[clamav-users] [SUSPECTED SPAM] Re: Calamav cannot scan tar file and gzip files?

Scott Kitterman ubuntu at kitterman.com
Tue Feb 17 19:10:22 EST 2015

On Tuesday, February 17, 2015 11:58:02 PM Manoj Ramakrishnan wrote:
> On 18/02/15 6:09 AM, "Steven Morgan" <smorgan at sourcefire.com> wrote:
> >On Tue, Feb 17, 2015 at 1:11 AM, Manoj Ramakrishnan <
> >
> >manojramakrishnan at nbnco.com.au> wrote:
> >> Hi Al,
> >> 
> >> Thanks for replying.
> >> It is exactly what I thought. But why is it different from ZIP file?
> >> I added extra characters in the beginning of the ZIP file but no issues
> >>
> >>in
> >>
> >> scanning that and finding eicar signature.
> >> 
> >> It may be because of this file typing signature, which is not tied to a
> >
> >fixed offset (the '*' in second field is wildcard offset):
> >  "1:*:504b0304:ZIP-SFX:CL_TYPE_ANY:CL_TYPE_ZIPSFX"
> >
> >There are no corresponding wildcard magics for GZIP. Could you please
> >confirm by looking for a message containing "ZIP/ZIP-SFX signature found
> >at" in your debug output.
> >
> >> Also curious to see why is it not working in case #4 and #6?
> >
> >Using "LeaveTemporaryFiles yes", you should be able to inspect files in
> >the
> >ClamAV temp directory as forwarded by your web proxy. This will show the
> >files as seen by ClamAV. As already pointed out, if there are any
> >additional characters (http headers, etc.), it will not be recognized as
> >GZIP. Are there any settings in squidclamav to control how files are
> >formed
> >for forwarding to ClamAV?
> At the moment there is no settings in squidclamav to extract the multipart
> form data and send only the attachment to clamd.
> As Kevin mentioned, if clamd doesn't natively support parsing HTTP
> messages then we need to find a way to pass correct data to clamd.
> Is HTTP message parsing support on your feature roadmap for clamd?

I haven't been following this thread very closely, so this may be off track, 
but would havp do what you need:


Scott K

More information about the clamav-users mailing list