I got some new information. The test files came from Cybercom, and all the other
test files they sent us were blocked. I think that clamd removes the virus,
reports OK back, and translates the stream from PDF 1.4 to PDF 1.5, because
if I open the two files in a hex editor their headers are not the same and the row
containing the virus is gone. Could clamd have done this?
> From: philip.andersson...@live.se
> To: clamav-users@lists.clamav.net
> Date: Wed, 25 May 2016 08:54:55 +0200
> Subject: [clamav-users] FW: Problem with setup
>
> > From: philip.andersson...@live.se
> > To: clamav-users@lists.clamav.net
> > Date: Tue, 24 May 2016 19:17:42 +0200
> > Subject: Re: [clamav-users] Problem with setup
> >
> > The Eicar virus is stopped (a colleague of mine tested it), but this PDF
> > virus is still slinking through (CVE-2010-1240).
> >
> > I know that this virus is old, but because of old systems on end users' machines it is
> > still a risk. clamdscan picks it up though, as noted before. I can't see the
> > socket output right now, but the regular output is dead silent: only start-up
> > things and database updates. The last row is the clamdscan output. It runs
> > against the same output file.
> >
> > Tue May 24 12:45:30 2016 -> +++ Started at Tue May 24 12:45:30 2016
> > Tue May 24 12:45:30 2016 -> Received 0 file descriptor(s) from systemd.
> > Tue May 24 12:45:30 2016 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
> > Tue May 24 12:45:30 2016 -> Log file size limited to 104857600 bytes.
> > Tue May 24 12:45:30 2016 -> Reading databases from /program/clamav_new/database
> > Tue May 24 12:45:30 2016 -> Not loading PUA signatures.
> > Tue May 24 12:45:30 2016 -> Bytecode: Security mode set to "TrustSigned".
> > Tue May 24 12:45:38 2016 -> Loaded 4383889 signatures.
> > Tue May 24 12:45:39 2016 -> TCP: Bound to [0.0.0.0]:3310
> > Tue May 24 12:45:39 2016 -> TCP: Setting connection queue length to 200
> > Tue May 24 12:45:39 2016 -> LOCAL: Unix socket file /tmp/clamd.socket
> > Tue May 24 12:45:39 2016 -> LOCAL: Setting connection queue length to 200
> > Tue May 24 12:45:39 2016 -> Limits: Global size limit set to 104857600 bytes.
> > Tue May 24 12:45:39 2016 -> Limits: File size limit set to 41943040 bytes.
> > Tue May 24 12:45:39 2016 -> Limits: Recursion level limit set to 16.
> > Tue May 24 12:45:39 2016 -> Limits: Files limit set to 10000.
> > Tue May 24 12:45:39 2016 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
> > Tue May 24 12:45:39 2016 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
> > Tue May 24 12:45:39 2016 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
> > Tue May 24 12:45:39 2016 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
> > Tue May 24 12:45:39 2016 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
> > Tue May 24 12:45:39 2016 -> Limits: MaxPartitions limit set to 50.
> > Tue May 24 12:45:39 2016 -> Limits: MaxIconsPE limit set to 100.
> > Tue May 24 12:45:39 2016 -> Limits: MaxRecHWP3 limit set to 16.
> > Tue May 24 12:45:39 2016 -> Limits: PCREMatchLimit limit set to 10000.
> > Tue May 24 12:45:39 2016 -> Limits: PCRERecMatchLimit limit set to 5000.
> > Tue May 24 12:45:39 2016 -> Limits: PCREMaxFileSize limit set to 26214400.
> > Tue May 24 12:45:39 2016 -> Archive support enabled.
> > Tue May 24 12:45:39 2016 -> Algorithmic detection enabled.
> > Tue May 24 12:45:39 2016 -> Portable Executable support enabled.
> > Tue May 24 12:45:39 2016 -> ELF support enabled.
> > Tue May 24 12:45:39 2016 -> Mail files support enabled.
> > Tue May 24 12:45:39 2016 -> OLE2 support enabled.
> > Tue May 24 12:45:39 2016 -> PDF support enabled.
> > Tue May 24 12:45:39 2016 -> SWF support enabled.
> > Tue May 24 12:45:39 2016 -> HTML support enabled.
> > Tue May 24 12:45:39 2016 -> XMLDOCS support enabled.
> > Tue May 24 12:45:39 2016 -> HWP3 support enabled.
> > Tue May 24 12:45:39 2016 -> Self checking every 600 seconds.
> > Tue May 24 12:55:54 2016 -> SelfCheck: Database status OK.
> > Tue May 24 13:13:18 2016 -> SelfCheck: Database status OK.
> > Tue May 24 13:23:18 2016 -> SelfCheck: Database status OK.
> > Tue May 24 13:33:18 2016 -> SelfCheck: Database status OK.
> > Tue May 24 13:43:18 2016 -> SelfCheck: Database status OK.
> > Tue May 24 13:53:18 2016 -> SelfCheck: Database status OK.
> > Tue May 24 13:58:29 2016 -> /nfshome/66118710/clam/cybercom_pentest2.pdf: Win.Trojan.MSShellcode-7(0fefca28d5c5509397979d86c4e8d1cb:95307) FOUND
> >
> > Output from clamdscan:
> > $ /program/clamav_new/clamav/bin/clamdscan -c /program/clamav_new/clamav/etc/clamd-A1.conf /nfshome/66118710/clam/cybercom_pentest2.pdf
> > /nfshome/66118710/clam/cybercom_pentest2.pdf: Win.Trojan.MSShellcode-7 FOUND
> >
> > ----------- SCAN SUMMARY -----------
> > Infected files: 1
> > Time: 0.047 sec (0 m 0 s)
> >
> >
> > > To: clamav-users@lists.clamav.net
> > > From: cla...@cosis.dk
> > > Date: Tue, 24 May 2016 16:52:22 +0200
> > > Subject: Re: [clamav-users] Problem with setup
> > >
> > >
> > >
> > > On 05/24/2016 04:29 PM, Philip Andersson wrote:
> > > > I know that the setup has worked before, but the test virus is new and
> > > > the ClamAV version is new. The plugins are written by me and used in a
> > > > small MTS application.
> > > >
> > > > I am not reading the log file but the output stream from clamd; they are two
> > > > different things.
> > > >
> > > > I just wonder how clamd is missing a virus that clamdscan picks up
> > > > when using the same settings and the same database.
> > > > Is there a difference in the way they work?
> > > >
> > > >
> > > > _________
> > > You could have saved us all a lot of time if only you had given us that
> > > information up front.
> > >
> > > With the new ClamAV version, does it detect the standard Eicar test
> > > virus? (Sent as an attachment, e.g. Eicar.com.)
> > >
> > > Could you provide the output from clamd when injecting the infected
> > > PDF file? (All output please, log and socket.)
> > >
> > > Also, the output from clamscan processing the same file would be useful.
> > >
> > > Best regards
> > > Michael
> > >
> > >
> > >
> > > _______________________________________________
> > > Help us build a comprehensive ClamAV guide:
> > > https://github.com/vrtadmin/clamav-faq
> > >
> > > http://www.clamav.net/contact.html#ml