[clamav-users] Clamav doesn't seem to work when we use HTTP POST with eicar.com.png file

Manoj Ramakrishnan manojramakrishnan at nbnco.com.au
Fri Feb 13 01:54:44 EST 2015


Looks like I can't attach files here?

Anyway, I tried with the Leave Temp file option enabled, and below is the temp
file content. I actually removed the virus signature in case it causes
trouble.

------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="authorization"
l9lujbf8pm96budl9qewplci3dic6+0f1to5up7suyuf1dvepdi6dfygp34x2a7g
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="entrantgivenname" lenore hubbard
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="entrantfamilyname" alyssa todd
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="entrantage" 10 ------webkitformboundaryegau8ptirxvetss4
content-disposition: form-data; name="entrantschool" sunt perspiciatis
quia tempore qui adi ------webkitformboundaryegau8ptirxvetss4
content-disposition: form-data; name="title" mrs.
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="givenname" fatima galloway ------webkitformboundaryegau8ptirxvetss4
content-disposition: form-data; name="familyname" fitzgerald romero
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="email" falerycam at yahoo.com ------webkitformboundaryegau8ptirxvetss4
content-disposition: form-data; name="phone" 04000000010
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="address" aut et debitis occaecat velit itaque recusandae ea laborum
quis beatae labore exercitationem ut anim quo voluptatem
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="suburb" consectetur consequatur tempore ut voluptatum consequatur
nulla ad aut molestiae est velit qui mollitia vel
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="postcode" 2394 ------webkitformboundaryegau8ptirxvetss4
content-disposition: form-data; name="state" nsw
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="agree" on ------webkitformboundaryegau8ptirxvetss4
content-disposition: form-data; name="g-recaptcha-response"
03ahj_vuuaecmen-_mvccrjnykob9dm5voahl3hii57h9bhjezc_iwfhmgmcgeidjckrgibwh8r
3ua3dzjxu8s9nwxs5byf0adzml1n3_qwzgiyivq3vrngi-xeu7kh-aju1iw92bn1gstua1wg1vq
bwkm4vsf8ganh2s218utmxqv7h5_fhk2cc7wqddogztxf5xsoao8npux4-5il29xnx1gaoriuwj
crap5umb5-bnm16xd3fily76d8q_9u5daxrrvtitw9oagke-gdics5j-vlkd0yqowlj3loenucx
wxplbbvdvk3yzwofnty4in73lb5lxi9hb7bqbybozlye-dr-jwsmik4q
------webkitformboundaryegau8ptirxvetss4 content-disposition: form-data;
name="attachment"; filename="eicar.com.png" content-type: image/png <VIRUS
SIGNATURE> ------webkitformboundaryegau8ptirxvetss4--



Manoj Ramakrishnan
DevOps Engineer | POS | P +61 2 8918 5906  | M 0416 128 308




On 13/02/15 5:20 PM, "Manoj Ramakrishnan" <manojramakrishnan at nbnco.com.au>
wrote:

>Hi,
>
>I have a clamd(0.98.5) + cicap(0.3.5)  + squidclamav(6.12)  +
>squid(3.1.14) on a RHEL5 box. We use this as a virus scanner for
>scanning the files uploaded through a web form. It doesn't seem to work
>if I upload a png file. Actually the png file is just the "eicar.com" file
>but I renamed it to "eicar.com.png" because the form only accepts .png
>files.
>
>But it works beautifully when I upload  the
>"eicarcom2.zip<http://www.eicar.org/download/eicarcom2.zip>" file
>(renamed to .png).
>
>We did an strace on the clamd PID and found that,
>
>
>  1.  When I upload the eicar.com.png file it writes the tmp file with
>all HTML headers (including all the form field values) and the multipart
>part. Then it scans it and returns the stream OK result.
>  2.  When I upload the zip file it correctly extracts the zip file from
>the HTML POST request and creates the tmp file using just the
>multipart data only. So it works.
>
>In case #1 I find there are two requests going to clamd; it creates two
>tmp files, scans both and no virus is found.
>In case #2 it only creates one file and finds the virus.
>
>I am not sure whether this is something to do with the other components
>c-icap or squidclamav or squid.
>
>
>See attached files for  the relevant part in strace for both cases.
>
>Regards
>Manoj Ramakrishnan
>DevOps Engineer | POS | P +61 2 8918 5906  | M 0416 128 308
>_______________________________________________
>Help us build a comprehensive ClamAV guide:
>https://github.com/vrtadmin/clamav-faq
>
>http://www.clamav.net/contact.html#ml
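
Added example, not part of the original post or of any project named in it: a minimal splitter for a multipart/form-data body that returns only the file parts, so each upload can be handed to a scanner on its own rather than as the whole POST body described in case #1. The boundary, field values and payload are constructed placeholders, and `extract_files` is a hypothetical helper name.

```python
import re

# Constructed sample input: one text field and one file part.
BOUNDARY = b"----ConstructedBoundary7MA4"
PAYLOAD = b"PLACEHOLDER-UPLOAD-BYTES\r\nline two"  # stands in for the uploaded file
SAMPLE_BODY = b"\r\n".join([
    b"--" + BOUNDARY,
    b'Content-Disposition: form-data; name="entrantage"',
    b"",
    b"10",
    b"--" + BOUNDARY,
    b'Content-Disposition: form-data; name="attachment"; filename="eicar.com.png"',
    b"Content-Type: image/png",
    b"",
    PAYLOAD,
    b"--" + BOUNDARY + b"--",
    b"",
])

FILENAME_RE = re.compile(r'(?im)^content-disposition:.*?filename="([^"]*)"')


def extract_files(body: bytes, boundary: bytes):
    """Return [(filename, payload_bytes)] for every file part in the body."""
    files = []
    # A delimiter is CRLF + "--" + boundary; prepend CRLF so the first one matches too.
    sections = (b"\r\n" + body).split(b"\r\n--" + boundary)[1:]
    for section in sections:
        if section.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        head, sep, payload = section.partition(b"\r\n\r\n")
        if not sep:  # malformed part without a header/body separator
            continue
        match = FILENAME_RE.search(head.decode("latin-1"))
        if match:  # plain form fields carry no filename and are skipped
            files.append((match.group(1), payload))
    return files


if __name__ == "__main__":
    for name, data in extract_files(SAMPLE_BODY, BOUNDARY):
        # In the raw body the upload sits after all form fields; extracted, it starts at 0.
        print(name, "offset in raw body:", SAMPLE_BODY.find(data), "size:", len(data))
```

Each returned payload can then be written to its own temporary file and scanned separately.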



