[clamav-users] A better zip bomb
Good day ClamAV and Steve

I have a client declaring that ClamAV signatures are not detecting zip bombs.

https://www.bamsoftware.com/hacks/zipbomb/

I took the liberty of spinning up a vagrant instance to find out for myself.

Here you can see I scanned the zip file that's made available from the
above site. As you can see, with clamav (in conjunction with Sanesecurity),
the file passed.

vagrant@stretch:~/src$ clamscan zbsm.zip
zbsm.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 8944025
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 63.13 MB
Data read: 0.04 MB (ratio 1616.20:1)
Time: 196.787 sec (3 m 16 s)


Here you can see the list of signatures loaded / available.
https://pastebin.com/raw/SyHcrYVX

If the community or anyone can look into this and / or make a signature
available, it would be appreciated.

Many thanks, regards

Brent Clark




_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] A better zip bomb
Hello Brent,


> https://www.bamsoftware.com/hacks/zipbomb/
>
> I took the liberty of spinning up a vagrant instance to find out for
> myself.
>
> Here you can see I scanned the zip file that's made available from the
> above site. As you can see, with clamav (in conjunction with Sanesecurity),
> the file passed.
>
> vagrant@stretch:~/src$ clamscan zbsm.zip
> zbsm.zip: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8944025
> Engine version: 0.101.4
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 63.13 MB
> Data read: 0.04 MB (ratio 1616.20:1)
> Time: 196.787 sec (3 m 16 s)


No need for 3rd party signatures; official ClamAV seems to work fine with
these files:

clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
/var/tmp/tmp/zblg.zip: Heuristics.Limits.Exceeded FOUND
/var/tmp/tmp/zbsm.zip: Heuristics.Limits.Exceeded FOUND
/var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8748540
Engine version: 0.101.4
Scanned directories: 1
Scanned files: 3
Infected files: 3
Data scanned: 169.38 MB
Data read: 53.22 MB (ratio 3.18:1)
Time: 396.918 sec (6 m 36 s)


--
Cordialement / Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Telephone : +33-(0)3.44.39.76.46
E-mail : aj@securiteinfo.com
Website : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois

Re: [clamav-users] A better zip bomb
Good day Arnaud

Thanks so much for this.

Really appreciate the fast reply and help.

Regards
Brent Clark

On 2019/11/08 10:23, Arnaud Jacques wrote:
> Hello Brent,
>
>
>> https://www.bamsoftware.com/hacks/zipbomb/
>>
>> I took the liberty of spinning up a vagrant instance to find out for
>> myself.
>>
>> Here you can see I scanned the zip file that's made available from the
>> above site. As you can see, with clamav (in conjunction with Sanesecurity),
>> the file passed.
>>
>> vagrant@stretch:~/src$ clamscan zbsm.zip
>> zbsm.zip: OK
>>
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 8944025
>> Engine version: 0.101.4
>> Scanned directories: 0
>> Scanned files: 1
>> Infected files: 0
>> Data scanned: 63.13 MB
>> Data read: 0.04 MB (ratio 1616.20:1)
>> Time: 196.787 sec (3 m 16 s)
>
>
> No need for 3rd party signatures; official ClamAV seems to work fine with
> these files:
>
> clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
> /var/tmp/tmp/zblg.zip: Heuristics.Limits.Exceeded FOUND
> /var/tmp/tmp/zbsm.zip: Heuristics.Limits.Exceeded FOUND
> /var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8748540
> Engine version: 0.101.4
> Scanned directories: 1
> Scanned files: 3
> Infected files: 3
> Data scanned: 169.38 MB
> Data read: 53.22 MB (ratio 3.18:1)
> Time: 396.918 sec (6 m 36 s)
>
>

Re: [clamav-users] A better zip bomb
Hi there,

On Fri, 8 Nov 2019, Arnaud Jacques wrote:
...Brent wrote:
>>
>> https://www.bamsoftware.com/hacks/zipbomb/
>>
>> Here you can see I scanned the zip file that's made available from the
>> above site. As you can see, with clamav (in conjunction with Sanesecurity),
>> the file passed.
>>
>> vagrant@stretch:~/src$ clamscan zbsm.zip
>> zbsm.zip: OK
>
> No need for 3rd party signatures; official ClamAV seems to work fine with
> these files:
>
> clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
> /var/tmp/tmp/zblg.zip: Heuristics.Limits.Exceeded FOUND
> /var/tmp/tmp/zbsm.zip: Heuristics.Limits.Exceeded FOUND
> /var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND

It seems that there might be room for improvement in Brent's client's
ClamAV configuration; perhaps we should be trying to understand why it
is in this state. It should be a deliberate choice to disable a test
for excessive resource usage, not an accident.

--

73,
Ged.

Re: [clamav-users] A better zip bomb
On 08.11.2019 11:58, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Fri, 8 Nov 2019, Arnaud Jacques wrote:
> ...Brent wrote:

[...]
>> clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
>> /var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND
>
> It seems that there might be room for improvement in Brent's client's
> ClamAV configuration; perhaps we should be trying to understand why it
> is in this state. It should be a deliberate choice to disable a test
> for excessive resource usage, not an accident.

The alerting on exceed is disabled by default.
So you have to set the config option.
I think it is disabled because the default limits on file sizes,
archive sizes and so on are a bit low.
So without adapting all this to your needs you will most likely see
false-positive exceed warnings.
Maybe there should be options to enable/disable the different exceed
types separately.

Markus
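
The two points above, Arnaud's command line (`--alert-exceeds-max=yes` with explicit recursion and zip limits) and Markus's note that the alert is off by default, can be turned into a small check. The script below is an added example written for this thread; it is not from the original posts or from the ClamAV project. It assumes `clamscan` is on PATH only for `scan_archive`; the config audit and the output classifier work on plain text, and the sample scan output embedded in it is constructed to match the shape of the summaries shown in the thread. The 100:1 ratio threshold is an assumed value, not a ClamAV setting.

```shell
#!/bin/sh
# Added example (not from the thread or the ClamAV project).
# Three pieces: audit a clamd.conf-style file for AlertExceedsMax,
# run clamscan the way Arnaud did, and classify clamscan output so that
# an "OK" verdict with an extreme scanned:read ratio still gets flagged.

# Constructed sample output, shaped like the summaries quoted in the thread.
SAMPLE_OK='zbsm.zip: OK

----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 0
Data scanned: 63.13 MB
Data read: 0.04 MB (ratio 1616.20:1)'

SAMPLE_FOUND='/var/tmp/tmp/zbsm.zip: Heuristics.Limits.Exceeded FOUND

----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 1'

# config_alerts_on_exceed CONF
# Exit 0 only if CONF contains an uncommented "AlertExceedsMax yes" line.
# As Markus notes, the option defaults to "no", so a commented-out line
# (the usual state of a stock clamd.conf) counts as disabled.
config_alerts_on_exceed() {
    grep -Eiq '^[[:space:]]*AlertExceedsMax[[:space:]]+(yes|true)[[:space:]]*$' "$1"
}

# scan_archive FILE
# clamscan with the limits alert enabled and the same limits Arnaud used.
scan_archive() {
    clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M "$1"
}

# classify_scan_output [MAX_RATIO]
# Reads clamscan output on stdin and prints exactly one verdict:
#   limits-exceeded   the engine itself raised Heuristics.Limits.Exceeded
#   suspicious-ratio  no alert, but the summary's scanned:read ratio is
#                     above MAX_RATIO (assumed default 100:1)
#   ok                otherwise
classify_scan_output() {
    max_ratio="${1:-100}"
    awk -v max="$max_ratio" '
        /Heuristics\.Limits\.Exceeded FOUND/ { found = 1 }
        /[(]ratio [0-9.]+:1[)]/ {
            r = $0
            sub(/.*[(]ratio /, "", r)
            sub(/:1[)].*/, "", r)
            ratio = r + 0
        }
        END {
            if (found) print "limits-exceeded"
            else if (ratio > max) print "suspicious-ratio"
            else print "ok"
        }'
}

# check_file FILE [MAX_RATIO]
# Convenience wrapper: scan and classify in one go, e.g. check_file zbsm.zip
check_file() {
    scan_archive "$1" | classify_scan_output "${2:-100}"
}
```

`classify_scan_output` is the part worth keeping: Brent's original run reported `OK` with a 1616:1 ratio, which is exactly the case where the engine did its work but nobody was told, and the wrapper reports `suspicious-ratio` for it. Run `config_alerts_on_exceed /etc/clamav/clamd.conf` as a quick audit of Ged's point that disabling the resource-usage alert should be deliberate; the stock commented-out line fails the check.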

Re: [clamav-users] A better zip bomb
Hi there,

On Fri, 8 Nov 2019, Markus Kolb via clamav-users wrote:
> On 08.11.2019 11:58, G.W. Haywood via clamav-users wrote:
> > On Fri, 8 Nov 2019, Arnaud Jacques wrote:
> > ...Brent wrote:
> [...]
> > > clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
> > > /var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND
> >
> > It seems that there might be room for improvement in Brent's client's
> > ClamAV configuration; perhaps we should be trying to understand why it
> > is in this state. It should be a deliberate choice to disable a test
> > for excessive resource usage, not an accident.
>
> The alerting on exceed is disabled by default.

Ah, good point. I'd forgotten that long ago I'd set 'AlertExceedsMax' to
'yes' in the base configuration that I usually use as a starting point.

Maybe that should default to 'yes', perhaps with higher values for some of
the limits if that's an issue? I must say that I don't recall any problems
with the default values for archive limits in many years of using ClamAV.
There was one contract draughtsman who for some time insisted on sending
30-megabyte emails to the QA manager at his client, but it was a Sendmail limit
which rejected the messages, not ClamAV. In the end they stopped using him. :/

--

73,
Ged.
