LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-27-2009, 10:45 PM   #1
suhas!
mod_clamav does not detect virus


Hi,

I have installed mod_clamav + proftpd. I am trying to test mod_clamav functionality by uploading an infected file. But the problem is that mod_clamav does not detect any infection in the file, whereas if I manually run clamdscan against that file, it shows the file is infected. Proftpd and Clamd are installed on the same machine.

==========
Proftpd Debug Output
==========

desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching PRE_CMD command 'PORT 192,168,6,213,16,60' to mod_core
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching PRE_CMD command 'PORT 192,168,6,213,16,60' to mod_core
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching CMD command 'PORT 192,168,6,213,16,60' to mod_core
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - in dir_check_full(): path = '/', fullpath = '/home/ftpuser1/'.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching LOG_CMD command 'PORT 192,168,6,213,16,60' to mod_log
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching PRE_CMD command 'STOR clam.pdf' to mod_core
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching PRE_CMD command 'STOR clam.pdf' to mod_core
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching PRE_CMD command 'STOR clam.pdf' to mod_xfer
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - in dir_check_full(): path = '/clam.pdf', fullpath = '/home/ftpuser1/clam.pdf'.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - in dir_check_full(): setting umask to 0022 (was 0022)
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching CMD command 'STOR clam.pdf' to mod_xfer
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ROOT PRIVS at inet.c:336
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ROOT PRIVS: ID switching disabled
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - PRIVS_RELINQUISH: ID switching disabled
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - active data connection opened - local : ::ffff:192.168.7.238:20
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - active data connection opened - remote : ::ffff:192.168.6.213:4156
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - session.chroot_path is '/home/ftpuser1'.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - session.xfer.path is '/clam.pdf'.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ClamMinSize=0 ClamMaxSize=262144000 Filesize=7074
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - Going to virus scan absolute filename = '/home/ftpuser1/clam.pdf' with relative filename = '/clam.pdf'.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - mod_clamav/0.10: Connecting to remote Clamd host '127.0.0.1' on port 3310
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ROOT PRIVS at mod_clamav.c:252
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ROOT PRIVS: ID switching disabled
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - PRIVS_RELINQUISH: ID switching disabled
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - Successfully reconnected to Clamd.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - No virus detected in filename = '/home/ftpuser1/clam.pdf'.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching POST_CMD command 'STOR clam.pdf' to mod_xfer
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching LOG_CMD command 'STOR clam.pdf' to mod_log
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching LOG_CMD command 'STOR clam.pdf' to mod_xfer
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - Transfer completed: 7074 bytes in 0.00 seconds
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ProFTPD terminating (signal 2)
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - error deleting scoreboard entry: Operation not permitted
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - mod_clamav/0.10: debug: disconnected from Clamd
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ROOT PRIVS at mod_auth_pam.c:167
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ROOT PRIVS: ID switching disabled
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - PRIVS_RELINQUISH: ID switching disabled
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - FTP session closed.



=============
Clamdscan command output
=============

[root@desktop1.test.com proftpd]# clamdscan /home/ftpuser1/clam.pdf
/home/ftpuser1/clam.pdf: ClamAV-Test-File FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.004 sec (0 m 0 s)

========================================================



My system config is as below :

OS : CentOS release 5 (Final)
Proftpd : ProFTPD Version 1.3.2rc4
mod_clamav : 0.10
Clamd Version: 0.95.2-4.el5.rf



I followed these steps to install mod_clamav --
http://www.thrallingpenguin.com/reso...mod_clamav.htm


Can someone please tell me why mod_clamav is not able to detect the infection?

Thanks in advance
 
Old 07-28-2009, 05:05 AM   #2
unSpawn
Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place. Your mutilated duplicate thread should be closed. Removing the text from the OP like you did in http://www.linuxquestions.org/questi...-virus-742796/ makes that thread worthless to all, a waste of LQ's resources and the time of those who have to deal with it. Please do not single-handedly decide to "move" your thread: instead, ask the moderators to move the thread for you using the "Report" button. Please check out the LQ Rules (rule #7), Please ask specific questions and How to Use LinuxQuestions.org.
 
Old 07-28-2009, 10:14 AM   #3
suhas!
Original Poster
Firstly, apologies for the mistake.

Initially, I wanted to rename the OP subject, but I didn't find any option there to rename it, hence I cleared the post and started another thread with the proper subject.


Anyway, the problem I was facing has been resolved. All I needed to do was install the latest version of mod_clamav.

However, I am using mod_sftp with proftpd. When I keep SFTPEngine turned off, mod_clamav does scan files properly. But when I turn SFTPEngine on, files are not scanned at all.

============
Proftpd debug output
============



desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching LOG_CMD_ERR command 'REALPATH /clam.pdf' to mod_log
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching LOG_CMD command 'REALPATH /' to mod_log
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching PRE_CMD command 'STOR /clam.pdf' to mod_core
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching PRE_CMD command 'STOR /clam.pdf' to mod_core
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching PRE_CMD command 'STOR /clam.pdf' to mod_xfer
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - in dir_check_full(): path = '/clam.pdf', fullpath = '/home/ftpuser1/clam.pdf'.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - in dir_check_full(): setting umask to 0022 (was 0022)
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching LOG_CMD command 'OPEN /clam.pdf' to mod_log
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - in dir_check_full(): path = '/clam.pdf', fullpath = '/home/ftpuser1/clam.pdf'.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - in dir_check_full(): setting umask to 0022 (was 0022)
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching LOG_CMD command 'WRITE q68CwS' to mod_log
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - in dir_check_full(): path = '/clam.pdf', fullpath = '/home/ftpuser1/clam.pdf'.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - in dir_check_full(): setting umask to 0022 (was 0022)
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching LOG_CMD command 'WRITE q68CwS' to mod_log
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching POST_CMD command 'STOR /clam.pdf' to mod_xfer
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching LOG_CMD command 'STOR /clam.pdf' to mod_log
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching LOG_CMD command 'STOR /clam.pdf' to mod_xfer
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - Transfer completed: 7277 bytes in 0.15 seconds
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching LOG_CMD command 'CLOSE q68CwS' to mod_log
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - Client session idle timeout, disconnected
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - mod_sftp/0.9.6: scrubbing 2 passphrases from memory
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ROOT PRIVS at mod_auth_pam.c:167
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ROOT PRIVS: ID switching disabled
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - PRIVS_RELINQUISH: ID switching disabled
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - SFTP session closed.

==============


Appreciate any help !!


Regards.
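Comparing the two debug logs in this thread, the FTP upload shows "Going to virus scan" and "No virus detected" lines between the STOR command and its POST_CMD, while the SFTP upload (OPEN/WRITE/CLOSE through mod_sftp) completes the transfer with no scan lines at all. The following is an added example, not the poster's code or anything from proftpd or mod_clamav, that audits proftpd debug output for completed STOR uploads that were never handed to the scanner, so this gap can be spotted from logs rather than by re-testing by hand. The sample log lines are constructed excerpts modelled on the ones posted above; the function names and the result fields are assumptions of the example.

```python
import re

# proftpd debug messages that mark the stages of an upload (patterns taken from the posted logs)
STOR_DONE_RE = re.compile(r"dispatching POST_CMD command 'STOR (?P<path>[^']+)'")
SCAN_START_RE = re.compile(r"Going to virus scan absolute filename = '(?P<path>[^']+)'")
SCAN_CLEAN_RE = re.compile(r"No virus detected in filename = '(?P<path>[^']+)'")
SESSION_END_RE = re.compile(r"(?P<proto>FTP|SFTP) session closed")

# Constructed sample: a trimmed FTP session followed by a trimmed SFTP session,
# both modelled on the debug output in this thread.
SAMPLE_LOG = """\
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching CMD command 'STOR clam.pdf' to mod_xfer
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ClamMinSize=0 ClamMaxSize=262144000 Filesize=7074
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - Going to virus scan absolute filename = '/home/ftpuser1/clam.pdf' with relative filename = '/clam.pdf'.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - No virus detected in filename = '/home/ftpuser1/clam.pdf'.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching POST_CMD command 'STOR clam.pdf' to mod_xfer
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - Transfer completed: 7074 bytes in 0.00 seconds
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - FTP session closed.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching PRE_CMD command 'STOR /clam.pdf' to mod_xfer
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching LOG_CMD command 'OPEN /clam.pdf' to mod_log
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching LOG_CMD command 'WRITE q68CwS' to mod_log
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching POST_CMD command 'STOR /clam.pdf' to mod_xfer
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - Transfer completed: 7277 bytes in 0.15 seconds
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - SFTP session closed.
"""


def audit_upload_scans(log_text: str) -> list:
    """Walk proftpd debug output and return one record per completed STOR:
    {'path', 'scanned', 'verdict', 'protocol'}. 'scanned' is True only if a
    mod_clamav "Going to virus scan" line was seen before that STOR's POST_CMD."""
    findings = []
    pending = []        # uploads of the current session, protocol not yet known
    scan_seen = False
    verdict = None
    for raw in log_text.splitlines():
        # debug lines look like '<host> (<addr>) - <message>'; keep only the message part
        msg = raw.split(" - ", 1)[1] if " - " in raw else raw
        if SCAN_START_RE.search(msg):
            scan_seen = True
        elif SCAN_CLEAN_RE.search(msg):
            verdict = "clean"
        elif (m := STOR_DONE_RE.search(msg)):
            pending.append({
                "path": m.group("path"),
                "scanned": scan_seen,
                "verdict": verdict if scan_seen else None,
                "protocol": None,
            })
            scan_seen, verdict = False, None
        elif (m := SESSION_END_RE.search(msg)):
            # the session type is only logged at teardown, so label the buffered uploads now
            for rec in pending:
                rec["protocol"] = m.group("proto")
            findings.extend(pending)
            pending = []
    for rec in pending:        # session never closed cleanly in this excerpt
        rec["protocol"] = "unknown"
    findings.extend(pending)
    return findings


def unscanned_uploads(findings: list) -> list:
    """Uploads that completed without mod_clamav ever being invoked."""
    return [rec for rec in findings if not rec["scanned"]]


if __name__ == "__main__":
    for rec in audit_upload_scans(SAMPLE_LOG):
        flag = "" if rec["scanned"] else "  <-- never scanned"
        print(f"{rec['protocol']:5} {rec['path']:20} scanned={rec['scanned']} verdict={rec['verdict']}{flag}")
```

Feeding a real debug log in on stdin instead of SAMPLE_LOG is a one-line change; any record with `scanned=False` is a transfer that reached disk without the module being called, which is the condition the SFTP log above shows.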
 
  