Closed manojgct84 closed 1 year ago
Hi ClamAV-Team, thanks for reporting the issue. Indeed we could reproduce the same. Do you get feedback from other users or projects using ClamAV on this issue? Would you have any plans to fix this in the code? Is there anything we can do to support a fix?
with Best Regards Martin
Hi ClamAV-Team, for a fix of this issue we offer as a reward a bug bounty of €500,00. Anyone interested in this? pls reply here to agree on details.
with Best Regards Martin
Hi ClamTeam, you can also reach out to me via email: 06_baud_fakultaet@icloud.com
thanks Martin
Hi @MartinR-cF
The files where we do not detect EICAR do not contain the EICAR test file. I've done some digging this morning. I found that some of them we do extract macros, like this:
....
sub action()
' https://github.com/mattias-ohlsson/eicar-standard-antivirus-test-files
' simple obfuscation
dim eicarpart1 as string
dim eicarpart2 as string
eicarpart1 = "X5O!P%@AP[4\PZX54(P^)7C"
eicarpart2 = "C)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
msgbox eicarpart1 + eicarpart2
end sub
or commands like this:
<externalLink xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14" xmlns:x14="http://schemas.microsoft.com/office/spreadsheetml/2009/9/main"><ddeLink xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" ddeService="cmd" ddeTopic="/C powershell.exe -NoExit -e ZQBjAGgAbwAgACIAWAA1AE8AIQBQACUAQABBAFAAWwA0AFwAUABaAFgANQA0ACgAUABeACkANwBDAEMAKQA3AH0AYAAkAEUASQBDAEEAUgAtAFMAVABBAE4ARABBAFIARAAtAEEATgBUAEkAVgBJAFIAVQBTAC0AVABFAFMAVAAtAEYASQBMAEUAIQBgACQASAArAEgAKgAiAA=="><ddeItems><ddeItem name="_xlbgnm.A1" advise="1"/><ddeItem name="StdDocumentName" ole="1" advise="1"/></ddeItems></ddeLink></externalLink>
In the first case, you can see that if you combine the two strings then it forms the EICAR test file contents, though it is not a file.
In the second case, if you decode the base64 string you'll find that it is the command echo "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*", which also is not a file.
I cannot tell you how (or why) McAfee detects these. I say "or why" because according to the spec (https://www.eicar.org/download-anti-malware-testfile/), those would not be valid at all. The specification reads:
This test file has been provided to EICAR for distribution as the „EICAR Standard Anti-Virus Test File“, and it satisfies all the criteria listed above. It is safe to pass around, because it is not a virus, and does not include any fragments of viral code. Most products react to it as if it were a virus (though they typically report it with an obvious name, such as „EICAR-AV-Test“).
The file is a legitimate DOS program, and produces sensible results when run (it prints the message „EICAR-STANDARD-ANTIVIRUS-TEST-FILE!“).
It is also short and simple – in fact, it consists entirely of printable ASCII characters, so that it can easily be created with a regular text editor. Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
The first 68 characters is the known string. It may be optionally appended by any combination of whitespace characters with the total file length not exceeding 128 characters. The only whitespace characters allowed are the space character, tab, LF, CR, CTRL-Z. To keep things simple the file uses only upper case letters, digits and punctuation marks, and does not include spaces. The only thing to watch out for when typing in the test file is that the third character is the capital letter „O“, not the digit zero.
Because the files in question are not actually the EICAR test file, but are ways to get the EICAR test file contents to be printed to the screen in a message box or whatever through scripts in document files -- we consider this to be invalid in terms of EICAR-detection.
If McAfee is detecting these with an eicar signature, and not just as some generic dropper or something (which ClamAV does for a large number of these files) then they are not being strict enough about the EICAR file format / detection rules. But if they're detecting them for having suspicious active content, then that's totally fair.
I imagine that we could add signatures to daily.cvd to detect running cmd scripts, if that's desirable. But having clam find and decode base64 strings in those commands... I'm not convinced that is reasonable.
If the purpose of these test files is to detect any sort of active/macro content-- then we can enable the --alert-macros option, and we see this:
❯ ~/clams/1.0.0/bin/clamscan -d ~/database ~/Downloads/eicar-standard-antivirus-test-files/* --leave-temps --tempdir=$HOME/tmp --gen-json -z --alert-macros
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
Loading: 55s, ETA: 0s [========================>] 8.65M/8.65M sigs
Compiling: 7s, ETA: 0s [========================>] 41/41 tasks
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-adobe-acrobat-attachment.pdf: Pdf.Dropper.Agent-7001939-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-adobe-acrobat-attachment.pdf: Win.Test.EICAR_HDB-1 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-adobe-acrobat-attachment.pdf: Win.Test.EICAR_HSB-1 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-adobe-acrobat-attachment.pdf: Eicar-Signature FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-adobe-acrobat-attachment.pdf: Eicar-Signature FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-adobe-acrobat-javascript-alert.pdf: Pdf.Dropper.Agent-7145616-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-com.com: Win.Test.EICAR_HDB-1 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-com.com: Win.Test.EICAR_HSB-1 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-com.com: Eicar-Signature FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-com.com: Eicar-Signature FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-dde-cmd-powershell-echo.xls: OK
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-dde-cmd-powershell-echo.xlsx: OK
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-cmd-echo.xls: Doc.Malware.Prince-6784184-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-cmd-echo.xls: Doc.Malware.Prince-6784184-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-cmd-echo.xls: Doc.Malware.Prince-6784185-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-cmd-echo.xls: Xls.Dropper.Generic-6923051-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-cmd-echo.xls: Heuristics.OLE2.ContainsMacros.VBA FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-cmd-echo.xlsm: Doc.Malware.Prince-6784184-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-cmd-echo.xlsm: Doc.Malware.Prince-6784184-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-cmd-echo.xlsm: Doc.Malware.Prince-6784185-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-cmd-echo.xlsm: Xls.Dropper.Generic-6923051-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-cmd-echo.xlsm: Doc.Malware.Prince-6784184-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-cmd-echo.xlsm: Doc.Malware.Prince-6784184-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-cmd-echo.xlsm: Doc.Malware.Prince-6784185-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-cmd-echo.xlsm: Xls.Dropper.Generic-6923051-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-cmd-echo.xlsm: Doc.Malware.Prince-6784184-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-cmd-echo.xlsm: Doc.Malware.Prince-6784184-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-cmd-echo.xlsm: Doc.Malware.Prince-6784185-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-cmd-echo.xlsm: Xls.Dropper.Generic-6923051-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-cmd-echo.xlsm: Heuristics.OLE2.ContainsMacros.VBA FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-msgbox.xls: Xls.Dropper.Agent-7505951-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-msgbox.xls: Heuristics.OLE2.ContainsMacros.VBA FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-msgbox.xlsm: Doc.Dropper.Agent-6997781-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-msgbox.xlsm: Doc.Dropper.Agent-6997781-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-msgbox.xlsm: Doc.Dropper.Agent-6997781-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-msgbox.xlsm: Heuristics.OLE2.ContainsMacros.VBA FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-powershell-echo.xls: Doc.Dropper.Agent-6488415-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-powershell-echo.xls: Heuristics.OLE2.ContainsMacros.VBA FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-powershell-echo.xlsm: Heuristics.OLE2.ContainsMacros.VBA FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-write-file.xls: Doc.Dropper.Agent-6835303-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-write-file.xls: Heuristics.OLE2.ContainsMacros.VBA FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-write-file.xlsm: Doc.Dropper.Agent-6609394-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-excel-macro-write-file.xlsm: Heuristics.OLE2.ContainsMacros.VBA FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-powerpoint-action-macro-msgbox.ppt: Heuristics.OLE2.ContainsMacros.VBA FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-powerpoint-action-macro-msgbox.pptm: Heuristics.OLE2.ContainsMacros.VBA FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-powerpoint-action-powershell-echo.ppt: OK
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-powerpoint-action-powershell-echo.pptx: OK
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-test.txt: Win.Test.EICAR_HDB-1 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-test.txt: Win.Test.EICAR_HSB-1 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-test.txt: Eicar-Signature FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-test.txt: Eicar-Signature FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-cmd-echo.doc: Doc.Malware.Prince-6784184-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-cmd-echo.doc: Doc.Malware.Prince-6784184-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-cmd-echo.doc: Doc.Malware.Prince-6784185-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-cmd-echo.doc: Heuristics.OLE2.ContainsMacros.VBA FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-cmd-echo.docm: Doc.Malware.Prince-6784184-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-cmd-echo.docm: Doc.Malware.Prince-6784184-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-cmd-echo.docm: Doc.Malware.Prince-6784185-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-cmd-echo.docm: Doc.Malware.Prince-6784184-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-cmd-echo.docm: Doc.Malware.Prince-6784184-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-cmd-echo.docm: Doc.Malware.Prince-6784185-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-cmd-echo.docm: Doc.Malware.Prince-6784184-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-cmd-echo.docm: Doc.Malware.Prince-6784184-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-cmd-echo.docm: Doc.Malware.Prince-6784185-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-cmd-echo.docm: Heuristics.OLE2.ContainsMacros.VBA FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-msgbox.doc: Heuristics.OLE2.ContainsMacros.VBA FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-msgbox.docm: Doc.Dropper.Agent-6507099-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-msgbox.docm: Heuristics.OLE2.ContainsMacros.VBA FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-powershell-echo.doc: Doc.Dropper.Agent-6496090-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-powershell-echo.doc: Heuristics.OLE2.ContainsMacros.VBA FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-powershell-echo.docm: Doc.Dropper.Agent-6507997-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-powershell-echo.docm: Doc.Dropper.Agent-6496169-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-powershell-echo.docm: Doc.Dropper.Agent-6507997-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-powershell-echo.docm: Doc.Dropper.Agent-6507997-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-powershell-echo.docm: Heuristics.OLE2.ContainsMacros.VBA FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-write-file.doc: Doc.Dropper.Agent-6361752-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-write-file.doc: Heuristics.OLE2.ContainsMacros.VBA FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-write-file.docm: Doc.Dropper.Agent-6460256-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-write-file.docm: Doc.Dropper.Agent-6459212-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-write-file.docm: Doc.Dropper.Agent-6460256-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-write-file.docm: Doc.Dropper.Agent-6460256-0 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-word-macro-write-file.docm: Heuristics.OLE2.ContainsMacros.VBA FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-zip.zip: Win.Test.EICAR_HDB-1 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-zip.zip: Win.Test.EICAR_HSB-1 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-zip.zip: Eicar-Signature FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-zip.zip: Eicar-Signature FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-zip2.zip: Win.Test.EICAR_HDB-1 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-zip2.zip: Win.Test.EICAR_HSB-1 FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-zip2.zip: Eicar-Signature FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/eicar-zip2.zip: Eicar-Signature FOUND
/mnt/c/Users/micasnyd/Downloads/eicar-standard-antivirus-test-files/README.md: OK
----------- SCAN SUMMARY -----------
Known viruses: 8649895
Engine version: 1.0.0
Scanned directories: 0
Scanned files: 29
Infected files: 24
Data scanned: 3.18 MB
Data read: 0.60 MB (ratio 5.29:1)
Time: 88.080 sec (1 m 28 s)
Start Date: 2023:01:13 12:47:58
End Date: 2023:01:13 12:49:26
As you can see, these 4 files failed to detect macros or "malware":
The file eicar-excel-dde-cmd-powershell-echo.xlsx uses the technique ddeService="cmd" ddeTopic="/C powershell.exe -NoExit -e ZQBjAGgAbw... to run a CMD/powershell. To me it's suspicious enough that I imagine we could add a signature for that type of command without a lot of false positives. But I am not a malware analyst. I'll talk it over with our Threat Research team to see what they think. I'm unsure how the other 3 files work.
So to summarize:
--alert-macros is enabled, but not as EICAR, specifically. The remaining three I'm unsure of how they execute powershell, but I imagine we should also detect them as having "macros" (active content).
@micahsnyder thank you for your input on this. I think having the EICAR signatures in the database would be sufficient. They are in fact not infected, so I see your point. But recognizing them would be beneficial as these files (with EICAR signatures) are commonly used in pentests.
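The distinction discussed in this thread, between an object that is the EICAR test file under the quoted specification and a document that only carries a command printing the string, as an added example (not ClamAV's code and not posted by any participant). Function names are hypothetical; the DDE sample is the `ddeTopic` attribute from the XML quoted earlier, trimmed to one element, and the macro sample is the two string assignments from the quoted VBA. PowerShell's `-e` argument is base64 over UTF-16LE text, and the decoded command carries a backtick escape before each `$`.

```python
import base64
import binascii
import re

# The 68-character string from the EICAR specification quoted in the thread.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_TRAILER = b" \t\n\r\x1a"  # space, tab, LF, CR, CTRL-Z
MAX_LEN = 128

def is_strict_eicar(data: bytes) -> bool:
    """True only when the whole object meets the quoted rule: it starts with
    the 68 characters, has whitespace-only padding, and is at most 128 bytes."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_TRAILER for b in data[len(EICAR):])

def decode_encoded_command(b64: str) -> str:
    """Decode a PowerShell -e / -EncodedCommand argument (base64, UTF-16LE)."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")

def dde_encoded_commands(xml: str) -> list[str]:
    """Decode the powershell -e payload of every ddeTopic attribute found."""
    decoded = []
    for topic in re.findall(r'ddeTopic="([^"]*)"', xml):
        m = re.search(r"(?i)powershell(?:\.exe)?\b.*?\s-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]+)", topic)
        if not m:
            continue
        try:
            decoded.append(decode_encoded_command(m.group(1)))
        except (binascii.Error, UnicodeDecodeError):
            pass  # not a well-formed encoded command; nothing to report
    return decoded

def classify(data: bytes) -> str:
    """'eicar-file' for the spec-conformant object, 'eicar-text-embedded' when
    the string only appears inside something else, otherwise 'not-eicar'."""
    if is_strict_eicar(data):
        return "eicar-file"
    # Assumption for this example: drop PowerShell backtick escapes first.
    if EICAR in data.replace(b"`", b""):
        return "eicar-text-embedded"
    return "not-eicar"

# Sample taken from the XML quoted in the thread, trimmed to one element.
SAMPLE_DDE = '<ddeLink ddeService="cmd" ddeTopic="/C powershell.exe -NoExit -e ZQBjAGgAbwAgACIAWAA1AE8AIQBQACUAQABBAFAAWwA0AFwAUABaAFgANQA0ACgAUABeACkANwBDAEMAKQA3AH0AYAAkAEUASQBDAEEAUgAtAFMAVABBAE4ARABBAFIARAAtAEEATgBUAEkAVgBJAFIAVQBTAC0AVABFAFMAVAAtAEYASQBMAEUAIQBgACQASAArAEgAKgAiAA=="/>'

# The two string assignments from the quoted VBA macro.
SAMPLE_MACRO = rb'''eicarpart1 = "X5O!P%@AP[4\PZX54(P^)7C"
eicarpart2 = "C)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"'''

if __name__ == "__main__":
    for cmd in dde_encoded_commands(SAMPLE_DDE):
        print(cmd, "->", classify(cmd.encode("ascii")))
    print("macro source ->", classify(SAMPLE_MACRO))
```

The split-string macro comes out as `not-eicar` because the string is never contiguous in the source, which is why it surfaces only through macro or dropper signatures in the scan output.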
@micahsnyder, at first thanks for your response and effort. I'm supporting @bbasman with his response and proposal.
thanks & with Best Regards
@bbasman @MartinR-cF I'm sorry for the delay in responding to you.
Our threat research team added the signatures to detect the suspicious techniques used in those last few test files that we didn't detect before.
They still don't detect the actual "eicar" content, so it doesn't mention "eicar". But they're not simple signatures that would only detect the test files. The signatures should actually protect against other malware using the same technique. So that's actually the best possible news!
This is what testing on my laptop showed.
/mnt/c/Users/micah/Downloads/eicar-standard-antivirus-test-files-master/eicar-excel-dde-cmd-powershell-echo.xls: Xls.Exploit.Agent-9987934-0 FOUND
/mnt/c/Users/micah/Downloads/eicar-standard-antivirus-test-files-master/eicar-excel-dde-cmd-powershell-echo.xlsx: Xml.Exploit.DDE_Abuse-9987933-0 FOUND
/mnt/c/Users/micah/Downloads/eicar-standard-antivirus-test-files-master/eicar-powerpoint-action-powershell-echo.ppt: Ppt.Exploit.Agent-9987931-1 FOUND
/mnt/c/Users/micah/Downloads/eicar-standard-antivirus-test-files-master/eicar-powerpoint-action-powershell-echo.pptx: Xml.Exploit.External_Relationship_Abuse-9987932-1 FOUND
Describe the bug
When we pass an eicar ppt or pptx to clamav it gives an ok stream, but the expected is infected.
When the same file is passed to McAfee, it tells the file is infected.
How to reproduce the problem
The output from the ClamAV command: stream: OK