[clamav-users] Odd behavior when scanning eicar test files

Haukur Valgeirsson haukurv at 1984.is
Mon Apr 26 15:04:55 UTC 2021


Sorry, adding more details for reproducibility.

My original idea was to use maldet, which uses clamscan so whitelisting 
and path exclusions need to happen in clamav, they don't seem to be 
passed on to clamscan.

Environment: 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) 
x86_64 GNU/Linux

The script clamcars.sh (attached) downloads, whitelists, scans and puts 
the results in "result_<filename>" for each of the eicar files. I can 
repeat with debug output redirected into the file if it helps.

I am using "clamscan" (used apt-get install clamav) not the daemon 
(clamdscan), so I do not seem to have clamconf:

# clamscan --version
ClamAV 0.103.2/26152/Mon Apr 26 06:04:28 2021

Would it help you to look into this if I installed the daemon scanner 
and repeated the test?

The only config I was able to locate is below.

Thanks.

Haukur


====

# cat /etc/clamav/freshclam.conf
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net


On 26.4.2021 13:42, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Mon, 26 Apr 2021, Haukur Valgeirsson via clamav-users wrote:
>
>> I am setting up daily scanning and was figuring out how to whitelist 
>> based on file signatures, and decided to use the eicar test files to 
>> tune the settings.  Used 'sigtool --md5 eicarcom2.zip > 
>> falsepossigs.fp' to create the sig to whitelist and proceeded to run 
>> test scans and the results were a little surprising:
>
> Given your description of what you did I'd struggle to reproduce it.
> Please give full details of how you are running the scans, the exact
> unaltered output as you see it, and the output of 'clamconf -n'.
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: clamcars.sh
Type: application/x-shellscript
Size: 600 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20210426/ff0597e2/attachment.bin>
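As an added illustration of the whitelisting step discussed in this thread (not code from the original post or from the ClamAV project), the script below reproduces what `sigtool --md5 <file> > falsepossigs.fp` writes, namely one `MD5:Size:Name` line per file (the layout of ClamAV's `.fp` false-positive database), and then checks candidate file contents against the parsed entries. The sample bytes, the `fp_entry`, `parse_fp`, `is_whitelisted` and `demo` names are constructed for the example. Its purpose is to show the property that matters when tuning such a whitelist: a hash entry covers only a byte-for-byte identical file of the same size, so a re-zipped or otherwise altered copy is not covered. For real deployments, generate the entries with `sigtool` itself and keep the `.fp` file in the database directory where `clamscan` loads it.

```python
import hashlib
from typing import Dict, Iterable, Set, Tuple

# Constructed sample content standing in for eicarcom2.zip; not the real file.
SAMPLE_FILE = b"constructed sample archive bytes for the whitelist demo\n"


def fp_entry(data: bytes, name: str) -> str:
    """Build one ClamAV .fp (false-positive whitelist) line for `data`.

    Assumption: the line layout is MD5:Size:Name, which is what
    `sigtool --md5 <file>` prints and what the .fp database expects.
    """
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def parse_fp(lines: Iterable[str]) -> Set[Tuple[str, int]]:
    """Parse .fp lines into (md5, size) pairs.

    Blank lines and '#' comments are skipped so a hand-edited file still loads.
    """
    entries: Set[Tuple[str, int]] = set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, _name = line.split(":", 2)
        entries.add((md5.lower(), int(size)))
    return entries


def is_whitelisted(data: bytes, entries: Set[Tuple[str, int]]) -> bool:
    """True when the MD5 and the exact size of `data` match a whitelist entry.

    A hash whitelist matches the whole file byte-for-byte: a copy that is
    re-zipped, re-encoded or differs by a single byte is not covered.
    """
    return (hashlib.md5(data).hexdigest(), len(data)) in entries


def demo() -> Dict[str, object]:
    """Write a whitelist entry for the sample file and test exact vs. altered copies."""
    fp_text = fp_entry(SAMPLE_FILE, "eicarcom2.zip")
    entries = parse_fp([fp_text, "# comment line", ""])
    return {
        "entry": fp_text,
        "exact": is_whitelisted(SAMPLE_FILE, entries),
        # One appended byte changes both the digest and the size field.
        "modified": is_whitelisted(SAMPLE_FILE + b"\n", entries),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the generated `.fp` line, `exact: True` and `modified: False`; the second result is the reason a whitelist built from one test archive will not silence detections on any differently packaged copy of the same content.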

