gurlchecker doesn't find EICAR virus using libclamav5
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
gurlchecker (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Binary package hint: gurlchecker
Ubuntu version: Ubuntu 8.10
gurlchecker version: 0.10.2-2build1
libclamav5: 0.94.dfsg.
Install gurlchecker with apt-get, install clamav, update database with freshclam.
- start gurlchecker
- go to 'Edit / Preferences / Debug' and check the two option boxes
- go to 'Filters / Documents' and check 'Retrieve content of non HTML files'
- go to 'Security' and check 'Activate security checks', deactivate 'Files' and activate 'Virii' (libclamav), leave all boxes checked
- click Apply, then OK
- go to 'Project / New Project / Web site' (or press F1), enter the following URL: http://
- wait for the scan (if started from a terminal, one should see a lot of debug output)
The problem: it doesn't find the EICAR test virus using libclamav database. gurlchecker shows the site is OK, it doesn't mention anything about a virus being in the eicar_com.zip file for example. If one downloads the file separately and scans with clamscan, it would find the test signature, like this:
gimre@voy:~$ cd /tmp
gimre@voy:/tmp$ wget -q http://
gimre@voy:/tmp$ wget -q http://
gimre@voy:/tmp$ clamscan eicar*
eicar.com.txt: Eicar-Test-
eicar_com.zip: Eicar-Test-
----------- SCAN SUMMARY -----------
Known viruses: 505429
Engine version: 0.94.2
Scanned directories: 0
Scanned files: 2
Infected files: 2 <-- !
Data scanned: 0.00 MB
Time: 3.978 sec (0 m 3 s)
Because the gurlchecker is using the same libclamav engine, one would expect it to find the 'virus' (as do dansguardian and havp, using the same libclamav).
After further investigating, it seems gurlchecker doesn't even download the .zip file correctly in its cache (~/user/
DEBUG: (200) http://
uid: 19
link_type: 1
link_value: http://
url: http://
label: eicar_com.zip
protocol: http
h_name: www.eicar.org
port: 80
path: /download/
args:
domain:
checked: 0
to_delete: 0
metas: 0
emails: 0
childs: 0
virii: 0
w3c_valid: 1
DEBUG: [SECURITY] Scanning /home/gimre/
It does check for viruses, but it doesn't find anything because it's not downloaded entirely:
gimre@voy:~$ ls -la /home/gimre/
-rw-r--r-- 1 gimre gimre 5 2009-02-03 23:35 /home/gimre/
It's 5 bytes, instead of 184 bytes.
The .com file is downloaded correctly:
DEBUG: (200) http://
uid: 17
link_type: 1
link_value: http://
url: http://
label: eicar.com
protocol: http
h_name: www.eicar.org
port: 80
path: /download/eicar.com
args:
domain:
checked: 0
to_delete: 0
metas: 0
emails: 0
childs: 0
virii: 0
w3c_valid: 1
but it doesn't get checked, although it contains the virus too:
gimre@voy:~$ clamscan /home/gimre/
/home/gimre/
----------- SCAN SUMMARY -----------
Known viruses: 505429
Engine version: 0.94.2
Scanned directories: 0
Scanned files: 1
Infected files: 1 <-- !
Data scanned: 0.00 MB
Time: 3.965 sec (0 m 3 s)
Here's the content of the .zip cache file:
gimre@voy:~$ cat -v /home/gimre/
PK^C^D
Expected behaviour: to download the zip file, find the virus and report it.
Current behaviour: it doesn't report anything, not on the zip file, not on the .txt file or .com file.
Filed bug on upstream's site:
http://labs.libre-entreprise.org/tracker/index.php?func=detail&aid=1784&group_id=7&atid=109
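Added example, not part of the original report and not gurlchecker's code: a 5-byte cache file whose content prints as `PK^C^D` followed by a line break is what results if a cache writer treats a ZIP body as a NUL-terminated C string. That cause is an assumption the report does not confirm. The function names are hypothetical and the sample bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample, not the real eicar_com.zip: a ZIP local file header
 * starts with "PK\003\004" and a little-endian "version needed" field,
 * here 0x000a, so the sixth byte is NUL. */
static const unsigned char SAMPLE_BODY[] = {
    'P', 'K', 0x03, 0x04, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00,
    'r', 'e', 's', 't', ' ', 'o', 'f', ' ', 'a', 'r', 'c', 'h', 'i', 'v', 'e'
};
#define SAMPLE_LEN (sizeof SAMPLE_BODY)

/* Hypothetical buggy cache writer: treats the HTTP body as a C string,
 * so the copy stops at the first NUL byte. */
static size_t cache_store_as_string(unsigned char *cache, size_t cap,
                                    const unsigned char *body)
{
    size_t n = strlen((const char *)body);
    if (n > cap) n = cap;
    memcpy(cache, body, n);
    return n;
}

/* Length-aware writer: copies exactly the number of bytes received. */
static size_t cache_store_binary(unsigned char *cache, size_t cap,
                                 const unsigned char *body, size_t len)
{
    if (len > cap) return 0;          /* refuse to store a partial copy */
    memcpy(cache, body, len);
    return len;
}

/* Guard to run before handing the cache file to the scanner: a short file
 * must be reported as "not scanned", never as clean. */
static int cache_is_complete(size_t stored, size_t expected)
{
    return stored == expected;
}

int main(void)
{
    unsigned char cache[64];
    size_t a = cache_store_as_string(cache, sizeof cache, SAMPLE_BODY);
    size_t b = cache_store_binary(cache, sizeof cache, SAMPLE_BODY, SAMPLE_LEN);
    printf("string copy: %zu bytes, complete=%d\n", a, cache_is_complete(a, SAMPLE_LEN));
    printf("binary copy: %zu bytes, complete=%d\n", b, cache_is_complete(b, SAMPLE_LEN));
    return 0;
}
```

A text-only body such as eicar.com contains no NUL byte, so under the same assumption it would be cached in full.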