Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

Feature Request: Support unpack AR archive format (.deb Packages) #636

Open Schroeffu opened 2 years ago

Schroeffu commented 2 years ago

Feature Request

Would it be possible to enhance ClamAV to support unpacking the "AR" archive format? This would make it possible to scan all .deb packages for malware inside, which does not yet seem to be working as long as other archives (GZIP) are inside the .deb.

.deb packages are "AR" Archive format. Viruses in mypackage.deb (AR Archive Type) > data.tar.zst (gzip archive type) > Viruses inside of this GZIP are not detected.

Clamav-Users Mailinglist discussion about that: https://lists.clamav.net/pipermail/clamav-users/2022-July/012780.html

How to reproduce the problem

  1. Create a testfile.deb file with malware inside of AR > GZIP > myvirus.file

     mysoftware_version_1-1.deb [AR Archive Type]
       └── data.tar.zst [GZIP Archive Type]
             └── /usr/bin/mysoftware/xyz/files_myvirus_abc

  2. Or scan my prepared .deb with malware + EICAR inside (real malware inside, Dropper .exe)

wget "https://seafile.schroeffu.ch/f/876b201b6d614d66a87e/?dl=1" -O /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb && clamdscan -z /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb

Now unpack & scan again, malware detected:

ar x /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb && clamdscan -z /tmp/data.tar.zst

root@vmd95035:~# wget "https://seafile.schroeffu.ch/f/876b201b6d614d66a87e/?dl=1" -O /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb && clamdscan -z /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb
--2022-07-15 15:36:54--  https://seafile.schroeffu.ch/f/876b201b6d614d66a87e/?dl=1
Resolving seafile.schroeffu.ch (seafile.schroeffu.ch)... 75.119.159.75
Connecting to seafile.schroeffu.ch (seafile.schroeffu.ch)|75.119.159.75|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://seafile.schroeffu.ch/seafhttp/files/f6f272c2-46eb-4846-9214-661ac5133932/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb [following]
--2022-07-15 15:36:54--  https://seafile.schroeffu.ch/seafhttp/files/f6f272c2-46eb-4846-9214-661ac5133932/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb
Reusing existing connection to seafile.schroeffu.ch:443.
HTTP request sent, awaiting response... 200 OK
Length: 7215918 (6.9M) [application/octet-stream]
Saving to: ‘/tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb’

/tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalwar 100%[=====================================================================================================================>]   6.88M  22.8MB/s    in 0.3s    

2022-07-15 15:36:55 (22.8 MB/s) - ‘/tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb’ saved [7215918/7215918]

/tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 3.742 sec (0 m 3 s)
Start Date: 2022:07:15 15:36:55
End Date:   2022:07:15 15:36:58
root@vmd95035:~# ar x /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb && clamdscan -z /tmp/data.tar.zst
/tmp/data.tar.zst: Win.Dropper.Corebot-7599208-0 FOUND
/tmp/data.tar.zst: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/data.tar.zst: {HEX}EICAR.TEST.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 22.353 sec (0 m 22 s)
Start Date: 2022:07:15 15:37:04
End Date:   2022:07:15 15:37:27
root@vmd95035:~# clamconf -n
Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
PreludeAnalyzerName = "ClamAV"
LogFile = "/var/log/clamav/clamav.log"
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
MaxConnectionQueueLength = "15"
StreamMaxLength = "52428800"
MaxThreads = "12"
ReadTimeout = "180"
SendBufTimeout = "200"
MaxDirectoryRecursion = "100"
SelfCheck = "3600"
DisableCache = "yes"
User = "clamav"
BytecodeTimeout = "60000"
MaxScanTime = "120000"
MaxRecursion = "16"
MaxEmbeddedPE = "20971520"
MaxHTMLNormalize = "20971520"
MaxHTMLNoTags = "4194304"
MaxScriptNormalize = "10485760"
MaxZipTypeRcg = "2097152"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "5000"
OnAccessMaxFileSize = "15728640"
OLE2BlockMacros = "yes"

Config file: freshclam.conf
---------------------------
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogRotate = "yes"
UpdateLogFile = "/var/log/clamav/freshclam.log"
Checks = "24"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
MaxAttempts = "5"

clamav-milter.conf not found

Software settings
-----------------
Version: 0.103.6
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON 

Database information
--------------------
Database directory: /var/lib/clamav
[3rd Party] CVE-2018-20250.yar: 22 sigs
[3rd Party] spear.ndb: 1 sig 
[3rd Party] winnow.attachments.hdb: 1 sig 
[3rd Party] bofhland_malware_attach.hdb: 1836 sigs
[3rd Party] sanesecurity.ftm: 184 sigs
[3rd Party] spamattach.hdb: 14 sigs
[3rd Party] bofhland_phishing_URL.ndb: 72 sigs
[3rd Party] CVE-2015-2545.yar: 76 sigs
[3rd Party] blurl.ndb: 4507 sigs
bytecode.cvd: version 333, sigs: 92, built on Mon Mar  8 16:21:51 2021
[3rd Party] Sanesecurity_sigtest.yara: 54 sigs
[3rd Party] MiscreantPunch099-Low.ldb: 1199 sigs
[3rd Party] whitelist.fp: 3081 sigs
[3rd Party] bofhland_malware_URL.ndb: 4 sigs
[3rd Party] Email_fake_it_maintenance_bulletin.yar: 29 sigs
[3rd Party] CVE-2015-5119.yar: 22 sigs
[3rd Party] Sanesecurity_spam.yara: 46 sigs
[3rd Party] lott.ndb: 2338 sigs
[3rd Party] CVE-2012-0158.yar: 27 sigs
[3rd Party] phish.ndb: 28542 sigs
[3rd Party] badmacro.ndb: 640 sigs
[3rd Party] foxhole_filename.cdb: 3169 sigs
[3rd Party] email_Ukraine_BE_powerattack.yar: 33 sigs
[3rd Party] WShell_ASPXSpy.yar: 21 sigs
[3rd Party] CVE-2010-1297.yar: 20 sigs
[3rd Party] CVE-2016-5195.yar: 40 sigs
[3rd Party] rfxn.ndb: 2039 sigs
[3rd Party] CVE-2013-0422.yar: 25 sigs
[3rd Party] CVE-2015-2426.yar: 49 sigs
[3rd Party] jurlbla.ndb: 1606 sigs
[3rd Party] interserver256.hdb: 28576 sigs
[3rd Party] bofhland_cracked_URL.ndb: 40 sigs
[3rd Party] scam.ndb: 12824 sigs
[3rd Party] Email_quota_limit_warning.yar: 31 sigs
[3rd Party] spam.ldb: 2 sigs
[3rd Party] EMAIL_Cryptowall.yar: 52 sigs
[3rd Party] WShell_Drupalgeddon2_icos.yar: 26 sigs
[3rd Party] interservertopline.db: 1139 sigs
[3rd Party] jurlbl.ndb: 5855 sigs
[3rd Party] porcupine.hsb: 423 sigs
[3rd Party] spamimg.hdb: 216 sigs
[3rd Party] sigwhitelist.ign2: 15 sigs
[3rd Party] rfxn.hdb: 12946 sigs
[3rd Party] spearl.ndb: 1 sig 
[3rd Party] rfxn.yara: 11527 sigs
[3rd Party] winnow_extended_malware.hdb: 1 sig 
[3rd Party] foxhole_js.ndb: 4 sigs
[3rd Party] foxhole_generic.cdb: 213 sigs
[3rd Party] shelter.ldb: 49 sigs
[3rd Party] winnow.complex.patterns.ldb: 3 sigs
[3rd Party] porcupine.ndb: 7578 sigs
[3rd Party] CVE-2018-4878.yar: 39 sigs
[3rd Party] winnow_spam_complete.ndb: 26 sigs
[3rd Party] winnow_extended_malware_links.ndb: 1 sig 
[3rd Party] scam.yar: 35 sigs
[3rd Party] EK_BleedingLife.yar: 112 sigs
[3rd Party] CVE-2010-0805.yar: 19 sigs
[3rd Party] foxhole_js.cdb: 48 sigs
[3rd Party] winnow_bad_cw.hdb: 1 sig 
[3rd Party] CVE-2015-1701.yar: 30 sigs
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 14:32:42 2021
[3rd Party] CVE-2013-0074.yar: 22 sigs
[3rd Party] junk.ndb: 56018 sigs
[3rd Party] winnow_malware_links.ndb: 133 sigs
[3rd Party] hackingteam.hsb: 435 sigs
[3rd Party] CVE-2017-11882.yar: 66 sigs
[3rd Party] winnow_phish_complete_url.ndb: 54 sigs
[3rd Party] winnow_malware.hdb: 1 sig 
[3rd Party] CVE-2010-0887.yar: 22 sigs
daily.cld: version 26602, sigs: 1990123, built on Fri Jul 15 09:57:14 2022
[3rd Party] phishtank.ndb: 4588 sigs
[3rd Party] rogue.hdb: 3038 sigs
[3rd Party] malwarehash.hsb: 771 sigs
Total number of signatures: 8834319

Platform information
--------------------
uname: Linux 5.4.0-105-generic #119-Ubuntu SMP Mon Mar 7 18:49:24 UTC 2022 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
Full OS version: Ubuntu 20.04.4 LTS
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a217f7f0800000000090400

Build information
-----------------
GNU C: 9.4.0 (9.4.0)
CPPFLAGS: -Wdate-time -D_FORTIFY_SOURCE=2
CFLAGS: -g -O2 -fdebug-prefix-map=/build/clamav-1RbSOK/clamav-0.103.6+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64  -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -g -O2 -fdebug-prefix-map=/build/clamav-1RbSOK/clamav-0.103.6+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64
LDFLAGS: -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed
Configure: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/clamav-1RbSOK/clamav-0.103.6+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/clamav-1RbSOK/clamav-0.103.6+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--with-dbdir=/var/lib/clamav' '--sysconfdir=/etc/clamav' '--disable-clamav' '--disable-unrar' '--enable-milter' '--enable-dns-fix' '--with-libjson' '--with-system-libmspack' '--with-libcurl=/usr' '--with-gnu-ld' '--with-systemdsystemunitdir=/lib/systemd/system' 'build_alias=x86_64-linux-gnu' 'OBJCFLAGS=-g -O2 -fdebug-prefix-map=/build/clamav-1RbSOK/clamav-0.103.6+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security'
sizeof(void*) = 8
Engine flevel: 127, dconf: 127
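To make the container structure described in the report concrete, here is a minimal parser for the ar format a .deb uses, added as an illustration (not code from the issue or from ClamAV). It walks the fixed 60-byte member headers, honours the even-byte padding, and reports which nested compression each member carries, which is the inventory a scanner needs before it can recurse into data.tar.*; the sample archive is constructed inline, not the package from the report.

```python
import gzip

AR_MAGIC = b"!<arch>\n"
HEADER_LEN = 60
# Magic bytes of the compressed tarballs a .deb's control/data members carry.
NESTED_MAGICS = {b"\x1f\x8b": "gzip", b"\x28\xb5\x2f\xfd": "zstd", b"\xfd7zXZ\x00": "xz"}


def ar_member(name: bytes, data: bytes) -> bytes:
    """Encode one ar member: 60-byte ASCII header, then data padded to an even length."""
    header = b"%-16s%-12d%-6d%-6d%-8o%-10d`\n" % (name, 0, 0, 0, 0o100644, len(data))
    assert len(header) == HEADER_LEN
    return header + data + (b"\n" if len(data) % 2 else b"")


def parse_ar(blob: bytes):
    """Yield (member name, payload) for every member, validating magic, headers and sizes."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    off = len(AR_MAGIC)
    while off + HEADER_LEN <= len(blob):
        hdr = blob[off:off + HEADER_LEN]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % off)
        # GNU ar writes "name/"; dpkg writes "name". Accept both spellings.
        name = hdr[0:16].rstrip(b" ").rstrip(b"/").decode("ascii")
        size = int(hdr[48:58].strip())
        start = off + HEADER_LEN
        payload = blob[start:start + size]
        if len(payload) != size:
            raise ValueError("truncated member %r" % name)
        yield name, payload
        off = start + size + (size % 2)  # members are aligned to even offsets


def nested_type(payload: bytes) -> str:
    """Classify a member by its leading magic so the right decompressor can be chosen."""
    for magic, kind in NESTED_MAGICS.items():
        if payload.startswith(magic):
            return kind
    return "unknown"


def inventory(deb: bytes):
    """List (name, size, nested type) so each member can be handed to a scanner separately."""
    return [(name, len(p), nested_type(p)) for name, p in parse_ar(deb)]


# Constructed sample in the layout of a .deb: debian-binary, control.tar.gz (real gzip
# stream), data.tar.zst (zstd magic followed by constructed filler, not a real frame).
SAMPLE_DEB = (
    AR_MAGIC
    + ar_member(b"debian-binary", b"2.0\n")
    + ar_member(b"control.tar.gz", gzip.compress(b"Package: example\n", mtime=0))
    + ar_member(b"data.tar.zst", b"\x28\xb5\x2f\xfd" + b"constructed-zstd-frame")
)
```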

Sanesecurity commented 6 months ago

Could some Rust ar packages be used?

https://repology.org/project/rust:ar/packages

micahsnyder commented 5 months ago

@Sanesecurity your link seems to be broken. But yeah, it would be easier to bring in AR support from an existing Rust crate.

We're presently integrating support for two archive types in Rust: ALZ and LHZ.

The LHZ one is using an existing Rust crate (delharc) and may be a decent example if someone wants to do the same for AR support.

Sanesecurity commented 5 months ago

Odd... here are some separate links:

https://crates.io/crates/ar
https://sources.debian.org/src/rust-ar/0.9.0-1/
https://github.com/mdsteele/rust-ar

Schroeffu commented 2 weeks ago

Is this implemented in 1.4.0? See the changelog: https://github.com/Cisco-Talos/clamav/releases/tag/clamav-1.4.0

micahsnyder commented 2 weeks ago

> Is this implemented in 1.4.0? See the changelog: https://github.com/Cisco-Talos/clamav/releases/tag/clamav-1.4.0

Just ALZ and LHA/LZH file types. Not AR. So .deb AR archives are still just treated as binary data.