We have a set of zip files that we are scanning using the Linux Command Line Virus Scanner. If we scan one file, the result is that the total number of files is always one more than the number of files scanned (i.e. if you unzip it, you see one fewer file scanned than the number of files in the zip file).
I've turned on all of the logging I can find documented and everything comes back with "is OK" at the end.
There is some reason to believe that these zip files may have password-protected files buried in them, but we have no way of knowing where they are, as the only indication we get is that one file is not scanned.
Has anyone encountered anything like this?
Moved from home products to Business > MAC & Linux Products for better support.
Sounds normal tbh.
Assuming use of the --unzip parameter, if you turn on verbose logging (--verbose) you should see that for a zip file containing, say, three files, you get:
1. Scan of the overall zip at the top-level (not opened)
Scan then opens the zip and…
2. Scan of file#1 in the zip
3. Scan of file#2 in the zip
4. Scan of file#3 in the zip
So total files scanned = 4: the zip itself and the three files within.
If the zip cannot be opened for some reason (unrecognised file type/corrupt/encrypted), then you only get the scan of the overall zip at the top level and not the content.
This is my problem.
I run --unzip --verbose --summary
Everything comes up "OK", except it reports that it processed one file and did not scan it. But there is no indication whatsoever what the problem is.
It is only if I unzip it and scan the problem file within the zip file directly that I can generate an error telling me it could not scan it, but it does not tell me why.
It could be any number of reasons.
1. Archive applications are not as strict about what defines a 'valid' archive and can often reconstruct corruption in either the zip header or directory, allowing the file to be extracted.
The AV engine + DAT is much stricter on what constitutes a valid archive (as you might expect). Inconsistencies may mean something bad, so the product errs on the side of caution.
2. The archive format may be zip, but a compression type is used that is not recognised.
Either way, you will not get detail on why, even after extraction and scanning, as we don't go into that level of detail.
The only way to know for sure why a file may have issues being scanned is to submit it to McAfee Labs for evaluation.
You should submit the zip and the extracted file from the zip, explaining what your scan report shows.
Under no circumstances post the file to the forum. Suspicious files need to be handled appropriately.