modsecurity_uploadscan doesn't seem to be working for me

Saif.H (Verified User, joined Mar 11, 2021, 6 messages)
Hi,

ModSecurity upload scan through ClamAV doesn't seem to be working on my server. ModSecurity and ClamAV are both working fine, though.
The options.conf values are as follows:


#ClamAV-related Settings
clamav=yes
clamav_exim=yes
modsecurity_uploadscan=yes
proftpd_uploadscan=yes
pureftpd_uploadscan=yes
suhosin_php_uploadscan=yes

#WEB Server Settings
unit=no
webserver=nginx_apache
http_methods=ALL
litespeed_serialno=trial
modsecurity=yes
modsecurity_ruleset=comodo
apache_ver=2.4
apache_mpm=auto
mod_ruid2=yes
userdir_access=no
harden_symlinks_patch=yes
use_hostname_for_alias=no
redirect_host=xxx.xxx.xxx
redirect_host_https=no

I have tried rebuilding modsecurity, clamav and nginx_apache, but still no luck. I can still upload EICAR test files and shells/malware through a PHP uploader, and during the upload I don't see anything getting logged to modsec_audit.log.

What am I doing wrong here? I haven't tried changing the webserver yet. Is nginx_apache the issue here? Could you please try and check whether uploadscan is working perfectly on your server?

Thanks.
 
Hi,

I have checked and verified that the upload scan works fine with openlitespeed and apache but doesn't seem to work while I use nginx_apache. Is there any workaround for this?

Thanks.
 
Hi,

Just tested the mod_security "upload scan" functionality, but it doesn't seem to work with either the nginx_apache or nginx configs:

Bash:
cd /usr/local/directadmin/custombuild
./build update
./build set clamav yes
./build clamav
./build set modsecurity yes
./build set modsecurity_uploadscan yes
./build set modsecurity_ruleset "comodo"
./build modsecurity
./build modsecurity_rules
./build rewrite_confs

Is anyone familiar with this issue, or is this normal behavior and this combination simply not possible? E.g., the page https://docs.directadmin.com/webservices/apache/modsecurity.html seems to suggest it should be possible.

Please note, mod_security and clamav are working, but the upload scan doesn't. Tested using a browser-based upload (HTTP POST) with malware test files from: https://www.eicar.org/download-anti-malware-testfile/

The issue is not caused by clamav; it's detecting properly:

Bash:
# clamscan eicar_com.zip
Loading:    20s, ETA:   0s [========================>]    8.62M/8.62M sigs
Compiling:   4s, ETA:   0s [========================>]       41/41 tasks

/root/eicar_com.zip: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8624578
Engine version: 0.104.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 26.841 sec (0 m 26 s)
Start Date: 2022:07:28 14:23:34
End Date:   2022:07:28 14:24:01
Thanks!
 
In addition:

JSON output when checking remains like this:
JSON:
{
    "SecRuleRemoveById" :
    [
    ],
    "comments":
    {
    },
    "flags":
    {
        "SecRuleEngine": "On"
    },
    "has_override": "no",
    "subdomain_select":
    {
        "0":
        {
            "selected": "yes",
            "text": "Main Domain ...",
            "value": ""
        }
    }
}

Where this flag is expected:

JSON:
"SecFilterScanPOST": "On",

Thanks!
 
Hello,
As per the documentation, the flag needs to go here.

"flags":
{
"SecFilterScanPOST": "On",
"SecRuleEngine": "On"
}

Also, are you setting up the upload scan method globally or per domain?
 

Hi,

It is set globally and using:

Bash:
./build set modsecurity_uploadscan yes

Should set the flag, but it doesn't.
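Whether the build sets the JSON flag or not, what decides if an upload is ever scanned is the ModSecurity configuration Apache actually loads. The following added check (not DirectAdmin's own tooling, and not from any poster above) lints a ModSecurity 2 configuration for the prerequisites an upload scan needs before it can fire; it assumes the stock ModSecurity 2 wiring, a SecRule on FILES_TMPNAMES using the @inspectFile operator to hand each uploaded file to a scanner script, and the file paths and sample configs in it are constructed for illustration.

```python
import re

# Stock ModSecurity 2 directive syntax; SecRule lines are handled separately.
DIRECTIVE_RE = re.compile(r'^\s*(Sec(?!Rule\b)\w+)\s+"?([^"\s]+)"?')
# The rule shape that hands each multipart file part to an external scanner.
INSPECT_RE = re.compile(r'^\s*SecRule\s+FILES_TMPNAMES\s+"@inspectFile\s+([^"\s]+)"', re.I)


def _logical_lines(text):
    """Join backslash-continued lines and drop blank or comment-only lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        stripped = (buf + line).strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            yield stripped


def parse_modsec_config(text):
    """Return ({directive: value}, [scanner scripts referenced by @inspectFile])."""
    directives, scanners = {}, []
    for line in _logical_lines(text):
        m = INSPECT_RE.match(line)
        if m:
            scanners.append(m.group(1))
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            directives[m.group(1)] = m.group(2)
    return directives, scanners


def upload_scan_problems(text):
    """List every reason an upload would be silently skipped; an empty list means the scan is wired up."""
    directives, scanners = parse_modsec_config(text)
    problems = []
    if directives.get("SecRuleEngine", "Off").lower() != "on":
        problems.append("SecRuleEngine is not On (DetectionOnly logs but never blocks)")
    if directives.get("SecRequestBodyAccess", "Off").lower() != "on":
        problems.append("SecRequestBodyAccess is not On: POST bodies, and so uploads, are never read")
    if not scanners:
        problems.append('no SecRule FILES_TMPNAMES "@inspectFile ..." rule: uploads are never handed to a scanner')
    return problems


# Constructed samples: a working wiring, and one where the scan rule was never generated.
SAMPLE_OK = ('SecRuleEngine On\nSecRequestBodyAccess On\nSecTmpDir /tmp\n'
             'SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/example-scan.sh" \\\n'
             '    "id:1000,phase:2,t:none,log,deny,msg:\'upload rejected by scanner\'"\n')
SAMPLE_BROKEN = '# flag present in the panel, but no rule behind it\nSecRuleEngine On\nSecRequestBodyAccess On\n'

if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        print(name, upload_scan_problems(cfg) or "upload scan wired up")
```

Run it against the generated ModSecurity include files on the server; a configuration that yields only "no SecRule ... @inspectFile" matches the symptom in this thread, where nothing at all reaches modsec_audit.log.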
 