I have a zip file (considerably large for ClamAV) that has an EICAR file in it and, for whatever reason, ClamAV is unable to detect it. When I unzip the file and pass the folder path, it is able to detect the EICAR signature. It is also able to detect EICAR signatures in small zip files consistently, but not so consistently with large files. I have also observed that ClamAV is not able to detect EICAR signatures in some files compressed with golang and java libs, but is able to detect them when they are compressed using the zip command line util.

Max file size and scan size are set to 0 to disable any limit.

Steps to reproduce: Please clone the repo here and compress using golang's archive/zip. Pass this on to ClamAV to find that the EICAR signature is not detected.

Here is what I have used to compress the file in golang.

```go
package main

import (
    "archive/zip"
    "io"
    "log"
    "os"
    "path/filepath"
)

func zipSource(source, target string) (err error) {
    // 1. Create a ZIP file and zip.Writer
    f, err := os.Create(target)
    if err != nil {
        return err
    }
    defer f.Close()

    writer := zip.NewWriter(f)
    // Close writes the central directory; report its error instead of dropping it.
    defer func() {
        if cerr := writer.Close(); err == nil {
            err = cerr
        }
    }()

    // 2. Go through all the files of the source
    return filepath.Walk(source, func(path string, info os.FileInfo, err error) error {
        if err != nil {
            return err
        }

        // 3. Create a local file header
        header, err := zip.FileInfoHeader(info)
        if err != nil {
            return err
        }

        // set compression
        header.Method = zip.Deflate

        // 4. Set relative path of a file as the header name
        header.Name, err = filepath.Rel(filepath.Dir(source), path)
        if err != nil {
            return err
        }
        if info.IsDir() {
            header.Name += "/"
        }

        // 5. Create writer for the file header and save content of the file
        headerWriter, err := writer.CreateHeader(header)
        if err != nil {
            return err
        }

        if info.IsDir() {
            return nil
        }

        f, err := os.Open(path)
        if err != nil {
            return err
        }
        defer f.Close()

        _, err = io.Copy(headerWriter, f)
        return err
    })
}

func main() {
    // Usage: go run main.go <sourceFolderLocation> <targetZipFileName>
    if len(os.Args) != 3 {
        log.Fatalf("usage: %s <sourceFolderLocation> <targetZipFileName>", os.Args[0])
    }
    if err := zipSource(os.Args[1], os.Args[2]); err != nil {
        log.Fatal(err)
    }
}
```

Any help in understanding this unpredictable behavior is highly appreciated.

  • I don't see how this is a programming question. First note that ClamAV like most tools has a size limit on what it will scan - see [ClamAV file size restrictions](https://askubuntu.com/questions/1423199/clamav-file-size-restrictions). If this is not the cause of your problem: if you can unpack eicar from your zip file with normal zip programs but ClamAV does not see the file -> file a bug with ClamAV. If you cannot unpack eicar from your file with normal zip tools -> then it might be a bug in how you create zip files, which is unrelated to eicar and ClamAV. – Steffen Ullrich Oct 06 '22 at 14:48
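The triage step the comment suggests can be done in Go before involving the scanner. The following is an added example, not code from the question or from ClamAV: it builds an archive with the same `CreateHeader` + `Deflate` calls as `zipSource`, reads it back, and reports per entry whether the content decompresses cleanly and whether general-purpose flag bit 3 (data descriptor) is set, which `archive/zip` sets for file entries written through `CreateHeader` and is one structural property to compare against an archive from the zip utility. The names `buildLikeQuestion`, `inspect` and `EntryReport`, the entry name and the payload are constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
)

type EntryReport struct {
	Name           string
	DataDescriptor bool // general-purpose flag bit 3: CRC and sizes follow the data
	ContentOK      bool // decompressed to EOF with matching size and CRC-32
}

// buildLikeQuestion writes one entry via CreateHeader + Deflate, as zipSource does.
func buildLikeQuestion(name string, payload []byte) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	hw, err := w.CreateHeader(&zip.FileHeader{Name: name, Method: zip.Deflate})
	if err == nil {
		if _, err = hw.Write(payload); err == nil {
			err = w.Close() // writes the central directory; check its error
		}
	}
	return buf.Bytes(), err
}

// inspect reopens an archive with archive/zip and reports on every entry.
func inspect(archive []byte) (out []EntryReport, err error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	for _, f := range r.File {
		rep := EntryReport{Name: f.Name, DataDescriptor: f.Flags&0x8 != 0}
		if rc, oerr := f.Open(); oerr == nil {
			_, cerr := io.Copy(io.Discard, rc) // reading to EOF runs the CRC check
			rep.ContentOK = rc.Close() == nil && cerr == nil
		}
		out = append(out, rep)
	}
	return out, nil
}

func main() {
	data, err := buildLikeQuestion("sample/test.txt", []byte("constructed stand-in payload"))
	reports, ierr := inspect(data)
	fmt.Println(reports, err, ierr)
}
```

To check a real archive, pass the bytes of the zip file to `inspect`; an error from `inspect` or `ContentOK == false` points at the archive itself rather than at the scanner.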
