[Community-sigs] False negative with Eicar
Ivan Kwiatkowski
ivan at kwiatkowski.fr
Sat Jun 4 10:26:39 EDT 2016
Hello everyone,
I'm not sure this is the right place to report this, but I've noticed that one of the EICAR test files I'm using is not being detected correctly by ClamAV anymore.
Instead, the file is reported as "Win.Trojan.Trojan-1082". I'm putting the following string in a binary to trigger a detection [1] (sorry for the external link, but I'm afraid of how ClamAV mail filters will react if I put the signature in this e-mail).
I've looked into the daily signatures and I've noticed that there are two rules matching this base64 string, Eicar-Test-Signature-1 and Win.Trojan.Trojan-1082. For the latter, the signature excludes samples containing another string. It seems to me, however, that EICAR test files should still be recognized as such, and that the new rule needs to be either perfected or deleted. Is there a specific process I can follow to contest a ClamAV signature?
Regards,
Ivan
[1]: https://github.com/JusticeRage/Manalyze/blob/master/test/testfiles/manatest_src/manatest.cpp#L31
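A small regression check for the situation described in this report, added here as an example and not part of the original message or of ClamAV: it parses clamscan's per-file verdict lines and flags any EICAR test file whose verdict is not an Eicar-Test-Signature hit (reported clean, or reported under an unrelated name such as Win.Trojan.Trojan-1082). The sample output and file paths are constructed, and the signature-name prefix is an assumption.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# clamscan prints one line per file: "<path>: <signature> FOUND" or "<path>: OK".
VERDICT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|OK)$")

# Assumed prefix of the acceptable verdicts for an EICAR test file.
EICAR_PREFIX = "Eicar-Test-Signature"


def parse_clamscan_output(output: str) -> Dict[str, str]:
    """Map each scanned path to its signature name, or "OK" when clean."""
    verdicts: Dict[str, str] = {}
    for line in output.splitlines():
        m = VERDICT_RE.match(line.strip())
        if not m:
            continue  # summary block, warnings, blank lines
        verdicts[m.group("path")] = m.group("sig") or "OK"
    return verdicts


def eicar_regressions(verdicts: Dict[str, str], eicar_paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, verdict) for each expected EICAR file not reported under EICAR_PREFIX.

    A file reported clean, not scanned at all, or reported under an unrelated
    signature is treated the same way: the test file no longer behaves as one.
    """
    return [
        (p, verdicts.get(p, "NOT SCANNED"))
        for p in eicar_paths
        if not verdicts.get(p, "").startswith(EICAR_PREFIX)
    ]


def run_clamscan(paths: List[str]) -> str:
    """Scan the given paths with clamscan (needs it on PATH) and return its stdout."""
    proc = subprocess.run(["clamscan", "--no-summary", "--stdout", *paths],
                          capture_output=True, text=True, check=False)  # exit 1 = something found
    return proc.stdout


# Constructed sample output shaped like the case reported above.
SAMPLE_OUTPUT = """\
/srv/test/eicar.com: Eicar-Test-Signature-1 FOUND
/srv/test/manatest.exe: Win.Trojan.Trojan-1082 FOUND
/srv/test/clean.bin: OK
----------- SCAN SUMMARY -----------
"""

if __name__ == "__main__":
    v = parse_clamscan_output(SAMPLE_OUTPUT)
    for path, sig in eicar_regressions(v, ["/srv/test/eicar.com", "/srv/test/manatest.exe"]):
        print(f"regression: {path} reported as {sig}")
```

Replace SAMPLE_OUTPUT with run_clamscan([...]) to check a local signature update before rolling it out.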