[clamav-users] Odd behavior when scanning eicar test files
Haukur Valgeirsson
haukurv at 1984.is
Tue Apr 27 11:37:29 UTC 2021
Now the plot thickens.
Sorry for the "spam", but I am just trying to convey useful information.
I tested a bunch of quarantined php injections. Whitelisting each of
these worked exactly as expected, only the whitelisted file was "clean"
(md5 checksum whitelisting). Then I used one of these files, made a
renamed copy as well as a zipped version and a double zipped version in
which case whitelisting any of these whitelisted all the others too.
So this hard-to-predict behavior seems to only apply in some cases (ex:
eicar).
Should I file a bug report on this?
Best regards,
Haukur
On 27.4.2021 09:54, Haukur Valgeirsson via clamav-users wrote:
>
> Hi again.
>
> Now I am getting really confused. I repeated the tests but now
> scanning the eicar files in different directories in the same scan. I
> compiled the file list into a file that I read into an array in bash
> and pass to clamscan. The results differ between directories, even if
> the files in them are identical (confirmed with diff).
>
> The modified script is attached (clamcars2.sh), the file read in
> (testfiles.txt) is just a list of full path to the files. The results
> are in clamscan_eicar_test.txt, each part begins with the filename
> being md5 sum whitelisted.
>
> Any help very much appreciated!
>
> Best regards,
>
> Haukur
>
> On 26.4.2021 15:30, Haukur Valgeirsson via clamav-users wrote:
>>
>> Uhm... now this is strange.
>>
>> When I run the script I wrote, it behaves as one would expect (md5
>> sum must match the file, md5 from eicar.com covers eicar.com.txt too,
>> but not the zips and the md5 from zips only covers the zip that it
>> was generated from).
>>
>> then I reran with the falsepos file only containing the md5 sum from
>> eicarcom2.zip
>>
>> # cat /var/lib/clamav/maldet_ignore_sigs.fp
>> e4968ef99266df7c9a1f0637d2389dab:308:eicarcom2.zip
>>
>> then it seems to whitelist eicar.com as well as itself???
>>
>> # clamscan .
>> When run /usr/local/maldetect/testfolder/clamcars.sh: OK
>> /usr/local/maldetect/testfolder/eicar.com.txt:
>> {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
>> /usr/local/maldetect/testfolder/eicar_com.zip:
>> {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
>> /usr/local/maldetect/testfolder/eicarcom2.zip: OK
>> /usr/local/maldetect/testfolder/eicar.com: OK
>> /usr/local/maldetect/testfolder/result_eicar.com: OK
>> /usr/local/maldetect/testfolder/result_eicar.com.txt: OK
>> /usr/local/maldetect/testfolder/result_eicar_com.zip: OK
>> /usr/local/maldetect/testfolder/result_eicarcom2.zip: OK
>> /usr/local/maldetect/testfolder/.clamcars.sh.swp: OK
>>
>> ----------- SCAN SUMMARY -----------
>>
>> Known viruses: 8539062
>> Engine version: 0.103.2
>> Scanned directories: 1
>> Scanned files: 10
>> Infected files: 2
>> Data scanned: 0.00 MB
>> Data read: 0.00 MB (ratio 0.00:1)
>> Time: 42.336 sec (0 m 42 s)
>> Start Date: 2021:04:26 10:14:50
>> End Date: 2021:04:26 10:15:33
>>
>>
>> and just to test again, I scan another folder, only containing the
>> eicar files:
>>
>> # ll /home/haukurv/www/testfiles
>> total 16
>> -rw-r--r-- 1 haukurv haukurv 68 Apr 26 05:30 eicar.com
>> -rw-r--r-- 1 haukurv haukurv 308 Apr 26 05:30 eicarcom2.zip
>> -rw-r--r-- 1 haukurv haukurv 68 Apr 26 05:30 eicar.com.txt
>> -rw-r--r-- 1 haukurv haukurv 184 Apr 26 05:30 eicar_com.zip
>>
>>
>> # clamscan /home/haukurv/www/testfiles
>> /home/haukurv/www/testfiles/eicar.com: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
>> /home/haukurv/www/testfiles/eicarcom2.zip: OK
>> /home/haukurv/www/testfiles/eicar.com.txt: OK
>> /home/haukurv/www/testfiles/eicar_com.zip: OK
>>
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 8539062
>> Engine version: 0.103.2
>> Scanned directories: 1
>> Scanned files: 4
>> Infected files: 1
>> Data scanned: 0.00 MB
>> Data read: 0.00 MB (ratio 0.00:1)
>> Time: 32.812 sec (0 m 32 s)
>> Start Date: 2021:04:26 10:29:16
>> End Date: 2021:04:26 10:29:48
>>
>>
>> I am getting a little bit confused here :-s
>>
>> reg. Haukur
>>
>>
>> On 26.4.2021 15:04, Haukur Valgeirsson via clamav-users wrote:
>>> Sorry, adding more details for reproducibility.
>>>
>>> My original idea was to use maldet, which uses clamscan so
>>> whitelisting and path exclusions need to happen in clamav, they
>>> don't seem to be passed on to clamscan.
>>>
>>> Environment: 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24)
>>> x86_64 GNU/Linux
>>>
>>> The script clamcars.sh (attached) downloads, whitelists, scans and
>>> puts the results in "result_<filename>" for each of the eicar files.
>>> I can repeat with debug output redirected into the file if it helps.
>>>
>>> I am using "clamscan" (used apt-get install clamav) not the daemon
>>> (clamdscan), so I do not seem to have clamconf:
>>>
>>> # clamscan --version
>>> ClamAV 0.103.2/26152/Mon Apr 26 06:04:28 2021
>>>
>>> Would it help you to look into this if I installed the daemon
>>> scanner and repeated the test?
>>>
>>> The only config I was able to locate is below.
>>>
>>> Thanks.
>>>
>>> Haukur
>>>
>>>
>>> ====
>>>
>>> # cat /etc/clamav/freshclam.conf
>>> # Automatically created by the clamav-freshclam postinst
>>> # Comments will get lost when you reconfigure the clamav-freshclam package
>>>
>>> DatabaseOwner clamav
>>> UpdateLogFile /var/log/clamav/freshclam.log
>>> LogVerbose false
>>> LogSyslog false
>>> LogFacility LOG_LOCAL6
>>> LogFileMaxSize 0
>>> LogRotate true
>>> LogTime true
>>> Foreground false
>>> Debug false
>>> MaxAttempts 5
>>> DatabaseDirectory /var/lib/clamav
>>> DNSDatabaseInfo current.cvd.clamav.net
>>> ConnectTimeout 30
>>> ReceiveTimeout 0
>>> TestDatabases yes
>>> ScriptedUpdates yes
>>> CompressLocalDatabase no
>>> Bytecode true
>>> NotifyClamd /etc/clamav/clamd.conf
>>> # Check for new database 24 times a day
>>> Checks 24
>>> DatabaseMirror db.local.clamav.net
>>> DatabaseMirror database.clamav.net
>>>
>>>
>>> On 26.4.2021 13:42, G.W. Haywood via clamav-users wrote:
>>>> Hi there,
>>>>
>>>> On Mon, 26 Apr 2021, Haukur Valgeirsson via clamav-users wrote:
>>>>
>>>>> I am setting up daily scanning and was figuring out how to
>>>>> whitelist based on file signatures, and decided to use the eicar
>>>>> test files to tune the settings. Used 'sigtool --md5
>>>>> eicarcom2.zip > falsepossigs.fp' to create the sig to whitelist
>>>>> and proceeded to run test scans and the results were a little
>>>>> surprising:
>>>>
>>>> Given your description of what you did I'd struggle to reproduce it.
>>>> Please give full details of how you are running the scans, the exact
>>>> unaltered output as you see it, and the output of 'clamconf -n'.
>>>>
>>>
>>>
>>> _______________________________________________
>>>
>>> clamav-users mailing list
>>> clamav-users at lists.clamav.net
>>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>>
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
>>
>
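An added example, not part of the thread or of ClamAV's own tooling: it builds a `.fp` whitelist line in the same `md5:size:name` layout that `sigtool --md5` produced above (L51), and then scans each candidate file in its own `clamscan` process against a throwaway database directory, so that nothing carried over between files in one run can colour the per-file result. It assumes GNU coreutils, the `DatabaseDirectory /var/lib/clamav` from the quoted config, and `clamscan` on PATH for the scan step only.

```shell
#!/bin/sh
# Added example (not from the thread). Produces a ClamAV .fp entry without
# sigtool and verifies hash whitelisting one file per clamscan invocation.

# Print the .fp line for one file: <md5>:<size in bytes>:<basename>
fp_entry() {
    f=$1
    md5=$(md5sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$(basename "$f")"
}

# Scan every argument in a separate clamscan run against a temporary database
# directory holding the main signatures plus the given .fp file.
# $1 = path to the .fp file, remaining args = files to test.
# Prints "<file>: OK", "<file>: FOUND" or "<file>: ERROR" per file.
scan_isolated() {
    fp=$1; shift
    dbdir=$(mktemp -d)
    # Link the main signature databases (DatabaseDirectory /var/lib/clamav).
    for db in /var/lib/clamav/*.cvd /var/lib/clamav/*.cld; do
        [ -e "$db" ] && ln -s "$db" "$dbdir/"
    done
    cp "$fp" "$dbdir/whitelist.fp"
    for f in "$@"; do
        # clamscan exit codes: 0 = clean, 1 = signature matched, 2 = error
        clamscan --quiet --database="$dbdir" "$f" >/dev/null 2>&1
        case $? in
            0) echo "$f: OK" ;;
            1) echo "$f: FOUND" ;;
            *) echo "$f: ERROR" ;;
        esac
    done
    rm -rf "$dbdir"
}

# Usage (only meaningful where clamscan and the eicar files are present):
#   fp_entry eicarcom2.zip > whitelist.fp
#   scan_isolated whitelist.fp eicar.com eicar.com.txt eicar_com.zip eicarcom2.zip
```

If the isolated runs whitelist only the file whose hash is in the `.fp`, while one combined `clamscan` of the same directory whitelists others too, the difference lies in the single-run behaviour rather than in the signature itself, which is the kind of detail worth including in a bug report.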