IT ARRIVED OK.

Jorge Danussi

>>> "[EMAIL PROTECTED]" 09/01/04 21:32 >>>

IT ARRIVED OK.

Jorge Danussi

>>> "[EMAIL PROTECTED]" 09/01/04 20:54 >>>

IT ARRIVED OK.

Jorge Danussi

>>> "[EMAIL PROTECTED]" 09/01/04 20:07 >>>

On Wed, 1 Sep 2004, Andy Fiddaman wrote:

> I've been re-running some tests on an EICAR file here with mixed results.
>
> According to the eicar web page:
>
> "The first 68 characters is the known string. It may be optionally
> appended by any combination of whitespace characters with the total file
> length not exceeding 128 characters."
>
> If I scan the minimal 68-byte file, then the test virus is detected, but
> if I add any whitespace to the end of this then it is not.
>
> Is this a problem with the current signature ?

I don't see that with clamav-0.75.1.

Personally, I'm intrigued by the fact that the first two characters are
not required, and neither are the last 26.  It matches on just 38
characters:
  [EMAIL PROTECTED](P^)7CC)7}$EICAR_STANDA  (with _ replaced by -)

Interestingly, there's also a second signature (Trivial.Eicar.122) that
adds a few more characters (RD-ANTIV) on to the end.  Not sure what the
purpose of that is....

For completeness, the malware md5 signature requires exactly 68 bytes,
which might be what you were seeing?

Damian Menscher
-- 
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
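
The following is an added example, not part of the original thread and not ClamAV code. It contrasts the three matching styles the messages discuss: a whole-file MD5, a 38-byte body pattern, and the EICAR definition quoted above. `HASH_SIG`, `BODY_SIG`, the function names and the sample inputs are constructed for illustration, and the allowed whitespace set is an assumption.

```python
import hashlib

# The standard 68-byte EICAR test string, assembled from pieces so this
# source file does not itself contain the contiguous test pattern.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-" + b"ANTIVIRUS-TEST-FILE!$H+H*"
assert len(EICAR) == 68

# Whitespace allowed after the string (assumed set: space, tab, LF, CR, Ctrl-Z).
ALLOWED_PAD = b" \t\n\r\x1a"
MAX_LEN = 128

# Stand-ins for the two signature styles discussed in the thread (hypothetical,
# not ClamAV database entries): a whole-file MD5 and a 38-byte body pattern.
HASH_SIG = hashlib.md5(EICAR).hexdigest()
BODY_SIG = EICAR[2:40]

def hash_match(data: bytes) -> bool:
    """Whole-file hash signature: any extra byte changes the digest."""
    return hashlib.md5(data).hexdigest() == HASH_SIG

def body_match(data: bytes) -> bool:
    """Content signature: matches wherever the pattern occurs."""
    return BODY_SIG in data

def spec_match(data: bytes) -> bool:
    """EICAR definition quoted above: 68-byte string, optional whitespace, <=128 bytes."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_PAD for b in data[len(EICAR):])

def classify(data: bytes) -> dict:
    return {"hash": hash_match(data), "body": body_match(data), "spec": spec_match(data)}

# Constructed sample inputs.
SAMPLES = {
    "minimal": EICAR,
    "padded": EICAR + b"\r\n",
    "too_long": EICAR + b" " * 61,       # 129 bytes
    "embedded": b"hello " + EICAR,       # not a valid test file per the definition
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:9} len={len(data):3} {classify(data)}")
```

The padded sample is the case from the original question: the hash check misses it while the body pattern and the definition check both accept it.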


