Mailing List Archive

ClamAv not detecting data when sent as file from curl
Hi Guys,

I am trying to send EICAR data to ClamAv by two ways:

*1. By sending EICAR file data as POST data -> Virus Detected*

*command -> curl -X POST -d @eicar.com.txt http://localhost/test.html*

POST /abcd.html HTTP/1.1
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Accept: */*
Content-Length: 68
Content-Type: application/x-www-form-urlencoded

44
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
0

*2. When I send the same with file -> Virus Not Detected*

*command -> curl -i -F name=eicar.com.txt -F filedata=@eicar.com.txt http://localhost/test.html*

POST / HTTP/1.1
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Accept: */*
Content-Length: 369
Expect: 100-continue
Content-Type: multipart/form-data; boundary=----------------------------221b58daed79

171
------------------------------221b58daed79
Content-Disposition: form-data; name="name"

eicar.com.txt
------------------------------221b58daed79
Content-Disposition: form-data; name="filedata"; filename="eicar.com.txt"
Content-Type: text/plain

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
------------------------------221b58daed79--
0

Any suggestions on what I am missing?

Thanks
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml
Re: ClamAv not detecting data when sent as file from curl
The body of the HTTP request in the first is only the EICAR file (though
the 44 and 0 on different lines is odd), but the body of the multi-part
form request is like embedding the EICAR file into different data (ClamAV
doesn't know what a multi-part form is). The multi-part form is no longer
just the EICAR test file, so the signature won't find it.



On Thu, Jul 16, 2015 at 10:32 AM, P K <pkopensrc@gmail.com> wrote:

> Hi Guys,
>
> I am trying to send EICAR data to ClamAv by two ways:
>
> *1. By sending EICAR file data as POST data -> Virus Detected*
>
> *command -> curl -X POST -d @eicar.com.txt http://localhost/test.html*
>
> POST /abcd.html HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Accept: */*
> Content-Length: 68
> Content-Type: application/x-www-form-urlencoded
>
> 44
> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
> 0
>
> *2. When I send the same with file -> Virus Not Detected*
>
> *command -> curl -i -F name=eicar.com.txt -F filedata=@eicar.com.txt http://localhost/test.html*
>
> POST / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Accept: */*
> Content-Length: 369
> Expect: 100-continue
> Content-Type: multipart/form-data; boundary=----------------------------221b58daed79
>
> 171
> ------------------------------221b58daed79
> Content-Disposition: form-data; name="name"
>
> eicar.com.txt
> ------------------------------221b58daed79
> Content-Disposition: form-data; name="filedata"; filename="eicar.com.txt"
> Content-Type: text/plain
>
> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
> ------------------------------221b58daed79--
> 0
>
> Any suggestions on what I am missing?
>
> Thanks



--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
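
The point made in the reply, as an added example (not code from the thread or from ClamAV): splitting the multipart body into its parts before scanning lets a file-level check see the uploaded file on its own. `is_eicar_file` is a constructed stand-in for the scanner, not ClamAV's signature, and the sample body is constructed to mirror the second request in the thread.

```python
from email import policy
from email.parser import BytesParser

# The EICAR test string as it appears in the thread (68 bytes, harmless).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def is_eicar_file(data: bytes) -> bool:
    """Stand-in scanner (an assumption, NOT ClamAV's signature): true only when
    the buffer *is* the test file: it starts with the string, carries nothing
    but trailing whitespace after it, and is at most 128 bytes long."""
    return (data.startswith(EICAR) and len(data) <= 128
            and data[len(EICAR):].strip(b" \t\r\n\x1a") == b"")

def extract_parts(content_type: str, body: bytes):
    """Split a request body into (field, filename, payload) tuples."""
    # The email parser needs the Content-Type header to learn the boundary.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = BytesParser(policy=policy.HTTP).parsebytes(raw)
    if not msg.is_multipart():
        return [("<body>", None, body)]    # plain body: scan it unchanged
    return [(p.get_param("name", header="content-disposition"),
             p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_parts()]

def scan_request(content_type: str, body: bytes):
    """Return the field names whose extracted payload the scanner flags."""
    return [field for field, _name, payload in extract_parts(content_type, body)
            if is_eicar_file(payload)]

# Constructed sample mirroring the multipart request shown in the thread.
BOUNDARY = b"----------------------------221b58daed79"
CTYPE = "multipart/form-data; boundary=" + BOUNDARY.decode()
BODY = b"\r\n".join([
    b"--" + BOUNDARY,
    b'Content-Disposition: form-data; name="name"',
    b"", b"eicar.com.txt",
    b"--" + BOUNDARY,
    b'Content-Disposition: form-data; name="filedata"; filename="eicar.com.txt"',
    b"Content-Type: text/plain",
    b"", EICAR,
    b"--" + BOUNDARY + b"--", b""])

if __name__ == "__main__":
    print("whole multipart body flagged:", is_eicar_file(BODY))
    print("fields flagged after extraction:", scan_request(CTYPE, BODY))
```

In a real deployment the extracted payloads would be handed to the scanner itself in place of the stand-in check.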