[clamav-users] Clamav doesn't seem to work when we use HTTP POST with eicar.com.png file

Manoj Ramakrishnan manojramakrishnan at nbnco.com.au
Fri Feb 13 01:54:44 EST 2015

Looks like I can't attach files here?

Anyway, I tried with the Leave Temp file option enabled, and below is the temp
file content. I actually removed the virus signature in case it causes

------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="entrantgivenname" lenore hubbard
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="entrantfamilyname" alyssa todd
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="entrantage" 10 ------webkitformboundaryegau8ptirxvetss4
content-disposition: form-data; name="entrantschool" sunt perspiciatis
quia tempore qui adi ------webkitformboundaryegau8ptirxvetss4
content-disposition: form-data; name="title" mrs.
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="givenname" fatima galloway ------webkitformboundaryegau8ptirxvetss4
content-disposition: form-data; name="familyname" fitzgerald romero
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="email" falerycam at yahoo.com ------webkitformboundaryegau8ptirxvetss4
content-disposition: form-data; name="phone" 04000000010
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="address" aut et debitis occaecat velit itaque recusandae ea laborum
quis beatae labore exercitationem ut anim quo voluptatem
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="suburb" consectetur consequatur tempore ut voluptatum consequatur
nulla ad aut molestiae est velit qui mollitia vel
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="postcode" 2394 ------webkitformboundaryegau8ptirxvetss4
content-disposition: form-data; name="state" nsw
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="agree" on ------webkitformboundaryegau8ptirxvetss4
content-disposition: form-data; name="g-recaptcha-response"
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="attachment"; filename="eicar.com.png" content-type: image/png <VIRUS
SIGNATURE> ------webkitformboundaryegau8ptirxvetss4--

Manoj Ramakrishnan
DevOps Engineer | POS | P +61 2 8918 5906  | M 0416 128 308

On 13/02/15 5:20 PM, "Manoj Ramakrishnan" <manojramakrishnan at nbnco.com.au>

>I have a clamd (0.98.5) + cicap (0.3.5) + squidclamav (6.12) +
>squid (3.1.14) on a RHEL5 box. We use this as a virus scanner for
>scanning the files uploaded through a web form. It doesn't seem to work
>if I upload a png file. Actually, the png file is just the "eicar.com" file,
>but I renamed it to "eicar.com.png" because the form only accepts the .png.
>But it works beautifully when I upload the
>"eicarcom2.zip<http://www.eicar.org/download/eicarcom2.zip>" file
>(renamed to .png).
>We did an strace on the clamd PID and found that:
>  1.  When I upload the eicar.com.png file, it writes the tmp file with
>all HTML headers (including all the form field values) and the multipart
>part. Then it scans it and returns the stream OK result.
>  2.  When I upload the zip file, it correctly extracts the zip file from
>the HTML POST request and creates the tmp file using just the
>multipart data only. So it works.
>In case #1 I find there are two requests going to clamd; it creates two
>tmp files, scans both, and no virus is found.
>In case #2 it only creates one file and finds the virus.
>I am not sure whether this is something to do with the other components:
>c-icap, squidclamav or squid.
>See attached files for the relevant part in strace for both cases.
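The difference between the two cases reported in this message, scanning the whole POST body versus scanning only the uploaded part, can be reproduced offline. The following is an added example, not part of the original post or of any of the projects named in it. The boundary, the `toy_scan` function and its "match only at the start of the data" rule are assumptions standing in for a real scanner, and the payload is the same `<VIRUS SIGNATURE>` placeholder the poster used.

```python
from email.parser import BytesParser
from email.policy import HTTP

# Constructed sample: harmless placeholder standing in for the test-file content.
MARKER = b"<VIRUS SIGNATURE>"
BOUNDARY = "----WebKitFormBoundaryEXAMPLE"  # constructed boundary

def build_body():
    """Build a constructed multipart/form-data body: one text field, one file."""
    b = BOUNDARY.encode()
    return b"\r\n".join([
        b"--" + b,
        b'Content-Disposition: form-data; name="entrantage"',
        b"",
        b"10",
        b"--" + b,
        b'Content-Disposition: form-data; name="attachment"; filename="eicar.com.png"',
        b"Content-Type: image/png",
        b"",
        MARKER,
        b"--" + b + b"--",
        b"",
    ])

def extract_files(body, content_type):
    """Return {filename: bytes} for every part that carries a filename."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = BytesParser(policy=HTTP).parsebytes(raw)
    files = {}
    for part in msg.iter_parts():
        name = part.get_filename()
        if name:
            files[name] = part.get_payload(decode=True)
    return files

def toy_scan(data):
    """Hypothetical stand-in scanner: flags data only when it begins with MARKER."""
    return "FOUND" if data.startswith(MARKER) else "OK"

def demo():
    body = build_body()
    ctype = "multipart/form-data; boundary=" + BOUNDARY
    whole = toy_scan(body)  # whole request body, form fields included
    parts = {n: toy_scan(d) for n, d in extract_files(body, ctype).items()}
    return whole, parts

if __name__ == "__main__":
    print(demo())
```

A quick check when debugging a chain like this is to compare the temp file the scanner kept with the extracted part: if the temp file still contains the boundary lines and form fields, the scanner was handed the raw request body.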

