[clamav-users] Scan of RAR problem
jose-marcio martins da cruz
jose-marcio.martins at ensmp.fr
Wed Apr 29 16:04:44 UTC 2015
Hello,
I'm getting different results when scanning an infected email message.
On a Sparc Solaris 10 (32 bits compiled), clamdscan tells me that the
message is infected: "Heuristics.Encrypted.RAR FOUND"
Testing it on two 64-bit Linux boxes (Fedora and Ubuntu), both tell me
that the message is clean.
All boxes are running the same ClamAV version (0.98.6), with the same
set of malware databases, and the same relevant configuration options
both in clamd.conf and freshclam.conf (sorted for easier comparison):
AlgorithmicDetection yes
AllowSupplementaryGroups yes
ArchiveBlockEncrypted yes
DetectBrokenExecutables yes
DetectPUA yes
ExtendedDetectionInfo yes
FixStaleSocket yes
HeuristicScanPrecedence yes
IdleTimeout 60
LogClean yes
LogFile /export/spool/log/clamd.log
LogFileMaxSize 2M
LogTime yes
MaxFiles 15000
MaxFileSize 30M
MaxRecursion 16
PhishingScanURLs yes
PhishingSignatures yes
ScanArchive yes
ScanELF yes
ScanHTML yes
ScanMail yes
ScanOLE2 yes
ScanPDF yes
ScanPE yes
ScanPE yes
SelfCheck 600
TCPAddr 127.0.0.1
TCPSocket 3310
User clamscan
ClamAV on VirusTotal says that it's OK:
https://www.virustotal.com/en/file/d143c2b9f8e6c26e471fd02c02ebb5c9f9528fcd55658b666e1595b3c3255e3f/analysis/1430322076/
You can find two samples of this at :
http://www.j-chkmail.org/users/oitc/5523C74B.000.0000.xfile
http://www.j-chkmail.org/users/oitc/5523C833.000.0000.xfile
This comes at a moment we're migrating our mail servers to linux... :-(
All hints are welcome.
Regards
José-Marcio
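As an added check (example code written for this page, not from the poster or from the ClamAV project): a small Python script that pulls RAR attachments out of a raw RFC 822 message, whatever Content-Type they were sent under, and reads the RAR 4.x header flags that an "encrypted archive" verdict keys on (LHD_PASSWORD on a file header, MHD_PASSWORD on the main header). Running it on both the Solaris and the Linux box against the same .xfile tells you whether the attachment really is an encrypted RAR, independently of whichever clamd result is the wrong one. The archive and the message it is attached to are constructed inline; the filenames and addresses are placeholders; RAR5 archives are recognised but not parsed; header CRCs are verified, but no data is decrypted or decompressed.

```python
"""Independent check of a mail's RAR attachments for the RAR 4.x encryption
flags. Added example, not ClamAV code. RAR5 is reported but not parsed."""
import email
import struct
import sys
import zlib
from email.message import EmailMessage

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

MAIN_HEAD, FILE_HEAD, END_HEAD = 0x73, 0x74, 0x7B
MHD_PASSWORD = 0x0080   # main header flag: the headers themselves are encrypted
LHD_PASSWORD = 0x0004   # file header flag: this entry's data is encrypted
LHD_LARGE = 0x0100      # file header flag: 64-bit sizes follow the fixed fields
LONG_BLOCK = 0x8000     # block carries a 4-byte ADD_SIZE after HEAD_SIZE


def rar4_encryption(data):
    """Walk the RAR 4.x block chain and report which headers/entries are
    password protected. Raises ValueError on non-RAR4 or corrupt input."""
    if data.startswith(RAR5_MAGIC):
        raise ValueError("RAR5 archive: not parsed by this example")
    if not data.startswith(RAR4_MAGIC):
        raise ValueError("not a RAR 4.x archive")
    pos = len(RAR4_MAGIC)
    result = {"headers_encrypted": False, "files": []}
    while pos + 7 <= len(data):
        head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7:
            raise ValueError("corrupt header size at offset %d" % pos)
        # HEAD_CRC is the low 16 bits of CRC32 over the header bytes after it.
        if zlib.crc32(data[pos + 2:pos + head_size]) & 0xFFFF != head_crc:
            raise ValueError("header CRC mismatch at offset %d" % pos)
        add_size = 0
        if head_type == FILE_HEAD:
            (pack_size, _unp_size, _host_os, _file_crc, _ftime, _unp_ver,
             _method, name_size, _attr) = struct.unpack_from("<IIBIIBBHI", data, pos + 7)
            name_off = pos + 7 + 25
            if flags & LHD_LARGE:
                high_pack, _high_unp = struct.unpack_from("<II", data, name_off)
                pack_size |= high_pack << 32
                name_off += 8
            name = data[name_off:name_off + name_size].decode("latin-1")
            result["files"].append({"name": name, "encrypted": bool(flags & LHD_PASSWORD)})
            add_size = pack_size          # packed data follows the file header
        elif head_type == MAIN_HEAD:
            result["headers_encrypted"] = bool(flags & MHD_PASSWORD)
            if result["headers_encrypted"]:
                break                     # everything after this block is ciphertext
        elif flags & LONG_BLOCK:
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        if head_type == END_HEAD:
            break
        pos += head_size + add_size
    return result


def _rar4_block(head_type, flags, body):
    """One RAR 4.x header block with a correct HEAD_CRC (for the constructed sample)."""
    rest = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest


def build_sample_rar4(filename, payload, encrypted):
    """Constructed RAR 4.x archive with one 'stored' entry. The payload is neither
    compressed nor really encrypted; only the header flags matter for this check."""
    main = _rar4_block(MAIN_HEAD, 0x0000, b"\x00\x00" + b"\x00\x00\x00\x00")  # HIGHPOSAV, POSAV
    name = filename.encode("latin-1")
    flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
    body = struct.pack("<IIBIIBBHI", len(payload), len(payload), 2, zlib.crc32(payload),
                       0, 29, 0x30, len(name), 0x20) + name
    entry = _rar4_block(FILE_HEAD, flags, body) + payload
    end = _rar4_block(END_HEAD, 0x4000, b"")
    return RAR4_MAGIC + main + entry + end


def build_sample_mail(archive_bytes, filename="invoice.rar"):
    """Constructed test message carrying the archive as a base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"       # placeholder addresses
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(archive_bytes, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def rar_attachments_in_mail(raw_bytes):
    """Return [(attachment filename, rar4_encryption() result or {'error': ...})]
    for every leaf part whose decoded bytes carry a RAR signature."""
    found = []
    for part in email.message_from_bytes(raw_bytes).walk():
        if part.is_multipart():
            continue
        blob = part.get_payload(decode=True) or b""
        if not blob.startswith(b"Rar!\x1a\x07"):
            continue
        try:
            info = rar4_encryption(blob)
        except ValueError as exc:
            info = {"error": str(exc)}
        found.append((part.get_filename(), info))
    return found


if __name__ == "__main__":
    # With raw message files as arguments (e.g. the .xfile samples), check those;
    # otherwise run against the constructed sample.
    inputs = [open(p, "rb").read() for p in sys.argv[1:]] or \
             [build_sample_mail(build_sample_rar4("doc.exe", b"MZ" + b"\x00" * 30, True))]
    for raw in inputs:
        for fname, info in rar_attachments_in_mail(raw):
            print(fname, info)
```

Run it as `python3 rarcheck.py 5523C74B.000.0000.xfile` on each host; if both print `encrypted: True` for the same entry, the archive itself is unambiguous and the difference is in how the two ClamAV builds reach the heuristic, not in the sample.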