Bug in ClamAV

Submitted by Tim Clark on December 20, 2007 - 5:49pm

There is a security vulnerability in ClamAV .091.2 [the underlying program for ClamWin {the underlying program for ClamWinPortable}].

It is discussed here:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=634

As a workaround while we await ClamWin .092 [and then ClamWinP .092] the following is suggested:

"V. WORKAROUND
Disabling the scanning of PE files will prevent exploitation. If using clamscan, this can be done by running clamscan with the '--no-pe' option. If using clamdscan, set the 'ScanPE' option in the clamd.conf file to 'no'."

The question is: how do you, or can you, disable scanning of "PE files" in ClamWin [and therefore ClamWinPortable]?

I could find no information at the ClamWin site. Heck, maybe it doesn't even affect the Windows version.

Ideas?

Tim

{edit} Well, it seems that "PE"s can be included in .exe, .dll, .ocx, .sys, .scr, so that excluding them from scanning defeats the purpose of scanning :( So I guess I won't be using CWP for a while :( Bummer



Theoretical

Keep in mind that this is theoretical at the moment. No one has even written a proof of concept on Windows. The bigger concern is folks that use ClamAV on *nix boxes to automatically scan incoming email (which is a good percentage of ISPs in the world), which is why it was announced in a coordinated way with the new release. The exploit may not even work within ClamWin at all. And, even if it did, it's unlikely that someone would take the time to create an exploit for it since its install base is negligible.

Side note... don't you use IE despite the fact that it's vulnerable to several similar exploits?

Sometimes, the impossible can become possible, if you're awesome!

Thanks for the reply

I mentioned in the OP that I was not sure it even affected CW :P

I almost never use IE unless I absolutely must. You turned me on to FF back in the beginning when U3 wasn't considered the Spawn of Satan ;) and I've never turned back :)

Good point about the "install base", hadn't occurred to me.

Thanks again for the reply,
Good Holidays to You,
and everybody else :)

Tim

Things have got to get better, they can't get worse, or can they?

Side note:

PE stands for Portable Executable. It's basically the filetype of .EXE, .DLL and any other executable binary code for Windows. So, it's not included in .EXE files, it is the .EXE file.

"If you're not part of the solution, you're part of the precipitate."
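
Added example, not part of the thread or of ClamAV/ClamWin code: a short Python check showing that the PE format discussed above is recognised from the file's headers ("MZ", then the "PE\0\0" signature), not from its extension, which is why the extensions listed in the first post all fall under one PE switch. The file names and header-only stubs are constructed for the illustration.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLL-type images


def classify(data: bytes) -> str:
    """Classify a buffer as 'pe-exe', 'pe-dll' or 'not-pe' from its headers alone."""
    # DOS header: 'MZ' magic, with the offset of the PE header (e_lfanew) at 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature, then the 20-byte COFF header that follows it.
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00" or len(data) < e_lfanew + 24:
        return "not-pe"
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "pe-dll" if characteristics & IMAGE_FILE_DLL else "pe-exe"


def make_sample(characteristics: int) -> bytes:
    """Build a constructed, header-only PE stub (not a runnable program)."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\x00\x00" + coff


# Constructed sample inputs: file names are hypothetical, contents are stubs.
SAMPLES = {
    "setup.exe": make_sample(0x0002),
    "saver.scr": make_sample(0x0002),
    "control.ocx": make_sample(0x2002),
    "driver.sys": make_sample(0x0002),
    "notes.exe": b"plain text saved with an .exe name",
    "old_dos.exe": b"MZ" + b"\x00" * 0x3E,  # DOS-style header, no PE signature
}


def report(samples=SAMPLES) -> dict:
    """Map each sample name to its content-based classification."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, kind in report().items():
        print(f"{name:12} {kind}")
```
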

Correct

Yes, this was my reading of the situation as well, I should have said something more like "this file type includes ..." but as it was an "edit" I just wanted to get it out before anyone wasted time trying to answer my post.

Thanks for the clarification though.

Tim

Things have got to get better, they can't get worse, or can they?