Antivirus & Multiple Detections

"When a file contains more than one signature, for example EICAR and a real virus, what will the antivirus report?"

I'm paraphrasing a question I've been asked a couple of times.

The answer depends on the sample file and the antivirus.

To illustrate this question, I made a sample file: a ZIP file containing the EICAR antivirus test file and mimikatz.exe.

The EICAR file appears first:

The different antivirus programs I'm familiar with will report just one detection: EICAR or mimikatz.

Like ClamAV:

Here we can see that ClamAV detects EICAR, and not mimikatz. This is for performance reasons: ClamAV will stop scanning a file after the first detection. However, ClamAV has an option to make it continue scanning after a match:

With this option, ClamAV reports both EICAR and mimikatz:

Do you know antivirus programs with a similar option? Please post a comment!
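
The first-match versus all-match behaviour described above, as an added example that is not part of the original diary entry and is not ClamAV's code: a toy scanner over an in-memory ZIP. The signature names, marker bytes and member names are constructed stand-ins for EICAR and mimikatz.

```python
import io
import zipfile

# Constructed stand-in signatures (not real ClamAV signatures or real samples).
SIGNATURES = {
    "Test.File-A": b"CONSTRUCTED-TEST-MARKER-A",
    "Test.Tool-B": b"CONSTRUCTED-TOOL-MARKER-B",
}


def build_sample_zip():
    """Build an in-memory ZIP with two members, each matching one signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("first.txt", b"header " + SIGNATURES["Test.File-A"])
        zf.writestr("second.bin",
                    b"\x00" * 64 + SIGNATURES["Test.Tool-B"] + b"\x00" * 64)
    return buf.getvalue()


def scan_zip(data, all_matches=False):
    """Return [(member, signature_name), ...] for a ZIP held in memory.

    all_matches=False: stop at the first detection (the fast default).
    all_matches=True:  keep scanning and report every detection.
    """
    detections = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():           # members in archive order
            content = zf.read(info)          # decompressed member bytes
            for name, pattern in SIGNATURES.items():
                if pattern in content:
                    detections.append((info.filename, name))
                    if not all_matches:
                        # Short-circuit: later members are never read.
                        return detections
    return detections


if __name__ == "__main__":
    sample = build_sample_zip()
    print("first match only:", scan_zip(sample))
    print("all matches:     ", scan_zip(sample, all_matches=True))
```

In first-match mode, which detection gets reported depends only on the order of the members in the archive, so a single reported detection says nothing about what else the file contains.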


Didier Stevens
Senior handler
Microsoft MVP


677 Posts
ISC Handler
May 17th 2020
I have never seen this; the AV always shows the two malicious files.

1 Posts
What does VirusTotal say about your file?

4 Posts
Click on the first link in my diary entry and you'll see VT's analysis.

677 Posts
ISC Handler
Hi.. Now I'm interested.. Mainly free Avast (private user and trying to keep up where we "good guys" stand)..

I'm just a single user (admin, 6 comps, including sandbox just to pass time). But this was awakening for a while... I'll need to check my comps for a possible breach.. Alienvault OSSIM/SIEM employed, but need to restrict something.. Ty for sharing.

10 Posts
