HTTP Anti-Virus Proxy http://havp.hege.li/forum/

Problem detecting Virus inside ZIP http://havp.hege.li/forum/viewtopic.php?f=3&t=397

Author: igorneves [ 18 Nov 2008 16:10 ]
Post subject: Problem detecting Virus inside ZIP

Hi,

I'm using HAVP as a parent proxy for squid. It's working great for most common cases. I started my tests with simple virus files and everything was working nicely. Now I'm stuck with zip files. If I download one zip file with only the virus inside, HAVP detects it and it works as it should. If I put more files inside the zip along with the exe virus, it does not detect anything. I have tried configuring HAVP with clamav and with clamd; both have the same problem.

My system is CentOS 5.2, and the versions of the software are:
- havp-0.89-2
- clamd-0.94-1.el5.rf
- clamav-0.94-1.el5.rf

LOGS:

==> /var/log/havp/access.log <==
18/11/2008 12:51:57 127.0.0.1 GET 200 http://xxx.xxx.xxx.xxx/test_virus.zip 260+7323474 OK

==> shell <==
# clamscan test_virus.zip
test_virus.zip: Worm.SomeFool.P FOUND

----------- SCAN SUMMARY -----------
Known viruses: 463741
Engine version: 0.94
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 14.79 MB
Time: 3.908 sec (0 m 3 s)

==> shell <==
# clamdscan test_virus.zip
//test_virus.zip: Worm.SomeFool.P FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 2.133 sec (0 m 2 s)

==> havp.conf <==
LOGLEVEL 1
PORT 8085
KEEPBACKBUFFER 100000
DISABLELOCKINGFOR ClamAV:BinHex ClamAV:PDF ClamAV:ZIP
ENABLECLAMLIB false
CLAMMAXSCANSIZE 100
CLAMMAXFILES 10000
CLAMMAXFILESIZE 50
CLAMMAXRECURSION 16
ENABLECLAMD true
CLAMDSOCKET /tmp/clamd.socket
ENABLEFPROT false
ENABLEAVG false
ENABLEAVESERVER false
ENABLESOPHIE false
ENABLETROPHIE false
ENABLENOD32 false
ENABLEAVAST false
ENABLEARCAVIR false
ENABLEDRWEB false

FILE: http://www.flyupload.com/get?fid=264461365

Can anyone help me out on this? Probably I'm doing something wrong.

Thanks very much,

Author: hege [ 18 Nov 2008 18:16 ]
Post subject: Re: Problem detecting Virus inside ZIP

So what is your MAXSCANSIZE? If it's 5MB and the virus is at end of the file, it is not detected.

Author: igorneves [ 18 Nov 2008 18:48 ]
Post subject: Re: Problem detecting Virus inside ZIP

OK, first of all, thanks, that was the (stupid) problem: while reading the config file I looked at the value and thought of it as 50 MBytes.

# VALUE IN BYTES NOT KB OR MB!!!!
# 0 = No size limit
#
# Default:
# MAXSCANSIZE 5000000

This is 5 MBytes. Maybe you could change this value to kbytes; nowadays this value in bytes may be a little low, and it can easily lead someone into error. This is just my opinion.

It's working like a charm, nothing to say. Thanks very much for your help.

Author: hege [ 18 Nov 2008 18:51 ]
Post subject: Re: Problem detecting Virus inside ZIP

I think kbytes would be even more misleading... it's either bytes or megabytes. But it works now and it's not possible to change to keep backwards compatibility.

All times are UTC + 2 hours [ DST ]