On Tuesday, February 17, 2015 11:58:02 PM Manoj Ramakrishnan wrote:
> On 18/02/15 6:09 AM, "Steven Morgan" <smor...@sourcefire.com> wrote:
> >On Tue, Feb 17, 2015 at 1:11 AM, Manoj Ramakrishnan <
> >manojramakrish...@nbnco.com.au> wrote:
> >> Hi Al,
> >>
> >> Thanks for replying.
> >> It is exactly what I thought. But why is it different from ZIP file?
> >> I added extra characters in the beginning of the ZIP file but no issues in
> >> scanning that and finding eicar signature.
> >>
> >> It may be because of this file typing signature, which is not tied to a
> >fixed offset (the '*' in second field is wildcard offset):
> >  "1:*:504b0304:ZIP-SFX:CL_TYPE_ANY:CL_TYPE_ZIPSFX"
> >
> >There are no corresponding wildcard magics for GZIP. Could you please
> >confirm by looking for a message containing "ZIP/ZIP-SFX signature found
> >at" in your debug output.
> >
> >> Also curious to see why is it not working in case #4 and #6?
> >
> >Using "LeaveTemporaryFiles yes", you should be able to inspect files in the
> >ClamAV temp directory as forwarded by your web proxy. This will show the
> >files as seen by ClamAV. As already pointed out, if there are any
> >additional characters (http headers, etc.), it will not be recognized as
> >GZIP. Are there any settings in squidclamav to control how files are formed
> >for forwarding to ClamAV?
>
> At the moment there are no settings in squidclamav to extract the multipart
> form data and send only the attachment to clamd.
>
> As Kevin mentioned, if clamd doesn't natively support parsing HTTP
> messages then we need to find a way to pass correct data to clamd.
>
> Is HTTP message parsing support on your feature roadmap for clamd?

I haven't been following this thread very closely, so this may be off track,
but would havp do what you need:

http://www.server-side.de/

Scott K
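
Added example, not part of the original thread and not ClamAV code: a simplified Python stand-in for the file-typing match discussed above, showing why a ZIP wrapped in multipart form data is still typed while a GZIP is not until the part is extracted. The GZIP entry, the multipart helpers, the boundary and the payloads are assumptions constructed for illustration.

```python
import gzip
import io
import zipfile

# Entry 1 is the signature quoted in the thread; entry 2 is an assumed GZIP
# entry in the same field layout, pinned to offset 0 (1f8b is the gzip magic).
FTM = [
    "1:*:504b0304:ZIP-SFX:CL_TYPE_ANY:CL_TYPE_ZIPSFX",
    "0:0:1f8b:GZip:CL_TYPE_ANY:CL_TYPE_GZ",
]

def detect(data, sigs=FTM):
    """Return [(detected_type, offset)] for each signature matching data."""
    hits = []
    for line in sigs:
        _kind, offset, magic_hex, _name, _rtype, ftype = line.split(":")[:6]
        magic = bytes.fromhex(magic_hex)
        if offset == "*":      # wildcard: magic may sit anywhere in the data
            pos = data.find(magic)
        else:                  # fixed: magic must sit exactly at this offset
            pos = int(offset) if data.startswith(magic, int(offset)) else -1
        if pos >= 0:
            hits.append((ftype, pos))
    return hits

def wrap_multipart(payload, boundary):
    """Build a constructed multipart/form-data body around payload."""
    head = (b"--" + boundary + b"\r\nContent-Disposition: form-data; "
            b'name="file"; filename="upload.bin"\r\n'
            b"Content-Type: application/octet-stream\r\n\r\n")
    return head + payload + b"\r\n--" + boundary + b"--\r\n"

def extract_parts(body, boundary):
    """Return each part's raw payload with headers and delimiters removed."""
    return [chunk.partition(b"\r\n\r\n")[2][:-2]   # drop CRLF before delimiter
            for chunk in body.split(b"--" + boundary)[1:-1]]

# Constructed sample data: harmless placeholder content, not a real upload.
BOUNDARY = b"constructedBoundary7MA4YWxk"
GZ = gzip.compress(b"constructed test payload", mtime=0)
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as zf:
    zf.writestr("sample.txt", b"constructed test payload")
ZIP = _buf.getvalue()

if __name__ == "__main__":
    for blob in (ZIP, GZ):
        body = wrap_multipart(blob, BOUNDARY)
        print(detect(body), detect(extract_parts(body, BOUNDARY)[0]))
```

The wrapped ZIP is typed at a non-zero offset, the wrapped GZIP is not typed at all, and the extracted GZIP part is typed at offset 0, which is the behaviour the proxy has to provide before handing data to clamd.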