[clamav-users] [SUSPECTED SPAM] Re: Calamav cannot scan tar file and gzip files?

Manoj Ramakrishnan manojramakrishnan at nbnco.com.au
Tue Feb 17 21:25:03 EST 2015


Ummm… the text diagram is not rendered as intended.

What I was trying to show is:

Client ---> Apache Reverse Proxy ---non scanning urls---->bunch of
application servers

Client ---> Apache Reverse Proxy ---Scan a list of urls for virus in
client uploaded files --> Squid(act as a reverse proxy) + CICAP + Clamd
---> Virus found --> HTTP 403 to Client

Client ---> Apache Reverse Proxy ---Scan a list of urls for virus in
client uploaded files --> Squid(act as a reverse proxy) + CICAP + Clamd
---> No virus --> bunch of application servers



Manoj





On 18/02/15 12:42 PM, "Manoj Ramakrishnan"
<manojramakrishnan at nbnco.com.au> wrote:

>Hi Scott,
>
>I had a look at what havp does and am not sure it will fit with our
>current design. Will do a spike to find out.
>
>Our application stack has the following design
>
>
>Client ==> Apache Reverse Proxy ============>(non scanning
>urls)================> Bunch of app servers
>                        ||
>                 ^^
>                        ||
>                 ||
>                Scan a list of urls for virus
>                 ||
>                in client uploaded files
>                 ||
>                        ||
>                 ||
>                        ||
>                 ||
>                        ||
>                 ||
>                   Squid(act as a reverse proxy) + CICAP + Clamd
>========>No virus ==>Go to ||
>                        ||
>                        ||
>                   Virus found(Go back to client with 403)
>                  
>		
>
>I probably can replace CICAP with HAVP, but I am not sure how I can use the
>HAVP to act as a reverse proxy without another Squid.
>
>
>Hope this explains.
>
>Manoj
>
>
>
>
>On 18/02/15 11:10 AM, "Scott Kitterman" <ubuntu at kitterman.com> wrote:
>
>>On Tuesday, February 17, 2015 11:58:02 PM Manoj Ramakrishnan wrote:
>>> On 18/02/15 6:09 AM, "Steven Morgan" <smorgan at sourcefire.com> wrote:
>>> >On Tue, Feb 17, 2015 at 1:11 AM, Manoj Ramakrishnan <
>>> >
>>> >manojramakrishnan at nbnco.com.au> wrote:
>>> >> Hi Al,
>>> >> 
>>> >> Thanks for replying.
>>> >> It is exactly what I thought. But why is it different from ZIP file?
>>> >> I added extra characters in the beginning of the ZIP file but no issues in
>>> >> scanning that and finding eicar signature.
>>> >> 
>>> >> It may be because of this file typing signature, which is not tied to a
>>> >fixed offset (the '*' in second field is wildcard offset):
>>> >  "1:*:504b0304:ZIP-SFX:CL_TYPE_ANY:CL_TYPE_ZIPSFX"
>>> >
>>> >There are no corresponding wildcard magics for GZIP. Could you please
>>> >confirm by looking for a message containing "ZIP/ZIP-SFX signature found
>>> >at" in your debug output.
>>> >
>>> >> Also curious to see why is it not working in case #4 and #6?
>>> >
>>> >Using "LeaveTemporaryFiles yes", you should be able to inspect files in the
>>> >ClamAV temp directory as forwarded by your web proxy. This will show the
>>> >files as seen by ClamAV. As already pointed out, if there are any
>>> >additional characters (http headers, etc.), it will not be recognized as
>>> >GZIP. Are there any settings in squidclamav to control how files are formed
>>> >for forwarding to ClamAV?
>>> 
>>> At the moment there are no settings in squidclamav to extract the multipart
>>> form data and send only the attachment to clamd.
>>> 
>>> As Kevin mentioned, if clamd doesn't natively support parsing HTTP
>>> messages then we need to find a way to pass correct data to clamd.
>>> 
>>> Is HTTP message parsing support on your feature roadmap for clamd?
>>
>>I haven't been following this thread very closely, so this may be off
>>track, 
>>but would havp do what you need:
>>
>>http://www.server-side.de/
>>
>>Scott K
>>_______________________________________________
>>Help us build a comprehensive ClamAV guide:
>>https://github.com/vrtadmin/clamav-faq
>>
>>http://www.clamav.net/contact.html#ml
>
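
Added example (not part of the original thread, and not ClamAV or squidclamav code): a simplified Python model of the file typing discussed above. It shows why a gzip upload forwarded inside a multipart/form-data body is not typed as GZIP while a ZIP still is, and that extracting the file part first restores detection. The boundary, filenames, payload and function names are constructed for illustration.

```python
import gzip, io, re, zipfile

GZIP_MAGIC = b"\x1f\x8b"               # RFC 1952 magic, checked only at offset 0
ZIP_MAGIC = bytes.fromhex("504b0304")  # from "1:*:504b0304:ZIP-SFX:..." quoted above
BOUNDARY = b"constructedBoundary"      # constructed value

def detect_type(buf: bytes) -> str:
    """Simplified typing model: fixed offset for GZIP, wildcard offset for ZIP."""
    if buf.startswith(GZIP_MAGIC):
        return "GZIP"
    if ZIP_MAGIC in buf:
        return "ZIP-SFX"
    return "UNKNOWN"

def build_upload(filename: str, data: bytes, boundary: bytes = BOUNDARY) -> bytes:
    """Constructed multipart/form-data body, as a proxy would forward it unmodified."""
    head = (b'Content-Disposition: form-data; name="file"; filename="'
            + filename.encode() + b'"\r\n'
            b"Content-Type: application/octet-stream")
    return (b"--" + boundary + b"\r\n" + head + b"\r\n\r\n" + data
            + b"\r\n--" + boundary + b"--\r\n")

def extract_files(body: bytes, boundary: bytes = BOUNDARY):
    """Return (filename, raw bytes) per file part. Minimal splitter, not a full parser."""
    files = []
    for seg in (b"\r\n" + body).split(b"\r\n--" + boundary)[1:]:
        if seg.startswith(b"--"):      # closing delimiter reached
            break
        head, _, data = seg.partition(b"\r\n\r\n")
        m = re.search(rb'filename="([^"]*)"', head)
        if m:
            files.append((m.group(1).decode(), data))
    return files

def make_samples():
    """Constructed inputs: one payload as gzip and as a ZIP archive."""
    payload = b"constructed test payload, not a real signature match\n"
    gz = gzip.compress(payload, mtime=0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("sample.txt", payload)
    return payload, gz, buf.getvalue()

if __name__ == "__main__":
    payload, gz, zp = make_samples()
    print("raw gzip         :", detect_type(gz))
    print("gzip in multipart:", detect_type(build_upload("sample.gz", gz)))
    print("zip in multipart :", detect_type(build_upload("sample.zip", zp)))
    name, data = extract_files(build_upload("sample.gz", gz))[0]
    print("extracted part   :", name, detect_type(data))
```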



