Please find the pcap file attached. This particular run had 19 failures and then the 20th time I received the expected response. I'll analyze it on my end too but don't have much experience at this so a little help is definitely appreciated.

On Mon, May 8, 2017 at 4:43 PM, Cory Parrish <[email protected]> wrote:

> Thanks for the response Steven. I will get the information that you are
> looking for.
>
> What I have done in the meantime, is set up a retry of the scan with a 50
> ms delay until I receive an expected response (i.e. non FIN packet). What I
> have found is that I always eventually get the expected response within 10
> tries.
>
> *Is There A Timing Issue?*
> I am immediately sending data after I get an ack back that I am connected
> on the socket. So I don't think there is a timing issue but it would be
> nice to find a way to test this. Do you know if there is a configuration I
> can set to increase this wait time? I haven't seen one in the
> configurations.
>
> Thanks again for your help!!
>
> On Mon, May 8, 2017 at 4:32 PM, Steven Morgan <[email protected]>
> wrote:
>
>> Cory,
>>
>> If you can capture the tcp network traffic for a successful and a failed
>> session and send me the pcap files, I'd be glad to take a look at them.
>>
>> I have noticed that clamd only allows a short delay following tcp
>> connection establishment before receiving a clamd command or else it sends
>> a fin. Is it possible that there is a timing issue?
>>
>> Steve
>>
>> On Mon, May 8, 2017 at 11:35 AM, Cory Parrish <[email protected]>
>> wrote:
>>
>> > Hello, I'm trying to stream a file to clamav (V 0.99.2) using the TCP
>> > Connection from a NodeJS server. Sometimes data is being sent back but
>> > other times I am receiving the "FIN" packet before any data. Every time I
>> > send a stream to be scanned, I see the result in the clamav logs, but for
>> > some reason the result is not getting sent back on the socket consistently.
>> > Oddly enough, if I make clamav send back an error response, I will get the
>> > response 100% of the time. I only see inconsistency when clamav executes
>> > the scan successfully, both when it finds a virus and when it does not find
>> > a virus.
>> >
>> > *A couple things that I have tried:*
>> >
>> > 1. I was wondering if this happens on very small files. So I increased the
>> > size of the file to over 500k and I still saw the same results.
>> >
>> > 2. Next I was wondering if it might happen when clamav uses its cache to
>> > determine that a file has already been scanned. So I changed the
>> > DisableCache configuration to 'yes' and still saw the same thing.
>> >
>> > Has anyone seen a problem like this in the past? Are there tests proving
>> > the socket communication is working correctly? Please let me know what
>> > information you would need to assist.
>> >
>> > *Attachments*
>> > clamd.conf - configuration used for the clam daemon.
>> > test-file.txt - the file I am streaming to clamav.
>> >
>> > Thanks so much for any help you can provide!
>> >
>> > --
>> > Cory Parrish
>> > Owner, Developer, and Fellow Geek
>> > StriveNine
>> >
>> > _______________________________________________
>> > clamav-users mailing list
>> > [email protected]
>> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>> >
>> > Help us build a comprehensive ClamAV guide:
>> > https://github.com/vrtadmin/clamav-faq
>> >
>> > http://www.clamav.net/contact.html#ml
>
> --
> Cory Parrish
> Owner, Developer, and Fellow Geek
> StriveNine

--
Cory Parrish
Owner, Developer, and Fellow Geek
StriveNine
