[clamav-users] TCP FIN Packet Received Before Data

Cory Parrish cory.parrish at strivenine.com
Mon May 8 20:43:51 UTC 2017


Thanks for the response, Steven. I will get the information that you are
looking for.

What I have done in the meantime is set up a retry of the scan with a 50 ms
delay until I receive an expected response (i.e. a non-FIN packet). What I
have found is that I always eventually get the expected response within 10
tries.

*Is There A Timing Issue?*
I am immediately sending data after I get an ack back that I am connected
on the socket. So I don't think there is a timing issue but it would be
nice to find a way to test this. Do you know if there is a configuration I
can set to increase this wait time? I haven't seen one in the
configurations.

Thanks again for your help!!

On Mon, May 8, 2017 at 4:32 PM, Steven Morgan <smorgan at sourcefire.com>
wrote:

> Cory,
>
> If you can capture the tcp network traffic for a successful and a failed
> session and send me the pcap files, I'd be glad to take a look at them.
>
> I have noticed that clamd only allows a short delay following tcp
> connection establishment before receiving a clamd command or else it sends
> a fin. Is it possible that there is a timing issue?
>
> Steve
>
> On Mon, May 8, 2017 at 11:35 AM, Cory Parrish <cory.parrish at strivenine.com>
> wrote:
>
> > Hello, I'm trying to stream a file to clamav (V 0.99.2) using the TCP
> > Connection from a NodeJS server. Sometimes data is being sent back but
> > other times I am receiving the "FIN" packet before any data. Every time I
> > send a stream to be scanned, I see the result in the clamav logs, but for
> > some reason the result is not getting sent back on the socket consistently.
> > Oddly enough, if I make clamav send back an error response, I will get the
> > response 100% of the time. I only see inconsistency when clamav executes
> > the scan successfully, both when it finds a virus and when it does not find
> > a virus.
> >
> > *A couple things that I have tried:*
> >
> > 1. I was wondering if this happens on very small files. So I increased the
> > size of the file to over 500k and I still saw the same results.
> >
> > 2. Next I was wondering if it might happen when clamav uses its cache to
> > determine that a file has already been scanned. So I changed the
> > DisableCache configuration to 'yes' and still saw the same thing.
> >
> > Has anyone seen a problem like this in the past? Are there tests proving
> > the socket communication is working correctly? Please let me know what
> > information you would need to assist.
> >
> > *Attachments*
> > clamd.conf - configuration used for the clam daemon.
> > test-file.txt - the file I am streaming to clamav.
> >
> > Thanks so much for any help you can provide!
> >
> > --
> > Cory Parrish
> > Owner, Developer, and Fellow Geek
> > StriveNine
> >
> > _______________________________________________
> > clamav-users mailing list
> > clamav-users at lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
> >



-- 
Cory Parrish
Owner, Developer, and Fellow Geek
StriveNine
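
The setup discussed in this thread, as an added example that is not code from either poster or from the ClamAV project: a Node.js client that writes clamd's `zINSTREAM` command and the length-prefixed stream in the connect callback, records whether any reply bytes arrived before the FIN, and retries only the empty case with the 50 ms delay and 10-try bound mentioned above. The function names, the 127.0.0.1:3310 address and the 10-second socket timeout are assumptions.

```javascript
const net = require('net');

// Frame data for clamd's INSTREAM command: "zINSTREAM\0", then chunks of
// <4-byte big-endian length><data>, ended by a zero-length chunk.
function buildInstream(data, chunkSize = 64 * 1024) {
  const parts = [Buffer.from('zINSTREAM\0')];
  for (let off = 0; off < data.length; off += chunkSize) {
    const chunk = data.subarray(off, off + chunkSize);
    const len = Buffer.alloc(4);
    len.writeUInt32BE(chunk.length);
    parts.push(len, chunk);
  }
  parts.push(Buffer.alloc(4)); // zero-length chunk terminates the stream
  return Buffer.concat(parts);
}

// Classify whatever arrived before the peer closed the connection.
function parseReply(buf) {
  if (buf.length === 0) return { status: 'empty' }; // FIN before any data
  const text = buf.toString('utf8').replace(/\0+$/, '').trim();
  if (text.endsWith(' OK')) return { status: 'clean', text };
  if (text.endsWith(' FOUND')) return { status: 'infected', text };
  return { status: 'error', text };
}

// One attempt: send command and stream as soon as the socket connects,
// then collect every byte until the connection closes.
function scanOnce(data, host, port) {
  return new Promise((resolve, reject) => {
    const received = [];
    const sock = net.connect({ host, port }, () => sock.write(buildInstream(data)));
    sock.setTimeout(10000, () => sock.destroy(new Error('clamd timeout')));
    sock.on('data', (d) => received.push(d));
    sock.on('error', reject);
    sock.on('close', () => resolve(parseReply(Buffer.concat(received))));
  });
}

// Retry only the "empty" case; the attempt number is returned so the
// frequency of empty replies can be logged. Host and port are assumed values.
async function scan(data, host = '127.0.0.1', port = 3310, tries = 10, delayMs = 50) {
  for (let attempt = 1; attempt <= tries; attempt++) {
    const result = await scanOnce(data, host, port);
    if (result.status !== 'empty') return { ...result, attempt };
    await new Promise((r) => setTimeout(r, delayMs));
  }
  return { status: 'empty', attempt: tries };
}
```

Logging the returned `attempt` alongside a packet capture of the same session shows whether empty replies line up with the FIN described in the thread.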
