Bug in ClamAV 0.80

Alex Laslavic alaslavic at HAVERTYS.COM
Tue Nov 2 20:50:03 GMT 2004


MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK> wrote on 11/02/2004
03:03:10 PM:

> Can someone confirm this for me please?
> I have a copy of the F-Prot distribution, which includes a copy of EICAR
> inside their docs so that you have a test file.
> ClamAV finds this file when it is checking individual elements of the
> tgz file, but then reports the tgz file itself as being clean.
>
> I get this output from
> /usr/lib/MailScanner/clamav-wrapper /usr/local -r --disable-summary
> --stdout .
> ---SNIP---
> /tmp/clamav.17357/clamav-ed6a79aa30cd343a/f-prot/doc_ws/screenshot.jpg: OK
> /tmp/clamav.17357/clamav-ed6a79aa30cd343a/f-prot/doc_ws/sys_req.html: OK
> /tmp/clamav.17357/clamav-ed6a79aa30cd343a/f-prot/doc_ws/test_eicar.html: Eicar-Test-Signature FOUND
> /tmp/clamav.17357/clamav-ed6a79aa30cd343a/f-prot/doc_ws/test_inst.html: OK
> /tmp/clamav.17357/clamav-ed6a79aa30cd343a/f-prot/doc_ws/tip.jpg: OK
> ---SNIP---
> (raw) /tmp/clamav.17357/clamav-fcf5882c8ea0c1ad/fp-linux-ws-4.0.0.tgz: OK
> ---SNIP---
>
> As you can see, it reports the EICAR but then says the tgz is clean. I
> can find no way of reliably pulling out all this /tmp stuff so that I
> can deduce the real name of the archive.
>
> Why did the ClamAV guys break their nice tidy output format?
>
> For now, do *not* use the "clamav" scanner. The "clamavmodule" scanner
> should still work okay.
>
> --
> Julian Field
> www.MailScanner.info
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
> Buy the MailScanner book at www.MailScanner.info/store
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Julian,
I get something slightly different, running:
ClamAV .80-1
mailscanner-4.33.3-1

I get the tmp madness too, but the tgz file itself is seen as FOUND,
although the path is mangled.  This was ClamAV-Test-Signature, not Eicar,
but I wouldn't think that would make a difference.

-----------------------------------------------
/home/alex/test/test1: ClamAV-Test-Signature FOUND
/home/alex/test/README: OK
/home/alex/test/test1.bz2: ClamAV-Test-Signature FOUND
/home/alex/test/test1.exe: ClamAV-Test-Signature FOUND
test1.exe
/tmp/clamav.22782/clamav-aa8d47299cf568cb/test1.exe: ClamAV-Test-Signature FOUND
/tmp/clamav.22782/clamav-02f7a97706784945/test1.tgz: Infected Archive FOUND
(Real infected archive: /home/alex/test/test1.tgz)
/home/alex/test/test2.zip: ClamAV-Test-Signature FOUND
/home/alex/test/test3.rar: ClamAV-Test-Signature FOUND
/home/alex/test/test2.badext: ClamAV-Test-Signature FOUND
-------------------------------------------------
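
The two outputs quoted above differ in whether a "(Real infected archive: ...)" line maps the temporary-directory hits back to the file that was scanned. As an added example (not part of the original thread, and not MailScanner's or ClamAV's own code), the Python below parses output of that shape and separates hits with a known real path from temp-dir hits that cannot be mapped back and should be treated as infected. The sample text is constructed from the quoted lines; the function name and the grouping of hits by `/tmp/clamav.<n>` directory are assumptions.

```python
import re

# Constructed sample, assembled from lines quoted in both messages of the thread.
SAMPLE = """\
/home/alex/test/README: OK
/tmp/clamav.22782/clamav-aa8d47299cf568cb/test1.exe: ClamAV-Test-Signature FOUND
/tmp/clamav.22782/clamav-02f7a97706784945/test1.tgz: Infected Archive FOUND
(Real infected archive: /home/alex/test/test1.tgz)
/tmp/clamav.17357/clamav-ed6a79aa30cd343a/f-prot/doc_ws/test_eicar.html: Eicar-Test-Signature FOUND
(raw) /tmp/clamav.17357/clamav-fcf5882c8ea0c1ad/fp-linux-ws-4.0.0.tgz: OK
"""

VERDICT = re.compile(r"^(?:\(raw\) )?(?P<path>/.+?): (?:(?P<sig>.+) FOUND|OK)$")
REAL = re.compile(r"^\(Real infected archive: (?P<path>.+)\)$")
TMP = re.compile(r"^(?P<run>/tmp/clamav\.\d+)/clamav-[0-9a-f]+/")

def triage(output):
    """Return (infected, unresolved).

    infected:   {real_path: set of signatures} for hits whose real path is known.
    unresolved: temp-dir hits that no "Real infected archive" line maps back;
                a caller should fail closed on these, not trust a later "OK".
    """
    infected, pending, last_run = {}, {}, None
    for line in output.splitlines():
        real = REAL.match(line)
        if real and last_run:
            # Assumption: the line refers to the temp-dir hits printed before it
            # under the same /tmp/clamav.<n> directory.
            sigs = {s for _, s in pending.pop(last_run, [])} - {"Infected Archive"}
            infected.setdefault(real["path"], set()).update(sigs or {"Infected Archive"})
            continue
        verdict = VERDICT.match(line)
        if not verdict or verdict["sig"] is None:
            continue  # "OK" lines and noise such as a bare "test1.exe"
        tmp = TMP.match(verdict["path"])
        if tmp:
            last_run = tmp["run"]
            pending.setdefault(last_run, []).append((verdict["path"], verdict["sig"]))
        else:
            infected.setdefault(verdict["path"], set()).add(verdict["sig"])
    unresolved = sorted(path for hits in pending.values() for path, _ in hits)
    return infected, unresolved

if __name__ == "__main__":
    print(triage(SAMPLE))
```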
