
I have a sample virus file that can be detected by ClamAV on VirusTotal: https://www.virustotal.com/gui/file/6e945381416bac2657acaeccabc8daf04df0c2285ca36333419484ee2120dda4

VirusTotal ClamAV detects that the file is infected with signature: Doc.Downloader.Pwshell-10001336-0

But when I use my local ClamAV (on Ubuntu), it cannot detect the virus file:

abc@VNLT:~$ clamscan test_macro.doc
Loading:    19s, ETA:   0s [========================>]   10.77M/10.77M sigs
Compiling:   5s, ETA:   0s [========================>]       41/41 tasks

/home/abc/test_macro.doc: OK

----------- SCAN SUMMARY -----------
Known viruses: 8706304
Engine version: 1.4.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.09 MB
Data read: 0.04 MB (ratio 2.40:1)
Time: 13.148 sec (0 m 13 s)
Start Date: 2025:04:15 10:00:33
End Date:   2025:04:15 10:00:46

I am already using the latest ClamAV version and CVD database:

abc@VNLT:~$ clamscan --version
ClamAV 1.4.2/27608/Mon Apr 14 15:34:28 2025

I unpacked the CVD file using sigtool and see that the signature exists in our local database:

abc@VNLT:/usr/local/share/clamav$ grep "Doc.Downloader.Pwshell-10001336-0" ./*
grep: ./daily.cld: binary file matches
./daily.ldb:Doc.Downloader.Pwshell-10001336-0;Engine:151-255,Container:CL_TYPE_MSOLE2,Target:0;0&1&2&3&4&5;2323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323;4e65774d6163726f73;50726f6365647572616c;52454d2050524f4a45435448454c5046494c4550415448323a;52454d205642412070726f6a656374206578747261637465642066726f6d204d6963726f736f6674204f666669636520646f63756d656e74;706f7765727368656c6c

Why can't my local virus scanner detect the virus that VirusTotal can? Did I miss some configuration?

Destroy666
taichan
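The daily.ldb line quoted above is a ClamAV logical signature: a name, a target description block (Engine:151-255 requires functionality level 151 or higher, Container:CL_TYPE_MSOLE2 restricts the signature to data found inside an OLE2 container, Target:0 means any file type), a logical expression over the numbered subsignatures, and the hex-encoded subsignatures themselves. The script below is an added example, not part of the original post and not ClamAV code: it decodes that line into readable strings and evaluates the expression against two constructed stand-ins for the VBA text ClamAV extracts from a .doc. It does not reproduce ClamAV's OLE2/VBA extraction, so a "detected" here means only that every required string is present in the supplied text, not that clamscan would fire on the file.

```python
import re
from dataclasses import dataclass

# The logical signature line exactly as grep printed it from daily.ldb in the
# question above (one field per string literal for readability).
LDB_LINE = (
    "Doc.Downloader.Pwshell-10001336-0;"
    "Engine:151-255,Container:CL_TYPE_MSOLE2,Target:0;"
    "0&1&2&3&4&5;"
    "2323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323;"
    "4e65774d6163726f73;"
    "50726f6365647572616c;"
    "52454d2050524f4a45435448454c5046494c4550415448323a;"
    "52454d205642412070726f6a656374206578747261637465642066726f6d204d6963726f736f6674204f666669636520646f63756d656e74;"
    "706f7765727368656c6c"
)


@dataclass
class LogicalSig:
    name: str
    tdb: dict          # target description block, e.g. {"Target": "0"}
    expression: str    # logical expression over subsignature indices
    subsigs: list      # decoded subsignature byte patterns


def parse_ldb(line: str) -> LogicalSig:
    """Split one daily.ldb line: Name;TDB;LogicalExpression;Subsig0;Subsig1;...

    Only plain hex subsignatures are accepted. ClamAV also allows wildcards
    (??, *, {n-m}) and anchors; this toy parser rejects those explicitly.
    """
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("not a logical signature line")
    tdb = {}
    for item in fields[1].split(","):
        key, _, value = item.partition(":")
        tdb[key] = value
    subsigs = []
    for hexpat in fields[3:]:
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hexpat):
            raise ValueError(f"unsupported subsignature syntax: {hexpat!r}")
        subsigs.append(bytes.fromhex(hexpat))
    return LogicalSig(fields[0], tdb, fields[2], subsigs)


def evaluate(expression: str, hits: list) -> bool:
    """Evaluate an expression such as '0&1&2' or '(0|1)&2' over per-subsig hits.

    Supports indices, &, | and parentheses, with & binding tighter than |
    (an assumption for unparenthesised mixes). ClamAV's match-count forms
    such as '0>3' are rejected rather than silently misread.
    """
    tokens = re.findall(r"\d+|[&|()]", expression)
    if "".join(tokens) != expression:
        raise ValueError(f"unsupported syntax in expression {expression!r}")
    pos = 0

    def atom() -> bool:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = or_expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing closing parenthesis")
            pos += 1
            return value
        if tok.isdigit():
            return hits[int(tok)]
        raise ValueError(f"unexpected token {tok!r}")

    def and_expr() -> bool:
        nonlocal pos
        value = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            rhs = atom()          # always consume the operand, no short-circuit
            value = value and rhs
        return value

    def or_expr() -> bool:
        nonlocal pos
        value = and_expr()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            rhs = and_expr()
            value = value or rhs
        return value

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return result


def scan(sig: LogicalSig, data: bytes) -> dict:
    """Substring-check every subsignature, then apply the logical expression.

    `data` stands for the VBA text ClamAV would extract from the OLE2
    container (Container:CL_TYPE_MSOLE2), not the raw .doc bytes.
    """
    hits = [pat in data for pat in sig.subsigs]
    return {"name": sig.name, "hits": hits, "detected": evaluate(sig.expression, hits)}


# Constructed stand-ins for extracted VBA text, written for this example;
# they are not real malware and do not reproduce ClamAV's dump format exactly.
VBA_DUMP_HIT = b"".join([
    b"REM VBA project extracted from Microsoft Office document\n",
    b"REM PROJECTHELPFILEPATH2:\n",
    b"REM " + b"#" * 60 + b"\n",
    b"REM Module NewMacros (Procedural)\n",
    b'Sub AutoOpen()\n    Shell "powershell -w hidden -enc AAAA", vbHide\nEnd Sub\n',
])
VBA_DUMP_MISS = VBA_DUMP_HIT.replace(b"powershell", b"notepad")

if __name__ == "__main__":
    sig = parse_ldb(LDB_LINE)
    print(sig.name, sig.tdb, sig.expression)
    for i, pat in enumerate(sig.subsigs):
        print(f"  subsig {i}: {pat.decode('ascii')!r}")
    for label, data in (("with powershell", VBA_DUMP_HIT), ("without", VBA_DUMP_MISS)):
        print(label, scan(sig, data))
```

Decoding the subsignatures shows what the detection actually keys on: a run of '#' characters, the module name NewMacros, the word Procedural, the two REM header lines ClamAV writes when it dumps a VBA project, and the string powershell, all of which must be present (0&1&2&3&4&5). Because the container condition ties the signature to ClamAV's own OLE2 parsing, a file whose VBA streams are not extracted on the local build will never reach this expression even though the line is present in daily.ldb.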

1 Answer


You probably want to use freshclam to update their signature database. It's their recommended way of staying up-to-date. Make sure it reports that status after you use it.


It could also be caused by the fact that VirusTotal doesn't use the most up-to-date versions of antiviruses - so the other way round from what you thought.

This can be checked by scanning versions through their API or just opening the request they're making when you're scanning a file through their website in dev tools -> Network tab. The request is made to the following URL: https://www.virustotal.com/ui/files/[file_hash]

It contains scan results and versions of each antivirus:

    "ClamAV": {
      "method": "blacklist",
      "engine_name": "ClamAV",
      "engine_version": "1.3.1.0",
      "engine_update": "20240705",
      "category": "confirmed-timeout",
      "result": null
    },

As you can see, they are a few versions behind, which might be the reason for the difference. I doubt it, as the tools themselves usually don't have nearly as big an influence as the virus definitions, but it's worth trying to downgrade.

The documentation of VirusTotal responses doesn't say if the update date is for only the software or also the definitions, but surely they update those far more often; I can't find how often, though.

Destroy666
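To make the check described in the answer repeatable, here is an added example (not written by the answer's author and not VirusTotal or ClamAV code). It reads a saved copy of the JSON returned for https://www.virustotal.com/ui/files/[file_hash], pulls ClamAV's engine version, update date and scan category, and compares the engine version with the first line of the local clamscan --version output quoted in the question. The nesting data.attributes.last_analysis_results follows VirusTotal's v3 file object and is assumed to hold for the UI endpoint as well; the report embedded below is constructed, with the ClamAV entry copied from the answer and a second engine invented for contrast. One detail in that entry is easy to miss: its category is confirmed-timeout with a null result, which the script reports as "no verdict" rather than "not detected".

```python
import json
import re

# Constructed sample report (layout assumed from VirusTotal's v3 file object).
# The ClamAV entry copies the values quoted in the answer; ExampleAV is invented.
SAMPLE_REPORT = json.dumps({
    "data": {"attributes": {"last_analysis_results": {
        "ClamAV": {
            "method": "blacklist", "engine_name": "ClamAV",
            "engine_version": "1.3.1.0", "engine_update": "20240705",
            "category": "confirmed-timeout", "result": None,
        },
        "ExampleAV": {
            "method": "blacklist", "engine_name": "ExampleAV",
            "engine_version": "9.9", "engine_update": "20250414",
            "category": "malicious", "result": "Trojan.Example",
        },
    }}}
})

# First line of `clamscan --version`, as shown in the question.
LOCAL_VERSION_LINE = "ClamAV 1.4.2/27608/Mon Apr 14 15:34:28 2025"

# Categories that mean the engine produced no verdict at all (assumed from
# VirusTotal's documented v3 category names); they must not be read as "clean".
NO_VERDICT = {"timeout", "confirmed-timeout", "failure", "type-unsupported"}


def parse_clamscan_version(line: str) -> dict:
    """Split 'ClamAV <engine>/<daily.cvd version>/<daily.cvd date>' into parts."""
    m = re.fullmatch(r"ClamAV (\d+(?:\.\d+)*)/(\d+)/(.+)", line.strip())
    if not m:
        raise ValueError(f"unexpected clamscan --version output: {line!r}")
    return {"engine": m.group(1), "daily_version": int(m.group(2)), "daily_date": m.group(3)}


def version_key(version: str) -> tuple:
    """Numeric tuple padded to four components so '1.4.2' == '1.4.2.0'."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def vt_engine_entry(report_json: str, engine: str = "ClamAV") -> dict:
    """Return one engine's entry from a saved VirusTotal file report."""
    results = json.loads(report_json)["data"]["attributes"]["last_analysis_results"]
    if engine not in results:
        raise KeyError(f"{engine} is not present in this report")
    return results[engine]


def compare_with_local(report_json: str, local_version_line: str) -> dict:
    """Line up VirusTotal's ClamAV metadata against the local clamscan build."""
    vt = vt_engine_entry(report_json)
    local = parse_clamscan_version(local_version_line)
    return {
        "vt_engine": vt["engine_version"],
        "vt_engine_update": vt["engine_update"],
        "vt_category": vt["category"],
        "vt_scan_completed": vt["category"] not in NO_VERDICT,
        "vt_result": vt["result"],
        "local_engine": local["engine"],
        "local_daily_version": local["daily_version"],
        "local_daily_date": local["daily_date"],
        "local_engine_newer": version_key(local["engine"]) > version_key(vt["engine_version"]),
    }


def summarize(cmp: dict) -> str:
    """Human-readable reading of compare_with_local()'s result."""
    if not cmp["vt_scan_completed"]:
        return (f"VirusTotal's ClamAV {cmp['vt_engine']} (updated {cmp['vt_engine_update']}) "
                f"produced no verdict ({cmp['vt_category']}); nothing to compare with "
                f"local ClamAV {cmp['local_engine']} / daily {cmp['local_daily_version']}.")
    age = "newer" if cmp["local_engine_newer"] else "not newer"
    return (f"VirusTotal's ClamAV {cmp['vt_engine']} says {cmp['vt_result']!r}; "
            f"local engine {cmp['local_engine']} is {age}, daily {cmp['local_daily_version']}.")


if __name__ == "__main__":
    result = compare_with_local(SAMPLE_REPORT, LOCAL_VERSION_LINE)
    print(json.dumps(result, indent=2))
    print(summarize(result))
```

To use it on a real file, save the response body of the /ui/files/[file_hash] request from the browser's Network tab to a file and pass its contents as the first argument, with the first line of your own clamscan --version as the second. Note that engine_update is the only date the report carries, so, as the answer says, it cannot tell you which daily.cvd revision VirusTotal's ClamAV loaded; the local daily version (27608 in the question) has no counterpart to compare against.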