Discussion:
[Clamav-devel] ClamAv not detecting data when sent as file from curl
P K
2015-07-16 15:32:39 UTC
Hi Guys,

I am trying to send EICAR data to ClamAV in two ways:

*1. By sending EICAR file data as POST data -> Virus Detected*

*command -> curl -X POST -d @eicar.com.txt http://localhost/test.html*

POST /abcd.html HTTP/1.1
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Accept: */*
Content-Length: 68
Content-Type: application/x-www-form-urlencoded

44
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
0

2. *When I send the same as a file -> Virus Not Detected*

*command -> curl -i -F name=eicar.com.txt -F filedata=@eicar.com.txt http://localhost/test.html*

POST / HTTP/1.1
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Accept: */*
Content-Length: 369
Expect: 100-continue
Content-Type: multipart/form-data; boundary=----------------------------221b58daed79

171
------------------------------221b58daed79
Content-Disposition: form-data; name="name"

eicar.com.txt
------------------------------221b58daed79
Content-Disposition: form-data; name="filedata"; filename="eicar.com.txt"
Content-Type: text/plain

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
------------------------------221b58daed79--
0

Any suggestions what I am missing?

Thanks
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml
Brandon Perry
2015-07-16 15:42:17 UTC
The body of the HTTP request in the first is only the EICAR file (though
the 44 and 0 on different lines is odd), but the body of the multi-part
form request is like embedding the EICAR file into different data (ClamAV
doesn't know what a multi-part form is). The multi-part form is no longer
just the EICAR test file, so the signature won't find it.
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
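
Added example (not part of the thread and not ClamAV code): the reply's point shown in Python, where a whole-file check misses the EICAR string inside a raw multipart body but finds it once each part is extracted and checked on its own. `looks_like_eicar` is a stand-in for the scanner that applies the whole-file rule from the EICAR test file definition; the function names and the constructed request body are assumptions.

```python
from email.parser import BytesParser
from email.policy import HTTP

# EICAR test string as shown in the post (68 bytes).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def looks_like_eicar(buf: bytes) -> bool:
    """Stand-in scanner: buffer starts with the string, is at most 128 bytes,
    and only whitespace or Ctrl-Z follows the string."""
    return (buf.startswith(EICAR) and len(buf) <= 128
            and buf[len(EICAR):].strip(b" \t\r\n\x1a") == b"")

def multipart_parts(content_type: str, body: bytes):
    """Yield (field name, filename, payload bytes) for each multipart part."""
    head = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n"
    msg = BytesParser(policy=HTTP).parsebytes(head + body)
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        yield name, part.get_filename(), part.get_payload(decode=True)

def scan_request(content_type: str, body: bytes):
    """Return the field names whose extracted payload matches the check."""
    return [name for name, _fn, data in multipart_parts(content_type, body)
            if looks_like_eicar(data)]

# Constructed sample, modelled on the multipart request in the post.
BOUNDARY = "-" * 28 + "221b58daed79"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY
DELIM = b"--" + BOUNDARY.encode("ascii")
BODY = b"\r\n".join([
    DELIM,
    b'Content-Disposition: form-data; name="name"',
    b"",
    b"eicar.com.txt",
    DELIM,
    b'Content-Disposition: form-data; name="filedata"; filename="eicar.com.txt"',
    b"Content-Type: text/plain",
    b"",
    EICAR,
    DELIM + b"--",
    b"",
])

if __name__ == "__main__":
    print("raw POST body matches:     ", looks_like_eicar(EICAR))
    print("raw multipart body matches:", looks_like_eicar(BODY))
    print("fields matching after extraction:", scan_request(CONTENT_TYPE, BODY))
```

A proxy or upload handler that hands request bodies to a scanner needs this extraction step (or an equivalent one in the web framework) before scanning, so the scanner sees the uploaded file rather than the form wrapper.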