ClamAV Fails to Detect EICAR Test File When Base32 or Base64 Encoded

[sudoingmyway]

I encountered an issue where ClamAV does not detect the EICAR test file if it is encoded using either Base32 or Base64. This could represent a potential security risk, as malware could potentially bypass detection using these common encoding schemes.

• Eicar: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

• Base32: LA2U6IKQEVAECUC3GROFAWSYGU2CQUC6FE3UGQZJG56SIRKJINAVELKTKRAU4RCBKJCC2QKOKREVMSKSKVJS2VCFKNKC2RSJJRCSCJCIFNECU===

• Base64: WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo=

Expected Behavior

ClamAV should detect and flag the Base32 and Base64 encoded files as containing the EICAR test virus.

Observed Behavior

ClamAV does not detect the EICAR test virus in either the Base32 or Base64 encoded files. The scan completes without any alerts or detections.

Environment

• ClamAV Version: 1.3.1

• Test System: Windows 11 Pro

Additional Information

It's worth noting that Windows Virus and Threat Protection immediately identified and quarantined the Base64 encoded EICAR string, highlighting a potential gap in ClamAV's detection capabilities.

Please advise if more information is needed, or if there is any ongoing work to address this issue.

[micahsnyder]

It's an interesting idea. I'm surprised any AV would do automatic base64 detection and decoding. It's not like you can run a base64 encoded EXE, or open a base64 encoded PDF. Some other program would have to decode it, first.

If you were scanning HTTP GET/POST payloads, then base64 detection and decoding would enable a lot more file transfer scans. But ClamAV is not made for scanning network traffic, and you're better off using something like Snort - or else scanning files after the receiving application has written them to disk.

I'll send this issue/proposal over to our threat research team to discuss. I'm curious if they'd have anything else to say about it.

If someone wants to make this, we could do some testing with our extensive malware collection to if it detects anything new. 🤷

[Pierre-Gronau-ndaal]

This is also the case on Linux filesystem

[HydraDragonAntivirus]

No one uploaded to Virustotal this versions of EICAR. 21 engines detected this base64 coded text: https://www.virustotal.com/gui/file/29774cdf9bc10fada55d4578a4bf43162106c945214fc1cd3eed632b511063d5 it's so normal to antiviruses detect base64 text but when it comes to base32 it's novelty https://www.virustotal.com/gui/file/7f8c4e35374b28427d77c032f6eec0be6f0459fb8751ec11281888d175162786 This should be generic idea I can work on it and ClamAV can add my code to ClamAV with options but not at default. Even if I didn't added base32 detection only base64 but so basic, Edit: I coded this thing right now.

[Pierre-Gronau-ndaal]

I detected that some other coded text will be not detected as well - are you interested?

• ascii85/Base85
• Base45
• Base58
• Base62
• bcrypt
• big5hkscs
• binhex
• punycode
• xxencode

[Pierre-Gronau-ndaal]

No one uploaded to Virustotal this versions of EICAR. 21 engines detected this base64 coded text: https://www.virustotal.com/gui/file/29774cdf9bc10fada55d4578a4bf43162106c945214fc1cd3eed632b511063d5 it's so normal to antiviruses detect base64 text but when it comes to base32 it's novelty https://www.virustotal.com/gui/file/7f8c4e35374b28427d77c032f6eec0be6f0459fb8751ec11281888d175162786 This should be generic idea I can work on it and ClamAV can add my code to ClamAV with options but not at default. Even if I didn't added base32 detection only base64 but so basic, Edit: I coded this thing right now.

I hope it will be rust based

[HydraDragonAntivirus]

No one uploaded to Virustotal this versions of EICAR. 21 engines detected this base64 coded text: https://www.virustotal.com/gui/file/29774cdf9bc10fada55d4578a4bf43162106c945214fc1cd3eed632b511063d5 it's so normal to antiviruses detect base64 text but when it comes to base32 it's novelty https://www.virustotal.com/gui/file/7f8c4e35374b28427d77c032f6eec0be6f0459fb8751ec11281888d175162786 This should be generic idea I can work on it and ClamAV can add my code to ClamAV with options but not at default. Even if I didn't added base32 detection only base64 but so basic, Edit: I coded this thing right now.

I hope it will be rust based No but if you want, I can create Rust code too now it's python code because my python code also contains too many features like base64/base32 decoder for hex, commandline and messages (from Windows applications) but creating for Rust for hex and normal code should not be hard. It's currently available from my project but my goal right now add this to ClamAV. Also I didn't test python code yet.

[Pierre-Gronau-ndaal]

it will be great if this will be a part of ClamAV - see my new issue #1354 as well