ClamWin: Bug in ClamAV

Tim Clark
Joined: 2006-06-18 13:55
ClamWin: Bug in ClamAV

There is a security vulnerability in ClamAV .091.2 [the underlying program for ClamWin {the underlying program for ClamWinPortable}]

It is discussed here:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=634

As a workaround while we await ClamWin .092 [and then ClamWinP .092] the following is suggested:

"V. WORKAROUND
Disabling the scanning of PE files will prevent exploitation. If using clamscan, this can be done by running clamscan with the '--no-pe' option. If using clamdscan, set the 'ScanPE' option in the clamd.conf file to 'no'."

The question is: how do you, or can you, disable scanning of "PE files" in ClamWin [and therefore ClamWinPortable]?

I could find no information at the ClamWin site. Heck, maybe it doesn't even affect the Windows version.

Ideas ?

Tim

{edit} Well, it seems that "PE"s can be included in .exe, .dll, .ocx, .sys, .scr, so that excluding them from scanning defeats the purpose of scanning. So I guess I won't be using CWP for a while. Bummer.

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
Theoretical

Keep in mind that this is theoretical at the moment. No one has even written a proof of concept on Windows. The bigger concern is folks that use ClamAV on *nix boxes to automatically scan incoming email (which is a good percentage of ISPs in the world), which is why it was announced in a coordinated way with the new release. The exploit may not even work within ClamWin at all. And, even if it did, it's unlikely that someone would take the time to create an exploit for it since its install base is negligible.

Side note... don't you use IE despite the fact that it's vulnerable to several similar exploits?

Sometimes, the impossible can become possible, if you're awesome!

Tim Clark
Joined: 2006-06-18 13:55
Thanks for the reply

I mentioned in the OP that I was not sure it even affected CW.

I almost never use IE unless I absolutely must. You turned me on to FF back in the beginning when U3 wasn't considered the Spawn of Satan, and I've never turned back.

Good point about the "install base", hadn't occurred to me.

Thanks again for the reply,
Good Holidays to You,
and everybody else

Tim

Things have got to get better, they can't get worse, or can they?

Ryan McCue
Joined: 2006-01-06 21:27
Side note:

PE stands for Portable Executable. It's basically the filetype of .EXE, .DLL and any other executable binary code for Windows. So, it's not included in .EXE files, it is the .EXE file.

"If you're not part of the solution, you're part of the precipitate."
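The point in the post above, shown as an added example that is not part of the original thread: whether a file is a PE image is decided by its headers, not its extension, so a PE-scanning switch covers .exe, .dll, .ocx, .sys and .scr alike. The file names and header bytes below are constructed samples, and `pe_kind`, `make_sample` and `scan_report` are hypothetical helper names.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLL images


def pe_kind(data: bytes) -> str:
    """Classify a buffer as 'not-pe', 'pe-exe' or 'pe-dll' from its headers."""
    # DOS header: 'MZ' magic, 64 bytes long, e_lfanew (PE header offset) at 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # The 4-byte signature plus the 20-byte COFF header must fit in the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    # Characteristics is the last 2-byte field of the COFF header.
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return "pe-dll" if characteristics & IMAGE_FILE_DLL else "pe-exe"


def make_sample(characteristics: int) -> bytes:
    """Constructed minimal headers for the demo (not a loadable program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff


# Constructed samples: the name is only a label, the bytes decide the result.
SAMPLES = {
    "setup.exe": make_sample(0x0102),
    "plugin.dll": make_sample(0x2102),
    "control.ocx": make_sample(0x2102),
    "saver.scr": make_sample(0x0102),
    "notes.exe": b"plain text that was renamed to .exe",
    "truncated.dll": b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x1000),
}


def scan_report(samples: dict) -> dict:
    """Map each sample name to its header-based classification."""
    return {name: pe_kind(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, kind in scan_report(SAMPLES).items():
        print(f"{name:15} {kind}")
```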

Tim Clark
Joined: 2006-06-18 13:55
Correct

Yes, this was my reading of the situation as well, I should have said something more like "this file type includes ..." but as it was an "edit" I just wanted to get it out before anyone wasted time trying to answer my post.

Thanks for the clarification though.

Tim

Things have got to get better, they can't get worse, or can they?