Red Hat Bugzilla – Bug 865176
not detecting eicor.com as "infection"
Last modified: 2012-10-12 13:35:59 EDT
Description of problem:
When I wget eicor.com and run clamscan, it does not pick up this test file as infected
I also tried downloading eicor.com.txt and running with that ... and renaming eicor.com.txt to eicor.com per eicor website info
I then went to my F16 box where, when I originally installed it in May 2012 this test worked. I discovered it wasn't picking it up there.
Didn't spot anything online regarding this for 2012 (there were some kinda similar from 2010 and earlier that didn't pan out)
Version-Release number of selected component (if applicable):
ClamAV update process started at Wed Oct 10 15:43:41 2012
Downloading main.cvd [100%]
main.cvd updated (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Downloading daily.cvd [100%]
daily.cvd updated (version: 15452, sigs: 276207, f-level: 63, builder: ccordes)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 190, sigs: 36, f-level: 63, builder: neo)
Database updated (1320630 signatures) from database.clamav.net (IP: 220.127.116.11)
Steps to Reproduce:
1. as root in ~root
2. wget http://www.eicar.org/download/eicor.com.txt
3. clamscan --infected .
----------- SCAN SUMMARY -----------
Known viruses: 1315276
Engine version: 0.97.6
Scanned directories: 1
Scanned files: 38
Infected files: 0
Data scanned: 0.93 MB
Data read: 0.55 MB (ratio 1.70:1)
Time: 9.035 sec (0 m 9 s)
clamscan is supposed to report eicor.com.txt as infected
Please let me know if there is anything else I can provide and/or if I missed something obvious for finding a solution
May you please perform the following steps and provide all output?
1. wget http://www.eicar.org/download/eicor.com.txt
2. file eicor.com.txt # "eicor.com.txt: UTF-8 Unicode English text, with very long lines, with CRLF line terminators"
3. head eicor.com.txt
I would say you did not download "eicar" but "eicor" (404 error page).
Note, if I download http://www.eicar.org/download/eicar.com.txt (not eicor),
my local clamscan also yells "Eicar-Test-Signature FOUND". Please confirm.
You are correct ... loud groan on my end.
Apparently I made a typo in my notes and got 'eicor' and not 'eicar'. To make sure I wasn't making a mistake, I was using cut-and-paste and hence never retyped.
I apologize ... but I also send thanks for the prompt response showing me my error.
Obviously, this "bug" can be closed.
ps: what is interesting is that the typo works as I think you discovered and not with a 404 error, so the typo wasn't caught on the download
[root@parsnip ~]# wget http://www.eicar.org/download/eicor.com.txt
--2012-10-10 16:38:16-- http://www.eicar.org/download/eicor.com.txt
Resolving www.eicar.org... 18.104.22.168
Connecting to www.eicar.org|22.214.171.124|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12959 (13K) [text/html]
Saving to: `eicor.com.txt'
100%[======================================>] 12,959 33.9K/s in 0.4s
2012-10-10 16:38:17 (33.9 KB/s) - `eicor.com.txt' saved [12959/12959]
[root@parsnip ~]# file eicor.com.txt
eicor.com.txt: HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Closing as it is a pilot error
Thanks for help,
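
Added example, not part of the original bug thread: the download above came back as `200 OK` with `text/html` and 12959 bytes, whereas the real EICAR test file is 68 bytes. This shell check confirms that a downloaded file really is the test file before it is used to judge the scanner; the function name `is_eicar` and the script name `check_eicar.sh` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report.
# The 68-byte EICAR test string, stored in two halves so that this script is
# not itself flagged by a scanner that matches the string anywhere in a file.
EICAR_A='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-'
EICAR_B='ANTIVIRUS-TEST-FILE!$H+H*'

# is_eicar FILE
#   0  FILE is the EICAR test file
#   1  FILE is something else (e.g. an HTML page served with "200 OK")
#   2  FILE cannot be read
is_eicar() {
    f=$1
    [ -r "$f" ] || { echo "$f: cannot read" >&2; return 2; }

    # The test file is 68 bytes; trailing whitespace may pad it to 128.
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -lt 68 ] || [ "$size" -gt 128 ]; then
        echo "$f: $size bytes, expected 68 to 128" >&2
        return 1
    fi

    # The first 68 bytes must be exactly the test string.
    if [ "$(head -c 68 "$f")" != "${EICAR_A}${EICAR_B}" ]; then
        echo "$f: does not start with the EICAR test string" >&2
        return 1
    fi

    # Anything after byte 68 must be whitespace (space, TAB, CR, LF, Ctrl-Z).
    extra=$(tail -c +69 "$f" | tr -d ' \t\r\n\032' | wc -c | tr -d ' ')
    if [ "$extra" -ne 0 ]; then
        echo "$f: $extra non-whitespace bytes after the test string" >&2
        return 1
    fi
    return 0
}

# Usage: sh check_eicar.sh eicar.com.txt && clamscan --infected eicar.com.txt
if [ "$#" -gt 0 ]; then
    is_eicar "$1" && echo "$1: genuine EICAR test file"
fi
```

A non-zero exit from this check means the scan result says nothing about the scanner, because the file on disk is not the test file.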