Full Disclosure mailing list archives
Re: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning
From: Tomasz Papszun <tomek-bug () lodz tpsa pl>
Date: Thu, 17 Mar 2005 12:06:18 +0100
On Tue, 15 Mar 2005 at 22:07:06 -0300, Rodrigo Barbosa wrote:
> On Tue, Mar 15, 2005 at 09:06:05PM +0000, Nigel Horne wrote:
> > # unzip -l mixed-eicar.zip
> > Archive:  mixed-eicar.zip
> >   Length     Date   Time    Name
> >  --------    ----   ----    ----
> >       308  03-10-05 12:00   Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK^[[2;25m^[[22;30m^[[3q.txt
> >       308  03-10-05 12:00   eicarcom2.zip
> >  --------                   -------
> >       616                   2 files
> >
> > F-Prot seems to detect it correctly:
> >
> > As does clamAV:
> > [njh@njh tmp]$ clamscan mixed-eicar.zip
> > mixed-eicar.zip: Eicar-Test-Signature FOUND
> > Scanned files: 1
> > Infected files: 1
>
> Actually, no. There were 2 infected files in there. ClamAV only found 1.
>
> - --
> Rodrigo Barbosa <rodrigob () suespammers org>
It's a feature. It's documented, e.g.:
http://www.clamav.net/doc/latest/html/node28.html
"In case of archives the scanner depends on libclamav and only prints the first virus found within an archive".

Scanning the rest of the files in the archive when it's already known that it contains at least one infected file is usually just a waste of resources. Of course it's possible to force clamscan to do it, but it's not the default way. See the URL above.

Also, the number shown in "Scanned files:" means the number of files scanned directly (in this example: the archive itself), not the number of files present inside the archive.

As proof that ClamAV successfully detects the Eicar signature in a zipped file with escape sequences in the filename, you can delete the eicarcom2.zip from the archive and scan the archive again:

$ unzip -l mixed-eicar.zip
Archive:  mixed-eicar.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
      308  03-10-05 12:00   Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK^[[2;25m^[[22;30m^[[3q.txt
 --------                   -------
      308                   1 file

$ clamscan mixed-eicar.zip
mixed-eicar.zip: Eicar-Test-Signature FOUND

P.S. I'm not subscribed to full-disclosure, so please Cc: me in case the thread continues on full-disclosure.

--
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 tomek at lodz.tpsa.pl   http://www.lodz.tpsa.pl/iso/  | ones and zeros.
 tomek at clamav.net     http://www.ClamAV.net/   A GPL virus scanner

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
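The two points of the thread, that a member name can carry terminal control sequences straight into a listing or a log, and that the scanner's "Scanned files: 1" counts the outer archive rather than its members, both come down to how an archive listing is produced. The Python below is an added example, not code from the thread, from ClamAV or from Info-ZIP: it escapes every control and format code point in member names before they are printed or logged, and walks nested ZIPs with a depth limit so that a log line exists for every inner member. The sample archive, the HOSTILE_NAME constant (which mirrors the escape sequences shown in the unzip output above) and the MAX_DEPTH policy value are constructed for the example; the payloads are placeholders, not the EICAR test file.

```python
import io
import unicodedata
import zipfile

# Constructed sample filename: the same kind of terminal control sequences
# (BEL, ESC [ ...) that appear in the thread's unzip listing.
HOSTILE_NAME = ("Test\x07\x1b[2J\x1b[2;5m\x1b[1;31mHACKER ATTACK"
                "\x1b[2;25m\x1b[22;30m\x1b[3q.txt")
MAX_DEPTH = 3  # nested-archive limit; an assumed policy value, not from the thread


def escape_name(name: str) -> str:
    """Render an archive member name so it is safe to print or log.

    Every code point in a Unicode 'C' category (C0/C1 controls, DEL, format
    characters such as bidi overrides, surrogates, unassigned) becomes a
    visible \\xNN or \\uNNNN escape, and a literal backslash is doubled so
    the escaped form is unambiguous. Everything else passes through.
    """
    out = []
    for ch in name:
        if ch == "\\":
            out.append("\\\\")
        elif unicodedata.category(ch).startswith("C"):
            cp = ord(ch)
            out.append(f"\\x{cp:02x}" if cp <= 0xFF else f"\\u{cp:04x}")
        else:
            out.append(ch)
    return "".join(out)


def has_control_chars(s: str) -> bool:
    """True if s still contains any code point a terminal might interpret."""
    return any(unicodedata.category(c).startswith("C") for c in s)


def walk_archive(data: bytes, prefix: str = "", depth: int = 0):
    """Yield (escaped_path, size, depth) for every member of a ZIP held in
    memory, descending into nested ZIPs up to MAX_DEPTH so inner members are
    listed individually rather than being hidden behind the outer archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + escape_name(info.filename)
            yield path, info.file_size, depth
            if depth < MAX_DEPTH and info.filename.lower().endswith(".zip"):
                inner = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    yield from walk_archive(inner, path + "/", depth + 1)


def safe_listing(data: bytes) -> list:
    """Materialise the walk as a list of (escaped_path, size, depth) rows."""
    return list(walk_archive(data))


def build_sample_zip() -> bytes:
    """Constructed stand-in for mixed-eicar.zip: one member carrying the
    hostile name plus a nested eicarcom2.zip. Contents are placeholders."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("eicar.com", b"placeholder-test-payload")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(HOSTILE_NAME, b"placeholder-test-payload")
        zf.writestr("eicarcom2.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    # Each row is printable as-is: the hostile name shows up as \x07\x1b[2J...
    # instead of clearing the screen, and the nested member gets its own line.
    for path, size, depth in safe_listing(build_sample_zip()):
        print(f"{'  ' * depth}{size:>8}  {path}")
```

The escaping is done on the Unicode category rather than on a fixed list of bytes so that C1 controls and format characters (the right-to-left override is the usual filename trick) are caught alongside ESC and BEL; the depth limit is there because a recursive walk with no bound is exactly what a nested-archive bomb is built to exhaust.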