
Re: ClamAV and PDFs



Hi again,

On Thu, Dec 30, 2010 at 07:52:57PM +0100, Jean-Yves F. Barbier wrote:

> > pdftk job_7660-ActiveReports_Document.pdf attach_files eicar.com output
> > out.pdf
> 
> What does that command *really* do? (in detail)

It is supposed to attach a file to the PDF, at the level of the document
itself (not of a page, that is).

And indeed, looking at the attachments in Adobe Reader, Eicar.com shows
up in the list, and the sizes are consistent with one file being
included in the other.


From man pdftk:

attach_files <attachment filenames | PROMPT> [to_page <page number | PROMPT>]
      Packs arbitrary files into a PDF using PDF's file attachment features.
      More than one attachment may be listed after attach_files. Attachments
      are added at the document level unless the optional to_page option is
      given, in which case the files are attached to the given page number
      (the first page is 1, the final page is end). For example:

      pdftk in.pdf attach_files table1.html table2.html to_page 6 output out.pdf


Naturally, I attached the real Eicar.com without touching the
signature.

As for the PDF, it is a one-page file containing a printout of a bank
transfer (of no interest, in my opinion).

Finally, the 'unpack_files' command of the same pdftk does separate the
two files again: you get back the original PDF and the supposedly nasty
Eicar.



> To check whether it isn't clamav that has the problem, you can install
> clamav-testfiles, then run:
> clamscan -v /usr/share/clamav-testfiles/clam.pdf
> which should return a positive.

Yep, already done, and it gets it right:

testclamav:~# clamscan /usr/share/clamav-testfiles/*
/usr/share/clamav-testfiles/clam.7z: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.arj: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam-aspack.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.bin-be.cpio: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.bin-le.cpio: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.bz2.zip: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.cab: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam_cache_emax.tgz: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.chm: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.d64.zip: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.ea05.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.ea06.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.exe.binhex: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.exe.bz2: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.exe.html: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.exe.mbox.base64: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.exe.mbox.uu: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.exe.rtf: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.exe.szdd: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam-fsg.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.impl.zip: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam_IScab_ext.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam_IScab_int.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam_ISmsi_ext.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam_ISmsi_int.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.mail: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam-mew.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.newc.cpio: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam-nsis.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.odc.cpio: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.ole.doc: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.pdf: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam-pespin.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam-petite.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.ppt: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.sis: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.tar.gz: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.tnef: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam-upack.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam-upx.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam-v2.rar: OK
/usr/share/clamav-testfiles/clam-v3.rar: OK
/usr/share/clamav-testfiles/clam-wwpack.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam-yc.exe: ClamAV-Test-File FOUND
/usr/share/clamav-testfiles/clam.zip: ClamAV-Test-File FOUND

----------- SCAN SUMMARY -----------
Known viruses: 858216
Engine version: 0.96.5
Scanned directories: 0
Scanned files: 46
Infected files: 44
Data scanned: 12.47 MB
Data read: 6.21 MB (ratio 2.01:1)
Time: 7.298 sec (0 m 7 s)


Unless the 2 files reported as not infected actually are?
(How can one tell?)


> > This is happening on Lenny, latest version of ClamAV and an
> > up-to-date database, even though for Eicar one could consider that
> > secondary...
> 
> Well no: EICAR is made precisely for testing antivirus software.

Yes, so being perfectly up to date in order to find a test sequence that
should be in there by default is not of prime importance, is it?

 
> > Strange, isn't it?
> 
> Maybe H1N1, call Roselyne, she has some left over :)

Super cool, I love the Roselyne plans, but for ClamAV, what do we
do? :-)

Would some kind soul try to reproduce the problem on their own machine
to see?

Thanks in advance,


-- 

JFS.


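What attach_files actually writes into the file, and why a scanner has to do more than pattern-match the container, can be seen by building the same structure by hand. The Python below is an added example and is not code from this post, from pdftk or from ClamAV: it constructs a one-page PDF in memory with a document-level attachment (catalog /Names -> /EmbeddedFiles -> /Filespec -> /EF -> /EmbeddedFile stream, the object chain the attach_files description above refers to), then walks that chain back out, inflates the /FlateDecode stream and checks the decoded payload against the EICAR definition. The object layout, the minimal parser and the constructed file are the example's own assumptions; it does not handle indirect /Length values, object streams or filters other than FlateDecode, which real-world PDFs use.

```python
"""Document-level PDF attachments: build one, then locate and decode it.

Added example (not from the mailing-list post, pdftk or ClamAV). The PDF is
constructed in memory; object layout and parser are the example's own and
cover only this minimal structure.
"""
import re
import zlib

# The EICAR test string, split in two so this source file itself does not
# contain the 68-byte signature; only the PDF built in memory does.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR" + b"-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

OBJ_RE = re.compile(rb"(\d+) 0 obj\s*")


def build_pdf_with_attachment(name: bytes, payload: bytes, compress: bool = True) -> bytes:
    """One-page PDF carrying `payload` as a document-level attachment called `name`.

    Object chain: catalog /Names -> /EmbeddedFiles name tree -> /Filespec (obj 5)
    -> /EF -> /EmbeddedFile stream (obj 4). The stream is Flate-compressed by default.
    """
    data = zlib.compress(payload) if compress else payload
    filt = b"/Filter /FlateDecode " if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles "
        b"<< /Names [(" + name + b") 5 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
        b"<< /Type /EmbeddedFile " + filt + b"/Length %d >>\nstream\n" % len(data)
        + data + b"\nendstream",
        b"<< /Type /Filespec /F (" + name + b") /EF << /F 4 0 R >> >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


def _read_dict(pdf: bytes, pos: int) -> tuple:
    """Return (dict bytes, end offset) for the balanced << ... >> starting at pos.
    Does not handle '>>' inside string literals; enough for this example."""
    depth, i = 0, pos
    while i < len(pdf):
        if pdf.startswith(b"<<", i):
            depth += 1
            i += 2
        elif pdf.startswith(b">>", i):
            depth -= 1
            i += 2
            if depth == 0:
                return pdf[pos:i], i
        else:
            i += 1
    raise ValueError("unterminated dictionary")


def _objects(pdf: bytes) -> dict:
    """Map object number -> (dictionary bytes, raw stream bytes or None).

    The stream is cut by its direct /Length rather than by searching for
    'endstream', so binary stream data cannot confuse the cut.
    """
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        if not pdf.startswith(b"<<", m.end()):
            continue  # a false hit inside binary data, not an object header
        d, end = _read_dict(pdf, m.end())
        stream = None
        sm = re.match(rb"\s*stream\r?\n", pdf[end:end + 10])
        if sm:
            length = int(re.search(rb"/Length\s+(\d+)", d).group(1))
            start = end + sm.end()
            stream = pdf[start:start + length]
        objs[int(m.group(1))] = (d, stream)
    return objs


def extract_attachments(pdf: bytes) -> dict:
    """{file name: decoded bytes} for every /Filespec that has an embedded /EF stream."""
    objs = _objects(pdf)
    found = {}
    for d, _ in objs.values():
        if not re.search(rb"/Type\s*/Filespec", d):
            continue
        name = re.search(rb"/F\s*\(([^)]*)\)", d).group(1).decode("latin-1")
        ref = int(re.search(rb"/EF\s*<<\s*/F\s+(\d+)\s+0\s+R", d).group(1))
        edict, stream = objs[ref]
        if re.search(rb"/Filter\s*/FlateDecode", edict):
            stream = zlib.decompress(stream)  # the step a raw byte search skips
        found[name] = stream
    return found


def matches_eicar(data: bytes) -> bool:
    """EICAR's own rule: the 68-byte string first, optional trailing whitespace, at most 128 bytes."""
    return len(data) <= 128 and data[:68] == EICAR and data[68:].strip(b" \t\r\n") == b""


def scan_attachments(pdf: bytes) -> dict:
    """{file name: True if the decoded attachment is the EICAR test file}."""
    return {n: matches_eicar(b) for n, b in extract_attachments(pdf).items()}


def raw_container_hit(pdf: bytes) -> bool:
    """What a byte-pattern search over the container alone would see."""
    return EICAR in pdf


if __name__ == "__main__":
    for compress in (True, False):
        pdf = build_pdf_with_attachment(b"eicar.com", EICAR, compress)
        print(f"compress={compress}: raw hit={raw_container_hit(pdf)}, decoded={scan_attachments(pdf)}")
```

With the embedded stream Flate-compressed, the 68-byte signature is not present anywhere in the container as written, so whether a scanner reports the attachment depends on its PDF parsing and stream decoding, not only on whether the signature is in its database; that is the part worth checking when reproducing the problem.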