Clamav not able to detect EICAR content when prepended with a new line
Closed · 1 comment
Hi Team,
As we know, EICAR files are detected by all antivirus software and are useful for determining whether an attempt to upload arbitrary malicious content is possible.
We tested the following scenario with an EICAR file:
- The EICAR file was flagged as infected by the ClamAV scan, as expected.
- However, when a new line was prepended to the EICAR file, ClamAV did not flag it as infected.
file.zip
Shouldn't ClamAV have identified this as an EICAR file, even with the extra line, and flagged it as infected? Could you please investigate this issue and provide feedback?
EICAR file content

```
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
```

EICAR file content with newline prepended

```
add a new line
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
```
```
Config file: clamd.conf
LogTime = "yes"
LogVerbose = "yes"
ExtendedDetectionInfo = "yes"
TemporaryDirectory = "/var/tmp/clamav"
DatabaseDirectory = "/var/lib/clamav"
LocalSocket = "/var/run/clamav/clamd.socket"
LocalSocketGroup = "clamav"
LocalSocketMode = "660"
MaxConnectionQueueLength = "30"
StreamMaxLength = "524288000"
StreamMaxPort = "3320"
MaxThreads = "20"
ReadTimeout = "300"
CommandReadTimeout = "5"
ExcludePath = "^/proc/", "^/sys/", "^/dev/", "^/var/log/clamav/"
MaxDirectoryRecursion = "25"
ExitOnOOM = "yes"
Foreground = "yes"
User = "clamav"
HeuristicScanPrecedence = "yes"
MaxScanTime = "40000"
MaxScanSize = "524288000"
MaxFileSize = "524288000"
MaxRecursion = "4"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
PCREMatchLimit = "10000"
PCREMaxFileSize = "26214400"

Config file: freshclam.conf
LogFileMaxSize = "2097152"
PidFile = "/var/run/clamav/freshclam.pid"
DatabaseDirectory = "/var/lib/clamav"
Foreground = "yes"
DNSDatabaseInfo = "currentfreshclam.adobesc.com"
DatabaseMirror = "http://freshclam-ue1.adobesc.com", "http://freshclam-ew1.adobesc.com", "http://freshclam-ew1.adobesc.com", "http://freshclam-ue1.adobesc.com"
MaxAttempts = "1"
OnErrorExecute = "exit 0"
ReceiveTimeout = "120"
*** AllowSupplementaryGroups is DEPRECATED ***

clamav-milter.conf not found

Software settings
Version: 1.3.0
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR JIT

Database information
Database directory: /var/lib/clamav
daily.cld: version 27426, sigs: 2067214, built on Sun Oct 13 08:30:02 2024
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 12:32:42 2021
bytecode.cvd: version 335, sigs: 86, built on Tue Feb 27 15:37:24 2024
Total number of signatures: 8714727

Platform information
uname: Linux 6.1.96-flatcar #1 SMP PREEMPT Mon Jul 1 23:26:07 -00 2024 aarch64
OS: Linux, ARCH: aarch64, CPU: aarch64
zlib version: 1.2.11 (1.2.11), compile flags: a9
Triple: aarch64-unknown-linux-gnu
CPU: neoverse-n1, Little-endian
platform id: 0x0a01c8c8080b0400030b0400

Build information
GNU C: 11.4.0 (11.4.0)
GNU C++: 11.4.0 (11.4.0)
sizeof(void*) = 8
Engine flevel: 200, dconf: 200
```
Prepending a `\n` is not a valid way to modify EICAR and still have detection.
Please see my explanation here: #1277 (comment)
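As an added illustration (not code from the issue or from ClamAV), the script below encodes the EICAR test-file definition published by eicar.org: the 68-byte test string must be the first thing in the file, it may be followed only by whitespace, and the whole file must not exceed 128 bytes. The sample files are constructed inline to mirror the two cases in the report; the variant with a line prepended fails the rule because the string is no longer at offset 0, which is why a scanner is not expected to flag it.

```python
# Added example, not part of the issue or of ClamAV: checks byte strings against
# the published EICAR test-file rule (string at offset 0, only whitespace after
# it, total length at most 128 bytes).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
MAX_LEN = 128              # total file length permitted by the EICAR definition
TRAILING_WS = b" \t\r\n"    # the only bytes permitted after the 68-byte string


def eicar_check(data: bytes) -> str:
    """Return "ok" if data is a valid EICAR test file, otherwise a short reason."""
    if len(data) > MAX_LEN:
        return f"too long: {len(data)} bytes > {MAX_LEN}"
    if not data.startswith(EICAR):
        # Covers the reported case: the string is present but not at offset 0.
        offset = data.find(EICAR)
        if offset >= 0:
            return f"test string present but at offset {offset}, not 0"
        return "test string absent"
    trailer = data[len(EICAR):]
    if trailer.strip(TRAILING_WS):
        return "non-whitespace bytes after the test string"
    return "ok"


def is_valid_eicar(data: bytes) -> bool:
    return eicar_check(data) == "ok"


# Constructed sample files; "prepended line" is the variant from the report.
SAMPLES = {
    "plain":            EICAR,
    "trailing newline": EICAR + b"\n",
    "prepended line":   b"add a new line\n" + EICAR,
    "prepended \\n":    b"\n" + EICAR,
    "padded to 128":    EICAR + b" " * (MAX_LEN - len(EICAR)),
    "padded to 129":    EICAR + b" " * (MAX_LEN - len(EICAR) + 1),
}

if __name__ == "__main__":
    assert len(EICAR) == 68  # third character is the letter O, not zero
    for name, blob in SAMPLES.items():
        print(f"{name:18s} -> {eicar_check(blob)}")
```

Run it directly to see the verdict for each sample; only the first, second and "padded to 128" entries pass, because trailing whitespace within the 128-byte limit is the one variation the definition allows.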