[clamav-users] Clamav doesn't seem to work when we use HTTP POST with eicar.com.png file

Manoj Ramakrishnan manojramakrishnan at nbnco.com.au
Fri Feb 13 01:20:09 EST 2015


I have a clamd(0.98.5) + cicap(0.3.5)  + squidclamav(6.12)  + squid(3.1.14) on a RHEL5 box. We use this as a virus scanning for scanning the files uploaded through a web form. It doesn't seem to work if I upload a png file Actually the png file is just the "eicar.com" file but I renamed it to "eicar.com.png" because the form only accept the .png files.

But it works beautifully when I upload  the "eicarcom2.zip<http://www.eicar.org/download/eicarcom2.zip>" file (renamed to .png).

We did an strace on the clamd PID and found that,

  1.  When I upload the eicar.com.png file it writes the tmp file with all HTML headers(including all the form field values) and the multipart part. Then scans it. Returns the stream OK result.
  2.  When I upload the zip file it correctly extract the zip file from the HTML POST request and create the tmp file using the just the multipart data only. So it works

In the case #1 I find there are two req is going to clamd, it creates two tmp file, scans both and no virus found.
In the case of #2 it only create one file and found the virus.

Am not sure about is this something to do with the other components c-icap or squidclamav or squid.

See attached files for  the relevant part in strace for both cases.

Manoj Ramakrishnan
DevOps Engineer | POS | P +61 2 8918 5906  | M 0416 128 308

More information about the clamav-users mailing list