Mailing List Archive

clamscan tar archive
Hello all,


ClamAV documentation states that tar archives are supported. I've created a small sample tar archive that includes an eicar sample. Clamscan seems to only look at the tar archive as a single file and does not hit on the eicar sample within. I've tried using the "-a" and "--scan-archive=yes" flags with no improvements. I would appreciate advice as to whether clamscan can actively scan tar archives directly.


Thanks


Steve
Re: clamscan tar archive
Hart, Steven A. via clamav-users wrote:
> Hello all,
>
>
> ClamAV documentation states that tar archives are supported. I've
> created a small sample tar archive that includes an eicar sample.
> Clamscan seems to only look at the tar archive as a single file and does
> not hit on the eicar sample within. I've tried using the "-a" and
> "--scan-archive=yes" flags with no improvements. I would appreciate
> advice as to whether clamscan can actively scan tar archives directly.

WorksForMe(TM):

kdeugau@ele:~/$ tar -c ~kdeugau/dev/eicar >testeicar.tar
tar: Removing leading `/' from member names
kdeugau@ele:~/$ clamscan
/home/kdeugau/testeicar.tar: Eicar-Signature FOUND
[...]

kdeugau@ele:~/$ clamscan -V
ClamAV 0.103.3/26393/Mon Dec 20 04:19:51 2021

(Debian package; only Debian testing and unstable have 0.103.4 so far,
no sign of 0.104.)

-kgd

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [EXT] Re: clamscan tar archive
And now it's working for me too. Nice magic you have there!


Problem solved... I guess... so weird.


Thanks

________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Kris Deugau <kdeugau@vianet.ca>
Sent: Monday, December 20, 2021 4:09:26 PM
To: ClamAV users ML
Subject: [EXT] Re: [clamav-users] clamscan tar archive

Re: [EXT] Re: clamscan tar archive
I retract my retraction.


Original scan of test directory:

$ clamscan -ir test/
test/eicar.com: Eicar-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8584449
Engine version: 0.103.4
Scanned directories: 1
Scanned files: 6
Infected files: 1
Data scanned: 0.63 MB
Data read: 333.32 MB (ratio 0.00:1)
Time: 10.682 sec (0 m 10 s)
Start Date: 2021:12:20 16:29:39
End Date: 2021:12:20 16:29:50

$ tar -cvf test.tar test/


$ tar -tvf test.tar | grep eicar
-rw-rw-r-- XXXXX/XXXXX 69 2021-12-06 10:18 test/eicar.com

$ clamscan -ir test.tar

----------- SCAN SUMMARY -----------
Known viruses: 8584449
Engine version: 0.103.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 333.34 MB (ratio 0.00:1)
Time: 10.408 sec (0 m 10 s)
Start Date: 2021:12:20 16:32:07
End Date: 2021:12:20 16:32:17

This is on RHEL8. If I do a simple tar of just the eicar.com file into a tar archive, it detects on scanning the tar file. The above sample test directory has 5 other simple files including the eicar.com file.

Thanks!


________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Hart, Steven A. via clamav-users <clamav-users@lists.clamav.net>
Sent: Monday, December 20, 2021 4:17:28 PM
To: ClamAV users ML
Cc: Hart, Steven A.
Subject: Re: [clamav-users] [EXT] Re: clamscan tar archive

Re: [EXT] Re: clamscan tar archive
Hi there,

On Mon, 20 Dec 2021, Hart, Steven A. via clamav-users wrote:

> ...
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 333.34 MB (ratio 0.00:1)
> ...

Perhaps you should let us have the output of

clamconf -n

or whatever passes for that on RHEL.

--

73,
Ged.

Re: [EXT] Re: clamscan tar archive
$ clamconf -n
Checking configuration files in /etc

Config file: clamd.d/scan.conf
------------------------------
LogFile = "/var/log/clamd.scan"
LogFileMaxSize = "2097152"
LogTime = "yes"
LogRotate = "yes"
LocalSocket = "/run/clamd.scan/clamd.sock"
LocalSocketMode = "660"
TCPAddr = "127.0.0.1"
User = "clamscan"
OnAccessMountPath = "/home"
OnAccessIncludePath = "/home"
OnAccessExcludeRootUID = "yes"
OnAccessExcludeUname = "clamav"
OnAccessDisableDDD = "yes"
OnAccessPrevention = "yes"

freshclam.conf not found

mail/clamav-milter.conf not found

Software settings
-----------------
Version: 0.103.4
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information
--------------------
Database directory: /var/lib/clamav
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 08:32:42 2021
bytecode.cvd: version 333, sigs: 92, built on Mon Mar 8 10:21:51 2021
daily.cld: version 26393, sigs: 1952289, built on Mon Dec 20 04:19:51 2021
Total number of signatures: 8599808

Platform information
--------------------
uname: Linux 4.18.0-348.2.1.el8_5.x86_64 #1 SMP Mon Nov 8 13:30:15 EST 2021 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a217d7d0800000002080401

Build information
-----------------
GNU C: 8.4.1 20200928 (Red Hat 8.4.1-1) (8.4.1)
CPPFLAGS: -I/usr/include/libprelude
CFLAGS: -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
LDFLAGS: -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed -lprelude
Configure: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-milter' '--disable-clamav' '--disable-static' '--disable-zlib-vcheck' '--disable-unrar' '--enable-id-check' '--enable-dns' '--with-dbdir=/var/lib/clamav' '--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath' '--disable-silent-rules' '--enable-clamdtop' '--enable-prelude' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CXXFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed' 'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 125, dconf: 125


________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of G.W. Haywood via clamav-users <clamav-users@lists.clamav.net>
Sent: Monday, December 20, 2021 6:33:53 PM
To: Hart, Steven A. via clamav-users
Cc: G.W. Haywood
Subject: Re: [clamav-users] [EXT] Re: clamscan tar archive

Re: [EXT] Re: clamscan tar archive
Looks like I got it. I was unfamiliar with how to search through the ClamAV users archives, but now I found a previous post suggesting to up the max-filesize and max-scansize. Doing that worked for me. It's just odd that a tarball that is extremely small still needs these parameters set to work.


Thanks for the help! Problem appears to be resolved for me.

________________________________
From: Hart, Steven A.
Sent: Monday, December 20, 2021 4:35:29 PM
To: ClamAV users ML
Subject: Re: [clamav-users] [EXT] Re: clamscan tar archive


Re: [EXT] Re: clamscan tar archive
Hi there,

On Tue, 21 Dec 2021, Hart, Steven A. via clamav-users wrote:

> Looks like I got it. I was unfamiliar with how to search through
> the ClamAV users archives but now I found a previous post suggesting
> to up the max-filesize and max-scansize. Doing that worked for me.
> It's just odd that a tarball that is extremely small, still needs
> these parameters set to work.
>
> Thanks for the help! Problem appears to be resolved for me.
> ...

I was in the middle of replying when your post came in. :)

Yes, the default limits are a bit conservative. It's mainly about
preventing denial of service, which with something that can scan an
entire filesystem recursively for ten million different threats is
pretty easy to accomplish. You might find that some of the logging
helps; you can increase the verbosity. Also I saw you were using the
clamscan '-i' switch, which silences some output for clean files but
sometimes that output can be useful.

> ...
> ----------- SCAN SUMMARY -----------
> Known viruses: 8584449
> Engine version: 0.103.4
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 333.34 MB (ratio 0.00:1)
> Time: 10.408 sec (0 m 10 s)
> ...

According to the report you seem to have read quite a lot of data but
not scanned very much so that's a clue. But be warned that the 'Data
scanned' and 'Data read' values are by (compiled in) default limited
to (I think) 4kbyte blocks so they can be a bit misleading. Sometimes
I've patched the source to increase the granularity but there might be
a performance implication.

As always, be aware that just because ClamAV doesn't find anything it
doesn't necessarily mean that there's nothing there to be found.

--

73,
Ged.

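The thread ends with the archive being scanned once --max-filesize and --max-scansize were raised, and with the reminder that a skipped member is reported as clean. The script below is an added example written for this page; it is not code from the thread, from Steve's test directory, or from the ClamAV project. It does the check a practitioner would want before trusting a clean result on an archive: it lists the members a given --max-filesize would cause clamscan to skip, and sums the archive's payload for comparison with --max-scansize (the clamscan(1) defaults on 0.103 being 25M and 100M respectively; confirm them for your own build). It assumes GNU tar's `tar -tvf` column layout (size in field 3, member name in field 6), as on the RHEL and Debian hosts in the thread; the helper names, the constructed sample archive with one 13-byte and one 2 MiB member, and the 4M/8M limits in the printed command are illustration only. Whatever caused the skip in Steve's tiny archive, this is the first thing to run when an archive scans "clean" with Data scanned at 0.00 MB.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ClamAV project.
# Pre-check a tar archive against the clamscan size limits so that you know
# which members clamscan will skip (and report as clean) before you scan.
# Assumes GNU tar's `tar -tvf` column layout: size in field 3, name in
# field 6 (member names containing spaces are not handled).

# Convert a clamscan-style size argument (25M, 512K, or plain bytes) to bytes.
size_to_bytes() {
    case "$1" in
        *[Mm]) echo $(( ${1%[Mm]} * 1024 * 1024 )) ;;
        *[Kk]) echo $(( ${1%[Kk]} * 1024 )) ;;
        *)     echo "$1" ;;
    esac
}

# Print the members of archive $1 larger than the --max-filesize value $2.
# Every member listed here is skipped by clamscan at that limit.
oversized_members() {
    limit=$(size_to_bytes "$2")
    tar -tvf "$1" | awk -v lim="$limit" '$3 + 0 > lim + 0 { print $6 }'
}

# Total bytes clamscan would have to extract from archive $1; compare this
# with --max-scansize, which caps the total extracted per scanned file.
archive_payload_bytes() {
    tar -tvf "$1" | awk '{ total += $3 } END { print total + 0 }'
}

# Build a constructed sample archive: one 13-byte member and one member of
# exactly 2 MiB. Neither contains EICAR; only the sizes matter here.
# Prints the archive path; the caller removes the temporary directory.
make_sample_tar() {
    dir=$(mktemp -d)
    mkdir "$dir/test"
    printf 'small member\n' > "$dir/test/small.txt"
    dd if=/dev/zero of="$dir/test/big.bin" bs=1024 count=2048 2>/dev/null
    ( cd "$dir" && tar -cf sample.tar test )
    echo "$dir/sample.tar"
}

# Demonstration: with a 1M --max-filesize the 2 MiB member is skipped.
sample=$(make_sample_tar)
echo "Members clamscan would skip at --max-filesize=1M:"
oversized_members "$sample" 1M
echo "Archive payload in bytes: $(archive_payload_bytes "$sample")"
# Scan with limits that cover the largest member and the whole payload, and
# (0.103 and later) make clamscan alert instead of silently skipping when a
# limit is hit. The 4M/8M values are illustrative; size them to your data.
echo "Suggested scan:"
echo "clamscan --max-filesize=4M --max-scansize=8M --alert-exceeds-max $sample"
rm -rf "$(dirname "$sample")"
```

Run it once as-is to see the skipped member, then point `oversized_members` at a real archive with the --max-filesize you actually pass to clamscan (or the MaxFileSize in clamd.conf when scanning through clamd). Raising the limits is the right fix only when you can afford the extra scan time and memory; the limits exist to keep a hostile archive from turning the scanner into a denial-of-service target, which is the point Ged makes above.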