Jorge Elissalde via clamav-users wrote:
Thank you for your answer.
I'm using Windows clamd release 0.104.2
I have double checked with wireshark and the data sent is ok.
suppose I just send: char *eicarTest =
"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
Result is ok: instream(local):
Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND
then I send: char *eicarTest =
"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*hjyhj"
(5 more characters)
Result is not ok: instream(local): OK
Perhaps the Windows clamd release works differently than the Linux release?
This got me curious, because this is the canonical test "virus" (does
this actually still run on modern Windows?) that should be detected by
any AV software in existence. I started wondering if the official stock
Eicar signatures were hash signatures instead of one of the
pattern-based types.
And so they are:
kdeugau@ele:$ sigtool --find-sigs Eicar
[daily.mdu] 45056:3ea7d00dedd30bcdf46191358c36ffa4:Eicar-Test-Signature
[daily.msb] 45056:f9b304ced34fcce3ab75c6dc58ad59e4d62177ffed35494f79f09bc4e8986c16:Eicar-Test-Signature
[daily.hsb] 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f:68:Eicar-Test-Signature
[daily.hsu] 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f:68:Eicar-Test-Signature
[daily.hdu] 44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
[daily.msu] 45056:f9b304ced34fcce3ab75c6dc58ad59e4d62177ffed35494f79f09bc4e8986c16:Eicar-Test-Signature
[daily.ldb] Win.Dropper.Eicar-9892650-0;Engine:106-255,Target:1;0&1&2;4d535642564d{2}2e444c4c::i;56423521f01f{28}0a00{16}00f0300000ffffff08000000010000000100;499257354f8ce4499f7d1f926dd38d28
[daily.hdb] 44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
[daily.mdb] 45056:3ea7d00dedd30bcdf46191358c36ffa4:Eicar-Test-Signature
[daily.mdb] 15872:2cc59e79e957c0fd8068e1bac52137bc:Win.Trojan.Eicartest-1
[6327695.cbc BYTECODE] Eicar-Signature.{};Engine:56-255,Target:0;0;0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
[main.mdb] 2560:db9db3a5cf0ba0e644ad04792e02fbcd:Win.Trojan.Eicar-1
kdeugau@ele:$ sigtool --find-sigs EICAR
[daily.ldb] Win.Tool.EICAR-9917185-0;Engine:51-255,Target:1;0&1&2&3&4;466f72206d6f726520736563757269747920666561747572652074657374732c20706c656173652076697369743a20687474703a2f2f7777772e616d74736f2e6f72672f666561747572652d73657474696e67732d636865636b2e68746d6c20;496e206361736520796f752065786563757465642074686973206170706c69636174696f6e20776974686f75742067657474696e6720616e7920616c6572742c20646574656374696f6e206f66205055412028506f74656e7469616c6c7920556e77616e746564204170706c69636174696f6e7329206973206e6f7420656e61;497320746865726520616e7920726561736f6e2c20776879206e6f7420636c6f7365207468652077696e646f773f;492077696c6c207265616c6c7920636c6f7365207468652077696e646f77206e6f772e;446f20796f752077616e7420746f20636c6f736520746869732077696e646f773f
[main.hdb] 44d88612fea8a8f36de82e1278abb02f:68:Win.Test.EICAR_HDB-1
[main.msb] 45056:f9b304ced34fcce3ab75c6dc58ad59e4d62177ffed35494f79f09bc4e8986c16:Win.Test.EICAR_MSB-1
[main.mdb] 45056:3ea7d00dedd30bcdf46191358c36ffa4:Win.Test.EICAR_MDB-1
[main.hsb] 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f:68:Win.Test.EICAR_HSB-1
There is quite the proliferation of hash signatures, but by definition
those will only ever match the exact file, i.e. a file or stream
consisting of the exact 68 bytes in eicar.com. The only one that would
match within a larger file or datastream is the bytecode signature
Eicar-Signature.{} (second from the bottom in the first set).
Check if you have bytecode signatures disabled in your Windows clamd
instance.
-kgd
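The following is an added illustration of the point made in the reply above, not code from the thread or from ClamAV: it applies the hash signatures and the hex body of the Eicar-Signature.{} bytecode entry (both copied from the sigtool output) to the two streams Jorge sent. Hash signatures (.hdb/.hsb) require the digest and the exact file size to match, so appending five bytes defeats them; only the pattern-style signature still fires. Treating the bytecode entry as a plain substring search is a simplification (a real .cbc signature is compiled bytecode triggered by that pattern), and the scan() helper and its return format are assumptions made for this example.

```python
import hashlib

# The 68-byte EICAR test string, as sent in the first test in the thread.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Hash signatures copied from the sigtool output above. The .hdb/.hsb format is
# hash:filesize:name; the digest algorithm is implied by the hex length.
HASH_SIGS = [
    ("44d88612fea8a8f36de82e1278abb02f", 68, "Win.Test.EICAR_HDB-1"),
    ("275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", 68, "Win.Test.EICAR_HSB-1"),
]

# Hex pattern taken from the Eicar-Signature.{} bytecode entry above. Real
# bytecode signatures are compiled programs triggered by this pattern; the
# substring search below is a deliberate simplification (assumption) that keeps
# only the matching behaviour the thread is about.
PATTERN_SIGS = [
    ("Eicar-Signature.{}",
     "58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d"
     "414e544956495255532d544553542d46494c452124482b482a"),
]


def match_hash_sigs(data: bytes) -> list:
    """Names of hash signatures matching the whole stream.

    Both the digest and the exact size must match, so one extra byte
    (or one byte less) is enough to miss every hash signature.
    """
    digests = {
        32: hashlib.md5(data).hexdigest(),
        64: hashlib.sha256(data).hexdigest(),
    }
    hits = []
    for digest, size, name in HASH_SIGS:
        if len(data) == size and digests.get(len(digest)) == digest:
            hits.append(name)
    return hits


def match_pattern_sigs(data: bytes) -> list:
    """Names of pattern signatures whose bytes occur anywhere in the stream."""
    hits = []
    for name, hexpat in PATTERN_SIGS:
        if bytes.fromhex(hexpat) in data:
            hits.append(name)
    return hits


def scan(data: bytes) -> list:
    """Hypothetical scanner: all signature names that match the stream."""
    return match_hash_sigs(data) + match_pattern_sigs(data)


if __name__ == "__main__":
    samples = (
        ("exact EICAR", EICAR),
        ("EICAR + 5 bytes", EICAR + b"hjyhj"),  # Jorge's second test
    )
    for label, sample in samples:
        names = scan(sample)
        print(f"{label:16s} {', '.join(names) + ' FOUND' if names else 'OK'}")
```

With the exact 68 bytes all three signatures match; with "hjyhj" appended only the pattern entry does, which is exactly the behaviour a clamd with bytecode signatures disabled would turn into a plain OK.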
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml