[clamav-users] heuristic-scan-precedence is broken
David Shrimpton
d.shrimpton at its.uq.edu.au
Sun Feb 28 11:10:42 UTC 2016
Hi,
--heuristic-scan-precedence=no is broken in clamav-0.99
e.g. create a test encrypted zip /tmp/abcdef.zip:
clamscan -z --database=/tmp/test.ndb --block-encrypted=yes /tmp/abcdef.zip
/tmp/abcdef.zip: Heuristics.Encrypted.Zip FOUND
clamscan -z --database=/tmp/test.ndb --block-encrypted=no /tmp/abcdef.zip
/tmp/abcdef.zip: testsig.1.UNOFFICIAL FOUND
/tmp/abcdef.zip: testsig.1.UNOFFICIAL FOUND
clamscan -z --database=/tmp/test.ndb --block-encrypted=yes --heuristic-scan-precedence=no /tmp/abcdef.zip
/tmp/abcdef.zip: Heuristics.Encrypted.Zip FOUND
With --heuristic-scan-precedence=no, testsig.1.UNOFFICIAL should have been
returned and not Heuristics.Encrypted.Zip.
With -z --heuristic-scan-precedence=no, both testsig.1.UNOFFICIAL
and Heuristics.Encrypted.Zip should have been returned.
This is the same problem as occurs with clamdscan and OLE2BlockMacros yes.
Heuristics.OLE2.ContainsMacros gets returned and not any real sigs that
also might match.
I suspect --heuristic-scan-precedence=no might not work for any heuristic
detection.
If heuristic-scan-precedence=no worked, you could parse the returned
virus name and treat files that only matched a Heuristics sig (e.g.
pdf or encrypted zip or ole2 with macros) differently to files that matched
a real sig, e.g. do logging only instead of discarding.
--
David Shrimpton
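The per-file triage the post sketches (log-only for files that matched nothing but a Heuristics.* name, discard for files that matched a real signature) could be scripted like this. This is an added example, not code from the post or from the ClamAV project. It parses the `<path>: <name> FOUND` lines clamscan prints; the sample output is constructed from the lines in the post plus a macro document and a clean file, and the `scan()` helper, its flag choice and the verdict names "log"/"discard" are assumptions made here.

```python
"""Triage clamscan output: heuristic-only hits vs real signature hits.

Added example (not from the post or from ClamAV). clamscan prints one
"<path>: <name> FOUND" line per detection; with -z it keeps scanning after
the first hit, so a file can have several such lines.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample: the three FOUND lines from the post for the encrypted
# zip, a document with macros, a clean file and a summary block.
SAMPLE_OUTPUT = """\
/tmp/abcdef.zip: Heuristics.Encrypted.Zip FOUND
/tmp/abcdef.zip: testsig.1.UNOFFICIAL FOUND
/tmp/abcdef.zip: testsig.1.UNOFFICIAL FOUND
/tmp/macro.doc: Heuristics.OLE2.ContainsMacros FOUND
/tmp/clean.txt: OK

----------- SCAN SUMMARY -----------
Known viruses: 1
Infected files: 2
"""

# Anchored at both ends so "OK" lines and the summary are ignored.  A path
# containing ": " is still split at its first ": " (clamscan does not quote).
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<name>\S+) FOUND$")


def parse_clamscan(output):
    """Map each reported path to the list of detection names, in order."""
    hits = defaultdict(list)
    for line in output.splitlines():
        m = FOUND_RE.match(line.rstrip())
        if m:
            hits[m.group("path")].append(m.group("name"))
    return dict(hits)


def is_heuristic(name):
    """ClamAV reports heuristic detections under the Heuristics.* prefix."""
    return name.startswith("Heuristics.")


def classify(hits):
    """Per file: 'discard' if any non-heuristic signature matched, else 'log'.

    Only meaningful when clamscan reports *all* names for a file, i.e. -z
    together with --heuristic-scan-precedence=no behaving as documented.
    """
    verdicts = {}
    for path, names in hits.items():
        real = [n for n in names if not is_heuristic(n)]
        verdicts[path] = "discard" if real else "log"
    return verdicts


def scan(paths, database=None):
    """Hypothetical wrapper: run clamscan and classify its output.

    Exit codes 0 (clean) and 1 (something found) are normal; 2 is an error.
    Not executed in the test, since it needs clamscan installed.
    """
    cmd = ["clamscan", "-z", "--no-summary", "--stdout",
           "--block-encrypted=yes", "--heuristic-scan-precedence=no"]
    if database:
        cmd.append("--database=" + database)
    proc = subprocess.run(cmd + list(paths), capture_output=True, text=True)
    if proc.returncode == 2:
        raise RuntimeError("clamscan error: " + proc.stderr.strip())
    return classify(parse_clamscan(proc.stdout))


if __name__ == "__main__":
    for path, verdict in classify(parse_clamscan(SAMPLE_OUTPUT)).items():
        print(path, "->", verdict)
```

With the behaviour the post reports (only Heuristics.Encrypted.Zip returned when --block-encrypted=yes), this triage would file /tmp/abcdef.zip under "log" even though testsig.1 also matches, which is exactly the failure the post is about; the script is only useful once -z with --heuristic-scan-precedence=no reports both names.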