Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 8 subscribers
  • Views 1728 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SAV for Linux : savscan intermittently does not find virus

Thorsten Kampe

SAV: 9.15.1, Engine: 3.74.2, Data: 5.67

We're using savscan to test files for viruses or malware. For testing purposes we found a malware file which is an email (.eml) file containing a zip file which contains a Windows executable (.exe):

>>> Virus 'Mal/Generic-S' found in file 1-1i2sYO-0000Sk-6u.eml/doc8753626.r29.zip/doc8753626.exe
>>> Virus 'Mal/Generic-S' found in file 1-1i2sYO-0000Sk-6u.eml/doc8753626.r29.zip

We've scanned this file a few hundred times on the same machine about every 15 seconds. About every 4th scan, savscan says "no viruses were discovered". How is it possible that SAV generates different scan results for the same file?



This thread was automatically locked due to age.
Parents
  • 0

    Hello Thorsten Kampe,

    you scanned just this .eml? Which switches did you use?
    about every 15 seconds
    Waited for the savscan to complete and then started the next one? With repeating results, i.e. it missed on every fourth or fifth scan with three or four detections in a row between? 

    Christian

  • 0 in reply to QC

    Christian,

    We're using "-ss --stop-scan -sc -f -tnef -actmime -mime -oe -pua -suspicious -archive". The "-mime" switch is the one that actually detects the malware.

    At first we did the test manually - savscan run by a script to test the script. When we saw for the first time that the scan failed to detect the virus, we got suspicious and did some more tests. Then we automated the test and ran it in a loop: scan the file - which takes about 5 seconds - sleep ten seconds and scan again. We logged the results and calculated the ratio of failed scans which was surprisingly stable at around 25 percent.

    The pattern itself is not predictable - not three times suceeding, then one time failing. But over a few dozen times, it reaches quickly 25 percent failing.

    Thorsten

  • 0 in reply to Thorsten Kampe

    Hello Thorsten,

    I see. While Mal/Generic-S is, as the name suggests, a generic detection (that potentially triggers an additional Live Protection lookup) the results should be consistent. Perhaps has an idea what could be going on.

    Christian

Reply Children
No Data
Unfiltered HTML