!!! ClamXav finds virus in the 2.1 or 2.2.1 to 2.2.3 patch


Postby Jonny_T » Sat Feb 17, 2007 5:21 pm

Hi,

I've just downloaded the upgrade patch from Sourceforge from this link:

http://switch.dl.sourceforge.net/source ... 21-223.zip

and ClamXav finds a virus in the download (Oversized.Zip) using the 0.88.7 clamscan engine with all the latest virus definitions downloaded. (If you don't know, ClamAV is the open source anti-virus programme and ClamXav is the Mac native version of it for OS X).

If the developers want the download to check, please PM me.
Jonny_T
Newbie
 
Posts: 2
Joined: Sat Feb 17, 2007 5:10 pm

Postby divVerent » Sat Feb 17, 2007 5:36 pm

"Oversized.Zip" is not a virus, but a warning "I don't want to scan that file, it may be something like 42.zip and take up lots of resources to scan". Still, this warning means that the contents of the archive did not get scanned, so there COULD be a virus inside that ClamAV WOULD detect if the contents were extracted.

From the ClamAV FAQ:

I get many false positives of Oversized.zip

* Whenever a file exceeds ArchiveMaxCompressionRatio (see clamd.conf man page), it’s considered a logic bomb and marked as Oversized.zip . Try increasing your ArchiveMaxCompressionRatio setting.


So that report is nothing serious.

Still, I doubt our patch is so well compressed that it triggers that warning... does it trigger that warning for the zip or the pk3? I'm now downloading ClamAV and looking into this. However, I don't really feel like using less compression ratio or adding bogus files to keep the compression ratio above the threshold, as that would make the game larger with no added value.

1. Open Notepad
2. Paste: ÿþMSMSMS
3. Save
4. Open the file in Notepad again

You can vary the number of "MS", so you can clearly see it's MS which is causing it.
divVerent
Site admin and keyboard killer
 
Posts: 3809
Joined: Thu Mar 02, 2006 4:46 pm
Location: BRLOGENSHFEGLE

Postby divVerent » Sat Feb 17, 2007 5:49 pm

Now I did test it in ClamAV and ran clamscan with --debug and -v:

LibClamAV debug: Zip: gfx/sbar_overlay.tga, crc32: 0x617743f, offset: 613997, encrypted: 0, compressed: 174, normal: 122924, method: 8, ratio: 706 (max: 250)
LibClamAV debug: Zip: Infected with Oversized.Zip
nexuizpatch-21-223.zip: Oversized.Zip FOUND


So well-compressible TGA files in our PK3 trigger the ClamAV warning. There is nothing we can do about it other than say that this is NOT a virus.

The following files in the full game may also trigger this message:

Archive:  data20070123.pk3
Length   Method    Size  Ratio   Date   Time   CRC-32    Name
--------  ------  ------- -----   ----   ----   ------    ----
  122924  Defl:N      187 100%  12-05-06 21:33  0617743f  gfx/sbar_overlay.tga
   49170  Defl:N       79 100%  11-07-05 21:22  3968484f  models/domination/dom_axe.tga
  196626  Defl:N      263 100%  11-07-05 21:22  99c0909d  models/domination/dom_bolt.tga
  196626  Defl:N      258 100%  11-07-05 21:22  7b15f018  models/domination/dom_neutral.tga
  196626  Defl:N      263 100%  11-07-05 21:22  62ed1d4c  models/domination/dom_symbol.tga
   49170  Defl:N       79 100%  11-07-05 21:22  3968484f  models/domination/dom_symbol2.tga
  196626  Defl:N      262 100%  11-07-05 21:22  fe9464c5  models/domination/dom_target.tga
   98348  Defl:N      155 100%  11-07-05 21:22  76d50c41  textures/dsi/cmp1_logo.tga
  786476  Defl:N      960 100%  05-06-06 15:10  b2a424fc  textures/fbgreen_pants.tga
  786476  Defl:N      960 100%  05-06-06 15:10  b2a424fc  textures/fbgreen_shirt.tga
  786476  Defl:N      960 100%  05-06-06 15:10  b2a424fc  textures/fborange_pants.tga
  786476  Defl:N      960 100%  05-06-06 15:10  b2a424fc  textures/fborange_shirt.tga
  786476  Defl:N      960 100%  05-06-06 15:10  b2a424fc  textures/fbred_pants.tga
  786476  Defl:N      960 100%  05-06-06 15:10  b2a424fc  textures/fbred_shirt.tga
  786476  Defl:N     3303 100%  11-11-05 04:46  17da130e  textures/glaunch_glow.tga
  786476  Defl:N     1178 100%  11-23-05 18:14  ba6ac4cd  textures/shock_glow.tga
  786476  Defl:N     3175 100%  11-05-06 18:26  1c9e87e4  textures/shotgun_pants.tga
  786476  Defl:N     1748 100%  11-05-06 18:26  a5b93d66  textures/shotgun_shirt.tga
  786476  Defl:N     2202 100%  11-23-05 18:14  d17dbd6b  textures/skadi_glow.tga
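The heuristic described in the two posts above is a pure ratio check on the sizes recorded in the archive (normal size divided by compressed size, compared with a maximum of 250 by default). The following script, added here as an illustration and not code from ClamAV or the Nexuiz project, reads those sizes from a zip's central directory without decompressing anything and lists the entries that would be reported as Oversized.Zip; the sample archive it builds (a flat, all-zero "TGA" of the same 122924 bytes as gfx/sbar_overlay.tga, plus one incompressible file) is constructed for the example.

```python
import io
import os
import zipfile

# Default ArchiveMaxCompressionRatio / --max-ratio in ClamAV 0.88, per the thread.
DEFAULT_MAX_RATIO = 250


def compression_ratios(zip_bytes):
    """Return [(name, normal_size, compressed_size, ratio)] for each file entry.

    Sizes come from the central directory, so no entry is ever inflated;
    this makes the check safe to run on an archive you do not yet trust."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Same quotient as the "ratio:" field in the LibClamAV debug line;
            # stored zero-length entries have compress_size 0, so guard them.
            ratio = info.file_size / info.compress_size if info.compress_size else 0.0
            rows.append((info.filename, info.file_size, info.compress_size, ratio))
    return rows


def oversized_entries(zip_bytes, max_ratio=DEFAULT_MAX_RATIO):
    """Entries whose ratio exceeds max_ratio, i.e. what trips Oversized.Zip."""
    return [row for row in compression_ratios(zip_bytes) if row[3] > max_ratio]


def build_sample_pk3():
    """Constructed sample archive (not the real Nexuiz patch)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        # A solid-colour image deflates to a few hundred bytes: ratio far above 250.
        zf.writestr("gfx/sbar_overlay.tga", b"\x00" * 122924)
        # Random bytes do not compress at all: ratio about 1.
        zf.writestr("sound/random.wav", os.urandom(4096))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_pk3()
    for name, normal, compressed, ratio in compression_ratios(sample):
        print(f"{name}: normal={normal} compressed={compressed} ratio={ratio:.0f}")
    for name, *_ in oversized_entries(sample):
        print("would be reported as Oversized.Zip:", name)
    # Raising the limit, as with --max-ratio 9999, silences the report.
    print("flagged at 9999:", oversized_entries(sample, max_ratio=9999))
```

Running it against a real .pk3 or .zip (read the file's bytes and pass them in) tells you in advance which textures will trigger the heuristic, and which --max-ratio value would let the rest of the archive be scanned normally.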

Postby Jonny_T » Sat Feb 17, 2007 6:08 pm

Thanks for the info. I guess the clamav people should be notified about this false positive.

Cheers.

Perhaps worth putting a note on the download page to say that this can occur?

Postby divVerent » Sat Feb 17, 2007 6:14 pm

The ClamAV guys can't really fix that issue apart from removing those heuristics... I am now going to try to save these image files in a way that does not trigger ClamAV's heuristics (I have now RLE compressed the listed images and those that show up as 99% compression ratio too). No idea if it silences ClamAV or if it still does not suffice. A note on the download page would be good, but I can't put one there.

BTW, to actually scan the Nexuiz archive to be sure without getting hit by Oversized.Zip trigger happiness, do this:

$ clamscan --max-ratio 9999 nexuizpatch-21-223.zip


Then it won't find anything. The default value of --max-ratio is 250, which gets exceeded by some of our TGAs.

Addition: the now compressed TGAs don't trigger the ClamAV check any more. The next version won't be complained at by ClamAV any more.
