Bugzilla – Bug 12490
The latest cvd update (currently 25721) does not identify the eicar signature consistently.
Last modified: 2021-01-28 14:43:16 EST
Created attachment 7635
file described in description

I tried to scan two different files - one is a text file with only the eicar test signature and another is a 5MB file with the eicar test signature in the beginning. While the first was identified as containing the eicar signature, the second was reported as OK. I tried these versions: 0.99.4, 0.102.1 and 0.102.2. This issue was faced with version 25721.

For the version 102.2 - The output of clamconf -n

Checking configuration files in /usr/local/etc/clamav

Config file: clamd.conf
-----------------------

Config file: freshclam.conf
---------------------------
DatabaseMirror = "database.clamav.net"

clamav-milter.conf not found

Software settings
-----------------
Version: 0.102.2
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE ICONV JSON RAR

Database information
--------------------
Database directory: /usr/local/Cellar/clamav/0.102.2/share/clamav
daily.cvd: version 25721, sigs: 2183330, built on Wed Feb 12 10:54:38 2020
main.cvd: version 59, sigs: 4564902, built on Mon Nov 25 19:26:15 2019
bytecode.cvd: version 331, sigs: 94, built on Thu Sep 19 21:42:33 2019
Total number of signatures: 6748326

Platform information
--------------------
uname: Darwin 19.0.0 Darwin Kernel Version 19.0.0: Thu Oct 17 16:17:15 PDT 2019; root x86_64
OS: darwin19.3.0, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x042371710800000000040201

Build information
-----------------
Clang: 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.17) (4.2.1)
CPPFLAGS: -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk/usr/include -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk/usr/include
CFLAGS: -g -O2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -g -O2
LDFLAGS: -L/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk/usr/lib
Configure: '--disable-dependency-tracking' '--disable-silent-rules' '--prefix=/usr/local/Cellar/clamav/0.102.2' '--libdir=/usr/local/Cellar/clamav/0.102.2/lib' '--sysconfdir=/usr/local/etc/clamav' '--disable-zlib-vcheck' '--enable-llvm=no' '--with-libjson=/usr/local/opt/json-c' '--with-openssl=/usr/local/opt/openssl@1.1' '--with-pcre=/usr/local/opt/pcre' '--with-zlib=/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk/usr' 'CXX=clang++' 'CC=clang' 'PKG_CONFIG_PATH=/usr/local/opt/json-c/lib/pkgconfig:/usr/local/opt/openssl@1.1/lib/pkgconfig:/usr/local/opt/pcre/lib/pkgconfig:/usr/local/opt/jansson/lib/pkgconfig:/usr/local/opt/yara/lib/pkgconfig' 'PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig:/usr/local/Homebrew/Library/Homebrew/os/mac/pkgconfig/10.15' 'OBJC=clang' --enable-ltdl-convenience
sizeof(void*) = 8
Engine flevel: 113, dconf: 113

The output of uname -mrsp

Darwin 19.0.0 x86_64 i386

I get a command not found error while trying to get libc and zlib versions -
-bash: libc: command not found
-bash: zlib: command not found

I have attached two files in the attached encrypted zip file. The password for the same is "password".
eicar.com.txt is the file with only the eicar signature and it is identified.
infected-file-trial1 is the 5MB file with the eicar signature in the beginning and is not identified as a virus file after the latest update.
I believe we faced a similar issue with version 25713 as well.
A normal clamscan filename command was used to scan the files.
My contact is apoddar573@gmail.com
Thanks
We are also seeing this issue. We have integration tests that use the standard EICAR file from Eicar.org. These tests are intermittently seeing the file not flagged with the EICAR virus signature.
It is being detected by a hash-based signature:

$ clamscan eicar.com.txt
eicar.com.txt: Win.Test.EICAR_HDB-1 FOUND

$ time sigtool -fWin.Test.EICAR_HDB-1
[main.hdb] 44d88612fea8a8f36de82e1278abb02f:68:Win.Test.EICAR_HDB-1

Thus, it will only match for files whose md5 is exactly 44d88612fea8a8f36de82e1278abb02f.

There are four EICAR signatures:

$ sigtool -fEICAR
[main.msb] 45056:f9b304ced34fcce3ab75c6dc58ad59e4d62177ffed35494f79f09bc4e8986c16:Win.Test.EICAR_MSB-1
[main.mdb] 45056:3ea7d00dedd30bcdf46191358c36ffa4:Win.Test.EICAR_MDB-1
[main.hsb] 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f:68:Win.Test.EICAR_HSB-1
[main.hdb] 44d88612fea8a8f36de82e1278abb02f:68:Win.Test.EICAR_HDB-1

The last two are based on the hash of the full file (md5 and sha256). Not sure what the other two are expected to catch. They seem to be hash signatures for a PE section of size 45056. However, the EICAR test file is barely 68 bytes. These signatures have been like this for years, see https://lists.gt.net/clamav/users/65717

Also, I'm not convinced your infected-file-trial1 file should be detected as a virus. Per http://2016.eicar.org/86-0-Intended-use.html "The first 68 characters is the known string. It may be optionally appended by any combination of whitespace characters with the total file length not exceeding 128 characters." I can append whitespace and it is still detected by ClamAV. However, you are appending other binary data. Thus it is normal that it is no longer detected as EICAR.
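As an added example (not from this thread and not ClamAV's own code), here is a minimal matcher for the hash:size:name record format that the sigtool output above shows for .hdb and .hsb, run over constructed stand-ins for the three files the thread discusses. The EICAR string is the public 68-byte test string; the SHA-1 digest length and the '*' wildcard size come from the ClamAV signature documentation rather than this page.

```python
import hashlib

# Hash-based signature records in the .hdb (MD5) / .hsb (SHA-1 or SHA-256)
# format quoted in the thread: hash:size:name. The two records below are the
# main.cvd entries posted above; a size of '*' means "any length".
HASH_SIGS = """
44d88612fea8a8f36de82e1278abb02f:68:Win.Test.EICAR_HDB-1
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f:68:Win.Test.EICAR_HSB-1
"""

# The public 68-byte EICAR test string, written as two halves so this source
# file is not itself quarantined by a scanner; it is joined before hashing.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def parse_hash_sigs(text):
    """Parse hash:size:name records into (hex digest, size or None, name)."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(":", 2)
        sigs.append((digest.lower(), None if size == "*" else int(size), name))
    return sigs

def match_hash_sigs(data, sigs):
    """Return names of all records whose size and whole-file digest match."""
    digests = {32: hashlib.md5(data).hexdigest(),
               40: hashlib.sha1(data).hexdigest(),
               64: hashlib.sha256(data).hexdigest()}
    return [name for digest, size, name in sigs
            if (size is None or size == len(data)) and digests.get(len(digest)) == digest]

def demo():
    """Constructed stand-ins for the three files discussed in the thread."""
    sigs = parse_hash_sigs(HASH_SIGS)
    samples = {
        "eicar.com.txt": EICAR,                                       # exact 68 bytes
        "eicar.com.txt + LF": EICAR + b"\n",                          # trailing newline
        "infected-file-trial1": EICAR + b"\x00" * (5 * 1024 * 1024),  # + 5 MB of binary
    }
    return {name: match_hash_sigs(data, sigs) for name, data in samples.items()}

if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits or 'no hash-signature match'}")
```

Only the exact 68-byte file matches; appending even one LF or 5 MB of data changes the whole-file digest, so whatever flags the LF-terminated variant later in the thread must be a different, non-hash signature.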
In my use-case, we simply download https://secure.eicar.org/eicar.com.txt and scan it. We’ve had this test for ~4 years now and with the definitions from January 2020, we are getting inconsistent results.
Hi, thanks for your clarification. Also, do you know of a way where we can generate eicar-like files of size greater than 5 MB for anti-virus testing?
The whole Eicar signature identification has been screwy for the past couple of months. Prior to about 1/8/20 it was identified as 'Eicar-Test-Signature'. Then it changed to Clamav.Test.File-7 for a little while before it again changed on or before 2/12/20 to 'Eicar-Signature'. Additionally, the eicar.com file, if it doesn't have a LF character at the end of the signature, detects as 'Win.Test.EICAR_HDB-1', but with the LF at the end is 'Eicar-Signature'. Also, there apparently used to be a signature that detected the following file contents but no longer does:

$CEliacmaTrESTuScikgsn$FREE-TEST-SIGNATURE$EEEEE$

All of this was noticed because I was attempting to rebuild the File::Scan::ClamAV module for perl and several tests have failed - first because that second test signature is no longer found, and second because the expected virus name 'Eicar-Test-Signature' no longer matches the output 'Eicar-Signature'. Given that the eicar.com test signature has been around longer than ClamAV, I would think it would be a good idea if the signature name remained consistent with what it always has been so that systems that rely on the name to match testing results don't keep breaking. I'm less concerned about the secondary test signature, especially since I don't know its source. All of this was done under clamav 0.101.5 with daily 25734 on RHEL 7 using the RPMs provided by the EPEL repository.
I can attest to the first point. The change in the signature really broke a number of things. We had to change the signature first and then revert to the previous version the very next day.
Is there any update on this?
Hi, we are also experiencing this. I've followed this thread for a few months now, is there any update or possible fix?
Running ClamAV on my own MacBook on the same set of files yields the same behaviour:

----------- SCAN SUMMARY -----------
Known viruses: 8908043
Engine version: 0.103.0
Scanned directories: 0
Scanned files: 24
Infected files: 16

the following output:

>> clamav:found (16):
>>> eicar-standard-antivirus-test-file-microsoft-word-macro-powershell-echo.docm
>>> eicar-standard-antivirus-test-file-microsoft-excel-macro-msgbox.xlsm
>>> eicar-standard-antivirus-test-file-microsoft-word-macro-cmd-echo.docm
>>> eicar-standard-antivirus-test-file-microsoft-word-macro-write-file.doc
>>> eicar-standard-antivirus-test-file-microsoft-word-macro-msgbox.docm
>>> eicar-standard-antivirus-test-file-microsoft-excel-macro-cmd-echo.xls
>>> eicar-standard-antivirus-test-file-microsoft-word-macro-cmd-echo.doc
>>> eicar-standard-antivirus-test-file-adobe-acrobat-attachment.pdf
>>> eicar-standard-antivirus-test-file-microsoft-excel-macro-write-file.xls
>>> eicar-standard-antivirus-test-file-adobe-acrobat-javascript-alert.pdf
>>> eicar-standard-antivirus-test-file-microsoft-excel-macro-msgbox.xls
>>> eicar-standard-antivirus-test-file-microsoft-word-macro-write-file.docm
>>> eicar-standard-antivirus-test-file-microsoft-excel-macro-cmd-echo.xlsm
>>> eicar-standard-antivirus-test-file-microsoft-excel-macro-write-file.xlsm
>>> eicar-standard-antivirus-test-file-microsoft-word-macro-powershell-echo.doc
>>> eicar-standard-antivirus-test-file-microsoft-excel-macro-powershell-echo.xls
>> clamav:ok (8):
>>> eicar-standard-antivirus-test-file-microsoft-powerpoint-action-macro-msgbox.pptm
>>> eicar-standard-antivirus-test-file-microsoft-excel-dde-cmd-powershell-echo.xls
>>> eicar-standard-antivirus-test-file-microsoft-excel-dde-cmd-powershell-echo.xlsx
>>> eicar-standard-antivirus-test-file-microsoft-powerpoint-action-macro-msgbox.ppt
>>> eicar-standard-antivirus-test-file-microsoft-powerpoint-action-powershell-echo.ppt
>>> eicar-standard-antivirus-test-file-microsoft-word-macro-msgbox.doc
>>> eicar-standard-antivirus-test-file-microsoft-excel-macro-powershell-echo.xlsm
>>> eicar-standard-antivirus-test-file-microsoft-powerpoint-action-powershell-echo.pptx