Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

ClamAV does not detect the EICAR test file if we put the EICAR string in the middle or end of a file. #1277

Closed clamavissue closed 5 months ago

clamavissue commented 5 months ago

Describe the bug

We tried creating a text file with the malicious string from the EICAR file placed at the start, in the middle, and at the end of the file.

We are using the latest ClamAV version, which is 1.3.1.

When we put the string at the start it detects the file as infected, but when the string is in the middle or at the end it doesn't detect it as infected.

Is there any reason for this?

How to reproduce the problem

Replace this text with specific steps needed to reproduce the issue.

Replace this text with the output from the ClamAV command: clamconf -n

Attachments

If applicable, add screenshots to help explain your problem.

If the issue is reproducible only when scanning a specific file, attach it to the ticket.

micahsnyder commented 5 months ago

The EICAR test file is not intended to be used that way. ClamAV is very strict in how it detects EICAR.

The rules are as follows:

THE ANTI-MALWARE TESTFILE

It is also short and simple – in fact, it consists entirely of printable ASCII characters, so that it can easily be created with a regular text editor. Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The first 68 characters are the known string. It may be optionally appended by any combination of whitespace characters with the total file length not exceeding 128 characters. The only whitespace characters allowed are the space character, tab, LF, CR, CTRL-Z. To keep things simple the file uses only upper case letters, digits and punctuation marks, and does not include spaces. The only thing to watch out for when typing in the test file is that the third character is the capital letter “O”, not the digit zero.

This test file has been provided to EICAR for distribution as the “EICAR Standard Anti-Virus Test File”, and it satisfies all the criteria listed above. It is safe to pass around, because it is not a virus, and does not include any fragments of viral code. Most products react to it as if it were a virus (though they typically report it with an obvious name, such as “EICAR-AV-Test”).

The file is a legitimate DOS program, and produces sensible results when run (IT PRINTS THE MESSAGE “EICAR-STANDARD-ANTIVIRUS-TEST-FILE!”).

Reference: https://www.eicar.org/download-anti-malware-testfile/

EICAR is to be treated as a file and will be detected by ClamAV when found in archives or attached (as a file) to emails, or documents.

EICAR should NOT be detected when it is pasted into the middle of a text file, or otherwise embedded or appended in other files without structure. This includes things like pasting it (as text) in the cell of a spreadsheet. (Conversely, if you attach EICAR as a file to a spreadsheet then ClamAV should detect it.)
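The EICAR rules quoted above (file starts with the 68-byte string, only whitespace from a fixed set may follow, total length at most 128 bytes) are precise enough to check mechanically. The following checker is an added illustration written for this page; it is not ClamAV's own detection code and does not claim to reproduce every detail of ClamAV's signature logic. The three constructed samples mirror the reporter's experiments (string at the start, in the middle, at the end of a text file); the filler text around the string is an assumption chosen only for illustration.

```python
# Added example: validate data against EICAR's published test-file rules.
# Not ClamAV code; an educational re-implementation of the rules quoted above.

# The 68-character EICAR string (the backslash is escaped for the bytes literal).
EICAR_STRING = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
assert len(EICAR_STRING) == 68

# Only these whitespace bytes may follow the string: space, TAB, LF, CR, CTRL-Z.
ALLOWED_TRAILING = frozenset(b" \t\n\r\x1a")
MAX_LEN = 128


def explain_eicar(data: bytes) -> str:
    """Return why `data` does or does not qualify as an EICAR test file.

    Possible results: "ok", "too-long", "wrong-prefix", "trailer-not-whitespace".
    """
    if len(data) > MAX_LEN:
        return "too-long"
    if not data.startswith(EICAR_STRING):
        # Covers the "middle" and "end" cases from the report: the string must
        # be at offset 0, so anything placed before it disqualifies the file.
        return "wrong-prefix"
    if any(b not in ALLOWED_TRAILING for b in data[len(EICAR_STRING):]):
        return "trailer-not-whitespace"
    return "ok"


def is_eicar_test_file(data: bytes) -> bool:
    """True only if `data` satisfies all three of EICAR's rules."""
    return explain_eicar(data) == "ok"


# Constructed samples reproducing the reporter's three experiments.
FILLER = b"some harmless text\n"  # assumed filler, not from the report
SAMPLES = {
    "start": EICAR_STRING + b"\n",       # string first, only a newline after
    "middle": FILLER + EICAR_STRING + FILLER,
    "end": FILLER + EICAR_STRING,
}


def verdicts() -> dict:
    """Map each sample name to (qualifies?, reason)."""
    return {name: (is_eicar_test_file(d), explain_eicar(d)) for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in verdicts().items():
        print(f"{name:6s} -> {'EICAR' if ok else 'not EICAR'} ({why})")
```

Running the block prints that only the "start" sample qualifies; the "middle" and "end" samples fail on the prefix rule, which is exactly the behaviour the reporter observed. The length rule is also enforced: 60 trailing spaces (128 bytes total) still pass, 61 do not.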

clamavissue commented 5 months ago

Hello,

Thanks for the reply. Can you please let us know how to create an infected file of size 1GB? Do you have steps to create any such test file?

Thanks, Dipti

micahsnyder commented 5 months ago

I do not. Perhaps you could modify an existing large archive to add in the EICAR test file. For example, mount large ISO disk image and then add a file.