ClamAV Fails to Detect EICAR Test File When Base32 or Base64 Encoded #1332
Comments
|
It's an interesting idea. I'm surprised any AV would do automatic base64 detection and decoding. It's not like you can run a base64 encoded EXE, or open a base64 encoded PDF. Some other program would have to decode it, first. If you were scanning HTTP GET/POST payloads, then base64 detection and decoding would enable a lot more file transfer scans. But ClamAV is not made for scanning network traffic, and you're better off using something like Snort - or else scanning files after the receiving application has written them to disk. I'll send this issue/proposal over to our threat research team to discuss. I'm curious if they'd have anything else to say about it. If someone wants to make this, we could do some testing with our extensive malware collection to if it detects anything new. 🤷 |
|
This is also the case on Linux filesystem |
|
No one uploaded to Virustotal this versions of EICAR. 21 engines detected this base64 coded text: https://www.virustotal.com/gui/file/29774cdf9bc10fada55d4578a4bf43162106c945214fc1cd3eed632b511063d5 it's so normal to antiviruses detect base64 text but when it comes to base32 it's novelty https://www.virustotal.com/gui/file/7f8c4e35374b28427d77c032f6eec0be6f0459fb8751ec11281888d175162786 |
|
I detected that some other coded text will be not detected as well - are you interested?
|
I hope it will be rust based |
|
|
it will be great if this will be a part of ClamAV - see my new issue #1354 as well |
I encountered an issue where ClamAV does not detect the EICAR test file if it is encoded using either Base32 or Base64. This could represent a potential security risk, as malware could potentially bypass detection using these common encoding schemes.
Eicar:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*Base32:
LA2U6IKQEVAECUC3GROFAWSYGU2CQUC6FE3UGQZJG56SIRKJINAVELKTKRAU4RCBKJCC2QKOKREVMSKSKVJS2VCFKNKC2RSJJRCSCJCIFNECU===Base64:
WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo=Expected Behavior
ClamAV should detect and flag the Base32 and Base64 encoded files as containing the EICAR test virus.
Observed Behavior
ClamAV does not detect the EICAR test virus in either the Base32 or Base64 encoded files. The scan completes without any alerts or detections.
Environment
ClamAV Version: 1.3.1
Test System: Windows 11 Pro
Additional Information
It's worth noting that Windows Virus and Threat Protection immediately identified and quarantined the Base64 encoded EICAR string, highlighting a potential gap in ClamAV's detection capabilities.
Please advise if more information is needed, or if there is any ongoing work to address this issue.
The text was updated successfully, but these errors were encountered: