I've opened https://bugzilla.clamav.net/show_bug.cgi?id=11380. Please attach to this bugzilla ticket the original pdf file and the original multipart document.
Thanks.

On Tue, Aug 18, 2015 at 10:48 AM, P K <pkopen...@gmail.com> wrote:

> Hi Guys,
>
> Again troubling you. Can you please let me know why it's not working for
> Windows server? Do I need to enable any setting in ClamAV configuration?
>
> I was trying to upload the same exploit.pdf virus file to a Windows server and
> it's not detected by ClamAV Antivirus.
>
> *I tried with detect-pua also and it didn't work for me*.
>
> It works fine with curl and other software. *Maybe we have to handle
> separately for Windows server*.
>
> Looks like it's due to the way Windows servers upload files using the
> boundary mechanism.
>
> Below is the output of the virus file to ClamAV:
>
> Content-Disposition: form-data; name="__EVENTVALIDATION"
>
> /wEWBAK5276uAwLv4ZO6DgLmgPS1DQL374fcBaj9ZhJYdIZVwZS464ZHv7T3ou6w
> -----------------------------21154944191352840482619583850
> Content-Disposition: form-data; name="destination"
>
>
>
>
>
>
> */AnalyticsReports-----------------------------21154944191352840482619583850Content-Disposition:
> form-data; name="ctl00$PlaceHolderMain$ctl01$ctl05$InputFile";
> filename="exploit.pdf"Content-Type: application/force-download*
> %PDF-1.1
> 1 0 obj
> << /Type /Catalog /Outlines 2 0 R /Pages 3 0 R /OpenAction 5 0 R >>
> endobj
> 2 0 obj
> << /Type /Outlines /Count 0 >>
> endobj
> 3 0 obj
> << /Type /Pages /Kids [4 0 R] /Count 1 >>
> endobj
> 4 0 obj
> << /Type /Page /Parent 3 0 R /MediaBox [0 0 612 792] >>
> endobj
> 5 0 obj
> << /Type /Action /S /JavaScript /JS (
> VIRUS DATA .....................
> ...........................................
>
> spray_heap();
> trigger_bug();
>
> ) >>
> endobj
> xref
> 0 6
> 0000000000 65535 f
> 0000000010 00000 n
> 0000000096 00000 n
> 0000000145 00000 n
> 0000000205 00000 n
> 0000000279 00000 n
> trailer
> << /Size 6 /Root 1 0 R >>
> startxref
> 1787
> %%EOF
> -----------------------------21154944191352840482619583850
> Content-Disposition: form-data;
> name="ctl00$PlaceHolderMain$ctl01$ctl05$OverwriteSingle"
>
> on
> -----------------------------21154944191352840482619583850
> Content-Disposition: form-data; name="__spText1"
>
>
> -----------------------------21154944191352840482619583850
>
>
> On Thu, Jul 30, 2015 at 3:39 PM, P K <pkopen...@gmail.com> wrote:
>
> > Thanks Shaun. I've seen it's pushed in the latest update.
> >
> > Hope to learn more from you guys.
> >
> > On Wed, Jul 29, 2015 at 7:32 PM, Shaun Hurley <shahu...@sourcefire.com> wrote:
> >
> >> PK,
> >>
> >> Thank you for bringing this to our attention.
> >>
> >> I have created another signature that doesn't rely upon PUA being enabled.
> >> As soon as the signature is done being tested for false positives we will
> >> publish it.
> >>
> >> Thanks again,
> >> Shaun Hurley
> >> ClamAV Malware Team
> >>
> >> On Tue, Jul 28, 2015 at 10:54 AM, P K <pkopen...@gmail.com> wrote:
> >>
> >> > worked properly after enabling PUA.
> >> >
> >> > Cheers,
> >> > --PK
> >> >
> >> > On Tue, Jul 28, 2015 at 8:14 PM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:
> >> >
> >> > >
> >> > > On Tue, July 28, 2015 3:41 pm, P K wrote:
> >> > > > So how to detect same in my ClamAV?
> >> > > >
> >> > >
> >> > > Until a proper sig is added, you could try
> >> > >
> >> > > clamscan --detect-pua=yes
> >> > >
> >> > > Cheers,
> >> > >
> >> > > Steve
> >> > > Web : sanesecurity.com
> >> > > Blog: sanesecurity.blogspot.com
> >> > >
> >> > > _______________________________________________
> >> > > Help us build a comprehensive ClamAV guide:
> >> > > https://github.com/vrtadmin/clamav-faq
> >> > >
> >> > > http://www.clamav.net/contact.html#ml
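
As an added example (not from the thread and not ClamAV code): a Python sketch that splits a multipart/form-data body on its boundary so each uploaded file can be written out and scanned on its own rather than as part of the raw request body. The boundary, field names and sample body are constructed, and `split_multipart` and `file_parts` are hypothetical helper names.

```python
import re

# Constructed sample: a minimal multipart/form-data body with one form field
# and one file part. Boundary and field names are made up for this example.
BOUNDARY = b"----constructedBoundary123"
SAMPLE_BODY = (
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="destination"\r\n\r\n'
    b"/AnalyticsReports\r\n"
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="InputFile"; filename="sample.pdf"\r\n'
    b"Content-Type: application/force-download\r\n\r\n"
    b"%PDF-1.1\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\r\n"
    b"--" + BOUNDARY + b"--\r\n"
)
FILENAME_RE = re.compile(r'filename="([^"]*)"')

def split_multipart(body: bytes, boundary: bytes):
    """Return (parts, malformed); parts is a list of (headers, content)."""
    parts, malformed = [], 0
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):        # closing delimiter reached
            break
        head, sep, content = chunk.partition(b"\r\n\r\n")
        if not sep:                        # no blank line after the part headers
            malformed += 1
            continue
        if content.endswith(b"\r\n"):      # this CRLF belongs to the next delimiter
            content = content[:-2]
        headers = {}
        for line in head.strip().split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        parts.append((headers, content))
    return parts, malformed

def file_parts(body: bytes, boundary: bytes):
    """Return ([(filename, content)], malformed_count) for uploaded files."""
    parts, malformed = split_multipart(body, boundary)
    files = []
    for headers, content in parts:
        match = FILENAME_RE.search(headers.get("content-disposition", ""))
        if match:
            files.append((match.group(1), content))
    return files, malformed

if __name__ == "__main__":
    files, malformed = file_parts(SAMPLE_BODY, BOUNDARY)
    for name, data in files:
        print(name, len(data), "bytes, starts with", data[:8])
    print("malformed parts:", malformed)
```

A non-zero malformed count means a part could not be separated from its headers, so an empty file list must not be treated as a clean result.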