Culprit seems to be sanesecurity-porcupine.ndb
(http://sanesecurity.com/usage/signatures/). Moving it out causes
Win.Test.EICAR_NDB-1 FOUND to be found, moving it back in triggers the
Win.Trojan.Trojan-605 FP. Since the Win.Trojan.Trojan sig isn't in the DB
I'm not sure why that is.

-J

On Wed, Mar 16, 2016 at 9:38 PM, Al Varnell <alvarn...@mac.com> wrote:

> Disregard, I found it here after they got the new main.cvd:
> <http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Trojan.Trojan-605&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&display=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>
>
> I’ll see what I get once my main.cvd finishes.
>
> -Al-
>
> On Wed, Mar 16, 2016 at 09:32 PM, Al Varnell wrote:
> >
> > I’m still looking, but so far I can’t find any Win.Trojan.Trojan
> > signatures in the ClamAV Official database or listed in clamav-virusdb
> > e-mail list.
> >
> > Nor can I confirm your results using my own EICAR.
> >
> > Are you using any Unofficial signatures from a different source?
> >
> > -Al-
> >
> > On Wed, Mar 16, 2016 at 09:06 PM, Jason J. W. Williams wrote:
> >>
> >> Pulled down 21466 (and force restarted clamd) but it's still classifying
> >> EICAR as Win.Trojan.Trojan:
> >>
> >> https://gist.github.com/williamsjj/b8104402e80f44475df5
> >>
> >> Databases are up to date now:
> >> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
> >> Empty script daily-21465.cdiff, need to download entire database
> >> Downloading daily.cvd [100%]
> >> daily.cvd updated (version: 21466, sigs: 83889, f-level: 63, builder: amishhammer)
> >> Empty script bytecode-275.cdiff, need to download entire database
> >> Downloading bytecode.cvd [100%]
> >> bytecode.cvd updated (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
> >> Database updated (4302724 signatures) from db.local.clamav.net (IP: 193.1.193.64)
> >>
> >>
> >>
> >> On Wed, Mar 16, 2016 at 9:00 PM, Al Varnell <alvarn...@mac.com> wrote:
> >>
> >>> Those are normal messages for an update of this kind.  The 21465.cdiff was
> >>> purposely blank in order to force you to download the entire daily.cvd.
> >>> Give it plenty of time as the main.cvd is 109MB.
> >>>
> >>> Technical details: <http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html>
> >>>
> >>> -Al-
> >>>
> >>> On Wed, Mar 16, 2016 at 08:56 PM, Jason J. W. Williams wrote:
> >>>>
> >>>> Thanks. Hopefully it'll sync up soon. I'm getting weird download errors out
> >>>> of freshclam:
> >>>>
> >>>> WARNING: getfile: Error while reading database from db.local.clamav.net (IP: 200.236.31.1): Operation now in progress
> >>>> WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
> >>>> nonblock_recv: recv timing out (30 secs)
> >>>> WARNING: getfile: Error while reading database from db.local.clamav.net (IP: 194.186.47.19): Operation now in progress
> >>>> WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
> >>>> Empty script daily-21465.cdiff, need to download entire database
> >>>>
> >>>> On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarn...@mac.com> wrote:
> >>>>
> >>>>> The new database was just made available, so I recommend you hold off
> >>>>> until you have the new main.cvd v57 and daily.cvd v21466 before getting too
> >>>>> excited about this.
> >>>>>
> >>>>> -Al-
> >>>>>
> >>>>> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> >>>>>>
> >>>>>> As of the latest daily update, running ClamAV against the EICAR test string
> >>>>>> reports Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
> >>>>>>
> >>>>>> -J
>
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>