ClamAV -- fail!

Using a USB drive that picked up an infection from a Windows PC at school, I attempted to scan it for viruses using ClamAV. The result, though: a big, epic fail. ClamAV could not recognize the infection even when I used the latest virus definitions from the ClamAV web site. Nothing to do but shake my head and declare my disappointment; of course, since I'm new to virus detection on Linux and to ClamAV, the fault may be mine. Still....

I first attempted the scan using ClamTK, which I wrote about earlier. However, I've been having doubts about ClamTK because there's no way for me to check on the validity or currency of the virus database.

I then ran the scan using the command-line tool clamscan, with the virus definitions main.cvd (ver. 51, released 14 May 2009 10:28 -0400) and daily.cvd (ver. 9814, released 17 Sep 2009 13:17 -0400) from the ClamAV site. The command I used was:

clamscan -d CVD -r /media/disk

where CVD was the directory where I put the virus definition files. The result:

----------- SCAN SUMMARY -----------
Known viruses: 623483
Engine version: 0.95.2
Scanned directories: 8
Scanned files: 37
Infected files: 0
Data scanned: 50.70 MB
Data read: 88.91 MB (ratio 0.57:1)
Time: 9.567 sec (0 m 9 s)


So, no detection from ClamAV. However, a listing of the files on the USB disk reveals:

-rwx------ 1 dodgie root 1426205 2009-09-17 16:14 Beej's Guides.exe
-r-x------ 1 dodgie root 1426205 2009-09-17 16:14 Recycle.exe
-rwx------ 1 dodgie root 1426205 2009-09-17 16:14 Sample Programs.exe


Running a search on the file size 1426205 led me to the submitted definition on Threat Expert. Checking the md5sum of my infected files gives a match with the MD5 hashes submitted on the site. To be fair, the signature was only submitted on September 9, but on the other hand, several other AV products seem to have already detected the virus.
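As an added example that is not part of the original post: once a file has been identified by MD5 the way the author did via Threat Expert, ClamAV does not have to stay blind to it until an official signature ships. A local hash database in ClamAV's .hdb format (one line per file, `MD5:FileSize:SignatureName`) can be passed to clamscan with -d alongside the official CVDs. `sigtool --md5 FILE` prints exactly such a line; the script below builds it by hand with md5sum and wc so each field is visible, and it uses a constructed harmless text file as a stand-in for the undetected .exe. The signature name Win.Trojan.Local-1, the file names and the directory layout are my own assumptions. `sigtool --info` is also shown, since it answers the question the author raises about ClamTK: which version of a database is actually loaded and when it was built.

```shell
#!/bin/sh
# Added example, not code from the original post or from ClamAV.
# Build a local ClamAV hash signature (.hdb) for a file that the official
# databases miss, then scan a directory with it. Requires GNU coreutils
# (md5sum, wc, mktemp); clamscan and sigtool are used only if installed.

# Constructed stand-in for the undetected .exe: harmless text, not malware.
make_sample() {
    dir=$(mktemp -d)
    printf 'MZ constructed sample, not a real executable\n' > "$dir/Recycle.exe"
    printf '%s\n' "$dir"
}

# Print one .hdb line for a file:  MD5:FileSize:SignatureName
# (the same output `sigtool --md5 FILE` would give, with the name changed).
hdb_line() {
    file=$1
    name=$2
    md5=$(md5sum "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$name"
}

# Write the local database and scan a directory with it. The .hdb extension
# matters: ClamAV picks the parser from the file name. Exit status follows
# clamscan (0 clean, 1 infected file found, 2 error); if clamscan is not
# installed, the signature file is still written and the function returns 0.
scan_with_local_db() {
    target=$1
    db=$2
    hdb_line "$target/Recycle.exe" Win.Trojan.Local-1 > "$db"
    if ! command -v clamscan >/dev/null 2>&1; then
        printf 'clamscan not installed; signature written to %s\n' "$db" >&2
        return 0
    fi
    # -d may be repeated, e.g. -d CVD -d "$db", to load the official
    # definitions together with the local hash signatures.
    clamscan -d "$db" -r "$target"
}

# Show version and build time of a .cvd file, so the currency of the
# database in use can be checked instead of taken on faith.
db_info() {
    if ! command -v sigtool >/dev/null 2>&1; then
        echo 'sigtool not installed' >&2
        return 0
    fi
    sigtool --info "$1"
}

# Demonstration: build the sample, write local.hdb, scan, show the line.
demo() {
    d=$(make_sample)
    scan_with_local_db "$d" "$d/local.hdb" || :   # clamscan exits 1 on a hit
    cat "$d/local.hdb"
}
```

Run `demo` to see the generated signature line; on a system with clamscan installed the scan of the sample directory reports `Recycle.exe: Win.Trojan.Local-1 FOUND` and the summary shows one infected file. Against the real USB drive, the same approach with the MD5 and size from the listing above (1426205 bytes for each of the three .exe files) would let the existing definitions be extended locally while waiting for the submitted sample to be added upstream.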

So, nothing else to do but to submit the file to the ClamAV folks.
Let's see what happens next.