How to check malware scan settings

This check is explained using the domain example.org as an example.

To check the file location, curl is used.

Request:

curl -v http://example.org/example.org_1500902659128.php

Correct answer:

* Hostname was NOT found in DNS cache
*   Trying 74.208.236.246...
* Connected to example.org (74.208.236.246) port 80 (#0)
> GET /example.org_1500902659128.php HTTP/1.1
> User-Agent: curl/7.38.0
> Host: example.org
> Accept: */*
>
< HTTP/1.1 451 1
< Content-Type: text/plain;charset=UTF-8
< Content-Length: 0
< Connection: keep-alive
< Keep-Alive: timeout=15
< Date: Fri, 11 Aug 2017 15:08:35 GMT
* Server Apache is not blacklisted
< Server: Apache
< X-Powered-By: PHP/5.6.30
< X-Cww-Err: 1
< X-Cww-Id: 0.0.5 d5412af26c9c5cc5b36a4c21e2b01bd4 php-5.6.30 Linux Apache
< Cache-Control: must-revalidate
< Pragma: no-cache
< Expires: Thu,1 Jan 1970 00:00:01 GMT

The web server's response code is very important:

HTTP/1.1 451 1 is the correct answer.

Other answers are incorrect. Examples:

HTTP/1.1 404 means that the file path is incorrect or the file is absent;

HTTP/1.1 403 means that access to the file is forbidden.

X-Cww-Id: 0.0.5 shows the scanner version (0.0.5 is the current version).

X-Cww-Err is also a very important field. If it is present in the answer, there is an error. The error type is determined by the digits in this field.

Each entry below gives the message, the reason, and the possible cause and fix solution.

Message: 1
Reason: agent failed to determine HTTP request method
Possible cause and fix solution: badly configured Nginx sometimes does not pass the REQUEST_METHOD variable to the PHP script; fixed in Agent version 0.0.5; ask the customer to update the Agent on their site

Message: 5
Reason: broken authentication headers passed to Agent
Possible cause and fix solution: remote server clobbers/deletes the Agent authentication header (X-Cww-tag); no fix is known yet

Message: 10
Reason: authentication failed
Possible cause and fix solution: authentication keys embedded in the Agent and stored in the SSS database differ; broken Agent or corrupted auth key in the SSS db; ask the customer to update the Agent on their site (the Agent will be regenerated with proper auth keys)

Message: 15
Reason: authentication tokens are outdated
Possible cause and fix solution: time interval between the auth and scan phases of SSS is too large (usually must not exceed 15-30 seconds); very slow network, overloaded remote site (which leads to huge response times), etc.; try again later

Message: 20
Reason: cannot execute subscripts
Possible cause and fix solution: the PHP engine installed and configured on the remote site does not support any function capable of executing PHP code within a PHP script (eval(), create_function(), file_put_contents(), etc. are blocked or unavailable); no solution, the customer must be informed that these functions are required to work

Message: 21
Reason: failed to decrypt subscript
Possible cause and fix solution: decryption of the subscript failed; no working openssl() or mcrypt() functions found; AES-128-CTR algorithm is not supported; authentication header (X-CWW-TAG) contains a wrong KEY+IV pair; no solution yet on the remote side, or check the SSS encryption part

Message: 22
Reason: gzdecode() on subscript failed
Possible cause and fix solution: failed to uncompress the subscript using gzdecode(); the gzdecode() function does not work as expected; SSS subscript compression produced bad output; no solution yet on the remote side, or check the SSS compression part

Message: 23
Reason: no subscript magic comment found
Possible cause and fix solution: the decoded/decompressed PHP subscript does not contain the magic pattern; broken subscript sent by SSS; check the SSS subscript composing part

Message: 30
Reason: no subscript provided
Possible cause and fix solution: SSS provided data blocks in the POST request but no code block; check the SSS subscript composing part

Message: 9X
Reason: subscript execution failed
Possible cause and fix solution: the subscript provided (POSTed) by SSS failed to be executed by the Agent; check the SSS subscript composing part
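
The checks described above (response code, X-Cww-Id version, X-Cww-Err digits) can be combined in one shell function. This is an added example, not Comodo tooling: the function name cww_check and its output format are hypothetical, and 9X is assumed to mean any value from 90 to 99.

```shell
#!/bin/sh
# Added example: summarise a `curl -v` response from the Agent file using the
# status codes and X-Cww-Err values listed in this article.
# cww_check and its key=value output are hypothetical, not vendor tooling.

cww_check() {
  # Reads curl -v output on stdin; only "< " response lines are inspected.
  tr -d '\r' | awk '
    /^< HTTP\// {
      code = $3
      if (code == "451")      status = "451 correct answer"
      else if (code == "404") status = "404 file path is incorrect or file is absent"
      else if (code == "403") status = "403 access to file is forbidden"
      else                    status = code " incorrect answer"
    }
    $1 == "<" && tolower($2) == "x-cww-id:"  { version = $3 }
    $1 == "<" && tolower($2) == "x-cww-err:" { err = $3 }
    END {
      r["1"]  = "agent failed to determine HTTP request method"
      r["5"]  = "broken authentication headers passed to Agent"
      r["10"] = "authentication failed"
      r["15"] = "authentication tokens are outdated"
      r["20"] = "cannot execute subscripts"
      r["21"] = "failed to decrypt subscript"
      r["22"] = "gzdecode() on subscript failed"
      r["23"] = "no subscript magic comment found"
      r["30"] = "no subscript provided"
      if (err == "")             reason = "none"
      else if (err ~ /^9[0-9]$/) reason = err " subscript execution failed"  # assumed meaning of 9X
      else if (err in r)         reason = err " " r[err]
      else                       reason = err " not listed"
      print "status=" (status == "" ? "no response" : status)
      print "agent_version=" (version == "" ? "unknown" : version)
      print "error=" reason
    }'
}

# Constructed sample, shortened from the response shown in this article.
SAMPLE='> GET /example.org_1500902659128.php HTTP/1.1
< HTTP/1.1 451 1
< Server: Apache
< X-Cww-Err: 1
< X-Cww-Id: 0.0.5 d5412af26c9c5cc5b36a4c21e2b01bd4 php-5.6.30 Linux Apache'

printf '%s\n' "$SAMPLE" | cww_check
```

Against a live site, curl writes its verbose trace to stderr, so pipe it with 2>&1: curl -v http://example.org/example.org_1500902659128.php 2>&1 | cww_check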

© 2018 Comodo Security Solutions, Inc. All rights reserved.