Thank you for your answer.
I'm using the Windows clamd release 0.104.2.
I have double-checked with Wireshark and the data sent is OK.

Suppose I just send: char *eicarTest = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
Result is OK: instream(local): Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND

Then I send: char *eicarTest = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*hjyhj";
(5 more characters)
Result is not OK: instream(local): OK

Perhaps the Windows clamd release works differently than the Linux release?

Thank you



On Wed, 2 Mar 2022 at 15:03, G.W. Haywood via clamav-users (<clamav-users@lists.clamav.net>) wrote:
Hi there,

On Wed, 2 Mar 2022, Jorge Elissalde via clamav-users wrote:

> I'm using clamd to make a large data scanning using INSTREAM ...
> If I send only one INSTREAM chunk with EICAR inside it is correctly
> detected, but if I send several chunks plus EICAR string, it is not
> ...
> char *eicarTest =
> "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
> char *junkData = "89jsdkfj";
> ...
> ... plus the 0 length chunk to finish..
>
> In that case it is not detected, clamd says: instream(local): OK
>
> Does it make any sense? I will appreciate any help.

Well it sort of makes sense. :/

I use INSTREAM all the time in my milters.  If I do the same thing
as you with my homebrew Perl library, I see the expected detection:

8<----------------------------------------------------------------------
$ cat --show-nonprinting eicar_mod.tst
zINSTREAM^@^@^@^D^LX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*89jsdkfj^@^@^@^@^@
$ ./tempscan.pl eicar_mod.tst
Sent [96] bytes to clamd...
Reply is [stream: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND]
$
8<----------------------------------------------------------------------

Maybe you aren't sending what you think you're sending?  You could use
something like tcpdump to see exactly what is 'going down the wire'.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
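
Added example (not code from either poster or from the ClamAV project): a C helper that builds the byte stream clamd's INSTREAM command expects, namely the NUL-terminated `zINSTREAM` command, each chunk prefixed by its length as a 4-byte big-endian integer, then a zero-length chunk. The names `instream_frame`, `put_be32` and `SAMPLE` are hypothetical; the sample payload is the test string and junk suffix quoted in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: the test string from the thread plus its junk suffix. */
static const char SAMPLE[] =
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" "89jsdkfj";

/* INSTREAM chunk lengths are 32-bit unsigned, network byte order (big-endian). */
static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Frame `len` bytes as one INSTREAM session, split into chunks of at most
 * `chunk` bytes. Returns bytes written, or 0 on bad arguments / small buffer. */
size_t instream_frame(const void *data, size_t len, size_t chunk,
                      unsigned char *out, size_t cap)
{
    static const char cmd[] = "zINSTREAM";  /* sizeof counts the trailing NUL */
    const unsigned char *src = data;
    size_t n = sizeof cmd;

    if (chunk == 0 || (uint64_t)chunk > UINT32_MAX || cap < sizeof cmd)
        return 0;
    memcpy(out, cmd, sizeof cmd);
    while (len > 0) {
        size_t take = len < chunk ? len : chunk;
        if (cap - n < 4 + take)
            return 0;
        put_be32(out + n, (uint32_t)take);  /* length prefix for this chunk */
        memcpy(out + n + 4, src, take);
        n += 4 + take;
        src += take;
        len -= take;
    }
    if (cap - n < 4)
        return 0;
    put_be32(out + n, 0);                   /* zero-length chunk ends the stream */
    return n + 4;
}

int main(void)
{
    unsigned char buf[256];
    size_t n = instream_frame(SAMPLE, strlen(SAMPLE), 68, buf, sizeof buf);
    printf("%zu bytes framed, first chunk length %u\n", n, (unsigned)buf[13]);
    return 0;
}
```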