[clamav-users] [SUSPECTED SPAM] Re: Calamav cannot scan tar file and gzip files?

Manoj Ramakrishnan manojramakrishnan at nbnco.com.au
Tue Feb 17 18:58:02 EST 2015


On 18/02/15 6:09 AM, "Steven Morgan" <smorgan at sourcefire.com> wrote:


>On Tue, Feb 17, 2015 at 1:11 AM, Manoj Ramakrishnan <
>manojramakrishnan at nbnco.com.au> wrote:
>
>> Hi Al,
>>
>> Thanks for replying.
>> It is exactly what I thought. But why is it different from ZIP file?
>> I added extra characters in the beginning of the ZIP file but no issues in
>> scanning that and finding eicar signature.
>>
>It may be because of this file typing signature, which is not tied to a
>fixed offset (the '*' in second field is wildcard offset):
>
>  "1:*:504b0304:ZIP-SFX:CL_TYPE_ANY:CL_TYPE_ZIPSFX"
>
>There are no corresponding wildcard magics for GZIP. Could you please
>confirm by looking for a message containing "ZIP/ZIP-SFX signature found
>at" in your debug output.
>
>
>> Also curious to see why is it not working in case #4 and #6?
>>
>>
>Using "LeaveTemporaryFiles yes", you should be able to inspect files in the
>ClamAV temp directory as forwarded by your web proxy. This will show the
>files as seen by ClamAV. As already pointed out, if there are any
>additional characters (HTTP headers, etc.), it will not be recognized as
>GZIP. Are there any settings in squidclamav to control how files are formed
>for forwarding to ClamAV?

At the moment there are no settings in squidclamav to extract the multipart
form data and send only the attachment to clamd.

As Kevin mentioned, if clamd doesn't natively support parsing HTTP
messages then we need to find a way to pass correct data to clamd.

Is HTTP message parsing support on your feature roadmap for clamd?


Regards
Manoj

>
>Hope this helps,
>Steve
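An added illustration, not part of the thread and not ClamAV or squidclamav code: a simplified model of the typing behaviour discussed above, showing why a ZIP upload wrapped in a multipart/form-data body is still typed (magic `504b0304` at a wildcard offset) while a wrapped GZIP is not, and how extracting the file part first restores detection. The function names, the boundary string, the sample payload and the offset-0 gzip check (`1f8b`, per RFC 1952) are assumptions made for the example.

```python
import gzip, io, zipfile

GZIP_MAGIC = bytes.fromhex("1f8b")     # gzip header bytes (RFC 1952), matched at offset 0 only
ZIP_MAGIC = bytes.fromhex("504b0304")  # from the quoted signature; its offset field is '*'

def file_type(buf: bytes) -> str:
    """Simplified model of the typing step discussed in the thread (not ClamAV code)."""
    if buf.startswith(GZIP_MAGIC):
        return "GZIP"
    pos = buf.find(ZIP_MAGIC)
    if pos == 0:
        return "ZIP"
    return "ZIP-SFX" if pos > 0 else "UNKNOWN"

def build_upload(filename, content, boundary="constructed-boundary-42"):
    """Constructed multipart/form-data body, as a proxy would forward it unparsed."""
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n')
    return (f"multipart/form-data; boundary={boundary}",
            head.encode() + content + f"\r\n--{boundary}--\r\n".encode())

def extract_files(content_type, body):
    """Minimal extractor for flat (un-nested) multipart/form-data; returns raw file parts."""
    boundary = content_type.split("boundary=", 1)[1].strip('"').encode()
    files = []
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):          # closing delimiter reached
            break
        headers, _, data = part.partition(b"\r\n\r\n")
        if b"filename=" in headers:
            files.append(data[:-2])         # drop the CRLF that precedes the next delimiter
    return files

def demo():
    payload = b"constructed sample payload\n" * 4   # harmless constructed content
    gz = gzip.compress(payload, mtime=0)
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("sample.txt", payload)
    ctype, gz_body = build_upload("sample.gz", gz)
    _, zip_body = build_upload("sample.zip", zbuf.getvalue())
    recovered = extract_files(ctype, gz_body)[0]
    return {"gz_wrapped": file_type(gz_body), "zip_wrapped": file_type(zip_body),
            "gz_extracted": file_type(recovered),
            "roundtrip": gzip.decompress(recovered) == payload}

if __name__ == "__main__":
    print(demo())
```
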



