Well, let me tell you.
There are a lot of strings ("php files") considered as viruses, and yes, there is a BIG string blacklist.
I did scan the uploaded files, in which users may upload harmful phpshell scripts.

But as you know, when a hacker knows that you blocked one way, he will start thinking about another way.
Now, he can open his cPanel or WordPress file management, create a new empty file, copy and paste the PHP code inside it, change the extension to .php, and that is it!

But if I scan the POSTED string data with clam, then it will find that he posted a script for which we already have a huge, daily updated blacklist database.

And we will stop the saving process.

See, that is what I am looking for.

On Tue, Feb 23, 2010 at 8:41 AM, Ryan Barnett <Ryan.Barnett@breach.com> wrote:

I understand what you want to do but not why. What are you expecting clamav to find? AV is mainly looking for executable binary code which may be present in webapps when they allow external file attachments. In your case, you are talking about text strings so ModSecurity can do it. The issue may be what blacklist to use. Does anyone using clamav know if it has a text string blacklist feature built-in?




Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett@Breach.com
www.Breach.com


From: beshoo
To: Ryan Barnett
Sent: Tue Feb 23 01:24:48 2010

Subject: Re: [mod-security-users] How to Scan Post Data with ClamAv "Not The Upload File"
I want to scan the POST text strings, but with clam, not with a ModSecurity regex pattern; that is my target!

On Tue, Feb 23, 2010 at 8:17 AM, Ryan Barnett <Ryan.Barnett@breach.com> wrote:

Are you wanting to look for text strings or was there some specific clamav feature you wanted? If the client is not using multipart content-type to upload a file attachment, then I am not sure what AV feature you need. If you only want to look at text strings then you don't need clamav, as you can use @pm/@pmFromFile and pass it a list of blacklist strings to run against the request_body variable.

Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett@Breach.com
www.Breach.com
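
The @pm/@pmFromFile approach described in the reply above, as an added example that is not part of the original thread: a phrase list run against the raw POST body and against the parsed parameters. The rule ids, the file name php-shell-phrases.txt and the messages are assumptions for illustration.

```apache
# Added example, not from the thread. Rule ids, the phrase file name and the
# messages are placeholders chosen for illustration.

# ModSecurity only sees POST content when request body buffering is enabled.
SecRequestBodyAccess On

# Form posts (application/x-www-form-urlencoded), such as the save request of
# a web-based file editor: REQUEST_BODY holds the raw, still percent-encoded
# body, so decode it before phrase matching. The phrase file holds one phrase
# per line; @pmFromFile matching is case-insensitive.
SecRule REQUEST_BODY "@pmFromFile php-shell-phrases.txt" \
    "id:900100,phase:2,t:none,t:urlDecodeUni,log,deny,status:403,\
    msg:'Blacklisted phrase in POST body'"

# The same list against the parsed parameters, which ModSecurity has already
# URL-decoded. This also covers text fields sent as multipart/form-data,
# which never appear in FILES_TMPNAMES because they are not file uploads.
SecRule ARGS "@pmFromFile php-shell-phrases.txt" \
    "id:900101,phase:2,t:none,log,deny,status:403,\
    msg:'Blacklisted phrase in request parameter',\
    logdata:'%{MATCHED_VAR_NAME}'"
```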


From: beshoo
To: Jamuse
Cc: mod-security-users@lists.sourceforge.net
Sent: Tue Feb 23 00:57:49 2010
Subject: Re: [mod-security-users] How to Scan Post Data with ClamAv "Not The Upload File"
As I said in the email that I sent, I don't want to scan the uploaded files. The posted data did not save anything to /tmp FILES_TMPNAMES; I am sure there is another way to scan the raw POST, again not the uploaded files.

thank you :)

On Tue, Feb 23, 2010 at 7:50 AM, Jamuse <jamuse@gmail.com> wrote:
Take a look at the modsec-clamscan.pl script in the modsecurity util directory. You can invoke the script with something like:

SecRule FILES_TMPNAMES "@inspectFile /opt/modsecurity/bin/modsec-clamscan.pl" \
    phase:2,t:none,log,block

- J

On Tue, Feb 23, 2010 at 5:58 AM, beshoo <beshoo@gmail.com> wrote:
Dear users, I need to scan any POSTED data with ClamAV,
e.g.:
User opens cPanel.

Creates a new file in cPanel.

Edits the file with the cPanel editor.

Copies and pastes the code, such as PhpShell code.

Saves the file. :)

I need to scan the POST data with ClamAV.
