
Command-line scan (ssecls) does not find all suspicious files in a container

Created: 02 Aug 2012 | 3 comments

Hi all

We prepared a container test file (ZIP archive) containing a set of hazard-free test files, about 10 files. Each test file represents a certain scenario the scan engine will detect, such as:
- too many ZIP-in-ZIP cascades
- encrypted file or container
- malformed files
- EICAR test virus
- ...

Then we executed two scan calls:
1. Scan all the test files within a single container file
ssecls -server sse -mode scan ManyProblemFiles.zip
Result: Not all test files are listed in the output. It seems the scan engine aborts the scan after some candidates appear and does not do a full scan of all contained files.

2. Scan all the test files placed in a directory, unarchived
ssecls -server sse -mode scan -recurse ManyProblemsDirectory\
Result: All candidates were exposed and listed completely in the output.

This behavior is questionable and, first of all, surprising. Depending on the scan order of the files within the container you will receive different responses. You can receive an "uncritical" too-many-ZIP-in-ZIP message while the devil will be to pay. I'm not sure if this is a kind of "works as designed".

Actually, and in good faith, we will deliver a fatally infected container file to our customers after doing a manual check of that ZIP-in-ZIP file, never having met the devil.
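Added example (not from the post, and not Symantec code): a Python walker that inspects every entry of a ZIP, descending into nested archives, and classifies each one into the categories from the test set (zero-byte, encrypted, too-deep nesting, malformed) without stopping at the first hit, so the listing and the final verdict do not depend on entry order. The MAX_DEPTH limit, the file names and the sample archive are constructed assumptions.

```python
import io
import zipfile

MAX_DEPTH = 3  # assumed policy limit on ZIP-in-ZIP nesting


def _zip_bytes(entries):
    """Build an in-memory ZIP from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_container(depth=4):
    """Constructed sample: zero-byte file, clean file, a ZIP-in-ZIP chain
    deeper than MAX_DEPTH, and a truncated (malformed) inner archive.
    (No encrypted entry: the stdlib cannot write ZIP encryption.)"""
    inner = _zip_bytes({"payload.txt": b"hello"})
    for level in range(depth):
        inner = _zip_bytes({f"level{level}.zip": inner})
    truncated = _zip_bytes({"doc.bin": b"x" * 100})[:40]
    return _zip_bytes({"TestFile-0B.data": b"", "readme.txt": b"clean text",
                       "nested.zip": inner, "FS.part00": truncated})


def inspect_container(data, depth=0, prefix=""):
    """Return (path, finding) for EVERY entry; never aborts early."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix.rstrip("/") or "<root>", "malformed")]
    findings = []
    with zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if info.flag_bits & 0x1:        # general-purpose bit 0 = encrypted
                findings.append((path, "encrypted"))
            elif info.file_size == 0:
                findings.append((path, "zero-byte"))
            elif (payload := zf.read(info))[:4] != b"PK\x03\x04":
                findings.append((path, "ok"))
            elif depth + 1 > MAX_DEPTH:      # nested archive beyond the limit
                findings.append((path, "too-deep"))
            else:
                findings.extend(inspect_container(payload, depth + 1, path + "/"))
    return findings


def container_verdict(findings):
    """Fail closed: block if any entry could not be fully inspected."""
    return "block" if {f for _, f in findings} - {"ok"} else "clean"
```

Run `inspect_container(build_sample_container())` to see all four findings reported together, whichever order the entries appear in.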


benjamin_lurie:

What version of Scan Engine are you running?

Can you provide a sample ZIP file and I can take a look and see if this is a defect?

Bernhard Rohrer:

We're already working on it. ATM it looks like it works as designed.

ingo.siegel:

We are running ScanEngine v5.2.13.4.

Test file: ManyProblemFiles-2.zip contains 9 files:

TestFile-0B.data -> 0 bytes
FS.part00 -> partial container
passwort-ist-abc.zip -> password protected

Malformed container:
PDF_com.lowagie.text_2.1.7.v201004222200.jar
PDF_iText-2.1.0.jar
PDF_org.apache.batik.pdf_1.6.0.v200806031500.jar
PDF_pjx-1.4.0.jar
PdfVersionImp.class
PdfVersionImp.zip

EICAR test:
We cannot provide a test file without causing a virus alert.

Attachment: ManyProblemFiles-2.zip (7.38 MB)