Thanks Steven. I uploaded both files. I feel ClamAV should detect the signature in any file, irrespective of the form data from the browser.

On Sat, Aug 22, 2015 at 12:13 AM, Steven Morgan <smor...@sourcefire.com> wrote:
> I've opened https://bugzilla.clamav.net/show_bug.cgi?id=11380. Please
> attach to this bugzilla ticket the original pdf file and the original
> multipart document.
>
> Thanks.
>
> On Tue, Aug 18, 2015 at 10:48 AM, P K <pkopen...@gmail.com> wrote:
>
> > Hi Guys,
> >
> > Again troubling you. Can you please let me know why it's not working for
> > Windows server. Do I need to enable any setting in ClamAV configuration?
> >
> > I was trying to upload the same exploit.pdf virus file to a Windows server
> > and it's not detected by ClamAV Antivirus.
> >
> > *I tried with detect-pua also and it didn't work for me*.
> >
> > It works fine with curl and other software. *Maybe we have to handle
> > separately for Windows server*.
> >
> > Looks like it's due to the way Windows servers work to upload a file using
> > the Boundary mechanism.
> >
> > Below is output of virus file to clamav:
> >
> > Content-Disposition: form-data; name="__EVENTVALIDATION"
> >
> > /wEWBAK5276uAwLv4ZO6DgLmgPS1DQL374fcBaj9ZhJYdIZVwZS464ZHv7T3ou6w
> > -----------------------------21154944191352840482619583850
> > Content-Disposition: form-data; name="destination"
> >
> > */AnalyticsReports-----------------------------21154944191352840482619583850Content-Disposition:
> > form-data; name="ctl00$PlaceHolderMain$ctl01$ctl05$InputFile";
> > filename="exploit.pdf"Content-Type: application/force-download*
> > %PDF-1.1
> > 1 0 obj
> > << /Type /Catalog /Outlines 2 0 R /Pages 3 0 R /OpenAction 5 0 R >>
> > endobj
> > 2 0 obj
> > << /Type /Outlines /Count 0 >>
> > endobj
> > 3 0 obj
> > << /Type /Pages /Kids [4 0 R] /Count 1 >>
> > endobj
> > 4 0 obj
> > << /Type /Page /Parent 3 0 R /MediaBox [0 0 612 792] >>
> > endobj
> > 5 0 obj
> > << /Type /Action /S /JavaScript /JS (
> > VIRUS DATA .....................
> > ...........................................
> >
> > spray_heap();
> > trigger_bug();
> >
> > ) >>
> > endobj
> > xref
> > 0 6
> > 0000000000 65535 f
> > 0000000010 00000 n
> > 0000000096 00000 n
> > 0000000145 00000 n
> > 0000000205 00000 n
> > 0000000279 00000 n
> > trailer
> > << /Size 6 /Root 1 0 R >>
> > startxref
> > 1787
> > %%EOF
> > -----------------------------21154944191352840482619583850
> > Content-Disposition: form-data;
> > name="ctl00$PlaceHolderMain$ctl01$ctl05$OverwriteSingle"
> >
> > on
> > -----------------------------21154944191352840482619583850
> > Content-Disposition: form-data; name="__spText1"
> >
> >
> > -----------------------------21154944191352840482619583850
> >
> >
> > On Thu, Jul 30, 2015 at 3:39 PM, P K <pkopen...@gmail.com> wrote:
> >
> > > Thanks Shaun. I saw it's pushed in the latest update.
> > >
> > > Hope to learn more from you guys.
> > >
> > > On Wed, Jul 29, 2015 at 7:32 PM, Shaun Hurley <shahu...@sourcefire.com>
> > > wrote:
> > >
> > >> PK,
> > >>
> > >> Thank you for bringing this to our attention.
> > >>
> > >> I have created another signature that doesn't rely upon PUA being
> > >> enabled. As soon as the signature is done being tested for false
> > >> positives we will publish it.
> > >>
> > >> Thanks again,
> > >> Shaun Hurley
> > >> ClamAV Malware Team
> > >>
> > >> On Tue, Jul 28, 2015 at 10:54 AM, P K <pkopen...@gmail.com> wrote:
> > >>
> > >> > Worked properly after enabling PUA.
> > >> >
> > >> > Cheers,
> > >> > --PK
> > >> >
> > >> > On Tue, Jul 28, 2015 at 8:14 PM, Steve Basford <
> > >> > steveb_cla...@sanesecurity.com> wrote:
> > >> >
> > >> > >
> > >> > > On Tue, July 28, 2015 3:41 pm, P K wrote:
> > >> > > > So how to detect the same in my ClamAV?
> > >> > > >
> > >> > >
> > >> > > Until a proper sig is added, you could try
> > >> > >
> > >> > > clamscan --detect-pua=yes
> > >> > >
> > >> > > Cheers,
> > >> > >
> > >> > > Steve
> > >> > > Web : sanesecurity.com
> > >> > > Blog: sanesecurity.blogspot.com
> > >> > >
> > >> > > _______________________________________________
> > >> > > Help us build a comprehensive ClamAV guide:
> > >> > > https://github.com/vrtadmin/clamav-faq
> > >> > >
> > >> > > http://www.clamav.net/contact.html#ml
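
Added example (not part of the thread and not ClamAV project code): one server-side option is to split the multipart/form-data body and hand each uploaded file's bytes to the scanner on its own, instead of the whole request body quoted above. The function names, boundary and sample body are constructed for illustration, and whether this changes detection for the file in this thread is an assumption.

```python
import re
import subprocess

def extract_uploads(body: bytes, boundary: str):
    """Return (field name, filename, file bytes) for each file part of a
    multipart/form-data request body."""
    delim = b"\r\n--" + boundary.encode("ascii")
    uploads = []
    # Prefix CRLF so the first delimiter matches like every later one.
    for chunk in (b"\r\n" + body).split(delim)[1:]:
        if chunk.startswith(b"--"):        # closing delimiter "--boundary--"
            break
        head, sep, payload = chunk.partition(b"\r\n\r\n")
        if not sep:
            continue                       # malformed part: no blank line
        headers = head.decode("latin-1")
        filename = re.search(r'\bfilename="([^"]*)"', headers)
        if filename is None:
            continue                       # plain form field, not an upload
        name = re.search(r'\bname="([^"]*)"', headers)
        uploads.append((name.group(1) if name else "", filename.group(1), payload))
    return uploads

def scan_bytes(payload: bytes) -> bool:
    """Pipe one extracted file to clamscan on stdin; True if a signature hit."""
    proc = subprocess.run(["clamscan", "--no-summary", "--detect-pua=yes", "-"],
                          input=payload, capture_output=True)
    if proc.returncode not in (0, 1):      # clamscan: 0 clean, 1 found, 2 error
        raise RuntimeError(proc.stderr.decode(errors="replace"))
    return proc.returncode == 1

# Constructed sample: harmless bytes in the same layout as the quoted request.
BOUNDARY = "----constructed-boundary-0001"
PDF_BYTES = b"%PDF-1.1\r\n1 0 obj\r\n<< /Type /Catalog >>\r\nendobj\r\n%%EOF"
MARK = b"--" + BOUNDARY.encode("ascii")
SAMPLE_BODY = b"\r\n".join([
    MARK, b'Content-Disposition: form-data; name="destination"', b"",
    b"/AnalyticsReports",
    MARK, b'Content-Disposition: form-data; name="InputFile"; filename="sample.pdf"',
    b"Content-Type: application/force-download", b"",
    PDF_BYTES,
    MARK, b'Content-Disposition: form-data; name="OverwriteSingle"', b"",
    b"on",
    MARK + b"--", b"",
])

if __name__ == "__main__":
    for field, fname, data in extract_uploads(SAMPLE_BODY, BOUNDARY):
        print(field, fname, len(data), "bytes")   # pass data to scan_bytes() to scan
```

scan_bytes() needs clamscan on the PATH; the extraction step runs without it.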