#110 Eicar virus eicar with .doc extension not detected by virus_scan + clamav_mod

Milestone: modules-0.3.x
Status: open
Owner: nobody
Labels: None
Priority: 2
Updated: 2018-09-24
Created: 2018-09-19
Private: No

I have a setup on Debian 8 with Squid3, c-icap 0.3.42 and the virus_scan and clamav modules:

ii c-icap 1:0.3.4-2 amd64 ICAP server implementation
ii libc-icap-mod-clamav 1:0.3.2-2 all transitional dummy package
ii libc-icap-mod-virus-scan 1:0.3.2-2+b1 amd64 Antivirus Service for c-icap

Most things work, but when I try the eicar virus with different file endings I notice that if I call it "eicar.doc" the virus is not detected, while other extensions like .jpg, .docx, .txt and others work fine.
Would some kind person please tell me why, or how to make sure it gets detected properly?
Any tip appreciated.

In virus_scan.conf I have:
virus_scan.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE

I can see that squid makes a request to scan the file in: /var/log/c-icap/access.log
But no detection in: /var/log/c-icap/server.log. Why is that?

If I scan the file manually with clamscan I get:
$ clamscan eicar.doc
eicar.doc: Eicar-Test-Signature FOUND

Kind regards,
Goran Brannstrom

Discussion

  • Goran Brannstrom

    When I added the line below the eicar virus with ".doc" extension is now detected:
    virus_scan.VirScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE

    But this option, I thought, should only be used for "Viralator mode"?
    I have this setting: virusscan.StartSendPercentDataAfter 2M
    But have not turned on: virusscan.VirHTTPUrl

    Yet, my tests show that VirScanFileTypes has to have the above setting, or files with extension ".doc" are not scanned. Perhaps this is "expected behavior", but it is not obvious from the documentation.

    Last edit: Goran Brannstrom 2018-09-20
    • chtsanti

      chtsanti - 2018-09-20

      Again, the file extension does not play any role.
      The eicar file should be detected as an ASCII TEXT file.

      If the virus is detected using the virus_scan.VirScanFileTypes configuration parameter, then it should also be detected if you completely remove this line and add the following line:
      virus_scan.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE

      The Viralator mode makes sense only for large files; I do not think it is something you need.
      • Goran Brannstrom

        What you suggest is what didn't work from the beginning. Only when I add:
        virus_scan.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
        ...does it work.
      • Goran Brannstrom

        If I don't need this "Viralator mode", then could you tell me exactly which option(s) turn this "Viralator mode" on/off? I'm not sure myself.

        These are the options I use:

        root@proxy2:/etc/c-icap# grep "^[a-zA-Z]" virus_scan.conf
        Service antivirus_module virus_scan.so
        ServiceAlias srv_clamav virus_scan
        ServiceAlias  avscan virus_scan?allow204=on&sizelimit=off&mode=simple
        virus_scan.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
        virus_scan.SendPercentData 5
        virus_scan.StartSendPercentDataAfter 2M
        virus_scan.MaxObjectSize  5M
        virus_scan.VirScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
        Include clamav_mod.conf
  • Karl Tischler

    Karl Tischler - 2018-09-20

    Hi,
    I assume virus_scan.VirScanFileTypes is a global configuration option. And yes, you are right that office docs would only be detected if the file type option has been set.
  • Goran Brannstrom

    Thanks for the input, Karl. I guess my tests confirm this assumption.
    It is not obvious from the docs exactly which options constitute "Viralator mode".
    But there is nothing like hard-won experience... :-)
  • chtsanti

    chtsanti - 2018-09-20

    c-icap does not recognise the file type using the file extension.
    c-icap checks the file contents to determine the file type.

    If a file named "test.jpeg" is scanned by c-icap, then if you rename this file to "test.doc" it will be scanned too.
  • Goran Brannstrom

    Yet, the fact remains that if I use only:
    virus_scan.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
    Then the eicar virus with extension .txt gets detected, but not if I rename it to eicar.doc.
    So how can the extension not have any bearing?

    If I add:
    virus_scan.VirScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
    Then whether I call the file eicar.txt or eicar.doc, they both get detected.

    Last edit: Goran Brannstrom 2018-09-21
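The point chtsanti makes in this thread (the scan decision is driven by the body's content type, not the extension) and the ScanFileTypes list Goran quotes can be checked with the small model below. It is an added example written for this thread, not c-icap's own code: the magic-number table and the ASCII heuristic are a deliberately simplified stand-in for c-icap's real c-icap.magic rules, and the parsing of the "virus_scan.ScanFileTypes" line is an assumption about the format shown in the thread. The EICAR body is the standard, harmless antivirus test string.

```python
"""Content-based file-type classification in the spirit of c-icap's
virus_scan.ScanFileTypes handling (simplified model, not c-icap's code).

The point it demonstrates: whether a body is scanned depends on the bytes
of the body, never on the file name or its extension.
"""
from typing import Dict, List, Tuple

# Assumed, simplified magic table. c-icap's real rules live in c-icap.magic
# and are far more extensive; the type names match the ones in the thread.
MAGIC: List[Tuple[bytes, str]] = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "MSOFFICE"),  # OLE2 compound file (.doc/.xls)
    (b"GIF87a", "GIF"),
    (b"GIF89a", "GIF"),
    (b"\xff\xd8\xff", "JPEG"),
    (b"MZ", "EXECUTABLE"),            # DOS/PE executable
    (b"\x7fELF", "EXECUTABLE"),       # ELF executable
    (b"PK\x03\x04", "ARCHIVE"),       # zip container (also .docx/.xlsx)
    (b"\x1f\x8b", "ARCHIVE"),         # gzip
]

# The standard EICAR test string (harmless by design); it is plain ASCII.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def is_ascii_text(sample: bytes) -> bool:
    """TEXT if every byte of the sample is printable ASCII or tab/CR/LF."""
    if not sample:
        return False
    return all(32 <= b < 127 or b in (9, 10, 13) for b in sample)


def detect_type(body: bytes, sample_size: int = 512) -> str:
    """Classify a body by its leading bytes: magic first, then TEXT, else DATA."""
    sample = body[:sample_size]
    for magic, ftype in MAGIC:
        if sample.startswith(magic):
            return ftype
    return "TEXT" if is_ascii_text(sample) else "DATA"


def parse_scan_file_types(conf_line: str) -> List[str]:
    """Parse 'virus_scan.ScanFileTypes TEXT DATA ...' into its type list.

    The line format is taken from the thread; handling of other directives
    is out of scope for this model.
    """
    key, _, rest = conf_line.strip().partition(" ")
    if key != "virus_scan.ScanFileTypes":
        raise ValueError("expected a virus_scan.ScanFileTypes line, got %r" % key)
    return rest.split()


def should_scan(filename: str, body: bytes, scan_types: List[str]) -> bool:
    """Decide whether the body is handed to the scanner.

    filename is accepted only to make the point explicit: it is never consulted.
    """
    return detect_type(body) in scan_types


def classify_report(files: Dict[str, bytes], scan_types: List[str]) -> Dict[str, Tuple[str, bool]]:
    """Map each (constructed) file name to (detected type, would be scanned)."""
    return {name: (detect_type(body), should_scan(name, body, scan_types))
            for name, body in files.items()}


SCAN_TYPES = parse_scan_file_types(
    "virus_scan.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE")

# Constructed sample bodies: the same EICAR bytes under three names, plus a
# minimal OLE2 header and an opaque binary blob for contrast.
SAMPLE_FILES: Dict[str, bytes] = {
    "eicar.txt": EICAR,
    "eicar.doc": EICAR,
    "eicar.jpg": EICAR,
    "real.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "blob.bin": b"\x00\x01\x02\x03binary",
}

if __name__ == "__main__":
    for name, (ftype, scanned) in classify_report(SAMPLE_FILES, SCAN_TYPES).items():
        print("%-10s type=%-10s scanned=%s" % (name, ftype, scanned))
```

Running the report shows every eicar.* entry classified as TEXT and queued for scanning regardless of the extension, and blob.bin classified as DATA (still scanned here because DATA is in the list). If a body you expect to be scanned is not, the useful debugging step is to check which type c-icap assigns to its first bytes, rather than to rename the file.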
