[clamav-users] Eicar test string now returning Win.Trojan.Trojan-605
Jason Williams
jasonjwwilliams at gmail.com
Thu Mar 17 17:25:07 UTC 2016
Is anyone still seeing this or have they fixed it?
-J
Sent via iPhone
> On Mar 17, 2016, at 02:44, Mark Allan <markjallan at gmail.com> wrote:
>
> Just to confirm, I'm also seeing everything being flagged as Win.Trojan.Trojan-476 with the new main/daily.cvd files.
>
> Mark
>
>> On 17 Mar 2016, at 6:49 am, Al Varnell <alvarnell at mac.com> wrote:
>>
>> I just ran a scan against the ClamAV test files contained in the 0.99.1 source file and I’m getting all Win.Trojan.Trojan-476:
>>
>> File Name Infection Name Status
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/unit_tests/clam-phish-exe Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.cab Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.zip Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.arj Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.rtf Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.szdd Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tar.gz Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.chm Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.sis Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-aspack.exe Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-pespin.exe Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upx.exe Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-fsg.exe Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-mew.exe Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-nsis.exe Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-petite.exe Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upack.exe Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-wwpack.exe Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.pdf Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.mail Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ppt Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tnef Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea05.exe Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea06.exe Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.d64.zip Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.base64 Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.uu Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.binhex Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ole.doc Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.impl.zip Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.html Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-be.cpio Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-le.cpio Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.newc.cpio Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.odc.cpio Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-yc.exe Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_int.exe Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_ext.exe Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_int.exe Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_ext.exe Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.7z Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_cache_emax.tgz Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.iso Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clamjol.iso Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-v2.rar Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-v3.rar Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.bz2 Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bz2.zip Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam_IScab_int.exeaa Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam.isoaa Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam_IScab_ext.exeaa Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clamjol.isoaa Win.Trojan.Trojan-476
>>
>> -Al-
>>
>>> On Wed, Mar 16, 2016 at 10:46 PM, Jason Williams wrote:
>>>
>>> Hey Al,
>>>
>>> I submitted a FP report with one attached. Just put the EICAR string into a txt file and that'll trigger it.
>>>
>>> -J
>>>
>>> Sent via iPhone
>>>
>>>> On Mar 16, 2016, at 22:16, Al Varnell <alvarnell at mac.com> wrote:
>>>>
>>>> I don’t know why sanesecurity-porcupine.ndb is causing this, but I can now see that the signatures for Win.Test.EICAR_LDB-1 and Win.Trojan.Trojan-605 are identical, so this is an FP situation which would be reported.
>>>> <http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Test.EICAR_LDB-1&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&display=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>
>>>>
>>>> However, I’m not sure where to find a copy of a Win.Test.EICAR_LDB-1 file to submit.
>>>>
>>>> -Al-
>>>>
>>>>
>>>>> On Wed, Mar 16, 2016 at 09:44 PM, Jason J. W. Williams wrote:
>>>>>
>>>>> Culprit seems to be sanesecurity-porcupine.ndb (http://sanesecurity.com/usage/signatures/). Moving it out causes Win.Test.EICAR_NDB-1 FOUND to be found, moving it back in triggers the Win.Trojan.Trojan-605 FP. Since the Win.Trojan.Trojan sig isn't in the DB I'm not sure why that is.
>>>>>
>>>>> -J
>>>>>
>>>>>> On Wed, Mar 16, 2016 at 9:38 PM, Al Varnell <alvarnell at mac.com> wrote:
>>>>>>
>>>>>> Disregard, I found it here after they got the new main.cvd:
>>>>>> <http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Trojan.Trojan-605&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&display=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>
>>>>>>
>>>>>> I’ll see what I get once my main.cvd finishes.
>>>>>>
>>>>>> -Al-
>>>>>>
>>>>>>> On Wed, Mar 16, 2016 at 09:32 PM, Al Varnell wrote:
>>>>>>>
>>>>>>> I’m still looking, but so far I can’t find any Win.Trojan.Trojan signatures in the ClamAV Official database or listed on the clamav-virusdb e-mail list.
>>>>>>>
>>>>>>> Nor can I confirm your results using my own EICAR.
>>>>>>>
>>>>>>> Are you using any Unofficial signatures from a different source?
>>>>>>>
>>>>>>> -Al-
>>>>>>>
>>>>>>>> On Wed, Mar 16, 2016 at 09:06 PM, Jason J. W. Williams wrote:
>>>>>>>>
>>>>>>>> Pulled down 21466 (and force restarted clamd) but it's still classifying EICAR as Win.Trojan.Trojan:
>>>>>>>>
>>>>>>>> https://gist.github.com/williamsjj/b8104402e80f44475df5
>>>>>>>>
>>>>>>>> Databases are up to date now:
>>>>>>>> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
>>>>>>>> Empty script daily-21465.cdiff, need to download entire database
>>>>>>>> Downloading daily.cvd [100%]
>>>>>>>> daily.cvd updated (version: 21466, sigs: 83889, f-level: 63, builder: amishhammer)
>>>>>>>> Empty script bytecode-275.cdiff, need to download entire database
>>>>>>>> Downloading bytecode.cvd [100%]
>>>>>>>> bytecode.cvd updated (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
>>>>>>>> Database updated (4302724 signatures) from db.local.clamav.net (IP: 193.1.193.64)
>>>>>>>>
>>>>>>>>> On Wed, Mar 16, 2016 at 9:00 PM, Al Varnell <alvarnell at mac.com> wrote:
>>>>>>>>>
>>>>>>>>> Those are normal messages for an update of this kind. The 21465.cdiff was purposely blank in order to force you to download the entire daily.cvd. Give it plenty of time as the main.cvd is 109MB.
>>>>>>>>>
>>>>>>>>> Technical details: <http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html>
>>>>>>>>>
>>>>>>>>> -Al-
>>>>>>>>>
>>>>>>>>>> On Wed, Mar 16, 2016 at 08:56 PM, Jason J. W. Williams wrote:
>>>>>>>>>>
>>>>>>>>>> Thanks. Hopefully it'll sync up soon. I'm getting weird download errors out of freshclam:
>>>>>>>>>>
>>>>>>>>>> WARNING: getfile: Error while reading database from db.local.clamav.net (IP: 200.236.31.1): Operation now in progress
>>>>>>>>>> WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
>>>>>>>>>> nonblock_recv: recv timing out (30 secs)
>>>>>>>>>> WARNING: getfile: Error while reading database from db.local.clamav.net (IP: 194.186.47.19): Operation now in progress
>>>>>>>>>> WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
>>>>>>>>>> Empty script daily-21465.cdiff, need to download entire database
>>>>>>>>>>
>>>>>>>>>> On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarnell at mac.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> The new database was just made available, so I recommend you hold off until you have the new main.cvd v57 and daily.cvd v21466 before getting too excited about this.
>>>>>>>>>>>
>>>>>>>>>>> -Al-
>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> As of the latest daily update, running ClamAV against the EICAR test string reports Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
>>>>>>>>>>>>
>>>>>>>>>>>> -J
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Help us build a comprehensive ClamAV guide:
>>>>>> https://github.com/vrtadmin/clamav-faq
>>>>>>
>>>>>> http://www.clamav.net/contact.html#ml
>>>>
>>>> -Al-
>>>> --
>>>> Al Varnell
>>>> Mountain View, CA
>>
>> -Al-
>> --
>> Al Varnell
>> Mountain View, CA
>>
>
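Added example, not code from this thread or from the ClamAV project: a small checker for the situation Al describes above, where two signature names in different .ndb databases carry an identical hex body, so which name clamscan reports depends only on which signature it matches first. It assumes the documented Name:TargetType:Offset:HexSignature .ndb layout; the two sample databases and their hex bodies are constructed placeholders, not real signatures.

```python
"""Report hex bodies shared by more than one signature name across ClamAV
.ndb databases. Added example, not ClamAV project code; the .ndb format is
the documented  Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]  layout
and every database body below is a constructed placeholder."""
from collections import defaultdict

def parse_ndb(text):
    """Yield (name, target, offset, hexsig) for each non-comment .ndb line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError("malformed .ndb line: %r" % raw)
        # Hex is case-insensitive to the scanner, so normalise before comparing.
        yield parts[0], parts[1], parts[2], parts[3].lower()

def find_collisions(databases):
    """databases maps filename -> .ndb text.  Returns {hexsig: [(db, name)]}
    for every body that is claimed by two or more distinct signature names."""
    by_body = defaultdict(list)
    for db, text in databases.items():
        for name, _target, _offset, hexsig in parse_ndb(text):
            by_body[hexsig].append((db, name))
    return {body: owners for body, owners in by_body.items()
            if len({name for _db, name in owners}) > 1}

# Constructed sample databases: names from the thread, bodies are placeholders.
OFFICIAL_NDB = """\
Win.Test.EICAR_NDB-1:0:*:4e4f542d412d5245414c2d534947
Win.Trojan.Example-1:1:*:4d5a90000300000004000000ffff
"""
UNOFFICIAL_NDB = """\
Win.Trojan.Trojan-605:0:*:4E4F542D412D5245414C2D534947
Win.Trojan.Other-2:1:*:deadbeefcafef00d
"""

def report(databases):
    """Print and return the collisions so the caller can act on them."""
    collisions = find_collisions(databases)
    for body, owners in sorted(collisions.items()):
        names = ", ".join("%s in %s" % (name, db) for db, name in owners)
        print("body %s is claimed by: %s" % (body, names))
    return collisions

if __name__ == "__main__":
    report({"daily.ndb": OFFICIAL_NDB,
            "sanesecurity-porcupine.ndb": UNOFFICIAL_NDB})
```

On a live install the same question can be answered by scanning the EICAR file with `clamscan --allmatch`, which lists every signature that matches instead of stopping at the first.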