Bug in ClamAV 0.80

Dhawal Doshy dhawal at NETMAGICSOLUTIONS.COM
Tue Nov 2 21:30:53 GMT 2004 

    [ The following text is in the "utf-8" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Julian Field writes:

> Can someone confirm this for me please?
> I have a copy of the F-Prot distribution, which includes a copy of EICAR
> inside their docs so that you have a test file.
> ClamAV finds this file when it is checking individual elements of the
> tgz file, but then reports the tgz file itself as being clean.
>
> I get this output from
> /usr/lib/MailScanner/clamav-wrapper /usr/local -r --disable-summary
> --stdout .
> ---SNIP---
> /tmp/clamav.17357/clamav-ed6a79aa30cd343a/f-prot/doc_ws/screenshot.jpg: OK
> /tmp/clamav.17357/clamav-ed6a79aa30cd343a/f-prot/doc_ws/sys_req.html: OK
> /tmp/clamav.17357/clamav-ed6a79aa30cd343a/f-prot/doc_ws/test_eicar.html:
> Eicar-Test-Signature FOUND
> /tmp/clamav.17357/clamav-ed6a79aa30cd343a/f-prot/doc_ws/test_inst.html: OK
> /tmp/clamav.17357/clamav-ed6a79aa30cd343a/f-prot/doc_ws/tip.jpg: OK
> ---SNIP---
> (raw) /tmp/clamav.17357/clamav-fcf5882c8ea0c1ad/fp-linux-ws-4.0.0.tgz: OK
> ---SNIP---
>
> As you can see, it reports the EICAR but then says the tgz is clean. I
> can find no way of reliably pulling out all this /tmp stuff so that I
> can deduce the real name of the archive.
>
> Why did the ClamAV guys break their nice tidy output format?
>
> For now, do *not* use the "clamav" scanner. The "clamavmodule" scanner
> should still work okay.
>
> --
> Julian Field

I seem to be getting the same result.. am using 0.80-1 from dag-weers

[root at mx2 root]# clamscan --tgz -r --disable-summary --stdout /tmp/eicar
a/
a/b/
a/b/eicar.com
c/
c/d/
c/d/eicarcom2.zip
e/
e/f/
e/f/eicar_com.zip
g/
g/h/
g/h/eicar.com.txt
/tmp/clamav-e70f103d15271d45/a/b/eicar.com: Eicar-Test-Signature FOUND
/tmp/clamav-e70f103d15271d45/c/d/eicarcom2.zip: Eicar-Test-Signature FOUND
/tmp/clamav-e70f103d15271d45/e/f/eicar_com.zip: Eicar-Test-Signature FOUND
/tmp/clamav-e70f103d15271d45/g/h/eicar.com.txt: Eicar-Test-Signature FOUND
(raw) /tmp/eicar/eicar.tgz: OK
 ---snip---

 - dhawal

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

More information about the MailScanner mailing list