Command-line scan (ssecls) does not find all suspicious files in a container
We prepared a container test file (ZIP archive) containing a set of hazard-free test files, about 10 files. Each test file represents a certain scenario the scan engine will detect, such as:
- too many ZIP-IN-ZIP cascades
- encrypted file or container
- malformed files
- EICAR test virus
Then we executed two scan calls:
1. Scan all the test files within a single container file
ssecls -server sse -mode scan ManyProblemFiles.zip
Result: Not all test files are listed in the output. It seems the scan engine aborts the scan after some candidates appear and does not do a full scan of all contained files.
2. Scan all the test files placed in a directory, unarchived
ssecls -server sse -mode scan -recurse ManyProblemsDirectory\
Result: All candidates were exposed and listed completely in the output.
This behavior is questionable and, first of all, surprising. Depending on the scan order of the files within the container, you will receive different responses. You can receive an "uncritical" too-many-ZIP-IN-ZIP message while there is the devil to pay. I'm not sure if this is a kind of "Works as Designed".
Actually, and in good faith, we will deliver a fatally infected container file to our customers after doing a manual check of that ZIP-IN-ZIP file, never having met the devil.
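
One way to check for the coverage gap described in this post, as an added example that is not part of the original post and not the scan engine vendor's code: build an independent inventory of every member of the container, nested ZIPs included, and compare it with what the scanner listed. The names `MAX_DEPTH`, `MAX_MEMBER`, the status labels and the `!/` path separator are assumptions of this sketch, as is the premise that the scanner's text output names each member it examined.

```python
import io
import zipfile
import zlib

MAX_DEPTH = 3            # assumed nesting limit for this sketch, not the engine's
MAX_MEMBER = 50 * 2**20  # refuse to inflate members larger than 50 MiB

def inventory(data, prefix="", depth=1):
    """List (path, status) for every member, descending into nested ZIPs."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.flag_bits & 0x1:      # general-purpose bit 0: encrypted
                rows.append((path, "encrypted"))
            elif info.file_size > MAX_MEMBER:
                rows.append((path, "too-large"))
            else:
                rows.extend(_classify(zf, info, path, depth))
    return rows

def _classify(zf, info, path, depth):
    try:
        body = zf.read(info)              # raises on bad CRC or broken stream
        if not zipfile.is_zipfile(io.BytesIO(body)):
            return [(path, "file")]
        if depth >= MAX_DEPTH:
            return [(path, "nesting-limit")]
        return [(path, "container")] + inventory(body, path + "!/", depth + 1)
    except (zipfile.BadZipFile, zlib.error, NotImplementedError, OSError):
        return [(path, "malformed")]

def unreported(rows, scanner_output):
    """Members whose leaf name never appears in the scanner's text output."""
    return [p for p, _ in rows if p.split("/")[-1] not in scanner_output]

def build_sample(levels):
    """Constructed test data: a ZIP nested `levels` deep around one text file."""
    blob, name = b"harmless placeholder", "inner.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, blob)
            zf.writestr(f"note{i}.txt", b"x")
        blob, name = buf.getvalue(), f"level{i}.zip"
    return blob

if __name__ == "__main__":
    print(*inventory(build_sample(4)), sep="\n")
```

Any path returned by `unreported` is a member the scanner never mentioned, which is the signal that the container scan stopped early; a `nesting-limit` or `encrypted` row marks content that was never inspected at all.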