Closed zhaidarbek closed 1 year ago
@zhaidarbek This doesn't sound right to me. Can you share some files that I can test with? If they exist on virustotal.com, I can download them if you give me the hash or a link to the file.
@micahsnyder Sorry for the delay, I had to modify the script to not delete the infected file. Here are sample infected files:
https://www.virustotal.com/gui/file/ece9073fd97b30f398ba27d7e45717fe4e0225e76d64246eb70ebdc8b09c0acb
https://www.virustotal.com/gui/file/649f3b0148c4f8202b0c2d24a490a99523acc0bd3245c08499162b94ca5d30a5
We are using INSTREAM mode to scan files programmatically.
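Added example, not part of the thread or of the ClamAV project's code: a minimal client for clamd's INSTREAM command, showing the chunk framing and a reply parser that treats anything other than an explicit `stream: OK` or `... FOUND` as an error rather than as clean. `fake_clamd`, the marker bytes and the `Test.Sig` name are constructed stand-ins so the block runs offline.

```python
import socket, struct, threading

def frame_instream(data: bytes, chunk: int = 8192) -> bytes:
    """Command, then <4-byte big-endian length><data> chunks, then a zero-length chunk."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        out.append(struct.pack("!I", len(part)) + part)
    out.append(struct.pack("!I", 0))
    return b"".join(out)

def parse_reply(raw: bytes):
    """Return (verdict, detail); verdict is 'clean', 'infected' or 'error'."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return "infected", text[len("stream: "):-len(" FOUND")]
    if text == "stream: OK":
        return "clean", ""
    # e.g. "INSTREAM size limit exceeded. ERROR" or an empty reply: fail closed
    return "error", text

def scan(sock: socket.socket, data: bytes):
    """Send data over an open clamd connection and return the parsed verdict."""
    sock.sendall(frame_instream(data))
    buf = b""
    while not buf.endswith(b"\0"):
        got = sock.recv(4096)
        if not got:          # connection closed before a full reply arrived
            break
        buf += got
    return parse_reply(buf)

def fake_clamd(sock, marker=b"CONSTRUCTED-BAD"):
    """Constructed stand-in for clamd: flags streams containing the marker."""
    f = sock.makefile("rb")
    f.read(10)                                   # consume b"zINSTREAM\0"
    body = b""
    while (n := struct.unpack("!I", f.read(4))[0]):
        body += f.read(n)
    sock.sendall(b"stream: Test.Sig FOUND\0" if marker in body else b"stream: OK\0")

def demo(data: bytes):
    a, b = socket.socketpair()
    t = threading.Thread(target=fake_clamd, args=(b,))
    t.start()
    try:
        return scan(a, data)
    finally:
        t.join(); a.close(); b.close()
```

Against a real daemon, pass `scan` a socket connected to clamd's configured TCP port or local socket instead of using `demo`.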
@zhaidarbek It worked okay for me. I downloaded them and then ran:
❯ docker run -it --mount type=bind,source=/home/micah/Downloads/gh-932-1.1.0-missing-detections,target=/gh-932-1.1.0-missing-detections clamav/clamav:1.1.0-1_base /bin/ash
/ # freshclam
ClamAV update process started at Thu Jun 1 22:39:19 2023
daily database available for download (remote version: 26925)
Time: 5.4s, ETA: 0.0s [========================>] 58.58MiB/58.58MiB
WARNING: ******* RESULT 200, SIZE: 61430057 *******
Testing database: '/var/lib/clamav/tmp.38bcc95179/clamav-3557b5eafff2c1d73f718b4ec487cc84.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 26925, sigs: 2036167, f-level: 90, builder: raynman)
main database available for download (remote version: 62)
Time: 15.8s, ETA: 0.0s [========================>] 162.58MiB/162.58MiB
WARNING: ******* RESULT 200, SIZE: 170479789 *******
Testing database: '/var/lib/clamav/tmp.38bcc95179/clamav-5759737fbe7b7c4a4730aec6315d3619.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode database available for download (remote version: 334)
Time: 0.2s, ETA: 0.0s [========================>] 285.12KiB/285.12KiB
WARNING: ******* RESULT 200, SIZE: 291965 *******
Testing database: '/var/lib/clamav/tmp.38bcc95179/clamav-525958d912a52d53e4ce10e7c05e9eca.tmp-bytecode.cvd' ...
Database test passed.
bytecode.cvd updated (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
WARNING: Clamd was NOT notified: Can't connect to clamd through /tmp/clamd.sock: No such file or directory
/ # clamscan /gh-932-1.1.0-missing-detections/*
Loading: 16s, ETA: 0s [========================>] 8.67M/8.67M sigs
Compiling: 3s, ETA: 0s [========================>] 41/41 tasks
/gh-932-1.1.0-missing-detections/649f3b0148c4f8202b0c2d24a490a99523acc0bd3245c08499162b94ca5d30a5: Win.Malware.Agent-6359986-0 FOUND
LibClamAV Warning: cli_codepage_to_utf8: iconv error: An invalid multibyte sequence has been encountered in the input.
LibClamAV Warning: cli_codepage_to_utf8: iconv error: An invalid multibyte sequence has been encountered in the input.
/gh-932-1.1.0-missing-detections/ece9073fd97b30f398ba27d7e45717fe4e0225e76d64246eb70ebdc8b09c0acb: Xls.Trojan.Laroux-48 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8668070
Engine version: 1.1.0
Scanned directories: 0
Scanned files: 2
Infected files: 2
Data scanned: 5.82 MB
Data read: 2.79 MB (ratio 2.09:1)
Time: 21.942 sec (0 m 21 s)
Start Date: 2023:06:01 22:40:02
End Date: 2023:06:01 22:40:24
Perhaps something else was going wrong when you were using 1.1.0?
Closing due to inactivity and because it worked for me.
Describe the bug
I was using clamav:1.0.1-1_base for a few months and decided to upgrade to clamav:1.1.0-1_base a few days ago. After the upgrade I noticed that clamav was not detecting any viruses. And when I changed back to clamav:1.0.1-1_base it started catching viruses again. Here is the sample list of viruses it detected during the last 6 hours:
Is it a feature or a bug?
How to reproduce the problem
Here is the config that I'm using: