[clamav-users] INSTREAM + eicar not well detected?

Jorge Elissalde elissalde.j.e at gmail.com
Thu Mar 3 01:26:19 UTC 2022


I have made another test using clamdscan.
If I scan a file with just the EICAR string the detection is fine.
If I modify that file adding a single character, the detection fails.

clamdscan file ( file content: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*)
Infected files: 1

clamdscan file ( file content: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*=)
Infected files: 0

(second test has a '=' added at the end)

I don't understand it.
Thank you in advance!

On Wed, 2 Mar 2022 at 15:03, G.W. Haywood via clamav-users (<
clamav-users at lists.clamav.net>) wrote:

> Hi there,
>
> On Wed, 2 Mar 2022, Jorge Elissalde via clamav-users wrote:
>
> > I'm using clamd to do large-data scanning using INSTREAM ...
> > If I send only one INSTREAM chunk with EICAR inside, it is correctly
> > detected, but if I send several chunks plus the EICAR string, it is not
> > ...
> > char *eicarTest =
> > "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
> > char *junkData = "89jsdkfj";
> > ...
> > ... plus the zero-length chunk to finish...
> >
> > In that case it is not detected, clamd says: instream(local): OK
> >
> > Does it make any sense? I would appreciate any help.
>
> Well it sort of makes sense. :/
>
> I use INSTREAM all the time in my milters.  If I do the same thing
> as you with my homebrew Perl library, I see the expected detection:
>
> 8<----------------------------------------------------------------------
> $ cat --show-nonprinting eicar_mod.tst
> zINSTREAM^@^@^@^D^LX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*89jsdkfj^@^@^@^@^@
> $ ./tempscan.pl eicar_mod.tst
> Sent [96] bytes to clamd...
> Reply is [stream: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND]
> $
> 8<----------------------------------------------------------------------
>
> Maybe you aren't sending what you think you're sending?  You could use
> something like tcpdump to see exactly what is 'going down the wire'.
>
> --
>
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
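Added example, not code from either poster or from ClamAV itself: a Python script that builds the INSTREAM framing clamd expects (the "zINSTREAM" command with its NUL terminator, each chunk as a 4-byte network-order length followed by the data, then a zero-length chunk), parses the frame back so you can confirm what would actually go down the wire, and models the matching rule of ClamAV's stock EICAR signature. That signature is a hash (.hdb) entry pinned to the MD5 and the 68-byte size of the exact EICAR string, so a payload with any extra byte appended, whether '=' or '89jsdkfj', does not match it, while the same 68 bytes split across several chunks still do. The ".UNOFFICIAL" suffix on the {HEX}EICAR.TEST.3.UNOFFICIAL hit in the quoted reply marks a locally loaded signature, which is why that setup can fire on EICAR plus junk where the stock database does not; `sigtool --find-sigs=EICAR` lists what your own database carries. The clamd address in scan() is an assumption, and the chunk splits in the demo are constructed.

```python
"""INSTREAM framing for clamd plus an offline model of the stock EICAR hash signature.

Added example for the thread above; not the posters' code and not ClamAV code.
The clamd socket address used by scan() is an assumption.
"""
import hashlib
import socket
import struct

# The public 68-byte EICAR test string (a test pattern, not live malware).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# ClamAV's stock EICAR detection is a hash signature: MD5 of the exact file,
# with the file size pinned to 68 bytes.  One extra byte changes both.
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"
EICAR_SIZE = 68

CMD = b"zINSTREAM\0"


def instream_frame(chunks):
    """Build the byte stream for one INSTREAM session.

    Wire format: "zINSTREAM\\0", then for each chunk a 4-byte length in
    network byte order followed by the data, then a zero-length chunk.
    A chunking loop that accidentally emits an empty chunk terminates the
    stream early and everything after it is no longer part of the scan,
    so an empty chunk is rejected here rather than silently sent.
    """
    out = bytearray(CMD)
    for chunk in chunks:
        if not chunk:
            raise ValueError("empty chunk would terminate the stream early")
        out += struct.pack("!I", len(chunk)) + chunk
    out += struct.pack("!I", 0)
    return bytes(out)


def instream_payload(frame):
    """Parse a framed stream back into the bytes clamd would scan.

    Run this over what your client really produces (or compare with a
    tcpdump capture) to check that you are sending what you think you are.
    """
    if not frame.startswith(CMD):
        raise ValueError("missing zINSTREAM command")
    pos = len(CMD)
    payload = bytearray()
    while True:
        if pos + 4 > len(frame):
            raise ValueError("truncated length field (no terminating zero chunk?)")
        (n,) = struct.unpack("!I", frame[pos:pos + 4])
        pos += 4
        if n == 0:
            break
        if pos + n > len(frame):
            raise ValueError("chunk runs past end of frame")
        payload += frame[pos:pos + n]
        pos += n
    if pos != len(frame):
        raise ValueError("trailing bytes after terminating chunk")
    return bytes(payload)


def matches_stock_eicar(payload):
    """Model of the hash signature's rule: exact size and exact MD5."""
    return len(payload) == EICAR_SIZE and hashlib.md5(payload).hexdigest() == EICAR_MD5


def scan(chunks, address=("127.0.0.1", 3310)):
    """Send the chunks to a running clamd (assumed address) and return its reply.

    Replies to "z"-prefixed commands are NUL-terminated, e.g.
    "stream: OK" or "stream: <name> FOUND".
    """
    with socket.create_connection(address, timeout=30) as s:
        s.sendall(instream_frame(chunks))
        reply = b""
        while not reply.endswith(b"\0"):
            data = s.recv(4096)
            if not data:
                break
            reply += data
    return reply.rstrip(b"\0").decode()


if __name__ == "__main__":
    # Constructed cases: EICAR split across chunks reassembles to the same
    # 68 bytes and still matches; any appended byte does not.
    cases = [
        ("one chunk", [EICAR]),
        ("three chunks", [EICAR[:10], EICAR[10:40], EICAR[40:]]),
        ("eicar + junk", [EICAR, b"89jsdkfj"]),
        ("eicar + '='", [EICAR + b"="]),
    ]
    for label, chunks in cases:
        payload = instream_payload(instream_frame(chunks))
        print(f"{label:13s} size={len(payload):3d} stock-sig-match={matches_stock_eicar(payload)}")
```

Against a live clamd, scan([EICAR[:10], EICAR[10:]]) should return a FOUND reply and scan([EICAR, b"89jsdkfj"]) "stream: OK" unless a local hex signature like the one in the quoted reply is loaded. Keep clamd's StreamMaxLength in mind for large streams: going past it is reported as an ERROR reply rather than a scan result.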