Cannot upload zip files - Virus detected

musioc

Hello dears
Merry Christmas :)

I cannot upload this file via the cPanel File Manager.
Error:
The file you uploaded, vendor.zip, contains a virus so the upload was canceled: Win.Trojan.Toa-5372190-0 FOUND
I checked the file; many antivirus products marked it as OK, no virus detected.
This problem occurs for other servers and also other zip files.
When I unzip the files and upload them one by one, cPanel uploads them without any issue.

This is the zip file: - Removed -
We use CloudLinux 6.x and 7.x x86_64 with the latest cPanel/WHM (release) version.
I have root access.

Regards
 

rpvw

Clamscan of your file vendor.zip results in:
Code:
# clamscan -ia ~/vendor.zip
~/vendor.zip!ZIP:vendor/phpdocumentor/type-resolver/phpmd.xml.dist!...!(72)ZIP:vendor/symfony/console/Resources/bin/hiddeninput.exe: Win.Trojan.Toa-5372190-0 FOUND
~/vendor.zip: Win.Trojan.Toa-5372190-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 5389274
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 9.09 MB
Data read: 7.87 MB (ratio 1.16:1)
Time: 15.690 sec (0 m 15 s)
After unzipping (on a Linux box), the resulting clamscan shows:
Code:
# clamscan -ir ~/vendor

----------- SCAN SUMMARY -----------
Known viruses: 5389274
Engine version: 0.99.2
Scanned directories: 1061
Scanned files: 5198
Infected files: 0
Data scanned: 28.16 MB
Data read: 16.57 MB (ratio 1.70:1)
Time: 17.367 sec (0 m 17 s)
... so I have to wonder if there is anything in the zip that is detecting the environment and only triggering the exploit file if it is unzipped or loaded on a Windows box.

Of course, there is always the possibility that the ClamAV result is a false positive, but there again, there is always the possibility that it is detecting something no one else is!

Personally, if it was my server, I would always go with the safe option ... if an antivirus showed a zip as having malware embedded within it, I would either destroy the zip, or if I had no choice but to use it, I would take every measure I could to disinfect it before deploying it.
 

cPanelMichael

Administrator
Staff member
musioc said:
"This problem occurs for other servers and also other zip files."
Hello @musioc,

I concur with the previous post; however, could you elaborate a little more on the quote above? Is this happening for every zip file, or only zip files that produce similar results with the clamscan command referenced in the previous response?

Thank you.