[clamav-users] Odd behavior when scanning eicar test files

Haukur Valgeirsson haukurv at 1984.is
Mon Apr 26 13:08:30 UTC 2021


Hi.

I am setting up daily scanning and was figuring out how to whitelist 
based on file signatures, and decided to use the eicar test files to 
tune the settings.  Used 'sigtool --md5 eicarcom2.zip > falsepossigs.fp' 
to create the sig to whitelist and proceeded to run test scans and the 
results were a little surprising:

eicar.com: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
eicarcom2.zip: OK * whitelisted
eicar.com.txt: OK * by association? but why not 'eicar.com' too then?
eicar_com.zip: OK * by association?

This got me scratching my head: whitelisting the double-zipped 
'eicar.com' caused the zipped one and the 'eicar.com.txt' to be 
whitelisted by association somehow, but not the raw 'eicar.com' file 
(which is identical to 'eicar.com.txt' except for the name)?

I decided to test further and whitelisted the 'eicar.com' file itself 
and scanned again. Now the results were predictable: the 'eicar.com.txt' 
also got whitelisted (as it has the same md5):

eicar.com: OK * whitelisted
eicarcom2.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
eicar.com.txt: OK * makes sense, same md5 sum
eicar_com.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND

To round this experiment off I then whitelisted the single zipped file 
and the results were:

eicar.com: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
eicarcom2.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
eicar.com.txt: OK * by association? but why not 'eicar.com' too then?
eicar_com.zip: OK * whitelisted

Is this supposed to behave like this? I find it a little strange to 
whitelist files based on checksums if a whitelisted archive contains 
that file. Is there maybe some config setting or flag that controls this 
behavior that I missed?

Thanks beforehand

Haukur
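An added example, not from the original post or from the ClamAV project: a small shell script that builds `.fp` whitelist entries in the same `MD5:Size:Name` layout that `sigtool --md5 FILE` prints, using `md5sum` and `wc` instead of `sigtool`, and checks which files would hit the same entry. It assumes GNU coreutils; the `clamscan` call at the end only runs if `clamscan` is installed, and `/var/lib/clamav` is an assumption about where the main signature database lives on the host. The sample files are constructed (not the EICAR string itself).

```shell
#!/bin/sh
# Added example (not ClamAV's own code): build ClamAV .fp whitelist entries
# without sigtool, in the MD5:Size:Name layout 'sigtool --md5 FILE' prints,
# and show which files share a hash. Assumes GNU coreutils (md5sum, wc).

# fp_entry FILE [NAME] -> prints "md5:size:name" (name defaults to basename)
fp_entry() {
    file=$1
    name=${2:-$(basename "$file")}
    md5=$(md5sum "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$name"
}

# fp_build DB FILE... -> writes one entry per file into DB (name it *.fp)
# and prints the number of entries written
fp_build() {
    db=$1; shift
    : > "$db"
    for f in "$@"; do
        fp_entry "$f" >> "$db"
    done
    wc -l < "$db" | tr -d ' '
}

# same_hash A B -> exit 0 if both files would match the same .fp entry
# (the entry keys on md5 and size only; the file name is irrelevant)
same_hash() {
    a=$(fp_entry "$1" x | cut -d: -f1,2)
    b=$(fp_entry "$2" x | cut -d: -f1,2)
    [ "$a" = "$b" ]
}

# Demo on constructed sample files, not the EICAR test string.
demo() {
    d=$(mktemp -d)
    printf 'hello whitelist\n' > "$d/sample.com"
    cp "$d/sample.com" "$d/sample.com.txt"      # same bytes, different name
    printf 'different content\n' > "$d/other.com"
    fp_build "$d/falsepossigs.fp" "$d/sample.com" "$d/other.com" > /dev/null
    cat "$d/falsepossigs.fp"
    if same_hash "$d/sample.com" "$d/sample.com.txt"; then
        echo "sample.com.txt would be whitelisted by the sample.com entry"
    fi
    # Passing -d replaces the default database directory, so the main
    # database has to be given again alongside the .fp file.
    # /var/lib/clamav is an assumed location.
    if command -v clamscan > /dev/null 2>&1; then
        clamscan -d "$d/falsepossigs.fp" -d /var/lib/clamav "$d"
    fi
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run with `sh script.sh --demo`. The point the `same_hash` check makes is that a `.fp` entry whitelists by content hash and size only, which is why a renamed copy such as `eicar.com.txt` follows `eicar.com` once the latter is whitelisted.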