[clamav-users] signature exists, but not detecting

G.W. Haywood clamav at jubileegroup.co.uk
Wed Feb 24 10:04:31 UTC 2021


Hi there,

On Tue, 23 Feb 2021, Al Varnell via clamav-users wrote:

> On Tue, Feb 23, 2021 at 19:12 PM, Ron Seguin via clamav-users wrote:
> 
>> Yes, my apologies.  It was VirusTotal.  Here's the link.  Thanks.
>>
> I noted that the scan was from six months ago, so I reanalyzed the
> file and see that ClamAV no longer detects it as infected, although
> 31/62 scanners did. The signature itself was added to the ClamAV db
> almost two years ago, on May 27, 2019, so does seem strange that it
> detected six months ago, but not now. Only thing that changed in
> that time period was the ClamAV scan engine.

It does start to sound like a regression.  If one of you can let me
have a copy of the file I'll be glad to build a few old versions of
ClamAV and find out which versions detect it and which versions fail.

But maybe Talos has older versions set up ready to roll - you'd think
running a body of known bad files past the latest version to exercise
at least a representative fraction of all the signatures before its
release ought to be part of the release testing procedures.  Micah?

-- 

73,
Ged.
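
The version comparison proposed in this message, as an added example that is not part of the original post or of ClamAV's own release tooling: it runs one sample past several `clamscan` builds and reports the first build that stops detecting it. The per-build install layout `ROOT/<build>/bin/clamscan` and the function names are assumptions, and build directory names are assumed to sort oldest first.

```shell
#!/bin/sh
# Added example: compare detection of one sample across several ClamAV builds.
# Assumption: every build lives under ROOT/<build>/bin/clamscan (hypothetical
# layout) and all builds are pointed at the same signature directory, so the
# scan engine is the only variable.

# Map clamscan's exit status to a verdict:
# 0 = no virus found, 1 = virus found, anything else = scan error.
verdict() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "detected" ;;
        *) echo "error" ;;
    esac
}

# scan_with_builds ROOT DBDIR SAMPLE
# Prints one "build verdict" line per clamscan binary found under ROOT,
# in shell glob (lexical) order.
scan_with_builds() {
    root=$1 db=$2 sample=$3
    for bin in "$root"/*/bin/clamscan; do
        [ -x "$bin" ] || continue
        build=${bin%/bin/clamscan}
        build=${build##*/}
        rc=0
        # "|| rc=$?" keeps a non-zero status from aborting under "set -e".
        "$bin" --no-summary -d "$db" "$sample" >/dev/null 2>&1 || rc=$?
        printf '%s %s\n' "$build" "$(verdict "$rc")"
    done
}

# first_regression
# Reads "build verdict" lines (oldest first) on stdin and prints the first
# build that reports clean after an earlier build detected the sample.
first_regression() {
    awk '$2 == "detected" { seen = 1 }
         $2 == "clean" && seen { print $1; exit }'
}

# Stand-alone use: script ROOT DBDIR SAMPLE
if [ "$#" -eq 3 ]; then
    scan_with_builds "$1" "$2" "$3" | tee /dev/stderr | first_regression
fi
```

An "error" verdict for a build means the scan itself failed there and says nothing about detection, so it should be investigated separately from the regression.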


