[clamav-users] INSTREAM + eicar not well detected?
Jorge Elissalde
elissalde.j.e at gmail.com
Thu Mar 3 13:53:24 UTC 2022
Hi,
Thank you for your answer.
I think the issue is in the Windows clamd release.
I made a tiny Perl script based on yours, running on Linux and connecting to
clamd running on Windows.
The code is as follows:
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;
my $peer = '172.20.0.165';
my $port = '3310';
my $clamScan;
if (!($clamScan =
IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$peer,PeerPort=>$port)))
{ printf ("Cannot connect to ClamAV");
exit;
}
# 'n' prefix: newline-terminated command; clamd answers with one newline-terminated line.
print $clamScan "nINSTREAM\n";
# The 68-byte EICAR test string (single-quoted, so \P and $EICAR stay literal).
my $chunk = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*';
# Each chunk is a 4-byte big-endian length followed by the data ...
my $chlen = pack('N', length($chunk));
print $clamScan $chlen . $chunk;
# ... and a zero-length chunk terminates the stream.
$chlen = pack('N',0);
print $clamScan $chlen;
# Read clamd's verdict ("stream: OK" or "stream: <name> FOUND") before closing.
my $reply = <$clamScan>;
print $reply if defined $reply;
close $clamScan;
------
That code correctly reports EICAR:
instream(172.20.0.170@41836): Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND
If I modify the $chunk var, adding several chars, detection fails:
my $chunk = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*kkkkkk';
instream(172.20.0.170@41838): OK
I'm going to install the Linux clamd version and test it again, but everything
here means that Windows clamd is not working well.
Thank you very much!
On Thu, 3 Mar 2022 at 8:03, G.W. Haywood via clamav-users (<
clamav-users at lists.clamav.net>) wrote:
> Hi there,
>
> On Wed, 2 Mar 2022, Jorge Elissalde via clamav-users wrote:
>
> > I have made another test using clamdscan.
> > If I scan a file with just the EICAR string the detection is fine.
> > If I modify that file adding a single character, the detection fails.
> >
> > clamdscan file ( file content: X5O!P%@AP
> > [4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*)
> > Infected files: 1
> >
> > clamdscan file ( file content:
> > X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*=
> > )
> > Infected files: 0
> >
> > (second test has a '=' added at the end)
>
> It seems to me that in your second test there is more than just one
> single character appended, but when I do what you say you're doing I
> see the results which I expect.
>
> There are 68 characters in the original eicar file and 69 in the file
> which has the extra '=' character appended:
>
> 8<----------------------------------------------------------------------
> ged at pi4b530214:~ $ diff eicar.orig eicar.single_character_appended
> 1c1
> < X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
> \ No newline at end of file
> ---
> > X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*=
> \ No newline at end of file
> ged at pi4b530214:~ $
> 8<----------------------------------------------------------------------
>
> The harness tells me that it has sent 68 characters from the file to
> clamd when I send the original eicar file, and 69 characters when it
> sends the modified file. This gives me confidence that it's sent what
> I think it's sent.
>
> Here is the output that I see from my little harness for the original:
>
> 8<----------------------------------------------------------------------
> ged at pi4b530214:~ $ ./tempscan.pl eicar.orig
> filename=[eicar.orig]
> Sent [68] bytes to clamd...
> REPLY IS [stream: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND]
> 8<----------------------------------------------------------------------
>
> Here it is for the modified file:
>
> 8<----------------------------------------------------------------------
> ged at pi4b530214:~ $ ./tempscan.pl eicar.single_character_appended
> filename=[eicar.single_character_appended]
> Sent [69] bytes to clamd...
> REPLY IS [stream: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND]
> 8<----------------------------------------------------------------------
>
> I don't think the difference in behaviour would be explained by the
> fact that you're using Windows - but I was wrong before, once. :)
>
> Perhaps you can post the output of 'clamconf -n' and the source of the
> program that you're using to send the file if it's reasonably compact.
> The executable wouldn't be much use to me, although I could spin up a
> VM if absolutely necessary.
>
> If you have Perl on your computer you might want to try this script; I
> hope your mail client doesn't mangle the lines too much, there are 47
> lines in the script.
>
> 8<----------------------------------------------------------------------
> File name: tempscan.pl
> 8<----------------------------------------------------------------------
> #!/usr/bin/perl
> # Send a file to clamd.
> # usage: tempscan.pl <filename>
> use strict;
> use warnings;
> use IO::Socket;
> use File::Slurp;
> use Time::HiRes qw(usleep);   # usleep() is not a Perl builtin
> # Make sure the IP address and port number suit your clamd setup!
> my $peer_addr = '127.0.0.1';
> my $peer_port = '3310';
> my $filename = $ARGV[0];
> printf( "filename=[%s]\n", $filename );
> my $clam1;
> if( ! ($clam1 =
> IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$peer_addr,PeerPort=>$peer_port)))
> {
> printf( 'Failed to connect to ClamAV daemon on [%s:%s]', $peer_addr,
> $peer_port );
> exit;
> }
> # Read raw bytes so no newline translation changes what gets scanned.
> my $remaining = read_file( $filename, binmode => ':raw' );
> my $part_length = length($remaining);
> # 'n' prefix: newline-terminated command, newline-terminated reply.
> print $clam1 "nINSTREAM\n";
> while( length $remaining ) # Send in chunks, maximum 65535 bytes per chunk.
> {
> my $chunk = substr( $remaining, 0, 65_535, '' ) ;
> my $chunk_length = pack( 'N', length( $chunk ) ); # 4-byte big-endian length
> print( $clam1 $chunk_length . $chunk );
> printf( "Sent [%d] bytes to clamd...\n", length($chunk) );
> }
> my $terminator = pack( 'N', 0 );
> print $clam1 $terminator; # A zero-length chunk ends the stream; send nothing after it.
> my $reply_timeout = 10_000;
> my $reply = '';
> while( !$reply && $reply_timeout )
> {
> if( ! ($reply = <$clam1>) )
> {
> usleep( 1_000_000 );
> $reply_timeout--;
> if( ! $reply_timeout )
> {
> print( "TIMEOUT waiting for response from clamd\n" );
> $reply = 'TIMEOUT';
> }
> }
> }
> close $clam1;
> chomp $reply;
> # clamd answers one line, e.g. "stream: OK" or "stream: <name> FOUND".
> printf( "REPLY IS [%s]\n", $reply );
> 8<----------------------------------------------------------------------
>
> HTH
>
> --
>
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
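Added example, not code from either poster: a Python client for the INSTREAM framing both Perl scripts implement (newline-terminated nINSTREAM command, 4-byte big-endian length prefix per chunk, zero-length chunk as terminator), a decoder for the same framing, a parser for clamd's one-line reply, and two toy matchers that show why the two signatures named in this thread behave differently on a padded file. The detection name in the Windows log, Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68), carries an .hdb record of the form md5:size:name, which matches only a file of exactly that size with exactly that MD5; a wildcard-free hex body signature (the shape suggested by Ged's {HEX}EICAR.TEST.3.UNOFFICIAL hit, the .UNOFFICIAL suffix marking a non-official database) is a byte-substring match and still fires with bytes appended. The EICAR bytes, the padded variant and the hex body pattern are constructed inline; the host and port in the usage line are taken from the thread and are assumptions about your setup.

```python
"""Added example (not from the thread): clamd INSTREAM framing, reply parsing,
and hash (.hdb) versus body (hex) signature matching on the EICAR test string."""
import hashlib
import socket
import struct

# Constructed sample input: the published 68-byte EICAR test string.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_PADDED = EICAR + b"kkkkkk"  # the 74-byte variant tried in the thread

# .hdb record (md5:size:name) copied from the detection name in the Windows clamd log.
EICAR_HDB = "44d88612fea8a8f36de82e1278abb02f:68:Win.Test.EICAR_HDB-1"
# Constructed wildcard-free hex body pattern: the EICAR bytes as hex.
EICAR_HEX_BODY = EICAR.hex()

INSTREAM_CMD = b"nINSTREAM\n"  # 'n' prefix: newline-terminated command and reply


def instream_frames(data: bytes, chunk_size: int = 65535) -> bytes:
    """Encode data as one INSTREAM session: command, <4-byte big-endian
    length><bytes> per chunk, then a zero-length chunk as terminator."""
    out = bytearray(INSTREAM_CMD)
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)
    return bytes(out)


def decode_instream(payload: bytes) -> bytes:
    """Reverse of instream_frames(): the bytes clamd reassembles from the wire.
    Raises ValueError on a truncated chunk or a missing terminator."""
    if not payload.startswith(INSTREAM_CMD):
        raise ValueError("missing nINSTREAM command")
    pos = len(INSTREAM_CMD)
    body = bytearray()
    while True:
        if pos + 4 > len(payload):
            raise ValueError("truncated: no zero-length terminator")
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if n == 0:
            return bytes(body)
        if pos + n > len(payload):
            raise ValueError("truncated chunk")
        body += payload[pos:pos + n]
        pos += n


def parse_reply(line: bytes):
    """Parse clamd's reply line: b'stream: X FOUND' -> ('FOUND', 'X'),
    b'stream: OK' -> ('OK', None), '... ERROR' -> ('ERROR', message)."""
    text = line.decode("utf-8", "replace").strip()
    head, sep, tail = text.partition(": ")
    verdict = tail if sep else head
    if verdict == "OK":
        return "OK", None
    for tag in ("FOUND", "ERROR"):
        if verdict.endswith(" " + tag):
            return tag, verdict[: -(len(tag) + 1)]
    raise ValueError(f"unexpected reply: {text!r}")


def hdb_matches(sig: str, data: bytes) -> bool:
    """md5:size:name matches only an exact-size file with that MD5 ('*' = any size)."""
    md5, size, _name = sig.split(":", 2)
    size_ok = size == "*" or len(data) == int(size)
    return size_ok and hashlib.md5(data).hexdigest() == md5


def body_matches(hex_pattern: str, data: bytes) -> bool:
    """A wildcard-free hex body pattern is a byte-substring search."""
    return bytes.fromhex(hex_pattern) in data


def scan_instream(host: str, port: int, data: bytes, timeout: float = 10.0):
    """Send data to a live clamd over TCP and return parse_reply() of its answer.
    Network call; not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\n"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    for label, sample in (("eicar", EICAR), ("eicar+kkkkkk", EICAR_PADDED)):
        print(label, "hdb:", hdb_matches(EICAR_HDB, sample),
              "body:", body_matches(EICAR_HEX_BODY, sample))
    # print(scan_instream("172.20.0.165", 3310, EICAR))  # address from the thread; assumption
```

Run it offline and the hdb matcher is true for the 68-byte file and false for the 74-byte one, while the body matcher is true for both; that is the same split the two clamd outputs in this thread show. Uncomment the last line to scan against a real daemon.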