[clamav-users] Detection in windows but not Linux

Paul Kosinski clamav at iment.com
Mon Dec 14 22:13:47 UTC 2015


Just a wild thought, but could the Linux version of ClamAV somehow be
doing a "DOS to UNIX" processing on signatures as if they were ASCII,
thus converting "0d0a" to "0a"?


On Mon, 14 Dec 2015 12:00:01 -0500
clamav-users-request at lists.clamav.net wrote:

> Today's Topics:
> 
>    1. Re: Detection in windows but not Linux (G.W. Haywood)
>    2. Re: Detection in windows but not Linux (Kurt Fitzner)
>    3. Re: Detection in windows but not Linux (Al Varnell)
>    4. Re: Detection in windows but not Linux (Kurt Fitzner)
>    5. Re: Detection in windows but not Linux (Al Varnell)
>    6. Re: Detection in windows but not Linux (Kurt Fitzner)
>    7. Re: Detection in windows but not Linux (Kurt Fitzner)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sun, 13 Dec 2015 17:42:32 +0000 (GMT)
> From: "G.W. Haywood" <clamav at jubileegroup.co.uk>
> To: clamav-users at lists.clamav.net
> Subject: Re: [clamav-users] Detection in windows but not Linux
> Message-ID:
> 	<Pine.LNX.4.64.1512131740090.9868 at mail5.jubileegroup.co.uk>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
> 
> Hi there,
> 
> On Sun, 13 Dec 2015, Arnaud Jacques wrote:
> 
> > For me PHP.Shell-83 is wrong. It contains 0d0a. It means it has
> > been created with a non-normalized ascii file.
> > I guess it should be corrected.
> 
> In my current main.cld, 4636 of the approximately 2.4 million
> signatures in the file contain the string "0d0a".
> 
> Comments?
> 
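
An added example, not part of the thread and not ClamAV code: a small model of the line-ending mismatch discussed above. It checks plain-hex signatures in the `Name:TargetType:Offset:HexSignature` layout against a CRLF sample and its LF-converted copy, and separates a byte-aligned `0d0a` from one that only shows up as a substring of the hex text. The signature names, the sample bytes and the helper names are constructed for illustration, and wildcard signatures are out of scope.

```python
# Added illustration; signature names and sample bytes are constructed.

def parse_ndb(line):
    """Split an .ndb-style line: Name:TargetType:Offset:HexSignature."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return name, int(target), offset, hexsig.lower()

def has_crlf_bytes(hexsig):
    """True only if '0d0a' starts on a byte boundary (even hex offset)."""
    i = hexsig.find("0d0a")
    while i != -1:
        if i % 2 == 0:
            return True
        i = hexsig.find("0d0a", i + 1)
    return False

def dos2unix(data):
    """Fold CRLF to LF, as a DOS-to-UNIX text conversion would."""
    return data.replace(b"\r\n", b"\n")

def matches(hexsig, data):
    """Plain-hex signature match: the bytes must appear verbatim."""
    return bytes.fromhex(hexsig) in data

def audit(sig_lines, sample_crlf):
    """Per signature: (byte-aligned CRLF?, hits CRLF copy, hits LF copy)."""
    sample_lf = dos2unix(sample_crlf)
    report = {}
    for line in sig_lines:
        name, _target, _offset, hexsig = parse_ndb(line)
        report[name] = (has_crlf_bytes(hexsig),
                        matches(hexsig, sample_crlf),
                        matches(hexsig, sample_lf))
    return report

# Constructed sample: a harmless PHP-like text with DOS line endings.
SAMPLE = b"<?php\r\n$k = 'demo';\r\n// \xa0\xd0\xa1\r\n"
SIGS = [
    "Demo.CrlfBound:0:*:" + b"<?php\r\n$k".hex(),  # spans a line break
    "Demo.LineOnly:0:*:" + b"$k = 'demo'".hex(),   # stays within one line
    "Demo.Unaligned:0:*:a0d0a1",                   # '0d0a' at odd offset
]

if __name__ == "__main__":
    for name, row in audit(SIGS, SAMPLE).items():
        print(name, row)
```

A plain text search for "0d0a" in a signature file also counts cases like `Demo.Unaligned`, so it overstates how many signatures actually depend on a CRLF byte pair.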


