[clamav-users] [SUSPECTED SPAM] Re: Calamav cannot scan tar file and gzip files?

Steven Morgan smorgan at sourcefire.com
Tue Feb 17 14:09:18 EST 2015


On Tue, Feb 17, 2015 at 1:11 AM, Manoj Ramakrishnan <
manojramakrishnan at nbnco.com.au> wrote:

> Hi Al,
>
> Thanks for replying.
> It is exactly what I thought. But why is it different from ZIP file?
> I added extra characters in the beginning of the ZIP file but no issues in
> scanning that and finding eicar signature.
>

It may be because of this file typing signature, which is not tied to a
fixed offset (the '*' in the second field is a wildcard offset):

  "1:*:504b0304:ZIP-SFX:CL_TYPE_ANY:CL_TYPE_ZIPSFX"

There are no corresponding wildcard magics for GZIP. Could you please
confirm by looking for a message containing "ZIP/ZIP-SFX signature found
at" in your debug output?


> Also curious to see why is it not working in case #4 and #6?
>
>
Using "LeaveTemporaryFiles yes", you should be able to inspect files in the
ClamAV temp directory as forwarded by your web proxy. This will show the
files as seen by ClamAV. As already pointed out, if there are any
additional characters (HTTP headers, etc.), it will not be recognized as
GZIP. Are there any settings in squidclamav to control how files are formed
for forwarding to ClamAV?

Hope this helps,
Steve
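
Added example (not part of the original message and not ClamAV code): a small checker that applies the wildcard-offset ZIP-SFX signature quoted above and a fixed-offset GZIP signature to sample data, showing why bytes placed in front of a gzip stream stop it being typed while a ZIP is still found. The field layout is assumed from the quoted signature; the `GZIP_FIXED` entry, the function names and the sample bytes are constructed for illustration.

```python
# Signature quoted in the message. Field layout assumed from it:
# magictype:offset:magicbytes:name:rtype:type
ZIP_SFX = "1:*:504b0304:ZIP-SFX:CL_TYPE_ANY:CL_TYPE_ZIPSFX"
# Constructed fixed-offset GZIP entry in the same layout (not from the page).
GZIP_FIXED = "0:0:1f8b:GZIP:CL_TYPE_ANY:CL_TYPE_GZ"


def parse_ftm(line):
    """Keep the fields needed for typing: offset, magic bytes, result type."""
    _magictype, offset, magic, _name, _rtype, ftype = line.split(":")[:6]
    return {"offset": None if offset == "*" else int(offset),
            "magic": bytes.fromhex(magic), "type": ftype}


def match(sig, data):
    """Offset of the magic, or None. '*' searches; a number pins the position."""
    if sig["offset"] is None:
        pos = data.find(sig["magic"])
        return pos if pos >= 0 else None
    off = sig["offset"]
    return off if data[off:off + len(sig["magic"])] == sig["magic"] else None


def diagnose(data):
    """Return (type, offset) for the first signature that matches.

    If neither matches, return (None, n) where n is the offset of a displaced
    gzip magic (-1 if absent), i.e. how many bytes precede the archive.
    """
    for line in (GZIP_FIXED, ZIP_SFX):
        sig = parse_ftm(line)
        pos = match(sig, data)
        if pos is not None:
            return (sig["type"], pos)
    return (None, data.find(parse_ftm(GZIP_FIXED)["magic"]))


# Constructed samples: archive headers followed by placeholder bytes.
GZ = bytes.fromhex("1f8b0800000000000003") + b"placeholder-deflate-data"
ZIP = b"PK\x03\x04" + b"placeholder-zip-entry"
HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/gzip\r\n\r\n"

if __name__ == "__main__":
    for label, blob in [("gzip", GZ), ("headers+gzip", HDR + GZ),
                        ("junk+zip", b"XXXX" + ZIP)]:
        print(label, diagnose(blob))
```

To check a file kept by "LeaveTemporaryFiles yes", read it in binary mode and pass the bytes to `diagnose()`; a result of `(None, n)` with `n > 0` means `n` bytes sit in front of the gzip magic.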
