On Tue, Feb 17, 2015 at 1:11 AM, Manoj Ramakrishnan <
manojramakrish...@nbnco.com.au> wrote:

> Hi Al,
>
> Thanks for replying.
> It is exactly what I thought. But why is it different from ZIP file?
> I added extra characters in the beginning of the ZIP file but no issues in
> scanning that and finding eicar signature.

It may be because of this file typing signature, which is not tied to a
fixed offset (the '*' in second field is wildcard offset):

  "1:*:504b0304:ZIP-SFX:CL_TYPE_ANY:CL_TYPE_ZIPSFX"

There are no corresponding wildcard magics for GZIP. Could you please
confirm by looking for a message containing "ZIP/ZIP-SFX signature found
at" in your debug output.


> Also curious to see why is it not working in case #4 and #6?
>
>
Using "LeaveTemporaryFiles yes", you should be able to inspect files in the
ClamAV temp directory as forwarded by your web proxy. This will show the
files as seen by ClamAV. As already pointed out, if there are any
additional characters (http headers, etc.), it will not be recognized as
GZIP. Are there any settings in squidclamav to control how files are formed
for forwarding to ClamAV?

Hope this helps,
Steve
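
As an added illustration (not part of the original message and not ClamAV's own code), this simplified Python model shows why a wildcard-offset magic still matches after leading bytes are added while a fixed-offset magic does not. The GZIP line, the helper names, the prefix and the sample payload are constructed for this example.

```python
import gzip, io, zipfile

# Field layout as in the quoted line: kind:offset:hexmagic:name:required:detected
ZIP_SFX = "1:*:504b0304:ZIP-SFX:CL_TYPE_ANY:CL_TYPE_ZIPSFX"  # from the thread
GZIP_FIXED = "0:0:1f8b:GZip:CL_TYPE_ANY:CL_TYPE_GZ"  # constructed, same layout

def parse_ftm(line):
    """Split a typing line; offset '*' becomes None (match anywhere)."""
    _kind, offset, magic, name, _required, detected = line.split(":")
    return {"offset": None if offset == "*" else int(offset),
            "magic": bytes.fromhex(magic), "name": name, "detected": detected}

def match_offset(sig, data):
    """Return the offset where the magic matches, or None if it does not."""
    magic = sig["magic"]
    if sig["offset"] is None:            # wildcard: search the whole buffer
        pos = data.find(magic)
        return pos if pos >= 0 else None
    off = sig["offset"]                  # fixed: compare at that offset only
    return off if data[off:off + len(magic)] == magic else None

def make_samples(payload=b"constructed test payload\n"):
    """Build a small gzip stream and a small ZIP archive in memory."""
    gz = gzip.compress(payload, mtime=0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.txt", payload)
    return gz, buf.getvalue()

# Constructed stand-in for extra leading bytes such as HTTP headers.
PREFIX = b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n"

if __name__ == "__main__":
    gz, zp = make_samples()
    cases = [("gzip", GZIP_FIXED, gz), ("prefixed gzip", GZIP_FIXED, PREFIX + gz),
             ("zip", ZIP_SFX, zp), ("prefixed zip", ZIP_SFX, PREFIX + zp)]
    for label, line, data in cases:
        sig = parse_ftm(line)
        print(f"{label:14} {sig['name']:8} match offset: {match_offset(sig, data)}")
```

The same `match_offset` check can be pointed at the bytes of a file kept by "LeaveTemporaryFiles yes" to see whether the GZIP magic really sits at offset 0.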