[clamav-users] INSTREAM + eicar not well detected?
Andrew C Aitchison
clamav at aitchison.me.uk
Fri Mar 4 12:37:37 UTC 2022
On Thu, 3 Mar 2022, Paul Kosinski via clamav-users wrote:
> On Thu, 3 Mar 2022 11:02:36 +0000 (GMT)
> "G.W. Haywood via clamav-users" <clamav-users at lists.clamav.net> wrote:
>
>> Hi there,
>>
>> On Wed, 2 Mar 2022, Jorge Elissalde via clamav-users wrote:
>>
>>> I have made another test using clamdscan.
>>> If I scan a file with just the EICAR string the detection is fine.
>>> If I modify that file adding a single character, the detection fails.
>>>
>>> clamdscan file ( file content: X5O!P%@AP
>>> [4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*)
>>> Infected files: 1
>>>
>>> clamdscan file ( file content:
>>> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*=
>>> )
>>> Infected files: 0
>>>
>>> (second test has a '=' added at the end)
>>
>> It seems to me that in your second test there is more than just one
>> single character appended, but when I do what you say you're doing I
>> see the results which I expect.
>>
>> There are 68 characters in the original eicar file and 69 in the file
>> which has the extra '=' character appended:
>
> A trailing '=' and changing the length from 68 to 69 is what base64
> encoding does, since it works in multiples of 3 bytes and pads with
> trailing '='s.
Which base64 implementation are you using?
Ubuntu21.10# cat ~/viruses/eicar.com.txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Ubuntu21.10# base64 ~/viruses/eicar.com.txt | base64 -d
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Ubuntu21.10# base64 ~/viruses/eicar.com.txt | base64 -d | diff - ~/viruses/eicar.com.txt | wc
0 0 0
Ubuntu21.10# echo $(cat ~/viruses/eicar.com.txt)"=" | base64 | base64 -d
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*=
... But as I say in another email, it is unusual for the EOF to be a
necessary part of any malware.
--
Andrew C. Aitchison Kendal, UK
andrew at aitchison.me.uk
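As an added check (example code written for this page, not from any poster in the thread), the script below confirms that base64 padding is only present in the encoded form and disappears on decode, and frames a payload exactly as clamd's INSTREAM command receives it, so the number of bytes that actually reach the scanner can be verified before the signature is blamed. The host, port and chunk size are assumed defaults; `scan_instream` needs a running clamd and is not exercised by the other functions.

```python
import base64
import socket
import struct

# The 68-byte EICAR test string exactly as quoted in the thread.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def base64_roundtrip(data: bytes) -> dict:
    """Encode then decode; report padding and whether the bytes survive unchanged."""
    encoded = base64.b64encode(data)
    decoded = base64.b64decode(encoded)
    return {
        "input_len": len(data),
        "encoded_len": len(encoded),
        "padding": encoded.count(b"="),   # '=' lives only in the encoded form
        "roundtrip_ok": decoded == data,
    }


def instream_frames(data: bytes, chunk_size: int = 1024) -> bytes:
    """Build the byte stream clamd's INSTREAM command expects:
    'zINSTREAM\\0', then <4-byte big-endian length><chunk>..., then a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack("!I", len(chunk)) + chunk
    out += struct.pack("!I", 0)          # terminator: zero-length chunk
    return bytes(out)


def payload_bytes(frames: bytes) -> int:
    """Count the data bytes inside INSTREAM frames, i.e. what clamd will scan."""
    pos = len(b"zINSTREAM\0")
    total = 0
    while True:
        (n,) = struct.unpack("!I", frames[pos:pos + 4])
        pos += 4
        if n == 0:
            return total
        total += n
        pos += n


def scan_instream(data: bytes, host: str = "127.0.0.1", port: int = 3310) -> str:
    """Send the framed data to a running clamd (assumed default TCP port) and return its reply."""
    with socket.create_connection((host, port), timeout=30) as s:
        s.sendall(instream_frames(data))
        return s.recv(4096).decode().strip("\0\n")
```

Compare `payload_bytes` for the original file and for the file with the extra '=' (68 versus 69); if the count is right but the verdict differs, the appended byte, not the transport, changed what the signature sees.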