Hello list,

I have a little problem in detecting the Eicar test-signature. At the Snort-inline project we have developed a clamav-plugin that scans all data that passes the IPS. Until recently just visiting the Eicar website: http://www.eicar.org/anti_virus_test_file.htm was enough to make sure that the clamav-plugin was set up properly. The page would stop loading exactly at the point where the test-sig is shown.

Currently this is no longer working (with no changes at all to the snort-inline code), so I did some tests and was surprised by the following behaviour:

If you have a text file containing the eicar-sig like this:

--- file start ---
<eicar sig>
--- file end ---

then Eicar is detected by clamscan. However, if you have a file like this:

--- file start ---
HTTP/1.1 200 OK
Date: Sat, 12 Mar 2005 10:56:17 GMT
Server: Apache/1.3.26 (Unix) Debian GNU/Linux mod_ssl/2.8.9 OpenSSL/0.9.6c PHP/4.3.9
Last-Modified: Tue, 03 Aug 2004 15:23:41 GMT
ETag: "30400e-44-410fadfd"
Accept-Ranges: bytes
Content-Length: 68
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=iso-8859-1
<eicar sig>
--- file end ---

then clamscan won't detect Eicar. I tested this with 0.81 and with 0.83.

Is this behaviour normal? Is the change intentional, or maybe a bug? Or am I just doing something completely wrong ;-)

Regards,
Victor