[Clamav-devel] Is this how clamAV is intended to work?

Vijay vijay_m_90 at yahoo.com
Thu Mar 5 14:55:04 EST 2015


Hello sir,

My question was about clamdscan, not clamscan. I made a typing mistake in my previous mail. Sir, clamdscan is not showing a line-by-line scan of the folders on the C drive. It prints output only when it finds a signature; otherwise it keeps scanning without any output on screen and finally gives a summary with the total errors. I want to see OK on screen after each folder is scanned if it is not infected. How can I change its code to achieve that?


> On Mar 6, 2015, at 12:22 AM, Tyler Manson <tyler at hack.ink> wrote:
> 
> Hi,
> 
> Okay, that sounds like the right approach. I thought it surely was
> something simple like that. I'm glad to hear that everything's ok :)
> 
> 
>> On 03/05/15, Andy Singer wrote:
>> Hi,
>> It depends on how the signature was written. In the case of eicar, it is
>> Eicar-Test-Signature:0:0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
>> 
>> so it will be detected only if the eicar pattern is at position 0 of
>> the file. If you change the signature to
>> 
>> Eicar-Test-Signature:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
>> 
>> the file will be detected regardless of where the pattern appears. In the
>> case of WIN.Trojan.DarkKomet, the signature is,
>> 
>> WIN.Trojan.DarkKomet:1:*:657473746174202d61202d6e202d6f00000000ffffffff0d00000044444f5348545450464c4f4f44000000ffffffff0c00000044444f5353594e464c4f4f4400000000ffffffff0c00000044444f53554450464c4f4f4400000000ffffffff0a0000005b436861
>> 
>> This can be present anywhere in a file, but only if it's a PE file. If you
>> prepend random data to the file, it will no longer have an MZ header, and
>> ClamAV will not recognize it as a PE file, so the signature will be
>> ignored. In the signature, change the target (1= PE) to (0= any) and you
>> can prepend random data.
>> 
>> ClamAV was designed for scanning files, not shellcode. If a file doesn't
>> have an MZ header, Windows won't execute it, so there's no need for ClamAV
>> to continue checking for PE signatures.
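
The matching rules described in the quoted reply (an absolute offset versus `*`, and target type 1 versus 0), as an added example that is not part of the thread and is not ClamAV's code. It is a simplified Python model: the pattern and sample buffers are constructed, file typing is reduced to an MZ check at byte 0, and the names `parse_ndb`, `looks_like_pe` and `matches` are hypothetical.

```python
# Simplified model of Name:Target:Offset:HexSig matching; not ClamAV's code.
# Handles only plain hex bodies, offset "*" or an absolute number, targets 0 and 1.

def parse_ndb(line):
    name, target, offset, hexsig = line.strip().split(":", 3)
    return {"name": name,
            "target": int(target),
            "offset": None if offset == "*" else int(offset),
            "pattern": bytes.fromhex(hexsig)}

def looks_like_pe(data):
    # Assumption for this model: file typing is just the MZ magic at byte 0.
    return data[:2] == b"MZ"

def matches(sig, data):
    if sig["target"] not in (0, 1):
        raise ValueError("target type not modelled here")
    if sig["target"] == 1 and not looks_like_pe(data):
        return False  # a PE-only signature is never tried on a non-PE file
    if sig["offset"] is None:
        return sig["pattern"] in data  # "*": anywhere in the file
    return data.startswith(sig["pattern"], sig["offset"])  # absolute offset

# Constructed pattern and buffers, not real signature bodies or samples.
PATTERN = b"CONSTRUCTED-TEST-PATTERN"
SIGS = {
    "anchored": parse_ndb("Demo.Anchored:0:0:" + PATTERN.hex()),
    "floating": parse_ndb("Demo.Floating:0:*:" + PATTERN.hex()),
    "pe_only": parse_ndb("Demo.PEOnly:1:*:" + PATTERN.hex()),
}
SAMPLES = {
    "pattern_first": PATTERN + b"tail",
    "prefixed": b"\x00" * 16 + PATTERN,
    "pe": b"MZ" + b"\x90" * 62 + PATTERN,
    "pe_prefixed": b"junk" + b"MZ" + b"\x90" * 62 + PATTERN,
}

def verdicts():
    # Maps (signature, sample) to True/False for every combination.
    return {(s, f): matches(sig, data)
            for s, sig in SIGS.items() for f, data in SAMPLES.items()}

if __name__ == "__main__":
    for (s, f), hit in sorted(verdicts().items()):
        print(f"{s:9} {f:14} {'FOUND' if hit else 'OK'}")
```

For signature authors, the table it prints shows the coverage trade-off: the anchored and PE-only forms are narrower and miss buffers that the target 0, offset `*` form still flags.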
