Hi Steve,

Thanks for the reply. Really appreciated.
I tried your suggestion and it mostly works when we use the clamdscan command, except in some cases like a modified gzip and other types like tar and bz2. Will explain below.

Downloaded these two files:

  wget http://www.eicar.org/download/eicar.com
  wget http://www.eicar.org/download/eicarcom2.zip

Case 1: clamdscan eicar.com -- WORKS
Case 2: gzip the eicar.com file and scan it using clamdscan -- WORKS
Case 3: clamdscan eicarcom2.zip -- WORKS
Case 4: Opened the gz file (from Case #2) in the vi editor, added a character, say "a", at the beginning of the file and scanned it using clamdscan -- NOT WORKING
Case 5: Modified the zip file from Case #3 in the vi editor, added some characters at the beginning and scanned it using clamdscan -- WORKS. This always works if there is a PK\003\004 signature in the test file.
Case 6: Used eicar.com as-is in a curl POST request (file upload) -- NOT WORKING

We modified these files assuming this is exactly what is happening in the POST request. The request body may have additional form data at the beginning of the byte stream and/or at the end of the byte stream.
As an example, here is the strace output for the POST request (curl -v -H "Expect:" -H "host:www.srv1.com" -F "attachment=@/tmp/clamd/eicar.com.gz" http://localhost:9091/form1/submit):

pread(12, "------------------------------d40d9eade79b\r\nContent-Disposition: form-data; name=\"attachment\"; filename=\"eicar.com.gz\"\r\nContent-Type: application/octet-stream\r\n\r\n\37\213\10\10t~\342T\0\3eicar.com\0\2130\36 5W\fPup\f\2106\211\t\210\21205\321\10\210\3234wv\3264\257Uq\365tv\f\322\r\1 6q\364sq\fr\321u\364\v\361\f\363\f\n\r\326\rq\r\16\321u\363\364qUT\361\320\366\320\2\0<\317QhD\0\0\0\r\n------------------------------d40d9eade79b--\r\n", 318, 0) = 318
write(2, "LibClamAV debug: Recognized binary data\n", 40) = 40
write(2, "LibClamAV debug: cache_check: 6503faa52c4f86f6aa90119703c7f352 is negative\n", 75) = 75
write(2, "LibClamAV debug: in cli_check_mydoom_log()\n", 43) = 43
write(2, "LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0\n", 68) = 68
write(2, "LibClamAV debug: cli_magic_scandesc: returning 0 at line 2470\n", 63) = 63
write(2, "LibClamAV debug: cache_add: 6503faa52c4f86f6aa90119703c7f352 (level 0)\n", 71) = 71
munmap(0x2b7e6856d000, 8192) = 0
sendto(11, "fd[12]: OK\0", 11, 0, NULL, 0) = 11

I am wondering why there is this difference in test results for ZIP and GZIP? Is there a difference in handling the magic sequence for ZIP (PK\003\004) and GZIP (\037\213)? Or are we missing proper configuration settings?

Please let us know if you want me to provide more information.

Regards
Manoj Ramakrishnan
DevOps Engineer | POS | P +61 2 8918 5906 | M 0416 128 308

On 17/02/15 5:13 AM, "Steven Morgan" <smor...@sourcefire.com> wrote:

>Manoj,
>
>Seem like this should work. What happens if you scan your tar and tar.gz
>files just using clamscan?
>
>You can run your clamd in debug mode by setting "Foreground yes" and
>"Debug yes" in clamd.conf, then run clamd from a terminal window. This may give
>you an indication about why clamd does not see the inner file when using
>squid. Also, "LeaveTemporaryFiles yes" will keep the inner files from
>archives in the ClamAV temp directory for inspection.
>
>Hope this helps,
>Steve
>
>On Sun, Feb 15, 2015 at 11:30 PM, Manoj Ramakrishnan <
>manojramakrish...@nbnco.com.au> wrote:
>
>> Hi,
>>
>> I tried to scan tar files and tar.gz files using clamav (through squid,
>> squidclamav and c-icap) but it just passes through. Both these files
>> contain the "eicar.com" test file.
>> But if it is a zip file then it works!!!
>>
>> The ScanArchive parameter is enabled in clamd.conf.
>>
>> Do I need any special setting to scan these files? I am using a RHEL5
>> server and clamd/clamav version 0.98.5
>>
>> Regards
>> Manoj Ramakrishnan
>> DevOps Engineer | POS | P +61 2 8918 5906 | M 0416 128 308
>>
>>
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
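The gzip-versus-zip asymmetry in cases 4 and 5, and the "bare file inside a form body" situation of case 6, can be reproduced with nothing more than Python's standard-library container parsers. The script below is an added example and is not code from this thread or from the ClamAV project; it does not model ClamAV's own type detection, it only shows why a leading byte leaves one container readable and the other not, and how to strip the multipart framing so the attachment itself can be handed to clamdscan. PAYLOAD is a constructed stand-in for eicar.com, and the boundary string and field name are made up to resemble the strace dump above.

```python
"""Reproduce the gzip/zip prefix cases from the thread and extract a file
part from a multipart/form-data body before scanning.

Added example, not from the thread or from ClamAV. Uses only the Python
standard library. PAYLOAD is a constructed stand-in for eicar.com."""
import gzip
import io
import zipfile
from typing import Optional

# Constructed stand-in; substitute the real eicar.com bytes when driving clamdscan.
PAYLOAD = b"STAND-IN-FOR-EICAR-TEST-FILE"

GZIP_MAGIC = b"\x1f\x8b"          # \037\213 in the strace dump
ZIP_LOCAL_MAGIC = b"PK\x03\x04"   # PK\003\004


def make_gzip(data: bytes, name: str = "eicar.com") -> bytes:
    """Case 2: gzip a file; mtime fixed so the output is deterministic."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", filename=name, mtime=0) as gz:
        gz.write(data)
    return buf.getvalue()


def make_zip(data: bytes, name: str = "eicar.com") -> bytes:
    """Case 3: a single-member zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name, data)
    return buf.getvalue()


def magic_offset(blob: bytes, magic: bytes) -> int:
    """Offset of the container magic, -1 if absent. Both magics survive a
    prefix, so mere presence of the magic is not what separates cases 4 and 5."""
    return blob.find(magic)


def unpack_gzip(blob: bytes) -> Optional[bytes]:
    """gzip is a stream: the header must sit at offset 0, so a prefixed
    file (case 4) is simply not a gzip file to the parser."""
    try:
        return gzip.decompress(blob)
    except OSError:          # gzip.BadGzipFile is an OSError subclass
        return None


def unpack_zip(blob: bytes) -> Optional[bytes]:
    """zip is located from its end-of-central-directory record: zipfile scans
    back from EOF, then corrects member offsets for any leading junk. That is
    why case 5 still works after bytes are prepended."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return z.read(z.namelist()[0])
    except zipfile.BadZipFile:
        return None


def multipart_body(field: str, filename: str, content: bytes, boundary: str) -> bytes:
    """Build the kind of body curl -F sends (case 6), CRLF line endings."""
    b = boundary.encode()
    return (b"--" + b + b"\r\n"
            + b'Content-Disposition: form-data; name="' + field.encode()
            + b'"; filename="' + filename.encode() + b'"\r\n'
            + b"Content-Type: application/octet-stream\r\n\r\n"
            + content + b"\r\n"
            + b"--" + b + b"--\r\n")


def extract_multipart_file(body: bytes, boundary: str, field: str) -> Optional[bytes]:
    """Return the raw bytes of the named file part, with the form framing
    removed, so the bare file can be scanned instead of the whole body."""
    delim = b"--" + boundary.encode()
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):          # closing delimiter, nothing after it
            break
        if part.startswith(b"\r\n"):
            part = part[2:]
        headers, sep, data = part.partition(b"\r\n\r\n")
        if not sep or b'name="' + field.encode() + b'"' not in headers:
            continue
        # The CRLF before the next delimiter belongs to the delimiter, not the data.
        return data[:-2] if data.endswith(b"\r\n") else data
    return None


if __name__ == "__main__":
    gz, zp = make_gzip(PAYLOAD), make_zip(PAYLOAD)
    for label, blob, fn in [("case 2 gz", gz, unpack_gzip),
                            ("case 4 a+gz", b"a" + gz, unpack_gzip),
                            ("case 3 zip", zp, unpack_zip),
                            ("case 5 a+zip", b"a" + zp, unpack_zip)]:
        print(label, "recovered" if fn(blob) == PAYLOAD else "NOT recovered")
    body = multipart_body("attachment", "eicar.com.gz", gz, "d40d9eade79b")
    print("case 6 raw body:", unpack_gzip(body))
    print("case 6 extracted part:",
          unpack_gzip(extract_multipart_file(body, "d40d9eade79b", "attachment")))
```

The practical takeaway is the last two lines: scanning the raw request body gives the scanner a blob that starts with the form boundary, while scanning the output of extract_multipart_file gives it the attachment with its gzip header at offset 0. Write that extracted part to a temporary file and run clamdscan on it rather than on the whole body.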