[clamav-users] Detection in windows but not Linux
Paul Kosinski
clamav at iment.com
Mon Dec 14 22:13:47 UTC 2015
Just a wild thought, but could the Linux version of ClamAV somehow be
doing a "DOS to UNIX" processing on signatures as if they were ASCII,
thus converting "0d0a" to "0a"?
On Mon, 14 Dec 2015 12:00:01 -0500
clamav-users-request at lists.clamav.net wrote:
> Send clamav-users mailing list submissions to
> clamav-users at lists.clamav.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> or, via email, send a message with subject or body 'help' to
> clamav-users-request at lists.clamav.net
>
> You can reach the person managing the list at
> clamav-users-owner at lists.clamav.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of clamav-users digest..."
>
>
> Today's Topics:
>
> 1. Re: Detection in windows but not Linux (G.W. Haywood)
> 2. Re: Detection in windows but not Linux (Kurt Fitzner)
> 3. Re: Detection in windows but not Linux (Al Varnell)
> 4. Re: Detection in windows but not Linux (Kurt Fitzner)
> 5. Re: Detection in windows but not Linux (Al Varnell)
> 6. Re: Detection in windows but not Linux (Kurt Fitzner)
> 7. Re: Detection in windows but not Linux (Kurt Fitzner)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 13 Dec 2015 17:42:32 +0000 (GMT)
> From: "G.W. Haywood" <clamav at jubileegroup.co.uk>
> To: clamav-users at lists.clamav.net
> Subject: Re: [clamav-users] Detection in windows but not Linux
> Message-ID:
> <Pine.LNX.4.64.1512131740090.9868 at mail5.jubileegroup.co.uk>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
> Hi there,
>
> On Sun, 13 Dec 2015, Arnaud Jacques wrote:
>
> > For me PHP.Shell-83 is wrong. It contains 0d0a. It means it has
> > been created with a non-normalized ascii file.
> > I guess it should be corrected.
>
> In my current main.cld, 4636 of the approximately 2.4 million
> signatures in the file contain the string "0d0a".
>
> Comments?
>
More information about the clamav-users
mailing list