I didn't expect the test signature to be successful as my understanding of the way the scanner works requires an exact match to the ASCII string. My familiarity is with ClamXav for OS X which uses an unmatched version of the UNIX ClamAV engine and have no idea what ClamWin uses that might cause different results. Certainly appears that a bug report is in order for either ClamAV or Perhaps ClamWin. I understand you are certain that what you have is malware, but there is no guarantee that ClamAV signatures detect it, so this could currently be a false positive of that specific infection name. Try submitting it to http://www.virustotal.com to see what other scanners have to say. Let us know what the analysis link is.
As far as submitting to Cisco/ClamAV I think you should wait until we hear from them. They can always get it from VirusTotal, but they may have provisions to allow attachment to a bug report. Sent from Janet's iPad -Al- On Dec 13, 2015, at 4:27 PM, Kurt Fitzner wrote: > Just got home ans was able to test. Test signature from Steve fails to > detect on both Linux and Windows. Tested on Linux with 0.98.7 supplied > Debian binaries, and 0.99 binary compiled by myself. Tested in Windows > with ClamWin supplied binary. > > Should I submit my copy of the malware somewhere to aid with testing? > > Kurt > > On 2015-12-13 20:00, Al Varnell wrote: > >> I would want to know the results of using the test signature on both systems >> first, and file a bug report if it turns out to be a ClamAV problem. >> >> Sent from Janet's iPad >> >> -Al- >> >> On Dec 13, 2015, at 11:49 AM, Kurt Fitzner wrote: >> >>> The question remains as to why the signature correctly leads to a match in >>> Windows but not Linux. If carriage return linefeed handling differences >>> between the two OSes are to blame, then I suggest a two pronged approach. >>> Correct the signatures, AND patch clamav so that the signatures as written >>> are processed the same way. Even if they are suboptimal signatures, I'd >>> suggest they should be processed the same way on all platforms. >>> >>> That's a lot of signatures that may not be working. Perhaps I'm stating the >>> obvious, but if CR/LF are involved, it means these are likely scripts and >>> such... just the kind of signatures that would be important to catch in >>> Linux. _______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
