
[clamav-users] ClamAV does not detect viruses in "ar archive" file format
Hey clamav users,

I am trying to scan the "ar archive" format that .deb packages use. ClamAV
unfortunately does not detect the eicar inside the ar archive.

Am I missing some configuration so that clamav scans/unpacks "ar archive"
formats correctly?

##Virus not found
##clam(d)scan does not detect any virus in ar archive file type
root@vmdxyz:/tmp# clamdscan testvirus.deb
/tmp/gimp/gimp2/gimp3/testvirus.deb: OK

Informations:

## ar file type
root@vmdxyz:/tmp# file testvirus.deb
testvirus.deb: current ar archive

#ar file list with eicar.txt inside
root@vmdxyz:/tmp# ar t testvirus.deb
eicar.txt
debian-binary

#for comparison: .tar.gz eicar inside is detected
root@vmdxyz:/tmp# clamdscan eicar.txt.tar.gz
/tmp/eicar.txt.tar.gz: Eicar-Signature FOUND

Thanks for any help with detecting viruses in "ar archive" formats with
clamav :-o :-)

All the best
Schroeffu
Re: [clamav-users] ClamAV does not detect viruses in "ar archive" file format
Hi there,

On Fri, 8 Jul 2022, Schroeffu via clamav-users wrote:

> I am trying to scan "ar archive" format like .deb packages are. ClamAV
> unfortunately does not detect the eicar inside the ar archive.
> Do I miss something to configure so clamav scans/unpacks "ar archive"
> formats correctly?

If you have deduced that ClamAV is not unpacking the archive properly,
then I'm not sure that your deduction is correct. Testing with EICAR
files can be a little tricky because the EICAR specifications are very
particular about what is scanned.

If I create an archive with 'ar' and then scan it here, my clamd
server does find it:

8<--------------------------------------------------------
$ ar r archive.deb eicar tempscan.pl
ar: creating archive.deb
$ clamdscan archive.deb
/home/ged/archive.deb: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 1.372 sec (0 m 1 s)
Start Date: 2022:07:08 16:44:05
End Date: 2022:07:08 16:44:06
8<--------------------------------------------------------

but this detection is using an UNOFFICIAL signature:

8<--------------------------------------------------------
$grep EICAR /EXPORTS/clamav/databases/*
Binary file daily.cld matches
Binary file main.cld matches
rfxn.hdb:44d88612fea8a8f36de82e1278abb02f:68:{MD5}EICAR.TEST.3.59
rfxn.hdb:69630e4574ec6798239b091cda43dca0:69:{MD5}EICAR.TEST.10.58
rfxn.ndb:{HEX}EICAR.TEST.3:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
rfxn.ndb:{HEX}EICAR.TEST:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
8<--------------------------------------------------------

As you can see, the official (daily, main) signatures match on the word
EICAR, but it isn't the official signatures which triggered the detection.

I believe that the rfxn signatures implement the EICAR specifications
incorrectly, but at least the scanner does seem to be unpacking the
archive. If you search the archives of this mailing list for "EICAR"
you will probably find something more informative.

--

73,
Ged.
Re: [clamav-users] ClamAV does not detect viruses in "ar archive" file format
Hi Ged & ClamAV Users,

You are right about eicar: the unofficial signatures are detected in the
.ar archive format.
Besides this, unfortunately, real malware code and eicar are not
detected in a .tar.gz (gzip) inside an .ar archive file (like .deb
packages are).

How to reproduce:

- Download my test file
gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb (6MB) (download
here at your own risk!) and run a scan like this:
- wget https://seafile.schroeffu.ch/f/876b201b6d614d66a87e/?dl=1 -O
/tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb && clamdscan
-z /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb (no virus
found) *1)
- Unpack and scan the gzip file (data.tar.zst) inside; once the .ar
archive is unpacked this way, viruses are found inside the .tar.zst (gzip):
- ar x /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb &&
clamdscan -z /tmp/data.tar.zst (virus will be found) *2)

--> Is this a handling failure on my part, like not having configured
archive-in-archive scanning, or is it worth a bug report?


*1)

clamdscan -z gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 3.508 sec (0 m 3 s)
Start Date: 2022:07:11 10:11:49
End Date: 2022:07:11 10:11:53

*2)

clamdscan -z data.tar.zst
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst: Win.Dropper.Corebot-7599208-0 FOUND
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/gimp/gimp2/gimp3/gimp_2.10.30-1build1_amd64_eicar3/gimp4/data.tar.zst: {HEX}EICAR.TEST.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 21.519 sec (0 m 21 s)
Start Date: 2022:07:11 10:11:18
End Date: 2022:07:11 10:11:39
Re: [clamav-users] ClamAV does not detect viruses in "ar archive" file format
Schroeffu, Ged,

ClamAV does not include support for parsing the old AR archive format used for DEB archives ( https://en.wikipedia.org/wiki/Ar_(Unix) ). Adding AR archive parsing would be a new feature. You are welcome to create a feature request issue using the bug report queue on Github https://github.com/Cisco-Talos/clamav/issues/new?assignees=&labels=&template=bug_report.md&title=. But I can't promise if or when we'll add support for DEB-style AR archives.

Ged, the unofficial eicar signature that you shared targets any file (target type 0) at any offset (offset: *):
{HEX}EICAR.TEST.3:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a

For a format like AR or TAR, this signature will match if those eicar bytes are found anywhere in the file. The AR format does not do any compression, so it makes sense that this signature would alert. But this is not the intended use case for the EICAR test file because it doesn't demonstrate any unpacking of the archive.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
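An added example (not code from the thread or from ClamAV) that ties together Schroeffu's reproduction steps and Micah's point about the unofficial signature: it parses the quoted .ndb line, walks the member headers of a constructed .deb-style ar archive in which the EICAR string sits inside a gzipped data.tar, and shows that a raw byte search over the archive misses it while unpacking each member finds it. The archive contents and the member names are constructed for the demonstration; the helper names are my own.

```python
import gzip, io, tarfile

# Unofficial .ndb line quoted in the thread: target type 0 (any file), offset * (anywhere), hex body.
NDB_SIG = "{HEX}EICAR.TEST.3:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a"
AR_MAGIC = b"!<arch>\n"

def parse_ndb(line):
    name, target, offset, hexsig = line.split(":", 3)
    return name, int(target), offset, bytes.fromhex(hexsig)

def ar_build(members):
    # Common-format ar archive (the .deb container) from (name, bytes) pairs; constructed test data.
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")  # members start on even offsets
    return bytes(out)

def ar_members(blob):
    """Yield (name, data) from the 60-byte member headers; raise on a truncated archive."""
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        size = int(hdr[48:58].decode())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError(f"truncated member at offset {pos}")
        yield hdr[:16].decode().rstrip(" /"), data  # GNU ar suffixes names with '/'
        pos += 60 + size + (size & 1)

def tar_gz(filename, content):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo(filename)
        info.size = len(content)
        tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def scan_members(blob, pattern):
    """Names of members whose content (after one gzip layer) contains the pattern."""
    hits = []
    for name, data in ar_members(blob):
        if data[:2] == b"\x1f\x8b":  # gzip magic: unpack before matching
            data = gzip.decompress(data)
        if pattern in data:
            hits.append(name)
    return hits

def demo():
    _, _, _, eicar = parse_ndb(NDB_SIG)
    deb = ar_build([("debian-binary", b"2.0\n"),
                    ("data.tar.gz", tar_gz("./usr/share/eicar.txt", eicar))])
    # Raw byte search (all an offset-* signature does without an AR parser) misses the gzipped member.
    return eicar in deb, scan_members(deb, eicar)
```

The first value returned by demo() is False and the second is ['data.tar.gz'], mirroring the thread: the signature only fires on an ar archive when the test bytes lie uncompressed in it, and reaching a compressed member needs the archive to be unpacked first.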