Closed Evil2000 closed 11 months ago
Here's the debug log from clamav-rest-api:
> clamav-rest-api@1.2.1 start
> node src/app.js
node-clam: DEBUG MODE ON
node-clam: Could not verify the clamdscan binary. [Error: ENOENT: no such file or directory, access '/usr/bin/clamdscan'] {
errno: -2,
code: 'ENOENT',
syscall: 'access',
path: '/usr/bin/clamdscan'
}
node-clam: Could not verify the clamscan binary. [Error: ENOENT: no such file or directory, access '/usr/bin/clamscan'] {
errno: -2,
code: 'ENOENT',
syscall: 'access',
path: '/usr/bin/clamscan'
}
node-clam: Initially testing socket/tcp connection to clamscan server.
node-clam: Attempting to establish socket/TCP connection for "_ping"
node-clam: using remote server: 192.168.4.54:3310
node-clam: Established connection to clamscan server!
node-clam: PONG!
node-clam: Established connection to clamscan server!
Server started on PORT: 8080
node-clam: Socket/Host connection closed.
node-clam: Provided stream is readable.
node-clam: Attempting to establish socket/TCP connection for "scanStream"
node-clam: using remote server: 192.168.4.54:3310
node-clam: Received final data from stream.
node-clam: The input stream has dried up.
node-clam: ClamAV is done scanning.
node-clam: Raw Response:
node-clam: Error Response:
node-clam: File may be INFECTED!
node-clam: Provided stream is readable.
node-clam: Attempting to establish socket/TCP connection for "scanStream"
node-clam: Socket/Host connection closed.
node-clam: ClamAV socket has been closed! false
node-clam: using remote server: 192.168.4.54:3310
node-clam: Received final data from stream.
node-clam: The input stream has dried up.
node-clam: ClamAV is done scanning.
node-clam: Raw Response:
node-clam: Error Response:
node-clam: File may be INFECTED!
node-clam: Provided stream is readable.
node-clam: Attempting to establish socket/TCP connection for "scanStream"
node-clam: Socket/Host connection closed.
node-clam: ClamAV socket has been closed! false
node-clam: using remote server: 192.168.4.54:3310
node-clam: Received final data from stream.
node-clam: The input stream has dried up.
node-clam: ClamAV is done scanning.
node-clam: Raw Response:
node-clam: Error Response:
node-clam: File may be INFECTED!
::ffff:172.17.0.1 - - [07/Aug/2023:13:43:41 +0000] "POST /api/v1/scan HTTP/1.1" 200 203 "-" "curl/8.0.1"
node-clam: Socket/Host connection closed.
node-clam: ClamAV socket has been closed! false
I had a look into the network transfer and observed that the clamscan client closes the TCP connection to the clamd socket before clamd is able to send a response. Here in detail:
No. Time Source Destination Protocol Length Info
1 0.000000 192.168.4.54 192.168.4.54 TCP 56 63890 → 3310 [SYN] Seq=0 Win=65535 Len=0 MSS=65495 WS=256 SACK_PERM
--[ At this point the clamscan client starts a new TCP connection to clamd. ]--
2 0.000139 192.168.4.54 192.168.4.54 TCP 56 3310 → 63890 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=65495 WS=256 SACK_PERM
3 0.000222 192.168.4.54 192.168.4.54 TCP 44 63890 → 3310 [ACK] Seq=1 Ack=1 Win=2619648 Len=0
--[ At this point the TCP connection is established. Now clamscan starts to send a file... ]--
4 0.011743 192.168.4.54 192.168.4.54 TCP 370 63890 → 3310 [PSH, ACK] Seq=1 Ack=1 Win=2619648 Len=326
--[ ... file is sent and clamd ACKs. Fine. ]--
5 0.011787 192.168.4.54 192.168.4.54 TCP 44 3310 → 63890 [ACK] Seq=1 Ack=327 Win=2619648 Len=0
6 0.015179 192.168.4.54 192.168.4.54 TCP 44 63890 → 3310 [FIN, ACK] Seq=327 Ack=1 Win=2619648 Len=0
--[ Wait, now clamscan is closing the connection, but no response from clamd has been received yet. ]--
7 0.015241 192.168.4.54 192.168.4.54 TCP 44 3310 → 63890 [ACK] Seq=1 Ack=328 Win=2619648 Len=0
--[ At this point the TCP connection is closed ]--
8 0.045350 192.168.4.54 192.168.4.54 TCP 79 3310 → 63890 [PSH, ACK] Seq=1 Ack=328 Win=2619648 Len=35
--[ Now, clamd has finished scanning, and wants to send the response, but connection is closed. Reset will be sent. ]--
9 0.045412 192.168.4.54 192.168.4.54 TCP 44 63890 → 3310 [RST, ACK] Seq=328 Ack=36 Win=0 Len=0
This might be fixed with the provided code change. I successfully tested it.
Thanks for your contribution! I really appreciate that! I will have a look at your PR when I come back from vacation.
Hi folks,
I would like to mention that issue #45 doesn't seem to be resolved. Today I pulled clamav:latest and clamav-rest-api:latest from Docker Hub and started both.
When firing the curl request with three eicar files it returns
"is_infected":null
every time, but clamav is detecting it right (log entry):
Mon Aug 7 12:38:37 2023 -> instream(172.17.0.1@33300): Win.Test.EICAR_HDB-1 FOUND
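The empty `Raw Response:` in the debug log and the `"is_infected":null` result reported in this thread, as an added example (not code from node-clam or clamav-rest-api; the function names and result fields are hypothetical). It frames a payload for clamd's INSTREAM command and classifies the reply so that an empty reply is a scan error and the caller fails closed.

```javascript
// Added example: clamd INSTREAM framing and fail-closed reply handling.
// Function names and result fields are hypothetical, not node-clam's API.

// Frame a payload for clamd: "zINSTREAM\0", then <4-byte big-endian length><data>
// chunks, then a zero-length chunk that marks the end of the stream.
function buildInstreamFrames(payload, chunkSize = 64 * 1024) {
  const frames = [Buffer.from('zINSTREAM\0', 'latin1')];
  for (let off = 0; off < payload.length; off += chunkSize) {
    const chunk = payload.subarray(off, off + chunkSize);
    const len = Buffer.alloc(4);
    len.writeUInt32BE(chunk.length, 0);
    frames.push(len, chunk);
  }
  frames.push(Buffer.alloc(4)); // terminator: length 0
  return Buffer.concat(frames);
}

// Classify the bytes read from clamd before the socket closed.
// An empty or unrecognised reply is a scan failure, never a verdict.
function parseClamdReply(raw) {
  const text = raw.toString('utf8').replace(/\0+$/, '').trim();
  if (text === '') {
    return { status: 'error', isInfected: null, viruses: [],
      reason: 'empty reply (socket closed before clamd answered)' };
  }
  const found = text.match(/^stream: (.+) FOUND$/);
  if (found) return { status: 'infected', isInfected: true, viruses: [found[1]], reason: null };
  if (text === 'stream: OK') return { status: 'clean', isInfected: false, viruses: [], reason: null };
  return { status: 'error', isInfected: null, viruses: [], reason: text };
}

// Gate for an upload handler: accept only an explicit clean verdict.
function mayAcceptUpload(result) {
  return result.status === 'clean' && result.isInfected === false;
}

// Constructed sample replies: the empty "Raw Response:" from the debug log,
// the signature from the clamd log entry, a clean reply and a clamd error.
const samples = ['', 'stream: Win.Test.EICAR_HDB-1 FOUND\0', 'stream: OK\0',
  'INSTREAM size limit exceeded. ERROR\0'];
for (const s of samples) {
  const r = parseClamdReply(Buffer.from(s));
  console.log(JSON.stringify(s), '->', r.status, 'accept:', mayAcceptUpload(r));
}
```

The client has to keep reading until clamd's reply arrives before it closes the socket; otherwise only the empty-reply branch is ever reached.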