Problem with virus - INVOICES email

remikk (Verified User, joined Apr 30, 2008, 165 messages, location: Poland)
Recently, many emails with .rar attachments containing viruses have been reaching my server. Inside are files such as .vbs. ClamAV does not react to them at all and does not unpack these files, despite the fact that archive scanning is enabled in the default configuration.
I have added additional virus databases to ClamAV, but it is still useless.
I have the impression that the problem lies with ClamAV, which does not check the contents of the rar archives.
The following is output from ESET Antivirus on the Windows workstation.

Code:
faktura_021118_3308704.rar - VBS/TrojanDownloader.Agent.QIN Trojan horse - deleted
 faktura_021118_3308704.rar > RAR5 > faktura_021118_3308704.vbs - VBS/TrojanDownloader.Agent.QIN Trojan horse - deleted

What else can I do?
 
Hello,

Does ClamAV find a virus if you scan the rar archive manually in a shell console? What output do you have there?
 
Clamav scan result:

Code:
clamscan faktura_051118_770933.rar
faktura_051118_770933.rar: OK

----------- SCAN SUMMARY -----------
Known viruses: 10750546
Engine version: 0.100.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 53.617 sec (0 m 53 s)
 
And this way:

Code:
clamscan -v --archive-verbose faktura_051118_770933.rar
?

It lists the files in the rar archive on my end.
 
Code:
clamscan -v --archive-verbose faktura_051118_770933.rar
Scanning faktura_051118_770933.rar
faktura_051118_770933.rar: OK

----------- SCAN SUMMARY -----------
Known viruses: 10750546
Engine version: 0.100.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 59.292 sec (0 m 59 s)

I tried to unpack this file, but:

Code:
root@da:/home/admin# unrar faktura_051118_770933.rar

unrar 0.0.1  Copyright (C) 2004  Ben Asselstine, Jeroen Dekkers


Extracting from /home/admin/faktura_051118_770933.rar

unknown archive type, only plain RAR 2.0 supported(normal and solid archives), SFX and Volumes are NOT supported!
All OK
 
What you see with

Code:
file faktura_051118_770933.rar
?
 
Code:
file faktura_051118_770933.rar
faktura_051118_770933.rar: RAR archive data, v5
 
Well, the file format is detected fine, but `unrar` cannot open it... probably your version is too old.

I've got UNRAR 4.00 freeware, and you?

Code:
unrar | head


But 5.61 is already available: https://www.rarlab.com/
 
I installed it from apt.

Code:
dpkg -l | grep unrar
ii  unrar-free                       1:0.0.1+cvs20140707-1+b2       amd64        Unarchiver for .rar files

But when I used the one from the rarlab website, it unpacked:

Code:
UNRAR 5.61 freeware      Copyright (c) 1993-2018 Alexander Roshal


Extracting from /home/admin/faktura_051118_770933.rar

Extracting  faktura_051118_770933.vbs                                 OK
All OK

So where is the problem? Why is ClamAV not blocking the vbs inside the rar archive? Or maybe it is Exim?
 
The unrar version installed from the *.deb package is too old and cannot unpack archives created by a newer RAR version.

Try re-sending such an email to see whether or not the issue is solved with the newer unrar.
 
Did you install ClamAV from a deb package? Or by custombuild?

Well, rar/unrar is commercial software, and I don't have a straightforward answer here as to whether or not they have unrar compiled in. Probably somebody else could share their thoughts here.

Anyway, I've searched in internet and here is what I've found:

Q.: Any hints on how to check if the unrar library is installed correctly?

A: depends on your OS/distro.
on debian gnu/linux you need libclamunrar* package installed, currently
libclamunrar7. It comes in non-free section.

If this is the case then the libclamunrar version might affect it.

http://lists.clamav.net/pipermail/clamav-users/2018-July/006667.html


Then here: https://www.securiteinfo.com/divers/Clamav_LibClamAV_Warning_RAR_code_not_compiled-in.shtml they say:

Since 0.92, Debian cannot distribute Clamav packages with the unrar 3.0 code compiled in for license reasons.

and if this is the case ClamAV might use an external unpacker, so it might rely on your unrar version.

Anyway try and locate libclamunrar.so on your Debian server.

Code:
updatedb
locate libclamunrar.so

On CentOS I have:

Code:
/usr/local/lib64/libclamunrar.so
/usr/local/lib64/libclamunrar.so.7
/usr/local/lib64/libclamunrar.so.7.1.1


So I suppose ClamAV is built with unrar support.

ClamAV on the server on my side is outdated, and the library versions might be old. Nevertheless, if I remove or rename those files, clamscan fails to unpack a rar archive.

If I remove/rename /usr/bin/unrar then clamscan unpacks a rar archive fine. So at least on CentOS /usr/bin/unrar is not used with clamscan.


But.... Exim does not use clamscan. ;)

It uses clamdscan instead...connecting to its port.

Code:
av_scanner = clamd:127.0.0.1 3310

And clamdscan on my end does not seem to unpack a rar archive when checking it.

Code:
# clamdscan -v --stdout file.rar

file.rar: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.000 sec (0 m 0 s)

And does it work on your end on Debian?
 
By the way try this too:

Code:
perl -pi -e "s/#ScanArchive.*/ScanArchive yes/" /etc/clamd.conf

and restart clamd.
 
By the way try this too:

Code:
perl -pi -e "s/#ScanArchive.*/ScanArchive yes/" /etc/clamd.conf

and restart clamd.

I did that yesterday as well.


I checked libclamunrar:

Code:
ls -l /usr/local/lib/libclamunrar*
-rwxr-xr-x 1 root staff   1005 Oct  9 15:07 /usr/local/lib/libclamunrar_iface.la
lrwxrwxrwx 1 root staff     27 Oct  9 15:07 /usr/local/lib/libclamunrar_iface.so -> libclamunrar_iface.so.7.1.1
lrwxrwxrwx 1 root staff     27 Oct  9 15:07 /usr/local/lib/libclamunrar_iface.so.7 -> libclamunrar_iface.so.7.1.1
-rwxr-xr-x 1 root staff  33648 Oct  9 15:07 /usr/local/lib/libclamunrar_iface.so.7.1.1
-rwxr-xr-x 1 root staff    937 Oct  9 15:07 /usr/local/lib/libclamunrar.la
lrwxrwxrwx 1 root staff     21 Oct  9 15:07 /usr/local/lib/libclamunrar.so -> libclamunrar.so.7.1.1
lrwxrwxrwx 1 root staff     21 Oct  9 15:07 /usr/local/lib/libclamunrar.so.7 -> libclamunrar.so.7.1.1
-rwxr-xr-x 1 root staff 200800 Oct  9 15:07 /usr/local/lib/libclamunrar.so.7.1.1

I tried using clamdscan like you, and the result:

Code:
clamdscan -v --stdout faktura_051118_770933.rar
/home/admin/faktura_051118_770933.rar: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 57.476 sec (0 m 57 s)

I could understand that the ClamAV database doesn't have an entry saying the vbs file inside the rar is a virus. But I need to block these files inside rar archives, because every vbs, bat or exe is potentially dangerous.
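The requirement in the post above (reject every .vbs/.bat/.exe inside a rar whether or not the engine has a signature for it) can be met without a decompressor at all: the RAR5 block headers carry the member names in the clear unless the archive uses header encryption, so a filter can walk the headers, list the names and refuse the whole attachment on extension. That is also the explanation for the `Data scanned: 0.00 MB` lines in this thread: ClamAV 0.100.x ships a libclamunrar that only knows the RAR 4.x layout, and RAR5 extraction only arrived with the UnRAR update in ClamAV 0.101.0, so the 0.100.2 engine never looks inside a RAR5 file. The following is an added example written for this page, not code from the thread, from ClamAV or from unrar: a minimal Python walker over the RAR5 block structure (signature, vint-encoded block size/type/flags, file-header name field) plus a tiny stored-only RAR5 writer used purely to build constructed sample archives offline. `BLOCKED_EXT`, `build_archive`, `list_members` and `verdict` are names chosen for the example, and the policy list is an assumption. It fails closed: a truncated file, a header CRC mismatch, a RAR 4.x archive (different layout, not parsed here) or an encryption header (member names hidden) all produce a reject.

```python
"""RAR5 member lister for a mail filter.  Added example (not code from this thread,
ClamAV or unrar): reads only the RAR5 block headers to list member names without
decompressing, so a .vbs/.bat/.exe inside the archive can be rejected even when the
AV engine has no signature.  build_archive() is a minimal stored-only RAR5 writer
used to produce constructed sample input; it is not a general RAR writer."""
import os
import struct
import zlib

RAR5_SIG, RAR4_SIG = b"Rar!\x1a\x07\x01\x00", b"Rar!\x1a\x07\x00"
BLOCK_MAIN, BLOCK_FILE, BLOCK_ENCRYPTION, BLOCK_END = 1, 2, 4, 5
FLAG_EXTRA, FLAG_DATA = 0x01, 0x02           # block header flags
FILE_MTIME, FILE_CRC32 = 0x02, 0x04          # file header flags
# Policy list (an assumption for this example): reject these whatever the AV verdict.
BLOCKED_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".exe", ".scr", ".ps1"}


def encode_vint(n):
    """RAR5 vint: 7 bits per byte, low bits first, high bit set on all but the last byte."""
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out + bytes([n]))


def decode_vint(buf, pos):
    n = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated vint")
        n |= (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
        if not buf[pos - 1] & 0x80:
            return n, pos


def build_block(btype, body, data=b""):
    """One block: CRC32 | vint header size | type | flags | [data size] | body | data."""
    hdr = encode_vint(btype) + encode_vint(FLAG_DATA if data else 0)
    if data:
        hdr += encode_vint(len(data))
    sized = encode_vint(len(hdr) + len(body)) + hdr + body   # CRC covers size vint onwards
    return struct.pack("<I", zlib.crc32(sized)) + sized + data


def build_archive(members):
    """Constructed sample input: stored members, no extra areas, no encryption."""
    out = RAR5_SIG + build_block(BLOCK_MAIN, encode_vint(0))            # archive flags 0
    for name, content in members:
        raw = name.encode("utf-8")
        body = (encode_vint(FILE_CRC32) + encode_vint(len(content))    # file flags, unpacked size
                + encode_vint(0o644) + struct.pack("<I", zlib.crc32(content))  # attrs, data CRC
                + encode_vint(0) + encode_vint(1)                      # method 0 = store, host 1 = Unix
                + encode_vint(len(raw)) + raw)
        out += build_block(BLOCK_FILE, body, content)
    return out + build_block(BLOCK_END, encode_vint(0))                 # end-of-archive flags 0


def list_members(blob):
    """Walk block headers and return member names; raises for anything uninspectable."""
    if not blob.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive" + (" (RAR 4.x layout differs)" if blob.startswith(RAR4_SIG) else ""))
    names, pos = [], len(RAR5_SIG)
    while pos < len(blob):
        crc = struct.unpack_from("<I", blob, pos)[0]   # struct.error if fewer than 4 bytes remain
        size, p = decode_vint(blob, pos + 4)
        end = p + size                                # header ends here, data area follows
        if end > len(blob):
            raise ValueError("truncated block at offset %d" % pos)
        if zlib.crc32(blob[pos + 4:end]) != crc:
            raise ValueError("bad header CRC at offset %d" % pos)
        btype, p = decode_vint(blob, p)
        flags, p = decode_vint(blob, p)
        if flags & FLAG_EXTRA:
            p = decode_vint(blob, p)[1]               # extra area size; the area itself lies inside `size`
        data = 0
        if flags & FLAG_DATA:
            data, p = decode_vint(blob, p)
        if btype == BLOCK_ENCRYPTION:
            raise ValueError("encrypted headers: member names are not inspectable")
        if btype == BLOCK_FILE:
            file_flags, p = decode_vint(blob, p)
            p = decode_vint(blob, decode_vint(blob, p)[1])[1]          # unpacked size, attributes
            p += (4 if file_flags & FILE_MTIME else 0) + (4 if file_flags & FILE_CRC32 else 0)
            p = decode_vint(blob, decode_vint(blob, p)[1])[1]          # compression info, host OS
            name_len, p = decode_vint(blob, p)
            names.append(blob[p:p + name_len].decode("utf-8", "replace"))
        elif btype == BLOCK_END:
            break
        pos = end + data
    return names


def verdict(blob):
    """(accept, reason); fails closed whenever the archive cannot be inspected."""
    try:
        names = list_members(blob)
    except (ValueError, struct.error) as exc:
        return False, "rejected: %s" % exc
    for name in names:
        if os.path.splitext(name)[1].lower() in BLOCKED_EXT:
            return False, "rejected: executable member %r" % name
    return True, "accepted: " + ", ".join(names)


# Constructed samples; the .vbs body is inert placeholder text, not a real downloader.
SAMPLE_BAD = build_archive([("faktura_051118_770933.vbs", b"' constructed placeholder\r\n")])
SAMPLE_OK = build_archive([("faktura_051118.pdf", b"%PDF-1.4 constructed stub"), ("notes.txt", b"hello")])
```

`verdict(SAMPLE_BAD)` rejects on the member name alone, which is the check the poster wants in front of Exim delivery (a content filter that sees the decoded attachment, not an Exim ACL, since the ACL only sees the outer .rar filename). Two caveats a practitioner should keep: an archive with encrypted headers is rejected here on purpose, because nothing on the server can inspect it; and a name-based rule is a complement to, not a replacement for, an engine that actually extracts RAR5, since nested archives and renamed extensions are trivial for the sender.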
 
It seems it fails to unpack... I don't have anything to add yet. Probably somebody else has more ideas.
 
If you aren't looking for alternative solutions, you might need to contact the ClamAV community or developers for more assistance. While searching the Internet I've found similar cases (I'm sure you've already seen them too), and they do not offer a solution...
 