[Community-sigs] False positive and negative with Eicar
Ivan Kwiatkowski
ivan at kwiatkowski.fr
Thu Jun 9 13:34:21 EDT 2016
Hello everyone,

I'm not sure this is the right place to report this, but I've noticed that one of the EICAR test files I'm using is not being detected correctly by ClamAV anymore. Instead, the file is reported as "Win.Trojan.Trojan-1082". I'm putting the following string in a binary to trigger a detection[1] (sorry for the external link, but I'm afraid of how ClamAV mail filters will react if I put the signature in this e-mail).

I've looked into the daily signatures and I've noticed that there are two rules matching this base64 string, Eicar-Test-Signature-1 and Win.Trojan.Trojan-1082. For the latter, the signature excludes samples containing another string. It seems to me, however, that EICAR test files should still be recognized as such, and that the new rule needs to be either perfected or deleted. Is there a specific process I can follow to contest a ClamAV signature?

Regards,
Ivan

[1]: https://github.com/JusticeRage/Manalyze/blob/master/test/testfiles/manatest_src/manatest.cpp#L31