
Sophos Linux Sweep does not see eicar in a zip of a zip and in an iso file.

Hello,

I have a zip of a zip with the eicar program but sweep does not say there is a virus... is this a problem or is there a limitation in the recursive scan of an archive?

I also have an iso file of Windows with the eicar file and sweep does not say there is a virus; how can I scan iso files without mounting, etc...

Best regards.

Francis



  • Hello Francis,

    you didn't tell the switches you used with sweep - by default it does not scan archives. If you have run it with the -ns switch it will list the .zip as being scanned but it will only assess whether it's indeed an archive or something deliberately misnamed (e.g. a binary which it would then scan). Just tested it using the -zip switch and it detected the double-zipped EICAR. For a complete list of switches and the defaults use savscan -h (sweep is an alias).

    Christian

  • Thx Christian,

    I used this command line "savscan -sc -ss -archive <file>" for the iso and the zip.

    I have no problem with a zip of eicar; my problem is with a zip of a zip of eicar, and with an iso with eicar (archive?).

    Best regards.

    Francis

    PS: sorry for the English...

  • Hello Francis,

    no problems with your English.

    -sc is default, I'd suggest using -ns instead of -ss, which will show whether the .zip is unpacked. What's the name of the EICAR file?

    With the -vv switch you'll get the list of extensions scanned and also the types of archives supported (.iso isn't among them).

    Christian

  • Hello Christian,

    I used -ss because I do not need verbose output; I test the sweep return code.

    With the -ns switch I have this (in French).

    # sweep -ns eicar*

    Contrôle rapide

            eicar.com
    >>> Virus 'EICAR-AV-Test' trouvé dans fichier eicar.com
            eicarcom2.zip        < This is a zip of eicar_com.zip
            eicar_com.zip
            eicar_com.zip/eicar.com
    >>> Virus 'EICAR-AV-Test' trouvé dans fichier eicar_com.zip/eicar.com

    3 fichiers contrôlés en 7 secondes.
    2 virus ont été découverts.
    2 fichiers sur 3 ont été infectés.
    Retrouvez plus de conseils concernant les détections en vous rendant
    dans notre Centre de mise à niveau sur : www.sophos.com/.../threat-center.aspx
    Fin de Scan.

    I checked the -vv, no iso support :(

    Best regards.

    Francis

  • Hello Francis,

    same result with the -zip (or -archive) switch? It should dig deeper then.

    As for scanning isos - can't say why it's not an option. might or might not be in the position to tell.

    Christian

  • Hello Christian,

    No problem with the -zip or -archive switch.... thank you.

    # sweep -ns -f -archive eicar*

    ...

    Contrôle intégral

            eicar.com
    >>> Virus 'EICAR-AV-Test' trouvé dans fichier eicar.com
            eicarcom2.zip
            eicarcom2.zip/eicar_com.zip
            eicarcom2.zip/eicar_com.zip/eicar.com
    >>> Virus 'EICAR-AV-Test' trouvé dans fichier eicarcom2.zip/eicar_com.zip/eicar.com
            eicar_com.zip
            eicar_com.zip/eicar.com
    >>> Virus 'EICAR-AV-Test' trouvé dans fichier eicar_com.zip/eicar.com

    3 fichiers contrôlés en 8 secondes.
    3 virus ont été découverts.
    3 fichiers sur 3 ont été infectés.
    Retrouvez plus de conseils concernant les détections en vous rendant
    dans notre Centre de mise à niveau sur : www.sophos.com/.../threat-center.aspx
    Fin de Scan.

    Best regards.

    Francis
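A way to reproduce the two behaviours discussed in this thread on your own box: the one-level versus two-level archive recursion Francis saw with and without -archive, and the .iso image that savscan's -vv list says it cannot open. This is an added example, not code from the thread or from Sophos. It builds the same eicar.com / eicar_com.zip / eicarcom2.zip fixture set, walks the archives to a chosen nesting depth so you can see exactly which members a depth-limited scan never looks at, wraps savscan the way a return-code check in a script would, and unpacks an ISO with bsdtar so its contents can be scanned as plain files without mounting. Assumptions: the savscan exit-code mapping (0 clean, 1 interrupted, 2 error, 3 threat found) is from the savscan documentation as I recall it and should be confirmed against savscan -h on your install; bsdtar (libarchive) must be present for the ISO helper; the names build_fixtures, find_eicar, savscan_verdict and extract_iso are my own.

```python
"""Added example: how far an archive scan recurses, and an ISO workaround.

Not part of the thread above; assumptions are marked in the comments.
"""
import io
import os
import shutil
import subprocess
import tempfile
import zipfile

# The standard EICAR test string: a harmless file every AV engine agrees to flag.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_fixtures(directory=None):
    """Create the same file set Francis scanned: eicar.com, eicar_com.zip
    (a zip of eicar.com) and eicarcom2.zip (a zip of that zip).
    Returns a dict mapping file name to path. Writing these files will
    trigger on-access scanning where it is enabled; that is what they are for."""
    if directory is None:
        directory = tempfile.mkdtemp(prefix="eicar-fixtures-")
    paths = {}
    com = os.path.join(directory, "eicar.com")
    with open(com, "w") as fh:
        fh.write(EICAR)
    paths["eicar.com"] = com
    inner = os.path.join(directory, "eicar_com.zip")
    with zipfile.ZipFile(inner, "w") as zf:
        zf.write(com, "eicar.com")
    paths["eicar_com.zip"] = inner
    outer = os.path.join(directory, "eicarcom2.zip")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.write(inner, "eicar_com.zip")
    paths["eicarcom2.zip"] = outer
    return paths


def find_eicar(path, max_depth):
    """Return 'outer.zip/inner.zip/file' labels of every member, at most
    max_depth archive levels down, whose bytes contain the EICAR string.
    max_depth=0 never opens an archive (archive scanning off);
    max_depth=1 opens one level, the result Francis got without -archive;
    max_depth=2 opens the zip inside the zip, what -archive/-zip delivered."""
    with open(path, "rb") as fh:
        data = fh.read()
    return _scan_bytes(data, os.path.basename(path), max_depth)


def _scan_bytes(data, label, depth_left):
    hits = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth_left == 0:
            return hits  # archive recognised but not opened: nothing inside is seen
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                hits.extend(_scan_bytes(zf.read(member), f"{label}/{member}", depth_left - 1))
    elif EICAR.encode() in data:
        hits.append(label)
    return hits


def savscan_verdict(paths, scanner="savscan"):
    """Run savscan with the switches from the thread and map its exit status
    to a verdict, the way a script checking the return code would.
    Assumption: 0 = clean, 1 = interrupted, 2 = error, 3 = threat found,
    per the savscan documentation as I recall it; confirm with 'savscan -h'."""
    proc = subprocess.run([scanner, "-ns", "-f", "-archive", *paths],
                          capture_output=True, text=True)
    verdicts = {0: "clean", 1: "interrupted", 2: "error", 3: "infected"}
    return verdicts.get(proc.returncode, f"unknown({proc.returncode})"), proc.stdout


def extract_iso(iso_path, dest=None):
    """Workaround for the missing .iso support: unpack the image with bsdtar
    (libarchive reads ISO 9660) into a directory, then scan that directory
    with savscan -archive like any other tree. Assumption: bsdtar is installed."""
    if dest is None:
        dest = tempfile.mkdtemp(prefix="iso-contents-")
    subprocess.run(["bsdtar", "-xf", iso_path, "-C", dest], check=True)
    return dest


if __name__ == "__main__":
    fixtures = build_fixtures()
    for name, path in fixtures.items():
        for depth in (0, 1, 2):
            print(f"{name:16s} depth={depth}: {find_eicar(path, depth)}")
    if shutil.which("savscan"):
        verdict, output = savscan_verdict(list(fixtures.values()))
        print(output)
        print("savscan verdict:", verdict)
```

Running the script without savscan installed still shows the depth effect: eicarcom2.zip yields nothing at depth 1 and `eicarcom2.zip/eicar_com.zip/eicar.com` at depth 2, which is the difference between Francis's two outputs. For the ISO, `extract_iso` gives you a directory to pass to `savscan_verdict`; 7z would work in place of bsdtar if you prefer it. Whatever scanner you use, compare its -vv archive list against the container formats that actually reach your hosts, since anything not on that list is passed through unopened.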