[clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

Jason J. W. Williams jasonjwwilliams at gmail.com
Tue May 17 17:37:28 EDT 2016


Hi Dave,

Thanks. I don't see any issues with it loading the daily.cld. I'm going to
wipe it out and let Freshclam reload it and the ign.

-J

On Tue, May 17, 2016 at 2:02 PM, David Raynor <draynor at sourcefire.com>
wrote:

> If you run clamscan with "--debug" it will tell you which files it is
> loading, even the files inside a cvd or cld file. It will also remark about
> which signatures it skips when loading.
>
> You should see these lines within your debug output:
>
> ...
> LibClamAV debug: daily.ign2 loaded
> ...
> LibClamAV debug: /var/lib/clamav/daily.cld loaded
> ...
> LibClamAV debug: Ignoring signature Win.Trojan.Trojan-605
> ...
> LibClamAV debug: main.ndb loaded
> ...
>
> Which of these rows you see is going to be affected by the contents of your
> database, but this is what I see with an up-to-date daily and main.cvd. The
> signature is in the latest main. The ignore is set in the latest daily
> (21562) and has been for weeks. Once you get to a fresh enough daily it
> will have the ignore set. If there is something else going on that is
> preventing clamscan from loading that daily.cld (e.g. file permissions,
> path difference) that would be the culprit.
>
> Hope this helps,
>
> Dave R.
>
>
> On Tue, May 17, 2016 at 4:33 PM, Jason J. W. Williams <
> jasonjwwilliams at gmail.com> wrote:
>
> > Yessir:
> >
> > # sigtool -u /var/lib/clamav/daily.cld
> >
> > # grep -i 'Win.Trojan.Trojan-605' daily.ign
> > main:42:Win.Trojan.Trojan-605
> >
> > On Tue, May 17, 2016 at 1:25 PM, Alain Zidouemba <
> > azidouemba at sourcefire.com>
> > wrote:
> >
> > > $ sigtool -u /usr/local/share/clamav/daily.cld
> > >
> > > $ grep -i 'Win.Trojan.Trojan-605' daily.ign
> > > main:42:Win.Trojan.Trojan-605
> > >
> > >
> > > Same on your end?
> > >
> > > - Alain
> > >
> > > On Tue, May 17, 2016 at 4:22 PM, Jason J. W. Williams <
> > > jasonjwwilliams at gmail.com> wrote:
> > >
> > > > We do.
> > > >
> > > > -J
> > > >
> > > > On Tue, May 17, 2016 at 1:13 PM, Alain Zidouemba <
> > > > azidouemba at sourcefire.com>
> > > > wrote:
> > > >
> > > > > Jason:
> > > > >
> > > > > Do you have both main.cvd and daily.cvd? Win.Trojan.Trojan-605 was
> > > > > dropped several weeks ago, but would only be reflected in your installation
> > > > > if you have both main.cvd and daily.cvd. Please confirm.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > - Alain
> > > > >
> > > > >
> > > > >
> > > > > On Tue, May 17, 2016 at 4:11 PM, Jason J. W. Williams <
> > > > > jasonjwwilliams at gmail.com> wrote:
> > > > >
> > > > > > No ClamAV 0.98.7.
> > > > > >
> > > > > > -J
> > > > > >
> > > > > > On Mon, May 16, 2016 at 11:25 PM, Al Varnell <alvarnell at mac.com> wrote:
> > > > > >
> > > > > > > I’m unable to replicate your findings:
> > > > > > >
> > > > > > > ~/Downloads/2016-05-16/eicar.txt: Eicar-Test-Signature FOUND
> > > > > > >
> > > > > > > Taking a look at the current daily.cld I see entries in both ignore
> > > > > > > sections:
> > > > > > >
> > > > > > > daily.ign    1374    002516
> > > > > > > fake:1:Dont_remove_this_line
> > > > > > > ...
> > > > > > > main:42:Win.Trojan.Trojan-605
> > > > > > >
> > > > > > > daily.ign2   1072    002573
> > > > > > > fake_dont_remove_this_line
> > > > > > > ...
> > > > > > > Win.Trojan.Trojan-605
> > > > > > >
> > > > > > > I wonder if it’s engine specific?  Are you using 0.99.x?
> > > > > > >
> > > > > > > -Al-
> > > > > > >
> > > > > > > On Mon, May 16, 2016 at 01:45 PM, Jason J. W. Williams wrote:
> > > > > > > >
> > > > > > > > Looks like EICAR is getting classified as Win.Trojan.Trojan-605 again
> > > > > > > > (daily 21557).
> > > > > > > >
> > > > > > > > https://gist.github.com/williamsjj/b8104402e80f44475df5
> > > > > > > >
> > > > > > > > -J
> > > > > > > >
> > > > > > > > On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarnell at mac.com> wrote:
> > > > > > > >
> > > > > > > >> The new database was just made available, so I recommend you hold off
> > > > > > > >> until you have the new main.cvd v57 and daily.cvd v21466 before getting too
> > > > > > > >> excited about this.
> > > > > > > >>
> > > > > > > >> -Al-
> > > > > > > >>
> > > > > > > >> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> > > > > > > >>>
> > > > > > > >>> As of the latest daily update, running ClamAV against the EICAR test
> > > > > > > >>> string reports Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
> > > > > > > >>>
> > > > > > > >>> -J
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Help us build a comprehensive ClamAV guide:
> > > > > > > https://github.com/vrtadmin/clamav-faq
> > > > > > >
> > > > > > > http://www.clamav.net/contact.html#ml
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
>
>
> --
> ---
> Dave Raynor
> Talos Security Intelligence and Research Group
> draynor at sourcefire.com
>
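The check the thread converges on (unpack daily.cld with `sigtool -u`, grep the ignore lists for the signature name, then run `clamscan --debug` on EICAR and look for the "Ignoring signature" line) is written out below as an added example; it is not code from the thread or from the ClamAV project. It assumes the two ignore-list line formats exactly as quoted in Al's and Alain's messages (`<db>:<line>:<name>` in daily.ign, bare names in daily.ign2), a default database directory of /var/lib/clamav (Jason's path), and a CLAMAV_DB_DIR environment variable of my own for overriding it. The sample ignore-list text is constructed so the parsing part runs without ClamAV installed; the live part runs only when sigtool and clamscan are on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread or the ClamAV project): check whether a
# signature name is suppressed by the ignore lists that ship inside daily.cld,
# first offline against constructed sample data, then (if sigtool and clamscan
# are installed) against the real database directory, the way the thread does.

# Constructed sample of the two ignore-list formats quoted in the thread:
#   daily.ign  lines look like  <database>:<line>:<signature name>
#   daily.ign2 lines carry only <signature name>
SAMPLE_IGN='fake:1:Dont_remove_this_line
main:42:Win.Trojan.Trojan-605'
SAMPLE_IGN2='fake_dont_remove_this_line
Win.Trojan.Trojan-605'

# is_ignored NAME IGN_TEXT IGN2_TEXT
# Prints which list suppresses NAME ("ign", "ign2" or "none"); exit 0 if suppressed.
# Matching is on the whole name field, so Trojan-605 does not match Trojan-6050.
is_ignored() {
  name=$1
  if printf '%s\n' "$2" | awk -F: -v n="$name" '$3 == n { f = 1 } END { exit !f }'; then
    echo ign; return 0
  fi
  if printf '%s\n' "$3" | awk -v n="$name" '$0 == n { f = 1 } END { exit !f }'; then
    echo ign2; return 0
  fi
  echo none; return 1
}

# check_live NAME [DBDIR]
# Unpacks the installed daily database with `sigtool -u` (as Alain and Jason did),
# greps the unpacked ignore lists for NAME, then scans the EICAR test string with
# `clamscan --debug` and keeps the lines showing the ignore being applied and the
# verdict. DBDIR defaults to /var/lib/clamav (Jason's path; an assumption).
check_live() {
  name=$1
  dbdir=${2:-/var/lib/clamav}
  if ! command -v sigtool >/dev/null 2>&1 || ! command -v clamscan >/dev/null 2>&1; then
    echo "sigtool/clamscan not installed; skipping live check"
    return 2
  fi
  db=""
  for cand in daily.cld daily.cvd; do      # freshclam leaves one or the other
    if [ -f "$dbdir/$cand" ]; then db="$dbdir/$cand"; break; fi
  done
  if [ -z "$db" ]; then
    echo "no daily database found in $dbdir"
    return 2
  fi
  tmp=$(mktemp -d) || return 2
  if ! (cd "$tmp" && sigtool -u "$db" >/dev/null 2>&1); then
    echo "sigtool -u $db failed"; rm -rf "$tmp"; return 2
  fi
  echo "ignore-list entries for $name in $db:"
  grep -F -H -- "$name" "$tmp/daily.ign" "$tmp/daily.ign2" 2>/dev/null || echo "  (none)"
  # The standard EICAR test string: harmless, but any scanner will flag the file.
  printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$tmp/eicar.txt"
  echo "clamscan --debug on the EICAR file:"
  clamscan --debug --no-summary "$tmp/eicar.txt" 2>&1 \
    | grep -E "Ignoring signature $name|FOUND" || true
  rm -rf "$tmp"
}

# Offline run on the constructed sample, then the live check when the tools exist.
is_ignored Win.Trojan.Trojan-605 "$SAMPLE_IGN" "$SAMPLE_IGN2"
check_live Win.Trojan.Trojan-605 "${CLAMAV_DB_DIR:-/var/lib/clamav}" || true
```

With an up-to-date daily the live part should print the `main:42:Win.Trojan.Trojan-605` entry, a `LibClamAV debug: Ignoring signature Win.Trojan.Trojan-605` line, and `Eicar-Test-Signature FOUND`; if the grep of the unpacked daily.ign finds the entry but the debug output never shows the ignore, the running clamscan is loading a different daily than the one you unpacked (path or permissions), which is exactly the case Dave describes.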