Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

Clamav not able to detect EICAR content when prepended with a new line #1389

Closed himanshusati closed 1 month ago

himanshusati commented 1 month ago

Hi Team,

As we know, EICAR files are detected by all antivirus software and are useful for determining whether an attempt to upload arbitrary malicious content is possible.

We tested the following scenario with an EICAR file:

  1. The EICAR file was flagged as infected by the ClamAV scan, as expected.
  2. However, when a new line was prepended to the EICAR file, ClamAV did not flag it as infected. (Attachment: file.zip)

Shouldn't ClamAV have identified this as an EICAR file, even with the extra line, and flagged it as infected? Could you please investigate this issue and provide feedback?

EICAR file content

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

EICAR file content with newline prepended

add a new line
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Config file: clamd.conf

LogTime = "yes"
LogVerbose = "yes"
ExtendedDetectionInfo = "yes"
TemporaryDirectory = "/var/tmp/clamav"
DatabaseDirectory = "/var/lib/clamav"
LocalSocket = "/var/run/clamav/clamd.socket"
LocalSocketGroup = "clamav"
LocalSocketMode = "660"
MaxConnectionQueueLength = "30"
StreamMaxLength = "524288000"
StreamMaxPort = "3320"
MaxThreads = "20"
ReadTimeout = "300"
CommandReadTimeout = "5"
ExcludePath = "^/proc/", "^/sys/", "^/dev/", "^/var/log/clamav/"
MaxDirectoryRecursion = "25"
ExitOnOOM = "yes"
Foreground = "yes"
User = "clamav"
HeuristicScanPrecedence = "yes"
MaxScanTime = "40000"
MaxScanSize = "524288000"
MaxFileSize = "524288000"
MaxRecursion = "4"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
PCREMatchLimit = "10000"
PCREMaxFileSize = "26214400"

Config file: freshclam.conf

LogFileMaxSize = "2097152"
PidFile = "/var/run/clamav/freshclam.pid"
DatabaseDirectory = "/var/lib/clamav"
Foreground = "yes"
DNSDatabaseInfo = "currentfreshclam.adobesc.com"
DatabaseMirror = "http://freshclam-ue1.adobesc.com", "http://freshclam-ew1.adobesc.com", "http://freshclam-ew1.adobesc.com", "http://freshclam-ue1.adobesc.com"
MaxAttempts = "1"
OnErrorExecute = "exit 0"
ReceiveTimeout = "120"
AllowSupplementaryGroups is DEPRECATED

clamav-milter.conf not found

Software settings

Version: 1.3.0
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR JIT

Database information

Database directory: /var/lib/clamav
daily.cld: version 27426, sigs: 2067214, built on Sun Oct 13 08:30:02 2024
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 12:32:42 2021
bytecode.cvd: version 335, sigs: 86, built on Tue Feb 27 15:37:24 2024
Total number of signatures: 8714727

Platform information

uname: Linux 6.1.96-flatcar #1 SMP PREEMPT Mon Jul 1 23:26:07 -00 2024 aarch64
OS: Linux, ARCH: aarch64, CPU: aarch64
zlib version: 1.2.11 (1.2.11), compile flags: a9
Triple: aarch64-unknown-linux-gnu
CPU: neoverse-n1, Little-endian
platform id: 0x0a01c8c8080b0400030b0400

Build information

GNU C: 11.4.0 (11.4.0)
GNU C++: 11.4.0 (11.4.0)
sizeof(void*) = 8
Engine flevel: 200, dconf: 200

micahsnyder commented 1 month ago

Prepending with a \n is not a valid way to modify EICAR and still have detection.

Please see my explanation here: https://github.com/Cisco-Talos/clamav/issues/1277#issuecomment-2139686994
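As an added illustration of the point made above (this is not code from either commenter or from ClamAV), the following Python checker applies the EICAR test-file rules: the 68-byte string must begin at offset 0, it may be followed only by whitespace, and the whole file may be at most 128 bytes. It runs the two constructed samples from the report (plain, and with a line prepended) so a triager can see which one is actually a valid EICAR test file; the sample names and helper functions are assumptions for the example.

```python
# Added example: model the EICAR test-file rules so "missed detection"
# reports can be triaged. This is not ClamAV's signature engine; it only
# encodes the rule that the signature must be at the very start of the file.

# The 68-byte EICAR test string (backslash escaped for the bytes literal).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_MAX_LEN = 128
# Whitespace permitted after the signature per the EICAR description:
# space, tab, LF, CR and CTRL-Z (constructed set following that description).
TRAILING_WS = {0x20, 0x09, 0x0A, 0x0D, 0x1A}


def is_valid_eicar(data: bytes) -> bool:
    """True when data is a test file an AV product is expected to detect."""
    if len(data) > EICAR_MAX_LEN or not data.startswith(EICAR):
        return False
    # Everything after the 68-byte signature must be whitespace only.
    return all(b in TRAILING_WS for b in data[len(EICAR):])


def explain(data: bytes) -> str:
    """Short reason string for a triage note (hypothetical helper)."""
    if data.startswith(EICAR):
        return "valid" if is_valid_eicar(data) else "signature at offset 0 but tail or length invalid"
    idx = data.find(EICAR)
    if idx == -1:
        return "EICAR string absent"
    return f"EICAR string present at offset {idx}, not at offset 0: not a valid test file"


# Constructed samples reproducing the cases from the report.
SAMPLES = {
    "plain": EICAR,
    "trailing_newline": EICAR + b"\n",
    "prepended_newline": b"\n" + EICAR,
    "prepended_text": b"add a new line\n" + EICAR,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:18} valid={str(is_valid_eicar(blob)):5} {explain(blob)}")
```

Only the "plain" and "trailing_newline" samples pass; both prepended variants fail because the signature is no longer at offset 0, which is exactly the behaviour the report observed.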