Mailing List Archive

[clamav-users] Why is the Eicar-Signature not recognized in some files?
Greetings,

on my system the Eicar-Signature is not recognized in some files:

$ cat /HomeDir/.mail/Tests/procmailrc/Virus.rof
/tmp/Test.0000/VIRUS
From User
To: Me
Date: Today
From: User
Subject: Virus Test
X-VIRUS: Eicar-Signature

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

$ grep -m1 ^X5O /HomeDir/.mail/Tests/procmailrc/Virus.rof >virus
$ cat virus
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
$ tar -cf virus.tar virus
$ clamscan '--alert-exceeds-max=no' --archive-verbose '--cross-fs=no' --no-summary --recursive '--remove=no' --stdout /HomeDir/.mail/Tests/procmailrc/Virus.rof virus virus.tar
/HomeDir/.mail/Tests/procmailrc/Virus.rof: OK
/tmp/Test.0000/virus: Eicar-Signature FOUND
/tmp/Test.0000/virus!(0): Eicar-Signature FOUND
/tmp/Test.0000/virus.tar: Eicar-Signature FOUND
/tmp/Test.0000/virus.tar!(1)POSIX_TAR:virus: Eicar-Signature FOUND
$

What am I missing?

Sincerely,
Rainer
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] Why is the Eicar-Signature not recognized in some files?
On 3/12/2024 11:07 AM, Dr Rainer Woitok via clamav-users wrote:
> Greetings,
>
> on my system the Eicar-Signature is not recognized in some files:
>
> $ cat /HomeDir/.mail/Tests/procmailrc/Virus.rof
> /tmp/Test.0000/VIRUS
> From User
> To: Me
> Date: Today
> From: User
> Subject: Virus Test
> X-VIRUS: Eicar-Signature
>
> ...
>
> $ grep -m1 ^X5O /HomeDir/.mail/Tests/procmailrc/Virus.rof >virus
> $ cat virus
> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
> $ tar -cf virus.tar virus
> $ clamscan '--alert-exceeds-max=no' --archive-verbose '--cross-fs=no' --no-summary --recursive '--remove=no' --stdout /HomeDir/.mail/Tests/procmailrc/Virus.rof virus virus.tar
> /HomeDir/.mail/Tests/procmailrc/Virus.rof: OK
> /tmp/Test.0000/virus: Eicar-Signature FOUND
> /tmp/Test.0000/virus!(0): Eicar-Signature FOUND
> /tmp/Test.0000/virus.tar: Eicar-Signature FOUND
> /tmp/Test.0000/virus.tar!(1)POSIX_TAR:virus: Eicar-Signature FOUND
> $
>
> What am I missing?


Fortunately, since you sent it to the list, the EICAR test file is
very strict about what will trigger a detection.

You can read about it here for clues about why your test didn't work.
https://www.eicar.org/
https://en.wikipedia.org/wiki/EICAR_test_file



-- Noel Jones
Re: [clamav-users] Why is the Eicar-Signature not recognized in some files?
FYI, has anyone noticed what observe.aniview.com is doing when it bypasses iOS cross-site scripting protections? This seems to be violating CCPA and GDPR and the privacy settings on the smartphones.

Has anyone else looked into this?

> On Mar 12, 2024, at 10:24, Noel Jones <njones@megan.vbhcs.org> wrote:
>
> On 3/12/2024 11:07 AM, Dr Rainer Woitok via clamav-users wrote:
>> Greetings,
>> on my system the Eicar-Signature is not recognized in some files:
>> $ cat /HomeDir/.mail/Tests/procmailrc/Virus.rof
>> /tmp/Test.0000/VIRUS
>> From User
>> To: Me
>> Date: Today
>> From: User
>> Subject: Virus Test
>> X-VIRUS: Eicar-Signature
>> ...
>> $ grep -m1 ^X5O /HomeDir/.mail/Tests/procmailrc/Virus.rof >virus
>> $ cat virus
>> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
>> $ tar -cf virus.tar virus
>> $ clamscan '--alert-exceeds-max=no' --archive-verbose '--cross-fs=no' --no-summary --recursive '--remove=no' --stdout /HomeDir/.mail/Tests/procmailrc/Virus.rof virus virus.tar
>> /HomeDir/.mail/Tests/procmailrc/Virus.rof: OK
>> /tmp/Test.0000/virus: Eicar-Signature FOUND
>> /tmp/Test.0000/virus!(0): Eicar-Signature FOUND
>> /tmp/Test.0000/virus.tar: Eicar-Signature FOUND
>> /tmp/Test.0000/virus.tar!(1)POSIX_TAR:virus: Eicar-Signature FOUND
>> $
>> What am I missing?
>
>
> Fortunately, since you sent it to the list, the EICAR test file is very strict about what will trigger a detection.
>
> You can read about it here for clues about why your test didn't work.
> https://www.eicar.org/
> https://en.wikipedia.org/wiki/EICAR_test_file
>
>
>
> -- Noel Jones
Re: [clamav-users] Why is the Eicar-Signature not recognized in some files?
Noel,

On Tuesday, 2024-03-12 12:24:48 -0500, you wrote:

> ...
> You can read about it here for clues about why your test didn't work.
> https://www.eicar.org/
> https://en.wikipedia.org/wiki/EICAR_test_file

Thanks for these pointers :-)

So the file size is restricted to 128 characters and the file must START
with the Eicar string. Ok, this explains why my previous example didn't
work. But

$ grep -Ev '/tmp/|X-V' /HomeDir/.mail/Tests/procmailrc/Virus.rof |
tee Virus | wc -c
130
$ clamscan --no-summary --stdout Virus
/HomeDir/tmp/Virus: Eicar-Signature FOUND
$

indicates that detection works even though neither the above size
restriction is met nor is the file STARTING with the Eicar string. So
what are the restrictions specifically used by "clamscan"? And can I
rely on them not to change?

As you can conclude from my example code, I'm using "procmail" to pipe
incoming mails including headers via "formail" into "clamdscan", which
currently produces the intended results with respect to the Eicar file.
I could slightly reduce the file size, but the Eicar string will always
FOLLOW the mail headers.

Sincerely,
Rainer

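The two rules Rainer took from the links (the test string must be at the very start of the file, and the file may be at most 128 bytes) can be checked mechanically. The following is an added example, not code from the thread or from ClamAV: it encodes the published EICAR rules (the 68-byte string must be the first 68 bytes, only whitespace may follow it, 128 bytes maximum) and runs them over inputs constructed after the files in the thread, including a mail file with headers in front of the string. It reports conformance to the specification only; as the 130-byte example above shows, ClamAV itself is less strict, so a "does not conform" result means a spec-strict scanner is not obliged to alert, not that clamscan will stay silent.

```python
"""Check candidate files against the EICAR test-file specification.

Added example (not from the thread or from ClamAV). Rules as published
at eicar.org: the 68-byte test string must occupy bytes 0..67, it may
be followed only by whitespace (space, tab, CR, LF, CTRL-Z), and the
whole file must not exceed 128 bytes. Sample inputs below are
constructed to mirror the files discussed in the thread.
"""
from __future__ import annotations

# Assembled from two halves at runtime so that this source file is not
# itself a byte-exact EICAR file (which an on-access scanner might
# otherwise quarantine).
EICAR_STRING = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
MAX_LEN = 128
ALLOWED_TRAILING = b" \t\r\n\x1a"  # whitespace set permitted after the string


def check_eicar(data: bytes) -> tuple[bool, str]:
    """Return (conforms, reason) for a candidate file body."""
    sig = EICAR_STRING.encode("ascii")
    if not data.startswith(sig):
        pos = data.find(sig)
        if pos == -1:
            return False, "test string absent"
        return False, f"test string at offset {pos}, not at offset 0"
    if len(data) > MAX_LEN:
        return False, f"{len(data)} bytes exceeds {MAX_LEN}"
    tail = data[len(sig):]
    if tail.strip(ALLOWED_TRAILING):
        return False, "non-whitespace bytes after the test string"
    return True, "conforms"


# Constructed sample: the header block of the thread's Virus.rof file,
# minus the leading path line that Rainer's grep -Ev removed.
MAIL_HEADERS = (
    b"From User\n"
    b"To: Me\n"
    b"Date: Today\n"
    b"From: User\n"
    b"Subject: Virus Test\n"
    b"X-VIRUS: Eicar-Signature\n"
    b"\n"
)

SAMPLES = {
    # the 'virus' file produced by grep -m1 ^X5O (string + newline)
    "bare": EICAR_STRING.encode() + b"\n",
    # string padded with spaces to exactly the 128-byte ceiling
    "padded_to_128": EICAR_STRING.encode().ljust(MAX_LEN, b" "),
    # mail headers first, then the string: what a procmail pipeline feeds
    "mail_with_headers": MAIL_HEADERS + EICAR_STRING.encode() + b"\n",
    # string first, but followed by text and well over 128 bytes
    "over_128_trailing_text": EICAR_STRING.encode() + b" extra text " * 8,
}


def report() -> dict[str, tuple[bool, str]]:
    """Run the check over every constructed sample."""
    return {name: check_eicar(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in report().items():
        print(f"{name:24s} {'conforms' if ok else 'no':9s} {why}")
```

Only the first two samples satisfy the specification; the mail file fails because the string sits at offset 86, after the headers, which is exactly the situation the thread started with.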
Re: [clamav-users] Why is the Eicar-Signature not recognized in some files?
On 3/13/2024 5:05 AM, Dr Rainer Woitok wrote:
> Noel,
>
> On Tuesday, 2024-03-12 12:24:48 -0500, you wrote:
>
>> ...
>> You can read about it here for clues about why your test didn't work.
>> https://www.eicar.org/
>> https://en.wikipedia.org/wiki/EICAR_test_file
>
> Thanks for these pointers :-)
>

You're asking the wrong questions...

The proper question is if clamav is installed and working and able
to detect viruses, and your answer is yes.

To test email, include the EICAR as an attachment, and make sure
your email software is able to scan attachments. Since you already
verified that clamav is working and able to detect test viruses, any
failure scanning email is in your email scanning method or software
and not clamav.



-- Noel Jones
Re: [clamav-users] Why is the Eicar-Signature not recognized in some files?
Noel,

On Wednesday, 2024-03-13 11:59:16 -0500, you wrote:

> ...
> To test email, include the EICAR as an attachment, and make sure
> your email software is able to scan attachments.

Good idea, thanks :-)

I wrote another mail-specific virus test script involving a "tar"
archive containing one file which in turn contains the Eicar line.

This directly leads to another question: Command "clamscan" has the nice
option "--archive-verbose" which causes both the name of the "tar"
archive and the name of the infected file to be output. How does this
translate to a configuration specification in file
"/etc/clamav/clamav.conf"? Since running "clamscan" on my laptop takes
20+ seconds just to process the virus database, I'd prefer running
"clamdscan", provided it could also be tricked into revealing this
useful bit of information.

And one more question: "clamdscan" provides the option "--config-file".
Does the file specified here globally and permanently change the "clamd"
daemon configuration and does it replace or just amend file
"/etc/clamav/clamav.conf"?

Sincerely,
Rainer
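The "--archive-verbose" lines asked about above have a regular shape (the scanned path, then "!(depth)TYPE:member" for a hit inside a container, then the signature name and FOUND, or OK), and a mail pipeline that wants to log which archive member triggered can parse them. The following is an added example, not code from the thread or from ClamAV: it parses result lines in the format shown earlier in the thread into records, and it assumes (this is an assumption about the format, not something the thread shows) that members of nested archives append further "!(n)TYPE:member" segments in the same style. The sample output is constructed after the clamscan run in the first message.

```python
"""Parse clamscan result lines, including --archive-verbose member hits.

Added example (not from the thread or from ClamAV). The line format is
taken from the output shown in the thread; handling of deeper nesting
is an assumption that each level appends another "!(n)TYPE:member".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "<target>: <signature> FOUND" or "<target>: OK"; other lines ignored.
RESULT_RE = re.compile(r"^(?P<target>.+?): (?:(?P<sig>.+) FOUND|OK)$")
# One container segment: "!(1)POSIX_TAR:virus"; "!(0)" carries no type/member.
SEGMENT_RE = re.compile(
    r"!\((?P<depth>\d+)\)(?:(?P<type>[A-Za-z0-9_]+):)?(?P<member>[^!]*)"
)


@dataclass(frozen=True)
class ScanResult:
    path: str              # file clamscan was asked to scan
    infected: bool
    signature: str | None  # e.g. "Eicar-Signature"
    container: str | None  # e.g. "POSIX_TAR" when the hit is a member
    member: str | None     # innermost member name ("" at depth 0)
    depth: int             # 0 = the file itself


def parse_line(line: str) -> ScanResult | None:
    """Return a ScanResult for a result line, or None for any other line."""
    m = RESULT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    target, sig = m.group("target"), m.group("sig")
    # A path that itself contains "!(" would be ambiguous in this format;
    # the first occurrence is taken as the start of the member chain.
    cut = target.find("!(")
    if cut == -1:
        return ScanResult(target, sig is not None, sig, None, None, 0)
    path = target[:cut]
    chain = SEGMENT_RE.findall(target[cut:])   # [(depth, type, member), ...]
    depth, ctype, member = chain[-1]           # innermost segment
    return ScanResult(path, sig is not None, sig, ctype or None, member, int(depth))


def summarize(output: str) -> dict:
    """Collapse a whole clamscan run into what a mail log needs."""
    results = [r for r in map(parse_line, output.splitlines()) if r]
    hits = [r for r in results if r.infected]
    return {
        "scanned": sorted({r.path for r in results}),
        "infected_paths": sorted({r.path for r in hits}),
        # (archive path, container type, member) for hits inside containers
        "member_hits": [(r.path, r.container, r.member) for r in hits if r.depth > 0],
    }


# Constructed sample, modelled on the clamscan output in the thread.
SAMPLE_OUTPUT = """\
/HomeDir/.mail/Tests/procmailrc/Virus.rof: OK
/tmp/Test.0000/virus: Eicar-Signature FOUND
/tmp/Test.0000/virus!(0): Eicar-Signature FOUND
/tmp/Test.0000/virus.tar: Eicar-Signature FOUND
/tmp/Test.0000/virus.tar!(1)POSIX_TAR:virus: Eicar-Signature FOUND
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

Without "--archive-verbose" only the per-file lines appear, so `member_hits` stays empty; the same parser then still reports which top-level files were flagged.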
Re: [clamav-users] Why is the Eicar-Signature not recognized in some files?
On 3/15/2024 4:49 AM, Dr Rainer Woitok wrote:
> Noel,
>
> On Wednesday, 2024-03-13 11:59:16 -0500, you wrote:
>
>> ...
>> To test email, include the EICAR as an attachment, and make sure
>> your email software is able to scan attachments.
>
> Good idea, thanks :-)
>
> I wrote another mail-specific virus test script involving a "tar"
> archive containing one file which in turn contains the Eicar line.
>
> This directly leads to another question: Command "clamscan" has the nice
> option "--archive-verbose" which causes both the name of the "tar"
> archive and the name of the infected file to be output. How does this
> translate to a configuration specification in file
> "/etc/clamav/clamav.conf"? Since running "clamscan" on my laptop takes
> 20+ seconds just to process the virus database, I'd prefer running
> "clamdscan", provided it could also be tricked into revealing this
> useful bit of information.

clamdscan and clamscan are separate programs and don't have 1-1
functionality.

If you're scanning dozens or hundreds of files, such as a directory,
the performance difference is small. If you're scanning incoming
email - lots of individual scans of one file at a time - the
performance difference is very large.

Use the tool that suits the job.

>
> And one more question: "clamdscan" provides the option "--config-file".
> Does the file specified here globally and permanently change the "clamd"
> daemon configuration and does it replace or just amend file
> "/etc/clamav/clamav.conf"?

I believe it changes it just for that instance of clamdscan, and
does not affect the clamd daemon or other clamdscan runs.




-- Noel Jones