I've had opposite results recently, even for signatures which have been
in the database for years. Maybe VirusTotal uses a different signature
database on their ClamAV scanner. Our Ubuntu 24.04 machines use the
default freshclam.conf, containing:

DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

$ freshclam
daily.cvd database is up-to-date (version: 27619, sigs: 2074687, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 336, sigs: 83, f-level: 90, builder: nrandolp)

Greetings,
- Gilles
On 4/15/25 09:23, Tai Chan Dang via clamav-users wrote:
I have a sample virus file that can be detected by ClamAV on
VirusTotal:
https://www.virustotal.com/gui/file/6e945381416bac2657acaeccabc8daf04df0c2285ca36333419484ee2120dda4
VirusTotal ClamAV detects that the file is infected with signature:
*Doc.Downloader.Pwshell-10001336-0*
But when I use my local ClamAV (on Ubuntu), it cannot detect the virus
file:

abc@VNLT:~$ clamscan test_macro.doc
Loading: 19s, ETA: 0s [========================>] 10.77M/10.77M sigs
Compiling: 5s, ETA: 0s [========================>] 41/41 tasks

/home/abc/test_macro.doc: OK

----------- SCAN SUMMARY -----------
Known viruses: 8706304
Engine version: 1.4.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.09 MB
Data read: 0.04 MB (ratio 2.40:1)
Time: 13.148 sec (0 m 13 s)
Start Date: 2025:04:15 10:00:33
End Date: 2025:04:15 10:00:46

I already use the latest ClamAV version and CVD database:

abc@VNLT:~$ clamscan --version
ClamAV 1.4.2/27608/Mon Apr 14 15:34:28 2025

I unpacked the CVD file using *sigtool* and see that the signature
exists in our local database:

abc@VNLT:/usr/local/share/clamav$ grep "Doc.Downloader.Pwshell-10001336-0" ./*
grep: ./daily.cld: binary file matches
./daily.ldb:Doc.Downloader.Pwshell-10001336-0;Engine:151-255,Container:CL_TYPE_MSOLE2,Target:0;0&1&2&3&4&5;2323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323;4e65774d6163726f73;50726f6365647572616c;52454d2050524f4a45435448454c5046494c4550415448323a;52454d205642412070726f6a656374206578747261637465642066726f6d204d6963726f736f6674204f666669636520646f63756d656e74;706f7765727368656c6c

Why can't my local virus scanner detect the virus that VirusTotal can?
Did I miss some configuration?
Best Regards
Tai Dang
_______________________________________________
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat
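
The daily.ldb line quoted in the original message is a ClamAV logical signature (Name;TargetDescriptionBlock;LogicalExpression;Subsig0;...). As an added example, not part of either post and not ClamAV code, the Python below splits that line and decodes its plain-hex subsignatures, showing the six strings the expression 0&1&2&3&4&5 requires together. `parse_ldb` and `describe` are hypothetical helper names, and the run of 0x23 bytes in subsignature 0 is shortened.

```python
import re

# Signature line from the grep output in the post (daily.ldb). The run of 0x23
# bytes in subsignature 0 is shortened here; everything else is as posted.
SIG = ";".join([
    "Doc.Downloader.Pwshell-10001336-0",
    "Engine:151-255,Container:CL_TYPE_MSOLE2,Target:0",
    "0&1&2&3&4&5",
    "23" * 8,
    "4e65774d6163726f73",
    "50726f6365647572616c",
    "52454d2050524f4a45435448454c5046494c4550415448323a",
    "52454d205642412070726f6a656374206578747261637465642066726f6d204d6963726f736f6674204f666669636520646f63756d656e74",
    "706f7765727368656c6c",
])

PLAIN_HEX = re.compile(r"(?:[0-9a-fA-F]{2})+")

def parse_ldb(line):
    """Split a logical signature: Name;TargetDescriptionBlock;Expression;Subsig0;..."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("expected Name;TDB;Expression;Subsig0[;SubsigN...]")
    name, tdb, expr, *subsigs = fields
    # The TDB is a comma-separated list of Key:Value pairs, e.g. Engine is the
    # functionality-level range and Container the type of the enclosing file.
    target = dict(item.split(":", 1) for item in tdb.split(","))
    decoded = []
    for sub in subsigs:
        if PLAIN_HEX.fullmatch(sub):
            decoded.append(bytes.fromhex(sub).decode("latin-1"))
        else:
            # Wildcards, offsets, modifiers or PCRE: keep the raw text.
            decoded.append(sub)
    return {"name": name, "target": target, "expr": expr, "subsigs": decoded}

def describe(sig):
    """Render a parsed signature as readable text."""
    lines = [sig["name"]]
    lines += [f"  {k} = {v}" for k, v in sig["target"].items()]
    lines.append(f"  expression = {sig['expr']}")
    lines += [f"  subsig {i}: {s!r}" for i, s in enumerate(sig["subsigs"])]
    return "\n".join(lines)

if __name__ == "__main__":
    print(describe(parse_ldb(SIG)))
```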