[clamav-users] clamscan/clamdscan with -z option

Micah Snyder (micasnyd) micasnyd at cisco.com
Thu Feb 14 19:46:30 UTC 2019 

Paul,

You may be seeing cases where a signature match of the raw file also matches the file after it has been:
* normalized (for html or other text files)
* extracted (eg uncompressed archives or archives where compression has little effect)
* or otherwise parsed (eg where a signature written to match on a subcomponent/buffer in the file and the signature also matches on the whole file because it is very lenient about the offset).

Is there a particular problem with seeing duplicate matches on a file?

-Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
 

On 2/14/19, 2:09 PM, "clamav-users on behalf of Kris Deugau" <clamav-users-bounces at lists.clamav.net on behalf of kdeugau at vianet.ca> wrote:

    Paul wrote:
    > Hi
    > 
    > I have been looking at using the -z option on either clamdscan or 
    > clamscan and stumbled onto some odd behavior.
    > 
    > This is with version 101.1. 101.0 also behaves the same.
    
    
    > Take 2 paultest-010E110713-000 is constructed from test/clam.mail with 
    > the addition of a line of text to the text/plain part of clam.mail which 
    > triggers SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
    > 
    > paule at larch:~# clamscan  -z /var/lib/quarantine/paultest-010E110713-000
    > /var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
    > /var/lib/quarantine/paultest-010E110713-000: 
    > SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
    > /var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
    > /var/lib/quarantine/paultest-010E110713-000: 
    > SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
    
    
    > Anyway to prevent the duplicate signature hits being displayed.
    
            -z, --allmatch
                   After a match, continue scanning within the file for 
    additional matches.
    
    .... don't use -z?  There's no way I know of to specify which signature 
    takes precedence during a single scan, so if you're continuing after 
    you've found a match, I would call it reasonable that you also want to 
    know all of the signatures that matched.  If you only want to report one 
    signature, then continuing to scan the file seems to be a waste.
    
    If you want to separately report hits from subsets of signatures, you'll 
    probably need to store them in different directories, and use the -d option:
    
            -d FILE/DIR, --database=FILE/DIR
                   Load virus database from FILE or load all virus database 
    files from DIR.
    
    to run multiple, independent scans with each subset of signatures.  This 
    way you can pick which set to check in which order, and skip further 
    processing as desired based on the results.
    
    -kgd
    _______________________________________________
    clamav-users mailing list
    clamav-users at lists.clamav.net
    http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
    
    
    Help us build a comprehensive ClamAV guide:
    https://github.com/vrtadmin/clamav-faq
    
    http://www.clamav.net/contact.html#ml

More information about the clamav-users mailing list