
How to Test Virus Scanner Compatibility

Introduction

When configuring virus scanning for Attachment Checker, we need to ensure that the virus scanner being used is compatible.

You can refer to Compatible Antivirus Command Line Scanners for the list of anti-virus scanners that we have tested.

If your virus scanner is not in the list, please follow the steps below to determine your scanner's compatibility.

 

Requirements

The requirements for the Command Line Scanner for the Attachment Checker are:

  1. Allow scanning of a single file

  2. File to be scanned should be the last parameter 

  3. Scanner should return the exit code value 0 if there is no threat found.

Details

Files Required

  • Non-infected file - any file that is not blacklisted / blocked

  • Infected file - eicar.txt

The EICAR test file is a computer file used to test the response of computer antivirus (AV) programs.
Instead of using real malware, which could cause real damage, this test file allows people to test anti-virus software without having to use a real computer virus.

 

Example - Testing with ClamAV

https://docs.clamav.net/manual/Usage/Scanning.html#some-basic-scans

For One-Time Scanning, the command to use is:

clamscan [options] [file/directory/-]

 

Test Steps:

  1. Execute the command line scanner to scan the file

    [root@011-028-c-227 ~]# clamscan testFiles/eicar.txt
    testFiles/eicar.txt: Eicar-Signature FOUND
    ----------- SCAN SUMMARY -----------
    Known viruses: 8558862
    Engine version: 0.102.3
    Scanned directories: 0
    Scanned files: 1
    Infected files: 1
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 16.530 sec (0 m 16 s)

     

  2. Check the errorLevel returned by the previous command

    [root@011-028-c-227 ~]# echo "returning errorLevel = " $?
    returning errorLevel = 1

     

  3. Run Step 1 and 2 again with non-infected file

  4. The results will be:
    Scanning non-infected file: returning errorLevel = 0

    Scanning infected file: returning errorLevel = 1

As the behaviour is in line with our requirements, the antivirus is compatible.
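
The test steps above can be scripted so that the same check runs against any candidate scanner. The following is an added example, not part of the original article or of Attachment Checker: the function names, the stub_scanner stand-in and the FAKE-THREAT marker are constructed for illustration. To test a real scanner, pass its command in place of stub_scanner (for example clamscan, with eicar.txt as the infected file).

```shell
# Added example: runs the Test Steps above against any command line scanner.
# Usage: check_scanner_compat CLEAN_FILE INFECTED_FILE SCANNER [OPTIONS...]
# Returns 0 if the scanner meets the three requirements, 1 otherwise.

# Scan one file (requirement 1), passing it as the last parameter
# (requirement 2), and print the scanner's exit code.
scan_exit_code() {
    file=$1; shift
    rc=0
    "$@" "$file" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

check_scanner_compat() {
    clean=$1; infected=$2; shift 2
    # An on-access scanner may quarantine the test file before the scan runs.
    if [ ! -r "$clean" ] || [ ! -r "$infected" ]; then
        echo "test file missing or unreadable" >&2; return 1
    fi
    clean_rc=$(scan_exit_code "$clean" "$@")
    infected_rc=$(scan_exit_code "$infected" "$@")
    echo "Scanning non-infected file: returning errorLevel = $clean_rc"
    echo "Scanning infected file: returning errorLevel = $infected_rc"
    # Requirement 3: exit code 0 when no threat is found. A missing or broken
    # scanner (e.g. 127, command not found) fails here as well.
    if [ "$clean_rc" -ne 0 ]; then
        echo "INCOMPATIBLE: clean file returned $clean_rc, expected 0" >&2; return 1
    fi
    # Returning 0 for the infected file would make infected files look clean.
    if [ "$infected_rc" -eq 0 ]; then
        echo "INCOMPATIBLE: infected file returned 0" >&2; return 1
    fi
    return 0
}

# Constructed stand-in scanner: flags any file containing FAKE-THREAT.
stub_scanner() {
    for last in "$@"; do :; done          # file is the last parameter
    ! grep -q 'FAKE-THREAT' "$last"
}

demo() {
    d=$(mktemp -d) || return 1
    printf 'plain text\n' > "$d/clean.txt"
    printf 'FAKE-THREAT\n' > "$d/infected.txt"   # constructed marker, not EICAR
    check_scanner_compat "$d/clean.txt" "$d/infected.txt" stub_scanner
    rm -rf "$d"
}
demo
```

The check rejects a scanner that returns 0 for both files as well as one that cannot be executed at all, two cases that the manual steps only reveal if both runs are actually compared.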