> I have just compiled and installed version 0.98.1 of Clam on my
> computer. According to the documentation, this version should support
> decompression and scanning of files in the Xz compression format.
> However, when I run clamscan to check an Xz file which I know contains a
> virus (the EICAR test virus) it fails to detect it. Running it with the
> debug option, I get an entry in the log saying the file was recognised
> as a binary.

Here's the Windows view... :(

eicar.com: Eicar-Test-Signature FOUND
eicar.com.xz: OK

----------- SCAN SUMMARY -----------
Known viruses: 3082027
Engine version: 0.98.1
Scanned directories: 1
Scanned files: 2
Infected files: 1

LibClamAV debug: * Submodule XZ: On
LibClamAV debug: Bytecode: 42 bytecode prepared with JIT
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized binary data
LibClamAV debug: cache_check: 3904dfb8e6bda8ad4c87c6319dc5f766 is negative
LibClamAV debug: in cli_check_mydoom_log()
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: cli_magic_scandesc: returning 0 at line 2902
LibClamAV debug: cache_add: 3904dfb8e6bda8ad4c87c6319dc5f766 (level 0)
c:\07\eicar.com.xz: OK
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

----------- SCAN SUMMARY -----------
Known viruses: 3082027
Engine version: 0.98.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 14.266 sec (0 m 14 s)

test 1...

Creating an md5 of eicar.... works.... so its decompression is ok...

sigtool --md5 eicar.com > testdb.hdb
e7e5fa40569514ec442bbdf755d89c2f:70:eicar.com

clamscan eicar.com.xz --database=testdb.hdb
eicar.com.xz: eicar.com.UNOFFICIAL FOUND

test 2....

clamscan eicar.com.xz --database=main.ndb
eicar.com.xz: OK

test 3....

grep -i "EICAR" main.ndb > test.ndb
clamscan eicar.com.xz --database=test.ndb
eicar.com.xz: Eicar-Test-Signature.UNOFFICIAL FOUND

huh?

Cheers,

Steve
Sanesecurity
