On Fri, 4 Mar 2022, Tuomo Soini via clamav-users wrote:

On Thu, 3 Mar 2022 22:50:04 -0300
Jorge Elissalde via clamav-users <clamav-users@lists.clamav.net> wrote:

Hi,

The weird part is that Avira and other Antivirus correctly are able to
detect EICAR in any case, having other characters before and/or after
the EICAR string.

That is incorrectly detecting it. They must not detect signature in the
middle. That's clearly in specification. Long time ago there was big
discussion about eicar detection and at that time ClamAV got fixed not
to incorrectly detect eicar signature in the middle of other data.

If that particular string of characters appears in the middle of a stream
it may not be "The EICAR virus" but it should be detected as, say, "potentially malicious".

Yes, malware which is defeated when it is not terminated by EOF might
exist (if it exploits a bug in the EOF-handling code, for example).
However something which is executed is likely to have done its damage
before the EOF is processed.

Clamd should detect signatures whether or not they are at the end of the
"file". False positives are undesirable but still better than false negatives.

--
Andrew C. Aitchison                                     Kendal, UK
                        and...@aitchison.me.uk
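
The two positions in this thread can be put side by side in a short added example (not part of any message above and not ClamAV's code). It assumes EICAR's published definition, which the thread refers to only as "the specification": the 68-byte string at offset 0, followed only by whitespace, at most 128 bytes in total. The verdict labels are hypothetical.

```python
# Added illustration: strict EICAR matching vs. matching the string anywhere.
# The test string is assembled from two parts so that this source file is not
# itself flagged by a scanner.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-" + rb"ANTIVIRUS-TEST-FILE!$H+H*"

# Assumption taken from EICAR's definition, not from the thread: only these
# bytes may follow the string (space, tab, CR, LF, Ctrl-Z), total <= 128 bytes.
TRAILING_OK = b" \t\r\n\x1a"
MAX_LEN = 128


def strict_match(data: bytes) -> bool:
    """True only if data is a test file in the strict sense."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in TRAILING_OK for b in data[len(EICAR):])


def classify(data: bytes) -> str:
    """Return a hypothetical verdict label for a buffer.

    'eicar-test-file'       : strict match (the behaviour Tuomo describes)
    'eicar-string-embedded' : string found elsewhere (Andrew's
                              "potentially malicious" tier)
    'clean'                 : string not present
    """
    if strict_match(data):
        return "eicar-test-file"
    if EICAR in data:
        return "eicar-string-embedded"
    return "clean"


# Constructed sample inputs.
SAMPLES = {
    "exact": EICAR,
    "trailing newline": EICAR + b"\r\n",
    "prefixed": b"Subject: test\r\n\r\n" + EICAR,
    "suffixed with data": EICAR + b"more data",
    "padded past 128 bytes": EICAR + b" " * 100,
    "unrelated": b"hello world",
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(f"{name:24} -> {classify(buf)}")
```

A scanner that reports only the first label reproduces the miss described in the first message; one that reports both as the same detection produces the false positives the second message objects to.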
