[clamav-users] Eicar test string now returning Win.Trojan.Trojan-605
Jason J. W. Williams
2016-03-17 03:49:39 UTC
As of the latest daily update, running ClamAV against the EICAR test string
reports Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.

-J
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Al Varnell
2016-03-17 03:54:17 UTC
The new database was just made available, so I recommend you hold off until you have the new mail.cvd v57 and daily.cvd v21466 before getting too excited about this.

-Al-
Jason J. W. Williams
2016-03-17 03:56:48 UTC
Thanks. Hopefully it'll sync up soon. I'm getting weird download errors out
of freshclam:

WARNING: getfile: Error while reading database from db.local.clamav.net (IP: 200.236.31.1): Operation now in progress
WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Error while reading database from db.local.clamav.net (IP: 194.186.47.19): Operation now in progress
WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
Empty script daily-21465.cdiff, need to download entire database
Al Varnell
2016-03-17 04:00:33 UTC
Those are normal messages for an update of this kind. The 21465.cdiff was purposely blank in order to force you to download the entire daily.cvd. Give it plenty of time as the main.cvd is 109MB.

Technical details: <http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html>

-Al-
Jason J. W. Williams
2016-03-17 04:06:58 UTC
Pulled down 21466 (and force-restarted clamd) but it's still classifying
EICAR as Win.Trojan.Trojan:

https://gist.github.com/williamsjj/b8104402e80f44475df5

Databases are up to date now:
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Empty script daily-21465.cdiff, need to download entire database
Downloading daily.cvd [100%]
daily.cvd updated (version: 21466, sigs: 83889, f-level: 63, builder: amishhammer)
Empty script bytecode-275.cdiff, need to download entire database
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
Database updated (4302724 signatures) from db.local.clamav.net (IP: 193.1.193.64)
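The freshclam output above is the evidence that matters before chasing a renamed detection: which database versions were actually reached, and whether the "Empty script ... need to download entire database" fallback to a full .cvd happened. The following is an added example (not ClamAV code and not from anyone in this thread) that parses those message shapes from a freshclam log and checks the resulting versions against a required minimum. The sample log is constructed from the lines posted above, joined back onto single lines; the required versions are the ones named earlier in the thread (main v57, daily v21466).

```python
"""Parse freshclam output and confirm which database versions were reached.

Added example, not ClamAV's own code. Recognised message shapes (as seen in
the thread's freshclam output):
  X.cvd updated (version: N, sigs: S, ...)
  X.cvd is up to date (version: N, sigs: S, ...)
  Empty script X-N.cdiff, need to download entire database
  WARNING: ...
"""
import re

# One "updated" / "is up to date" line per database (.cvd or .cld).
VERSION_RE = re.compile(
    r"^(?P<db>\w+)\.c[lv]d (?:updated|is up to date) "
    r"\(version: (?P<version>\d+), sigs: (?P<sigs>\d+)"
)
# freshclam gave up on the incremental .cdiff and fetched the whole database.
FULL_DOWNLOAD_RE = re.compile(
    r"^Empty script (?P<db>\w+)-\d+\.cdiff, need to download entire database"
)
WARNING_RE = re.compile(r"^WARNING: ")


def parse_freshclam(log):
    """Return per-database versions and signature counts, the databases that
    were fetched in full, and the WARNING lines, from one freshclam run."""
    versions, sigs, full_downloads, warnings = {}, {}, [], []
    for raw in log.splitlines():
        line = raw.strip()
        m = VERSION_RE.match(line)
        if m:
            versions[m["db"]] = int(m["version"])
            sigs[m["db"]] = int(m["sigs"])
            continue
        m = FULL_DOWNLOAD_RE.match(line)
        if m:
            full_downloads.append(m["db"])
            continue
        if WARNING_RE.match(line):
            warnings.append(line)
    return {
        "versions": versions,
        "sigs": sigs,
        "full_downloads": full_downloads,
        "warnings": warnings,
    }


def below_minimum(versions, required):
    """Databases that are missing from the run or older than the required version."""
    return [db for db, need in required.items() if versions.get(db, -1) < need]


# Constructed sample: the thread's freshclam lines, re-joined onto single lines.
SAMPLE_LOG = """\
WARNING: getfile: Error while reading database from db.local.clamav.net (IP: 200.236.31.1): Operation now in progress
WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Empty script daily-21465.cdiff, need to download entire database
Downloading daily.cvd [100%]
daily.cvd updated (version: 21466, sigs: 83889, f-level: 63, builder: amishhammer)
Empty script bytecode-275.cdiff, need to download entire database
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 275, sigs: 45, f-level: 63, builder: amishhammer)
Database updated (4302724 signatures) from db.local.clamav.net (IP: 193.1.193.64)
"""

# Constructed sample of a host that has not picked up the new daily yet.
STALE_LOG = "daily.cvd is up to date (version: 21465, sigs: 83000, f-level: 63, builder: amishhammer)\n"

# The versions the thread says to wait for before investigating the new name.
REQUIRED = {"main": 57, "daily": 21466}

if __name__ == "__main__":
    result = parse_freshclam(SAMPLE_LOG)
    print("versions:", result["versions"])
    print("fetched in full:", result["full_downloads"])
    print("below minimum:", below_minimum(result["versions"], REQUIRED))
```

Run it over a saved `freshclam` log; an empty list from `below_minimum` means the host is on at least the versions the thread names, and the `full_downloads` entries explain the "Empty script" warnings as the expected full-database fetch rather than a download failure.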
Al Varnell
2016-03-17 04:32:42 UTC
I’m still looking, but so far I can’t find any Win.Trojan.Trojan signatures in the ClamAV Official database or listed on the clamav-virusdb e-mail list.

Nor can I confirm your results using my own EICAR.

Are you using any Unofficial signatures from a different source?

-Al-
--
Al Varnell
Mountain View, CA
Jason J. W. Williams
2016-03-17 04:36:57 UTC
Yeah, the sanesecurity sigs. Moving them out causes Win.Test.EICAR_NDB-1
FOUND to be found, which I assume is the new name.

Not sure why the update is suddenly causing the SaneSecurity sigs to get
checked first. I'll track it down.

-J
Al Varnell
2016-03-17 04:38:07 UTC
Disregard, I found it here after they got the new main.cvd:
<http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Trojan.Trojan-605&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&display=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>

I’ll see what I get once my main.cvd finishes.

-Al-
Jason J. W. Williams
2016-03-17 04:44:04 UTC
Culprit seems to be sanesecurity-porcupine.ndb
(http://sanesecurity.com/usage/signatures/). Moving it out causes
Win.Test.EICAR_NDB-1 FOUND to be found; moving it back in triggers the
Win.Trojan.Trojan-605 FP. Since the Win.Trojan.Trojan sig isn't in the DB
I'm not sure why that is.

-J
Al Varnell
2016-03-17 05:16:53 UTC
I don’t know why sanesecurity-porcupine.ndb is causing this, but I can now see that the signatures for Win.Test.EICAR_LDB-1 and Win.Trojan.Trojan-605 are identical, so this is an FP situation which would be reported.
<http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Test.EICAR_LDB-1&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&display=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>

However, I’m not sure where to find a copy of a Win.Test.EICAR_LDB-1 file to submit.

-Al-
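The conclusion above, that the signatures for Win.Test.EICAR_LDB-1 and Win.Trojan.Trojan-605 are identical and the reported name therefore depends on which database file supplies the match, is something an administrator can check locally rather than by moving .ndb files in and out. The script below is an added example, not ClamAV's code and not from anyone in this thread: it parses the plain-text .ndb (`Name:Target:Offset:HexSig`) and .ldb (`Name;TargetBlock;LogicalExpr;Subsig0;...`) line formats, groups signatures whose body pattern is identical under different names, and lists every signature that matches a buffer (what `clamscan --allmatch` would show, versus the single name plain `clamscan` prints). The database contents are constructed for the example: the names follow the thread, but the lines, the choice of which file carries Win.Trojan.Trojan-605, and the target/offset fields are assumptions, not copies of any real database. Only the `??` and `*` wildcards are supported; any other ClamAV pattern syntax is rejected rather than mis-read.

```python
"""Attribute a ClamAV detection name to the database file and pattern behind it.

Added example, not ClamAV's own code. Parses .ndb/.ldb lines, finds identical
body patterns that carry different names, and reports all matches in a buffer.
"""
import os
import re
from dataclasses import dataclass

# The EICAR test string (published, harmless) and its hex form as a signature body.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_HEX = EICAR.hex()


@dataclass(frozen=True)
class Sig:
    name: str     # detection name clamscan would report
    db: str       # database file the line came from
    pattern: str  # lower-case hex body (one .ndb body or one .ldb subsignature)


def parse_ndb(line, db):
    # .ndb: MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
    parts = line.split(":")
    if len(parts) < 4:
        raise ValueError(f"{db}: malformed .ndb line: {line!r}")
    return [Sig(parts[0], db, parts[3].lower())]


def parse_ldb(line, db):
    # .ldb: SigName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;...
    parts = line.split(";")
    if len(parts) < 4:
        raise ValueError(f"{db}: malformed .ldb line: {line!r}")
    return [Sig(parts[0], db, sub.lower()) for sub in parts[3:]]


PARSERS = {".ndb": parse_ndb, ".ldb": parse_ldb}


def load_db(db, text):
    """Parse one database file's text; blank lines and '#' lines are skipped here."""
    parse = PARSERS[os.path.splitext(db)[1]]
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            sigs.extend(parse(line, db))
    return sigs


def hexsig_to_regex(hexsig):
    """Turn a hex body pattern into a bytes regex. Supports literal bytes,
    '??' (any one byte) and '*' (any run of bytes); other syntax raises."""
    out, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            out.append(b".*")
            i += 1
            continue
        tok = hexsig[i:i + 2]
        if tok == "??":
            out.append(b".")
        elif re.fullmatch(r"[0-9a-f]{2}", tok):
            out.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported token {tok!r} in {hexsig!r}")
        i += 2
    return re.compile(b"".join(out), re.DOTALL)


def shared_patterns(sigs):
    """Patterns carried by more than one name: {pattern: [(db, name), ...]}."""
    by_pattern = {}
    for s in sigs:
        by_pattern.setdefault(s.pattern, []).append((s.db, s.name))
    return {p: hits for p, hits in by_pattern.items() if len({n for _, n in hits}) > 1}


def scan(data, sigs):
    """Every signature whose pattern occurs in data, with its source file."""
    return [f"{s.name} ({s.db})" for s in sigs if hexsig_to_regex(s.pattern).search(data)]


# Constructed sample databases (assumed layout; not real database content).
SAMPLE_DBS = {
    "daily.ndb": f"Win.Test.EICAR_NDB-1:0:*:{EICAR_HEX}\n",
    "daily.ldb": f"Win.Test.EICAR_LDB-1;Engine:51-255,Target:0;0;{EICAR_HEX}\n",
    "main.ldb": f"Win.Trojan.Trojan-605;Engine:51-255,Target:0;0;{EICAR_HEX}\n",
    "sanesecurity-porcupine.ndb": "# constructed third-party file\n"
                                  "Unrelated.Sample-1:0:*:deadbeef??cafe\n",
}


def load_all(dbs=SAMPLE_DBS):
    return [s for db, text in dbs.items() for s in load_db(db, text)]


if __name__ == "__main__":
    sigs = load_all()
    for pattern, hits in shared_patterns(sigs).items():
        print(f"identical pattern {pattern[:16]}... carried by: {hits}")
    print("matches on EICAR:", scan(EICAR, sigs))
```

On real databases, unpack the .cvd files with `sigtool --unpack` first and feed each resulting .ndb/.ldb to `load_db`; a non-empty `shared_patterns` result is the list of names that can swap places in clamscan's output depending on which file wins the match.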
Jason Williams
2016-03-17 05:46:13 UTC
Hey Al,

I submitted an FP report with one attached. Just put the EICAR string into a txt file and that'll trigger it.

-J

Sent via iPhone
Al Varnell
2016-03-17 06:49:42 UTC
I just ran a scan against the ClamAV test files contained in the 0.99.1 source file and I’m getting all Win.Trojan.Trojan-476:

File Name Infection Name Status
/Users/avarnell/Desktop/•Download/clamav-0.99.1/unit_tests/clam-phish-exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.cab Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.zip Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.arj Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.rtf Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.szdd Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tar.gz Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.chm Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.sis Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-aspack.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-pespin.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upx.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-fsg.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-mew.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-nsis.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-petite.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upack.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-wwpack.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.pdf Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.mail Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ppt Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tnef Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea05.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea06.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.d64.zip Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.base64 Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.uu Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.binhex Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ole.doc Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.impl.zip Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.html Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-be.cpio Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-le.cpio Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.newc.cpio Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.odc.cpio Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-yc.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_int.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_ext.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_int.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_ext.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.7z Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_cache_emax.tgz Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.iso Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clamjol.iso Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-v2.rar Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-v3.rar Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.bz2 Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bz2.zip Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam_IScab_int.exeaa Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam.isoaa Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam_IScab_ext.exeaa Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clamjol.isoaa Win.Trojan.Trojan-476

-Al-
Post by Jason Williams
Hey Al,
I submitted a FP report with one attached. Just put the EICAR string into a txt file and that'll trigger it.
-J
Sent via iPhone
Post by Al Varnell
I don’t know why sanesecurity-porcupine.ndb is causing this, but I can now see that the signatures for Win.Test.EICAR_LDB-1 and Win.Trojan.Trojan-605 are identical, so this is an FP situation which would be reported.
<http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Test.EICAR_LDB-1&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&display=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>
However, I’m not sure where to find a copy of a Win.Test.EICAR_LDB-1 file to submit.
-Al-
Post by Jason J. W. Williams
Culprit seems to be sanesecurity-porcupine.ndb (
http://sanesecurity.com/usage/signatures/). Moving it out causes
Win.Test.EICAR_NDB-1
FOUND to be found, moving it back in triggers the Win.Trojan.Trojan-605 FP.
Since the Win.Trojan.Trojan sig isn't in the DB I'm not sure why that is.
-J
Post by Al Varnell
<
http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Trojan.Trojan-605&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&display=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display
I’ll see what I get once my main.cvd finishes.
-Al-
Post by Al Varnell
I’m still looking, but so far I can’t find any Win.Trojan.Trojan
signatures in the ClamAV Official database or listed in clamav-virusdb
e-mail list.
Post by Al Varnell
Nor can I confirm your results using my own EICAR.
Are you using any Unofficial signatures from a different source?
-Al-
Post by Jason J. W. Williams
Pulled down 21466 (and force restarted clamd) but it's still classifying
https://gist.github.com/williamsjj/b8104402e80f44475df5
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60,
amishhammer)
Empty script daily-21465.cdiff, need to download entire database
Downloading daily.cvd [100%]
amishhammer)
Empty script bytecode-275.cdiff, need to download entire database
Downloading bytecode.cvd [100%]
amishhammer)
193.1.193.64)
Post by Al Varnell
Those are normal messages for an update of this kind. The 21465.cdiff
was purposely blank in order to force you to download the entire daily.cvd.
Give it plenty of time as the main.cvd is 109MB.
Technical details: <http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html>
-Al-
Post by Jason J. W. Williams
Thanks. Hopefully it'll sync up soon. I'm getting weird download
errors out of freshclam:
WARNING: getfile: Error while reading database from db.local.clamav.net
(IP: 200.236.31.1): Operation now in progress
WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Error while reading database from db.local.clamav.net
(IP: 194.186.47.19): Operation now in progress
WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
Empty script daily-21465.cdiff, need to download entire database
Post by Al Varnell
The new database was just made available, so I recommend you hold off
until you have the new mail.cvd v57 and daily.cvd v21466 before getting
too excited about this.
-Al-
Post by Jason J. W. Williams
As of the latest daily update, running ClamAV against the EICAR test
string reports Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
-J
-Al-
--
Al Varnell
Mountain View, CA
Dennis Peterson
2016-03-17 07:02:24 UTC
Permalink
sigtool --unpack=main.cvd
rm -f main.cvd

grep EICAR main.*
main.hdb:44d88612fea8a8f36de82e1278abb02f:68:Win.Test.EICAR_HDB-1
main.hsb:275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f:68:Win.Test.EICAR_HSB-1
main.mdb:45056:3ea7d00dedd30bcdf46191358c36ffa4:Win.Test.EICAR_MDB-1
main.msb:45056:f9b304ced34fcce3ab75c6dc58ad59e4d62177ffed35494f79f09bc4e8986c16:Win.Test.EICAR_MSB-1
main.ndb:Win.Test.EICAR_NDB-1:0:0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
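The five `grep EICAR main.*` lines Dennis posted are a compact tour of ClamAV's hash and body signature formats, and they are enough to check by hand which of them actually fire on the EICAR file. The script below is an added example, not code from the thread or from the ClamAV project: it parses those lines, recovers the test body from the `.ndb` hex signature (so the test string never appears in clear text in the source), verifies the `.hdb` MD5 and `.hsb` SHA-256 against it, and reports `.ndb` bodies that appear under more than one name, which is the situation Al found for Win.Test.EICAR_LDB-1 and Win.Trojan.Trojan-605. The field layouts in the docstring are taken from the ClamAV signature documentation; the `unofficial.ndb` line used in the usage note is a constructed duplicate, not a real signature file.

```python
"""Parse the `grep EICAR main.*` lines above and check each signature against
the EICAR body.  Added example, not code from the thread or from ClamAV.

Record formats (ClamAV signature documentation):
  .hdb  md5:file_size:name
  .hsb  sha256:file_size:name
  .mdb  pe_section_size:md5_of_section:name
  .msb  pe_section_size:sha256_of_section:name
  .ndb  name:target_type:offset:hex_signature[:min_flevel[:max_flevel]]
"""
import hashlib
import re

# The five lines Dennis posted, exactly as grep prints them (dbfile:record).
GREP_OUTPUT = """\
main.hdb:44d88612fea8a8f36de82e1278abb02f:68:Win.Test.EICAR_HDB-1
main.hsb:275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f:68:Win.Test.EICAR_HSB-1
main.mdb:45056:3ea7d00dedd30bcdf46191358c36ffa4:Win.Test.EICAR_MDB-1
main.msb:45056:f9b304ced34fcce3ab75c6dc58ad59e4d62177ffed35494f79f09bc4e8986c16:Win.Test.EICAR_MSB-1
main.ndb:Win.Test.EICAR_NDB-1:0:0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
"""


def parse_grep_line(line):
    """Turn one 'dbfile:record' grep line into a dict keyed by signature type."""
    db_file, record = line.split(":", 1)
    kind = db_file.rsplit(".", 1)[-1]
    fields = record.split(":")
    if kind in ("hdb", "hsb"):
        digest, size, name = fields[:3]
        return {"kind": kind, "name": name, "digest": digest.lower(), "size": int(size)}
    if kind in ("mdb", "msb"):
        section_size, digest, name = fields[:3]
        return {"kind": kind, "name": name, "digest": digest.lower(),
                "section_size": int(section_size)}
    if kind == "ndb":
        name, target, offset, hexsig = fields[:4]
        return {"kind": kind, "name": name, "target": int(target),
                "offset": offset, "hexsig": hexsig.lower()}
    raise ValueError(f"unsupported signature file: {db_file}")


def parse_grep_output(text):
    return [parse_grep_line(l) for l in text.splitlines() if l.strip()]


def matches(sig, data):
    """True/False for signature types this checker can evaluate on a raw file
    body; None for .mdb/.msb (PE section hashes need the parsed PE sections)
    and for .ndb bodies that use wildcards or non-numeric offsets."""
    kind = sig["kind"]
    if kind == "hdb":
        return len(data) == sig["size"] and hashlib.md5(data).hexdigest() == sig["digest"]
    if kind == "hsb":
        return len(data) == sig["size"] and hashlib.sha256(data).hexdigest() == sig["digest"]
    if kind == "ndb":
        hexsig = sig["hexsig"]
        if not re.fullmatch(r"(?:[0-9a-f]{2})+", hexsig):
            return None  # ??, *, {n}, (a|b) and friends need the real pattern matcher
        needle = bytes.fromhex(hexsig)
        if sig["offset"] == "*":
            return needle in data
        if sig["offset"].isdigit():
            start = int(sig["offset"])
            return data[start:start + len(needle)] == needle
        return None  # EP+n, EOF-n, SEn and similar anchors are not modelled here
    return None


def duplicate_ndb_bodies(sigs):
    """Hex bodies that appear under more than one .ndb name.  Al's finding in
    the thread was exactly this: two names with identical signatures, so a
    file that hits one also hits the other."""
    by_body = {}
    for s in sigs:
        if s["kind"] == "ndb":
            by_body.setdefault(s["hexsig"], []).append(s["name"])
    return {body: names for body, names in by_body.items() if len(names) > 1}


def eicar_report(extra_lines=()):
    """Check every signature against the EICAR body and list duplicate bodies.
    The body is recovered from the .ndb line itself (plain hex at offset 0)."""
    sigs = parse_grep_output(GREP_OUTPUT) + [parse_grep_line(l) for l in extra_lines]
    ndb = next(s for s in sigs if s["kind"] == "ndb")
    body = bytes.fromhex(ndb["hexsig"])
    results = {s["name"]: matches(s, body) for s in sigs}
    return results, duplicate_ndb_bodies(sigs)


if __name__ == "__main__":
    results, dups = eicar_report()
    for name, hit in results.items():
        state = "MATCH" if hit else ("no match" if hit is False else "not checkable")
        print(f"{name:24s} {state}")
    print("duplicate bodies:", dups)
```

Running it shows the three whole-file signatures (`.hdb`, `.hsb`, `.ndb`) matching the 68-byte body and the two PE-section signatures reported as not checkable, since they hash a PE section rather than the file. Passing a constructed line such as `unofficial.ndb:Win.Trojan.Trojan-605:0:0:<same hex>` through `extra_lines` makes `duplicate_ndb_bodies` flag the pair, which is the quick check to run on an unofficial signature set before deciding whether a surprising name is a false positive or simply a second name for the same pattern.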
Dennis Peterson
2016-03-17 07:07:09 UTC
Permalink
Sorry - didn't intend to send this to the list.
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Mark Allan
2016-03-17 09:44:15 UTC
Permalink
Just to confirm, I'm also seeing everything being flagged as Win.Trojan.Trojan-476 with the new main/daily.cvd files.

Mark
Post by Al Varnell
File Name Infection Name Status
/Users/avarnell/Desktop/•Download/clamav-0.99.1/unit_tests/clam-phish-exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.cab Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.zip Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.arj Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.rtf Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.szdd Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tar.gz Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.chm Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.sis Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-aspack.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-pespin.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upx.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-fsg.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-mew.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-nsis.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-petite.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upack.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-wwpack.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.pdf Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.mail Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ppt Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tnef Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea05.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea06.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.d64.zip Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.base64 Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.uu Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.binhex Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ole.doc Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.impl.zip Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.html Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-be.cpio Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-le.cpio Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.newc.cpio Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.odc.cpio Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-yc.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_int.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_ext.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_int.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_ext.exe Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.7z Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_cache_emax.tgz Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.iso Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clamjol.iso Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-v2.rar Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-v3.rar Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.bz2 Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bz2.zip Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam_IScab_int.exeaa Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam.isoaa Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam_IScab_ext.exeaa Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clamjol.isoaa Win.Trojan.Trojan-476
-Al-
Dennis Peterson
2016-03-17 17:27:16 UTC
Permalink
We're not yet sure if it's broken or a result of renaming signatures.

dp
Is anyone still seeing this or have they fixed it?
-J
Sent via iPhone
Post by Mark Allan
Just to confirm, I'm also seeing everything being flagged as Win.Trojan.Trojan-476 with the new main/daily.cvd files.
Mark
Al Varnell
2016-03-17 17:31:08 UTC
Permalink
There have not been any additional updates released yet, so nothing could have changed.

-Al-
Is anyone still seeing this or have they fixed it?
-J
Sent via iPhone
Post by Mark Allan
Just to confirm, I'm also seeing everything being flagged as Win.Trojan.Trojan-476 with the new main/daily.cvd files.
Mark
-Al-
--
Al Varnell
Mountain View, CA
Jason J. W. Williams
2016-05-16 20:45:17 UTC
Permalink
Looks like EICAR is getting classified as Win.Trojan.Trojan-605 again
(daily 21557).

https://gist.github.com/williamsjj/b8104402e80f44475df5

-J
Post by Al Varnell
The new database was just made available, so I recommend you hold off
until you have the new mail.cvd v57 and daily.cvd v21466 before getting too
excited about this.
-Al-
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Al Varnell
2016-05-17 06:25:33 UTC
Permalink
I’m unable to replicate your findings:

~/Downloads/2016-05-16/eicar.txt: Eicar-Test-Signature FOUND

Taking a look at the current daily.cld I see entries in both ignore sections:

daily.ign
1374 002516
fake:1:Dont_remove_this_line
...
main:42:Win.Trojan.Trojan-605

daily.ign2
1072 002573
fake_dont_remove_this_line
...
Win.Trojan.Trojan-605

I wonder if it’s engine specific? Are you using 0.99.x?

-Al-
Post by Jason J. W. Williams
Looks like EICAR is getting classified as Win.Trojan.Trojan-605 again
(daily 21557).
https://gist.github.com/williamsjj/b8104402e80f44475df5
-J
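Al's check of the two ignore sections is the right diagnostic for a name that should no longer appear: a signature listed in `daily.ign` (format `db_name:line_number:signature_name`) or `daily.ign2` (one signature name per line) is skipped by the engine, so a report under that name on an up-to-date installation points at either a stale database or a second copy of the pattern under the same name from another source. The script below is an added example, not code from the thread or from ClamAV; it uses the entries Al quoted (the elided lines between the placeholder and the Trojan-605 entry are left out, and `DAILY_IGN`/`DAILY_IGN2` are constructed strings rather than real files) and models the ignore lists as a plain name filter over the detections that matched a file, which is a simplification of ClamAV's load-time suppression.

```python
"""Decide which detection name survives ClamAV's ignore lists, using the
daily.ign / daily.ign2 entries quoted above.  Added example, not code from
the thread or from ClamAV.  Formats (ClamAV signature documentation):
  .ign   db_name:line_number:signature_name   (one entry per line)
  .ign2  signature_name                        (one name per line)
"""

# Constructed from the entries quoted in the thread; the elided lines between
# the placeholder first line and the Trojan-605 entry are left out.
DAILY_IGN = """\
fake:1:Dont_remove_this_line
main:42:Win.Trojan.Trojan-605
"""
DAILY_IGN2 = """\
fake_dont_remove_this_line
Win.Trojan.Trojan-605
"""


def parse_ign(text):
    """Parse .ign lines into dicts.  A malformed line raises rather than being
    skipped: a silently broken ignore file un-suppresses everything in it."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3 or not parts[1].isdigit():
            raise ValueError(f".ign line {lineno}: expected db:line:name, got {line!r}")
        entries.append({"db": parts[0], "line": int(parts[1]), "name": parts[2]})
    return entries


def parse_ign2(text):
    """.ign2 is a bare list of signature names."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def where_ignored(name, ign_text, ign2_text):
    """Which ignore files list `name`.  Same question as Alain's
    `grep -i 'Win.Trojan.Trojan-605' daily.ign`, but covering both files."""
    found = []
    if any(e["name"] == name for e in parse_ign(ign_text)):
        found.append("daily.ign")
    if name in parse_ign2(ign2_text):
        found.append("daily.ign2")
    return found


def apply_ignore_lists(detections, ign_text, ign2_text):
    """Split raw detection names into (kept, suppressed), preserving order.
    `detections` stands in for every name whose pattern matched the file;
    the first kept name is the one a current installation prints."""
    ignored = {e["name"] for e in parse_ign(ign_text)} | set(parse_ign2(ign2_text))
    kept = [d for d in detections if d not in ignored]
    suppressed = [d for d in detections if d in ignored]
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = apply_ignore_lists(
        ["Win.Trojan.Trojan-605", "Eicar-Test-Signature"], DAILY_IGN, DAILY_IGN2)
    print("reported:", kept, "suppressed:", suppressed)
    print("Win.Trojan.Trojan-605 listed in:",
          where_ignored("Win.Trojan.Trojan-605", DAILY_IGN, DAILY_IGN2))
```

With the quoted entries, a file that matches both Win.Trojan.Trojan-605 and Eicar-Test-Signature is reported only as Eicar-Test-Signature; if a live scanner still prints the suppressed name after `freshclam` has fetched current `main` and `daily` files, the next thing to check is whether an unofficial signature set supplies the same name outside the ignored databases, as Jason found with sanesecurity-porcupine.ndb earlier in the thread.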
Jason J. W. Williams
2016-05-17 20:11:01 UTC
Permalink
No ClamAV 0.98.7.

-J
Post by Al Varnell
~/Downloads/2016-05-16/eicar.txt: Eicar-Test-Signature FOUND
Taking a look at the current daily.cld I see entries in both ignore sections:
daily.ign
1374 002516
fake:1:Dont_remove_this_line
...
main:42:Win.Trojan.Trojan-605
daily.ign2
1072 002573
fake_dont_remove_this_line
...
Win.Trojan.Trojan-605
I wonder if it’s engine specific? Are you using 0.99.x?
-Al-
Alain Zidouemba
2016-05-17 20:13:31 UTC
Permalink
Jason:

Do you have both main.cvd and daily.cvd? Win.Trojan.Trojan-605 was
dropped several weeks ago, but would only be reflected in your installation
if you have both main.cvd and daily.cvd. Please confirm.

Thanks,

- Alain



On Tue, May 17, 2016 at 4:11 PM, Jason J. W. Williams <
Post by Jason J. W. Williams
No ClamAV 0.98.7.
-J
Jason J. W. Williams
2016-05-17 20:22:09 UTC
Permalink
We do.

-J
Post by Alain Zidouemba
Do you have both main.cvd and daily.cvd? Win.Trojan.Trojan-605 was
dropped several weeks ago, but would only be reflected in your installation
if you have both main.cvd and daily.cvd. Please confirm.
Thanks,
- Alain
Alain Zidouemba
2016-05-17 20:25:32 UTC
$ sigtool -u /usr/local/share/clamav/daily.cld

$ grep -i 'Win.Trojan.Trojan-605' daily.ign
main:42:Win.Trojan.Trojan-605


Same on your end?

- Alain

Jason J. W. Williams
2016-05-17 20:33:18 UTC
Yessir:

# sigtool -u /var/lib/clamav/daily.cld

# grep -i 'Win.Trojan.Trojan-605' daily.ign
main:42:Win.Trojan.Trojan-605
David Raynor
2016-05-17 21:02:25 UTC
If you run clamscan with "--debug" it will tell you which files it is
loading, even the files inside a cvd or cld file. It will also remark about
which signatures it skips when loading.

You should see these lines within your debug output:

...
LibClamAV debug: daily.ign2 loaded
...
LibClamAV debug: /var/lib/clamav/daily.cld loaded
...
LibClamAV debug: Ignoring signature Win.Trojan.Trojan-605
...
LibClamAV debug: main.ndb loaded
...

Which of these rows you see is going to be affected by the contents of your
database, but this is what I see with an up-to-date daily and main.cvd. The
signature is in the latest main. The ignore is set in the latest daily
(21562) and has been for weeks. Once you get to a fresh enough daily it
will have the ignore set. If there is something else going on that is
preventing clamscan from loading that daily.cld (e.g. file permissions,
path difference) that would be the culprit.

Hope this helps,

Dave R.


--
---
Dave Raynor
Talos Security Intelligence and Research Group
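Al's daily.ign / daily.ign2 listing and Dave's "--debug" check, combined into one added example (not ClamAV project code): it parses both ignore files and a captured clamscan --debug log and reports why a signature listed as ignored might still fire. The sample file contents and debug lines are constructed from the excerpts quoted in this thread; treating the first line of each ignore file as a header is an assumption.

```python
"""Cross-check a ClamAV signature against daily.ign / daily.ign2 and against
clamscan --debug output, to separate "the ignore entry is missing" from "the
entry is there but daily.cld was never loaded". Added example for this thread,
not ClamAV project code; sample data is constructed from the excerpts above
and the assumed layout is one header line followed by entries."""
import re

# Constructed daily.ign excerpt: entries are dbname:line:SignatureName
DAILY_IGN = """1374 002516
fake:1:Dont_remove_this_line
main:42:Win.Trojan.Trojan-605
"""
# Constructed daily.ign2 excerpt: bare signature names
DAILY_IGN2 = """1072 002573
fake_dont_remove_this_line
Win.Trojan.Trojan-605
"""
# Constructed clamscan --debug excerpt from a healthy run
DEBUG_OK = [
    "LibClamAV debug: daily.ign2 loaded",
    "LibClamAV debug: /var/lib/clamav/daily.cld loaded",
    "LibClamAV debug: Ignoring signature Win.Trojan.Trojan-605",
    "LibClamAV debug: main.ndb loaded",
]

_ENTRY_RE = re.compile(r"^(?P<db>[^:\s]+):(?P<line>\d+):(?P<name>\S+)$")
_DEBUG_RE = re.compile(
    r"^LibClamAV debug: (?:(?P<file>\S+) loaded|Ignoring signature (?P<sig>\S+))$")


def parse_ign(text):
    """daily.ign -> {signature: (source db, line)}; other lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        m = _ENTRY_RE.match(raw.strip())
        if m:
            entries[m.group("name")] = (m.group("db"), int(m.group("line")))
    return entries


def parse_ign2(text):
    """daily.ign2 -> set of signature names; header and blank lines skipped."""
    return {s for s in (ln.strip() for ln in text.splitlines())
            if s and not s.split()[0].isdigit()}


def parse_debug(lines):
    """clamscan --debug lines -> (loaded file names, ignored signatures)."""
    loaded, ignored = [], set()
    for line in lines:
        m = _DEBUG_RE.match(line.strip())
        if m and m.group("file"):
            loaded.append(m.group("file"))
        elif m:
            ignored.add(m.group("sig"))
    return loaded, ignored


def diagnose(sig, ign_text, ign2_text, debug_lines):
    """Why does `sig` still fire? One of: 'not-in-ignore-lists',
    'ignore-effective', 'daily-not-loaded', 'listed-but-not-applied'."""
    if sig not in parse_ign(ign_text) and sig not in parse_ign2(ign2_text):
        return "not-in-ignore-lists"
    loaded, ignored = parse_debug(debug_lines)
    if sig in ignored:
        return "ignore-effective"
    if not any(f.endswith(("daily.cld", "daily.cvd")) for f in loaded):
        return "daily-not-loaded"
    return "listed-but-not-applied"
```

Feed it the output of `sigtool -u daily.cld` (the .ign/.ign2 files) and a saved `clamscan --debug` log; a "daily-not-loaded" result points at the permissions or path problem Dave describes rather than at the signature database.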
Jason J. W. Williams
2016-05-17 21:37:28 UTC
Hi Dave,

Thanks. I don't see any issues with it loading the daily.cld. I'm going to
wipe it out and let Freshclam reload it and the ign.

-J
Helmut Hullen
2016-05-18 04:27:00 UTC
Hello, Jason,
Post by Jason J. W. Williams
Thanks. I don't see any issues with it loading the daily.cld. I'm
going to wipe it out and let Freshclam reload it and the ign.
That changes the warnings ...

cd <clamav-directory>
rm -f *.cvd *.cld
freshclam
clamscan /tmp

now tells

LibClamAV Warning: cli_loadldb: logical signature for Win.Trojan.ssid18332-1 uses PCREs but support is disabled, skipping
LibClamAV Warning: cli_loadldb: logical signature for Win.Ransomware.Locky-4 uses PCREs but support is disabled, skipping
LibClamAV Warning: cli_loadldb: logical signature for Html.Exploit.CVE_2016_0184-1 uses PCREs but support is disabled, skipping

Kind regards!
Helmut

Andreas Schulze
2016-05-19 05:14:36 UTC
Post by Helmut Hullen
LibClamAV Warning: cli_loadldb: logical signature for Win.Trojan.ssid18332-1 uses PCREs but support is disabled, skipping
LibClamAV Warning: cli_loadldb: logical signature for Win.Ransomware.Locky-4 uses PCREs but support is disabled, skipping
LibClamAV Warning: cli_loadldb: logical signature for Html.Exploit.CVE_2016_0184-1 uses PCREs but support is disabled, skipping
Your clamav was built without pcre support. You have to compile a new binary.
--
A. Schulze
DATEV eG
Helmut Hullen
2016-05-19 10:59:00 UTC
Hello, Andreas,
Post by Andreas Schulze
your clamav was built without pcre support. You have to compile a new
binary
Sorry - no. Configuring with "--disable_pcre" doesn't change this
behaviour.
see

from 2016-05-14 ("yum-installing ClamAV in Amazon Linux")

Kind regards!
Helmut

Matus UHLAR - fantomas
2016-05-19 13:11:18 UTC
Post by Helmut Hullen
Post by Andreas Schulze
your clamav was built without pcre support. You have to compile a new
binary
Sorry - no. Configuring with "--disable_pcre" doesn't change this
behaviour.
Of course DISABLING does NOT help; you need to ENABLE it.
The whole problem comes from the fact that PCRE is disabled...

In most Linux distributions you need the development package of the pcre library.
Post by Helmut Hullen
see
from 2016-05-14 ("yum-installing ClamAV in Amazon Linux")
the same mistake there.
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
I just got lost in thought. It was unfamiliar territory.
Helmut Hullen
2016-05-19 16:46:00 UTC
Hello, Matus,
Post by Matus UHLAR - fantomas
Post by Helmut Hullen
Post by Andreas Schulze
your clamav was built without pcre support. You have to compile a
new binary
Sorry - no. Configuring with "--disable_pcre" doesn't change this
behaviour.
of course DISABLING does NOT help, you need to ENABLE it.
the whole problem comes out of the fact that PCRE is disabled...
Thanks - that has helped. "disable" seems to be the default option.

Kind regards!
Helmut
