A slight tangent, which I bring up since I have seen it discussed on
Twitter: ClamAV will erroneously trigger on some specific EICAR false
positives due to file normalization. The example that was being discussed
at that time was a whitespace-prepended file. Since the EICAR string is all
printable text, it can be the output of a File Type 7 scan.

As such, clamscan will detect on some corner-case files that it should not,
but not on cases like the email being discussed here.

The industry was discussing the poor EICAR triggering because solutions
that falsely flag such emails might also destroy important files such as
web logs if the string is injected there.

On Tue, Oct 3, 2017 at 10:40 AM, Anssi Johansson <cla...@miuku.net> wrote:

> Ralph Seichter kirjoitti 3.10.2017 klo 17.33:
>
>> A virus was found: {HEX}EICAR.TEST.10.UNOFFICIAL
>>>
>>> First upstream SMTP client IP address: [198.148.79.53]:24855
>>> lists.clamav.net
>>> Received from: 198.148.79.53 < 127.0.0.1 < 204.29.186.62 < 172.26.252.15
>>> <
>>>    10.76.1.211 < 149.32.192.35
>>>
>>> Return-Path: <clamav-users-boun...@lists.clamav.net>
>>> From: Nymblewyke <nymblew...@compuserve.com>
>>> Sender: "clamav-users" <clamav-users-boun...@lists.clamav.net>
>>> Message-ID: <15ee2954485-c0d-1...@webjas-vac032.srv.aolmail.net>
>>> Subject: Re: [clamav-users] EICAR file problems
>>>
>>
>> Sending virus samples (including EICAR) to public mailing lists is
>> problematic. The lists are not testing grounds, and it can quickly
>> earn you a blacklisting with various recipient organisations.
>>
>
> I agree, I understood this a few seconds after I sent my message. My
> apologies.
>
> On the other hand, if your virus scanner detected EICAR from my message, I
> dare to say that it is broken. http://www.eicar.org/86-0-Intended-use.html
> says ".. should detect it in any file providing that the file starts with
> the following 68 characters, and is exactly 68 bytes long". The message did
> not start with the EICAR string, and the message certainly wasn't 68 bytes
> long.
>
> For reference, clamscan does not detect EICAR in these messages, and
> rightly so.
>
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>



-- 

Matthew Molyett
Malware Researcher

mmoly...@cisco.com
Phone:  (410) 309-4834
Mobile: (410) 674-2049

Cisco.com - http://www.cisco.com

This email may contain confidential and privileged material for the sole
use of the intended recipient. Any review, use, distribution or disclosure
by others is strictly prohibited. If you are not the intended recipient (or
authorized to receive for the recipient), please contact the sender by
reply email and delete all copies of this message.

For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html
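Added example (written for this page; it is not code from the thread, from ClamAV or from eicar.org). It models the two behaviours the messages above contrast: the strict eicar.org rule Anssi quotes (the file starts with the 68-character string and is exactly 68 bytes long) and the whitespace-normalization corner case Matthew describes, in which a text-type scan strips leading whitespace before matching and a whitespace-prepended file therefore matches. The signature bytes are a constructed 68-byte stand-in, not the real EICAR string, so the script itself never needs to carry the test string; the normalizer is a toy `strip()`, which is an assumption and not how ClamAV's normalizer is implemented.

```python
"""Model of the EICAR 'intended use' rule versus a whitespace-normalizing scan.

Constructed example, not the thread's or ClamAV's code. SIGNATURE is a
68-byte stand-in for the EICAR test string, deliberately not the real one.
"""

# Constructed stand-in: any 68 printable bytes exercise the rule (assumption).
SIGNATURE = b"TEST-STRING-PLACEHOLDER-NOT-EICAR-".ljust(68, b"X")
assert len(SIGNATURE) == 68


def matches_intended_use(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Strict rule quoted from eicar.org: the file starts with the signature
    and is exactly 68 bytes long. An email body containing the string, or a
    file with anything before or after it, does not match."""
    return len(data) == len(signature) and data.startswith(signature)


def normalize_text(data: bytes) -> bytes:
    """Toy model of a text-type normalization step: strip leading and trailing
    whitespace before matching. Assumption: the real normalizer does more than
    this; only the whitespace behaviour matters for the corner case."""
    return data.strip()


def matches_after_normalization(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """The corner case from the thread: a whitespace-prepended file that the
    strict rule rejects is reduced to the bare signature and then matches."""
    return matches_intended_use(normalize_text(data), signature)


def classify(data: bytes) -> dict:
    """Return both verdicts so the two rules can be compared side by side."""
    return {
        "strict": matches_intended_use(data),
        "normalized": matches_after_normalization(data),
    }


# Constructed inputs covering the cases discussed above.
EXACT = SIGNATURE                       # the intended-use test file
WS_PREPENDED = b"   " + SIGNATURE       # whitespace-prepended corner case
TRAILING_NEWLINE = SIGNATURE + b"\n"    # 69 bytes: editor added a newline
EMAIL_BODY = (                          # the string quoted inside a message
    b"Subject: Re: [clamav-users] EICAR file problems\r\n\r\n"
    b"This message quotes the string: " + SIGNATURE + b"\r\n"
)

if __name__ == "__main__":
    samples = [
        ("exact 68-byte file", EXACT),
        ("whitespace-prepended", WS_PREPENDED),
        ("trailing newline", TRAILING_NEWLINE),
        ("email body", EMAIL_BODY),
    ]
    for name, sample in samples:
        print(f"{name:22s} {classify(sample)}")
```

Running it shows the split Matthew describes: only the exact file passes the strict rule, the whitespace-prepended (and trailing-newline) files pass only after normalization, and the email body passes neither, which is why clamscan does not flag the quoted message.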