Hi,
I have installed mod_clamav + proftpd. I am trying to test mod_clamav functionality by uploading an infected file. But the problem is that mod_clamav does not detect any infection in the file, whereas if I manually run clamdscan against that file, it shows the file is infected. Proftpd and Clamd are installed on the same machine.
==========
Proftpd Debug Output
==========
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching PRE_CMD command 'PORT 192,168,6,213,16,60' to mod_core
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching PRE_CMD command 'PORT 192,168,6,213,16,60' to mod_core
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching CMD command 'PORT 192,168,6,213,16,60' to mod_core
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - in dir_check_full(): path = '/', fullpath = '/home/ftpuser1/'.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching LOG_CMD command 'PORT 192,168,6,213,16,60' to mod_log
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching PRE_CMD command 'STOR clam.pdf' to mod_core
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching PRE_CMD command 'STOR clam.pdf' to mod_core
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching PRE_CMD command 'STOR clam.pdf' to mod_xfer
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - in dir_check_full(): path = '/clam.pdf', fullpath = '/home/ftpuser1/clam.pdf'.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - in dir_check_full(): setting umask to 0022 (was 0022)
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching CMD command 'STOR clam.pdf' to mod_xfer
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ROOT PRIVS at inet.c:336
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ROOT PRIVS: ID switching disabled
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - PRIVS_RELINQUISH: ID switching disabled
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - active data connection opened - local : ::ffff:192.168.7.238:20
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - active data connection opened - remote : ::ffff:192.168.6.213:4156
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - session.chroot_path is '/home/ftpuser1'.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - session.xfer.path is '/clam.pdf'.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ClamMinSize=0 ClamMaxSize=262144000 Filesize=7074
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - Going to virus scan absolute filename = '/home/ftpuser1/clam.pdf' with relative filename = '/clam.pdf'.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - mod_clamav/0.10: Connecting to remote Clamd host '127.0.0.1' on port 3310
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ROOT PRIVS at mod_clamav.c:252
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ROOT PRIVS: ID switching disabled
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - PRIVS_RELINQUISH: ID switching disabled
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - Successfully reconnected to Clamd.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - No virus detected in filename = '/home/ftpuser1/clam.pdf'.
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching POST_CMD command 'STOR clam.pdf' to mod_xfer
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching LOG_CMD command 'STOR clam.pdf' to mod_log
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - dispatching LOG_CMD command 'STOR clam.pdf' to mod_xfer
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - Transfer completed: 7074 bytes in 0.00 seconds
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ProFTPD terminating (signal 2)
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - error deleting scoreboard entry: Operation not permitted
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - mod_clamav/0.10: debug: disconnected from Clamd
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ROOT PRIVS at mod_auth_pam.c:167
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - ROOT PRIVS: ID switching disabled
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - PRIVS_RELINQUISH: ID switching disabled
desktop1.test.com (::ffff:192.168.6.213[::ffff:192.168.6.213]) - FTP session closed.
=============
Clamdscan command output
=============
[root@desktop1.test.com proftpd]# clamdscan /home/ftpuser1/clam.pdf
/home/ftpuser1/clam.pdf: ClamAV-Test-File FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.004 sec (0 m 0 s)
========================================================
My system config is as below :
OS : CentOS release 5 (Final)
Proftpd : ProFTPD Version 1.3.2rc4
mod_clamav : 0.10
Clamd Version: 0.95.2-4.el5.rf
I followed these steps to install mod_clamav --
http://www.thrallingpenguin.com/reso...mod_clamav.htm
Can someone please tell me why mod_clamav is not able to detect the infection?
Thanks in advance
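
A way to see what clamd itself answers on the TCP endpoint shown in the debug output (127.0.0.1:3310) for the same absolute path, as an added example that is not part of the original post and not mod_clamav's code. It assumes clamd accepts the newline-delimited `nSCAN` command on that listener; the function names are hypothetical.

```python
import socket
import sys


def classify_reply(reply):
    """Split one clamd SCAN reply line into (path, status, detail)."""
    line = reply.strip("\0\r\n ")
    for status in ("FOUND", "ERROR"):
        if line.endswith(" " + status):
            # Reply shape: "<path>: <signature or message> <STATUS>"
            path, _, detail = line[: -len(status) - 1].partition(": ")
            return path, status, detail
    if line.endswith(": OK"):
        return line[:-4], "OK", ""
    return "", "UNKNOWN", line


def is_clean(status):
    """Fail closed: an ERROR or unparseable reply is not a clean verdict."""
    return status == "OK"


def clamd_scan(path, host="127.0.0.1", port=3310, timeout=10.0):
    """Ask clamd over TCP to scan a path on the clamd host's filesystem."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"nSCAN " + path.encode() + b"\n")
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return classify_reply(buf.decode("utf-8", "replace"))


if __name__ == "__main__":
    # Path taken from the debug output above; override on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "/home/ftpuser1/clam.pdf"
    path, status, detail = clamd_scan(target)
    print(f"{path or target}: {status} {detail}".rstrip())
    sys.exit(0 if is_clean(status) else 1)
```

Run on the server as the user ProFTPD runs as; a reply other than FOUND for the test file means the TCP scan path differs from what clamdscan exercised.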