[clamav-users] Odd behavior when scanning eicar test files
Haukur Valgeirsson
haukurv at 1984.is
Wed Apr 28 09:27:59 UTC 2021
Thanks for the reply :-)
I will poke at this a little more and try to be as detailed as I can,
then file a bug report.
Will add a few inline replies here too.
On 27.4.2021 16:09, G.W. Haywood via clamav-users wrote:
>
> This seems to be saying you have a clamd.conf, otherwise freshclam
> wouldn't be able to find it and I'd expect it to give an error. If
> you do have a clamd.conf but don't have a clamd running I'd expect
> freshclam to throw an error when it tried to contact clamd to tell
> it to update its databases.
I am not using clamd. I installed clamav using apt and it did not
install clamdscan, only clamscan and freshclam, so I did not find any
clamd.conf.
> Mostly I'm responding to let you know that I'm still here,
Thanks for that :-)
> What I mean by expected behaviour is that if you whitelist something
> by means of the digest of its uncompressed form, then the scanner sees
> it in compressed form, the scanner will uncompress it automatically -
> and then find that it's whitelisted.
Yes, usually... not always, which is what I found confusing. I can think
of reasons why you might not want this to be the case though (packing
malicious code so you can send it for analysis, for example). If you pack
a malicious file on its own (i.e. nothing else in the archive) this
makes sense, but I have not checked what happens if you pack a malicious
file with clean files; I might do that to get more data :-)
> But you seem to be saying that things change when you move files
> around in the filesystem, and other things (for example things like
> directory/filesystem/size/scan/whatever restrictions) being equal, I
> don't see why there should be any difference in behaviour when the
> scan target is moved so I'd like to look into that when I have time.
Yes, I did see that behaviour, but only when using the EICAR test files,
not when using PHP-injected malware as the sample; then everything worked
exactly as I expected (including the uncompressed file also whitelisting
the zip and vice versa).
> Should I file a bug report on this?
>
> I'd think that's quite reasonable. :)
On it! :-)
Haukur
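The thread turns on one point: a hash whitelist is keyed on the digest of the uncompressed file, so the archive's own digest never matches, and the scanner only finds the whitelisted file after extracting the archive members. The following is an added example, not code from the thread or from ClamAV, that simulates that lookup in Python. It assumes the legacy ClamAV `.fp` whitelist line format `MD5:Size:Name`; the sample bytes are constructed stand-ins (not the real EICAR string), and `scan_blob` is a toy model of the extract-then-check step, not the real scanner.

```python
import hashlib
import io
import zipfile

# Constructed sample data: stands in for the file the poster whitelisted and
# for an unrelated clean file packed beside it. Neither is a real test virus.
SAMPLE_FILE = b"constructed-test-sample-not-real-malware\n"
CLEAN_FILE = b"hello, this is an ordinary text file\n"


def fp_entry(data: bytes, name: str) -> str:
    """Build a .fp-style whitelist line (MD5:Size:Name) for raw bytes.

    Assumption: the legacy .fp format is the MD5 of the whole file, its size
    in bytes, and a label. The digest is taken over the *uncompressed* data.
    """
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def load_fp(lines):
    """Parse .fp lines into a set of (md5, size) keys; blank/comment lines are skipped."""
    keys = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, _name = line.split(":", 2)
        keys.add((md5.lower(), int(size)))
    return keys


def is_whitelisted(data: bytes, fp_keys) -> bool:
    """True when both the MD5 and the byte length match a whitelist entry."""
    return (hashlib.md5(data).hexdigest(), len(data)) in fp_keys


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {member_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan_blob(blob: bytes, fp_keys) -> dict:
    """Toy scanner: report which logical files in blob match the whitelist.

    The container is checked as-is first; if it is a zip, each member is
    extracted and checked against the same digest whitelist. Returns
    {logical_name: whitelisted_bool}, with "<container>" for the outer blob.
    """
    result = {"<container>": is_whitelisted(blob, fp_keys)}
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                result[info.filename] = is_whitelisted(zf.read(info), fp_keys)
    return result


def demo():
    """Run the three cases discussed in the thread and return their results."""
    fp_keys = load_fp([fp_entry(SAMPLE_FILE, "Local.Test.Whitelist")])
    raw = scan_blob(SAMPLE_FILE, fp_keys)
    alone = scan_blob(make_zip({"sample.txt": SAMPLE_FILE}), fp_keys)
    mixed = scan_blob(
        make_zip({"sample.txt": SAMPLE_FILE, "readme.txt": CLEAN_FILE}), fp_keys
    )
    return raw, alone, mixed


if __name__ == "__main__":
    for label, res in zip(("raw file", "zip alone", "zip mixed"), demo()):
        print(f"{label}: {res}")
```

Running it shows the pattern the thread describes: the raw file matches directly, the zip's own digest never matches (so a whitelist entry made from the archive bytes would not cover the extracted file, and vice versa), and the whitelisted member is still found after extraction whether it is packed alone or alongside a clean file.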