Mahara 1.4 + Clamav doesn't work
29 July 2011, 6:40
We have Mahara 1.4 and we are trying to use ClamAV 0.97 virus scanning. Clamdscan and clamscan work fine from the Linux terminal when trying the eicar test file. When loading the eicar test file to Mahara, clam scans the file but tells us that everything is OK, so it doesn't recognize the test virus. clamd.log says that /tmp/phpr56fh OK. We have CentOS 5.6 64-bit, PHP 5.3.6, Apache 2.219 and MySQL 5.5.15. Virus checking and the path to clam are OK in the Mahara settings. ClamAV is installed from rpm. Should clam really work with Mahara 1.4?
29 July 2011, 8:13
Hi Jukka,
I've just tested this with Mahara 1.4 successfully. What settings do you have for clam?
I'm using Debian Squeeze with clamav and clamav-daemon 0.97+dfsg-2~squeeze1. Path to clamscan is set to /usr/bin/clamdscan and I have virus checking enabled. I've also confirmed that it works using /usr/bin/clamscan too.
Here are the relevant contents of my /var/log/clamav/clamav.log:
Fri Jul 29 14:07:27 2011 -> /tmp/phpLeaFmi: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Andrew
01 August 2011, 0:17
Hi Andrew
Clam settings are almost at defaults. I have only enabled logging to /var/log/clamav, disabled syslog and enabled LogClean.
Still, clamdscan and clamscan can find eicar as a virus when trying in the terminal, but when loading eicar to Mahara, clam scans it but claims it is not a virus.
Another stupid question too. How do I remove virus files when found? From the terminal it is clamscan --remove, but I cannot use --remove in Mahara. Is there a clamd.conf setting for that?
~ Jukka ~
01 August 2011, 3:23
Hi Jukka,
Mahara will do that itself. If a virus is detected in an uploaded file, a notification is sent to the site administration, and the file will be moved to the quarantine directory. This is a directory within your dataroot. This is so that you may manually inspect any reported virus files and it should be safe to empty this directory if you wish.
The fact that you're seeing some action in your clam log means that Mahara is doing something, and that clamscan is being called as you expect.
If you're up for some PHP hacking to try and track down the root of the issue, point yourself at htdocs/lib/uploadmanager.php.
The function you want to look at is mahara_clam_scan_file(). I'd start by adding:
log_info($cmd);
log_info($output);
log_info($return);
after the exec call (line 285 ish).
You should expect to see something like:
/usr/bin/clamscan /tmp/phpXXXX 2>&1
<the output of your clamscan here>
1
Hopefully this should give some indication as to the cause of the problem.
One other thought -- have you tried running clamscan on the file whilst running as your web server's user? I'm not overly familiar with CentOS (I'm a Debian man) but in Debian I'd do:
sudo su - www-data
clamdscan /tmp/eicar.com
clamscan /tmp/eicar.com
Also, if you can pop in to the #mahara IRC channel, you may find it useful too :)
All the best,
Andrew
01 August 2011, 4:16
Hi Andrew
It works now and has been working all the time. I have just been a little stupid, maybe because I just came back from summer holiday :o|. My Windows Seven workstation just cleaned the eicar test file even though I had shut down the antivirus program, and after that I tried to load eicar to Mahara and of course clamav didn't find anything.
Sorry
~ Jukka ~
01 August 2011, 4:29
Hi Jukka,
It's all good :) I was getting worried that we'd broken AntiVirus in Mahara - I even started working on some unit tests so that we can check for such breakages so it's spurred me on to do something I've been meaning to start for a while.
Glad that you have it working and good luck with your Mahara experience :)
Andrew
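
The root cause in this thread was that the test file had been altered on the workstation before it reached the scanner. The following is an added example, not part of the thread and not Mahara code: it confirms a sample is still the unmodified test file before blaming the scanner, using the MD5 and size from the clamav.log line Andrew quoted, and interprets the clamscan/clamdscan exit status he expected to see (1). The function names are hypothetical, and GNU coreutils `md5sum` is assumed.

```shell
#!/bin/sh
# Added example (not Mahara code). MD5 and size are the "md5:size" pair from
# the Eicar-Test-Signature log line quoted earlier in this thread.
EICAR_MD5="44d88612fea8a8f36de82e1278abb02f"
EICAR_SIZE=68

# sample_is_intact FILE: 0 if FILE is still the unmodified test file,
# 1 if it was altered (e.g. emptied by a desktop AV), 2 if it is missing.
sample_is_intact() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    size=$(wc -c < "$f" | tr -d ' ')
    md5=$(md5sum "$f" | cut -d' ' -f1)
    if [ "$size" -eq "$EICAR_SIZE" ] && [ "$md5" = "$EICAR_MD5" ]; then
        echo "intact"
        return 0
    fi
    echo "altered: size=$size md5=$md5"
    return 1
}

# clam_verdict RC: meaning of the clamscan/clamdscan exit status.
clam_verdict() {
    case $1 in
        0) echo "clean" ;;
        1) echo "infected" ;;
        2) echo "scanner-error" ;;
        *) echo "unknown" ;;
    esac
}

# check_upload FILE [SCANNER]: succeeds only when the sample is intact AND
# the scanner flags it. SCANNER defaults to clamscan.
check_upload() {
    f=$1
    scanner=${2:-clamscan}
    sample_is_intact "$f" || return 1
    rc=0
    "$scanner" "$f" >/dev/null 2>&1 || rc=$?
    echo "scanner: $(clam_verdict "$rc")"
    [ "$rc" -eq 1 ]
}
```

Source the file as the web server's user and run, for instance, `check_upload /tmp/eicar.com clamdscan`; an "altered" result means the file changed before the scanner ever saw it.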