
libmodsecurity + nginx + inspectfile clamav always returns 0 #3360

@nedngo

Hi All
Using ModSecurity 3.0.13 and nginx connector 1.0.3

file clamav_scan.sh

#!/bin/bash
echo "[TEST][$(date)] Start scan file: $1" >> /tmp/text.log
exit 1

rule modsecurity

SecRule FILES_TMPNAMES "@inspectFile clamav_scan.sh" \
  "id:1001,phase:2,t:none,block,log,msg:'File upload failed virus scan (ClamAV)'"

log of text.log

[TEST][Wed Apr 16 13:10:13 +08 2025] Start scan file: /tmp/20250416-131013-174478021319.907838-file-2WVlvx

log of /var/log/modsec-debug.log

[174478021319.907838] [/upload] [4] (Rule: 1001) Executing operator "InspectFile" with param "clamav_scan.sh" against FILES_TMPNAMES.
[174478021319.907838] [/upload] [9] Target value: "/tmp/20250416-131013-174478021319.907838-file-2WVlvx" (Variable: FILES_TMPNAMES:/tmp/20250416-131013-174478021319.907838-file-2WVlvx)
[174478021319.907838] [/upload] [4] Rule returned 0.

config modsecurity.conf

SecRequestBodyAccess On
SecRuleEngine On
SecUploadKeepFiles on
SecUploadDir /tmp
SecUploadFileMode 0777

test script clamav_scan.sh

[root@c4-sit-master-rl8 tmp]# /tmp/clamav_scan.sh /tmp/20250416-131013-174478021319.907838-file-2WVlvx; echo $?;
1

However, the script called by the rule always returns 0.
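
An added example, not part of the issue or of the ModSecurity project's code: an approver script for the `@inspectFile` rule above that reports its verdict on stdout instead of through its exit status. It assumes the convention shown by the `runav.pl` sample in the ModSecurity reference manual, where a line beginning with `1` means the file is clean and a line beginning with `0` means it is rejected; `SCANNER`, `LOG` and `scan_verdict` are hypothetical names.

```shell
#!/bin/bash
# Added example: @inspectFile approver script that answers on stdout.
# Assumed convention (ModSecurity reference manual, runav.pl sample):
#   "1 ..." on stdout = clean, rule does not match
#   "0 ..." on stdout = rejected, rule matches
# stdout is the verdict channel, so diagnostics go to a log file.

# Hypothetical overrides so the logic can be exercised without ClamAV.
SCANNER="${SCANNER:-clamscan --no-summary}"
LOG="${LOG:-/tmp/text.log}"

scan_verdict() {
    local file out rc
    file="$1"
    if [ ! -r "$file" ]; then
        echo "0 unreadable upload: $file"    # fail closed
        return 0
    fi
    # clamscan exit status: 0 = clean, 1 = virus found, 2 = error
    if out=$($SCANNER "$file" 2>&1); then
        rc=0
    else
        rc=$?
    fi
    echo "[$(date)] scanned $file rc=$rc" >> "$LOG" || true
    case "$rc" in
        0) echo "1 clean: $file" ;;
        1) echo "0 infected: $out" ;;
        *) echo "0 scanner error rc=$rc" ;;  # fail closed on scanner failure
    esac
}

# Act as the approver script only when called with a file argument.
if [ "$#" -gt 0 ]; then
    scan_verdict "$1"
fi
```

Running it by hand against an uploaded temp file should print a single verdict line, which is what to compare with the `Rule returned` line in the debug log.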

Labels: 3.x (Related to ModSecurity version 3.x)