ClamAV returns "OK" for EICAR-embedded image files — not detecting virus signature appended to PNG/JPG or injected into metadata [closed]


I have a Spring Boot application that scans uploaded image files using ClamAV before storing them. The scan is performed by streaming the file bytes to the ClamAV daemon using the INSTREAM command via a custom ClamAVClient.

The problem is that ClamAV consistently returns "OK" (clean) for image files that I have deliberately injected with the EICAR antivirus test string. Based on my understanding, ClamAV must detect EICAR if it is doing a full file scan. The fact that it is not detecting it tells me something is wrong with either my configuration or the way the file is being streamed.

What I tested

I embedded the EICAR string into PNG and JPEG images using three methods:

1. Appending raw EICAR bytes at the end of the image file (file stays valid/openable)
2. Injecting EICAR into the JPEG comment field / PNG tEXt chunk via Pillow (Python)
3. Encoding EICAR into pixel LSB values (steganography)

Methods 1 and 2 should be caught by ClamAV with a proper full-file scan. Method 3 is a steganographic approach and I understand AV tools rarely catch it.

I also converted the infected image to a Base64 string and sent it directly in the JSON request body (not as multipart/form-data). ClamAV also returned "OK" for this. The back-end decoded the Base64 back to bytes before scanning.

All three methods resulted in ClamAV returning "OK". The file was accepted.

My Spring Boot ClamAV configuration

application.yml:

```yaml
clamav:
  host: localhost
  port: 3310
  connection-timeout: 5000
  read-timeout: 60000
  enabled: true
  max-scan-size: 5368709120 # 5 GB
  fail-on-unavailable: true
```

ClamAVConfig.java:

```java
@Value("${clamav.max-scan-size}")
private long maxScanSize;
```

The maxScanSize value is passed to the streaming client to limit how many bytes are sent to ClamAV in one INSTREAM session.

My questions

1. If ClamAV silently truncates the stream and stops scanning, does it still return "OK" instead of an error? How do I make it return an error or alert in that case?
2. What clamd.conf settings should I use to ensure the full file is always scanned, and that ClamAV never silently passes a file it could not fully scan?
3. Are there any Spring Boot / Java ClamAV client libraries that handle stream chunking and size limits correctly out of the box?

What I expect

ClamAV should return "stream: Eicar-Signature FOUND" for any file containing the EICAR test string, regardless of whether it is appended, in metadata, or embedded in any other way — as long as the bytes are present in the stream.

Any help on the correct clamd.conf settings and Spring Boot integration to ensure full-file scanning would be greatly appreciated.

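Added example, not part of the question above and not the poster's Java client: a minimal INSTREAM client in Python together with a constructed stand-in for clamd that runs in-process, so the exchange can be exercised offline. The stand-in implements only the zINSTREAM framing (the "zINSTREAM\0" command, length-prefixed chunks, a zero-length terminator, a NUL-terminated reply) and clamd's actual behaviour of answering "INSTREAM size limit exceeded. ERROR" once the stream passes StreamMaxLength. It is not clamd, does no real signature matching, and "detects" a made-up marker string rather than the real EICAR string, which is deliberately kept off this page. The host, port, chunk size, the fake signature name in the reply, and the 64 KiB limit are all assumptions chosen for the demonstration.

```python
import socket
import struct
import threading

# Constructed marker that the fake server treats as a "signature". It is NOT
# the real EICAR string; any scanner behaviour shown here is the stand-in's.
FAKE_SIGNATURE = b"EXAMPLE-TEST-SIGNATURE-MARKER"


def recv_exact(conn, n):
    """Read exactly n bytes, or return None if the peer closes first."""
    buf = bytearray()
    while len(buf) < n:
        part = conn.recv(n - len(buf))
        if not part:
            return None
        buf += part
    return bytes(buf)


def serve_fake_clamd(conn, stream_max_length):
    """Constructed stand-in for clamd's zINSTREAM handling (not clamd itself).
    Framing: b'zINSTREAM\\0', then repeated <4-byte big-endian length><data>,
    ended by a zero length. The reply is NUL-terminated like clamd's z-commands."""
    with conn:
        conn.settimeout(5.0)
        cmd = bytearray()
        while not cmd.endswith(b"\0"):
            b = conn.recv(1)
            if not b:
                return
            cmd += b
        if bytes(cmd) != b"zINSTREAM\0":
            conn.sendall(b"UNKNOWN COMMAND\0")
            return
        buf, reply = bytearray(), None
        while True:
            hdr = recv_exact(conn, 4)
            if hdr is None:
                return
            (n,) = struct.unpack("!I", hdr)
            if n == 0:
                break
            chunk = recv_exact(conn, n)
            if chunk is None:
                return
            if reply is None and len(buf) + n > stream_max_length:
                # Same reply text real clamd uses when StreamMaxLength is hit.
                # Real clamd may also drop the connection at this point; this
                # stand-in keeps draining so the client sees the reply.
                reply = b"INSTREAM size limit exceeded. ERROR\0"
            buf += chunk
        if reply is None:
            reply = (b"stream: Example.Test.Signature FOUND\0"
                     if FAKE_SIGNATURE in buf else b"stream: OK\0")
        conn.sendall(reply)


def start_fake_clamd(stream_max_length):
    """Listen on an ephemeral loopback port; return (listening socket, port)."""
    srv = socket.create_server(("127.0.0.1", 0))
    srv.settimeout(0.2)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:  # listening socket closed by the caller
                return
            threading.Thread(target=serve_fake_clamd,
                             args=(conn, stream_max_length), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def instream_scan(host, port, data, chunk_size=8192, timeout=5.0):
    """Send every byte of data with zINSTREAM framing; return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            s.sendall(b"zINSTREAM\0")
            for off in range(0, len(data), chunk_size):
                chunk = data[off:off + chunk_size]
                s.sendall(struct.pack("!I", len(chunk)) + chunk)
            s.sendall(struct.pack("!I", 0))  # zero-length chunk ends the stream
            reply = bytearray()
            while not reply.endswith(b"\0"):
                part = s.recv(4096)
                if not part:
                    break
                reply += part
        except OSError as exc:
            # Connection dropped mid-stream: that is never a clean verdict.
            return f"connection error: {exc}"
    return reply.rstrip(b"\0").decode("ascii", "replace")


def classify(reply):
    """Fail closed: only an exact 'stream: OK' is treated as clean."""
    if reply == "stream: OK":
        return "clean"
    if reply.endswith(" FOUND"):
        return "infected"
    return "error"  # covers '... ERROR' replies and connection failures


def run_demo(stream_max_length=64 * 1024):
    srv, port = start_fake_clamd(stream_max_length)
    try:
        # Constructed PNG-like header plus padding, not a real image.
        png_like = b"\x89PNG\r\n\x1a\n" + bytes(5000)
        # chunk_size 5020 splits the appended marker across two chunks; the
        # scanner reassembles the stream, so the split must not hide it.
        return {
            "clean": classify(instream_scan("127.0.0.1", port, png_like, chunk_size=5020)),
            "appended": classify(instream_scan("127.0.0.1", port,
                                               png_like + FAKE_SIGNATURE, chunk_size=5020)),
            "oversized": classify(instream_scan("127.0.0.1", port, bytes(100_000))),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    print(run_demo())
```

Two points the example is built around. First, the client sends the whole input and ends it with the zero-length chunk; a client-side byte cap such as the max-scan-size in the question does not make the scanner report truncation, because the daemon only sees what it is sent. Second, classify() treats anything other than an exact "stream: OK" as not clean, so an "INSTREAM size limit exceeded. ERROR" reply or a dropped connection fails closed instead of letting the file through. On the daemon side, StreamMaxLength in clamd.conf caps what INSTREAM accepts, and a file that exceeds MaxFileSize or MaxScanSize is only reported as a detection rather than passed if AlertExceedsMax is set to yes.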