HTTP Anti-Virus Proxy http://havp.hege.li/forum/ |
|
Different behavior of libclamav vs. clamd on infected archiv http://havp.hege.li/forum/viewtopic.php?f=3&t=378 |
Author: | welt_am_draht [ 04 Aug 2008 20:00 ] |
Post subject: | Different behavior of libclamav vs. clamd on infected archiv |
Hi hege! We are testing HAVP 0.88 (0.89) / ClamAV 0.93.3 for Copfilter and have the issue that the library and the daemon scanner give different results on the same download (you have seen the discussion in the copfilter dev-forum). The daemon seems to catch malicious content like it should (and HAVP stops further download), the library scanner lets it slip through.

Code:
31/07/2008 16:48:33 127.0.0.1 GET 200 http://argos66.free.fr/copfilter/update-copfilter-1.8.tar.gz 305+7740583 VIRUS Clamd: Exploit.WMF.Gen-1

The command line scan (clamscan) confirms this (files seem to be infected).

Code:
./clamdscan /root/update-copfilter-1.8.tar.gz
/root/update-copfilter-1.8.tar.gz: Exploit.WMF.Gen-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 2.579 sec (0 m 2 s)

Remark: The file contains test-signatures which trigger the scanner to bark. The library scanner isn't recognizing this! With HAVP 0.89 the behavior seems to be unchanged ...

Do you have an idea what might go on here? Any hints appreciated!

Cheers
Author: | hege [ 04 Aug 2008 20:13 ] |
Post subject: | Re: Different behavior of libclamav vs. clamd on infected archiv |
Simply because havp.config has much lower scanning limits for good reason (performance), e.g. CLAMMAXFILES:

$ clamscan --max-files=50 update-copfilter-1.8.tar.gz
update-copfilter-1.8.tar.gz: OK

Default clamd scans 10000 files.
Author: | welt_am_draht [ 04 Aug 2008 20:29 ] |
Post subject: | Re: Different behavior of libclamav vs. clamd on infected archiv |
That is in fact simple ... Thanks, I will test this.

Another example is this file: http://www.mindfusion.eu/XMLViewer.zip. This is truncated by the library scanner (this seems to happen on a random basis), the daemon has no problems with it. I must admit that this one seems to be quite exotic, as this is the only known file which triggers this behavior so far.

1. Remark: The file is "clean" and contains one .msi file.
2. Remark: This one really haunts us!

Another idea?

Cheers
Author: | hege [ 04 Aug 2008 20:41 ] |
Post subject: | Re: Different behavior of libclamav vs. clamd on infected archiv |
Yes, I was just looking into that too. It seems ClamAV OLE2 handling with the same file limit setting is broken; I'm posting a bug there.

$ clamscan XMLViewer.zip
XMLViewer.zip: OK

$ clamscan --max-files=50 XMLViewer.zip
XMLViewer.zip: Unknown error code
XMLViewer.zip: OK
Author: | welt_am_draht [ 04 Aug 2008 22:47 ] |
Post subject: | Re: Different behavior of libclamav vs. clamd on infected archiv |
I have set CLAMMAXFILES 10000 in havp.config and tried the downloads again with the library scanner (after clearing all caches!):
2. The file XMLViewer.zip seems to download in full length now, which is good. Regarding the first file: Are there other settings which may be different between the clamd and libclamav in HAVP? |
Author: | hege [ 05 Aug 2008 02:50 ] |
Post subject: | Re: Different behavior of libclamav vs. clamd on infected archiv |
welt_am_draht wrote:
Regarding the first file: Are there other settings which may be different between the clamd and libclamav in HAVP?

Sure, but I think you need to paste everything here / check yourself, since I don't know what you currently have..

PS. ClamAV fixed https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1123
Author: | welt_am_draht [ 05 Aug 2008 15:26 ] |
Post subject: | Re: Different behavior of libclamav vs. clamd on infected archiv |
Sorry, I was a bit unspecific. I will try to get the settings of libclamav as close as possible to the settings of clamd and report back on the results.

hege wrote:
PS. ClamAV fixed https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1123

So this will make its way into 0.94 I assume.

Cheers
Author: | welt_am_draht [ 06 Aug 2008 12:07 ] |
Post subject: | Re: Different behavior of libclamav vs. clamd on infected archiv |
Some tests later ... I made the settings of clamd and libclamav as similar as possible.

clamd:

Code:
Wed Aug 6 10:46:01 2008 -> Listening daemon: PID: 6851
Wed Aug 6 10:46:01 2008 -> Limits: Global size limit set to 104857600 bytes.
Wed Aug 6 10:46:01 2008 -> Limits: File size limit set to 26214400 bytes.
Wed Aug 6 10:46:01 2008 -> Limits: Recursion level limit set to 16.
Wed Aug 6 10:46:01 2008 -> Limits: Files limit set to 10000.

and libclamav (havp.config):

Code:
CLAMMAXSCANSIZE 100
CLAMMAXFILESIZE 25
CLAMMAXRECURSION 16
CLAMMAXFILES 10000

HAVP runs with ClamAV library:

Code:
06/08/2008 10:46:07 === Starting HAVP Version: 0.89
06/08/2008 10:46:07 Running as user: havp, group: havp
06/08/2008 10:46:08 --- Initializing ClamAV Library Scanner
06/08/2008 10:46:08 ClamAV: Using database directory: /var/log/copfilter/default/opt/clamav/virdb
06/08/2008 10:46:21 ClamAV: Loaded 457951 signatures (engine 0.93.3)
06/08/2008 10:46:21 ClamAV Library Scanner passed EICAR virus test (Eicar-Test-Signature)
06/08/2008 10:46:21 --- All scanners initialized
06/08/2008 10:46:21 Process ID: 7054

And now the "infection" is found and the download of the update pack is truncated:

Code:
06/08/2008 10:48:48 127.0.0.1 GET 200 http://argos66.free.fr/copfilter/update-copfilter-1.8.tar.gz 303+7740583 VIRUS ClamAV: Exploit.WMF.Gen-1

Maybe you've never seen a man happier on a broken download! Thanks for your help on these issues and for filing the bug report to the ClamAV team!

Cheers
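The whole thread comes down to one operational check: the archive limits HAVP passes to libclamav (CLAMMAXSCANSIZE, CLAMMAXFILESIZE, CLAMMAXRECURSION, CLAMMAXFILES in havp.config) must not be lower than the limits clamd announces in its startup log, otherwise the library stops unpacking an archive before it reaches the member that clamd flags. The script below is an added example written for this page, not code from HAVP or ClamAV: it parses the "Limits: ... set to N" lines from a clamd log and the CLAMMAX* keys from havp.config, normalizes units and reports which limits are lower on the library side. The mapping of the two havp.config size keys to megabytes is an assumption that matches the values posted above (100 -> 104857600 bytes, 25 -> 26214400 bytes); the "low" havp.config sample is constructed for the demonstration, the clamd log lines and the second havp.config are the ones from the post.

```python
"""Compare clamd's announced archive limits with HAVP's libclamav limits.

Added example for this thread; not part of HAVP or ClamAV.
Assumption: CLAMMAXSCANSIZE / CLAMMAXFILESIZE are in megabytes (1024*1024),
CLAMMAXRECURSION / CLAMMAXFILES are plain counts.
"""
import re

MIB = 1024 * 1024

# clamd log phrase -> (havp.config key, factor converting the havp value to clamd's unit)
LIMIT_MAP = {
    "Global size limit": ("CLAMMAXSCANSIZE", MIB),
    "File size limit": ("CLAMMAXFILESIZE", MIB),
    "Recursion level limit": ("CLAMMAXRECURSION", 1),
    "Files limit": ("CLAMMAXFILES", 1),
}

# clamd startup log as posted in the thread
CLAMD_LOG = """\
Wed Aug 6 10:46:01 2008 -> Listening daemon: PID: 6851
Wed Aug 6 10:46:01 2008 -> Limits: Global size limit set to 104857600 bytes.
Wed Aug 6 10:46:01 2008 -> Limits: File size limit set to 26214400 bytes.
Wed Aug 6 10:46:01 2008 -> Limits: Recursion level limit set to 16.
Wed Aug 6 10:46:01 2008 -> Limits: Files limit set to 10000.
"""

# Constructed "before" havp.config with deliberately lower limits (sample values, not HAVP defaults)
HAVP_LOW = """\
# archive limits for the library scanner (constructed sample)
CLAMMAXSCANSIZE 20
CLAMMAXFILESIZE 10
CLAMMAXRECURSION 8
CLAMMAXFILES 50
"""

# havp.config values as posted in the thread after aligning them with clamd
HAVP_POSTED = """\
CLAMMAXSCANSIZE 100
CLAMMAXFILESIZE 25
CLAMMAXRECURSION 16
CLAMMAXFILES 10000
"""

LIMIT_RE = re.compile(r"Limits: (?P<name>.+?) set to (?P<value>\d+)")


def parse_clamd_log(text):
    """Extract {limit name: integer value} from clamd 'Limits:' log lines."""
    return {m.group("name"): int(m.group("value")) for m in LIMIT_RE.finditer(text)}


def parse_havp_config(text):
    """Parse 'KEY value' lines of havp.config, ignoring comments and blank lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg[parts[0]] = parts[1].strip()
    return cfg


def compare_limits(clamd_limits, havp_cfg):
    """Return (clamd name, clamd value, havp key, havp value in clamd's unit, status) per limit."""
    report = []
    for clamd_name, (havp_key, factor) in LIMIT_MAP.items():
        clamd_val = clamd_limits.get(clamd_name)
        raw = havp_cfg.get(havp_key)
        havp_val = int(raw) * factor if raw is not None else None
        if clamd_val is None or havp_val is None:
            status = "missing"
        elif havp_val < clamd_val:
            status = "lower"    # library stops earlier than clamd: detection gap
        elif havp_val > clamd_val:
            status = "higher"
        else:
            status = "equal"
        report.append((clamd_name, clamd_val, havp_key, havp_val, status))
    return report


def lower_limits(report):
    """Names of the havp.config keys whose limit is below clamd's."""
    return [havp_key for (_, _, havp_key, _, status) in report if status == "lower"]


if __name__ == "__main__":
    clamd = parse_clamd_log(CLAMD_LOG)
    for label, cfg_text in (("low havp.config", HAVP_LOW), ("posted havp.config", HAVP_POSTED)):
        rep = compare_limits(clamd, parse_havp_config(cfg_text))
        print(f"== {label} ==")
        for name, cval, key, hval, status in rep:
            print(f"{name:22s} clamd={cval:<10} {key}={hval:<10} {status}")
        print("lower on library side:", lower_limits(rep) or "none")
```

Run it against a real clamd log and havp.config by replacing the two embedded strings; any key reported as "lower" is a limit where an archive that clamd would fully unpack may be cut short by the library scanner, which is exactly the gap the thread starts with.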