I have the same result using Linux clamd release 0.104.2
#/usr/local/sbin# ./clamd --ver
ClamAV 0.104.2/26470/Thu Mar  3 06:49:16 2022

The code just adds a simple '=' character at the end of the chunk and detection fails.

#!/usr/bin/perl
# Send the EICAR string, with one '=' appended, to clamd via INSTREAM.

use strict;
use warnings;
use IO::Socket;
use Time::HiRes qw(usleep);   # usleep() is not a Perl builtin

my $peer = 'localhost'; # '172.20.0.165';
my $port = '3310';
my $clamScan;

if (!($clamScan = IO::Socket::INET->new(Proto=>'tcp', PeerAddr=>$peer, PeerPort=>$port)))
{
    print("Cannot connect to ClamAV\n");
    exit;
}
print $clamScan "nINSTREAM\n";

# The '=' belongs inside the quotes; outside them it is a Perl syntax error.
my $chunk = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*=';

# Each INSTREAM chunk is a 4-byte big-endian length followed by the data.
my $chlen = pack('N', length($chunk));
print $clamScan $chlen . $chunk;

# A zero-length chunk terminates the stream.
$chlen = pack('N', 0);
print $clamScan $chlen;

my $reply_timeout = 10_000;
my $reply = "";
while (!$reply && $reply_timeout)
{
    if (!($reply = <$clamScan>))
    {
        usleep(1_000_000);   # one second per retry
        $reply_timeout--;
        if (!$reply_timeout)
        {
            print("TIMEOUT\n");
            $reply = 'TIMEOUT';
        }
    }
}

print $reply;   # print, not printf: the reply is data, not a format string

close $clamScan;
---------------------------------


It doesn't work for me.
Thank you!




On Thu, 3 Mar 2022 at 08:03, G.W. Haywood via clamav-users (<clamav-users@lists.clamav.net>) wrote:
Hi there,

On Wed, 2 Mar 2022, Jorge Elissalde via clamav-users wrote:

> I have made another test using clamdscan.
> If I scan a file with just the EICAR string the detection is fine.
> If I modify that file adding a single character, the detection fails.
>
> clamdscan file ( file content: X5O!P%@AP
> [4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*)
> Infected files: 1
>
> clamdscan file ( file content:
> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*=
> )
> Infected files: 0
>
> (second test has a '=' added at the end)

It seems to me that in your second test there is more than just one
single character appended, but when I do what you say you're doing I
see the results which I expect.

There are 68 characters in the original eicar file and 69 in the file
which has the extra '=' character appended:

8<----------------------------------------------------------------------
ged@pi4b530214:~ $ diff eicar.orig eicar.single_character_appended
1c1
< X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
\ No newline at end of file
---
> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*=
\ No newline at end of file
ged@pi4b530214:~ $
8<----------------------------------------------------------------------

The harness tells me that it has sent 68 characters from the file to
clamd when I send the original eicar file, and 69 characters when it
sends the modified file.  This gives me confidence that it's sent what
I think it's sent.

Here is the output that I see from my little harness for the original:

8<----------------------------------------------------------------------
ged@pi4b530214:~ $ ./tempscan.pl eicar.orig
filename=[eicar.orig]
Sent [68] bytes to clamd...
REPLY IS [stream: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND]
8<----------------------------------------------------------------------

Here it is for the modified file:

8<----------------------------------------------------------------------
ged@pi4b530214:~ $ ./tempscan.pl eicar.single_character_appended
filename=[eicar.single_character_appended]
Sent [69] bytes to clamd...
REPLY IS [stream: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND]
8<----------------------------------------------------------------------

I don't think the difference in behaviour would be explained by the
fact that you're using Windows - but I was wrong before, once. :)

Perhaps you can post the output of 'clamconf -n' and the source of the
program that you're using to send the file if it's reasonably compact.
The executable wouldn't be much use to me, although I could spin up a
VM if absolutely necessary.

If you have Perl on your computer you might want to try this script; I
hope your mail client doesn't mangle the lines too much, there are 47
lines in the script.

8<----------------------------------------------------------------------
File name: tempscan.pl
8<----------------------------------------------------------------------
#!/usr/bin/perl
# Send a file to clamd.
# usage: tempscan.pl <filename>
use strict;
use IO::Socket;
use File::Slurp;
use Time::HiRes qw(usleep);       # usleep() is not a Perl builtin
# Make sure the IP address and port number suit your clamd setup!
my $peer_addr = '127.0.0.1';
my $peer_port = '3310';
my $filename = $ARGV[0];
print( "filename=[$filename]\n" );
my $clam1;
if( ! ($clam1 = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$peer_addr,PeerPort=>$peer_port)))
{
     printf( "Failed to connect to ClamAV daemon on [%s:%s]\n", $peer_addr, $peer_port );
     exit;
}
my $remaining = read_file( $filename, binmode => ':raw' );   # raw bytes, no newline translation
my $part_length = length($remaining);
print $clam1 "nINSTREAM\n";
while( $remaining )               # Send in chunks, maximum 65535 bytes per chunk.
{
     my $chunk = substr( $remaining, 0, 65_535, '' ) ;
     my $chunk_length = pack( 'N', length( $chunk ) );   # 4-byte big-endian length prefix
     print( $clam1 $chunk_length . $chunk );
     printf( "Sent [%d] bytes to clamd...\n", length($chunk) );
}
print $clam1 pack( 'N', 0 );      # The terminating zero-length chunk ends the data.
my $reply_timeout = 10_000;
my $reply = '';
while( !$reply && $reply_timeout )
{
     if( ! ($reply = <$clam1>) )
     {
         usleep( 1_000_000 );
         $reply_timeout--;
         if( ! $reply_timeout )
         {
             print( "TIMEOUT waiting for response from clamd\n" );
             $reply = 'TIMEOUT';
         }
     }
}
close $clam1;
chomp $reply;
printf( "REPLY IS [%s]\n", $reply );
8<----------------------------------------------------------------------

HTH

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
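Added note and example (not part of the thread, and not ClamAV's own code). Both Perl harnesses above speak clamd's INSTREAM protocol: the client sends the command, then the data as chunks each prefixed by a 4-byte big-endian length, then a zero length to terminate, and reads back one reply of the form `stream: <name> FOUND`, `stream: OK` or `stream: <text> ERROR`. The Python script below does the same framing, split into functions that can be checked without a running clamd, and adds the caveat the thread's two results hint at: `{HEX}EICAR.TEST.3.UNOFFICIAL` is a third-party byte-pattern signature (ClamAV appends `.UNOFFICIAL` to names loaded from non-official databases), which matches the EICAR bytes wherever they occur, whereas stock ClamAV detects EICAR with a hash-database entry keyed on the MD5 and size of the exact 68-byte file, which any appended byte defeats. The host and port (127.0.0.1:3310, as in the thread), the 65535-byte chunk size, and the hdb-style entry computed in the script are assumptions or constructed for the example.

```python
"""
Added example (not code from the thread): a minimal clamd INSTREAM client in
Python, with the stream framing and reply parsing separated out so they can
be checked offline, plus two toy matchers showing why a hash signature stops
matching when one byte is appended while a byte-pattern signature does not.
Assumptions: clamd on 127.0.0.1:3310; chunk size and hdb-style entry below
are constructed for the example.
"""
from __future__ import annotations

import hashlib
import socket
import struct

# The standard EICAR test string (68 bytes, no trailing newline).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Chunk size used by the Perl harness in the thread (assumption: clamd itself
# only caps the total stream size via StreamMaxLength).
CHUNK_SIZE = 65_535


def frame_instream(data: bytes, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Frame `data` as clamd expects after the INSTREAM command: each chunk is
    a 4-byte big-endian length followed by the chunk bytes, and a zero length
    terminates the stream.  Framing does not depend on content, so a trailing
    '=' simply makes the chunk one byte longer."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    out = bytearray()
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk   # same as Perl pack('N', ...)
    out += struct.pack(">I", 0)                         # terminator: zero-length chunk
    return bytes(out)


def parse_reply(reply: bytes) -> tuple[str, str | None]:
    """Parse a clamd INSTREAM reply such as b'stream: Eicar-Test-Signature FOUND\\n'
    or b'stream: OK\\0'.  Returns (status, detail) with status in
    {'FOUND', 'OK', 'ERROR'}; detail is the signature name or error text."""
    text = reply.rstrip(b"\n\0").decode("ascii", "replace")
    prefix = "stream: "
    if not text.startswith(prefix):
        raise ValueError(f"unexpected clamd reply: {text!r}")
    body = text[len(prefix):]
    if body == "OK":
        return ("OK", None)
    for status in ("FOUND", "ERROR"):
        if body.endswith(" " + status):
            return (status, body[:-(len(status) + 1)])
    raise ValueError(f"unexpected clamd reply: {text!r}")


def scan_instream(data: bytes, host: str = "127.0.0.1", port: int = 3310,
                  timeout: float = 30.0) -> tuple[str, str | None]:
    """Send `data` to clamd over TCP with the 'z'-prefixed INSTREAM command
    (NUL-terminated reply) and return the parsed verdict.  Needs a live clamd."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"zINSTREAM\0" + frame_instream(data))
        reply = bytearray()
        while not reply.endswith(b"\0"):
            buf = sock.recv(4096)
            if not buf:
                break                      # clamd closed the connection
            reply += buf
    return parse_reply(bytes(reply))


# --- Why one appended byte can matter: two toy signature matchers -----------

def hash_signature_matches(data: bytes, md5_hex: str, size: int) -> bool:
    """A ClamAV .hdb entry (md5:size:name) matches only a file with exactly
    that MD5 and size, so appending one byte defeats it."""
    return len(data) == size and hashlib.md5(data).hexdigest() == md5_hex


def pattern_signature_matches(data: bytes, pattern: bytes) -> bool:
    """A body-based (hex) signature matches the byte pattern wherever it
    occurs, so extra bytes around it do not matter."""
    return pattern in data


# Constructed hdb-style entry for the stock EICAR string, computed from the
# string itself rather than hard-coded.
EICAR_HDB = (hashlib.md5(EICAR).hexdigest(), len(EICAR))


def eicar_verdicts(data: bytes) -> dict[str, bool]:
    """Run both toy matchers on `data` and report which would fire."""
    return {
        "hash": hash_signature_matches(data, *EICAR_HDB),
        "pattern": pattern_signature_matches(data, EICAR),
    }


if __name__ == "__main__":
    for sample in (EICAR, EICAR + b"="):
        print(len(sample), "bytes:", eicar_verdicts(sample))
    # With a running clamd on 127.0.0.1:3310:
    # print(scan_instream(EICAR + b"="))
```

Running the script offline prints that the hash matcher fires only for the 68-byte string while the pattern matcher fires for both; against a real clamd, `scan_instream` sends exactly the bytes the Perl harnesses send, so comparing its verdict for the 68- and 69-byte inputs tells you whether the installed signature set contains a pattern-based EICAR signature or only the hash-based one.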