
[clamav-users] Current replacement for --max-ratio?
I've just come across a presumed-malicious .zip file of about 500K that
contains a ~315M ISO image, which in turn appears to contain a ~315M
executable file.

After a bit of searching and testing I see the --max-ratio option has
been removed from clamscan, and ArchiveMaxCompressionRatio in clamd.conf
has been deprecated.

Are there any remaining (or new?) options that might help flag
hypercompressed files like this?

-kgd

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Current replacement for --max-ratio?
Hi there,

On Fri, 14 Jan 2022, Kris Deugau wrote:

> I've just come across a presumed-malicious .zip file of about 500K that
> contains a ~315M ISO image, which in turn appears to contain a ~315M
> executable file.
>
> After a bit of searching and testing I see the --max-ratio option has been
> removed from clamscan, and ArchiveMaxCompressionRatio in clamd.conf has been
> deprecated.
>
> Are there any remaining (or new?) options that might help flag
> hypercompressed files like this?

If you're using clamd, perhaps try the AlertExceedsMax option together
with the MaxScanSize and/or MaxFileSize options. No it's not the same. :/

Did this arrive in mail, Kris?

--

73,
Ged.

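Since the ratio check was removed from clamscan, one way to keep it is a small pre-filter in front of clamd that reads the compression ratio straight from the zip's central directory and then inflates each member with a hard byte cap, because declared sizes in a crafted archive cannot be trusted. This is an added example, not code from the thread or from ClamAV; the 100:1 threshold and the 256 MiB per-member inflate cap are assumptions, and the sample archive is constructed in memory.

```python
import io
import zipfile

MAX_RATIO = 100                     # assumed threshold, in the spirit of the old --max-ratio
MAX_INFLATE = 256 * 1024 * 1024     # assumed cap on bytes inflated per member


def check_zip_ratio(data: bytes, max_ratio: float = MAX_RATIO, max_inflate: int = MAX_INFLATE):
    """Return one finding per archive member: declared ratio, measured ratio, verdict."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            compressed = max(info.compress_size, 1)          # avoid division by zero
            declared_ratio = info.file_size / compressed      # what the header claims
            inflated, truncated = 0, False
            with zf.open(info) as member:                     # stream, never read whole member
                while chunk := member.read(64 * 1024):
                    inflated += len(chunk)
                    if inflated > max_inflate:                # stop early on a bomb
                        truncated = True
                        break
            actual_ratio = inflated / compressed
            findings.append({
                "name": info.filename,
                "declared_ratio": declared_ratio,
                "actual_ratio": actual_ratio,
                "truncated": truncated,
                # flag on either the claimed or the observed ratio, or on hitting the cap
                "flagged": truncated or declared_ratio > max_ratio or actual_ratio > max_ratio,
            })
    return findings


def build_sample_zip(payload_size: int = 4 * 1024 * 1024) -> bytes:
    """Constructed sample: a tiny zip holding a very compressible 'ISO' plus a normal text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.iso", b"\x00" * payload_size)    # inflates ~1000:1 under DEFLATE
        zf.writestr("readme.txt", b"hello world, nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in check_zip_ratio(build_sample_zip()):
        print(f"{f['name']}: declared {f['declared_ratio']:.0f}:1, "
              f"measured {f['actual_ratio']:.0f}:1, flagged={f['flagged']}")
```

Run as a milter or content-filter step before clamd, a flagged member is a reason to quarantine or to score the message higher rather than to reject outright, since legitimate archives of sparse data can also exceed a fixed ratio.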
Re: [clamav-users] Current replacement for --max-ratio?
Ged,

When did clamav start scanning iso files?
I just tried this and found an eicar.txt file, so yes it does work.

For email, I always just blocked iso extensions. Still doesn’t like MacOS cdr extensions, but a great improvement.

Sincerely,

Eric Tykwinski

> On Jan 14, 2022, at 6:21 PM, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hi there,
>
> On Fri, 14 Jan 2022, Kris Deugau wrote:
>
>> I've just come across a presumed-malicious .zip file of about 500K that contains a ~315M ISO image, which in turn appears to contain a ~315M executable file.
>>
>> After a bit of searching and testing I see the --max-ratio option has been removed from clamscan, and ArchiveMaxCompressionRatio in clamd.conf has been deprecated.
>>
>> Are there any remaining (or new?) options that might help flag hypercompressed files like this?
>
> If you're using clamd, perhaps try the AlertExceedsMax option together
> with the MaxScanSize and/or MaxFileSize options. No it's not the same. :/
>
> Did this arrive in mail, Kris?
>
> --
>
> 73,
> Ged.
>
Re: [clamav-users] Current replacement for --max-ratio?
Hi there,

On Fri, 14 Jan 2022, Eric Tykwinski wrote:

> When did clamav start scanning iso files?

https://blog.clamav.net/2013/09/clamav-098-has-been-released.html

--

73,
Ged.

Re: [clamav-users] Current replacement for --max-ratio?
G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Fri, 14 Jan 2022, Kris Deugau wrote:
>
>> I've just come across a presumed-malicious .zip file of about 500K
>> that contains a ~315M ISO image, which in turn appears to contain a
>> ~315M executable file.
>>
>> After a bit of searching and testing I see the --max-ratio option has
>> been removed from clamscan, and ArchiveMaxCompressionRatio in
>> clamd.conf has been deprecated.
>>
>> Are there any remaining (or new?) options that might help flag
>> hypercompressed files like this?
>
> If you're using clamd, perhaps try the AlertExceedsMax option together
> with the MaxScanSize and/or MaxFileSize options.  No it's not the same. :/

Hmm. Might work for this case, I'll try some combinations.

> Did this arrive in mail, Kris?

Yes. Indications are it was sent through a cracked hosting account,
with an envelope and reply to a GMail account.

On closer inspection, when originally received the message matched one
of the Sanesecurity "foxhole" signatures, which could collectively be
scored much higher on this particular receiving account (technical role
address). It's a hack and I'm not sure it's worth even that much effort
since this is the first example I've seen in the wild.

-kgd
