Bug 865176 - not detecting eicor.com as "infection"
not detecting eicor.com as "infection"
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: clamav (Show other bugs)
17
i686 Linux
unspecified Severity medium
: ---
: ---
Assigned To: Robert Scheck
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-10 19:18 EDT by Paul
Modified: 2012-10-12 13:35 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-10-11 12:13:27 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Paul 2012-10-10 19:18:07 EDT
Description of problem:
When I wget eicor.com and run clamscan, it does not pick up this test file as infected

I also tried downloading eicor.com.txt and running with that ... and renaming eicor.com.txt to eicor.com per eicor website info

I then went to my F16 box where, when I originally installed it in May 2012 this test worked. I discovered it wasn't picking it up there.

Didn't spot anything online regarding this for 2012 (there were some kinda similiar from 2010 and earlier that didn't pan out)

Version-Release number of selected component (if applicable):
clamav.i686                          0.97.6-1700.fc17
clamav-update.i686                   0.97.6-1700.fc17

ClamAV update process started at Wed Oct 10 15:43:41 2012
Downloading main.cvd [100%]
main.cvd updated (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Downloading daily.cvd [100%]
daily.cvd updated (version: 15452, sigs: 276207, f-level: 63, builder: ccordes)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 190, sigs: 36, f-level: 63, builder: neo)
Database updated (1320630 signatures) from database.clamav.net (IP: 168.143.19.95)
How reproducible:


Steps to Reproduce:
1. as root in ~root
2 .wget http://www.eicar.org/download/eicor.com.txt
3. clamscan --infected .
  
Actual results:
----------- SCAN SUMMARY -----------
Known viruses: 1315276
Engine version: 0.97.6
Scanned directories: 1
Scanned files: 38
Infected files: 0
Data scanned: 0.93 MB
Data read: 0.55 MB (ratio 1.70:1)
Time: 9.035 sec (0 m 9 s)
[root@parsnip ~]#

Expected results:
clamscan is supposed to report eicor.com.txt as infected

Additional info:
Please let me know if there is anything else I can provide and/or if I missed something obvious for finding a solution

Thanks,
Paul
Comment 1 Robert Scheck 2012-10-10 19:27:26 EDT
May you please perform the following steps and provide all output?

1. wget http://www.eicar.org/download/eicor.com.txt
2. file eicor.com.txt  # "eicor.com.txt: UTF-8 Unicode English text, with very long lines, with CRLF line terminators"
3. head eicor.com.txt
4. Ouch...

I would say you did not download "eicar" but "eicor" (404 error page).
Comment 2 Robert Scheck 2012-10-10 19:28:55 EDT
Note, if I download http://www.eicar.org/download/eicar.com.txt (not eicor),
my  local clamscan also yells "Eicar-Test-Signature FOUND". Please confirm.
Comment 3 Paul 2012-10-10 19:48:18 EDT
Robert:

Whoops !!!

You are correct ... loud groan on my end.

Apparently I made a typo in my notes and got 'eicor' and not 'eicar'. To make sure I wasn't making a mistake, I was using cut-and-paste and hence never retyped.

I apologize ... but I also send thanks for the prompt response showing me my error.

Obviously, this "bug" can be closed.

Thanks,
Paul

ps: what is interesting is that the typo works as I think you discovered and not with a 404 error, so the typo wasn't caught on the download

[root@parsnip ~]# wget http://www.eicar.org/download/eicor.com.txt
--2012-10-10 16:38:16--  http://www.eicar.org/download/eicor.com.txt
Resolving www.eicar.org... 188.40.238.250
Connecting to www.eicar.org|188.40.238.250|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12959 (13K) [text/html]
Saving to: `eicor.com.txt'

100%[======================================>] 12,959      33.9K/s   in 0.4s    

2012-10-10 16:38:17 (33.9 KB/s) - `eicor.com.txt' saved [12959/12959]

[root@parsnip ~]# file eicor.com.txt
eicor.com.txt: HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Comment 4 Paul 2012-10-11 12:13:27 EDT
Closing as it is a pilot error

Thanks for help,
Paul

Note You need to log in before you can comment on or make changes to this bug.