Bugtraq mailing list archives
Re: [Full-disclosure] Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning
From: Tomasz Papszun <tomek-bug () lodz tpsa pl>
Date: Thu, 17 Mar 2005 12:06:18 +0100
On Tue, 15 Mar 2005 at 22:07:06 -0300, Rodrigo Barbosa wrote:
On Tue, Mar 15, 2005 at 09:06:05PM +0000, Nigel Horne wrote:# unzip -l mixed-eicar.zip Archive: mixed-eicar.zip Length Date Time Name -------- ---- ---- ---- 308 03-10-05 12:00 Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK^[[2;25m^[[22;30m^[[3q.txt 308 03-10-05 12:00 eicarcom2.zip -------- ------- 616 2 filesF-Prot seems to detect it correctly:As does clamAV: [njh@njh tmp]$ clamscan mixed-eicar.zip mixed-eicar.zip: Eicar-Test-Signature FOUND Scanned files: 1 Infected files: 1Actually, no. There were 2 infected files in there. ClamAV only found 1. - -- Rodrigo Barbosa <rodrigob () suespammers org>
It's a feature. It's documented, e.g.: http://www.clamav.net/doc/latest/html/node28.html "In case of archives the scanner depends on libclamav and only prints the first virus found within an archive". Scanning the rest of files in the archive when it's already known that it contains at least one infected file is usually just waste of resources. Of course it's possible to force clamscan to do it, but it's not a default way. See the URL above. Also, the number shown in "Scanned files:" means the number of files scanned directly (in this example: the archive itself), not the number of files present inside the archive. As a proof that ClamAV successfully detects the Eicar signature in zipped file with escape sequences in the filename, you can delete the eicarcom2.zip from the archive and scan the archive again: $ unzip -l mixed-eicar.zip Archive: mixed-eicar.zip Length Date Time Name -------- ---- ---- ---- 308 03-10-05 12:00 Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK^[[2;25m^[[22;30m^[[3q.txt -------- ------- 308 1 file $ clamscan mixed-eicar.zip mixed-eicar.zip: Eicar-Test-Signature FOUND P.S. I'm not subscribed to full-disclosure, so please Cc: me in case the thread continues on full-disclosure. -- Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros. tomek at clamav.net http://www.ClamAV.net/ A GPL virus scanner
Current thread:
- Re: [Full-disclosure] Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning Dr. Peter Bieringer (Mar 15)
- Re: [Full-disclosure] Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning Rodrigo Barbosa (Mar 15)
- Message not available
- Re: [Full-disclosure] Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning Rodrigo Barbosa (Mar 16)
- Re: [Full-disclosure] Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning Tomasz Papszun (Mar 17)
- Message not available
- Re: [Full-disclosure] Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning Rodrigo Barbosa (Mar 15)
- <Possible follow-ups>
- Re: [Full-disclosure] Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning bipin gautam (Mar 15)