[clamav-users] clamscan/clamdscan with -z option
Paul
paul at netpresto.co.uk
Thu Feb 14 20:31:49 UTC 2019
Hi Micah
I can code to handle this but basing handling code on "appears to"
behaviour is far from an ideal start.
The multiple matches on test/clam.mail from the clamav 101.1 sources
with Clamav.Test.File-6 reported twice sure looks like a bug to me.
Regards Paul
On 14/02/2019 19:46, Micah Snyder (micasnyd) wrote:
> Paul,
>
> You may be seeing cases where a signature match of the raw file also matches the file after it has been:
> * normalized (for html or other text files)
> * extracted (eg uncompressed archives or archives where compression has little effect)
> * or otherwise parsed (eg where a signature written to match on a subcomponent/buffer in the file and the signature also matches on the whole file because it is very lenient about the offset).
>
> Is there a particular problem with seeing duplicate matches on a file?
>
> -Micah
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
> On 2/14/19, 2:09 PM, "clamav-users on behalf of Kris Deugau" <clamav-users-bounces at lists.clamav.net on behalf of kdeugau at vianet.ca> wrote:
>
> Paul wrote:
> > Hi
> >
> > I have been looking at using the -z option on either clamdscan or
> > clamscan and stumbled onto some odd behavior.
> >
> > This is with version 101.1. 101.0 also behaves the same.
>
>
> > Take 2: paultest-010E110713-000 is constructed from test/clam.mail with
> > the addition of a line of text to the text/plain part of clam.mail which
> > triggers SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
> >
> > paule at larch:~# clamscan -z /var/lib/quarantine/paultest-010E110713-000
> > /var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
> > /var/lib/quarantine/paultest-010E110713-000: SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
> > /var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
> > /var/lib/quarantine/paultest-010E110713-000: SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
>
>
> > Any way to prevent the duplicate signature hits being displayed?
>
> -z, --allmatch
> After a match, continue scanning within the file for
> additional matches.
>
> .... don't use -z? There's no way I know of to specify which signature
> takes precedence during a single scan, so if you're continuing after
> you've found a match, I would call it reasonable that you also want to
> know all of the signatures that matched. If you only want to report one
> signature, then continuing to scan the file seems to be a waste.
>
> If you want to separately report hits from subsets of signatures, you'll
> probably need to store them in different directories, and use the -d option:
>
> -d FILE/DIR, --database=FILE/DIR
> Load virus database from FILE or load all virus database
> files from DIR.
>
> to run multiple, independent scans with each subset of signatures. This
> way you can pick which set to check in which order, and skip further
> processing as desired based on the results.
>
> -kgd
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
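The two approaches discussed in the thread, as an added example that is not part of the thread and not code from the ClamAV project: a filter that collapses the repeated "<file>: <signature> FOUND" lines that clamscan -z / clamdscan -z emit for one file (Paul's "I can code to handle this"), and a wrapper that runs one clamscan per signature directory with -d, in a chosen order, and stops at the first set that reports a hit (Kris's suggestion). The sample scanner output is constructed from the lines in the thread, with each hit on a single line as clamscan actually prints it; the database directories and file names in the usage comments are hypothetical. It assumes the documented clamscan return codes (0 clean, 1 infected, 2 error), the real -d, --no-summary and --infected options, and that ClamAV signature names contain no whitespace.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ClamAV project.
#   dedupe_found       - collapse repeated "<file>: <sig> FOUND" lines from -z
#   scan_by_precedence - one clamscan per signature directory (-d), in order,
#                        stopping at the first set that reports a hit
# Assumptions: clamscan exit codes 0 = clean, 1 = infected, 2 = error, and
# signature names contain no whitespace (true for ClamAV databases).

# Constructed sample of clamscan -z output, modelled on the thread. Each hit
# is one line in real output (the thread's copy was wrapped by the mailer).
# The third path deliberately contains ": " to show the split still works.
SAMPLE_SCAN_OUTPUT='/var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
/var/lib/quarantine/paultest-010E110713-000: SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
/var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
/var/lib/quarantine/paultest-010E110713-000: SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
/var/lib/quarantine/odd: name.eml: Clamav.Test.File-6 FOUND
/var/lib/quarantine/clean.eml: OK

----------- SCAN SUMMARY -----------
Infected files: 2'

# dedupe_found: stdin -> stdout. Prints each (file, signature) pair once, in
# first-seen order. Lines not ending in " FOUND" (OK, summary) are dropped.
dedupe_found() {
    awk '
        / FOUND$/ {
            sig  = $(NF - 1)                                     # no spaces in sig
            path = substr($0, 1, length($0) - length(sig) - 8)   # strip ": <sig> FOUND"
            key  = path SUBSEP sig
            if (!(key in seen)) { seen[key] = 1; print }
        }'
}

# unique_found_count: stdin -> number of distinct (file, signature) hits.
unique_found_count() {
    dedupe_found | awk 'END { print NR }'
}

# Scanner command; override with CLAMSCAN=... (the test below uses a fake).
CLAMSCAN=${CLAMSCAN:-clamscan}

# scan_by_precedence TARGET DBDIR... : scan TARGET once per signature
# directory, in the order given, and stop at the first directory whose scan
# reports a hit. Prints "<dbdir>: <file>: <sig> FOUND" for that set only.
# Returns 1 if something matched, 0 if every set was clean, 2 on scanner error.
scan_by_precedence() {
    target=$1
    shift
    for dbdir in "$@"; do
        out=$("$CLAMSCAN" -d "$dbdir" --no-summary --infected "$target") && rc=0 || rc=$?
        case $rc in
            0) continue ;;
            1) printf '%s\n' "$out" | dedupe_found | while IFS= read -r hit; do
                   printf '%s: %s\n' "$dbdir" "$hit"
               done
               return 1 ;;
            *) printf 'scan error in %s (rc=%s)\n' "$dbdir" "$rc" >&2
               return 2 ;;
        esac
    done
    return 0
}

# Stand-alone demonstration on the constructed sample (prints 3 lines):
printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | dedupe_found
# Real use, paths hypothetical:
#   clamscan -z --no-summary "$file" | dedupe_found
#   scan_by_precedence "$file" /var/lib/clamav-malware /var/lib/clamav-spam
```

dedupe_found keeps the first occurrence of each pair, so the order in which clamscan reports signatures is preserved; scan_by_precedence is where a precedence policy lives, since ClamAV itself has no option to rank signatures within one scan.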