[clamav-users] INSTREAM + eicar not well detected?

G.W. Haywood clamav at jubileegroup.co.uk
Thu Mar 3 11:02:36 UTC 2022


Hi there,

On Wed, 2 Mar 2022, Jorge Elissalde via clamav-users wrote:

> I have made another test using clamdscan.
> If I scan a file with just the EICAR string the detection is fine.
> If I modify that file adding a single character, the detection fails.
>
> clamdscan file ( file content: X5O!P%@AP
> [4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*)
> Infected files: 1
>
> clamdscan file ( file content:
> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*=
> )
> Infected files: 0
>
> (second test has a '=' added at the end)

It seems to me that in your second test there is more than just one
single character appended, but when I do what you say you're doing I
see the results which I expect.

There are 68 characters in the original eicar file and 69 in the file
which has the extra '=' character appended:

8<----------------------------------------------------------------------
ged at pi4b530214:~ $ diff eicar.orig eicar.single_character_appended 
1c1
< X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
\ No newline at end of file
---
> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*=
\ No newline at end of file
ged at pi4b530214:~ $ 
8<----------------------------------------------------------------------

The harness tells me that it has sent 68 characters from the file to
clamd when I send the original eicar file, and 69 characters when it
sends the modified file.  This gives me confidence that it's sent what
I think it's sent.

Here is the output that I see from my little harness for the original:

8<----------------------------------------------------------------------
ged at pi4b530214:~ $ ./tempscan.pl eicar.orig 
filename=[eicar.orig]
Sent [68] bytes to clamd...
REPLY IS [stream: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND]
8<----------------------------------------------------------------------

Here it is for the modified file:

8<----------------------------------------------------------------------
ged at pi4b530214:~ $ ./tempscan.pl eicar.single_character_appended 
filename=[eicar.single_character_appended]
Sent [69] bytes to clamd...
REPLY IS [stream: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND]
8<----------------------------------------------------------------------

I don't think the difference in behaviour would be explained by the
fact that you're using Windows - but I was wrong before, once. :)

Perhaps you can post the output of 'clamconf -n' and the source of the
program that you're using to send the file if it's reasonably compact.
The executable wouldn't be much use to me, although I could spin up a
VM if absolutely necessary.

If you have Perl on your computer you might want to try this script; I
hope your mail client doesn't mangle the lines too much, there are 47
lines in the script.

8<----------------------------------------------------------------------
File name: tempscan.pl
8<----------------------------------------------------------------------
#!/usr/bin/perl
# Send a file to clamd using the INSTREAM command.
# usage: tempscan.pl <filename>
use strict;
use warnings;
use IO::Socket;
use File::Slurp;
use Time::HiRes qw(usleep);    # usleep() is not a Perl builtin.
# Make sure the IP address and port number suit your clamd setup!
my $peer_addr = '127.0.0.1';
my $peer_port = '3310';
my $filename = $ARGV[0];
die "usage: tempscan.pl <filename>\n" unless defined $filename;
print "filename=[$filename]\n";
my $clam1;
if( ! ($clam1 = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$peer_addr,PeerPort=>$peer_port)))
{
     printf( "Failed to connect to ClamAV daemon on [%s:%s]\n", $peer_addr, $peer_port );
     exit 1;
}
binmode $clam1;                   # Raw bytes on the socket; matters on Windows.
# Read the file as raw bytes so no newline translation changes the byte count.
my $remaining = read_file( $filename, binmode => ':raw' );
print $clam1 "nINSTREAM\n";       # Newline-terminated command.
while( length $remaining )        # Send in chunks, maximum 65535 bytes per chunk.
{
     my $chunk = substr( $remaining, 0, 65_535, '' ) ;
     my $chunk_length = pack( 'N', length( $chunk ) );   # 4-byte big-endian length prefix.
     print( $clam1 $chunk_length . $chunk );
     printf( "Sent [%d] bytes to clamd...\n", length($chunk) );
}
my $terminator = pack( 'N', 0 );  # Zero-length chunk ends the stream.
print $clam1 $terminator,"\n";    # The terminating null for the data.
my $reply_timeout = 10_000;
my $reply = '';
while( !$reply && $reply_timeout )
{
     if( ! ($reply = <$clam1>) )
     {
         usleep( 1_000_000 );      # One second between retries.
         $reply_timeout--;
         if( ! $reply_timeout )
         {
             print( "TIMEOUT waiting for response from clamd\n" );
             $reply = 'TIMEOUT';
         }
     }
}
close $clam1;
chomp $reply;
printf( "REPLY IS [%s]\n", $reply );
8<----------------------------------------------------------------------

HTH

-- 

73,
Ged.
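As an added example (not part of Ged's post or the ClamAV project), the INSTREAM framing the Perl script relies on, written in Python so the exact bytes put on the wire for the 68-byte and 69-byte EICAR files can be checked offline: each chunk is a 4-byte big-endian length followed by the payload, and the stream ends with a zero-length chunk. The clamd address in scan_with_clamd is an assumption; the EICAR inputs are constructed from the thread.

```python
import socket
import struct

# Constructed sample input: the 68-byte EICAR test string and the 69-byte
# variant with '=' appended, as discussed in the thread.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_PLUS_EQ = EICAR + b"="

MAX_CHUNK = 65_535  # the per-chunk maximum the Perl script honours


def instream_frames(data: bytes, max_chunk: int = MAX_CHUNK) -> list[bytes]:
    """Split data into INSTREAM chunks (4-byte big-endian length + payload),
    closed by a zero-length chunk (four NUL bytes)."""
    frames = []
    for off in range(0, len(data), max_chunk):
        chunk = data[off:off + max_chunk]
        frames.append(struct.pack(">I", len(chunk)) + chunk)
    frames.append(struct.pack(">I", 0))
    return frames


def instream_bytes_sent(data: bytes) -> int:
    """Payload byte count a client should report after streaming data
    (the 'Sent [N] bytes' figure in the Perl harness)."""
    return sum(len(f) - 4 for f in instream_frames(data))


def decode_instream(wire: bytes) -> bytes:
    """Reassemble the payload from a framed INSTREAM byte string, the way
    the receiving daemon would, stopping at the zero-length terminator."""
    out, pos = bytearray(), 0
    while True:
        (n,) = struct.unpack(">I", wire[pos:pos + 4])
        pos += 4
        if n == 0:
            return bytes(out)
        out += wire[pos:pos + n]
        pos += n


def scan_with_clamd(data: bytes, host: str = "127.0.0.1", port: int = 3310) -> str:
    """Send data to a running clamd (assumed at host:port) and return its reply."""
    with socket.create_connection((host, port), timeout=30) as s:
        s.sendall(b"nINSTREAM\n" + b"".join(instream_frames(data)))
        return s.recv(4096).decode().strip()
```

Comparing instream_bytes_sent() against the file size on disk is the same sanity check Ged describes: if the two differ, something between the file and the socket (newline translation, mail encoding, a wrapper) has changed the bytes before clamd ever sees them.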

