[Pkg-clamav-devel] 0.97.8 not detecting virus in RAR?
Scott Kitterman
debian at kitterman.com
Fri May 17 15:52:58 UTC 2013
On Friday, May 17, 2013 05:18:38 PM eRVee Moskovic wrote:
> Hi,
>
> I always check ClamAV updates with a few test and real virus files. After
> the last update to 0.97.8 I noticed not all files were detected as a
> Virus. The files not detected were both an eicar file in a RAR archive.
>
> The first time I noticed this is after the 0.97.8 update. This is the output
> from a scan on rar-ed eicar files:
>
> webandmail:/tmp# clamscan ~/VIRUSES/Eicar-Test-Signatur/*.rar
> /root/VIRUSES/Eicar-Test-Signatur/eicar.com.rar: OK
> /root/VIRUSES/Eicar-Test-Signatur/eicar.com-with-newline.rar: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 2311231
> Engine version: 0.97.8
> Scanned directories: 0
> Scanned files: 2
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 5.586 sec (0 m 5 s)
> webandmail:/tmp# md5sum ~/VIRUSES/Eicar-Test-Signatur/*.rar
> c329fba5cffdabeecd80a1cbf2711300  /root/VIRUSES/Eicar-Test-Signatur/eicar.com.rar
> 4e34932863cc0f7f39ffd5cdce13a0f3  /root/VIRUSES/Eicar-Test-Signatur/eicar.com-with-newline.rar
>
> I have an old SuSE Server running my hand built and updated ClamAV and this
> does detect the eicar in the RAR files:
>
> banana:/tmp # clamscan ~/VIRUSES/Eicar-Test-Signatur/*.rar
> /root/VIRUSES/Eicar-Test-Signatur/eicar.com-with-newline.rar: Eicar-Test-Signature FOUND
> /root/VIRUSES/Eicar-Test-Signatur/eicar.com.rar: Eicar-Test-Signature FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 2311235
> Engine version: 0.97.8
> Scanned directories: 0
> Scanned files: 2
> Infected files: 2
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 6.412 sec (0 m 6 s)
> banana:/tmp # md5sum ~/VIRUSES/Eicar-Test-Signatur/*.rar
> c329fba5cffdabeecd80a1cbf2711300  /root/VIRUSES/Eicar-Test-Signatur/eicar.com.rar
> 4e34932863cc0f7f39ffd5cdce13a0f3  /root/VIRUSES/Eicar-Test-Signatur/eicar.com-with-newline.rar
>
> Did something change when building the 0.97.8 package or am I the only one
> with this problem and could it be a problem on my system?

Do you have libclamunrar installed?

Scott K
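
Added example (not part of the original messages and not ClamAV code): the post-update check described in the quoted message, automated in Python. It parses clamscan's per-file result lines and reports every known test archive that comes back OK or is missing from the output; the function names and the EXPECTED manifest are assumptions of this example.

```python
import re

# One per-file result line from clamscan: "<path>: OK" or "<path>: <signature> FOUND".
# Summary lines such as "Known viruses: 2311231" do not match and are ignored.
RESULT = re.compile(r"^(?P<path>.+): (?:(?P<sig>\S+) FOUND|OK)$")

def parse_results(output):
    """Map each scanned path to its signature name, or None when reported OK."""
    results = {}
    for line in output.splitlines():
        m = RESULT.match(line.strip())
        if m:
            results[m.group("path")] = m.group("sig")
    return results

def missed_detections(output, expected):
    """Return (path, reason) for every expected detection the scan did not make.

    expected maps a test file path to the signature name it must trigger.
    """
    results = parse_results(output)
    misses = []
    for path, want in sorted(expected.items()):
        if path not in results:
            misses.append((path, "not scanned"))
        elif results[path] is None:
            misses.append((path, "reported OK"))
        elif results[path] != want:
            misses.append((path, "unexpected signature " + results[path]))
    return misses

# Constructed sample: the per-file lines of the two transcripts above, unwrapped.
D = "/root/VIRUSES/Eicar-Test-Signatur/"
EXPECTED = {D + "eicar.com.rar": "Eicar-Test-Signature",
            D + "eicar.com-with-newline.rar": "Eicar-Test-Signature"}
WEBANDMAIL = D + "eicar.com.rar: OK\n" + D + "eicar.com-with-newline.rar: OK\n"
BANANA = (D + "eicar.com-with-newline.rar: Eicar-Test-Signature FOUND\n"
          + D + "eicar.com.rar: Eicar-Test-Signature FOUND\n")

if __name__ == "__main__":
    for host, out in (("webandmail", WEBANDMAIL), ("banana", BANANA)):
        misses = missed_detections(out, EXPECTED)
        print(host, "PASS" if not misses else "FAIL %s" % misses)
```

Run after each engine or package update against a fixed set of test archives, a check like this turns a silent OK on a known-detectable file into a failure.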