Hi there,

Sorry, I should have spent more time looking into this.

On Fri, 4 Mar 2022, Tuomo Soini via clamav-users wrote:
> That is incorrectly detecting it. They must not detect the signature in
> the middle. That's clearly in the specification. A long time ago there was
> a big discussion about eicar detection and at that time ClamAV got fixed
> not to incorrectly detect the eicar signature in the middle of other data.
The above is correct. Among the third-party databases used here there's one called 'RFXN'. This is part of 'Linux Malware Detect'

https://github.com/rfxn/linux-malware-detect

and was installed here by 'clamav-unofficial-sigs'

https://github.com/extremeshok/clamav-unofficial-sigs

8<----------------------------------------------------------------------
$ ls -l /EXPORTS/clamav/databases/rfxn*
-rw-r--r-- 1 clamav clamav 410441 Aug 17  2020 rfxn.yara
-rw-r--r-- 1 clamav clamav 451958 Mar 31  2021 rfxn.ndb
-rw-r--r-- 1 clamav clamav 866954 Feb 25 06:17 rfxn.hdb
8<----------------------------------------------------------------------

The signature which is detecting the modified EICAR string is in the file 'rfxn.ndb':

{HEX}EICAR.TEST.3:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a

This is a simple match of the 68-byte EICAR string. It fails to take account of the EICAR specification change made in 2003 which requires no detection by anti-virus products if anything other than a limited number of what it calls 'whitespace' characters is appended to it. In the RFXN signature there's no protection against detecting the string within a string which contains non-whitespace characters.

I haven't dropped the signature here (I think this is the only time it's detected anything) but it's clearly wrong. See for example reference 7 at

https://en.wikipedia.org/wiki/EICAR_test_file

I've cc'd Mr. MacDonald at the address given on Github to inform him of the erroneous match.

--
73,
Ged.
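The difference between the floating match requested by the RFXN line and the stricter EICAR rule, as an added example (not part of the original message, and not ClamAV or RFXN code). The whitespace set and the 128-byte length limit are assumptions taken from the EICAR specification rather than from the message, the helper names are hypothetical, and the sample inputs are constructed.

```python
# Added example: floating (offset '*') match vs. the EICAR specification rule.
# Signature line quoted in the message (ClamAV .ndb: Name:TargetType:Offset:HexSignature).
NDB_LINE = (
    "{HEX}EICAR.TEST.3:0:*:"
    "58354f2150254041505b345c505a58353428505e2937434329377d2445494341"
    "522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a"
)

# Assumptions taken from the EICAR specification, not from the message:
EICAR_WHITESPACE = b" \t\n\r\x1a"  # space, tab, LF, CR, Ctrl-Z
EICAR_MAX_LEN = 128                # maximum total file length in bytes


def parse_ndb(line):
    """Return (name, target_type, offset, body) for a plain-hex .ndb line."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return name, target, offset, bytes.fromhex(hexsig)  # no wildcard support


def floating_match(data, body):
    """Offset '*': the body may occur anywhere in the scanned data."""
    return body in data


def spec_match(data, body):
    """EICAR rule: body at offset 0, then only whitespace, within the length cap."""
    if len(data) > EICAR_MAX_LEN or not data.startswith(body):
        return False
    return all(byte in EICAR_WHITESPACE for byte in data[len(body):])


def compare(samples):
    """Map each sample label to (floating_match, spec_match)."""
    body = parse_ndb(NDB_LINE)[3]
    return {label: (floating_match(d, body), spec_match(d, body))
            for label, d in samples.items()}


_BODY = parse_ndb(NDB_LINE)[3]
SAMPLES = {  # constructed inputs
    "exact": _BODY,
    "trailing CRLF": _BODY + b"\r\n",
    "embedded in text": b"Subject: test\r\n\r\n" + _BODY + b"\r\n",
    "text appended": _BODY + b" see attached",
    "too much padding": _BODY + b" " * 100,
}

if __name__ == "__main__":
    for label, (floating, strict) in compare(SAMPLES).items():
        print(f"{label:18} floating={floating!s:5} spec={strict}")
```

The floating match fires on all five samples, while the specification rule accepts only the exact string and the copy with a trailing CRLF.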