Description of problem:
When I wget eicor.com and run clamscan, it does not pick up this test file as infected.
I also tried downloading eicor.com.txt and running with that ... and renaming eicor.com.txt to eicor.com per eicor website info.
I then went to my F16 box where, when I originally installed it in May 2012, this test worked. I discovered it wasn't picking it up there.
Didn't spot anything online regarding this for 2012 (there were some kinda similar from 2010 and earlier that didn't pan out).

Version-Release number of selected component (if applicable):
clamav.i686 0.97.6-1700.fc17
clamav-update.i686 0.97.6-1700.fc17

ClamAV update process started at Wed Oct 10 15:43:41 2012
Downloading main.cvd [100%]
main.cvd updated (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Downloading daily.cvd [100%]
daily.cvd updated (version: 15452, sigs: 276207, f-level: 63, builder: ccordes)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 190, sigs: 36, f-level: 63, builder: neo)
Database updated (1320630 signatures) from database.clamav.net (IP: 168.143.19.95)

How reproducible:

Steps to Reproduce:
1. as root in ~root
2. wget http://www.eicar.org/download/eicor.com.txt
3. clamscan --infected .

Actual results:
----------- SCAN SUMMARY -----------
Known viruses: 1315276
Engine version: 0.97.6
Scanned directories: 1
Scanned files: 38
Infected files: 0
Data scanned: 0.93 MB
Data read: 0.55 MB (ratio 1.70:1)
Time: 9.035 sec (0 m 9 s)
[root@parsnip ~]#

Expected results:
clamscan is supposed to report eicor.com.txt as infected

Additional info:
Please let me know if there is anything else I can provide and/or if I missed something obvious for finding a solution.

Thanks,
Paul

Could you please perform the following steps and provide all output?
1. wget http://www.eicar.org/download/eicor.com.txt
2. file eicor.com.txt # "eicor.com.txt: UTF-8 Unicode English text, with very long lines, with CRLF line terminators"
3. head eicor.com.txt
4. Ouch... I would say you did not download "eicar" but "eicor" (404 error page).

Note, if I download http://www.eicar.org/download/eicar.com.txt (not eicor), my local clamscan also yells "Eicar-Test-Signature FOUND". Please confirm.

Robert:
Whoops !!! You are correct ... loud groan on my end.
Apparently I made a typo in my notes and got 'eicor' and not 'eicar'. To make sure I wasn't making a mistake, I was using cut-and-paste and hence never retyped.
I apologize ... but I also send thanks for the prompt response showing me my error.
Obviously, this "bug" can be closed.

Thanks,
Paul

ps: what is interesting is that the typo works as I think you discovered and not with a 404 error, so the typo wasn't caught on the download

[root@parsnip ~]# wget http://www.eicar.org/download/eicor.com.txt
--2012-10-10 16:38:16-- http://www.eicar.org/download/eicor.com.txt
Resolving www.eicar.org... 188.40.238.250
Connecting to www.eicar.org|188.40.238.250|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12959 (13K) [text/html]
Saving to: `eicor.com.txt'

100%[======================================>] 12,959 33.9K/s in 0.4s

2012-10-10 16:38:17 (33.9 KB/s) - `eicor.com.txt' saved [12959/12959]

[root@parsnip ~]# file eicor.com.txt
eicor.com.txt: HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators

Closing as it is a pilot error.
Thanks for help,
Paul
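
Added example, not part of the original thread: a pre-scan sanity check for the failure seen above, where the server answered 200 OK with a 12959-byte text/html page instead of the test file. The function names are hypothetical; the assumptions are that the genuine file is the 68-byte EICAR string, optionally padded with whitespace to at most 128 bytes, and that `head -c` is available.

```shell
#!/bin/sh
# Added example: confirm a download really is the EICAR test file before
# treating "Infected files: 0" as a scanner problem.

EICAR_MARKER='EICAR-STANDARD-ANTIVIRUS-TEST-FILE'
EICAR_LEN=68        # length of the test string itself
EICAR_MAX_SIZE=128  # assumption: string plus optional trailing whitespace

# check_eicar_download FILE
# Prints a one-line verdict. Returns 0 if FILE plausibly is the test file,
# 1 if it is something else (for example an HTML page), 2 if it is missing.
check_eicar_download() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 2; }

    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -gt "$EICAR_MAX_SIZE" ]; then
        echo "not-eicar: $f is $size bytes (expected <= $EICAR_MAX_SIZE)"
        return 1
    fi

    # The marker must appear inside the first 68 bytes of the file.
    if ! head -c "$EICAR_LEN" "$f" | grep -q -F "$EICAR_MARKER"; then
        echo "not-eicar: marker string absent from $f"
        return 1
    fi

    echo "ok: $f looks like the EICAR test file ($size bytes)"
    return 0
}

# scan_test_file FILE
# Runs clamscan only when the download passed the check, so a clean scan
# result cannot be caused by scanning the wrong content.
scan_test_file() {
    check_eicar_download "$1" || return $?
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed"; return 3; }
    clamscan --infected "$1"   # clamscan exits 1 when a signature matches
}
```

Run against the file from the report, the size check alone rejects it: 12959 bytes is far over the limit.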