ClamAV – Manually Scanning for viruses

Background

Manually scanning for viruses.

Outline

  1. Viruses
    • Identify Virus Sources
    • Identify Virus Definitions
  2. Avail Viruses
    • Download Viruses
  3. Scan For Viruses
    • Tools
      • clamscan
      • clamdscan

Tasks

Viruses

Identify Virus Sources

Here are some websites that provide virus test files we can use for our test.

Entity                   Website
GEOTEK – DATENTECHNIK    https://ipinfo.info/html/testvirus.php

Identify Virus Definitions

Here are the test virus (EICAR) files offered.

GEOTEK – DATENTECHNIK

File                                         File Name
EICAR Testvirus (DOS/Windows executable)     eicar.com
EICAR Testvirus (ZIP – packed)               eicar.zip
EICAR Testvirus (ZIP – double packed)        eicar2.zip
EICAR Testvirus (ZIP – triple packed)        eicar3.zip
EICAR Testvirus (ZIP – quadruple packed)     eicar4.zip
EICAR Testvirus (tar – packed)               eicar.tar
EICAR Testvirus (gz – packed)                eicar.com.gz
EICAR Testvirus (MS-cabinet – packed)        eicar.cab

Explanation

  1. The files on offer differ in how they are packaged:
    • Depth of packing: plain, packed, double, triple and quadruple packed, which exercises the scanner's ability to look inside nested archives.
    • Container format: com (a plain executable), zip, tar, gz and cab.

Avail Viruses

Use any convenient OS tool to obtain the sample virus files.

OS – Linux

On Linux, use a web browser or a command-line tool such as wget.

Tools

wget
Syntax

wget -O [filename] [URL]

Sample

wget -O /tmp/personal/eicar.cab https://meineipadresse.de/testvirus/eicar.cab

Output – Text
>wget -O /tmp/personal/eicar.cab https://meineipadresse.de/testvirus/eicar.cab
--2020-11-21 21:39:27-- https://meineipadresse.de/testvirus/eicar.cab
Resolving meineipadresse.de (meineipadresse.de)... 159.69.68.106
Connecting to meineipadresse.de (meineipadresse.de)|159.69.68.106|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 150 [application/x-cab]
Saving to: ‘/tmp/personal/eicar.cab’

/tmp/personal/eicar.cab 100%[===========================================>] 150 --.-KB/s in 0s

2020-11-21 21:39:28 (255 MB/s) - ‘/tmp/personal/eicar.cab’ saved [150/150]


Scan Viruses

Use a convenient OS tool to scan the downloaded sample files.

Tools

clamscan

Outline
  1. Command-line tool.
  2. Able to check files and folders for viruses.
  3. It is standalone: it loads the signature database itself every time it runs, which is why its scan takes seconds where clamdscan takes milliseconds (compare the Time lines in the two scan summaries below).
Options
  1. Basic
  2. Quiet
    • Options
      • --quiet (print only error messages)
      • --bell (sound the terminal bell when a virus is found)
Basic
Syntax

clamscan [folder]

Sample

clamscan /tmp/personal
Output – Text

>clamscan /tmp/personal
/tmp/personal/eicar_com.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/Gen:Variant.Johnnie.97338.zip: OK
/tmp/personal/eicar.tar: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.com.gz: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.cab: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 9128582
Engine version: 0.102.4
Scanned directories: 1
Scanned files: 5
Infected files: 4
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 1.00:1)
Time: 19.591 sec (0 m 19 s)
>

Quiet
Syntax

clamscan --quiet --bell [folder]

Sample

clamscan --quiet --bell /tmp/personal

Output – Text

(Nothing is printed: --quiet suppresses the per-file lines and the scan summary, leaving only error messages. A detection is signalled by the bell and by the exit status, which is 1 when an infected file was found, 0 when none was, and 2 on error.)


clamdscan

Outline
  1. Command-line tool.
  2. Able to check files and folders for viruses.
  3. It relies on and needs the clamd daemon, which keeps the signature database loaded.
Options
  1. Basic
  2. Quiet
    • Options
      • --quiet (print only error messages)
Basic
Syntax

sudo clamdscan [folder]

Sample

sudo clamdscan /tmp/personal
Output – Text

>sudo clamdscan /tmp/personal
/tmp/personal/eicar_com.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.tar: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.com.gz: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.cab: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 4
Time: 0.035 sec (0 m 0 s)
>

Quiet
Syntax

clamdscan --quiet [folder]

Sample

clamdscan --quiet /tmp/personal

Output – Text

(Nothing is printed: as with clamscan, --quiet leaves only error messages, so rely on the exit status: 0 clean, 1 infected, 2 error.)

TroubleShooting

If the clamd daemon is not running or not accessible, clamdscan exits with status 2 and prints an error message such as:

  1. ERROR: Could not connect to clamd on LocalSocket /run/clamd.scan/clamd.sock: No such file or directory

Textual

ERROR: Could not connect to clamd on LocalSocket /run/clamd.scan/clamd.sock: No such file or directory

Check that the daemon is running (on Fedora/RHEL-style systems, whose packaging uses this socket path, the systemd unit is clamd@scan) and that your user is allowed to open the socket; the socket permissions are why the Basic sample above runs clamdscan under sudo.

Technical Analysis

clamscan versus clamdscan

  1. clamscan
    • clamscan is a standalone application.  On every launch it loads the engine and the virus database into memory afresh, then checks the files against the signatures; that start-up cost accounts for most of the 19 seconds in the scan summary above.
  2. clamdscan
    • clamdscan is a thin client that uses IPC (the local socket) to talk to the separately running clamd daemon.  It hands each file to the daemon, waits for the daemon to finish its check, receives the verdict and prints it; because the daemon already has the database loaded, the same scan completes in milliseconds.
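
The script below is an added illustration, not code from this post or from the ClamAV project. It ties the clamscan and clamdscan sections together with the troubleshooting note: it picks clamdscan when the clamd socket exists (defaulting to the /run/clamd.scan/clamd.sock path from the Troubleshooting section, overridable through CLAMD_SOCKET), falls back to clamscan otherwise, turns the exit status into a word (ClamAV documents 0 as clean, 1 as infected, 2 as error), and parses a scan report into the list of files marked FOUND, cross-checking that count against the report's own summary. The function names and the wrapper logic are my own; the embedded sample report is copied from the clamscan output shown above so the parsing can be exercised on a machine without ClamAV.

```shell
#!/bin/sh
# Added example, not from the original post or the ClamAV project.
# Wrapper around the manual scan workflow: choose clamdscan when the daemon
# socket exists, otherwise clamscan; parse the report; explain the exit code.

# Default socket path taken from the Troubleshooting section of the post.
CLAMD_SOCKET="${CLAMD_SOCKET:-/run/clamd.scan/clamd.sock}"

# Constructed input: the clamscan report shown earlier in the post, embedded
# here so the parsing functions can be tried without a ClamAV install.
SAMPLE_REPORT='/tmp/personal/eicar_com.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/Gen:Variant.Johnnie.97338.zip: OK
/tmp/personal/eicar.tar: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.com.gz: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/tmp/personal/eicar.cab: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 4
Time: 19.591 sec (0 m 19 s)'

# Print "clamdscan" if the clamd socket exists and the client is installed
# (the daemon keeps the signatures loaded, so scans take milliseconds),
# otherwise "clamscan", which loads the database itself on every run.
choose_scanner() {
    sock="${1:-$CLAMD_SOCKET}"
    if [ -S "$sock" ] && command -v clamdscan >/dev/null 2>&1; then
        echo clamdscan
    else
        echo clamscan
    fi
}

# clamscan and clamdscan share one exit-status convention:
# 0 = nothing found, 1 = infected file(s) found, 2 = an error occurred.
describe_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Read a report on stdin; print only the paths flagged FOUND, one per line.
# The trailing ": <signature> FOUND" is stripped only when the signature part
# holds no colon, so a path containing a colon is never cut in the wrong place
# (if a signature ever contained one, the line would print unchanged).
infected_paths() {
    grep ' FOUND$' | sed 's/: [^:]* FOUND$//'
}

# Count FOUND lines; grep -c prints 0 (and exits 1) when there are none.
count_infected() {
    grep -c ' FOUND$' || true
}

# Pull one value out of the SCAN SUMMARY block, e.g. summary_field 'Infected files'.
summary_field() {
    grep "^$1: " | sed "s/^$1: //"
}

# Scan a directory with whichever tool is available and print a short verdict.
# Parsed FOUND lines are cross-checked against the summary's own count, which
# catches a truncated report (with --quiet neither would be printed at all,
# so the exit status is the only signal there).
scan_dir() {
    dir="$1"
    tool=$(choose_scanner)
    report=$("$tool" "$dir" 2>&1)
    status=$?
    echo "scanner : $tool"
    echo "verdict : $(describe_exit "$status") (exit $status)"
    found=$(printf '%s\n' "$report" | count_infected)
    claimed=$(printf '%s\n' "$report" | summary_field 'Infected files')
    if [ -n "$claimed" ] && [ "$found" != "$claimed" ]; then
        echo "warning: $found FOUND lines parsed but summary reports $claimed"
    fi
    printf '%s\n' "$report" | infected_paths
    return "$status"
}

# Usage: sh scan.sh /tmp/personal   (with no argument nothing is scanned)
if [ $# -gt 0 ]; then
    scan_dir "$1"
fi
```

Run it as sh scan.sh /tmp/personal after downloading the EICAR samples; when the daemon socket is absent it silently uses clamscan, and a non-zero verdict plus the printed paths is what a cron job or monitoring check would act on.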

 

Summary

Please install an antivirus (AV) tool.

Occasionally revisit your system and ensure its AV subsystem is functional, for example by scanning a known test file such as EICAR as done above.
