[clamav-users] INSTREAM + eicar not well detected?

Kris Deugau kdeugau at vianet.ca
Thu Mar 3 15:24:15 UTC 2022


Jorge Elissalde via clamav-users wrote:
> Thank you for your answer.
> I'm using Windows clamd release 0.104.2
> I have double checked with wireshark and the data sent is ok.
> 
> suppose I just send: char *eicarTest = 
> "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
> Result is ok: instream(local): 
> Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND
> 
> then I send: char *eicarTest = 
> "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*hjyhj"
> (5 more characters)
> Result is not ok: instream(local): OK
> 
> Perhaps Windows Clamd release works differently than Linux release?

This got me curious, because this is the canonical test "virus" (does 
this actually still run on modern Windows?) that should be detected by 
any AV software in existence.  I started wondering if the official stock 
Eicar signatures were hash signatures instead of one of the 
pattern-based types.

And so they are:

kdeugau at ele:$ sigtool --find-sigs Eicar
[daily.mdu] 45056:3ea7d00dedd30bcdf46191358c36ffa4:Eicar-Test-Signature
[daily.msb] 45056:f9b304ced34fcce3ab75c6dc58ad59e4d62177ffed35494f79f09bc4e8986c16:Eicar-Test-Signature
[daily.hsb] 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f:68:Eicar-Test-Signature
[daily.hsu] 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f:68:Eicar-Test-Signature
[daily.hdu] 44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
[daily.msu] 45056:f9b304ced34fcce3ab75c6dc58ad59e4d62177ffed35494f79f09bc4e8986c16:Eicar-Test-Signature
[daily.ldb] Win.Dropper.Eicar-9892650-0;Engine:106-255,Target:1;0&1&2;4d535642564d{2}2e444c4c::i;56423521f01f{28}0a00{16}00f0300000ffffff08000000010000000100;499257354f8ce4499f7d1f926dd38d28
[daily.hdb] 44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
[daily.mdb] 45056:3ea7d00dedd30bcdf46191358c36ffa4:Eicar-Test-Signature
[daily.mdb] 15872:2cc59e79e957c0fd8068e1bac52137bc:Win.Trojan.Eicartest-1
[6327695.cbc BYTECODE] Eicar-Signature.{};Engine:56-255,Target:0;0;0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
[main.mdb] 2560:db9db3a5cf0ba0e644ad04792e02fbcd:Win.Trojan.Eicar-1

kdeugau at ele:$ sigtool --find-sigs EICAR
[daily.ldb] Win.Tool.EICAR-9917185-0;Engine:51-255,Target:1;0&1&2&3&4;466f72206d6f726520736563757269747920666561747572652074657374732c20706c656173652076697369743a20687474703a2f2f7777772e616d74736f2e6f72672f666561747572652d73657474696e67732d636865636b2e68746d6c20;496e206361736520796f752065786563757465642074686973206170706c69636174696f6e20776974686f75742067657474696e6720616e7920616c6572742c20646574656374696f6e206f66205055412028506f74656e7469616c6c7920556e77616e746564204170706c69636174696f6e7329206973206e6f7420656e61;497320746865726520616e7920726561736f6e2c20776879206e6f7420636c6f7365207468652077696e646f773f;492077696c6c207265616c6c7920636c6f7365207468652077696e646f77206e6f772e;446f20796f752077616e7420746f20636c6f736520746869732077696e646f773f
[main.hdb] 44d88612fea8a8f36de82e1278abb02f:68:Win.Test.EICAR_HDB-1
[main.msb] 45056:f9b304ced34fcce3ab75c6dc58ad59e4d62177ffed35494f79f09bc4e8986c16:Win.Test.EICAR_MSB-1
[main.mdb] 45056:3ea7d00dedd30bcdf46191358c36ffa4:Win.Test.EICAR_MDB-1
[main.hsb] 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f:68:Win.Test.EICAR_HSB-1


There is quite a proliferation of hash signatures, but by definition 
those will only ever match the exact file, i.e., a file or stream 
consisting of the exact 68 bytes in eicar.com.  The only one that would 
match within a larger file or datastream is the bytecode signature 
Eicar-Signature.{} (second from the bottom in the first set).

Check if you have bytecode signatures disabled in your Windows clamd 
instance.

-kgd
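To make the difference between the two signature classes concrete, here is an added illustration (not code from the thread or from ClamAV): a toy matcher that applies the .hdb line (md5:size:name) and the hex body of the bytecode signature quoted above to the 68-byte EICAR stream and to the same stream with "hjyhj" appended, as in Jorge's test. Treating the bytecode body as a plain substring pattern is an assumed simplification of the real engine.

```python
import hashlib

# Constructed sample streams: the 68-byte EICAR test string, and the same
# string with five extra bytes appended, as in the thread.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_PLUS = EICAR + b"hjyhj"

# Hash signature in ClamAV .hdb form (md5:size:name), copied from the
# sigtool output in the message. The size field makes the match exact.
HDB_SIGS = [
    "44d88612fea8a8f36de82e1278abb02f:68:Win.Test.EICAR_HDB-1",
]

# Hex body taken from the Eicar-Signature bytecode entry in the message,
# treated here as a plain byte pattern (assumed simplification, not the
# real bytecode engine).
HEX_PATTERNS = [
    ("Eicar-Signature",
     "58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d"
     "5354414e444152442d414e544956495255532d544553542d46494c452124482b482a"),
]


def match_hdb(data: bytes, sigs=HDB_SIGS):
    """Return names of hash signatures matching the whole stream exactly."""
    digest = hashlib.md5(data).hexdigest()
    hits = []
    for sig in sigs:
        sig_hash, sig_size, name = sig.split(":")
        # Digest and byte count must both match: appending even one byte
        # changes the MD5 and the length, so the hash signature misses.
        if sig_hash == digest and (sig_size == "*" or int(sig_size) == len(data)):
            hits.append(name)
    return hits


def match_patterns(data: bytes, sigs=HEX_PATTERNS):
    """Return names of byte patterns found anywhere inside the stream."""
    return [name for name, hexbody in sigs if bytes.fromhex(hexbody) in data]


def scan(data: bytes):
    """Combine both signature classes, as clamd does across its databases."""
    return {"hash": match_hdb(data), "pattern": match_patterns(data)}
```

Running scan() on both streams shows the hash signature firing only on the exact 68 bytes, while the pattern still hits with the five extra bytes present, which is why a clamd with bytecode signatures disabled reports the longer stream as OK.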

