[clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

David Raynor draynor at sourcefire.com
Tue May 17 17:02:25 EDT 2016


If you run clamscan with "--debug" it will tell you which files it is
loading, even the files inside a cvd or cld file. It will also remark about
which signatures it skips when loading.

You should see these lines within your debug output:

...
LibClamAV debug: daily.ign2 loaded
...
LibClamAV debug: /var/lib/clamav/daily.cld loaded
...
LibClamAV debug: Ignoring signature Win.Trojan.Trojan-605
...
LibClamAV debug: main.ndb loaded
...

Which of these rows you see is going to be affected by the contents of your
database, but this is what I see with an up-to-date daily and main.cvd. The
signature is in the latest main. The ignore is set in the latest daily
(21562) and has been for weeks. Once you get to a fresh enough daily it
will have the ignore set. If there is something else going on that is
preventing clamscan from loading that daily.cld (e.g. file permissions,
path difference) that would be the culprit.

Hope this helps,

Dave R.


On Tue, May 17, 2016 at 4:33 PM, Jason J. W. Williams <
jasonjwwilliams at gmail.com> wrote:

> Yessir:
>
> # sigtool -u /var/lib/clamav/daily.cld
>
> # grep -i 'Win.Trojan.Trojan-605' daily.ign
> main:42:Win.Trojan.Trojan-605
>
> On Tue, May 17, 2016 at 1:25 PM, Alain Zidouemba <azidouemba at sourcefire.com> wrote:
>
> > $ sigtool -u /usr/local/share/clamav/daily.cld
> >
> > $ grep -i 'Win.Trojan.Trojan-605' daily.ign
> > main:42:Win.Trojan.Trojan-605
> >
> >
> > Same on your end?
> >
> > - Alain
> >
> > On Tue, May 17, 2016 at 4:22 PM, Jason J. W. Williams <
> > jasonjwwilliams at gmail.com> wrote:
> >
> > > We do.
> > >
> > > -J
> > >
> > > On Tue, May 17, 2016 at 1:13 PM, Alain Zidouemba <azidouemba at sourcefire.com> wrote:
> > >
> > > > Jason:
> > > >
> > > > Do you have both main.cvd and daily.cvd? Win.Trojan.Trojan-605 was
> > > > dropped several weeks ago, but would only be reflected in your
> > > > installation if you have both main.cvd and daily.cvd. Please confirm.
> > > >
> > > > Thanks,
> > > >
> > > > - Alain
> > > >
> > > >
> > > >
> > > > On Tue, May 17, 2016 at 4:11 PM, Jason J. W. Williams <
> > > > jasonjwwilliams at gmail.com> wrote:
> > > >
> > > > > No ClamAV 0.98.7.
> > > > >
> > > > > -J
> > > > >
> > > > > On Mon, May 16, 2016 at 11:25 PM, Al Varnell <alvarnell at mac.com> wrote:
> > > > >
> > > > > > I’m unable to replicate your findings:
> > > > > >
> > > > > > ~/Downloads/2016-05-16/eicar.txt: Eicar-Test-Signature FOUND
> > > > > >
> > > > > > Taking a look at the current daily.cld I see entries in both ignore
> > > > > > sections:
> > > > > >
> > > > > > daily.ign    1374    002516
> > > > > > fake:1:Dont_remove_this_line
> > > > > > ...
> > > > > > main:42:Win.Trojan.Trojan-605
> > > > > >
> > > > > > daily.ign2    1072    002573
> > > > > > fake_dont_remove_this_line
> > > > > > ...
> > > > > > Win.Trojan.Trojan-605
> > > > > >
> > > > > > I wonder if it’s engine specific? Are you using 0.99.x?
> > > > > >
> > > > > > -Al-
> > > > > >
> > > > > > On Mon, May 16, 2016 at 01:45 PM, Jason J. W. Williams wrote:
> > > > > > >
> > > > > > > Looks like EICAR is getting classified as Win.Trojan.Trojan-605
> > > > > > > again (daily 21557).
> > > > > > >
> > > > > > > https://gist.github.com/williamsjj/b8104402e80f44475df5
> > > > > > >
> > > > > > > -J
> > > > > > >
> > > > > > > On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarnell at mac.com> wrote:
> > > > > > >
> > > > > > >> The new database was just made available, so I recommend you
> > > > > > >> hold off until you have the new main.cvd v57 and daily.cvd v21466
> > > > > > >> before getting too excited about this.
> > > > > > >>
> > > > > > >> -Al-
> > > > > > >>
> > > > > > >> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> > > > > > >>>
> > > > > > >>> As of the latest daily update, running ClamAV against the EICAR
> > > > > > >>> test string reports Win.Trojan.Trojan-605 instead of
> > > > > > >>> Eicar-Test-Signature.
> > > > > > >>>
> > > > > > >>> -J
> > > > > >
> > > > > > _______________________________________________
> > > > > > Help us build a comprehensive ClamAV guide:
> > > > > > https://github.com/vrtadmin/clamav-faq
> > > > > >
> > > > > > http://www.clamav.net/contact.html#ml
> > > > > >



-- 
---
Dave Raynor
Talos Security Intelligence and Research Group
draynor at sourcefire.com
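Added example, not from the thread or the ClamAV project: a small POSIX sh diagnostic for the situation described above. ignore_status parses "clamscan --debug" output to tell a stale daily (signature still loaded) apart from a daily.cld that never loaded at all, and ign_lists_sig checks an unpacked daily.ign (as written out by "sigtool -u daily.cld") for the main:<line>:<name> entry. The debug lines and the daily.ign contents below are constructed samples in the formats quoted in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example (not ClamAV's code). Sample inputs are constructed.

# Constructed sample of the "clamscan --debug" lines quoted in the reply above.
SAMPLE_DEBUG='LibClamAV debug: daily.ign2 loaded
LibClamAV debug: /var/lib/clamav/daily.cld loaded
LibClamAV debug: Ignoring signature Win.Trojan.Trojan-605
LibClamAV debug: main.ndb loaded'

# ignore_status SIG DAILY_PATH DEBUG_TEXT
#   0 = DAILY_PATH loaded and SIG ignored (the expected, healthy case)
#   1 = DAILY_PATH loaded but SIG not ignored (daily too old for the ignore)
#   2 = DAILY_PATH never loaded (path or permission problem, as the reply suggests)
ignore_status() {
  sig=$1 daily=$2 debug=$3
  printf '%s\n' "$debug" | grep -Fq "LibClamAV debug: $daily loaded" || return 2
  printf '%s\n' "$debug" | grep -Fq "LibClamAV debug: Ignoring signature $sig" || return 1
  return 0
}

# ign_lists_sig IGN_FILE SIG: 0 if the unpacked .ign file names SIG, 1 otherwise.
# .ign lines look like "main:42:Win.Trojan.Trojan-605", i.e. db:line:name.
ign_lists_sig() {
  awk -F: -v sig="$2" '$3 == sig { found = 1 } END { exit !found }' "$1"
}

# Demonstration on the constructed inputs. In real use, feed ignore_status the
# output of "clamscan --debug <file> 2>&1" and point ign_lists_sig at the
# daily.ign that "sigtool -u" wrote into the current directory.
SAMPLE_IGN=$(mktemp)
printf 'fake:1:Dont_remove_this_line\nmain:42:Win.Trojan.Trojan-605\n' > "$SAMPLE_IGN"
rc=0
ignore_status Win.Trojan.Trojan-605 /var/lib/clamav/daily.cld "$SAMPLE_DEBUG" || rc=$?
echo "ignore_status for /var/lib/clamav/daily.cld: $rc"
if ign_lists_sig "$SAMPLE_IGN" Win.Trojan.Trojan-605; then
  echo "daily.ign lists Win.Trojan.Trojan-605"
fi
rm -f "$SAMPLE_IGN"
```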