Summary
The built-in EICAR detection in src/engine.cpp (line ~130) hardcodes the EICAR test string prefix check at the engine layer. This was added as a temporary workaround so --eicar-test passes without a loaded .akavdb.
Problem
- AV engines should not hardcode detection signatures in source code
- EICAR should be detected via its MD5/SHA256 hash in the signature database like any other malware
- The hardcoded check bypasses the entire scan pipeline (bloom, hash match, etc.)
Solution
- Add EICAR MD5/SHA256 to the default .akavdb built by akavdb-tool
- Ensure install.ps1 deploys a minimal .akavdb containing at least the EICAR signature
- Remove the hardcoded EICAR prefix check from src/engine.cpp
- Remove the duplicate check from src/scanner.cpp (Stage 0)
Files to modify
src/engine.cpp — remove built-in EICAR block
src/scanner.cpp — remove Stage 0 EICAR block
tools/akavdb-tool/ — add EICAR entry to default DB build
scripts/install.ps1 — ensure minimal .akavdb is deployed
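As an added illustration of the Solution above (example code, not part of this project, which is C++; written in Python so it runs stand-alone with only the standard library): the EICAR file is detected the same way as any other sample, by hashing the file and looking the digest up in a signature database, with a Bloom filter as the cheap pre-check that the issue describes. The SignatureDB/BloomFilter layout, the function names and the Bloom parameters are assumptions for this sketch, not the .akavdb format; the SHA-256 constant is the well-known hash of the 68-byte EICAR test string.

```python
"""Hash-based EICAR detection through the normal signature pipeline (added example)."""
import hashlib
from dataclasses import dataclass, field

# Constructed signature table: (detection name, SHA-256 hex of the exact file bytes).
# The real .akavdb would carry MD5 and SHA-256; SHA-256 alone is enough to show the flow.
DEFAULT_SIGNATURES = [
    ("EICAR-Test-File",
     "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"),
]

# Canonical 68-byte EICAR test string (the double backslash is one literal backslash).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


class BloomFilter:
    """Small Bloom filter: a cheap pre-check so most clean files never reach the hash table."""

    def __init__(self, size_bits: int = 8192, num_hashes: int = 4):
        self.size = size_bits
        self.k = num_hashes
        self.bits = bytearray(size_bits // 8)

    def _positions(self, key: bytes):
        # Derive k bit positions from one SHA-256 of the key (assumed scheme, not the project's).
        d = hashlib.sha256(key).digest()
        for i in range(self.k):
            yield int.from_bytes(d[4 * i:4 * i + 4], "big") % self.size

    def add(self, key: bytes) -> None:
        for p in self._positions(key):
            self.bits[p // 8] |= 1 << (p % 8)

    def maybe_contains(self, key: bytes) -> bool:
        # False means "definitely absent"; True means "check the exact table".
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(key))


@dataclass
class SignatureDB:
    """Assumed in-memory shape of a signature database: bloom stage + exact digest map."""
    bloom: BloomFilter = field(default_factory=BloomFilter)
    by_sha256: dict = field(default_factory=dict)

    @classmethod
    def build(cls, entries) -> "SignatureDB":
        # Mirrors what a DB-build tool would do: every entry feeds both stages.
        db = cls()
        for name, sha_hex in entries:
            digest = bytes.fromhex(sha_hex)
            db.bloom.add(digest)
            db.by_sha256[digest] = name
        return db


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_bytes(db: SignatureDB, data: bytes):
    """Return the detection name for `data`, or None. No file-type special cases."""
    digest = hashlib.sha256(data).digest()
    if not db.bloom.maybe_contains(digest):   # stage 1: bloom pre-filter
        return None
    return db.by_sha256.get(digest)           # stage 2: exact hash match


if __name__ == "__main__":
    db = SignatureDB.build(DEFAULT_SIGNATURES)
    print("EICAR   ->", scan_bytes(db, EICAR))
    print("benign  ->", scan_bytes(db, b"hello world"))
```

One caveat worth keeping in mind when the prefix check is removed: the EICAR specification allows the 68-byte string to be followed by whitespace (the file may be up to 128 bytes in total), and a hash entry only matches the exact canonical bytes. A test file written by an editor that appends a newline will therefore hash differently and not match, so --eicar-test should write the canonical bytes itself, and the default database may want entries for the common whitespace-terminated variants as well.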