[clamav-users] INSTREAM + eicar not well detected?

Tuomo Soini tis at foobar.fi
Thu Mar 3 15:26:24 UTC 2022


On Wed, 2 Mar 2022 12:35:40 -0300
Jorge Elissalde via clamav-users <clamav-users at lists.clamav.net> wrote:

>  Hi,
> 
> I'm using clamd to scan a large amount of data using INSTREAM (the
> data is not available as files I could send to clamd). If I send only
> one INSTREAM chunk with EICAR inside, it is correctly detected, but if
> I send several chunks plus the EICAR string, it is not detected.

> Does it make any sense? I will appreciate any help.

You miss the most important point. The EICAR test file is very strictly
defined at https://www.eicar.org/?page_id=3950 - it very clearly
defines which extra characters are allowed after the 68-character string.

"The first 68 characters is the known string. It may be optionally
appended by any combination of whitespace characters with the total
file length not exceeding 128 characters. The only whitespace
characters allowed are the space character, tab, LF, CR, CTRL-Z. To
keep things simple the file uses only upper case letters, digits and
punctuation marks, and does not include spaces. The only thing to watch
out for when typing in the test file is that the third character is the
capital letter „O“, not the digit zero."

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
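
The following is an added example, not part of the original thread and not ClamAV code. It applies the definition quoted above to the bytes that result when INSTREAM chunks are concatenated into one scanned object. The function names are hypothetical, the sample chunks are constructed, and it does not reproduce ClamAV's own signature matching.

```python
import struct

# The 68-character EICAR string, assembled from two parts so this source
# file does not contain it as one literal.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

ALLOWED_TRAILING = b" \t\n\r\x1a"  # space, tab, LF, CR, CTRL-Z
MAX_TOTAL = 128                     # maximum total file length
COMMAND = b"zINSTREAM\0"


def is_valid_eicar_file(data: bytes) -> bool:
    """Apply the quoted definition to a whole scanned object."""
    if len(data) > MAX_TOTAL or not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_TRAILING for b in data[len(EICAR):])


def instream_frames(chunks) -> bytes:
    """Frame chunks for clamd INSTREAM: a 4-byte big-endian length before
    each chunk, and a zero-length chunk to end the stream."""
    wire = COMMAND
    for chunk in chunks:
        wire += struct.pack("!I", len(chunk)) + chunk
    return wire + struct.pack("!I", 0)


def scanned_object(wire: bytes) -> bytes:
    """Rebuild what gets scanned: chunk boundaries disappear and the
    payloads are concatenated into a single stream."""
    if not wire.startswith(COMMAND):
        raise ValueError("not an INSTREAM request")
    pos, out = len(COMMAND), b""
    while True:
        (size,) = struct.unpack_from("!I", wire, pos)
        pos += 4
        if size == 0:
            return out
        out += wire[pos:pos + size]
        pos += size


if __name__ == "__main__":
    alone = scanned_object(instream_frames([EICAR + b"\r\n"]))
    mixed = scanned_object(instream_frames([b"A" * 100, b"B" * 100, EICAR]))
    print("EICAR alone conforms:", is_valid_eicar_file(alone))
    print("data chunks + EICAR conforms:", is_valid_eicar_file(mixed))
```

Chunking by itself does not matter: the string split across two chunks still reassembles into a conforming file, while any preceding data moves it away from offset 0 and pushes the total past 128 bytes.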

