benzino77 / clamav-rest-api

ClamAV REST API. Scan files using simple POST request.
MIT License
105 stars 37 forks

"is_infected":null returned on any request, even if virus is found #49

Closed (Evil2000 closed this issue 11 months ago)

Evil2000 commented 11 months ago

Hi folks,

I would like to mention that issue #45 doesn't seem to be resolved. Today I pulled clamav:latest and clamav-rest-api:latest from Docker Hub and started both.

$ docker run --detach --publish 8080:8080 \
--name rest-api \
-e NODE_ENV=production \
-e APP_FORM_KEY=files \
-e APP_MAX_FILE_SIZE=1073741824 \
-e APP_PORT=8080 \
-e CLAMD_IP=192.168.4.54 \
benzino77/clamav-rest-api

ce995ce2b7d043d84864dde83ceba71f6704254cefd5efdbb8dc2f09ba997d19

When firing the curl request with three eicar files it returns "is_infected":null every time:

$ curl -X POST http://localhost:8080/api/v1/scan -F files=@eicarcom2.zip -F files=@eicarcom2.zip -F files=@eicarcom2/eicar_com.zip
{"success":true,"data":{"result":[{"name":"eicarcom2.zip","is_infected":null,"viruses":[]},{"name":"eicarcom2.zip","is_infected":null,"viruses":[]},{"name":"eicar_com.zip","is_infected":null,"viruses":[]}]}}

but clamav is detecting it right (log entry): Mon Aug 7 12:38:37 2023 -> instream(172.17.0.1@33300): Win.Test.EICAR_HDB-1 FOUND

Evil2000 commented 11 months ago

Here's the debug log from clamav-rest-api:

> clamav-rest-api@1.2.1 start
> node src/app.js
node-clam: DEBUG MODE ON
node-clam: Could not verify the clamdscan binary. [Error: ENOENT: no such file or directory, access '/usr/bin/clamdscan'] {
  errno: -2,
  code: 'ENOENT',
  syscall: 'access',
  path: '/usr/bin/clamdscan'
}
node-clam: Could not verify the clamscan binary. [Error: ENOENT: no such file or directory, access '/usr/bin/clamscan'] {
  errno: -2,
  code: 'ENOENT',
  syscall: 'access',
  path: '/usr/bin/clamscan'
}
node-clam: Initially testing socket/tcp connection to clamscan server.
node-clam: Attempting to establish socket/TCP connection for "_ping"
node-clam: using remote server: 192.168.4.54:3310
node-clam: Established connection to clamscan server!
node-clam: PONG!
node-clam: Established connection to clamscan server!
Server started on PORT: 8080
node-clam: Socket/Host connection closed.
node-clam: Provided stream is readable.
node-clam: Attempting to establish socket/TCP connection for "scanStream"
node-clam: using remote server: 192.168.4.54:3310
node-clam: Received final data from stream.
node-clam: The input stream has dried up.
node-clam: ClamAV is done scanning.
node-clam: Raw Response:   
node-clam: Error Response:  
node-clam: File may be INFECTED!
node-clam: Provided stream is readable.
node-clam: Attempting to establish socket/TCP connection for "scanStream"
node-clam: Socket/Host connection closed.
node-clam: ClamAV socket has been closed! false
node-clam: using remote server: 192.168.4.54:3310
node-clam: Received final data from stream.
node-clam: The input stream has dried up.
node-clam: ClamAV is done scanning.
node-clam: Raw Response:   
node-clam: Error Response:  
node-clam: File may be INFECTED!
node-clam: Provided stream is readable.
node-clam: Attempting to establish socket/TCP connection for "scanStream"
node-clam: Socket/Host connection closed.
node-clam: ClamAV socket has been closed! false
node-clam: using remote server: 192.168.4.54:3310
node-clam: Received final data from stream.
node-clam: The input stream has dried up.
node-clam: ClamAV is done scanning.
node-clam: Raw Response:   
node-clam: Error Response:  
node-clam: File may be INFECTED!
::ffff:172.17.0.1 - - [07/Aug/2023:13:43:41 +0000] "POST /api/v1/scan HTTP/1.1" 200 203 "-" "curl/8.0.1"
node-clam: Socket/Host connection closed.
node-clam: ClamAV socket has been closed! false

Evil2000 commented 11 months ago

I had a look into the network transfer and observed that the clamscan client closes the TCP connection to the clamd socket before clamd is able to send a response. Here in detail:

No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       192.168.4.54          192.168.4.54          TCP      56     63890 → 3310 [SYN] Seq=0 Win=65535 Len=0 MSS=65495 WS=256 SACK_PERM
--[ At this point the clamscan client starts a new TCP connection to clamd. ]--
      2 0.000139       192.168.4.54          192.168.4.54          TCP      56     3310 → 63890 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=65495 WS=256 SACK_PERM
      3 0.000222       192.168.4.54          192.168.4.54          TCP      44     63890 → 3310 [ACK] Seq=1 Ack=1 Win=2619648 Len=0
--[ At this point the TCP connection is established. Now clamscan starts to send a file... ]--
      4 0.011743       192.168.4.54          192.168.4.54          TCP      370    63890 → 3310 [PSH, ACK] Seq=1 Ack=1 Win=2619648 Len=326
--[ ... file is sent and clamd ACKs. Fine. ]--
      5 0.011787       192.168.4.54          192.168.4.54          TCP      44     3310 → 63890 [ACK] Seq=1 Ack=327 Win=2619648 Len=0
      6 0.015179       192.168.4.54          192.168.4.54          TCP      44     63890 → 3310 [FIN, ACK] Seq=327 Ack=1 Win=2619648 Len=0
--[ Wait, now clamscan is closing the connection, but no response from clamd has been received yet. ]--
      7 0.015241       192.168.4.54          192.168.4.54          TCP      44     3310 → 63890 [ACK] Seq=1 Ack=328 Win=2619648 Len=0
--[ At this point the TCP connection is closed ]--
      8 0.045350       192.168.4.54          192.168.4.54          TCP      79     3310 → 63890 [PSH, ACK] Seq=1 Ack=328 Win=2619648 Len=35
--[ Now, clamd has finished scanning, and wants to send the response, but connection is closed. Reset will be sent. ]--
      9 0.045412       192.168.4.54          192.168.4.54          TCP      44     63890 → 3310 [RST, ACK] Seq=328 Ack=36 Win=0 Len=0

Evil2000 commented 11 months ago

This might be fixed with the provided code change. I successfully tested it.

benzino77 commented 11 months ago

Thanks for your contribution! I really appreciate that! I will have a look at your PR when I come back from vacation.