Can not upload zip files - Virus detected

musioc

Well-Known Member
Aug 4, 2011
123
1
68
Hello dears
Merry Christmas :)

I can not upload this file via cpanel file manager
Error:
The file you uploaded, vendor.zip, contains a virus so the upload was canceled: Win.Trojan.Toa-5372190-0 FOUND
I checked file , Many antivirus marked it as OK, No virus detected.
This problem occurs for other servers and also other zip files.
When I unzip files and upload one by one, cpanel upload them without any issue.

This is the zip file: - Removed -
We use cloudlinux 6.x and 7.x x86_64 with latest cpanel/whm (release) version
I have root access

Regards
 
Last edited by a moderator:

rpvw

Well-Known Member
Jul 18, 2013
1,101
462
113
UK
cPanel Access Level
Root Administrator
Clamscan of your file vendor.zip results in :
Code:
# clamscan -ia ~/vendor.zip
~/vendor.zip!ZIP:vendor/phpdocumentor/type-resolver/phpmd.xml.dist!...!(72)ZIP:vendor/symfony/console/Resources/bin/hiddeninput.exe: Win.Trojan.Toa-5372190-0 FOUND
~/vendor.zip: Win.Trojan.Toa-5372190-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 5389274
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 9.09 MB
Data read: 7.87 MB (ratio 1.16:1)
Time: 15.690 sec (0 m 15 s)
After unzipping (on a linux box) the resulting clamscan shows:
Code:
# clamscan -ir ~/vendor

----------- SCAN SUMMARY -----------
Known viruses: 5389274
Engine version: 0.99.2
Scanned directories: 1061
Scanned files: 5198
Infected files: 0
Data scanned: 28.16 MB
Data read: 16.57 MB (ratio 1.70:1)
Time: 17.367 sec (0 m 17 s)
.... so I have to wonder if there is anything in the zip that is detecting the environment and only triggering the exploit file if it is unzipped or loaded on a windows box.

Of course, there is always the possibility that the ClamAV result is a false positive, but there again, there is always the possibility that it is detecting something no one else is !

Personally, it was my server, I would always go with the safe option .... if an antivirus showed a zip as having malware embedded within it, I would either destroy the zip, or if I had no choice but to use it, I would take every measure I could to disinfect it before deploying it.
 
Last edited:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,227
463
This problem occurs for other servers and also other zip files.
Hello @musioc,

I concur with the previous post, however could you elaborate a little more on the quote above? Is this happening for every zip file, or only zip files that produce similar results with the clamscan command referenced in the previous response?

Thank you.