[clamav-users] clamdscan versus clamscan detection

Matus UHLAR - fantomas uhlar at fantomas.sk
Thu Mar 31 10:18:14 UTC 2022


On 31.03.22 11:02, Petr Jurášek via clamav-users wrote:
>https://www.mail-archive.com/clamav-users@lists.clamav.net/msg51769.html
>
>It's the same situation. The virus is detected, but the file is "clean"; you can 
>see it in the summary.

looks like that. I completely missed it.

% clamscan intamldeosreitlu.xls
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
/home/uhlar/intamldeosreitlu.xls: OK

Infected files: 0

% clamscan -z intamldeosreitlu.xls
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND

Infected files: 1

funny that the -z option causes clamdscan to find the file in subsequent scans:

% clamdscan intamldeosreitlu.xls
/home/uhlar/intamldeosreitlu.xls: OK

Infected files: 0

% clamdscan -z intamldeosreitlu.xls
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND

Infected files: 1

% clamdscan intamldeosreitlu.xls
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND

Infected files: 2



>On 31. 03. 22 at 10:55, Matus UHLAR - fantomas wrote:
>>I have received a file that is not detected by clamdscan, but is by 
>>clamscan:
>>
>>% clamdscan /home/uhlar/intamldeosreitlu.xls
>>/home/uhlar/intamldeosreitlu.xls: OK
>>
>>% clamscan /home/uhlar/intamldeosreitlu.xls
>>/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
>>/home/uhlar/intamldeosreitlu.xls: OK
>>
>>file permissions seem not to be the problem (file is publicly readable)
>>
>>This is a Debian 11 installation. I have regenerated clamd.conf via 
>>"dpkg-reconfigure clamav-daemon" and I can't find out which options 
>>to change to make clamdscan detect the file.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Windows found: (R)emove, (E)rase, (D)elete
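
A check for the inconsistency shown in this thread (a FOUND line followed by OK and "Infected files: 0"), as an added example that is not part of the original messages or of ClamAV: it parses scanner text output and treats any FOUND line as a detection, whatever the final status line or the summary says. The three sample outputs are copied from the transcripts above; the function and constant names are hypothetical.

```python
import re

# Per-file result line: "<path>: <signature> FOUND" or "<path>: OK"
RESULT = re.compile(r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|(?P<ok>OK))$")
SUMMARY = re.compile(r"^Infected files: (?P<n>\d+)$")

# Sample outputs taken from the thread (path and signature as posted there).
PATH = "/home/uhlar/intamldeosreitlu.xls"
SIG = "Doc.Downloader.Qbot03222-9942295-0"
PLAIN = f"{PATH}: {SIG} FOUND\n{PATH}: OK\n\nInfected files: 0\n"
ALLMATCH = f"{PATH}: {SIG} FOUND\n{PATH}: {SIG} FOUND\n\nInfected files: 1\n"
REPEAT = f"{PATH}: {SIG} FOUND\n{PATH}: {SIG} FOUND\n\nInfected files: 2\n"

def audit(output):
    """Return (detections, problems) for clamscan/clamdscan text output."""
    detections = {}    # path -> set of signature names seen on FOUND lines
    last_status = {}   # path -> last status printed for that path
    reported = None    # value of the "Infected files:" summary line, if any
    for line in output.splitlines():
        line = line.strip()
        m = RESULT.match(line)
        if m:
            path = m.group("path")
            if m.group("sig"):
                detections.setdefault(path, set()).add(m.group("sig"))
                last_status[path] = "FOUND"
            else:
                last_status[path] = "OK"
            continue
        m = SUMMARY.match(line)
        if m:
            reported = int(m.group("n"))
    problems = []
    for path in detections:
        if last_status[path] == "OK":
            problems.append(f"{path}: FOUND line followed by OK")
    if reported is not None and reported != len(detections):
        problems.append(f"summary reports {reported} infected, "
                        f"FOUND lines name {len(detections)} file(s)")
    return detections, problems

if __name__ == "__main__":
    for name, text in (("clamscan", PLAIN), ("-z", ALLMATCH), ("repeat", REPEAT)):
        found, issues = audit(text)
        print(name, sorted(found), issues or "consistent")
```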

