Yes, I think we all knew most of that from the OP. Is "Sample ID 33522083" an internal reference number of some sort and exactly what is being researched?
I think the only question remaining is why is the "Eicar-Test-Signature" now being ignored?
-Al-
On Mon, Feb 10, 2020 at 11:01 AM, David Raynor wrote:
So the "testfile" is Sample ID 33522083, which is 44d88612fea8a8f36de82e1278abb02f and 68 bytes. Researching.
Dave R.
A bit of a guess on my part, but since the hash values for both signatures are identical, normally only the first one encountered would be reported.
Looks like daily-25717 added one signature to the ignore list, which is where my guess that it was “Eicar-Test-Signature” comes in. That would cause the second signature to be the one now reported.
Maybe the signature staff can comment on if and why Eicar is now ignored, and if it is allowed to continue, perhaps you’ll need to modify your code tests somehow.
-Al-
> On Feb 7, 2020, at 22:44, WagdeZ via clamav-users <clamav-users@lists.clamav.net> wrote:
>
>
> The eicarcom2.zip was always identified with:
> LibClamAV debug: FP SIGNATURE: 44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
> but for some reason after the last DB update:
> main.cvd is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
> daily.cvd is up to date (version: 25717, sigs: 2177826, f-level: 63, builder: raynman)
> bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
> it is recognized as:
> LibClamAV debug: FP SIGNATURE: 44d88612fea8a8f36de82e1278abb02f:68:Clamav.Test.File-7
> and it causes some failure in my code tests
> What am I missing?
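
An added example, not part of the original thread and not ClamAV project code: one way a test can stay stable across the rename discussed above is to key on the hash and size in the debug line rather than on the signature name. The function names and the sample lists are hypothetical; the hash, size and line format are the ones quoted in the thread.

```python
import re

# Hash and size of the test file as quoted in the thread above.
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"
EICAR_SIZE = 68

# Matches the libclamav debug line format shown in the thread:
#   LibClamAV debug: FP SIGNATURE: <md5>:<size>:<signature name>
FP_LINE = re.compile(
    r"FP SIGNATURE:\s*(?P<md5>[0-9a-fA-F]{32}):(?P<size>\d+):(?P<name>\S.*?)\s*$"
)

def parse_fp_signature(line):
    """Return (md5, size, name) from a debug line, or None if it is not one.
    (Hypothetical helper; search() tolerates prefixes such as a quoted '> '.)"""
    m = FP_LINE.search(line)
    if m is None:
        return None
    return m.group("md5").lower(), int(m.group("size")), m.group("name")

def eicar_detections(log_lines):
    """Names under which the test file was reported, matched on hash and size
    so that a change of signature name does not fail the check."""
    names = []
    for line in log_lines:
        parsed = parse_fp_signature(line)
        if parsed is None:
            continue
        md5, size, name = parsed
        if md5 == EICAR_MD5 and size == EICAR_SIZE:
            names.append(name)
    return names

# Constructed samples built from the lines quoted in the thread.
SAMPLE_BEFORE = [
    "LibClamAV debug: FP SIGNATURE: 44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature",
]
SAMPLE_AFTER = [
    "daily.cvd is up to date (version: 25717, sigs: 2177826, f-level: 63, builder: raynman)",
    "LibClamAV debug: FP SIGNATURE: 44d88612fea8a8f36de82e1278abb02f:68:Clamav.Test.File-7",
]

if __name__ == "__main__":
    for label, lines in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        hits = eicar_detections(lines)
        print(label, "detected" if hits else "MISSED", hits)
```
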