
Commandline Scan (ssecls) does not find all suspicious Files in Container

Created: 02 Aug 2012 | 3 comments

Hi all

We prepared a container test file (ZIP archive) containing a set of hazard-free test files, about 10 files. Each test file represents a certain scenario the Scan Engine will detect, such as:
- too many ZIP-in-ZIP cascades
- encrypted file or container
- malformed files
- EICAR test virus
- ...

Then we executed two scan calls:
1. Scan all the test files within a single container file
ssecls -server sse -mode scan
Result: Not all test files are listed in the output. It seems the Scan Engine aborts the scan after the appearance of some candidates and does not do a full scan of all contained files.

2. Scan all the test files placed in a directory, unarchived
ssecls -server sse -mode scan -recurse ManyProblemsDirectory\
Result: All candidates were exposed and listed completely in the output.

This behavior is questionable and, first of all, surprising. Depending on the scan order of the files within the container you will receive different responses. You can receive an "uncritical" too-many-ZIP-in-ZIP message while there will be the devil to pay. I'm not sure if this is a kind of "works as designed".

Actually, and in good faith, we will deliver a fatally infected container file to our customers after doing a manual check of that ZIP-in-ZIP file, never having met the devil.
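The scan-order problem described in the post, shown as an added example (this is not code from the post or from Symantec's ssecls; the nesting limit, the finding names and the container contents are constructed for illustration). A toy recursive ZIP walker is run twice over the same constructed container: once stopping at the first finding, as the poster observed, and once enumerating every entry. The first mode reports only the nesting-depth message; the second also surfaces the malformed archive and the zero-byte file behind it.

```python
"""Added example (not from the forum post or Symantec's ssecls): a toy
recursive container walker showing why a scanner that stops at the first
finding can hide other problems in the same ZIP archive."""
import io
import zipfile

MAX_DEPTH = 3  # assumed nesting limit; the real ssecls limit is configured elsewhere


def build_nested_zip(levels: int, payload: bytes = b"innermost") -> bytes:
    """Wrap payload in `levels` nested ZIP archives (constructed sample data)."""
    data, name = payload, "payload.txt"
    for _ in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "inner.zip"
    return data


def build_test_container() -> bytes:
    """Constructed container with four scenarios, in the order they are scanned:
    clean text, nesting deeper than MAX_DEPTH, a truncated (malformed) archive,
    and a zero-byte file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("1_clean.txt", b"harmless text")
        zf.writestr("2_deep.zip", build_nested_zip(MAX_DEPTH + 2))
        # Cutting the last 20 bytes destroys the end-of-central-directory record.
        zf.writestr("3_malformed.zip", build_nested_zip(1)[:-20])
        zf.writestr("4_empty.bin", b"")
    return buf.getvalue()


def scan_container(data: bytes, stop_on_first: bool,
                   depth: int = 0, path: str = "") -> list:
    """Return (entry path, finding) pairs for every problem found in `data`.

    With stop_on_first=True the walk aborts at the first finding, mimicking the
    behaviour the poster reports; with False every entry is examined."""
    if depth > MAX_DEPTH:
        return [(path, "too-many-nested-archives")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, "malformed-container")]

    findings = []
    with zf:
        for info in zf.infolist():
            entry = f"{path}/{info.filename}" if path else info.filename
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flag: entry is encrypted
                findings.append((entry, "encrypted-entry"))
            elif info.file_size == 0:
                findings.append((entry, "zero-byte-file"))
            else:
                try:
                    payload = zf.read(info)
                except zipfile.BadZipFile:  # e.g. CRC mismatch on a damaged entry
                    findings.append((entry, "malformed-entry"))
                    continue
                if payload.startswith(b"PK\x03\x04"):  # local file header: nested archive
                    findings.extend(scan_container(payload, stop_on_first, depth + 1, entry))
            if stop_on_first and findings:
                break
    return findings


if __name__ == "__main__":
    container = build_test_container()
    print("stop on first finding:", scan_container(container, stop_on_first=True))
    print("full enumeration:     ", scan_container(container, stop_on_first=False))
```

The defender-side point is that a single "too many nested archives" result says nothing about the entries the scanner never reached, so the verdict has to apply to the whole container rather than to the one entry named in the message; a manual look at that one entry, as the poster describes, does not clear the rest.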

Comments

benjamin_lurie wrote:

What version of Scan Engine are you running?

Can you provide a sample ZIP file and I can take a look and see if this is a defect?

Bernhard Rohrer wrote:

We're already working on it. ATM it looks like it works as designed.

ingo.siegel wrote:

We are running ScanEngine v5.2.13.4.

Testfile: contains 9 files: -> 0 Byte
FS.part00 -> partial container -> password protected

Malformed Container:

We cannot provide the test file without causing a virus alert.

Attachment size: 7.38 MB