Thread: Problem with virus - INVOICES email

  1. #1
    Join Date
    Apr 2008
    Location
    Poland
    Posts
    152

    Problem with virus - INVOICES email

    Recently, many emails with attachments with a rar extension in which there are viruses reach my server. They are in files such as vbs. Clamav does not respond to them at all and does not unpack these files despite the fact that in the default configuration the archive scanning option is enabled.
    I have added additional virus databases to Clamav, but it's still useless.
    I have the impression that the problem lies with Clamav, which does not check the contents of the rar archives.
    The following is a quote from ESET Antivirus, already running on the Windows workstation.

    Code:
      faktura_021118_3308704.rar - VBS/TrojanDownloader.Agent.QIN kon trojanski - usuniety
       faktura_021118_3308704.rar > RAR5 > faktura_021118_3308704.vbs - VBS/TrojanDownloader.Agent.QIN kon trojanski - usuniety
    What else can I do?

  2. #2
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,498
    Hello,

    Does ClamAV find a virus if you scan the rar archive manually in a shell console? What output do you have there?

  3. #3
    Join Date
    Apr 2008
    Location
    Poland
    Posts
    152
    Clamav scan result:

    Code:
    clamscan faktura_051118_770933.rar
    faktura_051118_770933.rar: OK
    
    ----------- SCAN SUMMARY -----------
    Known viruses: 10750546
    Engine version: 0.100.2
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 53.617 sec (0 m 53 s)

  4. #4
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,498
    and this way

    Code:
    clamscan -v --archive-verbose faktura_051118_770933.rar
    ?

    it lists files in the rar archive on my end.

  5. #5
    Join Date
    Apr 2008
    Location
    Poland
    Posts
    152
    Code:
    clamscan -v --archive-verbose faktura_051118_770933.rar
    Scanning faktura_051118_770933.rar
    faktura_051118_770933.rar: OK
    
    ----------- SCAN SUMMARY -----------
    Known viruses: 10750546
    Engine version: 0.100.2
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 59.292 sec (0 m 59 s)
    I tried to unpack this file but

    Code:
    
    root@da:/home/admin# unrar faktura_051118_770933.rar
    
    unrar 0.0.1  Copyright (C) 2004  Ben Asselstine, Jeroen Dekkers
    
    
    Extracting from /home/admin/faktura_051118_770933.rar
    
    unknown archive type, only plain RAR 2.0 supported(normal and solid archives), SFX and Volumes are NOT supported!
    All OK

  6. #6
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,498
    What you see with

    Code:
    file faktura_051118_770933.rar
    ?

  7. #7
    Join Date
    Apr 2008
    Location
    Poland
    Posts
    152
    Code:
    file faktura_051118_770933.rar
    faktura_051118_770933.rar: RAR archive data, v5

  8. #8
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,498
    Well, the file format is detected fine, but `unrar` cannot open it... probably your version is too old.

    I've got UNRAR 4.00 freeware, and you?

    Code:
    unrar | head

    But there is 5.61 already available https://www.rarlab.com/

  9. #9
    Join Date
    Apr 2008
    Location
    Poland
    Posts
    152
    I've installed from apt.

    Code:
     
     dpkg -l | grep unrar
    ii  unrar-free                       1:0.0.1+cvs20140707-1+b2       amd64        Unarchiver for .rar files
    But when I used the one from the rarlab website, now it is unpacked

    Code:
    UNRAR 5.61 freeware      Copyright (c) 1993-2018 Alexander Roshal
    
    
    Extracting from /home/admin/faktura_051118_770933.rar
    
    Extracting  faktura_051118_770933.vbs                                 OK
    All OK
    So where is the problem? Why is Clamav not blocking the vbs in the rar archive? Or maybe Exim?

  10. #10
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,498
    Too old an unrar version was installed with the *.deb package, which cannot unpack archives created by a newer RAR version.

    Try and re-send an email to see whether or not the issue is solved with a newer unrar.

  11. #11
    Join Date
    Apr 2008
    Location
    Poland
    Posts
    152
    Does Clamav use 3rd party software like unrar to unpack archives?

  12. #12
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,498
    Did you install ClamAV from a deb package? Or by custombuild?

    Well, rar/unrar is commercial software. And I don't have a straightforward answer here whether or not they have unrar compiled in. Probably somebody else could share their thoughts here.

    Anyway, I've searched the internet and here is what I've found:

    Q.: Any hints on how to check if the unrar library is installed correctly?

    A: depends on your OS/distro.
    on debian gnu/linux you need libclamunrar* package installed, currently
    libclamunrar7. It comes in non-free section.
    If this is the case then libclamunrar version might affect it.

    http://lists.clamav.net/pipermail/cl...ly/006667.html


    Then here: https://www.securiteinfo.com/divers/...piled-in.shtml they say:

    Since 0.92, Debian cannot distribute Clamav packages with the unrar 3.0 code compiled in for license reasons.
    and if this is the case ClamAV might use an external unpacker. So it might rely on your unrar version.

    Anyway try and locate libclamunrar.so on your Debian server.

    Code:
    updatedb
    locate libclamunrar.so
    On CentOS I have:

    Code:
    /usr/local/lib64/libclamunrar.so
    /usr/local/lib64/libclamunrar.so.7
    /usr/local/lib64/libclamunrar.so.7.1.1

    So I suppose ClamAV is built with unrar support.

    ClamAV on the server on my side is outdated, and library versions might be old. Nevertheless, if I remove or rename the files, clamscan fails to unpack a rar archive.

    If I remove/rename /usr/bin/unrar then clamscan unpacks a rar archive fine. So at least on CentOS /usr/bin/unrar is not used with clamscan.


    But.... Exim does not use clamscan.

    It uses clamdscan instead...connecting to its port.

    Code:
    av_scanner = clamd:127.0.0.1 3310
    And clamdscan on my end does not seem to unpack a rar archive when checking it.

    Code:
    # clamdscan -v --stdout file.rar
    
    file.rar: OK
    
    ----------- SCAN SUMMARY -----------
    Infected files: 0
    Time: 0.000 sec (0 m 0 s)
    And does it work on your end on Debian?

  13. #13
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,498
    By the way try this too:

    Code:
    perl -pi -e "s/#ScanArchive.*/ScanArchive yes/" /etc/clamd.conf
    and restart clamd.

  14. #14
    Join Date
    Apr 2008
    Location
    Poland
    Posts
    152
    Quote Originally Posted by zEitEr
    By the way try this too:

    Code:
    perl -pi -e "s/#ScanArchive.*/ScanArchive yes/" /etc/clamd.conf
    and restart clamd.
    I did yesterday also.


    I checked libclamunrar

    Code:
    ls -l /usr/local/lib/libclamunrar*
    -rwxr-xr-x 1 root staff   1005 paź  9 15:07 /usr/local/lib/libclamunrar_iface.la
    lrwxrwxrwx 1 root staff     27 paź  9 15:07 /usr/local/lib/libclamunrar_iface.so -> libclamunrar_iface.so.7.1.1
    lrwxrwxrwx 1 root staff     27 paź  9 15:07 /usr/local/lib/libclamunrar_iface.so.7 -> libclamunrar_iface.so.7.1.1
    -rwxr-xr-x 1 root staff  33648 paź  9 15:07 /usr/local/lib/libclamunrar_iface.so.7.1.1
    -rwxr-xr-x 1 root staff    937 paź  9 15:07 /usr/local/lib/libclamunrar.la
    lrwxrwxrwx 1 root staff     21 paź  9 15:07 /usr/local/lib/libclamunrar.so -> libclamunrar.so.7.1.1
    lrwxrwxrwx 1 root staff     21 paź  9 15:07 /usr/local/lib/libclamunrar.so.7 -> libclamunrar.so.7.1.1
    -rwxr-xr-x 1 root staff 200800 paź  9 15:07 /usr/local/lib/libclamunrar.so.7.1.1
    I tried using clamdscan like you and the result:

    Code:
    clamdscan -v --stdout faktura_051118_770933.rar
    /home/admin/faktura_051118_770933.rar: OK
    
    ----------- SCAN SUMMARY -----------
    Infected files: 0
    Time: 57.476 sec (0 m 57 s)
    I could understand that the clamav database doesn't have a record that the vbs file inside the rar is a virus. But I need to block these files inside the rar, because every vbs, bat and exe is potentially dangerous.
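The requirement stated in this post, blocking vbs/bat/exe attachments inside a rar regardless of whether the AV engine has a signature for the payload, can be enforced without decompressing anything: a RAR5 archive's header chain carries every entry name in the clear, so a gateway filter can read the names even where an old `unrar` cannot open the archive. The following is an added example and is not code from this thread, from ClamAV or from Exim. It walks the RAR5 block layout as published in the RAR 5.0 format note (CRC32, header size, type, flags, optional data size, then the type-specific fields), builds a small sample archive in code with a minimal store-only writer so it runs offline (the `.vbs` and `.pdf` entries are constructed placeholders), and treats `BLOCKED_EXTENSIONS` as a policy list taken from the post; all function names are this example's own.

```python
import os
import struct
import zlib

RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"   # `file` reports this as "RAR archive data, v5"
HDR_MAIN, HDR_FILE, HDR_SERVICE, HDR_END = 1, 2, 3, 5
FLAG_EXTRA, FLAG_DATA = 0x0001, 0x0002       # general header flags
FILE_FLAG_MTIME, FILE_FLAG_CRC = 0x0002, 0x0004
BLOCKED_EXTENSIONS = {"vbs", "bat", "exe"}   # policy list from the post (assumption)

def encode_vint(n):
    """RAR vint: 7 data bits per byte, least significant first, high bit = continue."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append((byte | 0x80) if n else byte)
        if not n:
            return bytes(out)

def decode_vint(buf, pos):
    """Return (value, position after the vint) for the vint at buf[pos]."""
    value, shift = 0, 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos

def _block(header_type, flags, body, data=b""):
    """One RAR5 block: CRC32 | header size | type | flags | [data size] | body | data."""
    if data:
        flags |= FLAG_DATA
        body = encode_vint(len(data)) + body   # data size follows the flags field
    header = encode_vint(header_type) + encode_vint(flags) + body
    sized = encode_vint(len(header)) + header
    # the CRC covers everything from the header size field through the extra area
    return struct.pack("<I", zlib.crc32(sized) & 0xFFFFFFFF) + sized + data

def build_rar5(entries):
    """Minimal RAR5 writer (store method only), used here to construct the sample."""
    out = bytearray(RAR5_SIGNATURE)
    out += _block(HDR_MAIN, 0, encode_vint(0))        # archive flags = 0
    for name, content in entries:
        raw_name = name.encode("utf-8")
        body = (encode_vint(FILE_FLAG_CRC)            # file flags: data CRC32 present
                + encode_vint(len(content))           # unpacked size
                + encode_vint(0x20)                   # file attributes
                + struct.pack("<I", zlib.crc32(content) & 0xFFFFFFFF)
                + encode_vint(0)                      # compression info: v5.0, store
                + encode_vint(0)                      # host OS: Windows
                + encode_vint(len(raw_name)) + raw_name)
        out += _block(HDR_FILE, 0, body, content)
    out += _block(HDR_END, 0, encode_vint(0))         # end-of-archive flags = 0
    return bytes(out)

def list_rar5(buf):
    """Walk the block chain and return the names of all file entries (no extraction)."""
    if not buf.startswith(RAR5_SIGNATURE):
        raise ValueError("not a RAR5 archive")
    pos, names = len(RAR5_SIGNATURE), []
    while pos < len(buf):
        stored_crc = struct.unpack_from("<I", buf, pos)[0]
        header_size, p = decode_vint(buf, pos + 4)
        header_end = p + header_size
        if zlib.crc32(buf[pos + 4:header_end]) & 0xFFFFFFFF != stored_crc:
            raise ValueError("header CRC mismatch at offset %d" % pos)
        header_type, p = decode_vint(buf, p)
        flags, p = decode_vint(buf, p)
        data_size = 0
        if flags & FLAG_EXTRA:
            _extra_size, p = decode_vint(buf, p)
        if flags & FLAG_DATA:
            data_size, p = decode_vint(buf, p)
        if header_type in (HDR_FILE, HDR_SERVICE):
            file_flags, p = decode_vint(buf, p)
            _unpacked_size, p = decode_vint(buf, p)
            _attributes, p = decode_vint(buf, p)
            p += 4 if file_flags & FILE_FLAG_MTIME else 0   # uint32 mtime
            p += 4 if file_flags & FILE_FLAG_CRC else 0     # uint32 data CRC32
            _compression, p = decode_vint(buf, p)
            _host_os, p = decode_vint(buf, p)
            name_len, p = decode_vint(buf, p)
            if header_type == HDR_FILE:   # service headers (comments etc.) carry no attachment
                names.append(buf[p:p + name_len].decode("utf-8", "replace"))
        pos = header_end + data_size      # the next block starts after the data area
        if header_type == HDR_END:
            break
    return names

def blocked_entries(names, blocked=BLOCKED_EXTENSIONS):
    """Entry names whose extension (case-insensitive) is on the block list."""
    return [n for n in names if os.path.splitext(n)[1].lstrip(".").lower() in blocked]

# Constructed sample: a placeholder .vbs (plain text, not a script) beside a .pdf.
SAMPLE_ARCHIVE = build_rar5([
    ("faktura_051118_770933.vbs", b"' constructed placeholder text\r\n"),
    ("faktura.pdf", b"%PDF-1.4 placeholder"),
])
```

Running `blocked_entries(list_rar5(SAMPLE_ARCHIVE))` returns `['faktura_051118_770933.vbs']`, which is the decision the gateway needs whether or not ClamAV matches the payload. A filter built on this should fail closed: a signature it does not recognise, a header CRC mismatch, or an encryption header (type 4, which hides the following headers) are all reasons to quarantine rather than deliver.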

  15. #15
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,498
    It seems it fails to unpack... I don't have anything to add yet. Probably somebody else has more ideas.

  16. #16
    Join Date
    Apr 2008
    Location
    Poland
    Posts
    152
    Can someone help?

  17. #17
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    12,498
    If you aren't looking for alternative solutions you might need to contact ClamAV community or developers for more assistance. While searching the Internet I've found similar cases (I'm sure you've already seen them too), and they do not offer a solution...
