Having custom/non-official signatures uploaded (zip archive and executable specific)
Describe the bug
ClamAV doesn't recognize a specific .zip archive with a .vbs file inside as malicious, while at the same time, if the .vbs file is extracted from the .zip and archived again, it does recognize it as malicious.
Worth mentioning that unpacking the first .zip file (the one which isn't recognized) using unzip from a Docker container extracts 2 files, but unpacking this file with the Windows built-in app reports that the archive is corrupted, and unpacking it with 7zip (for example) extracts one file only.
How to reproduce the problem
Running:
clamdscan v1.zip - doesn't trigger a malicious-found message
clamdscan v2.zip - does trigger a malicious-found message
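The report above describes an archive that three extractors read three different ways, which is the usual symptom of a zip whose central directory and the records actually present in the stream disagree. The following added example (not ClamAV's code, and not taken from the attached v1.zip) shows how a defender can flag such parser-ambiguous archives before trusting any single extractor's view; the sample archives are constructed in memory, and the check assumes uncompressed (stored) entries so that record signatures cannot appear inside compressed data.

```python
import io
import struct
import zipfile

LOCAL_HDR = b"PK\x03\x04"    # local file header signature
CENTRAL_HDR = b"PK\x01\x02"  # central directory file header signature
EOCD = b"PK\x05\x06"         # end-of-central-directory record signature


def make_zip(entries):
    """Build an in-memory, uncompressed zip from {name: bytes} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def count_signatures(data, sig):
    """Count every occurrence of a record signature in the raw byte stream."""
    n, pos = 0, 0
    while (pos := data.find(sig, pos)) >= 0:
        n, pos = n + 1, pos + len(sig)
    return n


def zip_consistency(data):
    """Compare what the trailing central directory claims with what a linear scan
    of the stream contains. Extractors differ in which view they trust, so any
    mismatch means tools (and scanners) may not agree on the archive's contents."""
    eocd_pos = data.rfind(EOCD)
    if eocd_pos < 0:
        return {"ok": False, "reason": "no end-of-central-directory record"}
    # EOCD layout: sig, disk, cd_disk, entries_this_disk, entries_total, cd_size, cd_offset, comment_len
    _, _, _, _, entries_total, _, cd_offset, comment_len = struct.unpack(
        "<4sHHHHIIH", data[eocd_pos:eocd_pos + 22])
    report = {
        "cd_entries": entries_total,
        "local_headers": count_signatures(data, LOCAL_HDR),
        "central_headers": count_signatures(data, CENTRAL_HDR),
        "eocd_records": count_signatures(data, EOCD),
        "trailing_bytes": len(data) - (eocd_pos + 22 + comment_len),
        "cd_offset_points_to_cd": data[cd_offset:cd_offset + 4] == CENTRAL_HDR,
    }
    report["ok"] = (report["local_headers"] == entries_total
                    and report["central_headers"] == entries_total
                    and report["eocd_records"] == 1
                    and report["trailing_bytes"] == 0
                    and report["cd_offset_points_to_cd"])
    return report


# Constructed samples: one clean archive, and two archives glued back to back, which
# leaves two EOCD records and more local headers than the final central directory lists.
CLEAN = make_zip({"readme.txt": b"hello"})
CONCATENATED = make_zip({"a.txt": b"first"}) + make_zip({"b.txt": b"second"})
```

An archive that fails this check is worth quarantining or scanning with every unpacker you rely on rather than trusting the one that happens to be configured.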
clamconf -n
Config file: clamd.conf
LogFile = "/var/log/clamav/clamd.log"
LogTime = "yes"
PidFile = "/tmp/clamd.pid"
LocalSocket = "/tmp/clamd.sock"
TCPSocket = "3310"
User = "clamav"
Config file: freshclam.conf
PidFile = "/tmp/freshclam.pid"
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseMirror = "database.clamav.net"
DatabaseCustomURL = "https://www.rfxn.com/downloads/rfxn.ndb", "https://www.rfxn.com/downloads/rfxn.hdb", "https://www.rfxn.com/downloads/rfxn.yara", "https://www.securiteinfo.com/get/signatures/xxx/securiteinfo.hdb", "https://www.securiteinfo.com/get/signatures/xxx/securiteinfo.ign2", "https://www.securiteinfo.com/get/signatures/xxx/javascript.ndb", "https://www.securiteinfo.com/get/signatures/xxx/spam_marketing.ndb", "https://www.securiteinfo.com/get/signatures/xxx/securiteinfohtml.hdb", "https://www.securiteinfo.com/get/signatures/xxx/securiteinfoascii.hdb", "https://www.securiteinfo.com/get/signatures/xxx/securiteinfoandroid.hdb", "https://www.securiteinfo.com/get/signatures/xxx/securiteinfopdf.hdb", "https://cdn.malware.expert/malware.expert.ndb", "https://cdn.malware.expert/malware.expert.hdb", "https://cdn.malware.expert/malware.expert.ldb", "https://cdn.malware.expert/malware.expert.fp", "https://ftp.swin.edu.au/sanesecurity/MiscreantPunch099-INFO-Low.ldb", "https://ftp.swin.edu.au/sanesecurity/MiscreantPunch099-Low.ldb", "https://ftp.swin.edu.au/sanesecurity/Sanesecurity_BlackEnergy.yara", "https://ftp.swin.edu.au/sanesecurity/Sanesecurity_sigtest.yara", "https://ftp.swin.edu.au/sanesecurity/Sanesecurity_spam.yara", "https://ftp.swin.edu.au/sanesecurity/badmacro.ndb", "https://ftp.swin.edu.au/sanesecurity/blurl.ndb", "https://ftp.swin.edu.au/sanesecurity/bofhland_cracked_URL.ndb", "https://ftp.swin.edu.au/sanesecurity/bofhland_malware_URL.ndb", "https://ftp.swin.edu.au/sanesecurity/bofhland_malware_attach.hdb", "https://ftp.swin.edu.au/sanesecurity/bofhland_phishing_URL.ndb", "https://ftp.swin.edu.au/sanesecurity/crdfam.clamav.hdb", "https://ftp.swin.edu.au/sanesecurity/doppelstern-phishtank.ndb", "https://ftp.swin.edu.au/sanesecurity/doppelstern.hdb", "https://ftp.swin.edu.au/sanesecurity/doppelstern.ndb", "https://ftp.swin.edu.au/sanesecurity/foxhole_all.cdb", "https://ftp.swin.edu.au/sanesecurity/foxhole_all.ndb", 
"https://ftp.swin.edu.au/sanesecurity/foxhole_filename.cdb", "https://ftp.swin.edu.au/sanesecurity/foxhole_generic.cdb", "https://ftp.swin.edu.au/sanesecurity/foxhole_js.ndb", "https://ftp.swin.edu.au/sanesecurity/foxhole_mail.cdb", "https://ftp.swin.edu.au/sanesecurity/hackingteam.hsb", "https://ftp.swin.edu.au/sanesecurity/junk.ndb", "https://ftp.swin.edu.au/sanesecurity/jurlbl.ndb", "https://ftp.swin.edu.au/sanesecurity/jurlbla.ndb", "https://ftp.swin.edu.au/sanesecurity/lott.ndb", "https://ftp.swin.edu.au/sanesecurity/malwarehash.hsb", "https://ftp.swin.edu.au/sanesecurity/phish.ndb", "https://ftp.swin.edu.au/sanesecurity/rogue.hdb", "https://ftp.swin.edu.au/sanesecurity/scam.ndb", "https://ftp.swin.edu.au/sanesecurity/scamnailer.ndb", "https://ftp.swin.edu.au/sanesecurity/shelter.ldb", "https://ftp.swin.edu.au/sanesecurity/sigwhitelist.ign2", "https://ftp.swin.edu.au/sanesecurity/spam.ldb", "https://ftp.swin.edu.au/sanesecurity/spamattach.hdb", "https://ftp.swin.edu.au/sanesecurity/spamimg.hdb", "https://ftp.swin.edu.au/sanesecurity/spear.ndb", "https://ftp.swin.edu.au/sanesecurity/spearl.ndb", "https://ftp.swin.edu.au/sanesecurity/winnow.attachments.hdb", "https://ftp.swin.edu.au/sanesecurity/winnow.complex.patterns.ldb", "https://ftp.swin.edu.au/sanesecurity/winnow_bad_cw.hdb", "https://ftp.swin.edu.au/sanesecurity/winnow_extended_malware.hdb", "https://ftp.swin.edu.au/sanesecurity/winnow_extended_malware_links.ndb", "https://ftp.swin.edu.au/sanesecurity/winnow_malware.hdb", "https://ftp.swin.edu.au/sanesecurity/winnow_phish_complete.ndb", "https://ftp.swin.edu.au/sanesecurity/winnow_phish_complete_url.ndb", "https://ftp.swin.edu.au/sanesecurity/winnow_spam_complete.ndb", "https://ftp.swin.edu.au/sanesecurity/bofhland_cracked_URL.ndb", "https://ftp.swin.edu.au/sanesecurity/bofhland_malware_URL.ndb", "https://ftp.swin.edu.au/sanesecurity/bofhland_phishing_URL.ndb", "https://ftp.swin.edu.au/sanesecurity/bofhland_malware_attach.hdb", 
"https://ftp.swin.edu.au/sanesecurity/porcupine.ndb", "https://ftp.swin.edu.au/sanesecurity/phishtank.ndb", "https://ftp.swin.edu.au/sanesecurity/porcupine.hsb"
Config file: clamav-milter.conf
LogFile = "/var/log/clamav/milter.log"
LogTime = "yes"
PidFile = "/tmp/clamav-milter.pid"
User = "clamav"
ClamdSocket = "unix:/tmp/clamd.sock", "unix:/tmp/clamd.sock", "unix:/tmp/clamd.sock", "unix:/tmp/clamd.sock", "unix:/tmp/clamd.sock"
MilterSocket = "inet:7357"
Software settings
Version: 1.1.0
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR
Database information
Database directory: /var/lib/clamav
[3rd Party] lott.ndb: 2338 sigs
[3rd Party] winnow_phish_complete_url.ndb: 53 sigs
[3rd Party] securiteinfo.ign2: 184 sigs
[3rd Party] winnow_bad_cw.hdb: 1 sig
[3rd Party] blurl.ndb: 1934 sigs
[3rd Party] jurlbl.ndb: 18368 sigs
[3rd Party] foxhole_all.cdb: 149 sigs
[3rd Party] rfxn.yara: 11527 sigs
[3rd Party] doppelstern.hdb: 1 sig
[3rd Party] bofhland_phishing_URL.ndb: 72 sigs
[3rd Party] spam.ldb: 2 sigs
[3rd Party] porcupine.ndb: 2600 sigs
bytecode.cvd: version 334, sigs: 91, built on Wed Feb 22 21:33:21 2023
[3rd Party] hackingteam.hsb: 435 sigs
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 12:32:42 2021
[3rd Party] jurlbla.ndb: 687 sigs
[3rd Party] rfxn.hdb: 13030 sigs
[3rd Party] foxhole_mail.cdb: 36 sigs
[3rd Party] scamnailer.ndb: 1 sig
[3rd Party] Sanesecurity_BlackEnergy.yara: 64 sigs
[3rd Party] rogue.hdb: 5324 sigs
[3rd Party] foxhole_filename.cdb: 3516 sigs
[3rd Party] spamattach.hdb: 14 sigs
[3rd Party] spear.ndb: 1 sig
[3rd Party] winnow.attachments.hdb: 1 sig
[3rd Party] winnow_malware.hdb: 1 sig
[3rd Party] phishtank.ndb: 1 sig
[3rd Party] securiteinfo.hdb: 49086 sigs
[3rd Party] scam.ndb: 12913 sigs
[3rd Party] securiteinfoascii.hdb: 36181 sigs
[3rd Party] Sanesecurity_spam.yara: 46 sigs
[3rd Party] bofhland_cracked_URL.ndb: 40 sigs
[3rd Party] malware.expert.ldb: 1 sig
[3rd Party] porcupine.hsb: 255 sigs
[3rd Party] foxhole_js.ndb: 4 sigs
[3rd Party] winnow_extended_malware_links.ndb: 1 sig
[3rd Party] securiteinfohtml.hdb: 32966 sigs
[3rd Party] malware.expert.fp: 1 sig
[3rd Party] spearl.ndb: 1 sig
[3rd Party] foxhole_all.ndb: 101 sigs
[3rd Party] javascript.ndb: 10557 sigs
[3rd Party] crdfam.clamav.hdb: 1 sig
[3rd Party] spamimg.hdb: 221 sigs
[3rd Party] securiteinfoandroid.hdb: 29652 sigs
[3rd Party] phish.ndb: 29735 sigs
[3rd Party] spam_marketing.ndb: 37629 sigs
[3rd Party] malware.expert.ndb: 1 sig
[3rd Party] malware.expert.hdb: 1 sig
[3rd Party] MiscreantPunch099-INFO-Low.ldb: 20 sigs
[3rd Party] winnow_spam_complete.ndb: 26 sigs
[3rd Party] winnow_phish_complete.ndb: 53 sigs
daily.cld: version 26974, sigs: 2039213, built on Wed Jul 19 07:28:18 2023
[3rd Party] doppelstern-phishtank.ndb: 1 sig
[3rd Party] bofhland_malware_attach.hdb: 1836 sigs
[3rd Party] doppelstern.ndb: 1 sig
[3rd Party] badmacro.ndb: 688 sigs
[3rd Party] Sanesecurity_sigtest.yara: 54 sigs
[3rd Party] foxhole_generic.cdb: 214 sigs
[3rd Party] MiscreantPunch099-Low.ldb: 1199 sigs
[3rd Party] bofhland_malware_URL.ndb: 4 sigs
[3rd Party] junk.ndb: 56473 sigs
[3rd Party] sigwhitelist.ign2: 16 sigs
[3rd Party] winnow.complex.patterns.ldb: 3 sigs
[3rd Party] malwarehash.hsb: 1031 sigs
[3rd Party] shelter.ldb: 61 sigs
[3rd Party] securiteinfopdf.hdb: 3408 sigs
[3rd Party] winnow_extended_malware.hdb: 1 sig
[3rd Party] rfxn.ndb: 2053 sigs
Total number of signatures: 9053606
Platform information
uname: Linux 4.19.0-24-amd64 #1 SMP Debian 4.19.282-1 (2023-04-29) x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.13 (1.2.13), compile flags: a9
platform id: 0x0a21b4b408000000000c0201
Build information
GNU C: 12.2.1 20220924 (12.2.1)
sizeof(void*) = 8
Engine flevel: 180, dconf: 180
Attachments
v1.zip
v2.zip