Conflicting scan result with latest clamAV 1.2.1 version for scanning encrypted rar file on alpine image Vs docker ubuntu image. #1104

Closed
clamavissue opened this issue Nov 30, 2023 · 6 comments

Comments

@clamavissue

Describe the bug

We are testing ClamAV 1.2.1 installed on an Alpine image and on an Ubuntu Docker image. After installation we have the same configuration in the clamd.conf file on both. We tried to scan an encrypted Readme.rar file, and it gives conflicting results on the two.

On the Alpine image it gives a clean scan status for Readme.rar, whereas on the Ubuntu Docker image it gives a heuristics signature saying the file is infected.

For Alpine, the output is below:

/ # clamdscan Readme.rar
//Readme.rar: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.022 sec (0 m 0 s)
Start Date: 2023:11:29 10:41:32
End Date: 2023:11:29 10:41:32
/ # clamd --v
ClamAV 1.2.1/27108/Wed Nov 29 08:40:15 2023
/ # ps -ef|grep clamd
87 clamav 0:32 clamd -c /etc/clamav/clamd.conf
94 root 0:00 grep clamd

/ # clamconf -n
Checking configuration files in /etc/clamav

Config file: clamd.conf

LogFile = "/var/log/clamav/clamd.log"
LogTime = "yes"
PidFile = "/run/clamav/clamd.pid"
LocalSocket = "/tmp/clamd.sock"
LocalSocketMode = "660"
TCPSocket = "3310"
TCPAddr = "localhost"
User = "clamav"
AlertEncrypted = "yes"
AlertEncryptedArchive = "yes"
AlertEncryptedDoc = "yes"

Config file: freshclam.conf

PidFile = "/run/clamav/freshclam.pid"
DatabaseMirror = "database.clamav.net"

clamav-milter.conf not found

Software settings

Version: 1.2.1
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information

Database directory: /var/lib/clamav
bytecode.cvd: version 334, sigs: 91, built on Wed Feb 22 21:33:21 2023
daily.cld: version 27108, sigs: 2047993, built on Wed Nov 29 08:40:15 2023
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 12:32:42 2021
Total number of signatures: 8695511

Platform information

uname: Linux 5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
WARNING: zlib version mismatch: 1.3 (1.2.13)
zlib version: 1.3 (1.2.13), compile flags: a9
platform id: 0x0a21bfbf08000000000d0201

Build information

GNU C: 13.2.1 20231014 (13.2.1)
sizeof(void*) = 8
Engine flevel: 191, dconf: 191
/ #

For the Ubuntu Docker image it gives the output below:

root@09aa388aca06:/home# clamdscan Readme.rar
/home/Readme.rar: Heuristics.Encrypted.RAR FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.009 sec (0 m 0 s)
Start Date: 2023:11:24 13:14:45
End Date: 2023:11:24 13:14:45

root@09aa388aca06:/home# clamd --v
ClamAV 1.2.1/27103/Fri Nov 24 08:40:22 2023

root@09aa388aca06:/# clamconf -n
Checking configuration files in /usr/local/etc

Config file: clamd.conf

PidFile = "/run/clamav/clamd.pid"
DatabaseDirectory = "/var/lib/clamav"
LocalSocket = "/tmp/clamd.sock"
LocalSocketMode = "660"
TCPSocket = "3310"
TCPAddr = "localhost"
User = "clamav"
AlertEncrypted = "yes"
AlertEncryptedArchive = "yes"
AlertEncryptedDoc = "yes"

Config file: freshclam.conf

LogFileMaxSize = "2097152"
DatabaseDirectory = "/var/lib/clamav"
UpdateLogFile = "/var/log/freshclam.log"
DatabaseMirror = "database.clamav.net"

clamav-milter.conf not found

Software settings

Version: 1.2.1
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR

Database information

Database directory: /var/lib/clamav
daily.cld: version 27105, sigs: 2047822, built on Sun Nov 26 08:39:29 2023
bytecode.cvd: version 334, sigs: 91, built on Wed Feb 22 21:33:21 2023
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 12:32:42 2021
Total number of signatures: 8695340

Platform information

uname: Linux 5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
zlib version: 1.3 (1.3), compile flags: a9
platform id: 0x0a21bfbf0800000000070500

Build information

GNU C: 7.5.0 (7.5.0)
sizeof(void*) = 8
Engine flevel: 191, dconf: 191

How to reproduce the problem

1. Create an Ubuntu Docker image with the docker pull command and then copy the ClamAV 1.2.1 Debian installable file (clamav-1.2.1.linux.x86_64.deb) onto it.
2. Install the .deb with the command sudo dpkg -i clamav-1.2.1.linux.x86_64.deb
3. After this I ran freshclam and then started the clamd service.
4. Using the command clamdscan Readme.rar, scanned the encrypted RAR file.
5. This file is a password-protected .rar file, copied from a Windows machine to the Docker image.
6. For clamdscan it gives the output shown above:
root@09aa388aca06:/home# clamdscan Readme.rar
/home/Readme.rar: Heuristics.Encrypted.RAR FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.009 sec (0 m 0 s)
Start Date: 2023:11:24 13:14:45
End Date: 2023:11:24 13:14:45

which is the same as we get on a Windows installation of the same version of ClamAV.

7. Now, in our service we are using an Alpine image and pulling clamav and freshclam from the Alpine packages.
8. I tried with a local Dockerfile in which I pulled one Alpine image and added the ClamAV installation with the command below:
RUN apk add clamav freshclam --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community
9. When I checked the ClamAV version it gives the same latest ClamAV 1.2.1 version on it.
10. When I tried to scan the same Readme.rar on the Alpine image after running freshclam and the clamd service, it gives the result below:
/ # clamdscan Readme.rar
//Readme.rar: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.022 sec (0 m 0 s)
Start Date: 2023:11:29 10:41:32
End Date: 2023:11:29 10:41:32

This is conflicting behavior we are observing on different Linux images. As we are using the Alpine image in our service, we need a fix for this case.

Please let me know if you need more info for this.

@clamavissue clamavissue changed the title Conflicting scan result for scanning encrypted rar file on alpine image Vs docker ubuntu image. Conflicting scan result with latest clamAV 1.2.1 version for scanning encrypted rar file on alpine image Vs docker ubuntu image. Nov 30, 2023
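The two clamconf dumps above differ in one line that matters: the Ubuntu build lists RAR under "Optional features supported", the Alpine build does not. Without that module clamd cannot open the archive at all, so AlertEncryptedArchive never fires and the encrypted RAR comes back as OK, i.e. the scanner fails open. The POSIX sh below is an added example (not code from the issue or from the ClamAV project) of the preflight check a container entrypoint can run: it parses the text of clamconf -n, extracts the feature list and refuses to start if a required feature is missing. The two sample outputs are constructed from the feature lines quoted in this issue; the function names and the required-feature list are my own.

```shell
#!/bin/sh
# Added example: fail-closed preflight check for a clamd container.
# Parses `clamconf -n` output and verifies that the engine was built with
# the features the service relies on (here RAR, supplied by libclamunrar).
# A clamd without RAR support reports encrypted RAR archives as OK even
# with AlertEncryptedArchive=yes, so this must be caught at start-up.

# Print the space-separated feature list from clamconf output on stdin.
clamconf_features() {
    sed -n 's/^Optional features supported: *//p'
}

# require_features "<clamconf -n output>" FEATURE...
# Returns 0 when every FEATURE appears in the feature list, 1 otherwise,
# naming the missing ones on stderr.
require_features() {
    conf_text=$1
    shift
    features=$(printf '%s\n' "$conf_text" | clamconf_features)
    missing=""
    for f in "$@"; do
        # Whole-word match: " RAR " must not match e.g. "LIBRAR".
        case " $features " in
            *" $f "*) ;;
            *) missing="$missing $f" ;;
        esac
    done
    if [ -n "$missing" ]; then
        printf 'clamd is missing required features:%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample outputs mirroring the two builds in the issue
# (Alpine package without RAR, Ubuntu .deb with RAR).
ALPINE_CONF='Software settings

Version: 1.2.1
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON
'
UBUNTU_CONF='Software settings

Version: 1.2.1
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR
'

# In a real entrypoint, replace the constructed text with the live output:
#   require_features "$(clamconf -n)" RAR || exit 1
# before exec'ing clamd.
```

The check deliberately runs before clamd is started rather than after a test scan, because a scan of an unreadable archive produces the same "OK" line as a scan of a genuinely clean file; the feature list is the only signal that the result is trustworthy. Whether a given Alpine package set ships the RAR module is a packaging question this issue does not settle, so treat the required-feature list as something to confirm against your own image.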
@micahsnyder
Contributor

Sorry for the delay. I thought I had replied, but I forgot to press the "Comment" button.

I'm not sure how alpine builds their clamav package. We do not maintain it, that's a third party package. I was able to confirm the same results as what you found -- the Alpine clamav package did not extract RAR archives even though it appears to have the libclamunrar module installed. I am unsure why it didn't work.

We provide an x86_64 Alpine-based clamav Docker image: https://hub.docker.com/r/clamav/clamav/tags. I tested with this and it correctly extracts RAR archives.

We are also working on providing a multi-arch (amd64, arm64, and ppc64le) debian-slim based image, if you're interested. But it is not quite ready yet.

@clamavissue
Author

Hi,

Thanks for the reply.
I have tried pulling the latest image provided on the site above, which is built for ClamAV.

Can you please provide the steps for how you created the Alpine image with ClamAV? I will check against our steps, just to understand the difference. The only difference I observed is the Alpine Linux version, which is 3.18 on our side, and I do use the command "RUN apk add clamav freshclam --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community" to install clamav on the Alpine image.

Thanks
Dipti

@micahsnyder
Contributor

Our docker image is built using these files: https://github.com/Cisco-Talos/clamav-docker/tree/main/clamav/1.2/alpine

We do not use Alpine's clamav packages. We build clamav from source for our docker image.

@clamavissue
Author

Can we build an image using these files to use in our system? If yes, can you suggest the steps for how I can build the image for our usage?

@clamavissue
Author

We have added an additional command to install libunrar before installing clamav and freshclam, and it worked. It now gives the heuristics signature and infected status for the encrypted RAR file scan. You can close this issue.

@micahsnyder
Contributor

Apologies for the delay writing back. We've been on holiday break.

Can we build an image using these files to use in our system? If yes, can you suggest the steps for how I can build the image for our usage?

Yes if you wish to build the image yourself instead of using our pre-built images or the Alpine packages, you can copy the Dockerfile and scripts from https://github.com/Cisco-Talos/clamav-docker/tree/main/clamav/1.2/alpine into the clamav source code directory, using either the clamav .tar.gz from https://www.clamav.net/downloads or else a git clone from https://github.com/Cisco-Talos/clamav. Then run docker build commands as needed.

Or if you want to use our images, we have some documentation to help you get started, here https://docs.clamav.net/manual/Installing/Docker.html

We have added an additional command to install libunrar before installing clamav and freshclam, and it worked. It now gives the heuristics signature and infected status for the encrypted RAR file scan. You can close this issue.

I am glad to hear you got it working with the alpine packages by using the additional command.
