[clamav-users] Odd behavior when scanning eicar test files

Haukur Valgeirsson haukurv at 1984.is
Tue Apr 27 09:54:18 UTC 2021


Hi again.

Now I am getting really confused. I repeated the tests but now scanning 
the eicar files in different directories in the same scan. I compiled 
the file list into a file that I read into an array in bash and pass to 
clamscan. The results differ between directories, even if the files in 
them are identical (confirmed with diff).

The modified script is attached (clamcars2.sh); the file read in 
(testfiles.txt) is just a list of full paths to the files. The results 
are in clamscan_eicar_test.txt; each part begins with the name of the file 
whose md5 sum was whitelisted.

Any help very much appreciated!

Best regards,

Haukur

On 26.4.2021 15:30, Haukur Valgeirsson via clamav-users wrote:
>
> Uhm... now this is strange.
>
> When I run the script I wrote, it behaves as one would expect (md5 sum 
> must match the file, md5 from eicar.com covers eicar.com.txt too, but 
> not the zips and the md5 from zips only covers the zip that it was 
> generated from).
>
> Then I reran with the falsepos file only containing the md5 sum from 
> eicarcom2.zip
>
> # cat /var/lib/clamav/maldet_ignore_sigs.fp
> e4968ef99266df7c9a1f0637d2389dab:308:eicarcom2.zip
>
> Then it seems to whitelist eicar.com as well as itself???
>
> # clamscan .
> When run /usr/local/maldetect/testfolder/clamcars.sh: OK
> /usr/local/maldetect/testfolder/eicar.com.txt: 
> {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
> /usr/local/maldetect/testfolder/eicar_com.zip: 
> {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
> /usr/local/maldetect/testfolder/eicarcom2.zip: OK
> /usr/local/maldetect/testfolder/eicar.com: OK
> /usr/local/maldetect/testfolder/result_eicar.com: OK
> /usr/local/maldetect/testfolder/result_eicar.com.txt: OK
> /usr/local/maldetect/testfolder/result_eicar_com.zip: OK
> /usr/local/maldetect/testfolder/result_eicarcom2.zip: OK
> /usr/local/maldetect/testfolder/.clamcars.sh.swp: OK
>
> ----------- SCAN SUMMARY -----------
>
> Known viruses: 8539062
> Engine version: 0.103.2
> Scanned directories: 1
> Scanned files: 10
> Infected files: 2
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 42.336 sec (0 m 42 s)
> Start Date: 2021:04:26 10:14:50
> End Date:   2021:04:26 10:15:33
>
>
> and just to test again, I scan another folder, only containing the 
> eicar files:
>
> # ll /home/haukurv/www/testfiles
> total 16
> -rw-r--r-- 1 haukurv haukurv  68 Apr 26 05:30 eicar.com
> -rw-r--r-- 1 haukurv haukurv 308 Apr 26 05:30 eicarcom2.zip
> -rw-r--r-- 1 haukurv haukurv  68 Apr 26 05:30 eicar.com.txt
> -rw-r--r-- 1 haukurv haukurv 184 Apr 26 05:30 eicar_com.zip
>
>
> # clamscan /home/haukurv/www/testfiles
> /home/haukurv/www/testfiles/eicar.com: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
> /home/haukurv/www/testfiles/eicarcom2.zip: OK
> /home/haukurv/www/testfiles/eicar.com.txt: OK
> /home/haukurv/www/testfiles/eicar_com.zip: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8539062
> Engine version: 0.103.2
> Scanned directories: 1
> Scanned files: 4
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 32.812 sec (0 m 32 s)
> Start Date: 2021:04:26 10:29:16
> End Date:   2021:04:26 10:29:48
>
>
> I am getting a little bit confused here :-s
>
> reg. Haukur
>
>
> On 26.4.2021 15:04, Haukur Valgeirsson via clamav-users wrote:
>> Sorry, adding more details for reproducibility.
>>
>> My original idea was to use maldet, which uses clamscan so 
>> whitelisting and path exclusions need to happen in clamav, they don't 
>> seem to be passed on to clamscan.
>>
>> Environment: 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) 
>> x86_64 GNU/Linux
>>
>> The script clamcars.sh (attached) downloads, whitelists, scans and 
>> puts the results in "result_<filename>" for each of the eicar files. 
>> I can repeat with debug output redirected into the file if it helps.
>>
>> I am using "clamscan" (used apt-get install clamav) not the daemon 
>> (clamdscan), so I do not seem to have clamconf:
>>
>> # clamscan --version
>> ClamAV 0.103.2/26152/Mon Apr 26 06:04:28 2021
>>
>> Would it help you to look into this if I installed the daemon scanner 
>> and repeated the test?
>>
>> The only config I was able to locate is below.
>>
>> Thanks.
>>
>> Haukur
>>
>>
>> ====
>>
>> # cat /etc/clamav/freshclam.conf
>> # Automatically created by the clamav-freshclam postinst
>> # Comments will get lost when you reconfigure the clamav-freshclam 
>> package
>>
>> DatabaseOwner clamav
>> UpdateLogFile /var/log/clamav/freshclam.log
>> LogVerbose false
>> LogSyslog false
>> LogFacility LOG_LOCAL6
>> LogFileMaxSize 0
>> LogRotate true
>> LogTime true
>> Foreground false
>> Debug false
>> MaxAttempts 5
>> DatabaseDirectory /var/lib/clamav
>> DNSDatabaseInfo current.cvd.clamav.net
>> ConnectTimeout 30
>> ReceiveTimeout 0
>> TestDatabases yes
>> ScriptedUpdates yes
>> CompressLocalDatabase no
>> Bytecode true
>> NotifyClamd /etc/clamav/clamd.conf
>> # Check for new database 24 times a day
>> Checks 24
>> DatabaseMirror db.local.clamav.net
>> DatabaseMirror database.clamav.net
>>
>>
>> On 26.4.2021 13:42, G.W. Haywood via clamav-users wrote:
>>> Hi there,
>>>
>>> On Mon, 26 Apr 2021, Haukur Valgeirsson via clamav-users wrote:
>>>
>>>> I am setting up daily scanning and was figuring out how to 
>>>> whitelist based on file signatures, and decided to use the eicar 
>>>> test files to tune the settings. Used 'sigtool --md5 eicarcom2.zip 
>>>> > falsepossigs.fp' to create the sig to whitelist and proceeded to 
>>>> run test scans and the results were a little surprising:
>>>
>>> Given your description of what you did I'd struggle to reproduce it.
>>> Please give full details of how you are running the scans, the exact
>>> unaltered output as you see it, and the output of 'clamconf -n'.
>>>
>>
>>
>> _______________________________________________
>>
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: clamcars2.sh
Type: application/x-shellscript
Size: 624 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20210427/02bee143/attachment.bin>
-------------- next part --------------
./result_eicar.com

/home/haukurv/www/4443/index.nginx-debian.html: OK
/home/haukurv/www/4443/index.html: OK
/home/haukurv/www/4443/testfiles/eicar.com: OK
/home/haukurv/www/4443/testfiles/eicarcom2.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/home/haukurv/www/4443/testfiles/eicar.com.txt: OK
/home/haukurv/www/4443/testfiles/eicar_com.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/home/haukurv/www/html/index.nginx-debian.html: OK
/home/haukurv/www/html/index.html: OK
/home/haukurv/www/http/eicar.com: OK
/home/haukurv/www/http/eicar.com.txt: OK
/home/haukurv/www/http/eicar_com.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/home/haukurv/www/http/eicarcom2.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/home/haukurv/www/testfiles/eicar.com: OK
/home/haukurv/www/testfiles/eicarcom2.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/home/haukurv/www/testfiles/eicar.com.txt: OK
/home/haukurv/www/testfiles/eicar_com.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8539062
Engine version: 0.103.2
Scanned directories: 0
Scanned files: 16
Infected files: 6
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 39.017 sec (0 m 39 s)
Start Date: 2021:04:27 04:19:51
End Date:   2021:04:27 04:20:30


./result_eicar.com.txt

/home/haukurv/www/4443/index.nginx-debian.html: OK
/home/haukurv/www/4443/index.html: OK
/home/haukurv/www/4443/testfiles/eicar.com: OK
/home/haukurv/www/4443/testfiles/eicarcom2.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/home/haukurv/www/4443/testfiles/eicar.com.txt: OK
/home/haukurv/www/4443/testfiles/eicar_com.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/home/haukurv/www/html/index.nginx-debian.html: OK
/home/haukurv/www/html/index.html: OK
/home/haukurv/www/http/eicar.com: OK
/home/haukurv/www/http/eicar.com.txt: OK
/home/haukurv/www/http/eicar_com.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/home/haukurv/www/http/eicarcom2.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/home/haukurv/www/testfiles/eicar.com: OK
/home/haukurv/www/testfiles/eicarcom2.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/home/haukurv/www/testfiles/eicar.com.txt: OK
/home/haukurv/www/testfiles/eicar_com.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8539062
Engine version: 0.103.2
Scanned directories: 0
Scanned files: 16
Infected files: 6
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 33.673 sec (0 m 33 s)
Start Date: 2021:04:27 04:20:30
End Date:   2021:04:27 04:21:03


./result_eicar_com.zip

/home/haukurv/www/4443/index.nginx-debian.html: OK
/home/haukurv/www/4443/index.html: OK
/home/haukurv/www/4443/testfiles/eicar.com: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/home/haukurv/www/4443/testfiles/eicarcom2.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/home/haukurv/www/4443/testfiles/eicar.com.txt: OK
/home/haukurv/www/4443/testfiles/eicar_com.zip: OK
/home/haukurv/www/html/index.nginx-debian.html: OK
/home/haukurv/www/html/index.html: OK
/home/haukurv/www/http/eicar.com: OK
/home/haukurv/www/http/eicar.com.txt: OK
/home/haukurv/www/http/eicar_com.zip: OK
/home/haukurv/www/http/eicarcom2.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/home/haukurv/www/testfiles/eicar.com: OK
/home/haukurv/www/testfiles/eicarcom2.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/home/haukurv/www/testfiles/eicar.com.txt: OK
/home/haukurv/www/testfiles/eicar_com.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 8539062
Engine version: 0.103.2
Scanned directories: 0
Scanned files: 16
Infected files: 4
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 32.591 sec (0 m 32 s)
Start Date: 2021:04:27 04:21:03
End Date:   2021:04:27 04:21:36


./result_eicarcom2.zip

/home/haukurv/www/4443/index.nginx-debian.html: OK
/home/haukurv/www/4443/index.html: OK
/home/haukurv/www/4443/testfiles/eicar.com: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/home/haukurv/www/4443/testfiles/eicarcom2.zip: OK
/home/haukurv/www/4443/testfiles/eicar.com.txt: OK
/home/haukurv/www/4443/testfiles/eicar_com.zip: OK
/home/haukurv/www/html/index.nginx-debian.html: OK
/home/haukurv/www/html/index.html: OK
/home/haukurv/www/http/eicar.com: OK
/home/haukurv/www/http/eicar.com.txt: OK
/home/haukurv/www/http/eicar_com.zip: OK
/home/haukurv/www/http/eicarcom2.zip: OK
/home/haukurv/www/testfiles/eicar.com: OK
/home/haukurv/www/testfiles/eicarcom2.zip: OK
/home/haukurv/www/testfiles/eicar.com.txt: OK
/home/haukurv/www/testfiles/eicar_com.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 8539062
Engine version: 0.103.2
Scanned directories: 0
Scanned files: 16
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 34.754 sec (0 m 34 s)
Start Date: 2021:04:27 04:21:36
End Date:   2021:04:27 04:22:11
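Added example (not from the thread and not ClamAV's own code): it builds the md5:size:name line that 'sigtool --md5' writes into a .fp file, as quoted earlier in the thread, and works out which files a given .fp file should cover. The file names mirror the thread's test files but the contents are constructed sample bytes, not the EICAR string; a hash whitelist entry covers a file only when both its md5 and its size match, which is why the entry for eicar.com also covers the byte-identical eicar.com.txt but not the zips that merely contain it.

```python
import hashlib
import os
import tempfile

# Constructed sample contents (NOT the EICAR test string). The first two
# names carry identical bytes, as eicar.com and eicar.com.txt do; the third
# stands in for a zip whose bytes differ from the file it contains.
SAMPLES = {
    "eicar.com": b"CONSTRUCTED-SAMPLE-A\n" * 3,
    "eicar.com.txt": b"CONSTRUCTED-SAMPLE-A\n" * 3,
    "eicar_com.zip": b"PK\x03\x04" + b"CONSTRUCTED-SAMPLE-B\n" * 9,
}

def fp_entry(path):
    """Build the md5:size:name line that 'sigtool --md5 FILE' prints."""
    with open(path, "rb") as fh:
        data = fh.read()
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{os.path.basename(path)}"

def parse_fp(text):
    """Parse .fp lines into (md5, size) pairs; size None means the '*' wildcard."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, _name = line.split(":", 2)   # name field is informational
        entries.add((md5.lower(), None if size == "*" else int(size)))
    return entries

def expected_whitelist(fp_text, paths):
    """Map basename -> True if some .fp entry matches the file's md5 and size."""
    entries = parse_fp(fp_text)
    covered = {}
    for p in paths:
        with open(p, "rb") as fh:
            data = fh.read()
        digest = hashlib.md5(data).hexdigest()
        covered[os.path.basename(p)] = (digest, len(data)) in entries or (digest, None) in entries
    return covered

def demo():
    """Whitelist only eicar.com (the thread's first test) and report coverage."""
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, body in SAMPLES.items():
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(body)
            paths.append(p)
        return expected_whitelist(fp_entry(paths[0]) + "\n", paths)

if __name__ == "__main__":
    print(demo())
```

Comparing this expected coverage with what clamscan actually reports for the same files is a quick way to tell a whitelist-format mistake apart from engine behaviour such as the order-dependent results in the attached scan logs.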
