Does ClamAV just not work anymore?

I followed this guide on an Ubuntu 20.04 server: How to install and use ClamAV on Ubuntu Server 20.04 | TechRepublic

And the eicar test just completely failed.

File was not detected as infected, nothing happens.

Are there new, modern ways of doing things? Or is ClamAV just not very good?

Did you update the signature files to their latest version? Here’s the manual: click!

Literally nothing? No output, errors, logs, disk activity, syscalls?

Might want to look into GitHub - kpcyrd/libredefender: Imagine the information security compliance guideline says you need an antivirus but you run Arch Linux

1 Like

Just followed the linked instructions and yeah, a little bit off, @Vordreller

Using Debian, so might be a bit different

Instructions say:

sudo apt-get install clamav clamav-daemon mailutils -y

sudo systemctl stop clamav-freshclam

sudo freshclam

When freshclam completes, download the latest database signature file with the command:

sudo wget https://database.clamav.net/daily.cvd #### this failed for me. but it’s fine…

sudo systemctl start clamav-freshclam

The example file they suggest is bogus. It downloads the web page hosting the eicar file:

wget -P ~/ http://www.eicar.org/download/eicar.com #### This is an error on their part, I think

If you load this link in your browser instead, and right-click Download, you get a better link to download the test file. For me it was:

wget 'https://www.eicar.org/download/eicar-com/?wpdmdl=8840&refresh=659ddd6d0a5d51704844653' # quoted, or the shell treats the & as a background operator and cuts the URL short

But I don't know if there is tracking / telemetry in the link. You might get a different link.

Then the file saved will be veeeery small.
If you cat the file, it will be short.
With the example instructions, it is a whole web page, with HTML.
If you manually get the link from the page and download the tool, you literally get the following, which is what you want:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

If the file is this short, simple string, instead of a long page of code, then you have the correct test file.

Then run clamscan on it:

root@redripper:~# clamscan eticatest.exe
Loading: 11s, ETA: 0s [========================>] 8.68M/8.68M sigs
Compiling: 2s, ETA: 0s [========================>] 41/41 tasks
/root/eticatest.exe: Win.Test.EICAR_HDB-1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8682481
Engine version: 1.0.3
Scanned directories: 0
Scanned files: 1
Infected files: 1 ########## this is what you wanna see
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 14.540 sec (0 m 14 s)
Start Date: 2024:01:10 00:10:39
End Date: 2024:01:10 00:10:53
root@redripper:~# cat eticatest.exe
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

When I check the file that the instructions say to wget, I get something like this, which does not count as a virus:

root@redripper:~# tail eicar.com

-7-js-extra">var wpcf7 = {"api":{"root":"https:\/\/www.eicar.org\/wp-json\/","namespace":"contact-form-7\/v1"},"cached":"1"};</script> <script type="text/javascript" src="https://www.eicar.org/wp-includes/js/dist/vendor/wp-polyfill-inert.min.js" id="wp-polyfill-inert-js"></script> <script type="text/javascript" src="https://www.eicar.org/wp-includes/js/dist/vendor/regenerator-runtime.min.js" id="regenerator-runtime-js"><

2 Likes
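The check the post above walks through, as an added example (not code from the thread, TechRepublic or the ClamAV project), in Python: write the 68-byte EICAR string locally instead of fetching it from eicar.org, confirm the file is the test string and not a saved web page (including against its well-known SHA-256), run clamscan on it if the package from the post is installed, and read the result the way the output above is read. Every function, constant and path name here is this example's own; the sample clamscan summary is a constructed copy of the output shown in the post.

```python
"""Verify an EICAR test file is genuine and confirm that clamscan detects it.

Added example for this thread, not code from the original post or from the
ClamAV project. Assumes the clamav package from the post is installed so that
`clamscan` is on PATH; every function and constant name here is this example's own.
"""
import hashlib
import re
import shutil
import subprocess
import sys

# The 68-byte EICAR test string as printed in the post (one backslash, escaped here).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Well-known SHA-256 of the canonical 68-byte file, so a download can be checked exactly.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

# Constructed copy of the clamscan output shown in the post (trailing comment removed).
SAMPLE_CLAMSCAN_OUTPUT = """\
/root/eticatest.exe: Win.Test.EICAR_HDB-1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8682481
Engine version: 1.0.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 14.540 sec (0 m 14 s)
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes) -> str:
    """Say what a downloaded 'eicar.com' actually is: 'eicar', 'html' or 'other'.

    The EICAR spec allows trailing whitespace after the 68-byte string as long
    as the whole file stays within 128 bytes, so that is accepted too.
    """
    tail = data[len(EICAR):]
    if data.startswith(EICAR) and len(data) <= 128 and not tail.strip():
        return "eicar"
    head = data[:4096].lower()
    if b"<!doctype" in head or b"<html" in head or b"<script" in head:
        return "html"  # what the guide's wget line saves: the eicar.org page itself
    return "other"


def parse_scan_summary(output: str) -> dict:
    """Pull the detections and counters out of clamscan's text output."""
    found = re.findall(r"^(.+?): (\S+) FOUND$", output, flags=re.M)

    def counter(label: str) -> int:
        m = re.search(rf"^{re.escape(label)}:\s*(\d+)", output, flags=re.M)
        return int(m.group(1)) if m else 0

    return {
        "found": found,
        "scanned": counter("Scanned files"),
        "infected": counter("Infected files"),
    }


def run_clamscan(path: str) -> dict:
    """Run clamscan on one file and combine its exit status with the parsed summary.

    clamscan's documented exit codes: 0 = nothing found, 1 = virus(es) found,
    2 = an error occurred (for example, no signature database could be loaded).
    """
    exe = shutil.which("clamscan")
    if exe is None:
        raise FileNotFoundError("clamscan not on PATH; install the clamav package first")
    proc = subprocess.run([exe, path], capture_output=True, text=True, check=False)
    result = parse_scan_summary(proc.stdout)
    result["exit_code"] = proc.returncode
    result["detected"] = proc.returncode == 1 and result["infected"] > 0
    result["stderr"] = proc.stderr.strip()
    return result


def main(argv: list) -> int:
    if len(argv) > 1:
        path = argv[1]
    else:
        path = "eicar.com"
        with open(path, "wb") as fh:  # write the test string locally: no download needed
            fh.write(EICAR)
    with open(path, "rb") as fh:
        data = fh.read()
    kind = classify(data)
    print(f"{path}: {len(data)} bytes, looks like {kind}, sha256={sha256_hex(data)}")
    if kind != "eicar":
        print("not the EICAR test file; the scanner has nothing to find", file=sys.stderr)
        return 2
    result = run_clamscan(path)
    for scanned_path, signature in result["found"]:
        print(f"{scanned_path}: {signature}")
    print(f"exit code {result['exit_code']}, infected files: {result['infected']}")
    if result["stderr"]:
        print(result["stderr"], file=sys.stderr)
    return 0 if result["detected"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no argument to create and scan a local eicar.com, or pass the path of a file you downloaded: if it reports "looks like html", you saved the eicar.org page, which is exactly the failure the post describes, and clamscan will correctly report nothing. A "looks like eicar" file that still scans clean with exit code 0 points at the signature database (run freshclam as in the post); exit code 2 means clamscan itself hit an error, which its stderr will explain.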

Thanks, I’ll have a look at this again.

The one thing I'm missing is on-access scanning, or whatever it's called when a scan happens when you download a file or open a file.

1 Like