Mailing List Archive

[clamav-users] EICAR Intermittently Not Detected with Latest Definitions
Hello,

With recent virus definition updates, we have noticed that the standard EICAR text files are intermittently not being flagged as having a virus. There is an existing bug report for this here: https://bugzilla.clamav.net/show_bug.cgi?id=12490. Has anyone else been experiencing this issue?

Thanks,

John Chapman
Sr. SDE @ Amazon
Re: [clamav-users] EICAR Intermittently Not Detected with Latest Definitions
There was a previous discussion on this the day that the EICAR signature was apparently moved to the ignore list, which caused the Clamav.Test.File-7 signature to begin identifying such files. After a few days the testfile signature was dropped, but nobody from the ClamAV signature staff ever commented on the discussion.

See <https://www.mail-archive.com/clamav-users@lists.clamav.net/msg48483.html>

-Al-

> On Feb 20, 2020, at 11:58, Chapman, John via clamav-users <clamav-users@lists.clamav.net> wrote:
> Hello,
>
> With recent virus definition updates, we have noticed that the standard EICAR text files are intermittently not being flagged as having a virus. There is an existing bug report for this here: https://bugzilla.clamav.net/show_bug.cgi?id=12490. Has anyone else been experiencing this issue?
>
> Thanks,
>
> John Chapman
> Sr. SDE @ Amazon
Re: [clamav-users] EICAR Intermittently Not Detected with Latest Definitions
We've worked on cleaning up the Eicar signatures in their various forms (HDB,
HSB, LDB, NDB, etc.) in order to replace them with the Eicar-Signature
bytecode signature. The bytecode signature is able to follow the Eicar
standard and not lead to confusion with the Eicar string being found in
places not following the standard.

According to the standard from https://www.eicar.org/?page_id=3950:

- ... the file starts with the following 68 characters, and is exactly 68
bytes long:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

- It may be optionally appended by any combination of whitespace characters
with the total file length not exceeding 128 characters. The only
whitespace characters allowed are the space character, tab, LF, CR, CTRL-Z.

Please note, the standard does not allow the Eicar 68 byte text to be
placed anywhere in a file, embedded in files larger than 128, or contain
any other whitespace characters besides those specified.

Unfortunately, NDB and LDB signatures cannot enforce file length and
require a higher flvl to support a PCRE to match on the valid possible
characters of whitespace. However, a bytecode signature can enforce all
those requirements and ensure we are following the standards described by
Eicar.

Thanks,
demonduck


On Thu, Feb 20, 2020 at 5:15 PM Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:

> There was a previous discussion on this the day that the EICAR signature
> was apparently moved to the ignore list which caused the
> Clamav.Test.File-7 signature to begin identifying such files. After a few
> days the testfile signature was dropped, but nobody from the ClamAV
> signature staff ever commented to the discussion.
>
> See <https://www.mail-archive.com/clamav-users@lists.clamav.net/msg48483.html>
>
> Sent from my iPad
>
> -Al-
>
> On Feb 20, 2020, at 11:58, Chapman, John via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
> Hello,
>
> With recent virus definition updates, we have noticed that the standard
> EICAR text files are intermittently not being flagged as having a virus.
> There is an existing bug report for this here:
> https://bugzilla.clamav.net/show_bug.cgi?id=12490. Has anyone else been
> experiencing this issue?
>
> Thanks,
>
> *John Chapman*
> Sr. SDE @ Amazon
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
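
The rules quoted in the reply above (68-byte string at offset 0, optional padding of space, tab, LF, CR or CTRL-Z only, 128 bytes total) can be checked directly against a test file before filing it as a missed detection. The following is an added example, not ClamAV's bytecode signature or code from any poster in this thread; the function name, verdict labels and sample inputs are constructed for illustration.

```python
"""Added example: check bytes against the EICAR rules quoted in the thread."""

# Assembled from two halves so this source file is not itself a bare test file.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR" + rb"-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_PAD = frozenset(b" \t\n\r\x1a")  # space, tab, LF, CR, CTRL-Z
MAX_LEN = 128                            # total length limit, padding included


def classify(data: bytes) -> str:
    """Return how `data` relates to the quoted rules (labels are this example's own)."""
    if not data.startswith(EICAR):
        # String present but not at offset 0: not a conforming test file.
        return "embedded" if EICAR in data else "absent"
    if len(data) > MAX_LEN:
        return "oversize"
    if any(b not in ALLOWED_PAD for b in data[len(EICAR):]):
        return "bad-padding"
    return "conforming"


# Constructed sample inputs, one per rule.
SAMPLES = {
    "exact 68 bytes": EICAR,
    "CRLF appended": EICAR + b"\r\n",
    "padded to 128": EICAR + b" " * 60,
    "padded to 129": EICAR + b" " * 61,
    "vertical tab appended": EICAR + b"\x0b",
    "text appended": EICAR + b" test",
    "inside a mail body": b"Subject: test\r\n\r\n" + EICAR,
    "plain text": b"hello world\n",
}


def report() -> dict:
    """Map each constructed sample name to its verdict."""
    return {name: classify(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:24} {verdict}")
```

Only the inputs reported as `conforming` satisfy the rules as quoted; the others are the cases the reply says the standard does not allow.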