How to test ClamAV service for potential threats


As part of an enterprise software project, our application connects to an antivirus service backed by ClamAV, using ICAP as the communication protocol. I would like to test the antivirus service's response to malicious documents but, of course, I cannot use a document which is actually infected with something malicious. I found the EICAR Anti-Malware Testfile, but it only seems to come as either a .txt or a .zip, and the system only allows upload of Word or PDF. The antivirus service only recognizes EICAR if it is sent to it "as-is", but not when embedded inside a Word or PDF.

My question is: how can I create a Word and/or PDF document that is recognized by ClamAV as a threat even though it is actually not harmful at all?


I initially suggested

Since docx is a zip, you could try renaming eicar.zip to eicar.docx. It proves only that a docx is reviewed/scanned similarly to a zip, not that the AV can detect malicious VBA macros, which would be a different payload.

However, the uploading step, involving Apache Tika file verification, blocked that simplistic approach, as the file type was not as expected.

My second suggestion was

Take a valid docx, rename it to zip, drop the eicar text into it with Explorer (or use zip add) and rename it back to docx, as that's likely to bypass Tika checking.

Apparently that worked.

Likewise, it should be possible to embed eicar.txt inside a PDF; however, detection again would not mean the AV is scanning for JavaScript exploitation, just that the plain text signature is seen in a PDF file, thus it only hints that a PDF is scanned.

This is more difficult due to PDF encoding, but with a hand-crafted text file attachment made in an editor, it may not be encoded, simply stored as plain text, which is sufficiently basic for the EICAR trigger to be seen.

It could look something like this, but cutting and pasting this binary shown as text will likely fail to be stored as eicar.pdf due to ANSI line ending encoding, so grab a binary copy from the link below.

%PDF-1.4
%µ¶

1 0 obj
<</Pages 2 0 R/Type/Catalog>>
endobj

2 0 obj
<</Count 1/Kids[3 0 R]/Type/Pages>>
endobj

3 0 obj
<</Contents 4 0 R/MediaBox[0 0 500 800]/Parent 2 0 R/Resources<</Font<</F1 5 0 R>>>>/Type/Page>>
endobj

4 0 obj
<</Length 57>>
stream
q BT /F1 24 Tf 1 0 0 1 50 720 Tm (Hello World!) Tj ET Q

endstream
endobj

5 0 obj
<</BaseFont/Courier/Subtype/Type1/Type/Font>>
endobj

xref
0 6
0000000000 65536 f 
0000000016 00000 n 
0000000062 00000 n 
0000000114 00000 n 
0000000227 00000 n 
0000000333 00000 n 

trailer
<</Size 6/Root 1 0 R/ID[<89311A609A751F1666063E6962E79BD5><FDDAE606D8247DFCBA7D13E1833DEDE3>]>>
startxref
395
%%EOF
%X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
%%EOF

Temporarily available from https://gofile.io/d/53fylg; it should look like this, assuming your antivirus allows the download :-). Try saving the download as text; otherwise I will need to upload it as RAR.

However, those two "positives" would be just as good a detection as telltales that any AV is searching those file types for currently known exploits.

I recommend downloading the live script-running version at the bottom of this article for deeper testing: https://blog.didierstevens.com/2015/08/28/test-file-pdf-with-embedded-doc-dropping-eicar/
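As an added example (not part of the original answer), a Python script that builds both test documents the answer describes: the minimal PDF with the EICAR string on a comment line after %%EOF, computing the xref offsets so the file stays well-formed (the part that drifts when the sample is cut and pasted), plus a check that those offsets are consistent, and a docx copy with eicar.txt added. All function names and the empty-zip stand-in used in the test are my own assumptions.

```python
import zipfile
from io import BytesIO

# EICAR test string from the answer above; a raw string so the backslash is kept verbatim.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def build_eicar_pdf() -> bytes:
    """Minimal one-page PDF with the same object layout as the hand-written sample; offsets are computed."""
    content = b"q BT /F1 24 Tf 1 0 0 1 50 720 Tm (Hello World!) Tj ET Q"
    objects = [
        b"<</Pages 2 0 R/Type/Catalog>>",
        b"<</Count 1/Kids[3 0 R]/Type/Pages>>",
        b"<</Contents 4 0 R/MediaBox[0 0 500 800]/Parent 2 0 R/Resources<</Font<</F1 5 0 R>>>>/Type/Page>>",
        b"<</Length %d>>\nstream\n%s\nendstream" % (len(content), content),
        b"<</BaseFont/Courier/Subtype/Type1/Type/Font>>",
    ]
    out = bytearray(b"%PDF-1.4\n%\xb5\xb6\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))  # byte offset of "N 0 obj", recorded for the xref table
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<</Size %d/Root 1 0 R>>\nstartxref\n%d\n%%%%EOF\n" % (len(objects) + 1, xref_pos)
    # A '%' line is a PDF comment: readers ignore it, so the file stays a valid PDF for type checks.
    out += b"%" + EICAR.encode("ascii") + b"\n%%EOF\n"
    return bytes(out)

def xref_is_consistent(pdf: bytes) -> bool:
    """True if startxref points at the table and every in-use entry points at its 'N 0 obj' header."""
    xref_pos = int(pdf[pdf.rindex(b"startxref") + 9:].split()[0])
    lines = pdf[xref_pos:].split(b"\n")
    if lines[0] != b"xref":  # offsets drifted, e.g. after inserting text by hand
        return False
    first, count = (int(x) for x in lines[1].split())
    for i, entry in enumerate(lines[2:2 + count]):
        offset, _gen, kind = entry.split()
        if kind == b"n" and not pdf[int(offset):].startswith(b"%d 0 obj" % (first + i)):
            return False
    return True

def add_eicar_to_docx(docx: bytes) -> bytes:
    """Copy a .docx (a zip) entry by entry, preserving entry order, and add eicar.txt to it."""
    src, buf = zipfile.ZipFile(BytesIO(docx)), BytesIO()
    with src, zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            dst.writestr(item, src.read(item.filename))
        dst.writestr("eicar.txt", EICAR)
    return buf.getvalue()
```

Write the returned bytes to eicar.pdf / eicar.docx in binary mode and submit them through the upload path to confirm the ICAP scan reports them.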