Paul, I know what you mean. We had encountered this type of behavior when we were adding the byte-compare signature feature and we initially put in a change (specific to byte-compare) to prevent the 2nd scan from occurring. We ended up reverting that change when we realized that we really needed to scan both the raw and parsed data (https://github.com/Cisco-Talos/clamav-devel/commit/fa3f8914a6963700bfc070becb5d18c4bd63e9e6).

If you put in a bug on Bugzilla and attach the file, I'll step through it in a debugger to see if it's doing what I think it's doing.

Regards,
-Micah

On 2/14/19, 3:32 PM, "clamav-users on behalf of Paul" <[email protected] on behalf of [email protected]> wrote:

Hi Micah

I can code to handle this but basing handling code on "appears to behaviour" is far from an ideal start.

The multiple matches on test/clam.mail from the clamav 101.1 sources with Clamav.Test.File-6 reported twice sure looks like a bug to me.

Regards

Paul

On 14/02/2019 19:46, Micah Snyder (micasnyd) wrote:
> Paul,
>
> You may be seeing cases where a signature match of the raw file also matches the file after it has been:
> * normalized (for html or other text files)
> * extracted (eg uncompressed archives or archives where compression has little effect)
> * or otherwise parsed (eg where a signature written to match on a subcomponent/buffer in the file and the signature also matches on the whole file because it is very lenient about the offset).
>
> Is there a particular problem with seeing duplicate matches on a file?
>
> -Micah
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
> On 2/14/19, 2:09 PM, "clamav-users on behalf of Kris Deugau" <[email protected] on behalf of [email protected]> wrote:
>
> Paul wrote:
> > Hi
> >
> > I have been looking at using the -z option on either clamdscan or
> > clamscan and stumbled onto some odd behavior.
> >
> > This is with version 101.1. 101.0 also behaves the same.
> >
> > Take 2 paultest-010E110713-000 is constructed from test/clam.mail with
> > the addition of a line of text to the text/plain part of clam.mail which
> > triggers SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
> >
> > paule@larch:~# clamscan -z /var/lib/quarantine/paultest-010E110713-000
> > /var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
> > /var/lib/quarantine/paultest-010E110713-000:
> > SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
> > /var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
> > /var/lib/quarantine/paultest-010E110713-000:
> > SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
> >
> > Anyway to prevent the duplicate signature hits being displayed.
>
> -z, --allmatch
> After a match, continue scanning within the file for
> additional matches.
>
> .... don't use -z? There's no way I know of to specify which signature
> takes precedence during a single scan, so if you're continuing after
> you've found a match, I would call it reasonable that you also want to
> know all of the signatures that matched. If you only want to report one
> signature, then continuing to scan the file seems to be a waste.
>
> If you want to separately report hits from subsets of signatures, you'll
> probably need to store them in different directories, and use the -d option:
>
> -d FILE/DIR, --database=FILE/DIR
> Load virus database from FILE or load all virus database
> files from DIR.
>
> to run multiple, independent scans with each subset of signatures. This
> way you can pick which set to check in which order, and skip further
> processing as desired based on the results.
>
> -kgd
> _______________________________________________
> clamav-users mailing list
> [email protected]
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
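Paul's remaining option, pending the debugger session, is to post-process the `-z` output himself. The following is an added example written for this page, not ClamAV code and not something anyone on the thread posted: it reads the `path: Signature FOUND` lines that clamscan/clamdscan print, collapses repeated (path, signature) pairs while preserving first-seen order, and ignores everything else (summary block, OK lines). The sample input is the output Paul pasted above, re-joined where his mail client wrapped it, with a short summary block that is constructed for the example; the function names are this example's own.

```python
"""Collapse duplicate --allmatch (-z) hits in clamscan/clamdscan output.

Added example, not part of ClamAV. Feed it the scanner's stdout:
    clamscan -z /path/to/file | python3 dedupe_hits.py
"""
import sys

# Constructed sample: the hits Paul posted (wrapped lines re-joined) plus a
# minimal summary block of the kind clamscan prints after the per-file lines.
SAMPLE_OUTPUT = """\
/var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
/var/lib/quarantine/paultest-010E110713-000: SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND
/var/lib/quarantine/paultest-010E110713-000: Clamav.Test.File-6 FOUND
/var/lib/quarantine/paultest-010E110713-000: SecuriteInfo.com.Spam-48198.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
"""

FOUND_SUFFIX = " FOUND"


def parse_hits(output):
    """Yield (path, signature) for every 'path: Signature FOUND' line.

    Lines without the FOUND suffix (OK lines, the summary block, blanks)
    are skipped. A scanned path may itself contain ': ', but a signature
    name never does, so the split is on the LAST ': ' in the line.
    """
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line.endswith(FOUND_SUFFIX):
            continue
        body = line[: -len(FOUND_SUFFIX)]
        path, sep, signature = body.rpartition(": ")
        if not sep or not path or not signature:
            continue  # malformed line; leave it out rather than guess
        yield path, signature


def dedupe_hits(output):
    """Return {path: [signatures in first-seen order, each listed once]}."""
    hits_by_path = {}
    for path, signature in parse_hits(output):
        sigs = hits_by_path.setdefault(path, [])
        if signature not in sigs:
            sigs.append(signature)
    return hits_by_path


def count_duplicates(output):
    """Number of FOUND lines that repeat an earlier (path, signature) pair."""
    hits = list(parse_hits(output))
    return len(hits) - len(set(hits))


def format_hits(hits_by_path):
    """Re-emit the de-duplicated hits in clamscan's own one-line format."""
    return [f"{path}: {sig}{FOUND_SUFFIX}"
            for path, sigs in hits_by_path.items() for sig in sigs]


if __name__ == "__main__":
    data = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for line in format_hits(dedupe_hits(data)):
        print(line)
```

Run on Paul's output this prints two lines instead of four. Note that the scanner's exit status still reflects the original detection, so a wrapper that relies on `$?` loses nothing by filtering stdout this way; what it does lose is the information Micah describes (a raw-file hit versus a hit on the normalized or extracted content), which only the unfiltered `-z` output carries.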
