On 18/02/15 6:09 AM, "Steven Morgan" <smor...@sourcefire.com> wrote:


>On Tue, Feb 17, 2015 at 1:11 AM, Manoj Ramakrishnan <
>manojramakrish...@nbnco.com.au> wrote:
>
>> Hi Al,
>>
>> Thanks for replying.
>> It is exactly what I thought. But why is it different from ZIP file?
>> I added extra characters in the beginning of the ZIP file but no issues in
>> scanning that and finding eicar signature.
>>
>It may be because of this file typing signature, which is not tied to a
>fixed offset (the '*' in second field is wildcard offset):
>
>  "1:*:504b0304:ZIP-SFX:CL_TYPE_ANY:CL_TYPE_ZIPSFX"
>
>There are no corresponding wildcard magics for GZIP. Could you please
>confirm by looking for a message containing "ZIP/ZIP-SFX signature found
>at" in your debug output.
>
>
>> Also curious to see why is it not working in case #4 and #6?
>>
>>
>Using "LeaveTemporaryFiles yes", you should be able to inspect files in the
>ClamAV temp directory as forwarded by your web proxy. This will show the
>files as seen by ClamAV. As already pointed out, if there are any
>additional characters (http headers, etc.), it will not be recognized as
>GZIP. Are there any settings in squidclamav to control how files are formed
>for forwarding to ClamAV?

At the moment there are no settings in squidclamav to extract the multipart
form data and send only the attachment to clamd.

As Kevin mentioned, if clamd doesn't natively support parsing HTTP
messages then we need to find a way to pass correct data to clamd.

Is HTTP message parsing support on your feature roadmap for clamd?


Regards
Manoj

>
>Hope this helps,
>Steve
>_______________________________________________
>Help us build a comprehensive ClamAV guide:
>https://github.com/vrtadmin/clamav-faq
>
>http://www.clamav.net/contact.html#ml

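The offset behaviour discussed in this thread, as an added example that is not part of the original messages and is not ClamAV or squidclamav code: a simplified matcher for typing signatures in the quoted layout, run over a multipart/form-data body before and after the attachment is extracted. The GZIP line, the boundary, the sample payloads and all function names are constructed for the illustration.

```python
import gzip

# Line 1 is the typing signature quoted in the thread (wildcard offset '*').
# Line 2 is constructed for this example in the same field layout, using the
# RFC 1952 gzip magic 1f 8b at fixed offset 0; it is not copied from ClamAV.
FTM_LINES = [
    "1:*:504b0304:ZIP-SFX:CL_TYPE_ANY:CL_TYPE_ZIPSFX",
    "0:0:1f8b:GZIP-constructed:CL_TYPE_ANY:CL_TYPE_GZ",
]
BOUNDARY = b"constructedBoundary"  # assumed multipart boundary

def parse_ftm(line):
    """Split a typing signature into (offset or None, magic bytes, type)."""
    _kind, offset, magic, _name, _required, detected = line.split(":")
    return (None if offset == "*" else int(offset)), bytes.fromhex(magic), detected

def detect_types(data, lines=FTM_LINES):
    """Match '*' magics anywhere in data, others only at their fixed offset."""
    found = []
    for offset, magic, detected in map(parse_ftm, lines):
        hit = magic in data if offset is None else data.startswith(magic, offset)
        if hit:
            found.append(detected)
    return found

def build_upload(payload, boundary=BOUNDARY):
    """Constructed sample: a one-file form upload body as forwarded by a proxy."""
    return (b"--" + boundary + b"\r\n"
            b'Content-Disposition: form-data; name="f"; filename="sample.bin"\r\n'
            b"Content-Type: application/octet-stream\r\n\r\n"
            + payload + b"\r\n--" + boundary + b"--\r\n")

def multipart_parts(body, boundary=BOUNDARY):
    """Return the raw content of each part with its part headers removed."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter reached
            break
        content = chunk.partition(b"\r\n\r\n")[2]
        parts.append(content[:-2] if content.endswith(b"\r\n") else content)
    return parts

GZ = gzip.compress(b"constructed test payload", mtime=0)
ZIP_LIKE = b"PK\x03\x04" + bytes(26)  # constructed: only the magic matters here

if __name__ == "__main__":
    for name, sample in (("gzip", GZ), ("zip", ZIP_LIKE)):
        body = build_upload(sample)
        print(name, detect_types(body), [detect_types(p) for p in multipart_parts(body)])
```

The wrapped ZIP sample is still typed because its magic is searched at any offset, while the wrapped GZIP sample is typed only after the part content is extracted.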