Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

Heuristics.Limits.Exceeded.MaxScanSize for file way smaller than MaxScanSize #1147

Open michaelwittig opened 10 months ago

michaelwittig commented 10 months ago

Hi!

I recently received a Heuristics.Limits.Exceeded.MaxScanSize for a file that is much smaller than my MaxScanSize (4294967295) limit using clamd. The file is a 670 MB (more accurately 636631040 bytes) text file. The file has a .txt extension but actually contains a large bash script.

clamscan --debug (full output):

```
[...]
LibClamAV debug: cl_scandesc_callback: File too large (636631040 bytes), ignoring
[...]
```

I can scan files larger than 670 MB. Just this one file is special. I saw other issues where the file was matching against signatures but my case looks different (no matching at all).

Unfortunately, I can not share the file. Any ideas what could cause this?

clamconf output:

Checking configuration files in /etc

Config file: clamd.d/scan.conf
------------------------------
AlertExceedsMax = "yes"
PreludeEnable disabled
PreludeAnalyzerName disabled
LogFile disabled
LogFileUnlock disabled
LogFileMaxSize = "1048576"
LogTime disabled
LogClean disabled
LogSyslog = "yes"
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate disabled
ExtendedDetectionInfo disabled
PidFile disabled
TemporaryDirectory disabled
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/run/clamd.scan/clamd.sock"
LocalSocketGroup disabled
LocalSocketMode disabled
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "200"
StreamMaxLength = "26214400"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "10"
ReadTimeout = "120"
CommandReadTimeout = "30"
SendBufTimeout = "500"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "600"
ConcurrentDatabaseReload disabled
DisableCache disabled
VirusEvent disabled
ExitOnOOM disabled
AllowAllMatchScan = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamscan"
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "10000"
BytecodeUnsigned disabled
BytecodeMode = "Auto"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
ScanPE = "yes"
ScanELF = "yes"
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
HeuristicAlerts = "yes"
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
AlertBrokenExecutables disabled
AlertBrokenMedia disabled
AlertEncrypted = "yes"
StructuredCCOnly disabled
AlertEncryptedArchive disabled
AlertEncryptedDoc disabled
AlertOLE2Macros disabled
AlertPhishingSSLMismatch disabled
AlertPhishingCloak disabled
AlertPartitionIntersection disabled
ScanPDF = "yes"
ScanSWF = "yes"
ScanXMLDOCS = "yes"
ScanHWP3 = "yes"
ScanArchive = "yes"
ForceToDisk disabled
MaxScanTime disabled
MaxScanSize = "4294967295"
MaxFileSize = "4294967295"
MaxRecursion = "160"
MaxFiles disabled
MaxEmbeddedPE = "104857600"
MaxHTMLNormalize = "104857600"
MaxHTMLNoTags = "20971520"
MaxScriptNormalize = "52428800"
MaxZipTypeRcg = "10485760"
MaxPartitions = "500"
MaxIconsPE = "1000"
MaxRecHWP3 = "160"
PCREMatchLimit = "1000000"
PCRERecMatchLimit = "20000"
PCREMaxFileSize = "262144000"
OnAccessMountPath disabled
OnAccessIncludePath disabled
OnAccessExcludePath disabled
OnAccessExcludeRootUID disabled
OnAccessExcludeUID disabled
OnAccessExcludeUname disabled
OnAccessMaxFileSize = "5242880"
OnAccessDisableDDD disabled
OnAccessPrevention disabled
OnAccessExtraScanning disabled
OnAccessCurlTimeout = "5000"
OnAccessMaxThreads = "5"
OnAccessRetryAttempts disabled
OnAccessDenyOnError disabled
DevACOnly disabled
DevACDepth disabled
DevPerformance disabled
DevLiblog disabled
DisableCertCheck disabled
AlgorithmicDetection = "yes"
BlockMax disabled
PhishingAlwaysBlockSSLMismatch disabled
PhishingAlwaysBlockCloak disabled
PartitionIntersection disabled
OLE2BlockMacros disabled
ArchiveBlockEncrypted disabled

Config file: freshclam.conf
---------------------------
LogFileMaxSize = "1048576"
LogTime disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate disabled
PidFile disabled
DatabaseDirectory = "/var/lib/clamav"
Foreground disabled
Debug disabled
UpdateLogFile disabled
DatabaseOwner = "clamupdate"
Checks = "12"
DNSDatabaseInfo = "no"
DatabaseMirror = "https://bucketav-clamav-mirror-eu-west-2.s3.eu-west-2.amazonaws.com"
PrivateMirror disabled
MaxAttempts = "3"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
ExcludeDatabase disabled
DatabaseCustomURL disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamd.d/scan.conf"
OnUpdateExecute = "/bin/touch /tmp/freshclam.done"
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "30"
ReceiveTimeout disabled
Bytecode = "yes"

mail/clamav-milter.conf not found

Software settings
-----------------
Version: 0.103.10
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information
--------------------
Database directory: /var/lib/clamav
daily.cvd: version 27161, sigs: 2051323, built on Sun Jan 21 09:38:57 2024
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 12:32:42 2021
bytecode.cvd: version 334, sigs: 91, built on Wed Feb 22 21:33:21 2023
Total number of signatures: 8698841

Platform information
--------------------
uname: Linux 4.14.326-245.539.amzn2.x86_64 #1 SMP Tue Sep 26 09:59:02 UTC 2023 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.7 (1.2.7), compile flags: a9
platform id: 0x0a2181810800000000040805

Build information
-----------------
GNU C: 4.8.5 20150623 (Red Hat 4.8.5-44) (4.8.5)
CPPFLAGS: -I/usr/include/libprelude
CFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  -m64 -mtune=generic -fno-strict-aliasing   -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  -m64 -mtune=generic
LDFLAGS: -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed  -lprelude
Configure: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-milter' '--disable-clamav' '--disable-static' '--disable-zlib-vcheck' '--disable-unrar' '--enable-id-check' '--enable-dns' '--with-dbdir=/var/lib/clamav' '--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath' '--disable-silent-rules' '--enable-clamdtop' '--enable-prelude' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  -m64 -mtune=generic' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 129, dconf: 129

micahsnyder commented 9 months ago

ClamAV normalizes text files and then scans both versions, so the total amount of data scanned may be significantly higher than the files being scanned. I wouldn't expect a 670 MB text file to end up scanning more than 4GB. That does seem a little strange. Perhaps it is finding some attached content and extracting that and scanning that as well.

I'm not sure I would consider this to be a bug. But if you want to investigate more -- can you attach the output from running clamscan with these additional options: --debug --gen-json

fawind commented 3 months ago

I'm running into a similar issue trying to upgrade ClamAV from the 0.x LTS to 1.x. Note that ClamAV 1.0.5 reports this as MaxScanSize while ClamAV 1.3.1 flags this as MaxFileSize and no warning is emitted on 0.103.8.

The file I'm scanning is an arm64 binary of size 28 MB. Looking at the output of --debug --gen-json the following looks interesting (snippets, full debug output below):

```
$ clamscan -d db/daily.cvd --alert-exceeds-max=yes --max-filesize=2048M --max-scansize=0 --max-scantime=0 --max-recursion=40 arm64-binary --debug --gen-json
[...]
// Seems to correctly classify the file as "executable"
LibClamAV debug: ELF: File type: Executable
LibClamAV debug: ELF: Machine type: Unknown (0xb7)
[...]
// The overall file finishes without a finding
LibClamAV debug: Descriptor[3]: Continuing after file scan resulted with: No viruses detected
[...]
// Within the binary, ClamAV seems to detect a RAR-SFX signature?
LibClamAV debug: Matched signature for file type ZIP-SFX at 19076080
LibClamAV debug: Matched signature for file type RAR-SFX at 19076520
LibClamAV debug: Matched signature for file type RAR-SFX at 19076520
LibClamAV debug: Matched signature for file type HTML data at 20077476
LibClamAV debug: Matched signature for file type HTML data
LibClamAV debug: Matched signature for file type HTML data
[...]
unrar_open: Opened archive: /var/folders/ln/vqtgf6r50jj7llpd28yrv60d082fsw/T//20240730_210831-scantemp.fe25d32168/clamav-d4aed806711af70417a1e533c7ea5fc1.tmp
unrar_peek_file_header:   Name:
unrar_peek_file_header:   Directory?:    0
unrar_peek_file_header:   Target Dir:    0
unrar_peek_file_header:   RAR Version:   3
unrar_peek_file_header:   Packed Size:   8719941959316996884
unrar_peek_file_header:   Unpacked Size: 9080236526577124131
// Seems to detect a RAR entry of an insane size
LibClamAV debug: RAR: Next file is too large (9080236526577124131 bytes); it would exceed max scansize.  Skipping to next file.
[...]

/Volumes/git/sandbox/clamav-debug/arm64-binary: Heuristics.Limits.Exceeded.MaxFileSize FOUND
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 1
Data scanned: 29.86 MB
Data read: 28.04 MB (ratio 1.06:1)
```

My interpretation is that ClamAV wrongfully identifies the binary as a RAR archive and then reads inaccurate size metadata?

Full debug log (using ClamAV 1.3.1):

```
$ clamscan -d db/daily.cvd --alert-exceeds-max=yes --max-filesize=2048M --max-scansize=0 --max-scantime=0 --max-recursion=40 arm64-binary --debug --gen-json
LibClamAV debug: searching for unrar, user-searchpath: /opt/homebrew/Cellar/clamav/1.3.1/lib LibClamAV debug: searching for unrar: /opt/homebrew/Cellar/clamav/1.3.1/lib/libclamunrar_iface.dylib.12.0.2 not found LibClamAV debug: searching for unrar: /opt/homebrew/Cellar/clamav/1.3.1/lib/libclamunrar_iface.dylib.12 not found LibClamAV debug: unrar support loaded from /opt/homebrew/Cellar/clamav/1.3.1/lib/libclamunrar_iface.dylib LibClamAV debug: Initialized 1.3.1 engine LibClamAV debug: Initializing phishcheck module LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$ LibClamAV debug: Phishcheck module initialized LibClamAV debug: Bytecode initialized in interpreter mode LibClamAV debug: clean_cache_init: Requested cache size: 65536. Actual cache size: 65536. Trees: 256. Nodes per tree: 256. LibClamAV debug: in cli_cvdload() LibClamAV debug: cli_versig: Digital signature is correct. 
LibClamAV debug: in cli_tgzload() LibClamAV debug: daily.info loaded LibClamAV debug: in cli_tgzload_cleanup() LibClamAV debug: in cli_tgzload() LibClamAV debug: daily.cfg loaded LibClamAV debug: daily.ign loaded LibClamAV debug: daily.ign2 loaded LibClamAV debug: Initializing engine matching structures LibClamAV debug: Loaded 158 filetype definitions LibClamAV debug: daily.ftm loaded LibClamAV debug: daily.hdb loaded LibClamAV debug: daily.hdu skipped LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 64 LibClamAV debug: hashtab.c: new capacity: 128 LibClamAV debug: Table 0x102c4eae8 size after grow: 128 LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 128 LibClamAV debug: hashtab.c: new capacity: 256 LibClamAV debug: Table 0x102c4eae8 size after grow: 256 LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 256 LibClamAV debug: hashtab.c: new capacity: 512 LibClamAV debug: Table 0x102c4eae8 size after grow: 512 LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 512 LibClamAV debug: hashtab.c: new capacity: 1024 LibClamAV debug: Table 0x102c4eae8 size after grow: 1024 LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 1024 LibClamAV debug: hashtab.c: new capacity: 2048 LibClamAV debug: Table 0x102c4eae8 size after grow: 2048 LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 2048 LibClamAV debug: hashtab.c: new capacity: 4096 LibClamAV debug: Table 0x102c4eae8 size after grow: 4096 LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 4096 LibClamAV debug: hashtab.c: new capacity: 8192 LibClamAV debug: Table 0x102c4eae8 size after grow: 8192 LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded 
maxfill, old size: 8192 LibClamAV debug: hashtab.c: new capacity: 16384 LibClamAV debug: Table 0x102c4eae8 size after grow: 16384 LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 16384 LibClamAV debug: hashtab.c: new capacity: 32768 LibClamAV debug: Table 0x102c4eae8 size after grow: 32768 LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 32768 LibClamAV debug: hashtab.c: new capacity: 65536 LibClamAV debug: Table 0x102c4eae8 size after grow: 65536 LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 65536 LibClamAV debug: hashtab.c: new capacity: 131072 LibClamAV debug: Table 0x102c4eae8 size after grow: 131072 LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eae8, because it has exceeded maxfill, old size: 131072 LibClamAV debug: hashtab.c: new capacity: 262144 LibClamAV debug: Table 0x102c4eae8 size after grow: 262144 LibClamAV debug: hashtab.c:Growing hashtable 0x102c4eb28, because it has exceeded maxfill, old size: 64 LibClamAV debug: hashtab.c: new capacity: 128 LibClamAV debug: Table 0x102c4eb28 size after grow: 128 LibClamAV debug: daily.hsb loaded LibClamAV debug: daily.hsu skipped LibClamAV debug: hashtab.c:Growing hashtable 0x10827bc00, because it has exceeded maxfill, old size: 64 LibClamAV debug: hashtab.c: new capacity: 128 LibClamAV debug: Table 0x10827bc00 size after grow: 128 LibClamAV debug: hashtab.c:Growing hashtable 0x10827bc00, because it has exceeded maxfill, old size: 128 LibClamAV debug: hashtab.c: new capacity: 256 LibClamAV debug: Table 0x10827bc00 size after grow: 256 LibClamAV debug: hashtab.c:Growing hashtable 0x10827bc00, because it has exceeded maxfill, old size: 256 LibClamAV debug: hashtab.c: new capacity: 512 LibClamAV debug: Table 0x10827bc00 size after grow: 512 LibClamAV debug: hashtab.c:Growing hashtable 0x10827bc00, because it has exceeded maxfill, old size: 512 LibClamAV 
debug: hashtab.c: new capacity: 1024 LibClamAV debug: Table 0x10827bc00 size after grow: 1024 LibClamAV debug: hashtab.c:Growing hashtable 0x10827bc00, because it has exceeded maxfill, old size: 1024 LibClamAV debug: hashtab.c: new capacity: 2048 LibClamAV debug: Table 0x10827bc00 size after grow: 2048 LibClamAV debug: hashtab.c:Growing hashtable 0x10827bc00, because it has exceeded maxfill, old size: 2048 LibClamAV debug: hashtab.c: new capacity: 4096 LibClamAV debug: Table 0x10827bc00 size after grow: 4096 LibClamAV debug: hashtab.c:Growing hashtable 0x10827bc00, because it has exceeded maxfill, old size: 4096 LibClamAV debug: hashtab.c: new capacity: 8192 LibClamAV debug: Table 0x10827bc00 size after grow: 8192 LibClamAV debug: daily.mdb loaded LibClamAV debug: daily.mdu skipped LibClamAV debug: daily.msb loaded LibClamAV debug: daily.msu skipped LibClamAV debug: Initializing engine matching structures LibClamAV debug: daily.ndb loaded LibClamAV debug: daily.ndu skipped LibClamAV debug: Initializing engine matching structures LibClamAV debug: daily.ldb loaded LibClamAV debug: daily.ldu skipped LibClamAV debug: daily.idb loaded LibClamAV debug: hashtab.c:Growing hashtable 0x13a3529e8, because it has exceeded maxfill, old size: 64 LibClamAV debug: hashtab.c: new capacity: 128 LibClamAV debug: Table 0x13a3529e8 size after grow: 128 LibClamAV debug: hashtab.c:Growing hashtable 0x13a3529e8, because it has exceeded maxfill, old size: 128 LibClamAV debug: hashtab.c: new capacity: 256 LibClamAV debug: Table 0x13a3529e8 size after grow: 256 LibClamAV debug: hashtab.c:Growing hashtable 0x13a3529e8, because it has exceeded maxfill, old size: 256 LibClamAV debug: hashtab.c: new capacity: 512 LibClamAV debug: Table 0x13a3529e8 size after grow: 512 LibClamAV debug: hashtab.c:Growing hashtable 0x13a3529e8, because it has exceeded maxfill, old size: 512 LibClamAV debug: hashtab.c: new capacity: 1024 LibClamAV debug: Table 0x13a3529e8 size after grow: 1024 LibClamAV debug: 
daily.fp loaded LibClamAV debug: daily.sfp loaded LibClamAV debug: Loading regex_list LibClamAV debug: daily.pdb loaded LibClamAV debug: Loading regex_list LibClamAV debug: daily.wdb loaded LibClamAV debug: Number of certs: 29 LibClamAV debug: daily.crb loaded LibClamAV debug: daily.cdb loaded LibClamAV debug: in cli_tgzload_cleanup() LibClamAV debug: db-2-98/daily.cvd loaded LibClamAV debug: Using filter for trie 0 LibClamAV debug: Matcher[0]: GENERIC: AC sigs: 3704 (reloff: 8, absoff: 0) BM sigs: 4 (reloff: 0, absoff: 1) PCREs: 17 (reloff: 0, absoff: 0) maxpatlen 8000 LibClamAV debug: Using filter for trie 1 LibClamAV debug: Matcher[1]: PE: AC sigs: 1172099 (reloff: 19, absoff: 0) BM sigs: 2 (reloff: 2, absoff: 0) PCREs: 17 (reloff: 0, absoff: 0) maxpatlen 3501 LibClamAV debug: Matcher[2]: OLE2: AC sigs: 15821 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 11 (reloff: 0, absoff: 0) maxpatlen 3548 (ac_only mode) LibClamAV debug: Matcher[3]: HTML: AC sigs: 428 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 4 (reloff: 0, absoff: 0) maxpatlen 244 (ac_only mode) LibClamAV debug: Using filter for trie 4 LibClamAV debug: Matcher[4]: MAIL: AC sigs: 171 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 169 (reloff: 0, absoff: 0) maxpatlen 23 (ac_only mode) LibClamAV debug: Matcher[5]: GRAPHICS: AC sigs: 14 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 1 (reloff: 0, absoff: 0) maxpatlen 32 (ac_only mode) LibClamAV debug: Matcher[6]: ELF: AC sigs: 17798 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 320 (ac_only mode) LibClamAV debug: Using filter for trie 7 LibClamAV debug: Matcher[7]: ASCII: AC sigs: 1902 (reloff: 17, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 28 (reloff: 0, absoff: 0) maxpatlen 256 (ac_only mode) LibClamAV debug: Matcher[8]: NOT USED: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 
0) maxpatlen 0 (ac_only mode) LibClamAV debug: Matcher[9]: MACH-O: AC sigs: 3048 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 273 (ac_only mode) LibClamAV debug: Matcher[10]: PDF: AC sigs: 163 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 6 (reloff: 0, absoff: 0) maxpatlen 388 (ac_only mode) LibClamAV debug: Matcher[11]: FLASH: AC sigs: 20 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 34 (ac_only mode) LibClamAV debug: Matcher[12]: JAVA: AC sigs: 146 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 7 (reloff: 0, absoff: 0) maxpatlen 95 (ac_only mode) LibClamAV debug: Matcher[13]: INTERNAL: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode) LibClamAV debug: Matcher[14]: OTHER: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode) LibClamAV debug: Building regex list LibClamAV debug: Using filter for trie 0 LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0 LibClamAV debug: Building regex list LibClamAV debug: Using filter for trie 0 LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0 LibClamAV debug: Dynamic engine configuration settings: LibClamAV debug: -------------------------------------- LibClamAV debug: Module PE: On LibClamAV debug: * Submodule PARITE: On LibClamAV debug: * Submodule KRIZ: On LibClamAV debug: * Submodule MAGISTR: On LibClamAV debug: * Submodule POLIPOS: On LibClamAV debug: * Submodule MD5SECT: On LibClamAV debug: * Submodule UPX: On LibClamAV debug: * Submodule FSG: On LibClamAV debug: * Submodule SWIZZOR: ** Off ** LibClamAV debug: * Submodule PETITE: On LibClamAV debug: * Submodule PESPIN: On LibClamAV debug: * Submodule YC: On LibClamAV debug: * Submodule WWPACK: On LibClamAV debug: * Submodule NSPACK: On LibClamAV debug: 
* Submodule MEW: On LibClamAV debug: * Submodule UPACK: On LibClamAV debug: * Submodule ASPACK: On LibClamAV debug: * Submodule CATALOG: On LibClamAV debug: * Submodule CERTS: On LibClamAV debug: * Submodule MATCHICON: On LibClamAV debug: * Submodule IMPTBL: On LibClamAV debug: Module ELF: On LibClamAV debug: Module MACHO: On LibClamAV debug: Module ARCHIVE: On LibClamAV debug: * Submodule RAR: On LibClamAV debug: * Submodule ZIP: On LibClamAV debug: * Submodule GZIP: On LibClamAV debug: * Submodule BZIP: On LibClamAV debug: * Submodule ARJ: On LibClamAV debug: * Submodule SZDD: On LibClamAV debug: * Submodule CAB: On LibClamAV debug: * Submodule CHM: On LibClamAV debug: * Submodule OLE2: On LibClamAV debug: * Submodule TAR: On LibClamAV debug: * Submodule CPIO: On LibClamAV debug: * Submodule BINHEX: On LibClamAV debug: * Submodule SIS: On LibClamAV debug: * Submodule NSIS: On LibClamAV debug: * Submodule AUTOIT: On LibClamAV debug: * Submodule ISHIELD: On LibClamAV debug: * Submodule 7zip: On LibClamAV debug: * Submodule ISO9660: On LibClamAV debug: * Submodule DMG: On LibClamAV debug: * Submodule XAR: On LibClamAV debug: * Submodule HFSPLUS: On LibClamAV debug: * Submodule XZ: On LibClamAV debug: * Submodule PASSWD: On LibClamAV debug: * Submodule MBR: On LibClamAV debug: * Submodule GPT: On LibClamAV debug: * Submodule APM: On LibClamAV debug: * Submodule EGG: On LibClamAV debug: * Submodule UDF: On LibClamAV debug: Module DOCUMENT: On LibClamAV debug: * Submodule HTML: On LibClamAV debug: * Submodule RTF: On LibClamAV debug: * Submodule PDF: On LibClamAV debug: * Submodule SCRIPT: On LibClamAV debug: * Submodule HTMLSKIPRAW: On LibClamAV debug: * Submodule JSNORM: On LibClamAV debug: * Submodule SWF: On LibClamAV debug: * Submodule OOXML: On LibClamAV debug: * Submodule MSPML: On LibClamAV debug: * Submodule HWP: On LibClamAV debug: * Submodule ONENOTE: On LibClamAV debug: Module MAIL: On LibClamAV debug: * Submodule MBOX: On LibClamAV debug: * Submodule TNEF: 
On LibClamAV debug: Module OTHER: On LibClamAV debug: * Submodule UUENCODED: On LibClamAV debug: * Submodule SCRENC: On LibClamAV debug: * Submodule RIFF: On LibClamAV debug: * Submodule JPEG: On LibClamAV debug: * Submodule CRYPTFF: On LibClamAV debug: * Submodule DLP: On LibClamAV debug: * Submodule MYDOOMLOG: On LibClamAV debug: * Submodule PREFILTERING: On LibClamAV debug: * Submodule PDFNAMEOBJ: On LibClamAV debug: * Submodule PRTNINTXN: On LibClamAV debug: * Submodule LZW: On LibClamAV debug: * Submodule GIF: On LibClamAV debug: * Submodule PNG: On LibClamAV debug: * Submodule TIFF: On LibClamAV debug: Module PHISHING On LibClamAV debug: * Submodule ENGINE: On LibClamAV debug: * Submodule ENTCONV: On LibClamAV debug: Module BYTECODE On LibClamAV debug: * Submodule INTERPRETER: On LibClamAV debug: * Submodule JIT X86: On LibClamAV debug: * Submodule JIT PPC: On LibClamAV debug: * Submodule JIT ARM: ** Off ** LibClamAV debug: Module STATS Off LibClamAV debug: Module PCRE On LibClamAV debug: * Submodule SUPPORT: On LibClamAV debug: * Submodule OPTIONS: On LibClamAV debug: * Submodule GLOBAL: On LibClamAV debug: pool memory used: 734.312 MB LibClamAV debug: No bytecodes loaded, not running builtin test LibClamAV debug: Checking realpath of arm64-binary LibClamAV debug: cli_get_filepath_from_filedesc: File path for fd [3] is: /Volumes/git/sandbox/clamav-debug/arm64-binary LibClamAV debug: Recognized ELF file LibClamAV debug: clean_cache_check: collect metadata feature enabled, skipping cache LibClamAV debug: in cli_scanelf LibClamAV debug: ELF: ELF class 2 (64-bit) LibClamAV debug: ELF: File is little-endian - conversion not required LibClamAV debug: ELF: File type: Executable LibClamAV debug: ELF: Machine type: Unknown (0xb7) LibClamAV debug: ELF: Number of program headers: 6 LibClamAV debug: ELF: Program header table offset: 64 LibClamAV debug: ------------------------------------ LibClamAV debug: ELF: Segment #0 LibClamAV debug: ELF: Segment type: 0x6 LibClamAV 
debug: ELF: Segment offset: 0x40 LibClamAV debug: ELF: Segment virtual address: 0x10040 LibClamAV debug: ELF: Segment real size: 0x150 LibClamAV debug: ELF: Segment virtual size: 0x150 LibClamAV debug: ------------------------------------ LibClamAV debug: ELF: Segment #1 LibClamAV debug: ELF: Segment type: 0x4 LibClamAV debug: ELF: Segment offset: 0xf9c LibClamAV debug: ELF: Segment virtual address: 0x10f9c LibClamAV debug: ELF: Segment real size: 0x64 LibClamAV debug: ELF: Segment virtual size: 0x64 LibClamAV debug: ------------------------------------ LibClamAV debug: ELF: Segment #2 LibClamAV debug: ELF: Segment type: 0x1 LibClamAV debug: ELF: Segment offset: 0x0 LibClamAV debug: ELF: Segment virtual address: 0x10000 LibClamAV debug: ELF: Segment real size: 0x89deb4 LibClamAV debug: ELF: Segment virtual size: 0x89deb4 LibClamAV debug: ------------------------------------ LibClamAV debug: ELF: Segment #3 LibClamAV debug: ELF: Segment type: 0x1 LibClamAV debug: ELF: Segment offset: 0x8a0000 LibClamAV debug: ELF: Segment virtual address: 0x8b0000 LibClamAV debug: ELF: Segment real size: 0x980630 LibClamAV debug: ELF: Segment virtual size: 0x980630 LibClamAV debug: ------------------------------------ LibClamAV debug: ELF: Segment #4 LibClamAV debug: ELF: Segment type: 0x1 LibClamAV debug: ELF: Segment offset: 0x1230000 LibClamAV debug: ELF: Segment virtual address: 0x1240000 LibClamAV debug: ELF: Segment real size: 0x15b820 LibClamAV debug: ELF: Segment virtual size: 0x1a4778 LibClamAV debug: ------------------------------------ LibClamAV debug: ELF: Segment #5 LibClamAV debug: ELF: Segment type: 0x6474e551 LibClamAV debug: ELF: Segment offset: 0x0 LibClamAV debug: ELF: Segment virtual address: 0x0 LibClamAV debug: ELF: Segment real size: 0x0 LibClamAV debug: ELF: Segment virtual size: 0x0 LibClamAV debug: ------------------------------------ LibClamAV debug: ELF: Entry point address: 0x000000000007ded0 LibClamAV debug: ELF: Entry point offset: 0x000000000006ded0 
(450256) LibClamAV debug: ELF: Number of sections: 23
LibClamAV debug: ELF: Section header table offset: 400
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 0
LibClamAV debug: ELF: Section offset: 0
LibClamAV debug: ELF: Section size: 0
LibClamAV debug: ELF: Section type: Null (no associated section)
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 1
LibClamAV debug: ELF: Section offset: 4096
LibClamAV debug: ELF: Section size: 9031348
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ELF: Section contains executable code
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 2
LibClamAV debug: ELF: Section offset: 9043968
LibClamAV debug: ELF: Section size: 3610275
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 3
LibClamAV debug: ELF: Section offset: 12654272
LibClamAV debug: ELF: Section size: 263
LibClamAV debug: ELF: Section type: String table
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 4
LibClamAV debug: ELF: Section offset: 12654560
LibClamAV debug: ELF: Section size: 25392
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 5
LibClamAV debug: ELF: Section offset: 12679968
LibClamAV debug: ELF: Section size: 10984
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 6
LibClamAV debug: ELF: Section offset: 12690952
LibClamAV debug: ELF: Section size: 0
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 7
LibClamAV debug: ELF: Section offset: 12690976
LibClamAV debug: ELF: Section size: 6316048
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 8
LibClamAV debug: ELF: Section offset: 19070976
LibClamAV debug: ELF: Section size: 4912
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ELF: Section contains writable data
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 9
LibClamAV debug: ELF: Section offset: 19075904
LibClamAV debug: ELF: Section size: 1243460
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ELF: Section contains writable data
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 10
LibClamAV debug: ELF: Section offset: 20319392
LibClamAV debug: ELF: Section size: 174960
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ELF: Section contains writable data
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 11
LibClamAV debug: ELF: Section offset: 20494368
LibClamAV debug: ELF: Section size: 250776
LibClamAV debug: ELF: Section type: Empty section (NOBITS)
LibClamAV debug: ELF: Section contains writable data
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 12
LibClamAV debug: ELF: Section offset: 20745152
LibClamAV debug: ELF: Section size: 48056
LibClamAV debug: ELF: Section type: Empty section (NOBITS)
LibClamAV debug: ELF: Section contains writable data
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 13
LibClamAV debug: ELF: Section offset: 20512768
LibClamAV debug: ELF: Section size: 309
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 14
LibClamAV debug: ELF: Section offset: 20513077
LibClamAV debug: ELF: Section size: 1182422
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 15
LibClamAV debug: ELF: Section offset: 21695499
LibClamAV debug: ELF: Section size: 340918
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 16
LibClamAV debug: ELF: Section offset: 22036417
LibClamAV debug: ELF: Section size: 51
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 17
LibClamAV debug: ELF: Section offset: 22036468
LibClamAV debug: ELF: Section size: 2483808
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 18
LibClamAV debug: ELF: Section offset: 24520276
LibClamAV debug: ELF: Section size: 1981186
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 19
LibClamAV debug: ELF: Section offset: 26501462
LibClamAV debug: ELF: Section size: 553207
LibClamAV debug: ELF: Section type: Program information
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 20
LibClamAV debug: ELF: Section offset: 3996
LibClamAV debug: ELF: Section size: 100
LibClamAV debug: ELF: Section type: Note section
LibClamAV debug: ELF: Section occupies memory
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 21
LibClamAV debug: ELF: Section offset: 27054672
LibClamAV debug: ELF: Section size: 757704
LibClamAV debug: ELF: Section type: Symbol table
LibClamAV debug: ------------------------------------
LibClamAV debug: ELF: Section 22
LibClamAV debug: ELF: Section offset: 27812376
LibClamAV debug: ELF: Section size: 1592073
LibClamAV debug: ELF: Section type: String table
LibClamAV debug: ------------------------------------
LibClamAV debug: Descriptor[3]: Continuing after file scan resulted with: No viruses detected
LibClamAV debug: in cli_elfheader
LibClamAV debug: ELF: ELF class 2 (64-bit)
LibClamAV debug: ELF: Number of program headers: 6
LibClamAV debug: ELF: Number of sections: 23
LibClamAV debug: Matched signature for file type ZIP-SFX at 19076080
LibClamAV debug: Matched signature for file type RAR-SFX at 19076520
LibClamAV debug: Matched signature for file type RAR-SFX at 19076520
LibClamAV debug: Matched signature for file type HTML data at 20077476
LibClamAV debug: Matched signature for file type HTML data
LibClamAV debug: Matched signature for file type HTML data
LibClamAV debug: matcher_run: performing regex matching on full map: 29291136+113313(29404449) >= 29404449
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: CL_TYPE_ZIPSFX signature found at 19076080
LibClamAV debug: in cli_unzip_single
LibClamAV debug: cli_unzip: local header - ZMDNAME:1:���:4294967295:4294927982:692d6c6c:46376:0:1
LibClamAV debug: CDBNAME:CL_TYPE_ZIP:4294927982:���:4294927982:4294967295:1:0:1764584556:0x0
LibClamAV debug: cli_unzip: local header - has data desc
LibClamAV debug: CL_TYPE_RARSFX signature found at 19076520
LibClamAV debug: fmap_dump_to_file: dumping fmap not backed by file...
LibClamAV debug: in scanrar()
unrar_open: Comments are not present in this archive.
unrar_open: Volume attribute (archive volume): no
unrar_open: Archive comment present: no
unrar_open: Archive lock attribute: no
unrar_open: Solid attribute (solid archive): no
unrar_open: New volume naming scheme ('volname.partN.rar'): no
unrar_open: Authenticity information present (obsolete): no
unrar_open: Recovery record present: no
unrar_open: Block headers are encrypted: no
unrar_open: First volume (set only by RAR 3.0 and later): no
unrar_open: Opened archive: /var/folders/ln/vqtgf6r50jj7llpd28yrv60d082fsw/T//20240730_210831-scantemp.fe25d32168/clamav-d4aed806711af70417a1e533c7ea5fc1.tmp
unrar_peek_file_header: Name:
unrar_peek_file_header: Directory?: 0
unrar_peek_file_header: Target Dir: 0
unrar_peek_file_header: RAR Version: 3
unrar_peek_file_header: Packed Size: 8719941959316996884
unrar_peek_file_header: Unpacked Size: 9080236526577124131
LibClamAV debug: RAR: , crc32: 0x35033103, encrypted: 0, compressed: 52232980, normal: 52953891, method: 97, ratio: 1
LibClamAV debug: CDBNAME:CL_TYPE_RAR:8719941959316996884::8719941959316996884:9080236526577124131:0:1:889401603:0x0
LibClamAV debug: RAR: filesize exceeded (allowed: 2147483645, needed: 9080236526577124131)
LibClamAV debug: FP SIGNATURE: 312cc9:10327929:Heuristics.Limits.Exceeded.MaxFileSize # Name: n/a, Type: CL_TYPE_RAR
LibClamAV debug: FP SIGNATURE: 5e5e9c:29404449:Heuristics.Limits.Exceeded.MaxFileSize # Name: arm64-binary, Type: CL_TYPE_ELF
LibClamAV debug: Heuristics.Limits.Exceeded.MaxFileSize: scanning may be incomplete and additional analysis needed for this file.
LibClamAV debug: RAR: Next file is too large (9080236526577124131 bytes); it would exceed max scansize. Skipping to next file.
unrar_skip_file: File skipped.
unrar_retcode: Bad data / File CRC error.
LibClamAV debug: RAR: Error (4) reading file header!
LibClamAV debug: RAR: Exit code: 0
LibClamAV debug: CL_TYPE_RARSFX signature found at 19076520
LibClamAV debug: fmap_dump_to_file: dumping fmap not backed by file...
LibClamAV debug: in scanrar()
unrar_open: Comments are not present in this archive.
unrar_open: Volume attribute (archive volume): no
unrar_open: Archive comment present: no
unrar_open: Archive lock attribute: no
unrar_open: Solid attribute (solid archive): no
unrar_open: New volume naming scheme ('volname.partN.rar'): no
unrar_open: Authenticity information present (obsolete): no
unrar_open: Recovery record present: no
unrar_open: Block headers are encrypted: no
unrar_open: First volume (set only by RAR 3.0 and later): no
unrar_open: Opened archive: /var/folders/ln/vqtgf6r50jj7llpd28yrv60d082fsw/T//20240730_210831-scantemp.fe25d32168/clamav-3d5e7e2157c138de5bd860f56bc2ce0d.tmp
unrar_peek_file_header: Name:
unrar_peek_file_header: Directory?: 0
unrar_peek_file_header: Target Dir: 0
unrar_peek_file_header: RAR Version: 3
unrar_peek_file_header: Packed Size: 8719941959316996884
unrar_peek_file_header: Unpacked Size: 9080236526577124131
LibClamAV debug: RAR: , crc32: 0x35033103, encrypted: 0, compressed: 52232980, normal: 52953891, method: 97, ratio: 1
LibClamAV debug: CDBNAME:CL_TYPE_RAR:8719941959316996884::8719941959316996884:9080236526577124131:0:1:889401603:0x0
LibClamAV debug: RAR: filesize exceeded (allowed: 2147483645, needed: 9080236526577124131)
LibClamAV debug: RAR: Next file is too large (9080236526577124131 bytes); it would exceed max scansize. Skipping to next file.
unrar_skip_file: File skipped.
unrar_retcode: Bad data / File CRC error.
LibClamAV debug: RAR: Error (4) reading file header!
LibClamAV debug: RAR: Exit code: 0
LibClamAV debug: Descriptor[3]: Continuing after file scan resulted with: No viruses detected
LibClamAV debug: Running bytecode hook
LibClamAV debug: Bytecode executing hook id 261 (0 hooks)
LibClamAV debug: Bytecode: no logical signature matched, no bytecode executed
LibClamAV debug: Finished running bytecode hook
LibClamAV debug: Descriptor[3]: Continuing after file scan resulted with: No viruses detected
LibClamAV debug: cli_magic_scan: returning 0 at line 5037
LibClamAV debug: {
  "Magic":"CLAMJSONv0",
  "RootFileType":"CL_TYPE_ELF",
  "FileName":"arm64-binary",
  "FileType":"CL_TYPE_ELF",
  "FileSize":29404449,
  "FileMD5":"5e5e9c",
  "EmbeddedObjects":[
    {
      "FileType":"CL_TYPE_ZIPSFX",
      "Offset":19076080
    },
    {
      "FileType":"CL_TYPE_RARSFX",
      "Offset":19076520,
      "Viruses":[
        "Heuristics.Limits.Exceeded.MaxFileSize"
      ],
      "ParseErrors":[
        "Heuristics.Limits.Exceeded.MaxFileSize"
      ]
    },
    {
      "FileType":"CL_TYPE_RARSFX",
      "Offset":19076520
    }
  ]
}
LibClamAV debug: Bytecode executing hook id 260 (0 hooks)
LibClamAV debug: Bytecode: no logical signature matched, no bytecode executed
/Volumes/git/sandbox/clamav-debug/arm64-binary: Heuristics.Limits.Exceeded.MaxFileSize FOUND
LibClamAV debug: Descriptor[3]: halting after file scan because: Virus(es) detected
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

----------- SCAN SUMMARY -----------
Known viruses: 2038591
Engine version: 1.3.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 29.86 MB
Data read: 28.04 MB (ratio 1.06:1)
Time: 6.226 sec (0 m 6 s)
Start Date: 2024:07:30 21:08:26
End Date:   2024:07:30 21:08:32
```

Unfortunately, I can't share the concrete binary. But happy to dig up more debug information if helpful!

fawind commented 3 months ago

Did some more digging and think this has the same cause as https://github.com/Cisco-Talos/clamav/issues/1143#issuecomment-1894595948.

This is also a compiled golang binary which contains the RAR header bytes because the Go stdlib defines this as a string here: https://github.com/golang/go/blob/b44f6378233ada888f0dc79e0ac56def4673d9ed/src/net/http/sniff.go#L183-L190

Hex of the scanned file at the referenced offset:

[Screenshot 2024-08-01 at 11 14 57: hex dump of the scanned file at the referenced offset]

ClamAV then assumes that this is the beginning of a RAR archive, and tries to read the PACK_SIZE and UNP_SIZE RAR headers to get the archive size. However, given this is not actually a RAR archive, the locations contain effectively random bytes, which result in ClamAV assuming it's a 9 PB archive.

```
unrar_peek_file_header:   Name:
unrar_peek_file_header:   Directory?:    0
unrar_peek_file_header:   Target Dir:    0
unrar_peek_file_header:   RAR Version:   3
unrar_peek_file_header:   Packed Size:   8719941959316996884
unrar_peek_file_header:   Unpacked Size: 9080236526577124131
```

Can we improve the RAR archive detection here? Not sure in what ways we already do this, but maybe we can check for the presence of the HEAD_TYPE bytes or even check if the HEAD_CRC is present?

Currently, any golang binary containing net/http/sniff (or other static references to the RAR header) will likely run into an FP here.
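The header validation fawind proposes, as an added example that is not code from ClamAV, libclamunrar or the comment above: a stand-alone C program that walks the RAR 4.x (RAR 1.5 to 4.x format) block chain, marker, then MAIN_HEAD, then the first FILE_HEAD, and reads PACK_SIZE / UNP_SIZE only after each block's HEAD_TYPE matches and its HEAD_CRC (the low 16 bits of CRC-32 over the header bytes after the CRC field) verifies. The `rar4_*`, `build_rar4_sample` and `demo_*` names are the example's own. The sniff-table sample is constructed: the RAR 4.x marker immediately followed by the RAR 5 marker and a MIME string, which is an assumption about how such a table might sit in a binary's read-only data, not a dump of a real Go executable. The sizes 52232980 / 52953891 are taken from the posted log purely as sample values.

```c
/* rar4_header_check.c: verify RAR 4.x block headers (HEAD_TYPE + HEAD_CRC)
 * before trusting PACK_SIZE / UNP_SIZE. Stand-alone example, not ClamAV code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum rar_verdict { RAR_OK, RAR_TOO_SHORT, RAR_BAD_MARKER, RAR_BAD_TYPE, RAR_BAD_SIZE, RAR_BAD_CRC };
struct rar4_first_file { uint64_t pack_size, unp_size; };

static const uint8_t RAR4_MARKER[7] = {0x52, 0x61, 0x72, 0x21, 0x1A, 0x07, 0x00}; /* "Rar!\x1A\x07\x00" */
#define RAR_HEAD_MAIN   0x73
#define RAR_HEAD_FILE   0x74
#define RAR_FFLAG_LARGE 0x0100 /* FILE_HEAD also carries HIGH_PACK_SIZE / HIGH_UNP_SIZE */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Standard CRC-32 (reflected, init 0xFFFFFFFF, final XOR). RAR stores its low 16 bits as HEAD_CRC. */
static uint32_t crc32_ieee(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* One block header: HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2) ... ; the CRC covers
 * bytes [2, HEAD_SIZE). Reject on wrong type, implausible size or CRC mismatch. */
static enum rar_verdict rar4_check_block(const uint8_t *b, size_t len, uint8_t want_type, uint16_t *size_out)
{
    if (len < 7) return RAR_TOO_SHORT;
    uint16_t size = rd16(b + 5);
    if (b[2] != want_type) return RAR_BAD_TYPE;
    if (size < 7 || size > len) return RAR_BAD_SIZE;
    if ((crc32_ieee(b + 2, size - 2u) & 0xFFFFu) != rd16(b)) return RAR_BAD_CRC;
    *size_out = size;
    return RAR_OK;
}

/* marker -> MAIN_HEAD -> first FILE_HEAD; sizes are read only after both headers verify. */
enum rar_verdict rar4_first_file_sizes(const uint8_t *buf, size_t len, struct rar4_first_file *out)
{
    uint16_t hsize;
    enum rar_verdict v;
    if (len < sizeof RAR4_MARKER) return RAR_TOO_SHORT;
    if (memcmp(buf, RAR4_MARKER, sizeof RAR4_MARKER) != 0) return RAR_BAD_MARKER;
    size_t off = sizeof RAR4_MARKER;
    if ((v = rar4_check_block(buf + off, len - off, RAR_HEAD_MAIN, &hsize)) != RAR_OK) return v;
    off += hsize;
    if ((v = rar4_check_block(buf + off, len - off, RAR_HEAD_FILE, &hsize)) != RAR_OK) return v;
    const uint8_t *fh = buf + off;
    uint16_t flags = rd16(fh + 3);
    if (hsize < ((flags & RAR_FFLAG_LARGE) ? 40u : 32u)) return RAR_BAD_SIZE;
    out->pack_size = rd32(fh + 7);  /* PACK_SIZE */
    out->unp_size = rd32(fh + 11);  /* UNP_SIZE */
    if (flags & RAR_FFLAG_LARGE) {
        out->pack_size |= (uint64_t)rd32(fh + 32) << 32;
        out->unp_size |= (uint64_t)rd32(fh + 36) << 32;
    }
    return RAR_OK;
}

static void seal_block(uint8_t *b) { wr16(b, (uint16_t)(crc32_ieee(b + 2, rd16(b + 5) - 2u) & 0xFFFFu)); }

/* Constructed sample archive head: marker, 13-byte MAIN_HEAD, one stored FILE_HEAD, correct CRCs. */
size_t build_rar4_sample(uint8_t *out, size_t cap, uint32_t pack, uint32_t unp, const char *name)
{
    size_t nlen = strlen(name), fsize = 32 + nlen, total = 7 + 13 + fsize;
    if (cap < total || fsize > 0xFFFF) return 0;
    memset(out, 0, total);
    memcpy(out, RAR4_MARKER, 7);
    uint8_t *mh = out + 7;                      /* MAIN_HEAD: flags 0, HighPosAV/PosAV zero */
    mh[2] = RAR_HEAD_MAIN; wr16(mh + 5, 13); seal_block(mh);
    uint8_t *fh = mh + 13;                      /* FILE_HEAD with 32-bit sizes (no LARGE flag) */
    fh[2] = RAR_HEAD_FILE; wr16(fh + 3, 0x8000); wr16(fh + 5, (uint16_t)fsize);
    wr32(fh + 7, pack); wr32(fh + 11, unp);
    fh[15] = 3; fh[24] = 29; fh[25] = 0x30;     /* HOST_OS Unix, UNP_VER 2.9, METHOD store */
    wr16(fh + 26, (uint16_t)nlen); memcpy(fh + 32, name, nlen);
    seal_block(fh);
    return total;
}

/* Constructed stand-in for a sniff table in read-only data (layout is an assumption):
 * RAR 4.x marker, then the RAR 5 marker, then "application/x-rar-compressed". */
static const uint8_t SNIFF_TABLE[] = {
    0x52, 0x61, 0x72, 0x21, 0x1A, 0x07, 0x00,
    0x52, 0x61, 0x72, 0x21, 0x1A, 0x07, 0x01, 0x00,
    'a','p','p','l','i','c','a','t','i','o','n','/','x','-','r','a','r','-','c','o','m','p','r','e','s','s','e','d'
};

int demo_valid_sample(void)  /* 1 when the headers verify and both sizes round-trip */
{
    uint8_t buf[128]; struct rar4_first_file ff;
    size_t len = build_rar4_sample(buf, sizeof buf, 52232980u, 52953891u, "a.txt");
    if (!len || rar4_first_file_sizes(buf, len, &ff) != RAR_OK) return 0;
    return ff.pack_size == 52232980u && ff.unp_size == 52953891u;
}
enum rar_verdict demo_sniff_table(void)  /* bytes after the marker are not a MAIN_HEAD */
{
    struct rar4_first_file ff;
    return rar4_first_file_sizes(SNIFF_TABLE, sizeof SNIFF_TABLE, &ff);
}
enum rar_verdict demo_tampered_crc(void)  /* right type and size, but HEAD_CRC no longer matches */
{
    uint8_t buf[128]; struct rar4_first_file ff;
    size_t len = build_rar4_sample(buf, sizeof buf, 1, 1, "a.txt");
    buf[7] ^= 0x01;                             /* flip one bit of MAIN_HEAD's stored HEAD_CRC */
    return rar4_first_file_sizes(buf, len, &ff);
}

int main(void)
{
    static const char *names[] = {"OK", "TOO_SHORT", "BAD_MARKER", "BAD_TYPE", "BAD_SIZE", "BAD_CRC"};
    printf("valid sample : %s\n", demo_valid_sample() ? "OK, sizes round-trip" : "FAILED");
    printf("sniff table  : %s\n", names[demo_sniff_table()]);
    printf("tampered CRC : %s\n", names[demo_tampered_crc()]);
    return 0;
}
```

With the sniff-table bytes the walk stops at the MAIN_HEAD position, because the byte where HEAD_TYPE should be 0x73 is the 'r' of the second marker; a random type of 0x73 would still have to survive the 16-bit CRC, which is the stronger of the two checks. Only the marker is treated as a fixed 7-byte sequence; every later block is validated before any size field in it is believed.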