HTTP Anti-Virus Proxy

Official HAVP Support Forum
Registration disabled, I'm tired of spambots. E-mail havp@hege.li if you have questions.
HAVP project is pretty much frozen/abandoned at this time anyway.
It is currently 22 Jun 2014 09:52

All times are UTC + 2 hours [ DST ]

[ 8 posts ]

PostPosted: 04 Aug 2008 20:00 
Joined: 04 Aug 2008 16:29
Posts: 5
Hi hege!

We are testing HAVP 0.88 (0.89) / ClamAV 0.93.3 for Copfilter and have the issue that the library scanner and the daemon scanner give different results on the same download (you have seen the discussion in the Copfilter dev forum).
The daemon seems to catch malicious content like it should (and HAVP stops further download); the library scanner lets it slip through.
Code:
31/07/2008 16:48:33 127.0.0.1 GET 200 http://argos66.free.fr/copfilter/update-copfilter-1.8.tar.gz 305+7740583 VIRUS Clamd: Exploit.WMF.Gen-1

The command-line scan (clamscan) confirms this (the files seem to be infected).
Code:
./clamdscan /root/update-copfilter-1.8.tar.gz
/root/update-copfilter-1.8.tar.gz: Exploit.WMF.Gen-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 2.579 sec (0 m 2 s)

Remark: The file contains test signatures that trigger the scanner to bark.
The library scanner isn't recognizing this!
With HAVP 0.89 the behavior seems to be unchanged ...

Do you have an idea what might go on here?
Any hints appreciated!

8) Cheers

PostPosted: 04 Aug 2008 20:13 
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
Simply because havp.config has much lower scanning limits, for good reason (performance).

e.g. CLAMMAXFILES

$ clamscan --max-files=50 update-copfilter-1.8.tar.gz
update-copfilter-1.8.tar.gz: OK

Default clamd scans 10000 files.


PostPosted: 04 Aug 2008 20:29 
Joined: 04 Aug 2008 16:29
Posts: 5
That is in fact simple ;-) ...
Thanks, I will test this.

Another example is this file: http://www.mindfusion.eu/XMLViewer.zip.
This is truncated by the library scanner (this seems to happen on a random basis); the daemon has no problems with it.
I must admit that this one seems to be quite exotic, as this is the only known file which triggers this behavior so far.
1. Remark: The file is "clean" and contains one .msi file.
2. Remark: This one really haunts us!
Another idea?

Cheers


PostPosted: 04 Aug 2008 20:41 
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
Yes I was just looking into that too.

It seems ClamAV's OLE2 handling with the same file-limit setting is broken; I'm posting a bug there.

$ clamscan XMLViewer.zip
XMLViewer.zip: OK

$ clamscan --max-files=50 XMLViewer.zip
XMLViewer.zip: Unknown error code
XMLViewer.zip: OK


PostPosted: 04 Aug 2008 22:47 
Joined: 04 Aug 2008 16:29
Posts: 5
I have set CLAMMAXFILES 10000 in havp.config and tried the downloads again with the library scanner (after clearing all caches!):
    1. The file update-copfilter-1.8_lib.tar.gz will still download without problem and in full length, which is bad.
    2. The file XMLViewer.zip seems to download in full length now, which is good.

Regarding the first file: Are there other settings which may be different between the clamd and libclamav in HAVP?


PostPosted: 05 Aug 2008 02:50 
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
welt_am_draht wrote:
Regarding the first file: Are there other settings which may be different between the clamd and libclamav in HAVP?


Sure, but I think you need to paste everything here / check yourself, since I don't know what you currently have..

PS. ClamAV fixed https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1123


PostPosted: 05 Aug 2008 15:26 
Joined: 04 Aug 2008 16:29
Posts: 5
Sorry, I was a bit unspecific ;-). I will try to get the settings of libclamav as close as possible to the settings of clamd and report back on the results.

hege wrote:

So this will make its way into 0.94 I assume.

Cheers


PostPosted: 06 Aug 2008 12:07 
Joined: 04 Aug 2008 16:29
Posts: 5
Some tests later ...

I made the settings of clamd and libclamav as similar as possible, clamd:
Code:
Wed Aug  6 10:46:01 2008 -> Listening daemon: PID: 6851
Wed Aug  6 10:46:01 2008 -> Limits: Global size limit set to 104857600 bytes.
Wed Aug  6 10:46:01 2008 -> Limits: File size limit set to 26214400 bytes.
Wed Aug  6 10:46:01 2008 -> Limits: Recursion level limit set to 16.
Wed Aug  6 10:46:01 2008 -> Limits: Files limit set to 10000.

and libclamav (havp.config):
Code:
CLAMMAXSCANSIZE 100
CLAMMAXFILESIZE 25
CLAMMAXRECURSION 16
CLAMMAXFILES 10000

HAVP runs with ClamAV library:
Code:
06/08/2008 10:46:07 === Starting HAVP Version: 0.89
06/08/2008 10:46:07 Running as user: havp, group: havp
06/08/2008 10:46:08 --- Initializing ClamAV Library Scanner
06/08/2008 10:46:08 ClamAV: Using database directory: /var/log/copfilter/default/opt/clamav/virdb
06/08/2008 10:46:21 ClamAV: Loaded 457951 signatures (engine 0.93.3)
06/08/2008 10:46:21 ClamAV Library Scanner passed EICAR virus test (Eicar-Test-Signature)
06/08/2008 10:46:21 --- All scanners initialized
06/08/2008 10:46:21 Process ID: 7054

And now the "infection" is found and the download of the update pack is truncated ;-)
Code:
06/08/2008 10:48:48 127.0.0.1 GET 200 http://argos66.free.fr/copfilter/update-copfilter-1.8.tar.gz 303+7740583 VIRUS ClamAV: Exploit.WMF.Gen-1

Maybe you've never seen a man happier about a broken download! :lol:
Thanks for your help on these issues and for filing the bug report to the ClamAV team!

8)
Cheers

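The two points this thread turns on are the developer's explanation that havp.config hands libclamav much lower archive limits than a default clamd uses, and the last post's side-by-side of clamd's logged limits against the havp.config values that finally made both scanners agree. The script below is an added example, not part of this thread and not HAVP or ClamAV code: it parses clamd startup log lines and havp.config directives in exactly the formats shown above and reports every limit where the library scanner is stricter than the daemon. Assumptions: CLAMMAXSCANSIZE and CLAMMAXFILESIZE are taken to be in MiB (inferred from the thread's 100 vs 104857600 bytes and 25 vs 26214400 bytes); the sample inputs are constructed from the thread, not live output; the "low" sample uses CLAMMAXFILES 50 only because that is the value the developer used with --max-files to reproduce the miss, not because it is any documented HAVP default; and all function and limit names are this example's own.

```python
"""Compare clamd's effective scan limits with the limits HAVP passes to
libclamav, so the daemon and library scanners cannot silently disagree.

Added example, not HAVP or ClamAV code. Parses the clamd startup log lines
and havp.config directives in the formats shown in the thread.
"""
import re

# Assumption: CLAMMAXSCANSIZE / CLAMMAXFILESIZE are in MiB. The thread's
# 100 -> 104857600 bytes and 25 -> 26214400 bytes imply 1 MiB = 1048576.
MIB = 1024 * 1024

# Constructed sample input: clamd startup log lines (format as in the thread).
CLAMD_LOG = """\
Wed Aug  6 10:46:01 2008 -> Listening daemon: PID: 6851
Wed Aug  6 10:46:01 2008 -> Limits: Global size limit set to 104857600 bytes.
Wed Aug  6 10:46:01 2008 -> Limits: File size limit set to 26214400 bytes.
Wed Aug  6 10:46:01 2008 -> Limits: Recursion level limit set to 16.
Wed Aug  6 10:46:01 2008 -> Limits: Files limit set to 10000.
"""

# Constructed havp.config fragment. CLAMMAXFILES 50 mirrors the developer's
# clamscan --max-files=50 reproduction; it is NOT a documented HAVP default.
HAVP_CONFIG_LOW = """\
# ClamAV library scanner limits (illustrative values)
CLAMMAXSCANSIZE 100
CLAMMAXFILESIZE 25
CLAMMAXRECURSION 16
CLAMMAXFILES 50
"""

# The aligned values from the thread's last post.
HAVP_CONFIG_ALIGNED = """\
CLAMMAXSCANSIZE 100
CLAMMAXFILESIZE 25
CLAMMAXRECURSION 16
CLAMMAXFILES 10000
"""

# Reporting order; these limit names are this example's own.
LIMITS = ("scan_size", "file_size", "recursion", "files")

CLAMD_PATTERNS = {
    "scan_size": re.compile(r"Global size limit set to (\d+) bytes"),
    "file_size": re.compile(r"File size limit set to (\d+) bytes"),
    "recursion": re.compile(r"Recursion level limit set to (\d+)"),
    "files": re.compile(r"Files limit set to (\d+)"),
}

# havp.config directive -> (limit name, factor converting to clamd's unit)
HAVP_DIRECTIVES = {
    "CLAMMAXSCANSIZE": ("scan_size", MIB),
    "CLAMMAXFILESIZE": ("file_size", MIB),
    "CLAMMAXRECURSION": ("recursion", 1),
    "CLAMMAXFILES": ("files", 1),
}


def parse_clamd_log(text):
    """Extract the limits clamd logged at startup (bytes for sizes, counts otherwise)."""
    limits = {}
    for line in text.splitlines():
        for name, pattern in CLAMD_PATTERNS.items():
            match = pattern.search(line)
            if match:
                limits[name] = int(match.group(1))
    return limits


def parse_havp_config(text):
    """Read CLAMMAX* directives from havp.config, normalised to clamd's units."""
    limits = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split()
        if len(parts) != 2 or parts[0] not in HAVP_DIRECTIVES:
            continue
        name, factor = HAVP_DIRECTIVES[parts[0]]
        limits[name] = int(parts[1]) * factor
    return limits


def compare_limits(clamd, havp):
    """Return (name, clamd_value, havp_value) for each limit where the library
    scanner is stricter than clamd or unset, i.e. where HAVP may stop looking
    inside an archive that clamd would still scan fully."""
    gaps = []
    for name in LIMITS:
        if name not in clamd:
            continue
        lib_value = havp.get(name)
        if lib_value is None or lib_value < clamd[name]:
            gaps.append((name, clamd[name], lib_value))
    return gaps


if __name__ == "__main__":
    daemon = parse_clamd_log(CLAMD_LOG)
    for label, cfg in (("low", HAVP_CONFIG_LOW), ("aligned", HAVP_CONFIG_ALIGNED)):
        gaps = compare_limits(daemon, parse_havp_config(cfg))
        if not gaps:
            print(f"{label}: library scanner limits match or exceed clamd's")
        for name, d, lib in gaps:
            print(f"{label}: {name}: clamd={d} libclamav={lib} -> library scanner may miss content")
```

Run against the constructed inputs it flags only the file-count limit for the "low" configuration and nothing for the aligned one, which matches what the thread observed once CLAMMAXFILES was raised to 10000. Two caveats from the thread itself: raising the library limits to clamd's values costs the performance the lower defaults were chosen for, and equal limits alone did not cure the truncated XMLViewer.zip download, which needed the ClamAV OLE2 fix the developer reported. The script only compares configuration; it does not invoke clamscan or clamd.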