Whitelist ModSecurity Rule With ClamAV Scans

In this article I’m going to discuss how to find and Whitelist specific ModSecurity rules that might be causing 406 errors on your websites on either your VPS (Virtual Private Server) or dedicated server.

The rules that ModSecurity uses can help block potential attack attempts from malicious users upload malware to servers, but sometimes it can also block legitimate upload requests, and knowing how to go in and find what rules are getting triggered and how to whitelist them can be handy.

All-in-One WP Migration


This tutorial we using WordPress with All-in-One WP Migration plugins, that allow import/export your WordPress installation to any server.

Sometimes this cause false/positive alarms with ClamAV scanner with Malware rules.

Apache error.log

First we need find ModSecurity rule that blocking upload to server. This usually found in Apache error.log or if shared webhosting environment then domain error.log.

Our tutorial this is very easy search error code: Access denied with code 406

That rule is in /etc/modsecurity.d/runav.conf file.

[Wed Feb 22 10:47:36.458459 2017] [:error] [pid 32046] [client] [client] ModSecurity: Access denied with code 406 (phase 2). File "/tmp/20170222-104655-WK1P-1Qikx4AAH0um30AAAA6-file-U3UJSa" rejected by the approver script "/usr/local/bin/runav.pl": 0 clamscan: {HEX}Malware.Expert.generic.malware.6.UNOFFICIAL [file "/etc/modsecurity.d/runav.conf"] [line "14"] [id "950115"] [msg "Virus found in uploaded file"] [severity "CRITICAL"] [hostname "malware.expert"] [uri "/wordpress/wp-admin/admin-ajax.php"] [unique_id "WK1P-1Qikx4AAH0um30AAAA6"], referer: https://malware.expert/wordpress/wp-admin/admin.php?page=site-migration-import

ClamAV scanner rule

If we look better this rule, it’s typically ModSecurity scanning rule:

SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/runav.pl" \
	"phase:2,t:none,block,msg:'Virus found in uploaded file',id:'950115'"

Now we need find POST payload that we can make Whitelist rule for that.

POST payload

When we try import old WordPress site with All-in-One WP Migration, we get this POST payload and filed import.

[22/Feb/2017:10:47:36 +0200] WK1P-1Qikx4AAH0um30AAAA6 62090 443
POST /wordpress/wp-admin/admin-ajax.php?action=ai1wm_import HTTP/1.1
Host: testi0.zoner.fi
Connection: keep-alive
Content-Length: 4624901
Origin: https://testi0.zoner.fi
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36
content-type: multipart/form-data; boundary=----WebKitFormBoundarypzt79sF4w2tJ9mLL
Accept: */*
Referer: https://malware.expert/wordpress/wp-admin/admin.php?page=site-migration-import
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: *

HTTP/1.1 406 Not Acceptable
Content-Length: 284
Keep-Alive: timeout=2, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Message: Access denied with code 406 (phase 2). File "/tmp/20170222-104655-WK1P-1Qikx4AAH0um30AAAA6-file-U3UJSa" rejected by the approver script "/usr/local/bin/runav.pl": 0 clamscan: {HEX}Malware.Expert.generic.malware.6.UNOFFICIAL [file "/etc/modsecurity.d/runav.conf"] [line "14"] [id "950115"] [msg "Virus found in uploaded file"] [severity "CRITICAL"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php
Stopwatch: 1487753215267371 41258574 (- - -)
Stopwatch2: 1487753215267371 41258574; combined=277262, p1=4393, p2=272864, p3=0, p4=0, p5=4, sr=261, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/).
Server: Apache/2
Engine-Mode: "ENABLED"



We need ModSecurity SecMarker directive to whitelist specified rule that block Apache Upload scan.

Write Whitelist ModSecurity rule

Now we have very easy write ModSecurity whitelist rule to WordPress All-in-One WP Migration plugin. First we create rule that catch POST Payload and skip orginal rule if found:

Whitelist rule

SecRule REQUEST_METHOD  "POST"	"id:950100,phase:2,t:none,chain,pass,skipAfter:IGNORE_CLAMAV_SCAN,nolog,msg:'Malware expert - All-in-One WP Migration'"
SecRule REQUEST_URI	"@contains /wp-admin/admin-ajax.php?action=ai1wm_import"	"t:none,t:lowercase,t:urldecode,nolog"

Orginal rule

SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/runav.pl" \
	"phase:2,t:none,block,msg:'Virus found in uploaded file',id:'950115'"

skipAfter rule


Final words

There is another ways also remove rules, example SecRuleRemoveById, but is simple and if you need get more whitelist rules, just add them before Orginal rule. And here, you can find more ModSecurity Rule Examples.

Check out:

Malware Expert – Free Malware Signatures
Malware Expert – ModSecurity Rules