
Mailing List Archive: ClamAV: users

Clam virus database for test purposes

 

 



wojciech.michalak at nask

Jul 2, 2012, 3:24 AM

Post #1 of 11 (1454 views)
Permalink
Clam virus database for test purposes

Hello,

I was wondering if you could release (or point me to if one exists)
a set of cvd files which would contain only the eicar test samples? When
developing software I was hoping to refrain from having to commit/host
the whole current virus database. Checkout/download becomes cumbersome
when running software deployment tests. I tried searching both the web
and the mailing list, but didn't find anything useful. I was hoping to
have a set of files that I could place in "/var/lib/clamav" which would
be sufficient for starting "/etc/init.d/clamav-daemon" and running tests
with the eicar sample.

Kind regards,
Wojciech Michalak
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


molney at sourcefire

Jul 3, 2012, 7:34 AM

Post #2 of 11 (1399 views)
Permalink
Re: Clam virus database for test purposes [In reply to]

You can create a file called test.ndb and add the following lines to it:

Eicar-Test-Signature:0:0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
Eicar-Test-Signature-1:0:*:574456504956416c51454651577a5263554670594e54516f554634704e304e444b5464394a45564a513046534c564e555155354551564a454c55464f56456c5753564a565579315552564e550a4c555a4a544555684a45677253436f3d0a

Then run clamscan against that database file:

kpyke [at] vrt-dev-0:~$ clamscan --database=./test.ndb eicar.com

eicar.com: Eicar-Test-Signature.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 2
Engine version: 0.97.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.007 sec (0 m 0 s)

Let me know if that doesn't answer your question.

Matt

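Added example, not part of the original thread or of ClamAV: a small Python reader for the `Name:TargetType:Offset:HexSignature` lines posted above, showing that the first line is the EICAR string pinned to offset 0 and the second is the same string base64-encoded in 76-column lines, matched at any offset. It handles only the subset of the .ndb format these two lines use (plain hex bodies, offset `*` or an absolute number); the function names and the sample inputs are constructed for illustration.

```python
import base64
from dataclasses import dataclass

# The two test.ndb lines exactly as posted in the thread.
TEST_NDB = (
    "Eicar-Test-Signature:0:0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a\n"
    "Eicar-Test-Signature-1:0:*:574456504956416c51454651577a5263554670594e54516f554634704e304e444b5464394a45564a513046534c564e555155354551564a454c55464f56456c5753564a565579315552564e550a4c555a4a544555684a45677253436f3d0a\n"
)

@dataclass
class NdbSig:
    name: str
    target: int     # 0 = any file type
    offset: str     # "*" = anywhere, decimal n = absolute byte offset
    pattern: bytes  # decoded hex body

def parse_ndb_line(line):
    """Parse Name:TargetType:Offset:HexSignature (subset: plain-hex body)."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(f"expected at least 4 fields, got {len(fields)}")
    name, target, offset, hexsig = fields[:4]
    if offset != "*" and not offset.isdigit():
        raise ValueError(f"{name}: offset {offset!r} not handled here")
    try:
        pattern = bytes.fromhex(hexsig)  # wildcards such as ?? are rejected
    except ValueError:
        raise ValueError(f"{name}: body is not plain hex") from None
    return NdbSig(name, int(target), offset, pattern)

def matches(sig, data):
    if sig.offset == "*":
        return sig.pattern in data
    start = int(sig.offset)
    return data[start:start + len(sig.pattern)] == sig.pattern

def scan(db_text, data):
    """Names of all signatures in db_text that match data."""
    sigs = [parse_ndb_line(l) for l in db_text.splitlines() if l.strip()]
    return [s.name for s in sigs if matches(s, data)]

def demo():
    raw_sig, b64_sig = (parse_ndb_line(l) for l in TEST_NDB.splitlines())
    eicar = raw_sig.pattern              # the test string, taken from line 1
    wrapped = base64.encodebytes(eicar)  # base64 in 76-column lines
    mail = b"Content-Transfer-Encoding: base64\n\n" + wrapped  # constructed
    return {
        "raw": scan(TEST_NDB, eicar),
        "shifted": scan(TEST_NDB, b"\n" + eicar),
        "mail": scan(TEST_NDB, mail),
        "line2_is_base64_of_line1": b64_sig.pattern == wrapped,
    }
```

The `shifted` case shows why a test file with a leading newline or BOM will not trigger the first signature: offset 0 is an exact anchor, while the second line matches wherever the encoded form appears.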


wojciech.michalak at nask

Jul 4, 2012, 7:12 AM

Post #3 of 11 (1410 views)
Permalink
Re: Clam virus database for test purposes [In reply to]

Thank you for your reply.

The suggested solution doesn't solve the problem as I am trying to
communicate with clamav-daemon which (as far as I can tell) checks for
the cvd databases and doesn't take a database argument. Any other
suggestions?

Kind regards,
Wojciech Michalak



steveb_clamav at sanesecurity

Jul 4, 2012, 7:30 AM

Post #4 of 11 (1399 views)
Permalink
Re: Clam virus database for test purposes [In reply to]

> Thank you for your reply.
>
> The suggested solution doesn't solve the problem as I am trying to
> communicate with clamav-daemon which (as far as I can tell) checks for
> the cvd databases and doesn't take a database argument. Any other
> suggestions?

Create the test.ndb file as shown earlier... and copy it to your database
area, e.g. /var/lib/clamav

Restart clamd

clamdscan eicar.com

Cheers,

Steve
Sanesecurity



me at junc

Jul 4, 2012, 9:50 AM

Post #5 of 11 (1399 views)
Permalink
Re: Clam virus database for test purposes [In reply to]

On 2012-07-04 16:12, Wojciech Michalak wrote:

> The suggested solution doesn't solve the problem as I am trying to
> communicate with clamav-daemon which (as far as I can tell) checks
> for
> the cvd databases and doesn't take a database argument.

clamscan --database=/path/to/test.ndb ?

test.ndb must be in the same dir as daily.cvd

then restart clamd

If you want it to be a non-unofficial database, it needs to be signed by
ClamAV; that part is where I am as well, and I would like to know how as well.





wojciech.michalak at nask

Jul 5, 2012, 3:19 AM

Post #6 of 11 (1389 views)
Permalink
Re: Clam virus database for test purposes [In reply to]

The suggested solutions still fail at the same point. If I have only a
custom database without the original ones clamd fails to start.

[FAIL] Clamav signatures not found in /var/lib/clamav ... failed!
[FAIL] Please retrieve them using freshclam ... failed!
[FAIL] Then run '/etc/init.d/clamav-daemon start' ... failed!

I want to have a working clamav-daemon without the need to download the
full database using only the custom one. That's why I need the empty (or
eicar only) clamav databases. Any suggestions on achieving this?

Thank you both for your suggestions,
Wojciech Michalak



tjudge at sourcefire

Jul 5, 2012, 8:57 AM

Post #7 of 11 (1388 views)
Permalink
Re: Clam virus database for test purposes [In reply to]


On 04/07/2012 10:30, Steve Basford wrote:
>
>> Thank you for your reply.
>>
>> The suggested solution doesn't solve the problem as I am trying
>> to communicate with clamav-daemon which (as far as I can tell)
>> checks for the cvd databases and doesn't take a database
>> argument. Any other suggestions?
>
> Create the test.ndb file as shown earlier... and copy to your
> database area, eg /var/lib/clamav

This is the correct approach, path may vary depending on the platform
being used, but should be documented in clamd.conf.

Tom



wojciech.michalak at nask

Jul 6, 2012, 3:41 AM

Post #8 of 11 (1390 views)
Permalink
Re: Clam virus database for test purposes [In reply to]

On 06.07.2012 12:00, clamav-users-request [at] lists wrote:
> This is the correct approach, path may vary depending on the platform
> being used, but should be documented in clamd.conf.
>
> Tom
If this is the correct approach then should I treat clamav-daemon
failing to start as a bug?

Reproduction steps are easy:
* remove all default clamav database files (*.cld,*.cvd) - move them for
example into a directory
* create the custom database (as described in the previously suggested
approach).
* try to start up clamav-daemon (e.g. "/etc/init.d/clamav-daemon start")

Clamav-daemon will fail to start. I want it to start with only a custom
database. If it isn't possible then please could the database maintainer
provide empty database files (daily.cld, bytecode.cld, main.cvd)?

Regards,
Wojciech Michalak



me at junc

Jul 6, 2012, 5:40 AM

Post #9 of 11 (1391 views)
Permalink
Re: Clam virus database for test purposes [In reply to]

On 2012-07-06 12:41, Wojciech Michalak wrote:

> Clamav-daemon will fail to start. I want it to start with only a
> custom
> database. If it isn't possible then please could the database
> maintainer
> provide empty database files (daily.cld, bytecode.cld,main.cvd)?

Create them yourself, and disable freshclam; not tested, but that should be it.





wojciech.michalak at nask

Jul 8, 2012, 10:45 PM

Post #10 of 11 (1355 views)
Permalink
Re: Clam virus database for test purposes [In reply to]

Hi

Sorry for double sending this to the list but ever since I switched to
digests I sometimes forget to change the subject.

> create them self, and disable freshclam, not tested but should be it

I cannot create the files myself. Sigtool for creating the cvd files
requires access to a (as far as I know) publicly unavailable signing
server. Just empty files don't work as they don't pass verification
tests that are run on startup.

Regards,
Wojciech Michalak




me at junc

Jul 9, 2012, 2:57 AM

Post #11 of 11 (1354 views)
Permalink
Re: Clam virus database for test purposes [In reply to]

On 2012-07-09 07:45, Wojciech Michalak wrote:
> server. Just empty files don't work as they don't pass verification
> tests that are run on startup.

Oops :/

cd /tmp
sigtool --unpack-current=daily
sigtool --unpack-current=main

Move what is needed into the database dir; freshclam and clamd can have 2
different database dirs, and one can script the sigtool commands into this
hole :=)

IMHO the unpacked files can be modified, as in open source.


