[clamav-users] INSTREAM + eicar not well detected?
G.W. Haywood
clamav at jubileegroup.co.uk
Fri Mar 4 12:49:00 UTC 2022
Hi there,
Sorry, I should have spent more time looking into this.
On Fri, 4 Mar 2022, Tuomo Soini via clamav-users wrote:
> That is incorrectly detecting it. They must not detect the signature in the
> middle. That's clearly in the specification. A long time ago there was a big
> discussion about eicar detection, and at that time ClamAV got fixed not
> to incorrectly detect the eicar signature in the middle of other data.
The above is correct.
Among the third-party databases used here there's one called 'RFXN'.
This is part of 'Linux Malware Detect'
https://github.com/rfxn/linux-malware-detect
and was installed here by 'clamav-unofficial-sigs'
https://github.com/extremeshok/clamav-unofficial-sigs
8<----------------------------------------------------------------------
$ ls -l /EXPORTS/clamav/databases/rfxn*
-rw-r--r-- 1 clamav clamav 410441 Aug 17 2020 rfxn.yara
-rw-r--r-- 1 clamav clamav 451958 Mar 31 2021 rfxn.ndb
-rw-r--r-- 1 clamav clamav 866954 Feb 25 06:17 rfxn.hdb
8<----------------------------------------------------------------------
The signature which is detecting the modified EICAR string is in the
file 'rfxn.ndb':
{HEX}EICAR.TEST.3:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
This is a simple match of the 68-byte EICAR string. It fails to take
account of the EICAR specification change made in 2003 which requires
no detection by anti-virus products if anything other than a limited
number of what it calls 'whitespace' characters is appended to it.
In the RFXN signature there's no protection against detecting the
string within a string which contains non-whitespace characters.
I haven't dropped the signature here (I think this is the only time
it's detected anything) but it's clearly wrong. See for example
reference 7 at
https://en.wikipedia.org/wiki/EICAR_test_file
I've cc'd Mr. MacDonald at the address given on Github to inform him
of the erroneous match.
--
73,
Ged.
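Added example, not code from ClamAV, Linux Malware Detect or the original post: it parses the rfxn.ndb line quoted above (MalwareName:TargetType:Offset:HexSignature), decodes its hex body to recover the 68-byte EICAR string, and then compares what that signature does (offset '*', so the pattern may sit anywhere in the file) against the rule in the EICAR specification (the string must be the first 68 bytes, only space, tab, LF, CR and CTRL-Z may follow it, and the whole file may not exceed 128 bytes). All inputs other than the ndb line itself are constructed here for illustration; the ndb parser assumes a plain hex body with no ClamAV wildcards, which holds for this signature.

```python
# Added example (not ClamAV or LMD code): the RFXN ndb signature's
# match-anywhere behaviour versus the EICAR specification's rules.
# RFXN_NDB_LINE is the line quoted in the post; everything else is
# constructed here for illustration.

RFXN_NDB_LINE = (
    "{HEX}EICAR.TEST.3:0:*:"
    "58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d"
    "5354414e444152442d414e544956495255532d544553542d46494c452124482b482a"
)


def parse_ndb(line: str) -> dict:
    """Split a ClamAV .ndb line: MalwareName:TargetType:Offset:HexSignature.

    Assumes a plain hex body (no ?? or {n} wildcards), which is true of this
    particular signature.
    """
    name, target_type, offset, hexsig = line.strip().split(":", 3)
    return {
        "name": name,
        "target_type": int(target_type),  # 0 = any file type
        "offset": offset,                 # '*' = match at any offset
        "pattern": bytes.fromhex(hexsig),
    }


# Recover the 68-byte test string from the signature rather than typing it.
EICAR = parse_ndb(RFXN_NDB_LINE)["pattern"]

# Trailing bytes the EICAR specification permits after the 68-byte string:
# space, tab, LF, CR and CTRL-Z.  The whole file must not exceed 128 bytes.
EICAR_TRAILING = frozenset(b" \t\n\r\x1a")
EICAR_MAX_LEN = 128


def rfxn_match(data: bytes) -> bool:
    """What the ndb line does: offset '*', so the pattern may sit anywhere."""
    return EICAR in data


def spec_match(data: bytes) -> bool:
    """EICAR rule: string first, only permitted whitespace after it, <= 128 bytes."""
    if len(data) > EICAR_MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in EICAR_TRAILING for b in data[len(EICAR):])


def compare(samples: dict) -> dict:
    """Return {label: (rfxn_result, spec_result)} for each sample."""
    return {label: (rfxn_match(d), spec_match(d)) for label, d in samples.items()}


# Constructed inputs.  The last three are the cases the post is about: the
# string is present, but the file is not the EICAR test file.
SAMPLES = {
    "bare":       EICAR,
    "crlf":       EICAR + b"\r\n",
    "padded_128": EICAR + b" " * (EICAR_MAX_LEN - len(EICAR)),
    "padded_129": EICAR + b" " * (EICAR_MAX_LEN - len(EICAR) + 1),
    "suffixed":   EICAR + b"\n-- not the test file\n",
    "embedded":   b"Subject: test\r\n\r\n" + EICAR + b"\r\n",
}

if __name__ == "__main__":
    for label, (rfxn, spec) in compare(SAMPLES).items():
        print(f"{label:11} rfxn={str(rfxn):5} spec={spec}")
```

The first three samples are genuine EICAR files and both checks agree. For the other three the RFXN signature fires while the specification says a product must not detect them, which is exactly the mismatch the post describes.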