Hello, I have a problem when I try to scan EICAR files with different encodings. I am able to get VirusDetected with utf-8, iso-8859-1 and us-ascii, but with utf-16, utf-16BE, utf-32 and utf-32BE the scan returns Clean.

I use the docker image clamav/clamav:0.104.0 and the C# client for scan requests.

Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
PreludeAnalyzerName = "ClamAV"
LogFile = "/var/log/clamav/clamav.log"
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
TCPSocket = "3310"
MaxConnectionQueueLength = "15"
StreamMaxLength = "209715200"
MaxThreads = "12"
ReadTimeout = "180"
CommandReadTimeout = "5"
SendBufTimeout = "200"
SelfCheck = "3600"
Foreground = "yes"
User = "clamav"
BytecodeTimeout = "60000"
MaxScanSize = "104857600"
MaxFileSize = "52428800"
MaxRecursion = "16"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "5000"
PCREMaxFileSize = "26214400"
*** DetectBrokenExecutables is DEPRECATED ***
*** ScanOnAccess is DEPRECATED ***

Config file: freshclam.conf
---------------------------
PidFile = "/run/lock/freshclam.pid"
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseMirror = "database.clamav.net"

Config file: clamav-milter.conf
-------------------------------
LogFile = "/var/log/clamav/milter.log"
LogTime = "yes"
PidFile = "/run/lock/clamav-milter.pid"
User = "clamav"
ClamdSocket = "unix:/run/clamav/clamd.sock", "unix:/run/clamav/clamd.sock", "unix:/run/clamav/clamd.sock", "unix:/run/clamav/clamd.sock", "unix:/run/clamav/clamd.sock"
MilterSocket = "inet:7357"

Software settings
-----------------
Version: 0.105.1
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR

Database information
--------------------
Database directory: /var/lib/clamav
bytecode.cvd: version 333, sigs: 92, built on Mon Mar  8 15:21:51 2021
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 12:32:42 2021
daily.cvd: version 26644, sigs: 1999707, built on Wed Aug 31 07:53:02 2022
Total number of signatures: 8647226

Platform information
--------------------
uname: Linux 5.10.16.3-microsoft-standard-WSL2 #1 SMP Fri Apr 2 22:23:49 UTC 2021 x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.12 (1.2.12), compile flags: a9
platform id: 0x0a21979708000000000b0201

Build information
-----------------
GNU C: 11.2.1 20220219 (11.2.1)
sizeof(void*) = 8
Engine flevel: 151, dconf: 151

No 3rd party signatures

Try to scan an EICAR file in UTF-16 LE encoding to reproduce the bug.


EICAR may be a text file, but it is also an executable DOS program. It is not intended to be detected when encoded as UTF-16/32/BE/LE/etc.

The rules for detecting EICAR are very specific, and ClamAV is pedantic in adhering to these rules:

The file is a legitimate DOS program, and produces sensible results when run (it prints the message „EICAR-STANDARD-ANTIVIRUS-TEST-FILE!“).

It is also short and simple – in fact, it consists entirely of printable ASCII characters, so that it can easily be created with a regular text editor. Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The first 68 characters is the known string. It may be optionally appended by any combination of whitespace characters with the total file length not exceeding 128 characters. The only whitespace characters allowed are the space character, tab, LF, CR, CTRL-Z. To keep things simple the file uses only upper case letters, digits and punctuation marks, and does not include spaces. The only thing to watch out for when typing in the test file is that the third character is the capital letter „O“, not the digit zero.

See: https://www.eicar.org/download-anti-malware-testfile/

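Added example (not ClamAV's own matching code and not part of either post): a checker that applies the EICAR rules quoted in the answer above, then runs the signature text through the same encodings the question lists, so you can see which ones still produce the required 68 ASCII bytes and which fail the length rule. Encoding names are Python's; its `utf-16`/`utf-32` codecs prepend a BOM, the `-be` forms do not.

```python
# Added example: checks the EICAR rules as quoted on this page
# (68-byte ASCII signature, optional trailing whitespace, at most 128 bytes).
# It is not ClamAV's implementation; it shows why the ASCII-compatible
# encodings match and the UTF-16/UTF-32 variants do not.

# The 68-character signature from the page (note the backslash after the 4).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# The only characters the specification permits after the signature:
# space, tab, LF, CR and CTRL-Z (0x1A).
ALLOWED_TRAILER = frozenset(b" \t\n\r\x1a")


def eicar_verdict(data: bytes) -> str:
    """Return "EICAR" if data is a valid EICAR test file, otherwise a short
    reason naming the first rule it fails."""
    if len(data) < len(EICAR):
        return f"too short ({len(data)} bytes, need at least {len(EICAR)})"
    if len(data) > 128:
        return f"too long ({len(data)} bytes, limit is 128)"
    if data[: len(EICAR)] != EICAR:
        return "first 68 bytes are not the EICAR signature"
    bad = [b for b in data[len(EICAR):] if b not in ALLOWED_TRAILER]
    if bad:
        return f"disallowed trailing byte 0x{bad[0]:02x}"
    return "EICAR"


def is_eicar(data: bytes) -> bool:
    return eicar_verdict(data) == "EICAR"


def verdicts_by_encoding(encodings=("utf-8", "iso-8859-1", "us-ascii",
                                    "utf-16", "utf-16-be",
                                    "utf-32", "utf-32-be")) -> dict:
    """Encode the signature text the way the question did and check each
    result. UTF-16/32 double or quadruple the byte count, so the output is
    no longer the 68-byte string and exceeds the 128-byte limit."""
    text = EICAR.decode("ascii")
    return {enc: eicar_verdict(text.encode(enc)) for enc in encodings}


if __name__ == "__main__":
    for enc, verdict in verdicts_by_encoding().items():
        print(f"{enc:<11} {verdict}")
```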