Hi,

Thank you for your answer.

I think the issue is in the Windows clamd release.

I made a tiny perl code based on your, running over Linux and connecting to Clamd running on Windows.

Code is as follows:

#!/usr/bin/perl

use strict;
use IO::Socket;

my $peer = '172.20.0.165';
my $port = '3310';
my $clamScan;

if (!($clamScan = IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$peer,PeerPort=>$port)))
{ printf ("Cannot connect to ClamAV");
exit;
}
print $clamScan "nINSTREAM\n";

my $chunk = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*';

my $chlen = pack('N', length($chunk));
print $clamScan $chlen . $chunk;

$chlen = pack('N',0);
print $clamScan $chlen;

close $clamScan;

------

That code correctly reports EICAR:

instream(172.20.0.170@41836): Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND

If I modify the $chunk var, adding several chars, detection fails:

my $chunk = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*kkkkkk';

instream(172.20.0.170@41838): OK

I'm going to install Clamd Linux version and test it again, but everything here means that Windows clamd is not well working.

Thank you very much!

El jue, 3 mar 2022 a las 8:03, G.W. Haywood via clamav-users (<clamav-users@lists.clamav.net>) escribió:

Hi there,

On Wed, 2 Mar 2022, Jorge Elissalde via clamav-users wrote:

> I have made another test using clamdscan.
> If I scan a file with just the EICAR string the detection is fine.
> If I modify that file adding a single character, the detection fails.
>
> clamdscan file ( file content: X5O!P%@AP
> [4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*)
> Infected files: 1
>
> clamdscan file ( file content:
> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*=
> )
> Infected files: 0
>
> (second test has a '=' added at the end)

It seems to me that in your second test there is more than just one
single character appended, but when I do what you say you're doing I
see the results which I expect.

There are 68 characters in the original eicar file and 69 in the file
which has the extra '=' character appened:

8<----------------------------------------------------------------------
ged@pi4b530214:~ $ diff eicar.orig eicar.single_character_appended
1c1
< X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
\ No newline at end of file
---
> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*=
\ No newline at end of file
ged@pi4b530214:~ $
8<----------------------------------------------------------------------

The harness tells me that it has sent 68 characters from the file to
clamd when I send the original eicar file, and 69 characters when it
sends the modified file. This gives me confidence that it's sent what
I think it's sent.

Here is the output that I see from my little harness for the original:

8<----------------------------------------------------------------------
ged@pi4b530214:~ $ ./tempscan.pl eicar.orig
filename=[eicar.orig]
Sent [68] bytes to clamd...
REPLY IS [stream: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND]
8<----------------------------------------------------------------------

Here it is for the modified file:

8<----------------------------------------------------------------------
ged@pi4b530214:~ $ ./tempscan.pl eicar.single_character_appended
filename=[eicar.single_character_appended]
Sent [69] bytes to clamd...
REPLY IS [stream: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND]
8<----------------------------------------------------------------------

I don't think the difference in behaviour would be explained by the
fact that you're using Windows - but I was wrong before, once. :)

Perhaps you can post the output of 'clamconf -n' and the source of the
program that you're using to send the file if it's reasonably compact.
The executable wouldn't be much use to me, although I could spin up a
VM if absolutely necessary.

If you have Perl on your computer you might want to try this script; I
hope your mail client doesn't mangle the lines too much, there are 47
lines in the script.

8<----------------------------------------------------------------------
File name: tempscan.pl
8<----------------------------------------------------------------------
#!/usr/bin/perl
# Send a file to clamd.
# usage: tempscan.pl <filename>
use strict;
use IO::Socket;
use File::Slurp;
# Make sure the IP address and port number suit your clamd setup!
my $peer_addr = '127.0.0.1';
my $peer_port = '3310';
my $filename = $ARGV[0];
printf( "filename=[$filename]\n" );
my $clam1;
if( ! ($clam1 = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$peer_addr,PeerPort=>$peer_port)))
{
printf( 'Failed to connect to ClamAV daemon on [%s:%s]', $peer_addr, $peer_port );
exit;
}
my $remaining = read_file( $filename );
my $part_length = length($remaining);
print $clam1 "nINSTREAM\n";
while( $remaining ) # Send in chunks, maximum 65535 bytes per chunk.
{
my $chunk = substr( $remaining, 0, 65_535, '' ) ;
my $chunk_length = pack( 'N', length( $chunk ) );
print( $clam1 $chunk_length . $chunk );
printf( "Sent [%d] bytes to clamd...\n", length($chunk) );
}
my $terminator = pack( 'N', 0 );
print $clam1 $terminator,"\n"; # The terminating null for the data.
my $reply_timeout = 10_000;
my $reply = '';
while( !$reply && $reply_timeout )
{
if( ! ($reply = <$clam1>) )
{
usleep( 1_000_000 );
$reply_timeout--;
if( ! $reply_timeout )
{
print( "TIMEOUT waiting for response from clamd\n" );
$reply = 'TIMEOUT';
}
}
}
close $clam1;
chomp $reply;
printf( "REPLY IS [%s]\n", $reply );
8<----------------------------------------------------------------------

HTH

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml