[clamav-users] Failing eicarcom2.zip test after recent DB update

Al Varnell alvarnell at mac.com
Wed Feb 12 10:38:00 UTC 2020


Today's daily-2572 update drops the Osx.Malware.Agent-1714718 signature. That would seem to mean that ClamAV will no longer detect an eicar test file.

-Al-
ClamXAV User

On Mon, Feb 10, 2020 at 08:58 PM, Al Varnell wrote:
> Yes, I think we all knew most of that from the OP. Is "Sample ID 33522083" an internal reference number of some sort and exactly what is being researched?
> 
> I think the only question remaining is why is the "Eicar-Test-Signature" now being ignored?
> 
> -Al-
> 
> On Mon, Feb 10, 2020 at 11:01 AM, David Raynor wrote:
>> So the "testfile" is Sample ID 33522083, which is 44d88612fea8a8f36de82e1278abb02f and 68 bytes. Researching.
>> 
>> Dave R.
>> 
>> On Sat, Feb 8, 2020 at 1:57 AM Al Varnell via clamav-users <clamav-users at lists.clamav.net> wrote:
>> A bit of a guess on my part, but since the hash values for both signatures are identical, normally only the first one encountered would be reported.
>> 
>> Looks like daily-25717 added one signature to the ignore list, which is where my guess that it was “Eicar-Test-Signature” comes in. That would cause the second signature to be the one now reported.
>> 
>> Maybe the signature staff can comment on if and why Eicar is now ignored and if it is allowed to continue perhaps you’ll need to modify your code tests somehow.
>> 
>> Sent from my iPad
>> 
>> -Al-
>> 
>> > On Feb 7, 2020, at 22:44, WagdeZ via clamav-users <clamav-users at lists.clamav.net> wrote:
>> > 
>> > 
>> > The eicarcom2.zip was always identified with:
>> > LibClamAV debug: FP SIGNATURE: 44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
>> > but for some reason after the last DB update:
>> > main.cvd is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
>> > daily.cvd is up to date (version: 25717, sigs: 2177826, f-level: 63, builder: raynman)
>> > bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
>> > it is recognized as:
>> > LibClamAV debug: FP SIGNATURE: 44d88612fea8a8f36de82e1278abb02f:68:Clamav.Test.File-7
>> > and it causes some failure in my code tests
>> > What am I missing?

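The first-match and ignore-list behaviour Al describes, as an added example (not ClamAV's own code and not from the thread): a small matcher over hash signatures in ClamAV's MD5:size:name layout. The signature lines and the ignore set are constructed for the example; the EICAR test string and its MD5 and size are the well-known values quoted in the debug output above.

```python
import hashlib

# Constructed hash-signature database in ClamAV .hdb style (MD5:size:name),
# listed in the order the thread describes: two entries, identical hash and size.
HDB = """\
44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
44d88612fea8a8f36de82e1278abb02f:68:Clamav.Test.File-7
"""

# The well-known 68-byte EICAR test string, assembled from two halves so that
# this source file is not itself a bare EICAR test file.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def parse_hdb(text):
    """Parse MD5:size:name lines into (md5, size, name) tuples, keeping file order."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, name = line.split(":", 2)
        sigs.append((md5.lower(), int(size), name))
    return sigs


def match_hash(data, sigs, ignored=frozenset()):
    """Return the name of the first signature whose MD5 and size match `data`.

    `ignored` plays the role of an ignore list keyed by signature name: an
    ignored entry is skipped, so the next identical hash entry is reported.
    Returns None when nothing matches.
    """
    digest = hashlib.md5(data).hexdigest()
    for md5, size, name in sigs:
        if name in ignored:
            continue
        if md5 == digest and size == len(data):
            return name
    return None


if __name__ == "__main__":
    sigs = parse_hdb(HDB)
    print("no ignore list :", match_hash(EICAR, sigs))
    print("Eicar ignored  :", match_hash(EICAR, sigs, {"Eicar-Test-Signature"}))
    print("other bytes    :", match_hash(b"not the test file", sigs))
```

Running it prints Eicar-Test-Signature first, then Clamav.Test.File-7 once the first name is ignored, which is the change in the reported name that the original post observed.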
