clamav-users January 2014 archive
clamav-users: Re: [clamav-users] QUESTION ABOUT XZ SUPPORT IN VE


From: Steve Basford <steveb_clamav_at_nospam>
Date: Thu Jan 23 2014 - 11:14:20 GMT
To: "ClamAV users ML" <>

> I have just compiled and installed version 0.98.1 of Clam on my
> computer. According to the documentation, this version should support
> decompression and scanning of files in the Xz compression format.
> However, when I run clamscan to check an Xz file which I know contains a
> virus (the EICAR test virus) it fails to detect it. Running it with the
> debug option, I get an entry in the log saying the file was recognised
> as a binary.

Here's the Windows view... :( Eicar-Test-Signature FOUND OK

----------- SCAN SUMMARY -----------
Known viruses: 3082027
Engine version: 0.98.1
Scanned directories: 1
Scanned files: 2
Infected files: 1

LibClamAV debug: * Submodule XZ: On

LibClamAV debug: Bytecode: 42 bytecode prepared with JIT
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized binary data
LibClamAV debug: cache_check: 3904dfb8e6bda8ad4c87c6319dc5f766 is negative
LibClamAV debug: in cli_check_mydoom_log()
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: cli_magic_scandesc: returning 0 at line 2902
LibClamAV debug: cache_add: 3904dfb8e6bda8ad4c87c6319dc5f766 (level 0)
c:\07\ OK
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

----------- SCAN SUMMARY -----------
Known viruses: 3082027
Engine version: 0.98.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 14.266 sec (0 m 14 s)

test 1...

Creating an md5 of eicar.... works.... so its decompression is OK...

sigtool --md5 > testdb.hdb

clamscan --database=testdb.hdb FOUND

test 2....

clamscan --database=main.ndb OK

test 3....

grep -i "EICAR" main.ndb > test.ndb

clamscan --database=test.ndb Eicar-Test-Signature.UNOFFICIAL FOUND
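An added example (not part of the original message) that builds the fixture for "test 1" offline: it xz-compresses the standard EICAR string and emits an .hdb line in the `md5:size:name` form that `sigtool --md5` prints. The hash is of the decompressed payload, not the .xz container, so a hit on the .xz file can only come from the scanner unpacking it. The file names `eicar.xz` and `testdb.hdb` and the signature name `Eicar-Test.Local` are assumptions chosen for illustration.

```python
import hashlib
import lzma

# 6-byte magic that opens every .xz stream
XZ_MAGIC = bytes.fromhex("fd377a585a00")

# Standard 68-byte EICAR test string, assembled from parts so this
# source file itself is not flagged by a scanner.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"
         + "$H+H*").encode("ascii")


def is_xz(data: bytes) -> bool:
    """True if the buffer starts with the .xz stream header magic."""
    return data[:6] == XZ_MAGIC


def hdb_line(payload: bytes, name: str) -> str:
    """Hash signature line: md5 of the payload, its size, and a name."""
    return f"{hashlib.md5(payload).hexdigest()}:{len(payload)}:{name}"


def build_fixture(name: str = "Eicar-Test.Local"):
    """Return (xz container bytes, .hdb line for the *inner* payload)."""
    container = lzma.compress(EICAR, format=lzma.FORMAT_XZ)
    return container, hdb_line(EICAR, name)


if __name__ == "__main__":
    container, sig = build_fixture()
    with open("eicar.xz", "wb") as fh:        # assumed file name
        fh.write(container)
    with open("testdb.hdb", "w") as fh:       # assumed file name
        fh.write(sig + "\n")
    # The container's own hash differs from the signature's hash, so a
    # FOUND result requires the scanner to have decompressed the stream.
    print("container md5:", hashlib.md5(container).hexdigest())
    print("signature    :", sig)
    print("run: clamscan --database=testdb.hdb eicar.xz")
```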



