Re: [Clamav-devel] Question about STREAM scanning
--- "Calin A. Culianu" <[EMAIL PROTECTED]> wrote: > > > On Tue, 15 Mar 2005, John Giammarche wrote: > > > > >> > >> > >> Well, then I have another problem. > >> > >> I have a file that is known to be infected with a > >> virus. It's the "ps" executable from a server, > >> inside > >> a .tar.bz2. > >> > >> Scanned in the console, the result is as follows: > >> > >> /root/ps.tar.bz2: Linux.RST.B FOUND > >> --- SCAN SUMMARY --- > >> Known viruses: 31605 > >> Scanned directories: 0 > >> Scanned files: 1 > >> Infected files: 1 > >> Data scanned: 0.06 MB > >> I/O buffer size: 131072 bytes > >> Time: 1.423 sec (0 m 1 s) > >> > >> Scanned from the Java program: > >> > >> stream: OK > >> > >> In the logfile: > >> > >> Tue Mar 15 10:58:34 2005 -> Accepted connection > on > >> port 1190, fd 7 > >> Tue Mar 15 10:58:34 2005 -> stream: OK > >> > >> > >> Something is not working good > > > > > > Hmm. Do you have different config files that you > use for clamscan versus > clamd? Looks like archive scanning might be > disabled in the clamd case.. > but normally it isn't. Weird... Thanks, but it's working now. Check the previous posts. > > > > ___ > http://lurker.clamav.net/list/clamav-devel.html > __ Do you Yahoo!? Yahoo! Small Business - Try our new resources site! http://smallbusiness.yahoo.com/resources/ ___ http://lurker.clamav.net/list/clamav-devel.html
Re: [Clamav-devel] Question about STREAM scanning
On Tue, 15 Mar 2005, John Giammarche wrote: Well, then I have another problem. I have a file that is known to be infected with a virus. It's the "ps" executable from a server, inside a .tar.bz2. Scanned in the console, the result is as follows: /root/ps.tar.bz2: Linux.RST.B FOUND --- SCAN SUMMARY --- Known viruses: 31605 Scanned directories: 0 Scanned files: 1 Infected files: 1 Data scanned: 0.06 MB I/O buffer size: 131072 bytes Time: 1.423 sec (0 m 1 s) Scanned from the Java program: stream: OK In the logfile: Tue Mar 15 10:58:34 2005 -> Accepted connection on port 1190, fd 7 Tue Mar 15 10:58:34 2005 -> stream: OK Something is not working good Hmm. Do you have different config files that you use for clamscan versus clamd? Looks like archive scanning might be disabled in the clamd case.. but normally it isn't. Weird... ___ http://lurker.clamav.net/list/clamav-devel.html
Re: [Clamav-devel] Question about STREAM scanning
--- John Giammarche <[EMAIL PROTECTED]> wrote: > > --- "Calin A. Culianu" <[EMAIL PROTECTED]> wrote: > > > > On Mon, 14 Mar 2005, John Giammarche wrote: > > > > > Hello everyone and thanks for reading my > message. > > > > > > I want to use clamd to scan files that are > > uploaded to > > > a Java Servlet. So far, I've connected to clamd > > and > > > clamd answered the PORT that I should connect to > > send > > > the file. So far so good. > > > > > > When I connect to that port and send the data > > (raw, as > > > a byte array), clamd never answers. The > questions > > here > > > are: > > > > > > 1- In which port does clamd answer? I assume > it's > > the > > > same one through which I sent the file. I want > to > > read > > > the answer to know if the file is infected or > not. > > > > No, clamd actually answers once you close the > > connection on the data > > socket. It answers on the original port you > > connected to. It says stream: > > OK if it's ok or stream: FOUND if > > there's a virus... > > > Well, then I have another problem. > > I have a file that is known to be infected with a > virus. It's the "ps" executable from a server, > inside > a .tar.bz2. > > Scanned in the console, the result is as follows: > > /root/ps.tar.bz2: Linux.RST.B FOUND > --- SCAN SUMMARY --- > Known viruses: 31605 > Scanned directories: 0 > Scanned files: 1 > Infected files: 1 > Data scanned: 0.06 MB > I/O buffer size: 131072 bytes > Time: 1.423 sec (0 m 1 s) > > Scanned from the Java program: > > stream: OK > > In the logfile: > > Tue Mar 15 10:58:34 2005 -> Accepted connection on > port 1190, fd 7 > Tue Mar 15 10:58:34 2005 -> stream: OK > > > Something is not working good Well, I solved it, it was an error in the way I was straming the file from the Java servlet. Thanks everyone! J > > > > > > > > > > > > 2- I comnfigured the logging so that it logs > clean > > > files also. Look at the log so far: > > > > > > > Close the connection on the temporary data socket > > and read a line from the > > control socket (the original one you connected to) > > and you should get > > stream: OK/FOUND messages. I think your problem > was > > you were expecting it > > to return an answer on the data connection right > > away, but of course it > > couldn't, as it never knows when the stream is > done. > > It kept waiting for > > more data. But your java program wanted to get a > > reply. Both sides were > > waiting for something and noone was talking. The > > only way to tell clamd > > you are done sending it data is to actually close > > the connection on the > > data socket. Then you get an answer right away on > > the control socket. > > > > -Calin > > ___ > > http://lurker.clamav.net/list/clamav-devel.html > > > > __ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam > protection around > http://mail.yahoo.com > ___ > http://lurker.clamav.net/list/clamav-devel.html > __ Do you Yahoo!? Yahoo! Small Business - Try our new resources site! http://smallbusiness.yahoo.com/resources/ ___ http://lurker.clamav.net/list/clamav-devel.html
Re: [Clamav-devel] Question about STREAM scanning
--- "Calin A. Culianu" <[EMAIL PROTECTED]> wrote: > > On Mon, 14 Mar 2005, John Giammarche wrote: > > > Hello everyone and thanks for reading my message. > > > > I want to use clamd to scan files that are > uploaded to > > a Java Servlet. So far, I've connected to clamd > and > > clamd answered the PORT that I should connect to > send > > the file. So far so good. > > > > When I connect to that port and send the data > (raw, as > > a byte array), clamd never answers. The questions > here > > are: > > > > 1- In which port does clamd answer? I assume it's > the > > same one through which I sent the file. I want to > read > > the answer to know if the file is infected or not. > > No, clamd actually answers once you close the > connection on the data > socket. It answers on the original port you > connected to. It says stream: > OK if it's ok or stream: FOUND if > there's a virus... Well, then I have another problem. I have a file that is known to be infected with a virus. It's the "ps" executable from a server, inside a .tar.bz2. Scanned in the console, the result is as follows: /root/ps.tar.bz2: Linux.RST.B FOUND --- SCAN SUMMARY --- Known viruses: 31605 Scanned directories: 0 Scanned files: 1 Infected files: 1 Data scanned: 0.06 MB I/O buffer size: 131072 bytes Time: 1.423 sec (0 m 1 s) Scanned from the Java program: stream: OK In the logfile: Tue Mar 15 10:58:34 2005 -> Accepted connection on port 1190, fd 7 Tue Mar 15 10:58:34 2005 -> stream: OK Something is not working good > > > > > 2- I comnfigured the logging so that it logs clean > > files also. Look at the log so far: > > > > Close the connection on the temporary data socket > and read a line from the > control socket (the original one you connected to) > and you should get > stream: OK/FOUND messages. I think your problem was > you were expecting it > to return an answer on the data connection right > away, but of course it > couldn't, as it never knows when the stream is done. > It kept waiting for > more data. But your java program wanted to get a > reply. Both sides were > waiting for something and noone was talking. The > only way to tell clamd > you are done sending it data is to actually close > the connection on the > data socket. Then you get an answer right away on > the control socket. > > -Calin > ___ > http://lurker.clamav.net/list/clamav-devel.html > __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ___ http://lurker.clamav.net/list/clamav-devel.html
