Bugzilla – Bug 11959
RAR Version 5 not supported
Last modified: 2019-03-09 15:46:27 EST
Hi, do you already know that RAR file format version 5 is not supported? It's very easy to detect by the different magic number; also see here: https://en.wikipedia.org/wiki/RAR_(file_format) If you want, I can also upload samples I catch with my mail filters... br johannes
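The magic-number check mentioned in the report above, as an added example that is not part of the bug thread or of ClamAV's code: it classifies a buffer as RAR 4.x or RAR 5 by signature rather than by extension, so a mail filter can hold archives its scanner cannot unpack. The `triage` policy, the `scanner_max_rar` parameter, the 1 MiB search window and the sample names are assumptions made for illustration.

```python
"""Classify RAR container version by signature, ignoring the file extension."""

RAR_PREFIX = b"Rar!\x1a\x07"            # common to both generations
RAR4_MAGIC = RAR_PREFIX + b"\x00"       # RAR 1.5 - 4.x
RAR5_MAGIC = RAR_PREFIX + b"\x01\x00"   # RAR 5.0 and later
SFX_WINDOW = 1024 * 1024  # assumption: how far to search past an SFX stub


def rar_version(data: bytes, window: int = SFX_WINDOW):
    """Return (version, offset) of the first RAR signature, else (None, -1)."""
    head = data[:window + len(RAR5_MAGIC)]
    pos = head.find(RAR_PREFIX)
    while pos != -1:
        tail = head[pos + len(RAR_PREFIX):pos + len(RAR5_MAGIC)]
        if tail == b"\x01\x00":
            return 5, pos
        if tail[:1] == b"\x00":
            return 4, pos
        pos = head.find(RAR_PREFIX, pos + 1)  # prefix only, keep looking
    return None, -1


def triage(attachments, scanner_max_rar=4):
    """Map attachment name -> 'scan', 'hold' (scanner cannot unpack) or 'not-rar'."""
    verdicts = {}
    for name, data in attachments.items():
        version, _ = rar_version(data)
        if version is None:
            verdicts[name] = "not-rar"
        elif version > scanner_max_rar:
            verdicts[name] = "hold"
        else:
            verdicts[name] = "scan"
    return verdicts


# Constructed sample inputs: signature bytes plus filler, not real archives.
SAMPLES = {
    "invoice.r02": RAR5_MAGIC + b"\x00" * 16,
    "old.rar": RAR4_MAGIC + b"\x00" * 16,
    "sfx.exe": b"MZ" + b"\x90" * 510 + RAR5_MAGIC + b"\x00" * 16,
    "notes.txt": b"Rar! is mentioned here but this is plain text",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```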
Johannes, Thanks, we will review for 0.99.4.
Steve, thanks for the information. Do you want me to upload my malware samples? johannes
Created attachment 7318 rar5 wont scan malware .r11 (rar v5)
Details for attachment:
Details: RAR 5
Name: IMGS 20171311.exe
Type: File
Size: 1564447
Packed size: 1520320
Ratio: 97%
mtime: 2017-11-13 04:23,385
Attributes: ..A....
CRC32: 00C83466
Host OS: Windows
Compression: RAR 5.0(v0) -m3 -md=2M

Clamscan debug:
LibClamAV debug: searching for unrar, user-searchpath:
LibClamAV debug: searching for unrar: libclamunrar_iface.dll.6.0.4 not found
LibClamAV debug: searching for unrar: libclamunrar_iface.dll.6 not found
LibClamAV debug: unrar support loaded from libclamunrar_iface unrar
LibClamAV debug: in scanrar()
LibClamAV debug: No bytecodes loaded, not running builtin test
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized RAR file
LibClamAV debug: cache_check: 2d3a2ffa250cb34248e9d6778aee13a1 is negative
LibClamAV debug: in scanrar()
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: Descriptor[3]: Can't unpack some data
LibClamAV debug: cli_magic_scandesc: returning 0 at line 2559
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up
Created attachment 7319 sample 1
Created attachment 7320 sample2
Created attachment 7357 sample3
Created attachment 7358 sample4
Created attachment 7368 sample5
Created attachment 7373 sampe6
Thanks for the continued sample submissions. We don't presently have the resources to research & develop code to support RAR v5, but these will help when we get the chance. Sorry it's been so quiet. We're feverishly working on other things at the moment.
Do you want me to upload further samples when I get them? johannes
Honestly, haven't had the chance to review any of these yet -- but I won't complain, and it certainly demonstrates your interest in the feature request.
*** Bug 11681 has been marked as a duplicate of this bug. ***
*** Bug 11927 has been marked as a duplicate of this bug. ***
*** Bug 12040 has been marked as a duplicate of this bug. ***
*** Bug 12043 has been marked as a duplicate of this bug. ***
Here is GNU GPL-licensed code on GitHub that can handle RAR5: https://github.com/DrMcCoy/dmc_unrar
*** Bug 12050 has been marked as a duplicate of this bug. ***
Lots of Rar v5 Malware today:
08/05/2018 08:06 678,662 DELIVERY_ADDRESS_CONFIRMATION.r02
08/05/2018 08:06 678,682 DHL_AWBXXX765647675476565475754.r02
08/05/2018 08:05 219,168 Evidence.rar
08/05/2018 08:04 678,662 INVOICE#001346287897683454545.r02
08/05/2018 08:07 269,806 RFQ#049395,pdf.r00
08/05/2018 08:07 270,345 RFQ456785,PDF.r00
08/05/2018 08:04 678,664 STATEMENT_OF_ACCOUNT.r03

Inside RARv5:
2018-05-07 11:31:56 ....A 993037 678464 DELIVERY ADDRESS CONFIRMATION.jar
2018-05-07 11:31:56 ....A 993037 678464 DHL AWBXXX65675454674646556746467865785.jar
2018-05-06 23:39:04 ....A 655360 219092 Evidence.exe
2018-05-07 11:31:56 ....A 993037 678464 INVOICE#001346287897683454545.jar
2018-05-07 11:31:56 ....A 993037 678464 STATEMENT OF ACCOUNT____PDF___.jar

Can't do a hash sig, as nothing extracted, can't do a CDB either. Think this needs bumping up the priority list please.
Yup, we hear you. Adding v5 support is on our short-list for v0.101.
I'm getting close to finishing the development portion of this, though there will be quite a bit of testing required. We're switching to Rarlab's C++ based Unrar (5.6.5) library. The good news being that it has better coverage than any other rar extraction library out there. The bad news is that libclamunrar (vanilla unrar from Rarlab) will still have the same "restrictive" GPL-incompatible license (it's freeware, but you may not reverse engineer it to create a RAR archive compressor).
*** Bug 12191 has been marked as a duplicate of this bug. ***
*** Bug 12195 has been marked as a duplicate of this bug. ***
*** Bug 12206 has been marked as a duplicate of this bug. ***
Unrar 5 support implemented and just merged into dev/0.101 in this series of commits that switches to use rarlab's C++ based unrar library:
https://github.com/Cisco-Talos/clamav-devel/commit/01eebc1369fbfebec9d19514ac031fbdec5579c2
https://github.com/Cisco-Talos/clamav-devel/commit/78dab009058aefe7cc4922bf7ec554217c1d6c97
https://github.com/Cisco-Talos/clamav-devel/commit/e4aaa6edf0de95ed2162fad5342bd81595b7d431
https://github.com/Cisco-Talos/clamav-devel/commit/959a7b3fa957b5728cc53dc86ca54f3e1def85bf
https://github.com/Cisco-Talos/clamav-devel/commit/4f1230269ba445ff98f1d1988e55fa328b3b9494