Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

We are trying to scan (Virus: DOS/EICAR_Test_File) malicious files and clamav is not detecting as malicious #875

Closed kannn012 closed 9 months ago

kannn012 commented 1 year ago

Describe the bug

We are using ClamAV as an antivirus container solution in our microservice application environment. ClamAV scans the files when a file upload/download happens via the application. We are trying to upload a set of malicious files (Virus: DOS/EICAR_Test_File) of type .xls and .csv, and it is not detecting those files as malicious. The same files are detected as malicious by other antivirus software. I have attached the scan logs.

Attachments

clamav-scan-logs.txt - file containing the scanning log information.
clamconf.txt - file containing the clamconf -n information.

micahsnyder commented 1 year ago

@kannn012 without the exact test files you're using I can't help identify why Clam isn't detecting your particular test file. But if you want the real EICAR files, you can get them from https://www.eicar.org/download-anti-malware-testfile/

ClamAV is very particular to follow the EICAR rules described on that website and will not detect invalid variations of the EICAR file. Many other AV products are more relaxed and will match on any test file that people think is EICAR-ish enough to be used in testing.

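The rules Micah refers to are the ones published on the EICAR download page: the file must begin with the exact 68-character EICAR string, may be followed only by whitespace (space, tab, CR, LF, Ctrl-Z), and must not exceed 128 bytes in total. The check below is an added example for this thread, not ClamAV's code or its signature engine; it only encodes those published rules so you can see which "EICAR-ish" files (the string pasted into a CSV cell, a BOM-prefixed file, a lower-cased copy) fall outside them. The sample files are constructed inline.

```python
"""Validate byte strings against the published EICAR test-file rules.

Added example, not ClamAV code. It implements the rules from
https://www.eicar.org/download-anti-malware-testfile/ and nothing else.
"""

# The 68-byte EICAR string, built from two halves so that this source
# file is not itself a valid EICAR test file.
EICAR = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
assert len(EICAR) == 68

# The only bytes permitted after the string, and the total-length cap.
TRAILING_WHITESPACE = frozenset(b" \t\r\n\x1a")
MAX_LEN = 128


def is_valid_eicar(data: bytes) -> bool:
    """True only if `data` is an EICAR test file under the published rules:
    starts with the exact 68-byte string at offset 0, is at most 128 bytes,
    and everything after the string is space/tab/CR/LF/Ctrl-Z."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in TRAILING_WHITESPACE for b in data[len(EICAR):])


def classify(samples: dict) -> dict:
    """Map sample name -> bool for a dict of name -> file bytes."""
    return {name: is_valid_eicar(blob) for name, blob in samples.items()}


# Constructed samples covering the kinds of files people submit as "EICAR".
SAMPLES = {
    "bare": EICAR,
    "crlf": EICAR + b"\r\n",
    "padded_128": EICAR + b" " * 60,           # exactly at the 128-byte cap
    "padded_129": EICAR + b" " * 61,           # one byte over the cap
    "utf8_bom": b"\xef\xbb\xbf" + EICAR,        # string not at offset 0
    "lowercase": EICAR.lower(),                # not the exact string
    "csv_row": b"id,payload\r\n1," + EICAR + b"\r\n",  # embedded in a CSV
    "json_field": b'{"eicar": "' + EICAR + b'"}',
}

if __name__ == "__main__":
    for name, ok in classify(SAMPLES).items():
        print(f"{name:12s} {'valid EICAR' if ok else 'not EICAR'}")
```

Only the first three samples satisfy the rules; a product that still flags the others is matching more loosely than the standard asks for, which is the difference Micah describes between ClamAV and "more relaxed" engines.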
kannn012 commented 1 year ago

Hello Micah Snyder, I have attached the virus files we used as a zip file. Please test and let us know the results. These files were detected and deleted by Microsoft Defender on our system, but ClamAV is not catching them.

Just so you know, I was able to download the EICAR file from the link you suggested and test it. ClamAV detected the virus.

eicar-test-virus-files.zip

aralvin09 commented 1 year ago

@kannn012 @micahsnyder were you able to resolve the issue? I am trying the same and clamav is not able to flag (ppt, pptx, xlsx) eicar files. The files I am using to test are from here: https://github.com/fire1ce/eicar-standard-antivirus-test-files Any leads would be greatly appreciated.

micahsnyder commented 9 months ago

@aralvin09 I missed your message.

The XLSX detection was resolved with a signature update:
❯ ./bin/clamscan ~/Downloads/eicar-test-virus-files/*
Loading:    22s, ETA:   0s [========================>]    8.67M/8.67M sigs
Compiling:   3s, ETA:   0s [========================>]       41/41 tasks

/mnt/c/Users/micah/Downloads/eicar-test-virus-files/test (2).csv: OK
/mnt/c/Users/micah/Downloads/eicar-test-virus-files/test (2).xlsx: Xml.Exploit.DDE_Abuse-9987933-1 FOUND
/mnt/c/Users/micah/Downloads/eicar-test-virus-files/Virus.csv: OK

The CSV files are not EICAR related and should not be detected. The contents for each are:

❯ bat ~/Downloads/eicar-test-virus-files/test\ \(2\).csv
───────┬────────────────────────────────────────────────────────────────────────────────────────────────────
       │ File: /home/micah/Downloads/eicar-test-virus-files/test (2).csv
───────┼────────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ UserId,BillToDate,ProjectName,Description,DurationMinutes
   2   │ 1,2017-07-25,Test Project,Flipped the jibbet,60
   3   │ 2,2017-07-25,Important Client,"Bop, dop, and giglip", 240
   4   │ 2,2017-07-25,Important Client,"=2+5+cmd|' /C calc'!A0", 240
───────┴────────────────────────────────────────────────────────────────────────────────────────────────────

❯ bat ~/Downloads/eicar-test-virus-files/Virus.csv
───────┬────────────────────────────────────────────────────────────────────────────────────────────────────
       │ File: /home/micah/Downloads/eicar-test-virus-files/Virus.csv
───────┼────────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ UserId,BillToDate,ProjectName,Description,DurationMinutes
   2   │ 1,2017-07-25,Test Project,Flipped the jibbet,60
   3   │ 2,2017-07-25,Important Client,"Bop, dop, and giglip", 240
   4   │ 2,2017-07-25,Important Client,"=2+5+cmd|' /C calc'!A0", 240
───────┴────────────────────────────────────────────────────────────────────────────────────────────────────
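The last row of both CSV files carries `=2+5+cmd|' /C calc'!A0`, the classic DDE formula-injection payload: it is inert bytes until a spreadsheet client evaluates the cell, which is why it is not an EICAR match and not something an AV signature scan is meant to catch. An upload gateway that wants to stop that class of input has to parse the CSV itself. The following is an added example for this thread, not ClamAV or project code; it reproduces the CSV shown above as a constructed inline sample, reports which cells a spreadsheet would treat as formulas, and defangs them with the usual leading-quote prefix.

```python
"""Detect and neutralise spreadsheet formula cells in a CSV upload.

Added example, not ClamAV code. The sample CSV reproduces the file
contents posted in the thread.
"""
import csv
import io

# A cell beginning with one of these (after leading whitespace) is
# evaluated as a formula by Excel/LibreOffice. "-" and "+" also flag
# signed numbers; that is the accepted, conservative trade-off.
FORMULA_LEAD = frozenset("=+-@")

# The two CSV files from the thread, reproduced here so the example runs offline.
SAMPLE_CSV = (
    "UserId,BillToDate,ProjectName,Description,DurationMinutes\n"
    "1,2017-07-25,Test Project,Flipped the jibbet,60\n"
    '2,2017-07-25,Important Client,"Bop, dop, and giglip", 240\n'
    "2,2017-07-25,Important Client,\"=2+5+cmd|' /C calc'!A0\", 240\n"
)


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet client would interpret `value` as a formula."""
    v = value.lstrip(" \t\r\n")
    return bool(v) and v[0] in FORMULA_LEAD


def formula_cells(text: str) -> list:
    """Return [(row_number, column_name, value)] for every formula cell.
    Row numbers are 1-based and count the header line as row 1."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    hits = []
    for row_no, row in enumerate(reader, start=2):
        for col, value in zip(header, row):
            if is_formula_cell(value):
                hits.append((row_no, col, value))
    return hits


def neutralize(value: str) -> str:
    """Prefix a formula cell with a single quote so clients store it as text.
    Idempotent: an already-prefixed cell starts with "'" and is left alone."""
    return "'" + value if is_formula_cell(value) else value


def sanitize_csv(text: str) -> str:
    """Rewrite a CSV with every formula cell neutralised."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([neutralize(cell) for cell in row])
    return out.getvalue()


if __name__ == "__main__":
    for row_no, col, value in formula_cells(SAMPLE_CSV):
        print(f"row {row_no}, column {col!r}: {value}")
    print(sanitize_csv(SAMPLE_CSV))
```

Running it reports exactly one hit, row 4 of the Description column, and the sanitised output carries that cell as `'=2+5+cmd|' /C calc'!A0`. Scanning with ClamAV and this kind of content check are complementary: the first covers malware signatures such as the `Xml.Exploit.DDE_Abuse` hit on the XLSX, the second covers data that is only dangerous once a client application interprets it.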