[clamav-users] VIRUS ({HEX}EICAR.TEST.10.UNOFFICIAL) in mail FROM [198.148.79.53]
Matthew Molyett
mmolyett at sourcefire.com
Tue Oct 3 14:49:47 UTC 2017
A slight tangent, which I bring up since I have seen it discussed on
Twitter: Clam AV will erroneously trigger on some specific EICAR false
positives due to file normalization. The example that was being discussed
at that time was a whitespace prepended file. Since the EICAR string is all
printable text, it can be the output of a File Type 7 scan.
As such clamscan will detect on some corner case files that it should not,
but not on cases like the email being discussed here.
The industry was discussing the poor EICAR triggering because solutions
that falsely flag such emails might also destroy important files such as
web logs if the string is injected there.
On Tue, Oct 3, 2017 at 10:40 AM, Anssi Johansson <clamav at miuku.net> wrote:
> Ralph Seichter kirjoitti 3.10.2017 klo 17.33:
>
>> A virus was found: {HEX}EICAR.TEST.10.UNOFFICIAL
>>>
>>> First upstream SMTP client IP address: [198.148.79.53]:24855
>>> lists.clamav.net
>>> Received from: 198.148.79.53 < 127.0.0.1 < 204.29.186.62 < 172.26.252.15
>>> <
>>> 10.76.1.211 < 149.32.192.35
>>>
>>> Return-Path: <clamav-users-bounces at lists.clamav.net>
>>> From: Nymblewyke <nymblewyke at compuserve.com>
>>> Sender: "clamav-users" <clamav-users-bounces at lists.clamav.net>
>>> Message-ID: <15ee2954485-c0d-126e at webjas-vac032.srv.aolmail.net>
>>> Subject: Re: [clamav-users] EICAR file problems
>>>
>>
>> Sending virus samples (including EICAR) to public mailing lists is
>> problematic. The lists are not testing grounds, and it can quickly
>> earn you a blacklisting with various recipient organisations.
>>
>
> I agree, I understood this a few seconds after I sent my message. My
> apologies.
>
> On the other hand, if your virus scanner detected EICAR from my message, I
> dare to say that it is broken. http://www.eicar.org/86-0-Intended-use.html
> says ".. should detect it in any file providing that the file starts with
> the following 68 characters, and is exactly 68 bytes long". The message did
> not start with the EICAR string, and the message certainly wasn't 68 bytes
> long.
>
> For reference, clamscan does not detect EICAR in these messages, and
> rightly so.
>
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
--
Matthew Molyett
Malware Researcher
mmolyett at cisco.com
Phone: (410) 309-4834
Mobile: (410) 674-2049
Cisco.com - http://www.cisco.com
This email may contain confidential and privileged material for the sole
use of the intended recipient. Any review, use, distribution or disclosure
by others is strictly prohibited. If you are not the intended recipient (or
authorized to receive for the recipient), please contact the sender by
reply email and delete all copies of this message.
For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html
More information about the clamav-users
mailing list