[Clamav-users] Anomaly when scanning a tar.gz file
Paul Kosinski
2009-04-04 23:51:53 UTC
Hi,

I noticed the following anomaly when scanning a tar.gz file compared
to scanning the result of untarring it. Scanning the tar.gz file
results in less "data read" than scanning the files which it expands
to (as one would expect), but the "data scanned" amount is *much* more
for the tar.gz file than for the resultant files in the directory
tree.

Does this indicate some problem with the way clamav handles
compressed files, or is it some peculiarity of this tar.gz file?

Paul Kosinski


----------------------------------------------------------------------

09:51:08 ***@host:~/src/openssl> clamscan -ri openssl-0.9.8k/

----------- SCAN SUMMARY -----------
Known viruses: 537879
Engine version: 0.95
Scanned directories: 134
Scanned files: 2003
Infected files: 0
Data scanned: 13.86 MB
Data read: 12.99 MB (ratio 1.07:1)
Time: 10.665 sec (0 m 10 s)



09:51:24 ***@host:~/src/openssl> clamscan openssl-0.9.8k.tar.gz
openssl-0.9.8k.tar.gz: OK

----------- SCAN SUMMARY -----------
Known viruses: 537879
Engine version: 0.95
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 35.54 MB
Data read: 3.67 MB (ratio 9.68:1)
Time: 14.661 sec (0 m 14 s)
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Nathan Brink
2009-04-05 02:52:03 UTC
Post by Paul Kosinski
> Hi,
> I noticed the following anomaly when scanning a tar.gz file compared
> to scanning the result of untarring it. Scanning the tar.gz file
> results in less "data read" than scanning the files which it expands
> to (as one would expect), but the "data scanned" amount is *much* more
> for the tar.gz file than for the resultant files in the directory
> tree.
> Does this indicate some problem with the way clamav handles
> compressed files, or is it some peculiarity of this tar.gz file?
I don't think this is a problem with clamav's handling of compressed
files. I think it is a feature.

The following is just a bunch of assumptions, though:
When clamav scans a tar.gz, it initially scans the raw tar.gz data and
tries to match that against virus patterns. Then it scans the ungzip-ed
tar and tries to match some hashes of that data against virus defs. And
then it scans the individual files in the tar, possibly scanning and
then expanding and scanning other archives that are found in the tar.
The result is that more data is scanned. This is a feature for two
reasons: 1) signatures that match against the part of a tar archive that
represents a file will catch a virus more efficiently than having clamav
expand the viral file and then scan it. This improves clam's efficiency
as, IIRC, clam stops scanning once it encounters a virus match. 2) the
gzip or tar stream may be specially crafted to take advantage of
exploits in buggy versions of gzip, GNU tar, or proprietary
implementations of the programs. Clamav should detect this, not just
viruses stored in tars or files encoded using gzip.
Is your username really ``user'' and hostname really ``host''?
--
binki

Sarocet
2009-04-05 13:24:23 UTC
Post by Paul Kosinski
> ----------- SCAN SUMMARY -----------
> Known viruses: 537879
> Engine version: 0.95
> Scanned directories: 134
> Scanned files: 2003
> Infected files: 0
> Data scanned: 13.86 MB
> Data read: 12.99 MB (ratio 1.07:1)
> Time: 10.665 sec (0 m 10 s)
> openssl-0.9.8k.tar.gz: OK
> ----------- SCAN SUMMARY -----------
> Known viruses: 537879
> Engine version: 0.95
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 35.54 MB
> Data read: 3.67 MB (ratio 9.68:1)
> Time: 14.661 sec (0 m 14 s)
3.67 MB + 18 MB + 13.86 MB = 35.53 MB plus rounding errors, the reported
35.54 MB.
(tar.gz size + tar size + uncompressed scanned size)

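The layered accounting that Nathan's reply describes and that Sarocet's arithmetic confirms (raw tar.gz bytes, then the gunzipped tar stream, then every file inside it) can be reproduced directly. The script below is an added illustration, not ClamAV code; it builds a small tar.gz in memory from constructed member names and sizes, then sums the three layers the way the two scan summaries in the thread suggest. The assumption is that each layer is counted in full, which is what the 3.67 + 18 + 13.86 MB figures imply for this particular tarball.

```python
import gzip
import io
import tarfile

# Constructed sample members (name, size in bytes); not the openssl tarball.
SAMPLE_MEMBERS = (
    ("pkg/README", 50_000),
    ("pkg/src/main.c", 120_000),
    ("pkg/data/blob.bin", 7_000),
)


def build_sample_tar_gz(members=SAMPLE_MEMBERS):
    """Build a tar.gz entirely in memory so the example runs offline."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, size in members:
            # Repetitive payload: compresses well, like a typical source tree.
            payload = (name.encode() * (size // len(name) + 1))[:size]
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return gzip.compress(tar_buf.getvalue())


def layered_scan_accounting(tar_gz_bytes):
    """Model the three-layer accounting described in the thread:
    1. the raw .tar.gz bytes (also the only bytes actually read from disk),
    2. the gunzipped .tar stream (headers, padding and end-of-archive blocks),
    3. every regular-file member stored inside the tar.
    Returns per-layer byte counts plus the totals a scan summary would show.
    """
    raw_size = len(tar_gz_bytes)
    tar_bytes = gzip.decompress(tar_gz_bytes)
    tar_size = len(tar_bytes)

    member_total = 0
    member_count = 0
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar:
            if member.isfile():
                member_total += member.size
                member_count += 1

    data_read = raw_size
    data_scanned = raw_size + tar_size + member_total
    return {
        "data_read": data_read,
        "layer_raw": raw_size,
        "layer_tar": tar_size,
        "layer_members": member_total,
        "member_count": member_count,
        "data_scanned": data_scanned,
        "ratio": data_scanned / data_read,
    }


if __name__ == "__main__":
    stats = layered_scan_accounting(build_sample_tar_gz())
    for key, value in stats.items():
        if key == "ratio":
            print(f"{key:>14}: {value:.2f}:1")
        else:
            print(f"{key:>14}: {value:,} bytes")
```

The tar layer is always larger than the sum of the members (512-byte headers, block padding and record padding), and the gzip layer is far smaller than either, which is why "data read" stays small while "data scanned" balloons. On real archives the engine's own limits (clamscan's `--max-scansize` and `--max-filesize`) cap how much of the inner layers is actually examined, so this model is an upper bound rather than an exact prediction.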