Hi,
I'm using clamd to scan a large amount of data using INSTREAM (the data is
not available as files I could send to clamd). If I send only one INSTREAM
chunk with EICAR inside, it is correctly detected, but if I send several
chunks plus the EICAR string, it is not detected.
Example:
char *eicarTest =
"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
data_len = strlen(eicarTest);
network_len = _byteswap_ulong(data_len);
sendClamdRawdata(&network_len, sizeof(uint32_t));
sendClamdRawdata((void *)eicarTest, data_len);
... plus the 0 length chunk to finish..
In that case it is detected, clamd says: instream(local):
Win.Test.EICAR_HDB-1(44d88612fea8a8f36de82e1278abb02f:68) FOUND
But, if I send any chunk before or after that, it is not detected. Example:
char *eicarTest =
"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
char *junkData = "89jsdkfj";
data_len = strlen(eicarTest);
network_len = _byteswap_ulong(data_len);
sendClamdRawdata(&network_len, sizeof(uint32_t));
sendClamdRawdata((void *)eicarTest, data_len);
data_len = strlen(junkData);
network_len = _byteswap_ulong(data_len);
sendClamdRawdata(&network_len, sizeof(uint32_t));
sendClamdRawdata((void *)junkData, data_len);
... plus the 0 length chunk to finish..
In that case it is not detected, clamd says: instream(local): OK
Does it make any sense? I would appreciate any help.
Thank you very much!
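
Added example, not part of the original post and not ClamAV code: clamd scans every chunk of one INSTREAM session as a single stream, and the FOUND line above carries an MD5 and a size (44d88612fea8a8f36de82e1278abb02f:68). The sketch below frames the two cases from the post, reassembles what the receiver sees, and prints hash:size for each. The function names are hypothetical, `zINSTREAM\0` is assumed as clamd's null-delimited command form, and no connection to clamd is made.

```python
import hashlib
import struct

# EICAR test string and junk bytes exactly as in the post (68 and 8 bytes).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
JUNK = b"89jsdkfj"

def build_instream(chunks):
    """Frame chunks as an INSTREAM request: command, <len><data>..., 0-length end."""
    out = bytearray(b"zINSTREAM\0")
    for chunk in chunks:
        if not chunk:
            continue  # a zero-length chunk would terminate the stream early
        out += struct.pack("!I", len(chunk)) + chunk  # 4-byte big-endian length
    out += struct.pack("!I", 0)
    return bytes(out)

def reassemble(request):
    """Parse a framed request and return the single byte stream that is scanned."""
    prefix = b"zINSTREAM\0"
    if not request.startswith(prefix):
        raise ValueError("not an INSTREAM request")
    pos, stream = len(prefix), bytearray()
    while True:
        if pos + 4 > len(request):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from("!I", request, pos)
        pos += 4
        if n == 0:
            return bytes(stream)  # terminator reached: everything before it is one stream
        if pos + n > len(request):
            raise ValueError("truncated chunk")
        stream += request[pos:pos + n]
        pos += n

def hash_and_size(stream):
    """MD5:size pair in the form printed on the FOUND line in the post."""
    return f"{hashlib.md5(stream).hexdigest()}:{len(stream)}"

if __name__ == "__main__":
    for label, chunks in (("EICAR only", [EICAR]), ("EICAR + junk", [EICAR, JUNK])):
        print(label, hash_and_size(reassemble(build_instream(chunks))))
```

With one chunk the stream is the 68-byte EICAR string and reproduces the hash:size pair from the FOUND line; with the junk chunk added the stream is 76 bytes and has a different MD5.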