Can not upload zip files - Virus detected

Discussion in 'User Experience' started by musioc, Dec 25, 2016.

  1. musioc

    musioc Well-Known Member

    Aug 4, 2011
    Hello dears
    Merry Christmas :)

    I cannot upload this file via the cPanel File Manager.
    I checked the file, many antiviruses marked it as OK, no virus detected.
    This problem occurs for other servers and also other zip files.
    When I unzip the files and upload them one by one, cPanel uploads them without any issue.

    This is the zip file: - Removed -
    We use CloudLinux 6.x and 7.x x86_64 with the latest cPanel/WHM (release) version.
    I have root access

    #1 musioc, Dec 25, 2016
    Last edited by a moderator: Dec 25, 2016
  2. rpvw

    rpvw Well-Known Member

    Jul 18, 2013
    cPanel Access Level:
    Root Administrator
    Clamscan of your file results in:
    # clamscan -ia ~/
    ~/!ZIP:vendor/phpdocumentor/type-resolver/phpmd.xml.dist!...!(72)ZIP:vendor/symfony/console/Resources/bin/hiddeninput.exe: Win.Trojan.Toa-5372190-0 FOUND
    ~/ Win.Trojan.Toa-5372190-0 FOUND
    ----------- SCAN SUMMARY -----------
    Known viruses: 5389274
    Engine version: 0.99.2
    Scanned directories: 0
    Scanned files: 1
    Infected files: 1
    Data scanned: 9.09 MB
    Data read: 7.87 MB (ratio 1.16:1)
    Time: 15.690 sec (0 m 15 s)
    After unzipping (on a Linux box) the resulting clamscan shows:
    # clamscan -ir ~/vendor
    ----------- SCAN SUMMARY -----------
    Known viruses: 5389274
    Engine version: 0.99.2
    Scanned directories: 1061
    Scanned files: 5198
    Infected files: 0
    Data scanned: 28.16 MB
    Data read: 16.57 MB (ratio 1.70:1)
    Time: 17.367 sec (0 m 17 s)
    .... so I have to wonder if there is anything in the zip that is detecting the environment and only triggering the exploit file if it is unzipped or loaded on a Windows box.

    Of course, there is always the possibility that the ClamAV result is a false positive, but there again, there is always the possibility that it is detecting something no one else is!

    Personally, if it was my server, I would always go with the safe option .... if an antivirus showed a zip as having malware embedded within it, I would either destroy the zip, or if I had no choice but to use it, I would take every measure I could to disinfect it before deploying it.
    #2 rpvw, Dec 25, 2016
    Last edited: Dec 26, 2016
    cPanelMichael and Infopro like this.
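
Added example, not part of the thread and not cPanel or ClamAV code: a small Python triage helper that pulls the innermost archive member and signature name out of a `clamscan -ia` FOUND line like the one in the post above, and lists which members of a zip start with the Windows `MZ` executable header. The line shape is assumed from that single output line; `upload.zip`, the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Shape taken from the clamscan -ia line in the post above (an assumption):
#   <file>!ZIP:<member>!...!(72)ZIP:<member>: <signature> FOUND
FOUND_RE = re.compile(r"^(?P<chain>.+): (?P<sig>\S+) FOUND$")

def parse_found(line):
    """Return (innermost_member, signature) from an archive-verbose FOUND line, or None."""
    m = FOUND_RE.match(line.strip())
    if not m or "ZIP:" not in m.group("chain"):
        return None
    member = m.group("chain").rsplit("ZIP:", 1)[1]
    return member, m.group("sig")

def pe_members(zip_bytes):
    """List zip members whose content starts with the DOS/PE 'MZ' magic bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    hits.append(info.filename)
    return hits

def build_sample_zip():
    """Constructed sample: a 64-byte stub with an MZ header, not a real executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("vendor/phpdocumentor/type-resolver/phpmd.xml.dist", "<ruleset/>")
        zf.writestr("vendor/symfony/console/Resources/bin/hiddeninput.exe",
                    b"MZ" + b"\0" * 62)
    return buf.getvalue()

# Constructed line in the shape shown in the post ("upload.zip" is a placeholder name).
SAMPLE_LINE = ("upload.zip!ZIP:vendor/phpdocumentor/type-resolver/phpmd.xml.dist!...!(72)"
               "ZIP:vendor/symfony/console/Resources/bin/hiddeninput.exe: "
               "Win.Trojan.Toa-5372190-0 FOUND")

if __name__ == "__main__":
    member, sig = parse_found(SAMPLE_LINE)
    print(f"{sig} reported in {member}")
    print("PE files in archive:", pe_members(build_sample_zip()))
```
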
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Apr 11, 2011
    cPanel Access Level:
    Root Administrator
    Hello @musioc,

    I concur with the previous post; however, could you elaborate a little more on the quote above? Is this happening for every zip file, or only zip files that produce similar results with the clamscan command referenced in the previous response?

    Thank you.
