Bug 12621 - problems with compressed rar files with special characters
Status: RESOLVED FIXED
Product: ClamAV
Classification: ClamAV
Component: clamscan
Version: 0.102.4
Hardware: x86_64 GNU/Linux
Importance: P3 normal
Target Milestone: 0.101.0
Assigned To: ClamAV team
Duplicates: 12373

Reported: 2020-10-05 04:40 EDT by Iulian
Modified: 2020-10-06 19:56 EDT

Description Iulian 2020-10-05 04:40:50 EDT
Hello,

If a rar archive contains files that have special characters (in this case Ă), then the name of the file is truncated. This also means that the file loses its extension and the possibility to create regexp signatures.

The problem does not appear on zip/7z/gz or other types of archives tested.
The problem does not appear if special characters are not present in the file name.

How to replicate:

touch CONSILIERE\ PLATĂ_Pdf.exe
echo test > CONSILIERE\ PLATĂ_Pdf.exe
rar a just.rar CONSILIERE\ PLATĂ_Pdf.exe

clamscan --debug -d ../../my_exe_in_archive.cdb just.rar
LibClamAV debug: searching for unrar, user-searchpath: /usr/lib64
LibClamAV debug: unrar support loaded from /usr/lib64/libclamunrar_iface.so.9.0.4 libclamunrar_iface_so_9_0
LibClamAV debug: Initialized 0.102.4 engine
LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Bytecode initialized in interpreter mode
LibClamAV debug: ../../my_exe_in_archive.cdb loaded
LibClamAV debug: Initializing engine->root[0]
LibClamAV debug: Initializing AC pattern matcher of root[0]
LibClamAV debug: cli_initroots: Initializing BM tables of root[0]
LibClamAV debug: Initializing engine->root[1]
LibClamAV debug: Initializing AC pattern matcher of root[1]
LibClamAV debug: cli_initroots: Initializing BM tables of root[1]
LibClamAV debug: Initializing engine->root[2]
LibClamAV debug: Initializing AC pattern matcher of root[2]
LibClamAV debug: Initializing engine->root[3]
LibClamAV debug: Initializing AC pattern matcher of root[3]
LibClamAV debug: Initializing engine->root[4]
LibClamAV debug: Initializing AC pattern matcher of root[4]
LibClamAV debug: Initializing engine->root[5]
LibClamAV debug: Initializing AC pattern matcher of root[5]
LibClamAV debug: Initializing engine->root[6]
LibClamAV debug: Initializing AC pattern matcher of root[6]
LibClamAV debug: Initializing engine->root[7]
LibClamAV debug: Initializing AC pattern matcher of root[7]
LibClamAV debug: Initializing engine->root[8]
LibClamAV debug: Initializing AC pattern matcher of root[8]
LibClamAV debug: Initializing engine->root[9]
LibClamAV debug: Initializing AC pattern matcher of root[9]
LibClamAV debug: Initializing engine->root[10]
LibClamAV debug: Initializing AC pattern matcher of root[10]
LibClamAV debug: Initializing engine->root[11]
LibClamAV debug: Initializing AC pattern matcher of root[11]
LibClamAV debug: Initializing engine->root[12]
LibClamAV debug: Initializing AC pattern matcher of root[12]
LibClamAV debug: Initializing engine->root[13]
LibClamAV debug: Initializing AC pattern matcher of root[13]
LibClamAV debug: Initializing engine->root[14]
LibClamAV debug: Initializing AC pattern matcher of root[14]
LibClamAV debug: Loaded 155 filetype definitions
LibClamAV debug: Using filter for trie 0
LibClamAV debug: Matcher[0]: GENERIC: AC sigs: 82 (reloff: 1, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 32
LibClamAV debug: Using filter for trie 1
LibClamAV debug: Matcher[1]: PE: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0
LibClamAV debug: Matcher[2]: OLE2: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[3]: HTML: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Using filter for trie 4
LibClamAV debug: Matcher[4]: MAIL: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[5]: GRAPHICS: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[6]: ELF: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Using filter for trie 7
LibClamAV debug: Matcher[7]: ASCII: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[8]: NOT USED: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[9]: MACH-O: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[10]: PDF: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[11]: FLASH: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[12]: JAVA: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[13]: INTERNAL: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[14]: OTHER: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Dynamic engine configuration settings:
LibClamAV debug: --------------------------------------
LibClamAV debug: Module PE: On
LibClamAV debug:    * Submodule     PARITE:     On
LibClamAV debug:    * Submodule       KRIZ:     On
LibClamAV debug:    * Submodule    MAGISTR:     On
LibClamAV debug:    * Submodule    POLIPOS:     On
LibClamAV debug:    * Submodule    MD5SECT:     On
LibClamAV debug:    * Submodule        UPX:     On
LibClamAV debug:    * Submodule        FSG:     On
LibClamAV debug:    * Submodule    SWIZZOR:     ** Off **
LibClamAV debug:    * Submodule     PETITE:     On
LibClamAV debug:    * Submodule     PESPIN:     On
LibClamAV debug:    * Submodule         YC:     On
LibClamAV debug:    * Submodule     WWPACK:     On
LibClamAV debug:    * Submodule     NSPACK:     On
LibClamAV debug:    * Submodule        MEW:     On
LibClamAV debug:    * Submodule      UPACK:     On
LibClamAV debug:    * Submodule     ASPACK:     On
LibClamAV debug:    * Submodule    CATALOG:     On
LibClamAV debug:    * Submodule      CERTS:     On
LibClamAV debug:    * Submodule  MATCHICON:     On
LibClamAV debug:    * Submodule     IMPTBL:     On
LibClamAV debug: Module ELF: On
LibClamAV debug: Module MACHO: On
LibClamAV debug: Module ARCHIVE: On
LibClamAV debug:    * Submodule        RAR:     On
LibClamAV debug:    * Submodule        ZIP:     On
LibClamAV debug:    * Submodule       GZIP:     On
LibClamAV debug:    * Submodule       BZIP:     On
LibClamAV debug:    * Submodule        ARJ:     On
LibClamAV debug:    * Submodule       SZDD:     On
LibClamAV debug:    * Submodule        CAB:     On
LibClamAV debug:    * Submodule        CHM:     On
LibClamAV debug:    * Submodule       OLE2:     On
LibClamAV debug:    * Submodule        TAR:     On
LibClamAV debug:    * Submodule       CPIO:     On
LibClamAV debug:    * Submodule     BINHEX:     On
LibClamAV debug:    * Submodule        SIS:     On
LibClamAV debug:    * Submodule       NSIS:     On
LibClamAV debug:    * Submodule     AUTOIT:     On
LibClamAV debug:    * Submodule    ISHIELD:     On
LibClamAV debug:    * Submodule       7zip:     On
LibClamAV debug:    * Submodule    ISO9660:     On
LibClamAV debug:    * Submodule        DMG:     On
LibClamAV debug:    * Submodule        XAR:     On
LibClamAV debug:    * Submodule    HFSPLUS:     On
LibClamAV debug:    * Submodule         XZ:     On
LibClamAV debug:    * Submodule     PASSWD:     On
LibClamAV debug:    * Submodule        MBR:     On
LibClamAV debug:    * Submodule        GPT:     On
LibClamAV debug:    * Submodule        APM:     On
LibClamAV debug:    * Submodule        EGG:     On
LibClamAV debug: Module DOCUMENT: On
LibClamAV debug:    * Submodule       HTML:     On
LibClamAV debug:    * Submodule        RTF:     On
LibClamAV debug:    * Submodule        PDF:     On
LibClamAV debug:    * Submodule     SCRIPT:     On
LibClamAV debug:    * Submodule HTMLSKIPRAW:    On
LibClamAV debug:    * Submodule     JSNORM:     On
LibClamAV debug:    * Submodule        SWF:     On
LibClamAV debug:    * Submodule      OOXML:     On
LibClamAV debug:    * Submodule      MSPML:     On
LibClamAV debug:    * Submodule        HWP:     On
LibClamAV debug: Module MAIL: On
LibClamAV debug:    * Submodule       MBOX:     On
LibClamAV debug:    * Submodule       TNEF:     On
LibClamAV debug: Module OTHER: On
LibClamAV debug:    * Submodule  UUENCODED:     On
LibClamAV debug:    * Submodule     SCRENC:     On
LibClamAV debug:    * Submodule       RIFF:     On
LibClamAV debug:    * Submodule       JPEG:     On
LibClamAV debug:    * Submodule    CRYPTFF:     On
LibClamAV debug:    * Submodule        DLP:     On
LibClamAV debug:    * Submodule  MYDOOMLOG:     On
LibClamAV debug:    * Submodule PREFILTERING:   On
LibClamAV debug:    * Submodule PDFNAMEOBJ:     On
LibClamAV debug:    * Submodule  PRTNINTXN:     On
LibClamAV debug:    * Submodule        LZW:     On
LibClamAV debug: Module PHISHING On
LibClamAV debug:    * Submodule     ENGINE:     On
LibClamAV debug:    * Submodule    ENTCONV:     On
LibClamAV debug: Module BYTECODE On
LibClamAV debug:    * Submodule INTERPRETER:    On
LibClamAV debug:    * Submodule    JIT X86:     On
LibClamAV debug:    * Submodule    JIT PPC:     On
LibClamAV debug:    * Submodule    JIT ARM:     ** Off **
LibClamAV debug: Module STATS Off
LibClamAV debug: Module PCRE On
LibClamAV debug:    * Submodule    SUPPORT:     On
LibClamAV debug:    * Submodule    OPTIONS:     On
LibClamAV debug:    * Submodule     GLOBAL:     On
LibClamAV debug: pool memory used: 5.929 MB
LibClamAV debug: No bytecodes loaded, not running builtin test
LibClamAV debug: Checking realpath of just.rar
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized RAR file
LibClamAV debug: cache_check: 2c04496b1308e6349e3726f91e156235 is negative
LibClamAV debug: in scanrar()
unrar_open: Comments are not present in this archive.
unrar_open: Volume attribute (archive volume):              no
unrar_open: Archive comment present:                        no
unrar_open: Archive lock attribute:                         no
unrar_open: Solid attribute (solid archive):                no
unrar_open: New volume naming scheme ('volname.partN.rar'): yes
unrar_open: Authenticity information present (obsolete):    no
unrar_open: Recovery record present:                        no
unrar_open: Block headers are encrypted:                    no
unrar_open: First volume (set only by RAR 3.0 and later):   no
unrar_open: Opened archive: /home/iulian/viruses/1/just.rar
unrar_peek_file_header:   Name:          CONSILIERE PLAT
unrar_peek_file_header:   Directory?:    0
unrar_peek_file_header:   Target Dir:    0
unrar_peek_file_header:   RAR Version:   50
unrar_peek_file_header:   Packed Size:   5
unrar_peek_file_header:   Unpacked Size: 5
LibClamAV debug: RAR: CONSILIERE PLAT, crc32: 0x3bb935c6, encrypted: 0, compressed: 5, normal: 5, method: 48, ratio: 1
LibClamAV debug: CDBNAME:CL_TYPE_RAR:5:CONSILIERE PLAT:5:5:0:1:1001993670:(nil)
LibClamAV debug: RAR: Extracting file: CONSILIERE PLAT to /tmp/just.rar.6e638/clamav-d98e67e0f32b84181b5511553eb8891f.tmp
unrar_extract_file: Extracted file to: /tmp/just.rar.6e638/clamav-d98e67e0f32b84181b5511553eb8891f.tmp
LibClamAV debug: RAR: Extraction complete.  Scanning now...
LibClamAV debug: in cli_magic_scandesc (reclevel: 1/16)
LibClamAV debug: Small data (5 bytes)
LibClamAV debug: cli_magic_scandesc: returning 0  at line 4057 (no post, no cache)
unrar_retcode: No more files in archive.
LibClamAV debug: RAR: No more files in archive.
LibClamAV debug: RAR: Exit code: 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: cli_magic_scandesc: returning 0  at line 3202
LibClamAV debug: cache_add: 2c04496b1308e6349e3726f91e156235 (level 0)
/home/iulian/viruses/1/just.rar: OK
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

----------- SCAN SUMMARY -----------
Known viruses: 18
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.015 sec (0 m 0 s)


Where it was replicated:

Gentoo: (install via emerge clamav)

 clamscan -V
ClamAV 0.102.4/25947/Sun Oct  4 16:55:07 2020

Ubuntu: (installed via apt-get install clamav libclamunrar9)
Ubuntu 18.04.1 LTS
clamscan -V
ClamAV 0.102.4/25947/Sun Oct  4 13:55:07 2020


Where it is not visible:
Windows 10 portable win64 version (here somehow Ă becomes A and the file is not truncated)

clamscan.exe --debug -d my_exe_in_archive.cdb "C:\Users\Iulian\Desktop\just.rar"
LibClamAV debug: searching for unrar, user-searchpath:
LibClamAV debug: searching for unrar: libclamunrar_iface.dll.9.0.4 not found
LibClamAV debug: searching for unrar: libclamunrar_iface.dll.9 not found
LibClamAV debug: unrar support loaded from libclamunrar_iface unrar
LibClamAV debug: Initialized 0.102.4 engine
LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Bytecode initialized in JIT mode
LibClamAV debug: my_exe_in_archive.cdb loaded
LibClamAV debug: Initializing engine->root[0]
LibClamAV debug: Initializing AC pattern matcher of root[0]
LibClamAV debug: cli_initroots: Initializing BM tables of root[0]
LibClamAV debug: Initializing engine->root[1]
LibClamAV debug: Initializing AC pattern matcher of root[1]
LibClamAV debug: cli_initroots: Initializing BM tables of root[1]
LibClamAV debug: Initializing engine->root[2]
LibClamAV debug: Initializing AC pattern matcher of root[2]
LibClamAV debug: Initializing engine->root[3]
LibClamAV debug: Initializing AC pattern matcher of root[3]
LibClamAV debug: Initializing engine->root[4]
LibClamAV debug: Initializing AC pattern matcher of root[4]
LibClamAV debug: Initializing engine->root[5]
LibClamAV debug: Initializing AC pattern matcher of root[5]
LibClamAV debug: Initializing engine->root[6]
LibClamAV debug: Initializing AC pattern matcher of root[6]
LibClamAV debug: Initializing engine->root[7]
LibClamAV debug: Initializing AC pattern matcher of root[7]
LibClamAV debug: Initializing engine->root[8]
LibClamAV debug: Initializing AC pattern matcher of root[8]
LibClamAV debug: Initializing engine->root[9]
LibClamAV debug: Initializing AC pattern matcher of root[9]
LibClamAV debug: Initializing engine->root[10]
LibClamAV debug: Initializing AC pattern matcher of root[10]
LibClamAV debug: Initializing engine->root[11]
LibClamAV debug: Initializing AC pattern matcher of root[11]
LibClamAV debug: Initializing engine->root[12]
LibClamAV debug: Initializing AC pattern matcher of root[12]
LibClamAV debug: Initializing engine->root[13]
LibClamAV debug: Initializing AC pattern matcher of root[13]
LibClamAV debug: Initializing engine->root[14]
LibClamAV debug: Initializing AC pattern matcher of root[14]
LibClamAV debug: Loaded 155 filetype definitions
LibClamAV debug: Using filter for trie 0
LibClamAV debug: Matcher[0]: GENERIC: AC sigs: 82 (reloff: 1, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 32
LibClamAV debug: Using filter for trie 1
LibClamAV debug: Matcher[1]: PE: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0
LibClamAV debug: Matcher[2]: OLE2: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[3]: HTML: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Using filter for trie 4
LibClamAV debug: Matcher[4]: MAIL: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[5]: GRAPHICS: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[6]: ELF: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Using filter for trie 7
LibClamAV debug: Matcher[7]: ASCII: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[8]: NOT USED: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[9]: MACH-O: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[10]: PDF: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[11]: FLASH: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[12]: JAVA: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[13]: INTERNAL: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[14]: OTHER: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Dynamic engine configuration settings:
LibClamAV debug: --------------------------------------
LibClamAV debug: Module PE: On
LibClamAV debug:    * Submodule     PARITE:     On
LibClamAV debug:    * Submodule       KRIZ:     On
LibClamAV debug:    * Submodule    MAGISTR:     On
LibClamAV debug:    * Submodule    POLIPOS:     On
LibClamAV debug:    * Submodule    MD5SECT:     On
LibClamAV debug:    * Submodule        UPX:     On
LibClamAV debug:    * Submodule        FSG:     On
LibClamAV debug:    * Submodule    SWIZZOR:     ** Off **
LibClamAV debug:    * Submodule     PETITE:     On
LibClamAV debug:    * Submodule     PESPIN:     On
LibClamAV debug:    * Submodule         YC:     On
LibClamAV debug:    * Submodule     WWPACK:     On
LibClamAV debug:    * Submodule     NSPACK:     On
LibClamAV debug:    * Submodule        MEW:     On
LibClamAV debug:    * Submodule      UPACK:     On
LibClamAV debug:    * Submodule     ASPACK:     On
LibClamAV debug:    * Submodule    CATALOG:     On
LibClamAV debug:    * Submodule      CERTS:     On
LibClamAV debug:    * Submodule  MATCHICON:     On
LibClamAV debug:    * Submodule     IMPTBL:     On
LibClamAV debug: Module ELF: On
LibClamAV debug: Module MACHO: On
LibClamAV debug: Module ARCHIVE: On
LibClamAV debug:    * Submodule        RAR:     On
LibClamAV debug:    * Submodule        ZIP:     On
LibClamAV debug:    * Submodule       GZIP:     On
LibClamAV debug:    * Submodule       BZIP:     On
LibClamAV debug:    * Submodule        ARJ:     On
LibClamAV debug:    * Submodule       SZDD:     On
LibClamAV debug:    * Submodule        CAB:     On
LibClamAV debug:    * Submodule        CHM:     On
LibClamAV debug:    * Submodule       OLE2:     On
LibClamAV debug:    * Submodule        TAR:     On
LibClamAV debug:    * Submodule       CPIO:     On
LibClamAV debug:    * Submodule     BINHEX:     On
LibClamAV debug:    * Submodule        SIS:     On
LibClamAV debug:    * Submodule       NSIS:     On
LibClamAV debug:    * Submodule     AUTOIT:     On
LibClamAV debug:    * Submodule    ISHIELD:     On
LibClamAV debug:    * Submodule       7zip:     On
LibClamAV debug:    * Submodule    ISO9660:     On
LibClamAV debug:    * Submodule        DMG:     On
LibClamAV debug:    * Submodule        XAR:     On
LibClamAV debug:    * Submodule    HFSPLUS:     On
LibClamAV debug:    * Submodule         XZ:     On
LibClamAV debug:    * Submodule     PASSWD:     On
LibClamAV debug:    * Submodule        MBR:     On
LibClamAV debug:    * Submodule        GPT:     On
LibClamAV debug:    * Submodule        APM:     On
LibClamAV debug:    * Submodule        EGG:     On
LibClamAV debug: Module DOCUMENT: On
LibClamAV debug:    * Submodule       HTML:     On
LibClamAV debug:    * Submodule        RTF:     On
LibClamAV debug:    * Submodule        PDF:     On
LibClamAV debug:    * Submodule     SCRIPT:     On
LibClamAV debug:    * Submodule HTMLSKIPRAW:    On
LibClamAV debug:    * Submodule     JSNORM:     On
LibClamAV debug:    * Submodule        SWF:     On
LibClamAV debug:    * Submodule      OOXML:     On
LibClamAV debug:    * Submodule      MSPML:     On
LibClamAV debug:    * Submodule        HWP:     On
LibClamAV debug: Module MAIL: On
LibClamAV debug:    * Submodule       MBOX:     On
LibClamAV debug:    * Submodule       TNEF:     On
LibClamAV debug: Module OTHER: On
LibClamAV debug:    * Submodule  UUENCODED:     On
LibClamAV debug:    * Submodule     SCRENC:     On
LibClamAV debug:    * Submodule       RIFF:     On
LibClamAV debug:    * Submodule       JPEG:     On
LibClamAV debug:    * Submodule    CRYPTFF:     On
LibClamAV debug:    * Submodule        DLP:     On
LibClamAV debug:    * Submodule  MYDOOMLOG:     On
LibClamAV debug:    * Submodule PREFILTERING:   On
LibClamAV debug:    * Submodule PDFNAMEOBJ:     On
LibClamAV debug:    * Submodule  PRTNINTXN:     On
LibClamAV debug:    * Submodule        LZW:     On
LibClamAV debug: Module PHISHING On
LibClamAV debug:    * Submodule     ENGINE:     On
LibClamAV debug:    * Submodule    ENTCONV:     On
LibClamAV debug: Module BYTECODE On
LibClamAV debug:    * Submodule INTERPRETER:    On
LibClamAV debug:    * Submodule    JIT X86:     On
LibClamAV debug:    * Submodule    JIT PPC:     On
LibClamAV debug:    * Submodule    JIT ARM:     ** Off **
LibClamAV debug: Module STATS Off
LibClamAV debug: Module PCRE On
LibClamAV debug:    * Submodule    SUPPORT:     On
LibClamAV debug:    * Submodule    OPTIONS:     On
LibClamAV debug:    * Submodule     GLOBAL:     On
LibClamAV debug: pool memory used: 5.913 MB
LibClamAV debug: No bytecodes loaded, not running builtin test
LibClamAV debug: Checking realpath of C:\Users\Iulian\Desktop\just.rar
LibClamAV debug: cli_get_filepath_from_filedesc: File path for fd [3] is: (null)
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized RAR file
LibClamAV debug: cache_check: 2c04496b1308e6349e3726f91e156235 is negative
LibClamAV debug: in scanrar()
unrar_open: Comments are not present in this archive.
unrar_open: Volume attribute (archive volume):              no
unrar_open: Archive comment present:                        no
unrar_open: Archive lock attribute:                         no
unrar_open: Solid attribute (solid archive):                no
unrar_open: New volume naming scheme ('volname.partN.rar'): yes
unrar_open: Authenticity information present (obsolete):    no
unrar_open: Recovery record present:                        no
unrar_open: Block headers are encrypted:                    no
unrar_open: First volume (set only by RAR 3.0 and later):   no
unrar_open: Opened archive: C:\Users\Iulian\Desktop\just.rar
unrar_peek_file_header:   Name:          CONSILIERE PLATA_Pdf.exe
unrar_peek_file_header:   Directory?:    0
unrar_peek_file_header:   Target Dir:    0
unrar_peek_file_header:   RAR Version:   50
unrar_peek_file_header:   Packed Size:   5
unrar_peek_file_header:   Unpacked Size: 5
LibClamAV debug: RAR: CONSILIERE PLATA_Pdf.exe, crc32: 0x3bb935c6, encrypted: 0, compressed: 5, normal: 5, method: 48, ratio: 1
LibClamAV debug: CDBNAME:CL_TYPE_RAR:5:CONSILIERE PLATA_Pdf.exe:5:5:0:1:1001993670:0000000000000000
LibClamAV debug: FP SIGNATURE: 2c04496b1308e6349e3726f91e156235:96:Archived_EXE.UNOFFICIAL
C:\Users\Iulian\Desktop\just.rar: Archived_EXE.UNOFFICIAL FOUND
LibClamAV debug: RAR: Exit code: 1
LibClamAV debug: cli_magic_scandesc: returning 1  at line 3202
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

----------- SCAN SUMMARY -----------
Known viruses: 18
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.506 sec (0 m 0 s)
Comment 1 Iulian 2020-10-05 04:42:58 EDT
Sorry, forgot to add what is inside my_exe_in_archive.cdb

Archived_APK:*:*:(?i)\.apk$:*:*:*:*:*:*
Archived_BAT:*:*:(?i)\.bat$:*:*:*:*:*:*
Archived_COM:*:*:(?i)\.com$:*:*:*:*:*:*
Archived_CMD:*:*:(?i)\.cmd$:*:*:*:*:*:*
Archived_CPL:*:*:(?i)\.cpl$:*:*:*:*:*:*
Archived_DMG:*:*:(?i)\.dmg$:*:*:*:*:*:*
Archived_EXE:*:*:(?i)\.exe$:*:*:*:*:*:*
Archived_HTA:*:*:(?i)\.hta$:*:*:*:*:*:*
Archived_ISO:*:*:(?i)\.iso$:*:*:*:*:*:*
Archived_JAR:*:*:(?i)\.jar$:*:*:*:*:*:*
Archived_LNK:*:*:(?i)\.lnk$:*:*:*:*:*:*
Archived_MSI:*:*:(?i)\.msi$:*:*:*:*:*:*
Archived_PIF:*:*:(?i)\.pif$:*:*:*:*:*:*
Archived_SCR:*:*:(?i)\.scr$:*:*:*:*:*:*
Archived_VB:*:*:(?i)\.vb$:*:*:*:*:*:*
Archived_VBE:*:*:(?i)\.vbe$:*:*:*:*:*:*
Archived_VBS:*:*:(?i)\.vbs$:*:*:*:*:*:*
Archived_WSH:*:*:(?i)\.wsh$:*:*:*:*:*:*
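
Why the Linux run reports OK while the Windows run fires Archived_EXE, as an added example that is not part of the original report or of ClamAV's code: it replays the two CDBNAME debug lines from the description against three of the signatures above. It assumes the CDBNAME fields follow the .cdb field order, uses Python's `re` as a stand-in for ClamAV's regex engine, and all function names are hypothetical.

```python
import re
from typing import NamedTuple

# Three of the signatures from my_exe_in_archive.cdb, copied from the report.
CDB_TEXT = r"""
Archived_BAT:*:*:(?i)\.bat$:*:*:*:*:*:*
Archived_EXE:*:*:(?i)\.exe$:*:*:*:*:*:*
Archived_SCR:*:*:(?i)\.scr$:*:*:*:*:*:*
"""

# The two CDBNAME debug lines from the report (Linux run, then Windows run).
LINUX_LINE = "LibClamAV debug: CDBNAME:CL_TYPE_RAR:5:CONSILIERE PLAT:5:5:0:1:1001993670:(nil)"
WINDOWS_LINE = ("LibClamAV debug: CDBNAME:CL_TYPE_RAR:5:CONSILIERE PLATA_Pdf.exe"
                ":5:5:0:1:1001993670:0000000000000000")


class Member(NamedTuple):
    container: str
    name: str
    numeric: tuple  # container size, size in container, real size, encrypted, position


class Signature(NamedTuple):
    virus: str
    container: str
    name_re: re.Pattern
    numeric: tuple  # same order as Member.numeric


def parse_cdbname(line):
    """Parse one CDBNAME debug line; returns None for any other log line."""
    _, _, payload = line.partition("CDBNAME:")
    if not payload:
        return None
    container, csize, rest = payload.split(":", 2)
    # Split from the right so a ':' inside the file name stays in the name.
    name, fsizec, fsizer, enc, pos, _res1, _res2 = rest.rsplit(":", 6)
    return Member(container, name, (csize, fsizec, fsizer, enc, pos))


def parse_signature(line):
    """Parse a 10-field .cdb signature (optional MinFL/MaxFL fields not handled)."""
    virus, container, csize, rest = line.strip().split(":", 3)
    regex, fsizec, fsizer, enc, pos, _res1, _res2 = rest.rsplit(":", 6)
    return Signature(virus, container, re.compile(regex), (csize, fsizec, fsizer, enc, pos))


def field_ok(spec, value):
    """'*' matches anything, 'a-b' is an inclusive range, otherwise an exact number."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= int(value) <= int(high)
    return int(spec) == int(value)


def matches(sig, member):
    return (sig.container in ("*", member.container)
            and sig.name_re.search(member.name) is not None
            and all(field_ok(s, v) for s, v in zip(sig.numeric, member.numeric)))


def scan(debug_lines, cdb_text):
    """Map each archive member name seen in the log to the signatures it triggers."""
    sigs = [parse_signature(l) for l in cdb_text.splitlines() if l.strip()]
    hits = {}
    for line in debug_lines:
        member = parse_cdbname(line)
        if member is not None:
            hits[member.name] = [s.virus for s in sigs if matches(s, member)]
    return hits


if __name__ == "__main__":
    for name, found in scan([LINUX_LINE, WINDOWS_LINE], CDB_TEXT).items():
        print(f"{name!r}: {found or 'no match'}")
```

The truncated name ends in "PLAT", so every extension-anchored regex in the database misses it, while the untruncated name from the Windows run matches `(?i)\.exe$`.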
Comment 2 Micah Snyder 2020-10-06 19:54:06 EDT
Hi Iulian,

Per our conversation in the mailing list, this issue was fixed in 0.103.0, here: https://github.com/Cisco-Talos/clamav-devel/commit/2f62d6bf1170e8a8660e09895c73c7ff3e8fcacb

Best regards,
Micah
Comment 3 Micah Snyder 2020-10-06 19:56:05 EDT
*** Bug 12373 has been marked as a duplicate of this bug. ***