[clamav-users] INSTREAM + eicar not well detected?
Andrew C Aitchison
clamav at aitchison.me.uk
Fri Mar 4 12:38:01 UTC 2022
On Fri, 4 Mar 2022, Tuomo Soini via clamav-users wrote:
> On Thu, 3 Mar 2022 22:50:04 -0300
> Jorge Elissalde via clamav-users <clamav-users at lists.clamav.net> wrote:
>
>> Hi,
>>
>> The weird part is that Avira and other Antivirus correctly are able to
>> detect EICAR in any case, having other characters before and/or after
>> the EICAR string.
>
> That is incorrectly detecting it. They must not detect signature in the
> middle. That's clearly in specification. Long time ago there was big
> discussion about eicar detection and at that time ClamAV got fixed not
> to incorrectly detect eicar signature in the middle of other data.
If that particular string of characters appears in the middle of a stream
it may not be "The EICAR virus" but it should be detected as, say
"potentially malicious".
Yes, malware which is defeated when it is not terminated by EOF might
exist (if it exploits a bug in the EOF-handling code, for example).
However something which is executed is likely to have done its damage
before the EOF is processed.
Clamd should detect signatures whether or not they are at the end of the
"file". False positives are undesirable but still better than false
negatives.
--
Andrew C. Aitchison Kendal, UK
andrew at aitchison.me.uk
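The disagreement above is between two matching rules: the EICAR specification's own rule (the 68-character string must start the file, may be followed only by whitespace, and the whole thing must be at most 128 bytes) and a looser "string anywhere in the data" rule. The following Python is an added illustration, not code from the thread or from ClamAV; it encodes the published EICAR rules as I know them, and the verdict labels ("eicar", "eicar-embedded", "clean") and the sample inputs are constructed for the example.

```python
import re

# The 68-character EICAR test string as published by EICAR (raw bytes so the
# backslash is literal).
EICAR_SIG = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Whitespace the EICAR spec permits after the string: space, tab, LF, CR, CTRL-Z.
_TRAILING_OK = re.compile(rb"[ \t\r\n\x1a]*\Z")
MAX_EICAR_LEN = 128  # spec: total file size must not exceed 128 bytes


def matches_eicar_spec(data: bytes) -> bool:
    """Strict match as the EICAR spec defines the test file."""
    if len(data) > MAX_EICAR_LEN or not data.startswith(EICAR_SIG):
        return False
    # Everything after the 68-byte string must be permitted whitespace only.
    return _TRAILING_OK.match(data, len(EICAR_SIG)) is not None


def contains_eicar(data: bytes) -> bool:
    """Loose match: the string appears anywhere in the data."""
    return EICAR_SIG in data


def classify(data: bytes) -> str:
    """Constructed verdict labels showing where the two rules disagree."""
    if matches_eicar_spec(data):
        return "eicar"            # both rules agree: this is the test file
    if contains_eicar(data):
        return "eicar-embedded"   # loose rule flags it, strict rule does not
    return "clean"


# Constructed sample inputs covering the cases discussed in the thread.
SAMPLES = {
    "bare": EICAR_SIG,
    "trailing_newline": EICAR_SIG + b"\r\n",
    "prefixed": b"garbage " + EICAR_SIG,
    "suffixed_text": EICAR_SIG + b" appended text",
    "embedded": b"A" * 200 + EICAR_SIG + b"B" * 200,
}


def classify_all(samples=SAMPLES) -> dict:
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:18s} {verdict}")
```

Only "bare" and "trailing_newline" satisfy the strict rule; the other three are exactly the "signature in the middle of other data" cases, and which verdict a scanner should give them is the question the thread is arguing.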