[Bug 325054] [NEW] gurlchecker doesn't find EICAR virus using libclamav5

Imre Gergely gimre at narancs.net
Tue Feb 3 22:03:20 UTC 2009


Public bug reported:

Binary package hint: gurlchecker

Ubuntu version: Ubuntu 8.10
gnuchecker version: 0.10.2-2build1
libclamav5: 0.94.dfsg.2-1ubuntu0.1

Install gnuchecker with apt-get, install clamav, update database with
freshclam.

- start gnuchecker
- go to 'Edit / Preferences / Debug' and check the two option boxes
- go to 'Filters / Documents' and check 'Retrieve content of non HTML files'
- go to 'Security' and check 'Activate security checks', deactivate 'Files' and activate 'Virii' (libclamav), leave all boxes checked
- click Apply, then OK
- go to 'Project / New Project / Web site' (or press F1), enter the following URL: http://www.eicar.org/anti_virus_test_file.htm, press OK
- wait for the scan (if started from a terminal, one should see a lot of debug output)

The problem: it doesn't find the EICAR test virus using libclamav
database. gurlchecker shows the site is OK, it doesn't mention anything
about a virus being in the eicar_com.zip file for example. If one
downloads the file separately and scans with clamscan, it would find
the test signature, like this:

gimre@voy:~$ cd /tmp
gimre@voy:/tmp$ wget -q http://www.eicar.org/download/eicar_com.zip
gimre@voy:/tmp$ wget -q http://www.eicar.org/download/eicar.com.txt
gimre@voy:/tmp$ clamscan eicar*
eicar.com.txt: Eicar-Test-Signature FOUND
eicar_com.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 505429
Engine version: 0.94.2
Scanned directories: 0
Scanned files: 2
Infected files: 2 <-- !
Data scanned: 0.00 MB
Time: 3.978 sec (0 m 3 s)

Because the gurlchecker is using the same libclamav engine, one would
expect it to find the 'virus' (as do dansguardian and havp, using the
same libclamav).

After further investigating, it seems gurlchecker doesn't even download
the .zip file correctly in its cache
(~/user/.gurlchecker/cache/gurlchecker_<pid>/*). Here's the debug output
from the console:

DEBUG:         (200) http://www.eicar.org/download/eicar_com.zip


        uid: 19
        current_path: /anti_virus_test_file.htm
        link_type: 1
        link_value: http://www.eicar.org/download/eicar_com.zip
        url: http://www.eicar.org/download/eicar_com.zip
        normalized_url: (null)
        label: eicar_com.zip
        protocol: http
        h_name: www.eicar.org
        port: 80
        path: /download/eicar_com.zip
        args: 
        domain: 
        header_size: 366
        depth_level: 0
        is_parsable: 0
        is_downloadable: 1
        checked: 0
        to_delete: 0
        metas: 0
        emails: 0
        childs: 0
        similar_links_parents: 0
        bad_extensions: 0
        virii: 0
        w3c_valid: 1
DEBUG: [SECURITY] Scanning /home/gimre/.gurlchecker/cache/gurlchecker_14970/19 for virii...

It does check for viruses, but it doesn't find anything because it's not
downloaded entirely:

gimre@voy:~$ ls -la /home/gimre/.gurlchecker/cache/gurlchecker_14970/19
-rw-r--r-- 1 gimre gimre 5 2009-02-03 23:35 /home/gimre/.gurlchecker/cache/gurlchecker_14970/19

It's 5 bytes, instead of 184 bytes.

The .com file is downloaded correctly:

DEBUG:         (200) http://www.eicar.org/download/eicar.com


        uid: 17
        current_path: /anti_virus_test_file.htm
        link_type: 1
        link_value: http://www.eicar.org/download/eicar.com
        url: http://www.eicar.org/download/eicar.com
        normalized_url: (null)
        label: eicar.com
        protocol: http
        h_name: www.eicar.org
        port: 80
        path: /download/eicar.com
        args: 
        domain: 
        header_size: 377
        depth_level: 0
        is_parsable: 0
        is_downloadable: 1
        checked: 0
        to_delete: 0
        metas: 0
        emails: 0
        childs: 0
        similar_links_parents: 0
        bad_extensions: 0
        virii: 0
        w3c_valid: 1

but it doesn't get checked, although it contains the virus too:

gimre@voy:~$ clamscan /home/gimre/.gurlchecker/cache/gurlchecker_14970/17
/home/gimre/.gurlchecker/cache/gurlchecker_14970/17: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 505429
Engine version: 0.94.2
Scanned directories: 0
Scanned files: 1
Infected files: 1 <-- !
Data scanned: 0.00 MB
Time: 3.965 sec (0 m 3 s)

Here's the content of the .zip cache file:

gimre@voy:~$ cat -v /home/gimre/.gurlchecker/cache/gurlchecker_14970/19
PK^C^D

Expected behaviour: to download the zip file, find the virus and report it.
Current behaviour: it doesn't report anything, not on the zip file, not on the .txt file or .com file.

** Affects: gurlchecker (Ubuntu)
     Importance: Undecided
         Status: New

-- 
gurlchecker doesn't find EICAR virus using libclamav5
https://bugs.launchpad.net/bugs/325054
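
Added example, not part of the original report and not gurlchecker's code: the 5-byte cache file shown in the report (`PK^C^D` followed by a newline) is consistent with a ZIP header cut off at its first NUL byte, which is what happens when a binary HTTP body is written through C string functions. That cause is an assumption, not a confirmed diagnosis; the sample bytes and the function names below are constructed for illustration.

```c
#include <stdio.h>

/* Constructed sample, not a valid archive: start of a ZIP local file header.
 * "PK\x03\x04" signature, then "version needed" = 10 stored as 0x0a 0x00. */
static const unsigned char BODY[] = {
    'P', 'K', 0x03, 0x04, 0x0a, 0x00, 0x00, 0x00,
    0x00, 0x00, 'e', 'i', 'c', 'a', 'r', 0x00
};

/* Assumed faulty path: the HTTP body is handled as a C string, so the
 * write stops at the first NUL byte. Returns bytes stored, -1 on error. */
long store_as_string(const unsigned char *body)
{
    FILE *f = tmpfile();
    long n;
    if (!f) return -1;
    n = (fputs((const char *)body, f) == EOF) ? -1 : ftell(f);
    fclose(f);
    return n;
}

/* Binary-safe path: write exactly len bytes, regardless of content. */
long store_as_bytes(const unsigned char *body, size_t len)
{
    FILE *f = tmpfile();
    long n;
    if (!f) return -1;
    n = (fwrite(body, 1, len, f) == len) ? ftell(f) : -1;
    fclose(f);
    return n;
}

/* Gate before scanning: a short cache file must not be reported as clean.
 * expected would come from Content-Length or the received byte count. */
int safe_to_scan(long stored, size_t expected)
{
    return stored >= 0 && (size_t)stored == expected;
}

int main(void)
{
    long s = store_as_string(BODY);
    long b = store_as_bytes(BODY, sizeof BODY);
    printf("string write: %ld bytes, scan ok: %d\n", s, safe_to_scan(s, sizeof BODY));
    printf("binary write: %ld bytes, scan ok: %d\n", b, safe_to_scan(b, sizeof BODY));
    return 0;
}
```

A plain-text file such as eicar.com contains no NUL bytes, so it would survive the string path intact, which matches the report's observation that only the .zip was truncated.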