Mailing List Archive

[clamav-users] Failing eicarcom2.zip test after recent DB update
The eicarcom2.zip was always identified with:
LibClamAV debug: FP SIGNATURE: 44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
but for some reason after the last DB update:
main.cvd is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
daily.cvd is up to date (version: 25717, sigs: 2177826, f-level: 63, builder: raynman)
bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
it is recognized as:
LibClamAV debug: FP SIGNATURE: 44d88612fea8a8f36de82e1278abb02f:68:Clamav.Test.File-7
and it causes some failure in my code tests
What am I missing?
Re: [clamav-users] Failing eicarcom2.zip test after recent DB update [ In reply to ]
A bit of a guess on my part, but since the hash values for both signatures are identical, normally only the first one encountered would be reported.

Looks like daily-25717 added one signature to the ignore list, which is where my guess that it was “Eicar-Test-Signature” comes in. That would cause the second signature to be the one now reported.

Maybe the signature staff can comment on if and why Eicar is now ignored and if it is allowed to continue perhaps you’ll need to modify your code tests somehow.

Sent from my iPad

-Al-

> On Feb 7, 2020, at 22:44, WagdeZ via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> The eicarcom2.zip was always identified with:
> LibClamAV debug: FP SIGNATURE: 44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
> but for some reason after the last DB update:
> main.cvd is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
> daily.cvd is up to date (version: 25717, sigs: 2177826, f-level: 63, builder: raynman)
> bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
> it is recognized as:
> LibClamAV debug: FP SIGNATURE: 44d88612fea8a8f36de82e1278abb02f:68:Clamav.Test.File-7
> and it causes some failure in my code tests
> What am I missing?
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

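To make the "first signature encountered wins, unless it is ignored" explanation above concrete, here is an added example. It is mine, not code from the original thread or from the ClamAV project. It hashes the published 68-byte EICAR test string with MD5, looks the result up in a small constructed table written in the MD5:size:name shape of the lines quoted in the original post, and runs that lookup twice: once with an empty ignore list and once with Eicar-Test-Signature on a constructed .ign2-style ignore list (one signature name per line). The EICAR string, its length and its MD5 are the published values; the database contents, the file order of the two entries, and the choice to drop ignored names while loading (so they never become match candidates) are assumptions made for illustration.

```python
import hashlib
from typing import List, Optional, Set, Tuple

# Published 68-byte EICAR test string (a standard anti-virus test file, not malware).
# eicarcom2.zip in the original post wraps this file in two zip layers; the hash
# ClamAV reports is the hash of the unpacked 68-byte inner file, not of the zip.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed .hdb-style database lines (MD5:size:name), for illustration only.
# Both entries carry the same hash and size, mirroring the two names in the post.
HDB_LINES = """\
44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
44d88612fea8a8f36de82e1278abb02f:68:Clamav.Test.File-7
"""

# Constructed .ign2-style ignore lists (one signature name per line): before the
# hypothetical update nothing is ignored; after it, Eicar-Test-Signature is.
IGN2_BEFORE = ""
IGN2_AFTER = "Eicar-Test-Signature\n"

Signature = Tuple[str, int, str]  # (md5 hex, file size in bytes, signature name)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_ign2(text: str) -> Set[str]:
    """Names listed in a .ign2-style file, one per line; blank lines are skipped."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def load_hdb(text: str, ignored: Set[str]) -> List[Signature]:
    """Parse MD5:size:name lines in file order, dropping ignored names at load time.

    Dropping at load time models the effect of an ignore list (an assumption of
    this example): the entry never becomes a match candidate, so the next entry
    with the same hash is the one that gets reported.
    """
    sigs: List[Signature] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, name = line.split(":", 2)
        if name in ignored:
            continue
        sigs.append((md5.lower(), int(size), name))
    return sigs


def scan(data: bytes, sigs: List[Signature]) -> Optional[str]:
    """Return the first signature whose md5 AND size both match, or None.

    First hit wins: with two entries sharing a hash, the later one is only ever
    reported when the earlier one is absent (here, because it was ignored).
    """
    digest = md5_hex(data)
    for md5, size, name in sigs:
        if md5 == digest and size == len(data):
            return name
    return None


def report_before_update() -> Optional[str]:
    return scan(EICAR, load_hdb(HDB_LINES, parse_ign2(IGN2_BEFORE)))


def report_after_update() -> Optional[str]:
    return scan(EICAR, load_hdb(HDB_LINES, parse_ign2(IGN2_AFTER)))


if __name__ == "__main__":
    print(len(EICAR), md5_hex(EICAR))         # 68 44d88612fea8a8f36de82e1278abb02f
    print("before:", report_before_update())  # Eicar-Test-Signature
    print("after: ", report_after_update())   # Clamav.Test.File-7
```

The practical takeaway for a test suite is visible in the two report functions: the hash and size of the file are stable, the name the scanner attaches to them is not. A test that checks that the file is detected (for `clamscan`, exit status 1 means a match was found) or that matches the hash:size prefix of the debug line will survive a database update that moves a name onto an ignore list; a test pinned to the literal string "Eicar-Test-Signature" will not.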
Re: [clamav-users] Failing eicarcom2.zip test after recent DB update [ In reply to ]
So the "testfile" is Sample ID 33522083, which is
44d88612fea8a8f36de82e1278abb02f and 68 bytes. Researching.

Dave R.

On Sat, Feb 8, 2020 at 1:57 AM Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:

> A bit of a guess on my part, but since the hash values for both signatures are identical, normally only the first one encountered would be reported.
>
> Looks like daily-25717 added one signature to the ignore list, which is
> where my guess that it was “Eicar-Test-Signature” comes in. That would
> cause the second signature to be the one now reported.
>
> Maybe the signature staff can comment on if and why Eicar is now ignored
> and if it is allowed to continue perhaps you’ll need to modify your code
> tests somehow.
>
> Sent from my iPad
>
> -Al-


--
---
Dave Raynor
Talos Security Intelligence and Research Group
draynor@sourcefire.com
Re: [clamav-users] Failing eicarcom2.zip test after recent DB update [ In reply to ]
Yes, I think we all knew most of that from the OP. Is "Sample ID 33522083" an internal reference number of some sort and exactly what is being researched?

I think the only question remaining is why is the "Eicar-Test-Signature" now being ignored?

-Al-

On Mon, Feb 10, 2020 at 11:01 AM, David Raynor wrote:
> So the "testfile" is Sample ID 33522083, which is 44d88612fea8a8f36de82e1278abb02f and 68 bytes. Researching.
>
> Dave R.
Re: [clamav-users] Failing eicarcom2.zip test after recent DB update [ In reply to ]
Today's daily-2572 update drops the Osx.Malware.Agent-1714718 signature. That would seem to mean that ClamAV will no longer detect an eicar test file.

-Al-
ClamXAV User

On Mon, Feb 10, 2020 at 08:58 PM, Al Varnell wrote:
> Yes, I think we all knew most of that from the OP. Is "Sample ID 33522083" an internal reference number of some sort and exactly what is being researched?
>
> I think the only question remaining is why is the "Eicar-Test-Signature" now being ignored?
>
> -Al-