
cygbz2-1.dll
cyggmp-3.dll
cygwin1.dll
cygz.dll
python23.dll
Do any of those look like they might be used for decompression? You should download this and try it out. Most of your Windows users would be using this tool for hMailServer, as it acts as both a nice little AV scanner for their machine and an hMailServer scanner.
more on it at http://www.clamwin.net
OK Update:
I'm using ClamWin myself, but it's not possible to hook on to ClamWin. It's only possible to hook on to ClamScan.
Take a look at the man page for clamscan:
http://ursine.ca/cgi-bin/dwww?type=man& ... mscan.1.gz
It says that ClamScan has a built-in unzipping mechanism. I guess that's what the file cygbz2-1.dll is used for in the ClamWin bin directory. But I can't find any DLLs for the other uncompressing mechanisms.
On this page:
http://clamav.net/doc/0.70/html/node21.htm
it says that ClamScan has built-in support for Zip, Gzip and Bzip2. For others, you will need external decompressors for ClamScan to work with those formats...
-
- Normal user
- Posts: 245
- Joined: 2004-04-05 20:21
- Location: Ottawa, Canada
- Contact:
Hmm.. guess I'll have to look into this a little more when I get some time...
Again, ClamWin is just a ClamAV distro, just like any of the ones here:
http://www.clamav.net/3rdparty.html#pagestart
It still uses clamscan.exe, which is what I've hooked hMailServer to in order to get it working; pretty sure of it anyway, unless I installed ClamAV barebones and just forgot about it.
So if clamscan has built-in support for zip, how come it's not picking up on the zipped file? Did you try my little test? That should clear things up... If it did, let me know how you got it to work. I'll try to help others with it and include it in my little man page...
I just did your test. Downloaded the "virus" (eicar.com), and hMailServer successfully identifies the virus in the zipped file using ClamScan.
I'm using WinRar to create a zip file though. Perhaps there are different types of zip file compressions and ClamScan can only handle a subset of them. The documentation (http://www.clamav.net/doc/0.73/html/node22.html) says the following about zip uncompression in the command line:
Usually you don't need this option because Zip format is supported by libclamav. However it may be useful if libclamav fails to unzip some file.
Perhaps your zipper created a zipfile of the type "some file".

-
- Normal user
- Posts: 245
- Joined: 2004-04-05 20:21
- Location: Ottawa, Canada
- Contact:
Hmm, I don't know, because all of the viruses that are being sent then must also be of the type "some file" as well, and are every bit as dangerous.
But you're right, I used another app to create the zip file. It's a really good open source alternative to WinRAR. Check it out sometime..
http://www.7-zip.org/
What is your exact config so that you got this to work for you? Are you just using the ClamScan from the clamscan site and no variant of it?
Thanks Martin. You worked a lot on this today.
I'm just using the default ClamWin setup. Haven't changed any settings at all in it.
I put up my zipped "virus" here:
http://download.hmailserver.com/files/t ... /eicar.zip
This file is correctly identified as a virus by hMailServer on my computer. I'm using version 0.35 of ClamWin, if that says anything.

You bet. 8 hours day job and then hMailServer.

-
- Normal user
- Posts: 245
- Joined: 2004-04-05 20:21
- Location: Ottawa, Canada
- Contact:
Well, as always, it never goes unrecognized..
Anyway, I uninstalled ClamWin and ensured that there was no other virus software running, including disabling Norton.
I then restarted the computer and downloaded the latest ClamWin .35 release. I was using .35 before but figured a new install might fix things.
I installed with all default settings and to default locations.
I opened hMailAdmin and it autodetected ClamWin. I set "notify sender and recipient of virus", pressed save and downloaded your copy of the EICAR test virus.
I sent a message to a local user account using your .zip file. It went through.
I extracted the EICAR virus and sent it again; ClamWin picked it up and notified sender and receiver.
I attempted this one more time and opened up Task Manager to watch the processes.
I sent the message: hMailServer spiked, then ClamWin spiked, showing me that ClamWin was scanning the email.
It did not report a virus and it got through. Can anyone else test this out??
I have done the test.
Downloaded the zipped virus (from hmailserver.com) and sent it through hMailServer (2 local accounts). The virus gets delivered OK. In the logging there is nothing to be found which has to do with anti-virus.
When I send it through the server of my provider, I get nothing delivered. Perhaps they are scanning too!!
(hmailserver 3.2 Beta 4 / MSSQL / WIN 2003 / CW0.35)
- Jason Weir
- Normal user
- Posts: 58
- Joined: 2004-02-02 23:41
- Location: Chichester, NH
- Contact:
ClamAV does indeed have native support for archive scanning.
Martin is correct: in order to enable archive scanning he needs to specify the switches on the command line.
Here is an example:
C:\temp>"c:\program files\clamwin\bin\clamscan.exe" --unzip --database="c:\program files\clamwin\db" --include="eicar.zip"
/cygdrive/c/temp/eicar.zip: Eicar-Test-Signature FOUND
Notice that the complete path is not needed. ClamAV has built-in support for the following archive formats:
Zip
Gzip
Bzip2
RAR (2.0 only)
Refer to this site for more info:
http://www.clamav.net/doc/0.74/html/node22.html
I'd like to see at least an option to enable archive scanning, at least for the formats that ClamAV has built-in support for.
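The mechanism the whole thread circles around (a scanner that matches signatures against the raw bytes of an attachment never sees a pattern that deflate has encoded away, while an archive-aware scan unpacks Zip, Gzip and Bzip2 first, which is what the --unzip switch in the command line above and ClamAV's built-in archive formats are about, and what Martin's quoted note about libclamav failing to unzip "some file" is hedging against) can be shown with a toy scanner. The Python below is an added example, not code from this thread, hMailServer, ClamWin or libclamav: the one-entry signature table, the scan functions, the archive builders and the recursion limit are hypothetical stand-ins, and only the EICAR test string is real. The stored-versus-deflated comparison illustrates how two zippers can emit files a raw-bytes scan treats differently; it is an illustration, not a diagnosis of the poster's setup.

```python
import bz2
import gzip
import io
import zipfile
import zlib
from typing import Optional

# Constructed input: the standard EICAR test string. It is a harmless detection
# test file, not malware; the backslash is escaped for the Python literal.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Hypothetical one-entry signature table standing in for a real AV database.
SIGNATURES = {"Eicar-Test-Signature": EICAR}


def make_zip(member: bytes, name: str = "eicar.com",
             method: int = zipfile.ZIP_DEFLATED) -> bytes:
    """Build an in-memory zip with one member (deflated by default, or stored)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(name, member)
    return buf.getvalue()


def nest_zip(data: bytes, levels: int) -> bytes:
    """Wrap data in `levels` nested zip files (zip inside zip inside ...)."""
    for i in range(levels):
        data = make_zip(data, name=f"level{i}.zip")
    return data


def scan_raw(data: bytes) -> Optional[str]:
    """Match signatures against the bytes exactly as they sit in the attachment."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan_archive_aware(data: bytes, depth: int = 0, max_depth: int = 3) -> Optional[str]:
    """scan_raw, plus unpacking of Zip, Gzip and Bzip2 containers, bounded by
    max_depth so a deeply nested archive cannot make the scan run away."""
    hit = scan_raw(data)
    if hit or depth >= max_depth:
        return hit
    try:
        if data[:4] == b"PK\x03\x04":                 # zip local-file-header magic
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    hit = scan_archive_aware(zf.read(info), depth + 1, max_depth)
                    if hit:
                        return hit
        elif data[:2] == b"\x1f\x8b":                # gzip magic
            return scan_archive_aware(gzip.decompress(data), depth + 1, max_depth)
        elif data[:3] == b"BZh":                     # bzip2 magic
            return scan_archive_aware(bz2.decompress(data), depth + 1, max_depth)
    except (zipfile.BadZipFile, OSError, RuntimeError, EOFError, zlib.error):
        # Corrupt, truncated or encrypted container: nothing more can be unpacked.
        return None
    return None


def demo() -> dict:
    """Scan the same test payload packed several ways, with and without unpacking."""
    deflated = make_zip(EICAR)                              # what zippers normally emit
    stored = make_zip(EICAR, method=zipfile.ZIP_STORED)     # a zip with no compression
    return {
        "plain/raw": scan_raw(EICAR),
        "deflated-zip/raw": scan_raw(deflated),             # None: deflate hides the bytes
        "stored-zip/raw": scan_raw(stored),                 # found: bytes still contiguous
        "deflated-zip/archive": scan_archive_aware(deflated),
        "gzip/archive": scan_archive_aware(gzip.compress(EICAR)),
        "bzip2/archive": scan_archive_aware(bz2.compress(EICAR)),
        "nested-zip/archive": scan_archive_aware(nest_zip(EICAR, 3)),
        "too-deep/archive": scan_archive_aware(nest_zip(EICAR, 4)),  # None: past max_depth
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

Two things carry over to a real deployment. First, the raw scan's verdict on a zip depends on whether the member was stored or deflated, which is exactly the kind of difference between zippers that makes a partial result look like "it works for me"; the test in the thread (zip the EICAR file, mail it, see whether it is stripped) is the right one, but it should be run with the actual tools the senders use. Second, once archive unpacking is on, the scanner is parsing attacker-controlled containers, so a nesting limit (and, in a real engine, size and file-count limits) belongs next to the unpack switch rather than being an afterthought.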
Duplicate of:
http://www.hmailserver.com/forum/viewto ... viewresult