HTTP Anti-Virus Proxy http://havp.hege.li/forum/

HAVP not detecting virus, clamscan does http://havp.hege.li/forum/viewtopic.php?f=3&t=533
Page 1 of 1
Author: sfoerster [ 15 May 2010 15:39 ]
Post subject: HAVP not detecting virus, clamscan does
I'm running HAVP as a parent proxy for our squid:

>egrep -v '^#|^$|false$' /etc/havp/havp.config
SERVERNUMBER 40
MAXSERVERS 150
LOGLEVEL 1
SCANTEMPFILE /cache/havp/havp-XXXXXX
PARENTPROXY 127.0.0.1
PARENTPORT 6868
PORT 7979
BIND_ADDRESS 127.0.0.1
TEMPLATEPATH /etc/havp/templates/interhyp
WHITELIST /etc/havp/whitelist
STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS
ENABLECLAMLIB true

Unfortunately, this one request slips through:

15/05/2010 14:31:00 127.0.0.1 GET 200 http://www.freihaus-brenner.de/ 343+10284 OK

Whereas:

>wget -O/tmp/virus.txt http://www.freihaus-brenner.de/ ; clamscan -v /tmp/virus.txt
--2010-05-15 14:36:31-- http://www.freihaus-brenner.de/
Connecting to 127.0.0.1:7979... connected.
Proxy request sent, awaiting response... 200 OK
Length: 10284 (10K) [text/html]
Saving to: `/tmp/virus.txt'

100%[===================================================================================================================================================================================================>] 10,284 --.-K/s in 0s

2010-05-15 14:36:31 (161 MB/s) - `/tmp/virus.txt' saved [10284/10284]

LibClamAV Warning: ***********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
Scanning /tmp/virus.txt
/tmp/virus.txt: JS.Agent-64 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 772662
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.01 MB
Data read: 0.01 MB (ratio 1.50:1)
Time: 2.143 sec (0 m 2 s)

One thing I noted:

>tail /var/log/havp/error.log
15/05/2010 14:12:56 === Starting HAVP Version: 0.91
15/05/2010 14:12:56 Running as user: havp, group: havp
15/05/2010 14:12:56 Use parent proxy: 127.0.0.1:6868
15/05/2010 14:12:56 --- Initializing ClamAV Library Scanner
15/05/2010 14:12:56 ClamAV: Using database directory: /var/clamav
15/05/2010 14:12:57 ClamAV: Loaded 769919 signatures (engine 0.95.3)
15/05/2010 14:12:57 ClamAV Library Scanner passed EICAR virus test (Eicar-Test-Signature)
15/05/2010 14:12:57 --- All scanners initialized
15/05/2010 14:12:57 Process ID: 28840

The number of available virus signatures seems to differ - I don't know if that is of any relevance. Can anyone help me debug why this malware isn't caught?
Author: karesmakro [ 16 May 2010 13:11 ]
Post subject: Re: HAVP not detecting virus, clamscan does
Is it possible that this virus was in your browser cache? I made some tests and this is my result:

Code:
15/05/2010 18:27:17 127.0.0.1 GET 200 http://www.freihaus-brenner.de/ 237+10284 VIRUS ClamAV: JS.Agent-64

I used clamav 0.96 and havp 0.92pre1 for these tests.

Quote:
The number of available virus signatures seems to differ - I don't know if that is of any relevance.

This is correct, but I can't say why! This is a question which hege could answer (I hope).
Author: hege [ 16 May 2010 14:13 ]
Post subject: Re: HAVP not detecting virus, clamscan does
Quote:
The number of available virus signatures seems to differ - I don't know if that is of any relevance.

Probably clamscan loads phishing sigs and HAVP doesn't. You could try clamscan --phishing-sigs=no (not sure if it's called that in 0.95.3, but see --help).
Author: karesmakro [ 16 May 2010 16:02 ]
Post subject: Re: HAVP not detecting virus, clamscan does
No, I don't use phishing signatures. There is really a difference:

Code:
16/05/2010 14:55:23 === Starting HAVP Version: 0.91
16/05/2010 14:55:23 Running as user: havp, group: havp
16/05/2010 14:55:23 --- Initializing ClamAV Library Scanner
16/05/2010 14:55:23 ClamAV: Using database directory: /var/lib/clamav
16/05/2010 14:55:30 ClamAV: Loaded 771985 signatures (engine 0.96)
16/05/2010 14:55:30 ClamAV Library Scanner passed EICAR virus test (Eicar-Test-Signature)
16/05/2010 14:55:30 --- All scanners initialized

(same for havp-0.92pre1) and clamav:

Code:
./clamscan --phishing-sigs=no /root/ripmime.tar.gz
/root/ripmime.tar.gz: OK

----------- SCAN SUMMARY -----------
Known viruses: 772246
Engine version: 0.96
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.31 MB
Data read: 0.05 MB (ratio 6.67:1)
Time: 8.037 sec (0 m 8 s)

regards
Author: sfoerster [ 16 May 2010 17:34 ]
Post subject: Re: HAVP not detecting virus, clamscan does
The virus was definitely not in the browser cache, due to wget's lack of any cache. What further debugging data do I have to provide to narrow down that problem? I have already verified that HAVP and clamscan are using the same database directory. I verified that the file really passed through HAVP (i.e. it was not in the downstream proxy's cache) by requesting it directly from HAVP. If nobody here has any further ideas, I'd have HAVP access clamd via socket to see if this is indeed some problem with the way HAVP interacts with libclamav.
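The checks done by hand in this thread (confirm that the bytes wget saved are the same body HAVP logged, compare HAVP's verdict with clamscan's on that copy, and compare the signature counts the two loaded) can be scripted. The following is an added example written for this page, not code from HAVP or ClamAV; it parses the access-log, error-log and clamscan output formats exactly as quoted above, and the sample inputs are constructed from those quoted lines. The URL-to-saved-file mapping is an assumption the script takes as input, since it is what the person running wget knows.

```python
"""Correlate HAVP verdicts with clamscan results and compare signature counts.

Added example for this page; not HAVP or ClamAV code. Sample inputs below are
constructed from the log lines quoted in the thread.
"""
import re

# HAVP access.log: date time client METHOD status url hdrbytes+bodybytes verdict
ACCESS_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<status>\d+) (?P<url>\S+) (?P<hdr>\d+)\+(?P<body>\d+) (?P<verdict>.+)$"
)
# HAVP error.log: "ClamAV: Loaded N signatures (engine X.Y.Z)"
HAVP_SIGS_RE = re.compile(r"ClamAV: Loaded (\d+) signatures \(engine ([\d.]+)\)")
# clamscan output: per-file "path: SIG FOUND" lines plus the summary block
CLAMSCAN_HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>.+) FOUND$", re.M)
CLAMSCAN_SIGS_RE = re.compile(r"^Known viruses: (\d+)$", re.M)
CLAMSCAN_ENGINE_RE = re.compile(r"^Engine version: ([\d.]+)$", re.M)

# Constructed sample inputs (taken from the lines quoted in the thread).
SAMPLE_ACCESS_LOG = """\
15/05/2010 14:31:00 127.0.0.1 GET 200 http://www.freihaus-brenner.de/ 343+10284 OK
15/05/2010 18:27:17 127.0.0.1 GET 200 http://www.freihaus-brenner.de/ 237+10284 VIRUS ClamAV: JS.Agent-64
"""
SAMPLE_ERROR_LOG = """\
15/05/2010 14:12:56 ClamAV: Using database directory: /var/clamav
15/05/2010 14:12:57 ClamAV: Loaded 769919 signatures (engine 0.95.3)
15/05/2010 14:12:57 ClamAV Library Scanner passed EICAR virus test (Eicar-Test-Signature)
"""
SAMPLE_CLAMSCAN = """\
Scanning /tmp/virus.txt
/tmp/virus.txt: JS.Agent-64 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 772662
Engine version: 0.95.3
Scanned files: 1
Infected files: 1
"""
# Assumed mapping supplied by whoever ran wget: URL -> (saved path, bytes saved).
SAMPLE_SAVED = {"http://www.freihaus-brenner.de/": ("/tmp/virus.txt", 10284)}


def parse_access_log(text):
    """Return one dict per parsable HAVP access-log line."""
    rows = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line.strip())
        if m:
            row = m.groupdict()
            for k in ("status", "hdr", "body"):
                row[k] = int(row[k])
            rows.append(row)
    return rows


def parse_havp_error_log(text):
    """Signature count and engine version HAVP's libclamav scanner reported."""
    m = HAVP_SIGS_RE.search(text)
    return {"signatures": int(m.group(1)) if m else None,
            "engine": m.group(2) if m else None}


def parse_clamscan(text):
    """Per-file detections plus the summary's signature count and engine."""
    hits = {m.group("path"): m.group("sig") for m in CLAMSCAN_HIT_RE.finditer(text)}
    known = CLAMSCAN_SIGS_RE.search(text)
    engine = CLAMSCAN_ENGINE_RE.search(text)
    return {"hits": hits,
            "known_viruses": int(known.group(1)) if known else None,
            "engine": engine.group(1) if engine else None}


def signature_gap(havp_info, clamscan_info):
    """How many more signatures clamscan loaded than HAVP, and engine parity."""
    return {"havp": havp_info["signatures"],
            "clamscan": clamscan_info["known_viruses"],
            "delta": clamscan_info["known_viruses"] - havp_info["signatures"],
            "same_engine": havp_info["engine"] == clamscan_info["engine"]}


def missed_detections(rows, clamscan_info, saved):
    """Rows HAVP passed as OK whose saved copy clamscan flagged.

    Only counts a miss when the byte count wget saved equals the body size
    HAVP logged, i.e. the same response body demonstrably went through HAVP.
    """
    missed = []
    for r in rows:
        if r["verdict"] != "OK" or r["url"] not in saved:
            continue
        path, size = saved[r["url"]]
        sig = clamscan_info["hits"].get(path)
        if sig and size == r["body"]:
            missed.append({"url": r["url"], "when": r["date"] + " " + r["time"],
                           "signature": sig, "bytes": size})
    return missed


if __name__ == "__main__":
    rows = parse_access_log(SAMPLE_ACCESS_LOG)
    cs = parse_clamscan(SAMPLE_CLAMSCAN)
    print("signature gap:", signature_gap(parse_havp_error_log(SAMPLE_ERROR_LOG), cs))
    for m in missed_detections(rows, cs, SAMPLE_SAVED):
        print("HAVP passed but clamscan flagged:", m)
```

Run against real files by reading /var/log/havp/access.log, /var/log/havp/error.log and the saved clamscan output instead of the sample constants. A non-zero delta with the same engine version points at database selection (which .cvd/.cld files or signature classes each side loads), not at the engine itself; a miss with matching byte counts rules out the downstream cache explanation raised earlier in the thread.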
Page 1 of 1
All times are UTC + 2 hours [ DST ]