LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-25-2007, 10:25 AM   #1
saavik
Member
 
Registered: Nov 2001
Location: NRW, Germany
Distribution: SLES / FC/ OES / CentOS
Posts: 614

Rep: Reputation: 32
mod_clamav doesn't scan zip files


What is wrong?

I wanted to test my mod_clamav with:

http://www.eicar.org/anti_virus_test_file.htm

eicar.com, 68 bytes: a virus is found!
eicar.com.txt, 68 bytes: a virus is found!

eicar_com.zip, 184 bytes: NO virus found!
eicarcom2.zip, 308 bytes: NO virus found!

Why is that?

I activated the log and this is the output:


[25/Jan/2007:17:22:04 +0100] INFECTED text/html Eicar-Test-Signature request="GET http://www.eicar.org/download/eicar.com.txt HTTP/1.1", status=200, sent=329, delay=89749
[25/Jan/2007:17:22:05 +0100] INFECTED text/html Eicar-Test-Signature request="GET http://www.eicar.org/download/eicar.com HTTP/1.1", status=200, sent=325, delay=95966
[25/Jan/2007:17:21:52 +0100] passed application/zip - request="GET http://www.eicar.org/download/eicarcom2.zip HTTP/1.1", status=200, sent=308, delay=238914

So the zip file is passed!!!

Why is that?

If I do:

# wget http://www.eicar.org/download/eicarcom2.zip
--17:23:21-- http://www.eicar.org/download/eicarcom2.zip
=> `eicarcom2.zip.1'
Auflösen des Hostnamen »www.eicar.org«.... 88.198.38.136
Verbindungsaufbau zu www.eicar.org[88.198.38.136]:80... verbunden.
HTTP Anforderung gesendet, warte auf Antwort... 200 OK
Länge: 308 [application/zip]

100%[==================================================================================================== =============>] 308 --.--K/s

17:23:21 (94.47 KB/s) - »eicarcom2.zip.1« gespeichert [308/308]

# clamscan eicarcom2.zip
eicarcom2.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 87347
Engine version: 0.88.7
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Time: 1.958 sec (0 m 1 s)

This virus is found!!!

Here is my clamd.conf:

# grep -v "#" clamd.conf| grep -v ^$
LogFile /var/log/clamd
LogFileMaxSize 2M
LogTime
LogSyslog
LogFacility LOG_MAIL
PidFile /var/lib/clamav/clamd.pid
TemporaryDirectory /tmp
FixStaleSocket
TCPSocket 3310
TCPAddr 127.0.0.1
User vscan
Foreground
ScanArchive
ScanRAR
ArchiveMaxRecursion 9
ArchiveBlockEncrypted


Can somebody please help?

Maybe something is wrong with the build? Does mod_clamav have something like configure --with-zip-uncompress?

Thanks
 
Old 01-28-2007, 07:36 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I don't know what's wrong, but some stuff is missing from your info, like your mod_clamav Apache conf and any Apache err/access log entries. Maybe adding those could help.
 
Old 01-29-2007, 01:06 AM   #3
saavik
Original Poster
Here it is!

=============================================================
Listen 8080

ProxyRequests On
ProxyVia On

ClamavMode local
default-server.conf


# LOG FOR CLAMAV APACHE

ClamavExtendedLogging On
LogFormat "%t %!304{clamav:status}n \
%{Content-type}o \
%{clamav:virusname}n request=\"%r\", \
status=%>s, sent=%!304b, delay=%!304D" \
clamav_stats
CustomLog /var/log/apachescan.log clamav_stats

ClamavTmpDir /usr/clamav-ramdisk/
ClamavDbDir /var/lib/clamav
#ClamavSafeTypes image/gif image/jpeg image/png
#ClamavSizelimit 5000000
ClamavReloadInterval 3600

<Proxy *>
Order deny,allow
SetOutputFilter CLAMAV
Deny from all
Allow from xxxxxxxxxxxx
</Proxy>
=============================================================
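A small checker for the clamav_stats log format above, added here as an example (it is not from the thread or from mod_clamav): it parses lines written in that LogFormat and flags archive content types that were "passed" with no virus name, which is exactly the symptom in post #1. The sample lines are the three from post #1 plus one constructed 304 entry (host proxy.example is made up); the list of archive content types is an assumption.

```python
"""Parse mod_clamav clamav_stats log lines and flag archive downloads that
were passed unscanned. Added example; not from the thread or mod_clamav."""
import re
from collections import Counter

# Field order follows the LogFormat from post #3:
# %t %!304{clamav:status}n %{Content-type}o %{clamav:virusname}n
# request="%r", status=%>s, sent=%!304b, delay=%!304D
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<status>\S+) (?P<ctype>.+) (?P<virus>\S+) '
    r'request="(?P<request>[^"]*)", status=(?P<http>\d+), '
    r'sent=(?P<sent>\d+|-), delay=(?P<delay>\d+|-)$'
)

# Assumed list of archive types the filter is expected to unpack; an EICAR
# archive served with one of these must log INFECTED, never "passed".
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed",
                 "application/x-rar-compressed", "application/x-gzip"}

# Constructed sample: the three lines from post #1 plus one 304 response,
# where the !304 conditions turn the scan fields into "-".
SAMPLE_LOG = """\
[25/Jan/2007:17:22:04 +0100] INFECTED text/html Eicar-Test-Signature request="GET http://www.eicar.org/download/eicar.com.txt HTTP/1.1", status=200, sent=329, delay=89749
[25/Jan/2007:17:22:05 +0100] INFECTED text/html Eicar-Test-Signature request="GET http://www.eicar.org/download/eicar.com HTTP/1.1", status=200, sent=325, delay=95966
[25/Jan/2007:17:21:52 +0100] passed application/zip - request="GET http://www.eicar.org/download/eicarcom2.zip HTTP/1.1", status=200, sent=308, delay=238914
[25/Jan/2007:17:25:00 +0100] - - - request="GET http://proxy.example/logo.png HTTP/1.1", status=304, sent=-, delay=-
"""

def parse_line(line):
    """Return the named fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def passed_archives(lines):
    """Archive responses the filter let through with no detection."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        ctype = rec["ctype"].split(";")[0].strip().lower()
        if rec["status"] == "passed" and ctype in ARCHIVE_TYPES:
            hits.append(rec)
    return hits

def summarize(lines):
    """Count lines per clamav:status: INFECTED, passed, or "-" (not scanned)."""
    return Counter(r["status"] for r in filter(None, map(parse_line, lines)))

if __name__ == "__main__":
    for rec in passed_archives(SAMPLE_LOG.splitlines()):
        print("archive passed unscanned:", rec["ctype"], rec["request"])
    print(dict(summarize(SAMPLE_LOG.splitlines())))
```

Run against the real /var/log/apachescan.log, any "archive passed unscanned" line for an EICAR fetch means the filter never unpacked the archive, regardless of what clamscan says about the same file on disk.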
 
Old 01-29-2007, 04:20 AM   #4
unSpawn
Any Apache err/access log entries?
 
Old 01-29-2007, 04:29 AM   #5
saavik
Original Poster
No.

It's empty!

Nothing!


Quote:
127.0.0.1 - - [29/Jan/2007:11:35:21 +0100] "GET http://www.eicar.org/download/eicar_com.zip HTTP/1.0" 200 184 "http://www.eicar.org/anti_virus_test_file.htm" "Mozilla/5.0 (X11; U; Linux i686; de; rv:1.8.0.9) Gecko/20060911 SUSE/1.5.0.9-0.1 Firefox/1.5.0.9"

Last edited by saavik; 02-06-2007 at 08:22 AM.
 
Old 01-29-2007, 05:52 PM   #6
unSpawn
Installed deps httpd-devel and clamav-devel.
Compiled mod_clamav-0.21.tar.gz with --with-apxs=/usr/sbin/apxs and installed it (some warnings but it works).
Configured httpd-2.0.46-61's httpd.conf with the Proxy directives.
Added a conf.d/mod_clamav.conf similar to your conf.
Made tempdir /tmp/mod_clamav (u:apache,g:apache,m:1700).
Checked clamd.conf: *by default* stuff like ScanArchive is *on*. The only difference is my clamav user is called "clamav", but that doesn't matter since it runs in the Apache process space.
Tried the EICAR tests and I (w)get:
Code:
INFECTED text/html Eicar-Test-Signature request="GET http://www.eicar.org/download/eicar.com.txt HTTP/1.0", 200
INFECTED text/html Eicar-Test-Signature request="GET http://www.eicar.org/download/eicar.com HTTP/1.0", 200
INFECTED text/html Eicar-Test-Signature request="GET http://www.eicar.org/download/eicarcom2.zip HTTP/1.0", 200
And the resultant D/L's are the expected HTML Clamav warning.
Bummer. No problem here.

The mod_clamav docs say:
Quote:
Originally Posted by docs
mod_clamav provides very verbose logging, if enabled at compile time. If the preprocessor flag CLAMAV_DEBUG is set to 1 instead of the default 0, additional messages are generated at run time. If you meet a problem running mod_clamav, please try to compile with debugging enabled and run the server with DebugLevel set to debug.
so I think that's gonna be your next step....
 
Old 02-06-2007, 08:39 AM   #7
saavik
Original Poster
I got it!

Well....

I just recompiled the mod and it works fine.... Maybe I just overslept a kernel update???

Quote:
[06/Feb/2007:15:37:08 +0100] INFECTED text/html Eicar-Test-Signature request="GET http://www.eicar.org/download/eicarcom2.zip HTTP/1.0", status=200, sent=329, delay=2137754
 