Tags: squid, virus, clamav

Clamav receives modified file for scanning from C-ICAP proxy


I have planted the EICAR test file in the application, which is behind a C-ICAP SquidClamav proxy. The proxy is redirecting specific traffic to ClamAV for virus scanning. The issue is that the file is not marked as a virus, because it is received in lowercase. The source file is uppercase, of course, and once downloaded it is blocked by the local machine's antivirus. All of the involved parties (app, proxy, ClamAV) reside in a Kubernetes cluster as separate pods.

I configured ClamAV to keep temporary files. I scanned the files for the 'eicar' string and printed the output (screenshot: temporary file content). I assume that it is the proxy that is modifying the file. How can I verify and fix that?


Solution

  • I think I found the answer. The content of the file is converted to lowercase by ClamAV itself, using this code: https://opensource.apple.com/source/clamav/clamav-158/clamav.Bin/clamav-0.98/libclamav/textnorm.c.auto.html.

    The issue with ClamAV not detecting the EICAR test file must be somewhere else.
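As an added example, not part of the question or the answer above, here is a small Python check for the verification step the question asks about: fetch the same object once directly from the application pod and once through the Squid/C-ICAP proxy, then compare the two bodies byte for byte. If they are identical, a lowercased copy in ClamAV's temporary directory is ClamAV's own text normalisation rather than a proxy rewrite; if they differ only in letter case, the case folding happens before ClamAV sees the file. The sample bodies below are constructed stand-ins (not the EICAR string), and the function and variable names are this example's own.

```python
import hashlib

# Constructed sample bodies: stand-ins for the same object fetched directly
# from the application and through the proxy. Not the EICAR string.
DIRECT_BODY = b"X-TEST-PAYLOAD-FOR-PROXY-COMPARISON-12345"
PROXIED_BODY_SAME = bytes(DIRECT_BODY)          # proxy passed the bytes through
PROXIED_BODY_LOWER = DIRECT_BODY.lower()        # proxy (hypothetically) case-folded it


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a body; handy for comparing copies pulled on different pods."""
    return hashlib.sha256(data).hexdigest()


def compare_bodies(direct: bytes, proxied: bytes) -> dict:
    """Compare a file fetched directly with the same file fetched through the proxy.

    The report says whether the bytes are identical, whether the only
    difference is letter case (the symptom of a normalised copy rather than a
    rewritten one), and the offset of the first differing byte.
    """
    identical = direct == proxied
    first_diff = next(
        (i for i, (a, b) in enumerate(zip(direct, proxied)) if a != b), None
    )
    # Same prefix but different lengths: the first difference is where the
    # shorter body ends.
    if first_diff is None and len(direct) != len(proxied):
        first_diff = min(len(direct), len(proxied))
    case_only = (not identical) and direct.lower() == proxied.lower()
    return {
        "identical": identical,
        "direct_sha256": sha256_hex(direct),
        "proxied_sha256": sha256_hex(proxied),
        "first_diff_offset": first_diff,
        "case_only_difference": case_only,
        "length_direct": len(direct),
        "length_proxied": len(proxied),
    }


def verdict(report: dict) -> str:
    """Turn the comparison report into a one-line conclusion."""
    if report["identical"]:
        return "proxy passes the body unchanged; a lowercased temp file is ClamAV's own normalisation"
    if report["case_only_difference"]:
        return "proxy delivers a case-folded copy; the rewrite happens before ClamAV sees it"
    return "proxy alters the body beyond case; inspect the ICAP service configuration"


if __name__ == "__main__":
    # In practice, read the two bodies from files saved by two fetches
    # (one direct, one with the proxy in the path) instead of these samples.
    for label, proxied in (("pass-through", PROXIED_BODY_SAME), ("lowercased", PROXIED_BODY_LOWER)):
        report = compare_bodies(DIRECT_BODY, proxied)
        print(f"{label}: {verdict(report)} (first diff at {report['first_diff_offset']})")
```

Save the direct and proxied downloads to two files, load them as bytes, and pass them to `compare_bodies`; the SHA-256 values in the report can also be compared against a hash computed inside the ClamAV pod on the kept temporary file, which separates what the proxy delivered from what ClamAV wrote to disk during its scan.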