[Avcheck] avcheck 0.5 and eicar.(msg|txt) problem
Michael Kubecka
mkubecka@swansystems.com
Tue, 30 Oct 2001 11:21:43 -0800
(I chose to install avcheck in /var/chroot/avp instead of
/var/spool/avp, so my path is different from the suggested path in the
avcheck instructions.)
avpcheck correctly discovers the EICAR test virus in eicar.txt; however,
it _doesn't_ discover it in eicar.msg:
>>
# /var/chroot/avp/avpcheck -n -f root -d /var/chroot/avp/./tst -s avp:/var/chroot/avp/ctl/AvpCtl root < eicar.txt
/var/chroot/avp/./tst/80256.tmp (from root, to root) is infected:
infected: EICAR-Test-File
<<
And it discovers the virus here:
>>
# /var/chroot/avp/uchroot -u avclient / /var/chroot/avp/avpcheck -n -f root -d /var/chroot/avp/./tst -s avp:/var/chroot/avp/ctl/AvpCtl -i /var/chroot/avp/infected.ex2.en root < /var/chroot/avp/eicar.txt
<<
(I get an e-mail letting me know the virus was found).
But scanning the eicar.msg reveals no infection...
>>
# /var/chroot/avp/avpcheck -n -f root -d /var/chroot/avp/./tst -s avp:/var/chroot/avp/ctl/AvpCtl root < eicar.msg
#
<<
I don't get an e-mail about eicar.msg here, either:
>>
# /var/chroot/avp/uchroot -u avclient / /var/chroot/avp/avpcheck -n -f root -d /var/chroot/avp/./tst -s avp:/var/chroot/avp/ctl/AvpCtl -i /var/chroot/avp/infected.ex2.en root < /var/chroot/avp/eicar.msg
<<
The eicar.msg seems fine; the attachment is given an octet-stream
instead of text:
--eicar-boundary
Content-Type: application/octet-stream; name="eicar.com"
Content-Disposition: attachtment; filename="eicar.com"
Content-Description: EICAR test file
Content-Transfer-Encoding: 7bit
[snip]
--eicar-boundary--
Does anybody have any suggestions as to what I should check to find out
why eicar.msg gives a false negative?
Please reply directly to me since I am not yet on the avcheck list.
Thanks!
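
One way to check what a scanner that unpacks MIME would be handed from a message like eicar.msg, as an added example that is not part of the original post and not avcheck code. The sample message is constructed: its part headers are copied from the excerpt above, while the outer headers, the payload placeholder and the names describe_parts and SAMPLE_MSG are assumptions.

```python
import email

# Constructed sample: the part headers are copied from the post's excerpt; the
# outer headers and the payload are placeholders (the post snips the real body).
SAMPLE_MSG = """\
From: root
To: root
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="eicar-boundary"

--eicar-boundary
Content-Type: application/octet-stream; name="eicar.com"
Content-Disposition: attachtment; filename="eicar.com"
Content-Description: EICAR test file
Content-Transfer-Encoding: 7bit

PLACEHOLDER-PAYLOAD
--eicar-boundary--
"""

KNOWN_DISPOSITIONS = {"inline", "attachment"}  # values defined by RFC 2183


def describe_parts(raw_text):
    """Return one dict per leaf MIME part, with the decoded payload bytes."""
    msg = email.message_from_string(raw_text)
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        disp = part.get("Content-Disposition")
        token = disp.split(";")[0].strip().lower() if disp else None
        report.append({
            "content_type": part.get_content_type(),
            "disposition": token,
            "disposition_known": token is None or token in KNOWN_DISPOSITIONS,
            "filename": part.get_filename(),
            "encoding": part.get("Content-Transfer-Encoding", "7bit").lower(),
            "payload": part.get_payload(decode=True) or b"",
        })
    return report


if __name__ == "__main__":
    for p in describe_parts(SAMPLE_MSG):
        print(p["content_type"], p["disposition"], p["disposition_known"],
              p["filename"], p["encoding"], len(p["payload"]), "bytes")
```

Writing each returned payload to its own file and scanning that file directly shows whether a miss happens while unpacking the message or in the scan itself.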