|
mod_clamav doesn`t scan zip-Files
What is wrong ?
I wanted to test my mod_clamav with: http://www.eicar.org/anti_virus_test_file.htm The eicar.com 68 Bytes a virus is found ! The eicar.com.txt 68 Bytes a virus is found ! eicar_com.zip 184 Bytes NO virus found ! eicarcom2.zip 308 Bytes NO virus found ! Why is that ? I activated log and this is the output: [25/Jan/2007:17:22:04 +0100] INFECTED text/html Eicar-Test-Signature request="GET http://www.eicar.org/download/eicar.com.txt HTTP/1.1", status=200, sent=329, delay=89749 [25/Jan/2007:17:22:05 +0100] INFECTED text/html Eicar-Test-Signature request="GET http://www.eicar.org/download/eicar.com HTTP/1.1", status=200, sent=325, delay=95966 [25/Jan/2007:17:21:52 +0100] passed application/zip - request="GET http://www.eicar.org/download/eicarcom2.zip HTTP/1.1", status=200, sent=308, delay=238914 So the zip File is passed!!! Why is that ? If I do: # wget http://www.eicar.org/download/eicarcom2.zip --17:23:21-- http://www.eicar.org/download/eicarcom2.zip => `eicarcom2.zip.1' Auflösen des Hostnamen »www.eicar.org«.... 88.198.38.136 Verbindungsaufbau zu www.eicar.org[88.198.38.136]:80... verbunden. HTTP Anforderung gesendet, warte auf Antwort... 200 OK Länge: 308 [application/zip] 100%[==================================================================================================== =============>] 308 --.--K/s 17:23:21 (94.47 KB/s) - »eicarcom2.zip.1« gespeichert [308/308] # clamscan eicarcom2.zip eicarcom2.zip: Eicar-Test-Signature FOUND ----------- SCAN SUMMARY ----------- Known viruses: 87347 Engine version: 0.88.7 Scanned directories: 0 Scanned files: 1 Infected files: 1 Data scanned: 0.00 MB Time: 1.958 sec (0 m 1 s) This Virus is found !!! Here my clamd.conf # grep -v "#" clamd.conf| grep -v ^$ LogFile /var/log/clamd LogFileMaxSize 2M LogTime LogSyslog LogFacility LOG_MAIL PidFile /var/lib/clamav/clamd.pid TemporaryDirectory /tmp FixStaleSocket TCPSocket 3310 TCPAddr 127.0.0.1 User vscan Foreground ScanArchive ScanRAR ArchiveMaxRecursion 9 ArchiveBlockEncrypted Can somebody please help ? Maybe something wrong with the build ? Does mod_clamav have something like configure --with-zip-uncompress ???? Thanks |
I don't know what's wrong but in your info there's missing some stuff, like your mod_clamav Apache conf and any Apache err/access log entries. Maybe adding those could help.
|
here it is!
=============================================================
Listen 8080 ProxyRequests On ProxyVia On ClamavMode local default-server.conf #LOG FUER CLAMAVAPACHE ClamavExtendedLogging On LogFormat "%t %!304{clamav:status}n \ %{Content-type}o \ %{clamav:virusname}n request=\"%r\", \ status=%>s, sent=%!304b, delay=%!304D" \ clamav_stats CustomLog /var/log/apachescan.log clamav_stats ClamavTmpDir /usr/clamav-ramdisk/ ClamavDbDir /var/lib/clamav #ClamavSafeTypes image/gif image/jpeg image/png #ClamavSizelimit 5000000 ClamavReloadInterval 3600 <Proxy *> Order deny,allow SetOutputFilter CLAMAV Deny from all Allow from xxxxxxxxxxxx </Proxy> ============================================================= |
Any Apache err/access log entries?
|
no
its empty!
Nothing! Quote:
|
Installed deps httpd-devel and clamav-devel.
Compiled mod_clamav-0.21.tar.gz with --with-apxs=/usr/sbin/apxs and installed it (some warnings but it works). Configured httpd-2.0.46-61's httpd.conf with the Proxy directives. Added a conf.d/mod_clamav.conf similar to your conf. Made tempdir /tmp/mod_clamav (u:apache,g:apache,m:1700). Checked clamd.conf: *by default* stuff like ScanArchive is *on*. The only difference is my clamav user is called "clamav", but that doesn't matter since it runs in the Apache process space. Tried the EICAR tests and I (w)get: Code:
INFECTED text/html Eicar-Test-Signature request="GET http://www.eicar.org/download/eicar.com.txt HTTP/1.0", 200Bummer. No problem here. The mod_clamav docs say: Quote:
|
I got it
Well....
I just recompiled the mod and it works fine....Maybe I just oversleped a kernel update ??? Quote:
|
| All times are GMT -5. The time now is 05:29 AM. |