Joe Evans wrote:
> After upgrading to the latest version of ClamAV, I've noticed some files
> not being detected with v0.90.2, which were detected with v0.88.7. Could
> there be a bug with the pattern scanning portion of libclamav, or am I
> missing something obvious?
>
> Both test cases are using the same signature database.
>
> Any ideas?
>
> # clamscan -V
> ClamAV 0.88.7/2314/Sun Dec 10 12:02:13 2006
> # clamscan mybot* sdb*
> mybot5073-TrojanMybot-5073.exe: Trojan.Mybot-5073 FOUND
> mybot7502-TrojanMybot-7502.exe: Trojan.Mybot-7508 FOUND
> sdbototr-W32SdbotOTR.exe: Trojan.Mybot-5073 FOUND
>
>
> # ./clamscan -V
> ClamAV 0.90.2
> # clamscan mybot* sdb*
> mybot5073-TrojanMybot-5073.exe: OK
> mybot7502-TrojanMybot-7502.exe: OK
> sdbototr-W32SdbotOTR.exe: OK
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://lurker.clamav.net/list/clamav-users.html

Here are some additional debug details when scanning Mybot-5073:
Can anyone shed some light on the log entries below?

(1) "Can't calculate offset for signature Trojan.Mybot-5073"
(2) "Broken PE file"

Scanning /mail/mybot5073-TrojanMybot-5073.exe
LibClamAV debug: Recognized DOS/W32 executable/library/driver file
LibClamAV debug: in cli_peheader
LibClamAV debug: File format: PE
LibClamAV debug: Broken PE file
LibClamAV debug: cli_validatesig: Can't calculate offset for signature Trojan.Mybot-5073
LibClamAV debug: Signature offset: 192, expected: 184 (Trojan.Downloader.Tibs.Gen-2)
LibClamAV debug: Signature offset: 192, expected: 184 (Trojan.Downloader.Tibs.Gen-1)
LibClamAV debug: e_lfanew == 224
LibClamAV debug: File type: Executable
LibClamAV debug: Machine type: 80386
LibClamAV debug: NumberOfSections: 4
LibClamAV debug: TimeDateStamp: Thu Mar 9 16:00:24 2006
LibClamAV debug: SizeOfOptionalHeader: e0
LibClamAV debug: File format: PE
LibClamAV debug: MajorLinkerVersion: 6
LibClamAV debug: MinorLinkerVersion: 0
LibClamAV debug: SizeOfCode: 0x1f600
LibClamAV debug: SizeOfInitializedData: 0xf6800
LibClamAV debug: SizeOfUninitializedData: 0x0
LibClamAV debug: AddressOfEntryPoint: 0x11900d
LibClamAV debug: BaseOfCode: 0x1000
LibClamAV debug: SectionAlignment: 0x1000
LibClamAV debug: FileAlignment: 0x200
LibClamAV debug: MajorSubsystemVersion: 4
LibClamAV debug: MinorSubsystemVersion: 0
LibClamAV debug: SizeOfImage: 0x11a000
LibClamAV debug: SizeOfHeaders: 0x400
LibClamAV debug: NumberOfRvaAndSizes: 16
LibClamAV debug: Subsystem: Win32 GUI
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 0
LibClamAV debug: Section name: .text
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x1f461 0x20000
LibClamAV debug: VirtualAddress: 0x1000 0x1000
LibClamAV debug: SizeOfRawData: 0x1f600 0x15600
LibClamAV debug: PointerToRawData: 0x400 0x400
LibClamAV debug: Section contains executable code
LibClamAV debug: Section's memory is executable
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 1
LibClamAV debug: Section name: .rdata
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x1508 0x2000
LibClamAV debug: VirtualAddress: 0x21000 0x21000
LibClamAV debug: SizeOfRawData: 0x1600 0x1600
LibClamAV debug: PointerToRawData: 0x1fa00 0x1fa00
LibClamAV debug: ------------------------------------
LibClamAV debug: Broken PE file - Section 1 starts beyond the end of file (Offset@ 129536, Total filesize 88576)
/mail/mybot5073-TrojanMybot-5073.exe: OK