clamscan reports FOUND and also then OK for XLS scan #521
Comments
This seems similar to the bug #442 that I reported a while ago.
Hm, this does sound like the same bug. It is likely a bug in a specific file format parser.
I just tested with 0.103.5 and 0.104.1 and found the issue doesn't exist in 0.104.1. I'll see if I can identify when it was fixed and if it will be easy to backport for the upcoming 0.103.6 patch version.
It is possible when not using allmatch mode that an alert on an XLS file may be "lost". That is, it first reports as FOUND but then later reports as OK. Resolves: Cisco-Talos#521
It is possible when not using allmatch mode that an alert on an XLS file may be "lost". That is, it first reports as FOUND but then later reports as OK. The issue is essentially that the way allmatch and alert reporting is done, it is easy to accidentally change the return value at one intermediate layer and forget about the alert. This fix doesn't clean up the systematic issue, but does resolve this specific bug. Resolves: - Cisco-Talos#442 - Cisco-Talos#521
It is possible when not using allmatch mode that an alert on an XLS file may be "lost". That is, it first reports as FOUND but then later reports as OK. The issue is essentially that the way allmatch and alert reporting is done, it is easy to accidentally change the return value at one intermediate layer and forget about the alert. This fix doesn't clean up the design flaw, but does resolve this specific bug. Resolves: - Cisco-Talos#442 - Cisco-Talos#521
Just tested again. I can confirm the issue isn't there in 0.104.2. Thanks Micah!
It is possible when not using allmatch mode that an alert on an XLS file may be "lost". That is, it first reports as FOUND but then later reports as OK. The issue is essentially that the way allmatch and alert reporting is done, it is easy to accidentally change the return value at one intermediate layer and forget about the alert. This fix doesn't clean up the design flaw, but does resolve this specific bug. Resolves: - #442 - #521
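The commit message above names the underlying flaw: in non-allmatch mode the only record of a detection is the CL_VIRUS return code, so any intermediate layer that reuses its return variable for a later step silently turns FOUND into OK, while in allmatch mode the alert is appended to a list that survives whatever the return code does. The C program below is an added illustration of that pattern and is not ClamAV source code; the scan_ctx struct, append_virus, scan_sheet_stream, extract_metadata, scan_ole2_buggy/scan_ole2_fixed, scan_file and the "QBOT-MARKER" sample stream are invented stand-ins, only loosely modelled on how a recursive scanner threads a context through its parsers.

```c
/*
 * Added illustration (not ClamAV code): how a verdict carried only in a
 * return code is "lost" by an intermediate layer in non-allmatch mode,
 * while an allmatch-style alert list survives. All names are invented.
 */
#include <stdio.h>
#include <string.h>

typedef enum { CL_CLEAN = 0, CL_VIRUS = 1 } cl_error_t;

#define MAX_ALERTS 8

typedef struct {
    int allmatch;                   /* 1: record every alert and keep scanning (-z) */
    const char *alerts[MAX_ALERTS]; /* alert names recorded in allmatch mode */
    int num_alerts;
} scan_ctx;

/* Record a detection. In allmatch mode the name is appended to the list and
 * scanning continues (CL_CLEAN); otherwise the verdict lives only in the
 * CL_VIRUS return code that every caller must propagate faithfully. */
static cl_error_t append_virus(scan_ctx *ctx, const char *name) {
    if (ctx->allmatch) {
        if (ctx->num_alerts < MAX_ALERTS)
            ctx->alerts[ctx->num_alerts++] = name;
        return CL_CLEAN;
    }
    return CL_VIRUS;
}

/* Innermost parser stand-in: a sheet stream whose constructed content
 * contains the marker our pretend signature matches. */
static cl_error_t scan_sheet_stream(scan_ctx *ctx, const char *stream) {
    if (strstr(stream, "QBOT-MARKER") != NULL)
        return append_virus(ctx, "Doc.Downloader.Qbot03222-9942295-0");
    return CL_CLEAN;
}

/* A later, unrelated step in the same layer that succeeds. */
static cl_error_t extract_metadata(scan_ctx *ctx) {
    (void)ctx;
    return CL_CLEAN;
}

/* BUGGY intermediate layer: `ret` is reused for the later step, so a
 * CL_VIRUS from scan_sheet_stream is overwritten and never reaches the caller. */
static cl_error_t scan_ole2_buggy(scan_ctx *ctx, const char *stream) {
    cl_error_t ret;
    ret = scan_sheet_stream(ctx, stream);   /* may be CL_VIRUS ... */
    ret = extract_metadata(ctx);            /* ... clobbered to CL_CLEAN here */
    return ret;
}

/* FIXED intermediate layer: a virus verdict short-circuits before any later
 * step can overwrite it. */
static cl_error_t scan_ole2_fixed(scan_ctx *ctx, const char *stream) {
    cl_error_t ret = scan_sheet_stream(ctx, stream);
    if (ret == CL_VIRUS)
        return ret;
    return extract_metadata(ctx);
}

/* Top level: the final verdict considers both the return code and the
 * recorded alert list, which is why -z still reports FOUND with the buggy layer. */
static int is_infected(const scan_ctx *ctx, cl_error_t ret) {
    return ret == CL_VIRUS || ctx->num_alerts > 0;
}

/* Scan the constructed sample; returns 1 for FOUND, 0 for OK. */
int scan_file(int allmatch, int use_fixed_layer) {
    const char *stream = "BIFF8 ... QBOT-MARKER ... EOF";  /* constructed sample */
    scan_ctx ctx = { allmatch, {0}, 0 };
    cl_error_t ret = use_fixed_layer ? scan_ole2_fixed(&ctx, stream)
                                     : scan_ole2_buggy(&ctx, stream);
    return is_infected(&ctx, ret);
}

int main(void) {
    printf("non-allmatch, buggy layer : %s\n", scan_file(0, 0) ? "FOUND" : "OK");
    printf("allmatch (-z), buggy layer: %s\n", scan_file(1, 0) ? "FOUND" : "OK");
    printf("non-allmatch, fixed layer : %s\n", scan_file(0, 1) ? "FOUND" : "OK");
    return 0;
}
```

Compiled with any C99 compiler, the buggy layer yields OK without allmatch and FOUND with it, the same asymmetry the report shows between plain clamscan and clamscan -z; the fixed layer yields FOUND in both modes. The short-circuit in scan_ole2_fixed is the shape of the specific fix; having the top level consult a recorded alert list rather than trusting a single return code is the systematic remedy the commit message says this change does not yet make.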
Describe the bug
Some files are detected only when allscan is used. ClamAV shows the name of the malware, but reports no problem detected.
This was reported in mailing list:
https://lists.clamav.net/pipermail/clamav-users/2022-March/012539.html
% file intamldeosreitlu.xls
intamldeosreitlu.xls: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Posik, Last Saved By: HRdtjnd, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Mon Mar 28 08:33:09 2022, Security: 0
% clamscan intamldeosreitlu.xls
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
/home/uhlar/intamldeosreitlu.xls: OK
...
Infected files: 0
% clamscan -z intamldeosreitlu.xls
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
...
Infected files: 1
With clamdscan, the problem is not detected until the allscan option is used; after that it's detected:
% clamdscan /home/uhlar/intamldeosreitlu.xls
/home/uhlar/intamldeosreitlu.xls: OK
...
Infected files: 0
% clamdscan /home/uhlar/intamldeosreitlu.xls
/home/uhlar/intamldeosreitlu.xls: OK
...
Infected files: 0
% clamdscan -z /home/uhlar/intamldeosreitlu.xls
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
...
Infected files: 1
% clamdscan /home/uhlar/intamldeosreitlu.xls
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
/home/uhlar/intamldeosreitlu.xls: Doc.Downloader.Qbot03222-9942295-0 FOUND
...
Infected files: 2
With the -z option I get 1 infected file, without it 2 infected...
How to reproduce the problem
Checking configuration files in /etc/clamav
Config file: clamd.conf
PreludeAnalyzerName = "ClamAV"
LogFile = "/var/log/clamav/clamav.log"
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogClean = "yes"
LogVerbose = "yes"
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
MaxConnectionQueueLength = "15"
StreamMaxLength = "20971520"
MaxThreads = "12"
ReadTimeout = "180"
SendBufTimeout = "200"
SelfCheck = "3600"
User = "clamav"
BytecodeTimeout = "60000"
MaxScanTime = "120000"
MaxRecursion = "16"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "5000"
Config file: freshclam.conf
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogVerbose = "yes"
LogRotate = "yes"
DatabaseDirectory = "/var/lib/clamav/"
UpdateLogFile = "/var/log/clamav/freshclam.log"
Checks = "48"
DatabaseMirror = "db.sk.clamav.net", "db.local.clamav.net", "database.clamav.net"
MaxAttempts = "5"
ReceiveTimeout = "30"
Config file: clamav-milter.conf
LogFile = "/var/log/clamav/clamav-milter.log"
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogVerbose = "yes"
LogRotate = "yes"
PidFile = "/var/run/clamav/clamav-milter.pid"
TemporaryDirectory = "/tmp"
ReadTimeout = "240"
User = "clamav"
MaxFileSize = "31457280"
ClamdSocket = "unix:/var/run/clamav/clamd.ctl"
MilterSocket = "/var/spool/postfix/clamav/clamav-milter.ctl"
MilterSocketGroup = "clamav"
MilterSocketMode = "666"
LocalNet = "192.34.61.247"
OnInfected = "Reject"
RejectMsg = "Clamav detected %v"
AddHeader = "Replace"
LogInfected = "Full"
LogClean = "Off"
Software settings
Version: 0.103.5
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR
Database information
Database directory: /var/lib/clamav/
WARNING: freshclam.conf and clamd.conf point to different database directories
[3rd Party] jurlbl.ndb: 4975 sigs
[3rd Party] rogue.hdb: 2423 sigs
[3rd Party] winnow_bad_cw.hdb: 1 sig
[3rd Party] javascript.ndb: 43708 sigs
[3rd Party] porcupine.ndb: 6752 sigs
[3rd Party] crdfam.clamav.hdb: 1 sig
[3rd Party] securiteinfoascii.hdb: 88417 sigs
[3rd Party] bofhland_malware_URL.ndb: 4 sigs
[3rd Party] winnow_extended_malware.hdb: 245 sigs
[3rd Party] securiteinfo.hdb: 104608 sigs
[3rd Party] sigwhitelist.ign2: 12 sigs
main.cld: version 62, sigs: 6647427, built on Thu Sep 16 14:32:42 2021
[3rd Party] blurl.ndb: 3450 sigs
[3rd Party] spamattach.hdb: 14 sigs
[3rd Party] phishtank.ndb: 4588 sigs
[3rd Party] bofhland_cracked_URL.ndb: 40 sigs
[3rd Party] sanesecurity.ftm: 170 sigs
[3rd Party] spam_marketing.ndb: 31016 sigs
[3rd Party] winnow_malware_links.ndb: 133 sigs
[3rd Party] securiteinfoandroid.hdb: 84401 sigs
[3rd Party] securiteinfopdf.hdb: 3408 sigs
[3rd Party] scam.ndb: 12783 sigs
[3rd Party] winnow_malware.hdb: 293 sigs
[3rd Party] phish.ndb: 28139 sigs
[3rd Party] spamimg.hdb: 200 sigs
[3rd Party] bofhland_malware_attach.hdb: 1836 sigs
[3rd Party] junk.ndb: 55847 sigs
[3rd Party] securiteinfo.ign2: 123 sigs
[3rd Party] winnow.attachments.hdb: 182 sigs
bytecode.cld: version 333, sigs: 92, built on Mon Mar 8 16:21:51 2021
daily.cld: version 26498, sigs: 1976960, built on Thu Mar 31 10:19:05 2022
[3rd Party] securiteinfohtml.hdb: 57401 sigs
[3rd Party] bofhland_phishing_URL.ndb: 72 sigs
[3rd Party] doppelstern.hdb: 1 sig
Total number of signatures: 9159722
Platform information
uname: Linux 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) x86_64
OS: linux-gnu, ARCH: i386, CPU: i686
Full OS version: Debian GNU/Linux 11 (bullseye)
zlib version: 1.2.11 (1.2.11), compile flags: 55
platform id: 0x0a117e7e04000000000a0201
Build information
GNU C: 10.2.1 20210110 (10.2.1)
CPPFLAGS: -Wdate-time -D_FORTIFY_SOURCE=2
CFLAGS: -g -O2 -ffile-prefix-map=/build/clamav-SjufEr/clamav-0.103.5+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -g -O2 -ffile-prefix-map=/build/clamav-SjufEr/clamav-0.103.5+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64
LDFLAGS: -Wl,-z,relro -Wl,-z,now -Wl,--as-needed
Configure: '--build=i686-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=/usr/lib/i386-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-SjufEr/clamav-0.103.5+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-SjufEr/clamav-0.103.5+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--with-dbdir=/var/lib/clamav' '--sysconfdir=/etc/clamav' '--disable-clamav' '--disable-unrar' '--enable-milter' '--enable-dns-fix' '--with-libjson' '--with-system-libmspack' '--with-libcurl=/usr' '--with-gnu-ld' '--with-systemdsystemunitdir=/lib/systemd/system' 'build_alias=i686-linux-gnu' 'OBJCFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-SjufEr/clamav-0.103.5+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security'
sizeof(void*) = 4
Engine flevel: 126, dconf: 126
Attachments
https://www.virustotal.com/gui/file/378adfee41626e904b41ba967aa18871a39a82e12ae199486acce898a8599be2?nocache=1