email and .RAR archives
alch
Site Admin
RAR support is very limited in clamav, it only supports RAR2 archives. You should be able to use unrar.exe (from unix port) with --unrar=<path to unrar.exe> command line option. The next update should have improved RAR files support.
Vanni
Thank you for your quick reply!
Yes, I noticed that the support was lacking, and I copied the latest unrar.exe from rarlabs into the system path. The point is, clamscan manages to extract with --unrar when it finds a .RAR archive file. The test file gets extracted, scanned and correctly identified. On the other hand, if I put the complete email message somewhere, and try to scan that file with clamscan, only executables alone and other archives (zip, gz, bz2) or plain executables get correctly handled. Seems like clamscan can't identify the attachment as a .RAR archive and goes on checking without triggering the archive handler. But ONLY when the archive is .RAR and inside an email message.
Hope this helps you.
alch
Site Admin
Do you have the "Treat files as Mailboxes" option selected in clamwin advanced options? (Turning this option off adds the --no-mail parameter to the clamscan.exe command line.)
Vanni
No, I'm using a script to automatically perform the scan of each email arriving on my server.
As I said, other archives inside email files get correctly identified, trigger the extraction part, then get scanned and identified. The mail server sees the trigger from the errorlevel the script leaves and forwards the virus to me rather than delivering it. The only kind of archive that's not treated is .RAR.
Ah, also .7z is unknown; luckily I haven't seen it used that much.
Thanks for the good work.
alch
Site Admin
Hmm, odd. I'll test here when I get a bit of free time. 7z is not supported by clamav yet.
Vanni
Hi,
I just remembered the --debug feature and I'm giving it a try to see what's up with that email with a rar inside. As of now, the email is correctly identified, the unrarlib gets called but then something goes wrong.
Now I'll do some more tests with different unrar executables to see what the results are.
edit 31-08-2006 09:45
The attachment decoding routine does well, decodes the attachment, then passes on the control to the unpacking routine. This one calls unrarlib and when this fails due to unknown compression method, instead of correctly interpreting the --UNRAR cmd line parameter, simply quits right after printing the last line. Here is the output from the same scan done on the archive without email wrapping.
Seems to me that only in case of email wrapped archive the unrarlib failure isn't correctly recognized, leading to the archive not being passed through the external unrar routine, even if specified. This happens both with unrar from unxutils and with unrar from the winrar site. Meanwhile I think I'll set up a filter not letting through RAR archives.
edit 31-08-2006 10:48
While browsing I found the clamav native port here: https://www.bandsman.co.uk/clamav.htm. Seems to be compiled against clamav CVS, and seems to have fixed this issue. While I still wait to see it fixed with clamwin, I'll try to use that as a temporary fix.
Bye
Vanni
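Added example, not part of the thread and not ClamWin or ClamAV code: one way to build the stopgap mentioned in the last post, a gateway filter that flags RAR attachments by decoding each MIME part and looking for the RAR marker bytes instead of trusting the file name. The function names, the exit code 1 for "found" and the sample message are assumptions made for this sketch.

```python
import email
import sys
from email import policy
from email.message import EmailMessage

# RAR markers: 1.5-4.x archives first, then RAR 5 archives.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
# Self-extracting archives put the marker after an executable stub, so search
# the first 1 MiB of each part instead of testing only offset 0.
SFX_SCAN_LIMIT = 1024 * 1024


def is_rar(payload: bytes) -> bool:
    head = payload[:SFX_SCAN_LIMIT]
    return any(magic in head for magic in RAR_MAGICS)


def rar_attachments(raw_message: bytes) -> list:
    """Names of MIME leaf parts whose decoded bytes contain a RAR marker."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into nested messages
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undo base64/quoted-printable
        if is_rar(payload):
            hits.append(part.get_filename() or "<unnamed part>")
    return hits


def build_sample(attachment: bytes, filename: str) -> bytes:
    """Constructed message with one base64 attachment (sample data only)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(attachment, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read()
    else:  # no file given: run on a constructed sample with a misleading name
        raw = build_sample(RAR_MAGICS[0] + b"\x00" * 32, "invoice.pdf")
    found = rar_attachments(raw)
    for name in found:
        print("RAR attachment:", name)
    sys.exit(1 if found else 0)  # assumed convention: non-zero means "hold this mail"
```

Because the check runs on the decoded part content, a renamed archive or a self-extracting one is still caught; the substring search can occasionally flag a non-RAR file that happens to contain the marker, which is acceptable for a hold-and-review filter.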
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.


