Paul,

You may be seeing cases where a signature match of the raw file also matches 
the file after it has been:
* normalized (for html or other text files)
* extracted (e.g. uncompressed archives or archives where compression has little 
effect)
* or otherwise parsed (e.g. where a signature is written to match on a 
subcomponent/buffer in the file and also matches on the whole 
file because it is very lenient about the offset).

Is there a particular problem with seeing duplicate matches on a file?

-Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
 

On 2/14/19, 2:09 PM, "clamav-users on behalf of Kris Deugau" 
<[email protected] on behalf of [email protected]> wrote:

    Paul wrote:
    > Hi
    > 
    > I have been looking at using the -z option on either clamdscan or 
    > clamscan and stumbled onto some odd behavior.
    > 
    > This is with version 101.1. 101.0 also behaves the same.
    
    
    > Take 2 paultest-010E110713-000 is constructed from test/clam.mail with 
    > the addition of a line of text to the text/plain part of clam.mail which 
    > triggers SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
    > 
    > paule@larch:~# clamscan  -z /var/lib/quarantine/paultest-010E110713-000
    > /var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
    > /var/lib/quarantine/paultest-010E110713-000: 
    > SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
    > /var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
    > /var/lib/quarantine/paultest-010E110713-000: 
    > SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
    
    
    > Any way to prevent the duplicate signature hits being displayed?
    
            -z, --allmatch
                   After a match, continue scanning within the file for 
    additional matches.
    
    .... don't use -z?  There's no way I know of to specify which signature 
    takes precedence during a single scan, so if you're continuing after 
    you've found a match, I would call it reasonable that you also want to 
    know all of the signatures that matched.  If you only want to report one 
    signature, then continuing to scan the file seems to be a waste.
    
    If you want to separately report hits from subsets of signatures, you'll 
    probably need to store them in different directories, and use the -d option:
    
            -d FILE/DIR, --database=FILE/DIR
                   Load virus database from FILE or load all virus database 
    files from DIR.
    
    to run multiple, independent scans with each subset of signatures.  This 
    way you can pick which set to check in which order, and skip further 
    processing as desired based on the results.
    
    -kgd
    _______________________________________________
    clamav-users mailing list
    [email protected]
    http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
    
    
    Help us build a comprehensive ClamAV guide:
    https://github.com/vrtadmin/clamav-faq
    
    http://www.clamav.net/contact.html#ml
    

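As an added example (not from this thread and not ClamAV's own code), a small Python post-processor for `clamscan -z` output: it collapses the repeated `<path>: <signature> FOUND` lines into one per file and signature, in first-seen order, while counting how often each repeated, so the duplicates Micah describes are visible without hiding the extra signatures Kris refers to. The sample input is constructed in the shape of the output quoted above.

```python
"""Collapse duplicate FOUND lines from `clamscan -z` (--allmatch) output.

With --allmatch one signature can be reported for the raw file and again for
a normalized, extracted or otherwise parsed view of the same file, so the
same '<path>: <signature> FOUND' line repeats. Keep one line per (path,
signature) pair and count the repeats.
"""
import re

# clamscan reports a hit as "<path>: <signature> FOUND". Signature names
# contain no spaces, and the path may itself contain ": ", so match greedily
# on the path and anchor on the trailing " FOUND".
FOUND_RE = re.compile(r"^(?P<path>.*): (?P<sig>\S+) FOUND$")


def parse_found_lines(lines):
    """Return {(path, signature): hit_count} in first-seen order.

    Non-hit lines (OK lines, blank lines, the SCAN SUMMARY block) are skipped.
    """
    hits = {}
    for line in lines:
        m = FOUND_RE.match(line.rstrip("\n"))
        if not m:
            continue
        key = (m.group("path"), m.group("sig"))
        hits[key] = hits.get(key, 0) + 1
    return hits


def dedupe_report(lines):
    """Re-emit one FOUND line per (path, signature), dropping the repeats."""
    return [f"{path}: {sig} FOUND" for path, sig in parse_found_lines(lines)]


# Constructed sample modelled on the --allmatch output quoted in the thread:
# each of the two signatures is reported twice for the same file.
SAMPLE_OUTPUT = """\
/var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
/var/lib/quarantine/paultest-010E110713-000: SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
/var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
/var/lib/quarantine/paultest-010E110713-000: SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
""".splitlines()

if __name__ == "__main__":
    for (path, sig), n in parse_found_lines(SAMPLE_OUTPUT).items():
        print(f"{path}: {sig} FOUND  (reported {n}x)")
```

In practice pipe the scanner into it (`clamscan -z FILE | python3 dedupe.py`, reading `sys.stdin` instead of `SAMPLE_OUTPUT`); the count column is what tells you whether the repeats come from a second view of the same file rather than from a second signature.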