[clamav-users] clamsmtpd does not scan rar files
Hello!

I have Debian 9.7 w/ postfix and ClamAV 0.100.2  I have made custom
definition file /var/lib/clamav/archive_exe.cdb containing:
Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*
So that every archive packed with exe would be treated as a virus. This
works with .zip files and .7zip files but not with .rar files. I
installed unrar package and libclamunrar9, restarted daemons and the
system but still .rar files containing exe are let through.
I read that at some point unrar code was removed from ClamAV and now it
only supports rar versions 1-2 but not 3. How to work around this?
Someone suggested using --unrar option, but where do I put it? Conf file
syntax doesn't seem to support this.

Thanks
BR,
Janis.


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] clamsmtpd does not scan rar files
On 04/02/2020 11:38, Ntek, SIA Janis wrote:
Just build ClamAV from source, with "--enable-unrar" and anything else
you need, thus avoiding any reliance on someone else building it with
what you want.

Cheers,
Gary B-)

Re: [clamav-users] clamsmtpd does not scan rar files
On February 4, 2020 1:28:45 AM UTC, "Gary R. Schmidt" <grschmidt@acm.org> wrote:
>On 04/02/2020 11:38, Ntek, SIA Janis wrote:
>Just build ClamAV from source, with "--enable-unrar" and anything else
>you need, thus avoiding any reliance on someone else building it with
>what you want.

That doesn't actually address the OP's question. With libclamunrar9 installed, the Debian package has the same capability as if you build from source. Whatever problem they are having is very unlikely to be related to using our packages.

Scott K

Re: [clamav-users] clamsmtpd does not scan rar files
Hi there,

On Tue, 4 Feb 2020, Ntek, SIA Janis wrote:

> I have Debian 9.7 w/ postfix and ClamAV 0.100.2  I have made custom
> definition file /var/lib/clamav/archive_exe.cdb containing:
> Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*
> So that every archive packed with exe would be treated as a virus.

Please explain exactly what you mean by "every archive packed with exe".
Do you mean "every archive which contains an executable file"? Please
be aware that very many executable files do not have names like '*.exe'

> This works with .zip files and .7zip files but not with .rar files. I
> installed unrar package and libclamunrar9, restarted daemons and the
> system but still .rar files containing exe are let through.

Have you scanned the test files which the ClamAV sources provide?

mail6:~/src/net/mail/clamav-devel-dev-0.102/test$ >>> clamdscan ./clam-v3.rar
/home/ged/src/net/mail/clamav-devel-dev-0.102/test/./clam-v3.rar: PUA.Win.Packer.AcprotectUltraprotect-1 FOUND

You might get some help with your signatures from e.g. this one.

Do you see anything apart from executable files compressed with RAR?
You might consider simply blocking all .rar files. That's what I do,
but then I'm the BOFH. There are very many other ways of compressing
and/or obfuscating executable files, so if you want protection from
this route of sneaking past scanners you really need to recognize all
of them. Perhaps it would be easier to recognize instead just those
things which are _not_ compressed and/or obfuscated.

> I read that at some point unrar code was removed from ClamAV and now it
> only supports rar versions 1-2 but not 3. How to work around this?

Please check dates on information you read on the Internet. You may
find that those comments were dated around December 2007 (yes, that's
over 12 years ago). As far as the Debian distribution is concerned,
there was a fundamental issue with the licences but I believe that it
was essentially resolved by repackaging the software so the libunrar
code could be separated.

As of December 2018 (ClamAV version 101.0) ClamAV supports UNRAR V5,
although I see no test files distributed for V5 RAR archives. Perhaps
you will need to upgrade to Debian 10 (Buster) to make use of v101.x;
I use Debian a great deal but not the packaged ClamAV - I always build
from source. Amongst other things this avoids noise in the logs about
outdated software (which could potentially hide some kinds of problem,
a bit like hiding an elephant).

> Someone suggested using --unrar option, but where do I put it? Conf file
> syntax doesn't seem to support this.

The --unrar option is deprecated, and is ignored by any recent ClamAV.
Perhaps the suggestion was in a very old document, or perhaps it was a
mistake, and the _configure_ option --enable-unrar was what was meant.
This would mean that the discussion was about building ClamAV from
source, but as Mr. Kitterman says it is not normally necessary to do
that on Debian as the binaries are built with unrar already enabled.

As an aside there is a potential issue with incompatibility with old
libraries but I do not think you will come across it - see for example
the ClamAV blog for Friday, December 21, 2018:

https://blog.clamav.net/2018/

Please take a look at the documentation for more information.

--

73,
Ged.

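As an added example (not code from this thread or from the ClamAV project), the Python below models two things said above: the container-metadata (.cdb) signature from the first post, and Ged's point that many executables are not named '*.exe'. It parses a .cdb line into the fields documented for that format (VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2[:MinFL[:MaxFL]]) and runs the FileNameREGEX over the member names of a constructed in-memory zip, so a signature's coverage can be checked before it is dropped into /var/lib/clamav. The second, broader signature line, the CL_TYPE_ZIP container label and the sample member names are my own assumptions; the matching is a simplification of ClamAV's (only the container-type and filename fields are evaluated, and the regex is applied with Python's re module), and it uses zip rather than RAR because, as the thread says, RAR unpacking in ClamAV depends on libclamunrar.

```python
import io
import re
import zipfile

# Two container-metadata signatures. The first is the line from the original
# post; the second is a hypothetical, broader variant covering other executable
# extensions (Ged's caveat: not every executable is called something.exe).
CDB_SIGNATURES = [
    r"Archived_EXE:*:*:.*\.exe:*:*:*:*:*:*",
    r"Archived_EXE_Broad:*:*:.*\.(exe|scr|com|dll)$:*:*:*:*:*:*",  # hypothetical
]

# Field names in the documented .cdb layout (MinFL/MaxFL are optional).
CDB_FIELDS = [
    "VirusName", "ContainerType", "ContainerSize", "FileNameREGEX",
    "FileSizeInContainer", "FileSizeReal", "IsEncrypted", "FilePos",
    "Res1", "Res2",
]


def parse_cdb(line):
    """Split one .cdb line into named fields; '*' in a field means 'any'."""
    parts = line.strip().split(":")
    if len(parts) < len(CDB_FIELDS):
        raise ValueError("too few fields in cdb line: %r" % line)
    sig = dict(zip(CDB_FIELDS, parts[:len(CDB_FIELDS)]))
    sig["MinFL"] = parts[10] if len(parts) > 10 else None
    sig["MaxFL"] = parts[11] if len(parts) > 11 else None
    return sig


def match_members(sig, container_type, member_names):
    """Return the member names whose name matches the signature's regex.

    Simplified model of the matcher: only ContainerType and FileNameREGEX
    are evaluated; size/encryption/position fields are assumed to be '*'.
    """
    if sig["ContainerType"] not in ("*", container_type):
        return []
    pattern = re.compile(sig["FileNameREGEX"])
    return [name for name in member_names if pattern.search(name)]


def build_sample_zip(names):
    """Constructed sample archive: an in-memory zip with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"not a real program, just sample bytes")
    buf.seek(0)
    return buf


def scan_zip(zip_bytes, cdb_lines):
    """Report (name, member) hits. ClamAV appends '.UNOFFICIAL' to detection
    names that come from user-supplied databases, as the mail log in the
    thread shows, so the same suffix is added here."""
    with zipfile.ZipFile(zip_bytes) as zf:
        members = zf.namelist()
    hits = []
    for line in cdb_lines:
        sig = parse_cdb(line)
        for member in match_members(sig, "CL_TYPE_ZIP", members):
            hits.append((sig["VirusName"] + ".UNOFFICIAL", member))
    return hits


# Constructed member names: one .exe, one screensaver executable, one text file.
SAMPLE_MEMBERS = ["invoice.exe", "setup.scr", "readme.txt"]


def demo():
    """Scan the constructed archive with both signatures and return the hits."""
    return scan_zip(build_sample_zip(SAMPLE_MEMBERS), CDB_SIGNATURES)


if __name__ == "__main__":
    for name, member in demo():
        print("%s: %s FOUND" % (member, name))
```

Run as a script it prints one line per hit in the style of clamdscan output. The original signature catches only invoice.exe; setup.scr passes it and is caught only by the broader pattern, which is the gap Ged's reply warns about. Whether a given archive type is unpacked at all is a separate question decided by ClamAV's build and, for RAR, by the libclamunrar library being present.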
Re: [clamav-users] clamsmtpd does not scan rar files
I had to install libclamunrar9 before my clam mailscanner knew how to
deal with rar files.

On 04/02/2020 17:18, G.W. Haywood via clamav-users wrote:
--
Jon 'Boli' Copeland
Systems Engineer
IT Support
All sales enquiries : sales@itss.co.tz
All support enquiries : support@itss.co.tz
Emergencies Only : +255 (0) 685 374780


Re: [clamav-users] clamsmtpd does not scan rar files
> Do you mean "every archive which contains an executable file"? Please
> be aware that very many executable files do not have names like '*.exe'
That's what I meant to say.
I have a long list with executable file types in archives. For
simplicity's sake I mentioned only one.

> As of December 2018 (ClamAV version 101.0) ClamAV supports UNRAR V5,
> although I see no test files distributed for V5 RAR archives. Perhaps
> you will need to upgrade to Debian 10 (Buster) to make use of v101.x;
Yes, I also was thinking about it today.

> You may
> find that those comments were dated around December 2007 (yes, that's
> over 12 years ago).
Yes that may be the case. Internet's getting old :D



On 04.02.20 16:18, G.W. Haywood via clamav-users wrote:


Re: [clamav-users] clamsmtpd does not scan rar files
> libclamunrar9
I already had that, didn't help. I will upgrade Debian 9.7 to 10


On 04.02.20 16:30, Jon 'Boli' Copeland wrote:


Re: [clamav-users] clamsmtpd does not scan rar files
On Tuesday, February 4, 2020 3:26:42 PM EST Ntek, SIA Janis wrote:
> > libclamunrar9
>
> I already had that, didn't help. I will upgrade Debian 9.7 to 10

It's extremely unlikely to make any difference. They both have clamav 0.101
available and after this weekend's point release they will both have 0.102.
If you want, you can enable stretch-proposed-updates (or buster-proposed-updates
if you've upgraded in the meantime) and get 0.102 now.

Unlike most packages in Debian we aim to keep stable Debian releases updated
with the current clamav release to give our users the best tools for trying to
keep up in this never ending arms race.

Scott K
Re: [clamav-users] clamsmtpd does not scan rar files
Thank you, everyone!

[Solved]
I upgraded Debian from 9.7 to 9.11, which meant my Clam version changed
from 0.100.2 to 0.101.4.
The libclamunrar9 package started to work its magic and rar files are
being scanned. Yay!
Unrar shows that my rar test file is RAR 5, so the latest version, and
libclamunrar9 unpacked it.
In the mail log I get what I wanted: status=VIRUS:Archived_EXE.UNOFFICIAL
Unofficial because I mark every exe in an archive as a virus (as explained
previously).



On 04.02.20 22:33, Scott Kitterman via clamav-users wrote:
Re: [clamav-users] clamsmtpd does not scan rar files
Debian 9.7 was released on January 23, 2019. You really should apply updates
more than once a year. Trouble with UNRAR scanning is probably a small part
of the risk associated with non-updated systems (it'd be less bad if you've
been applying security updates and not others, but still there's a lot of bug
fixes you're leaving on the table even if it's just the non-security changes).

Scott K

On Tuesday, February 4, 2020 4:15:15 PM EST Ntek, SIA Janis wrote:
Re: [clamav-users] clamsmtpd does not scan rar files
On 04.02.20 23:15, Ntek, SIA Janis wrote:
>I upgraded Debian from 9.7 to 9.11, this meant my Clam version changed
>from 0.100.2 to 0.101.4
>libclamunrar9 package started to work it's magic and rar files are
>beeing scanned. Yay!

I guess that the previous version 0.100.2 used libclamunrar7.

How did you install libclamunrar9 while having clamav 0.100.2?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
