[clamav-users] [SUSPECTED SPAM] Re: Calamav cannot scan tar file and gzip files?

Manoj Ramakrishnan manojramakrishnan at nbnco.com.au
Tue Feb 17 20:42:44 EST 2015


Hi Scott,

I had a look at what havp does and am not sure it will fit with our
current design. Will do a spike to find out.

Our application stack has the following design


Client ==> Apache Reverse Proxy ============>(non scanning urls)================> Bunch of app servers
                        ||                                                                  ^^
                        ||                                                                  ||
                Scan a list of urls for virus                                               ||
                in client uploaded files                                                    ||
                        ||                                                                  ||
                        ||                                                                  ||
                        ||                                                                  ||
                   Squid(act as a reverse proxy) + CICAP + Clamd ========>No virus ==>Go to ||
                        ||
                        ||
                   Virus found(Go back to client with 403)

I can probably replace CICAP with HAVP, but I am not sure how I can use
HAVP to act as a reverse proxy without another Squid.


Hope this explains.

Manoj




On 18/02/15 11:10 AM, "Scott Kitterman" <ubuntu at kitterman.com> wrote:

>On Tuesday, February 17, 2015 11:58:02 PM Manoj Ramakrishnan wrote:
>> On 18/02/15 6:09 AM, "Steven Morgan" <smorgan at sourcefire.com> wrote:
>> >On Tue, Feb 17, 2015 at 1:11 AM, Manoj Ramakrishnan <manojramakrishnan at nbnco.com.au> wrote:
>> >> Hi Al,
>> >> 
>> >> Thanks for replying.
>> >> It is exactly what I thought. But why is it different from ZIP file?
>> >> I added extra characters in the beginning of the ZIP file but no issues
>> >> in scanning that and finding eicar signature.
>> >> 
>> >It may be because of this file typing signature, which is not tied to a
>> >fixed offset (the '*' in second field is wildcard offset):
>> >  "1:*:504b0304:ZIP-SFX:CL_TYPE_ANY:CL_TYPE_ZIPSFX"
>> >
>> >There are no corresponding wildcard magics for GZIP. Could you please
>> >confirm by looking for a message containing "ZIP/ZIP-SFX signature found
>> >at" in your debug output.
>> >
>> >> Also curious to see why is it not working in case #4 and #6?
>> >
>> >Using "LeaveTemporaryFiles yes", you should be able to inspect files in the
>> >ClamAV temp directory as forwarded by your web proxy. This will show the
>> >files as seen by ClamAV. As already pointed out, if there are any
>> >additional characters (http headers, etc.), it will not be recognized as
>> >GZIP. Are there any settings in squidclamav to control how files are formed
>> >for forwarding to ClamAV?
>> 
>> At the moment there are no settings in squidclamav to extract the multipart
>> form data and send only the attachment to clamd.
>> 
>> As Kevin mentioned, if clamd doesn't natively support parsing HTTP
>> messages then we need to find a way to pass correct data to clamd.
>> 
>> Is HTTP message parsing support on your feature roadmap for clamd?
>
>I haven't been following this thread very closely, so this may be off track,
>but would havp do what you need:
>
>http://www.server-side.de/
>
>Scott K

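The thread's point, as an added example that is not part of the original messages and not ClamAV or squidclamav code: a GZIP upload wrapped in a multipart/form-data body no longer starts with the GZIP header, while extracting the file part first restores it. The function names `toy_file_type`, `build_upload` and `extract_files`, the boundary string and the sample payload are constructed for illustration, and the typing model is a simplification (GZIP matched only at offset 0, the quoted ZIP magic `504b0304` matched anywhere).

```python
import gzip
from email import message_from_bytes
from email.policy import default

GZIP_MAGIC = bytes.fromhex("1f8b")      # GZIP header bytes; modelled as offset-0 only
ZIP_MAGIC = bytes.fromhex("504b0304")   # magic from the signature quoted in the thread

def toy_file_type(buf: bytes) -> str:
    """Simplified model of the typing rules discussed above, not ClamAV's code."""
    if buf.startswith(GZIP_MAGIC):       # fixed offset: must be the very first bytes
        return "GZIP"
    if ZIP_MAGIC in buf:                 # wildcard offset ('*'): anywhere in the buffer
        return "ZIP/ZIP-SFX"
    return "unknown"

def build_upload(filename: str, payload: bytes, boundary: str = "constructedBoundary42"):
    """Constructed multipart/form-data body, as a proxy would forward it unmodified."""
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    body = head + payload + f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", body

def extract_files(content_type: str, body: bytes):
    """Return [(filename, bytes)] for each file part, i.e. what the scanner should see."""
    msg = message_from_bytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body, policy=default)
    return [(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_parts() if p.get_filename()]

def demo():
    gz = gzip.compress(b"constructed sample content\n" * 4, mtime=0)
    ctype, body = build_upload("sample.gz", gz)
    name, part = extract_files(ctype, body)[0]
    # (type of raw body, part filename, type of extracted part, bytes intact?)
    return toy_file_type(body), name, toy_file_type(part), part == gz

if __name__ == "__main__":
    print(demo())
```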


