[clamav-users] TCP FIN Packet Received Before Data

Cory Parrish cory.parrish at strivenine.com
Mon May 8 21:07:27 UTC 2017


Please find the pcap file attached. This particular run had 19 failures and
then the 20th time I received the expected response. I'll analyze it on my
end too but don't have much experience at this so a little help is
definitely appreciated.

On Mon, May 8, 2017 at 4:43 PM, Cory Parrish <cory.parrish at strivenine.com>
wrote:

> Thanks for the response Steven. I will get the information that you are
> looking for.
>
> What I have done in the meantime is set up a retry of the scan with a 50
> ms delay until I receive an expected response (i.e. non FIN packet). What I
> have found is that I always eventually get the expected response within 10
> tries.
>
> *Is There A Timing Issue?*
> I am immediately sending data after I get an ack back that I am connected
> on the socket. So I don't think there is a timing issue but it would be
> nice to find a way to test this. Do you know if there is a configuration I
> can set to increase this wait time? I haven't seen one in the
> configurations.
>
> Thanks again for your help!!
>
> On Mon, May 8, 2017 at 4:32 PM, Steven Morgan <smorgan at sourcefire.com>
> wrote:
>
>> Cory,
>>
>> If you can capture the tcp network traffic for a successful and a failed
>> session and send me the pcap files, I'd be glad to take a look at them.
>>
>> I have noticed that clamd only allows a short delay following tcp
>> connection establishment before receiving a clamd command or else it sends
>> a fin. Is it possible that there is a timing issue?
>>
>> Steve
>>
>> On Mon, May 8, 2017 at 11:35 AM, Cory Parrish <cory.parrish at strivenine.com>
>> wrote:
>>
>> > Hello, I'm trying to stream a file to clamav (V 0.99.2) using the TCP
>> > Connection from a NodeJS server. Sometimes data is being sent back but
>> > other times I am receiving the "FIN" packet before any data. Every time I
>> > send a stream to be scanned, I see the result in the clamav logs, but for
>> > some reason the result is not getting sent back on the socket consistently.
>> > Oddly enough, if I make clamav send back an error response, I will get the
>> > response 100% of the time. I only see inconsistency when clamav executes
>> > the scan successfully, both when it finds a virus and when it does not find
>> > a virus.
>> >
>> > *A couple things that I have tried:*
>> >
>> > 1. I was wondering if this happens on very small files. So I increased the
>> > size of the file to over 500k and I still saw the same results.
>> >
>> > 2. Next I was wondering if it might happen when clamav uses its cache to
>> > determine that a file has already been scanned. So I changed the
>> > DisableCache configuration to 'yes' and still saw the same thing.
>> >
>> > Has anyone seen a problem like this in the past? Are there tests proving
>> > the socket communication is working correctly? Please let me know what
>> > information you would need to assist.
>> >
>> > *Attachments*
>> > clamd.conf - configuration used for the clam daemon.
>> > test-file.txt - the file I am streaming to clamav.
>> >
>> > Thanks so much for any help you can provide!
>> >
>> > --
>> > Cory Parrish
>> > Owner, Developer, and Fellow Geek
>> > StriveNine
>> >
>> > _______________________________________________
>> > clamav-users mailing list
>> > clamav-users at lists.clamav.net
>> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>> >
>> >
>> > Help us build a comprehensive ClamAV guide:
>> > https://github.com/vrtadmin/clamav-faq
>> >
>> > http://www.clamav.net/contact.html#ml
>> >
>
>
>
> --
> Cory Parrish
> Owner, Developer, and Fellow Geek
> StriveNine
>



-- 
Cory Parrish
Owner, Developer, and Fellow Geek
StriveNine
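
The exchange discussed in this thread, as an added example that is not part of the original messages or ClamAV's own code: a Node.js client for clamd's INSTREAM command that sends the command and data in a single write as soon as the connection is up, then buffers the reply until the peer closes. It assumes INSTREAM is the command in use and that clamd listens on 127.0.0.1:3310; `frameInstream`, `parseReply` and `scanBuffer` are hypothetical names.

```javascript
const net = require('net');

// Build the full INSTREAM request: "zINSTREAM\0", then each chunk as
// <4-byte big-endian length><data>, then a zero-length chunk as terminator.
function frameInstream(data, chunkSize = 64 * 1024) {
  const parts = [Buffer.from('zINSTREAM\0', 'ascii')];
  for (let off = 0; off < data.length; off += chunkSize) {
    const chunk = data.subarray(off, off + chunkSize);
    const len = Buffer.alloc(4);
    len.writeUInt32BE(chunk.length, 0);
    parts.push(len, chunk);
  }
  parts.push(Buffer.alloc(4)); // four zero bytes end the stream
  return Buffer.concat(parts);
}

// Classify a reply such as "stream: OK\0" or "stream: <name> FOUND\0".
// An empty reply means the peer closed without sending any data.
function parseReply(raw) {
  const text = raw.toString('utf8').replace(/\0+$/, '').trim();
  if (text === '') return { status: 'EMPTY', text };
  if (/ OK$/.test(text)) return { status: 'CLEAN', text };
  const m = / (\S+) FOUND$/.exec(text);
  if (m) return { status: 'INFECTED', signature: m[1], text };
  return { status: 'ERROR', text };
}

// Host, port and timeout are assumptions; adjust to the clamd.conf in use.
function scanBuffer(data, { host = '127.0.0.1', port = 3310, timeoutMs = 30000 } = {}) {
  return new Promise((resolve, reject) => {
    const received = [];
    // Write the whole framed request in the connect callback, with no delay.
    const sock = net.createConnection({ host, port }, () => sock.write(frameInstream(data)));
    sock.setTimeout(timeoutMs, () => sock.destroy(new Error('clamd timeout')));
    // Keep every 'data' chunk and only decide once 'end' (the peer's FIN) arrives.
    sock.on('data', (d) => received.push(d));
    sock.on('end', () => resolve(parseReply(Buffer.concat(received))));
    sock.on('error', reject);
  });
}
```

A result of `EMPTY` from `scanBuffer` corresponds to the case described above, a FIN with no reply data, and can be logged together with a packet capture of the same session.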
