Hey Al, I submitted an FP report with one attached. Just put the EICAR string into a txt file and that'll trigger it.

-J

Sent via iPhone

> On Mar 16, 2016, at 22:16, Al Varnell <alvarn...@mac.com> wrote:
>
> I don’t know why sanesecurity-porcupine.ndb is causing this, but I can now see that the signatures for Win.Test.EICAR_LDB-1 and Win.Trojan.Trojan-605 are identical, so this is an FP situation which would be reported.
> <http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Test.EICAR_LDB-1&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&display=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>
>
> However, I’m not sure where to find a copy of a Win.Test.EICAR_LDB-1 file to submit.
>
> -Al-
>
>> On Wed, Mar 16, 2016 at 09:44 PM, Jason J. W. Williams wrote:
>>
>> Culprit seems to be sanesecurity-porcupine.ndb (http://sanesecurity.com/usage/signatures/). Moving it out causes Win.Test.EICAR_NDB-1 FOUND to be found, moving it back in triggers the Win.Trojan.Trojan-605 FP. Since the Win.Trojan.Trojan sig isn't in the DB I'm not sure why that is.
>>
>> -J
>>
>>> On Wed, Mar 16, 2016 at 9:38 PM, Al Varnell <alvarn...@mac.com> wrote:
>>>
>>> Disregard, I found it here after they got the new main.cvd:
>>> <http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Trojan.Trojan-605&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&display=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>
>>>
>>> I’ll see what I get once my main.cvd finishes.
>>>
>>> -Al-
>>>
>>>> On Wed, Mar 16, 2016 at 09:32 PM, Al Varnell wrote:
>>>>
>>>> I’m still looking, but so far I can’t find any Win.Trojan.Trojan signatures in the ClamAV Official database or listed in clamav-virusdb e-mail list.
>>>>
>>>> Nor can I confirm your results using my own EICAR.
>>>>
>>>> Are you using any Unofficial signatures from a different source?
>>>>
>>>> -Al-
>>>>
>>>>> On Wed, Mar 16, 2016 at 09:06 PM, Jason J. W. Williams wrote:
>>>>>
>>>>> Pulled down 21466 (and force restarted clamd) but it's still classifying EICAR as Win.Trojan.Trojan:
>>>>>
>>>>> https://gist.github.com/williamsjj/b8104402e80f44475df5
>>>>>
>>>>> Databases are up to date now:
>>>>> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
>>>>> Empty script daily-21465.cdiff, need to download entire database
>>>>> Downloading daily.cvd [100%]
>>>>> daily.cvd updated (version: 21466, sigs: 83889, f-level: 63, builder: amishhammer)
>>>>> Empty script bytecode-275.cdiff, need to download entire database
>>>>> Downloading bytecode.cvd [100%]
>>>>> bytecode.cvd updated (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
>>>>> Database updated (4302724 signatures) from db.local.clamav.net (IP: 193.1.193.64)
>>>>>
>>>>>> On Wed, Mar 16, 2016 at 9:00 PM, Al Varnell <alvarn...@mac.com> wrote:
>>>>>>
>>>>>> Those are normal messages for an update of this kind. The 21465.cdiff was purposely blank in order to force you to download the entire daily.cvd. Give it plenty of time as the main.cvd is 109MB.
>>>>>>
>>>>>> Technical details: <http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html>
>>>>>>
>>>>>> -Al-
>>>>>>
>>>>>>> On Wed, Mar 16, 2016 at 08:56 PM, Jason J. W. Williams wrote:
>>>>>>>
>>>>>>> Thanks. Hopefully it'll sync up soon. I'm getting weird download errors out of freshclam:
>>>>>>>
>>>>>>> WARNING: getfile: Error while reading database from db.local.clamav.net (IP: 200.236.31.1): Operation now in progress
>>>>>>> WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
>>>>>>> nonblock_recv: recv timing out (30 secs)
>>>>>>> WARNING: getfile: Error while reading database from db.local.clamav.net (IP: 194.186.47.19): Operation now in progress
>>>>>>> WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
>>>>>>> Empty script daily-21465.cdiff, need to download entire database
>>>>>>>
>>>>>>>> On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarn...@mac.com> wrote:
>>>>>>>>
>>>>>>>> The new database was just made available, so I recommend you hold off until you have the new main.cvd v57 and daily.cvd v21466 before getting too excited about this.
>>>>>>>>
>>>>>>>> -Al-
>>>>>>>>
>>>>>>>>> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
>>>>>>>>>
>>>>>>>>> As of the latest daily update, running ClamAV against the EICAR test string reports Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
>>>>>>>>>
>>>>>>>>> -J
>>>
>>> _______________________________________________
>>> Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
>>> http://www.clamav.net/contact.html#ml
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
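The root cause Al identifies above, two signature names carrying an identical body (one in the official daily/main databases, one in the unofficial sanesecurity-porcupine.ndb), can be found directly from the signature files instead of by moving files in and out of the database directory and rescanning. The Python script below is an added example, not code from this thread or from the ClamAV or Sanesecurity projects. It parses lines in the documented .ndb layout `MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]` and reports every body that appears under more than one name. The two database texts, their hex bodies and the source-file labels are constructed placeholders, not the real EICAR or Sanesecurity signatures.

```python
"""Report ClamAV .ndb signatures whose bodies are identical under different names.

Added example for the thread above; not code from the thread, ClamAV or
Sanesecurity.  Assumes the documented .ndb line layout
    MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
All database contents below are constructed placeholders.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed stand-in for the official daily/main content (hex is made up).
OFFICIAL_NDB = """\
# comment lines and blank lines are skipped
Win.Test.EICAR_LDB-1:0:*:deadbeef00112233445566778899aabb
Win.Trojan.Example-1:1:0:4d5a9000030000000400000000ffff00
"""

# Constructed stand-in for an unofficial file such as sanesecurity-porcupine.ndb.
UNOFFICIAL_NDB = """\
Win.Trojan.Trojan-605:0:*:DEADBEEF00112233445566778899AABB
Email.Phishing.Example-2:4:*:68747470733a2f2f6c6f67696e2e
"""

Signature = Tuple[str, str, str]  # (name, body, source file)


def parse_ndb(text: str, source: str) -> List[Signature]:
    """Split each .ndb line into (name, body, source); body = target:offset:hex.

    Hex is lower-cased so differently-cased copies of one signature compare
    equal.  Optional MinFL/MaxFL fields are ignored for the comparison.
    """
    entries: List[Signature] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"{source}: malformed .ndb line: {line!r}")
        name, target, offset, hexsig = parts[:4]
        entries.append((name, f"{target}:{offset}:{hexsig.lower()}", source))
    return entries


def find_collisions(databases: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each body shared by two or more *different* names to [(name, source), ...].

    The same name appearing twice (one signature copied verbatim between two
    files) is not a collision; a body that would scan under two names is.
    """
    by_body: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for source, text in databases.items():
        for name, body, src in parse_ndb(text, source):
            by_body[body].append((name, src))
    return {
        body: hits
        for body, hits in by_body.items()
        if len({name for name, _ in hits}) > 1
    }


def report(databases: Dict[str, str]) -> List[str]:
    """One human-readable line per colliding body."""
    lines = []
    for body, hits in sorted(find_collisions(databases).items()):
        names = ", ".join(f"{name} ({src})" for name, src in sorted(hits))
        lines.append(f"identical body {body}: {names}")
    return lines


if __name__ == "__main__":
    dbs = {"daily+main (official)": OFFICIAL_NDB,
           "sanesecurity-porcupine.ndb": UNOFFICIAL_NDB}
    for line in report(dbs):
        print(line)
```

To run it against real data, unpack the official .cvd/.cld files with `sigtool --unpack` and feed the resulting .ndb text alongside any unofficial .ndb files; the comparison is on the literal body after lower-casing, so it only catches exact duplicates such as the one in this thread, not two signatures that merely overlap.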