On 2/17/2015 12:11 AM, Manoj Ramakrishnan wrote: > Hi Al, > > Thanks for replying. > It is exactly what I thought. But why is it different from ZIP file? > I added extra characters in the beginning of the ZIP file but no issues in > scanning that and finding eicar signature.
zip and gzip are very different formats. I suppose you added your random character at a point where unzip ignored it. > > Also curious to see why is it not working in case #4 and #6? Either broke the eicar file with leading or trailing characters, or maybe the squid plugin didn't recognize the file as a gzip. Use the clam debug tools to examine the files extracted and scanned. The eicar signature is *very* specific, anchored at both the beginning and end allowing only for a few extra spaces at the end of the payload, no other extra characters. _______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
