[clamav-users] INSTREAM + eicar not well detected?

Paul Kosinski clamav-users at iment.com
Thu Mar 3 17:12:31 UTC 2022


On Thu, 3 Mar 2022 11:02:36 +0000 (GMT)
"G.W. Haywood via clamav-users" <clamav-users at lists.clamav.net> wrote:

> Hi there,
> 
> On Wed, 2 Mar 2022, Jorge Elissalde via clamav-users wrote:
> 
> > I have made another test using clamdscan.
> > If I scan a file with just the EICAR string the detection is fine.
> > If I modify that file adding a single character, the detection fails.
> >
> > clamdscan file ( file content: X5O!P%@AP
> > [4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*)
> > Infected files: 1
> >
> > clamdscan file ( file content:
> > X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*=
> > )
> > Infected files: 0
> >
> > (second test has a '=' added at the end)  
> 
> It seems to me that in your second test there is more than just one
> single character appended, but when I do what you say you're doing I
> see the results which I expect.
> 
> There are 68 characters in the original eicar file and 69 in the file
> which has the extra '=' character appended:



A trailing '=' and changing the length from 68 to 69 is what base64 encoding does, since it works in multiples of 3 bytes and pads with trailing '='s.
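Two things from the thread can be checked offline: whether a test file still meets EICAR's own definition of the test file (the 68-byte string, optionally followed only by whitespace, at most 128 bytes total) and how many '=' characters base64 actually adds for a given input length. The following is an added example, not code from the thread or from ClamAV; the two sample files are reconstructed from the messages above.

```python
import base64

# The 68-byte EICAR test string, exactly as EICAR defines it.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Whitespace EICAR permits after the string (space, tab, LF, CR, CTRL-Z).
EICAR_TRAILING_OK = b" \t\n\r\x1a"
EICAR_MAX_LEN = 128


def eicar_check(data: bytes) -> str:
    """Classify a candidate EICAR test file against the EICAR definition.

    Returns "valid" when the file is the 68-byte string optionally followed
    by whitespace, up to 128 bytes in total; otherwise a short reason.
    """
    if not data.startswith(EICAR):
        return "no-eicar-prefix"
    if len(data) > EICAR_MAX_LEN:
        return "too-long"
    tail = data[len(EICAR):]
    bad = [b for b in tail if b not in EICAR_TRAILING_OK]
    if bad:
        # Any non-whitespace byte (such as '=') makes it no longer the test file.
        return "trailing-non-whitespace:%r" % bytes(bad[:1])
    return "valid"


def base64_padding(data: bytes) -> int:
    """Number of '=' padding characters base64 appends for this input length."""
    return base64.b64encode(data).count(b"=")


if __name__ == "__main__":
    # Constructed reproductions of the two files described in the thread.
    samples = (("original", EICAR), ("with '='", EICAR + b"="))
    for name, blob in samples:
        print(f"{name}: {len(blob)} bytes -> {eicar_check(blob)}")
    # 68 % 3 == 2, so base64 of the bare string ends in exactly one '='.
    print("base64 '=' padding for the 68-byte string:", base64_padding(EICAR))
```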