Filter False-Positive PUA.Doc.Packed.EncryptedDoc-6563700-0 #161
So after some trial and error, I think I understand how it works. When I upload an infected file, several entries are written to data/nextcloud.log (five in the example below, all sharing the same reqId).
The first entry (`Response :: stream: <signature> FOUND`) is the raw response from the scanner; that is the text the rule's regular expression is matched against, not the later "Infected file deleted" messages or the exception traces.
FYI: This is the full set of log entries produced by the upload scan of one file (the EICAR test archive, which is expected to be detected). [
{
"reqId": "pva8wPXXBN75sRbArOHw",
"level": 0,
"time": "2020-09-08T10:09:32+00:00",
"remoteAddr": "172.18.0.3",
"user": "m",
"app": "files_antivirus",
"method": "PUT",
"url": "/remote.php/webdav/tmp/eicarcom2.zip",
"message": "Response :: stream: Win.Test.EICAR_HDB-1 FOUND\n",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0",
"version": "19.0.2.2"
},
{
"reqId": "pva8wPXXBN75sRbArOHw",
"level": 2,
"time": "2020-09-08T10:09:32+00:00",
"remoteAddr": "172.18.0.3",
"user": "m",
"app": "files_antivirus",
"method": "PUT",
"url": "/remote.php/webdav/tmp/eicarcom2.zip",
"message": "Infected file deleted. Win.Test.EICAR_HDB-1 Account: m Path: files/tmp/eicarcom2.zip.ocTransferId1714334355.part",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0",
"version": "19.0.2.2"
},
{
"reqId": "pva8wPXXBN75sRbArOHw",
"level": 4,
"time": "2020-09-08T10:09:32+00:00",
"remoteAddr": "172.18.0.3",
"user": "m",
"app": "files_antivirus",
"method": "PUT",
"url": "/remote.php/webdav/tmp/eicarcom2.zip",
"message": "Infected file deleted. Win.Test.EICAR_HDB-1 File: files/tmp/eicarcom2.zip.ocTransferId1714334355.part Account: m",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0",
"version": "19.0.2.2"
},
{
"reqId": "pva8wPXXBN75sRbArOHw",
"level": 3,
"time": "2020-09-08T10:09:32+00:00",
"remoteAddr": "172.18.0.3",
"user": "m",
"app": "no app in context",
"method": "PUT",
"url": "/remote.php/webdav/tmp/eicarcom2.zip",
"message": {
"Exception": "OCP\\Files\\InvalidContentException",
"Message": "Virus Win.Test.EICAR_HDB-1 is detected in the file. Upload cannot be completed.",
"Code": 0,
"Trace": [
{
"function": "OCA\\Files_Antivirus\\{closure}",
"class": "OCA\\Files_Antivirus\\AvirWrapper",
"type": "->",
"args": [
"*** sensitive parameters replaced ***"
]
},
{
"file": "/var/www/html/apps/files_external/3rdparty/icewind/streams/src/CallbackWrapper.php",
"line": 121,
"function": "call_user_func",
"args": [
{
"__class__": "Closure"
}
]
},
{
"file": "/var/www/html/lib/private/Files/Storage/Wrapper/Wrapper.php",
"line": 631,
"function": "stream_close",
"class": "Icewind\\Streams\\CallbackWrapper",
"type": "->",
"args": []
},
{
"file": "/var/www/html/lib/private/Files/Storage/Wrapper/Wrapper.php",
"line": 631,
"function": "writeStream",
"class": "OC\\Files\\Storage\\Wrapper\\Wrapper",
"type": "->",
"args": [
"files/tmp/eicarcom2.zip.ocTransferId1714334355.part",
null,
null
]
},
{
"file": "/var/www/html/apps/dav/lib/Connector/Sabre/File.php",
"line": 202,
"function": "writeStream",
"class": "OC\\Files\\Storage\\Wrapper\\Wrapper",
"type": "->",
"args": [
"files/tmp/eicarcom2.zip.ocTransferId1714334355.part",
null
]
},
{
"file": "/var/www/html/apps/dav/lib/Connector/Sabre/Directory.php",
"line": 154,
"function": "put",
"class": "OCA\\DAV\\Connector\\Sabre\\File",
"type": "->",
"args": [
null
]
},
{
"file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 1104,
"function": "createFile",
"class": "OCA\\DAV\\Connector\\Sabre\\Directory",
"type": "->",
"args": [
"eicarcom2.zip",
null
]
},
{
"file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/CorePlugin.php",
"line": 527,
"function": "createFile",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": [
"tmp/eicarcom2.zip",
null,
null
]
},
{
"file": "/var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php",
"line": 89,
"function": "httpPut",
"class": "Sabre\\DAV\\CorePlugin",
"type": "->",
"args": [
{
"__class__": "Sabre\\HTTP\\Request"
},
{
"__class__": "Sabre\\HTTP\\Response"
}
]
},
{
"file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 474,
"function": "emit",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": [
"method:PUT",
[
{
"__class__": "Sabre\\HTTP\\Request"
},
{
"__class__": "Sabre\\HTTP\\Response"
}
]
]
},
{
"file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 251,
"function": "invokeMethod",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": [
{
"__class__": "Sabre\\HTTP\\Request"
},
{
"__class__": "Sabre\\HTTP\\Response"
}
]
},
{
"file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 319,
"function": "start",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": []
},
{
"file": "/var/www/html/apps/dav/appinfo/v1/webdav.php",
"line": 82,
"function": "exec",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": []
},
{
"file": "/var/www/html/remote.php",
"line": 167,
"args": [
"/var/www/html/apps/dav/appinfo/v1/webdav.php"
],
"function": "require_once"
}
],
"File": "/var/www/html/custom_apps/files_antivirus/lib/AvirWrapper.php",
"Line": 154,
"CustomMessage": "--"
},
"userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0",
"version": "19.0.2.2"
},
{
"reqId": "pva8wPXXBN75sRbArOHw",
"level": 4,
"time": "2020-09-08T10:09:32+00:00",
"remoteAddr": "172.18.0.3",
"user": "m",
"app": "webdav",
"method": "PUT",
"url": "/remote.php/webdav/tmp/eicarcom2.zip",
"message": {
"Exception": "OCA\\DAV\\Connector\\Sabre\\Exception\\UnsupportedMediaType",
"Message": "Virus Win.Test.EICAR_HDB-1 is detected in the file. Upload cannot be completed.",
"Code": 0,
"Trace": [
{
"file": "/var/www/html/apps/dav/lib/Connector/Sabre/File.php",
"line": 252,
"function": "convertToSabreException",
"class": "OCA\\DAV\\Connector\\Sabre\\File",
"type": "->",
"args": [
{
"__class__": "OCP\\Files\\InvalidContentException"
}
]
},
{
"file": "/var/www/html/apps/dav/lib/Connector/Sabre/Directory.php",
"line": 154,
"function": "put",
"class": "OCA\\DAV\\Connector\\Sabre\\File",
"type": "->",
"args": [
null
]
},
{
"file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 1104,
"function": "createFile",
"class": "OCA\\DAV\\Connector\\Sabre\\Directory",
"type": "->",
"args": [
"eicarcom2.zip",
null
]
},
{
"file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/CorePlugin.php",
"line": 527,
"function": "createFile",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": [
"tmp/eicarcom2.zip",
null,
null
]
},
{
"file": "/var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php",
"line": 89,
"function": "httpPut",
"class": "Sabre\\DAV\\CorePlugin",
"type": "->",
"args": [
{
"__class__": "Sabre\\HTTP\\Request"
},
{
"__class__": "Sabre\\HTTP\\Response"
}
]
},
{
"file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 474,
"function": "emit",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": [
"method:PUT",
[
{
"__class__": "Sabre\\HTTP\\Request"
},
{
"__class__": "Sabre\\HTTP\\Response"
}
]
]
},
{
"file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 251,
"function": "invokeMethod",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": [
{
"__class__": "Sabre\\HTTP\\Request"
},
{
"__class__": "Sabre\\HTTP\\Response"
}
]
},
{
"file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 319,
"function": "start",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": []
},
{
"file": "/var/www/html/apps/dav/appinfo/v1/webdav.php",
"line": 82,
"function": "exec",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": []
},
{
"file": "/var/www/html/remote.php",
"line": 167,
"args": [
"/var/www/html/apps/dav/appinfo/v1/webdav.php"
],
"function": "require_once"
}
],
"File": "/var/www/html/apps/dav/lib/Connector/Sabre/File.php",
"Line": 644,
"Previous": {
"Exception": "OCP\\Files\\InvalidContentException",
"Message": "Virus Win.Test.EICAR_HDB-1 is detected in the file. Upload cannot be completed.",
"Code": 0,
"Trace": [
{
"function": "OCA\\Files_Antivirus\\{closure}",
"class": "OCA\\Files_Antivirus\\AvirWrapper",
"type": "->",
"args": [
"*** sensitive parameters replaced ***"
]
},
{
"file": "/var/www/html/apps/files_external/3rdparty/icewind/streams/src/CallbackWrapper.php",
"line": 121,
"function": "call_user_func",
"args": [
{
"__class__": "Closure"
}
]
},
{
"file": "/var/www/html/lib/private/Files/Storage/Wrapper/Wrapper.php",
"line": 631,
"function": "stream_close",
"class": "Icewind\\Streams\\CallbackWrapper",
"type": "->",
"args": []
},
{
"file": "/var/www/html/lib/private/Files/Storage/Wrapper/Wrapper.php",
"line": 631,
"function": "writeStream",
"class": "OC\\Files\\Storage\\Wrapper\\Wrapper",
"type": "->",
"args": [
"files/tmp/eicarcom2.zip.ocTransferId1714334355.part",
null,
null
]
},
{
"file": "/var/www/html/apps/dav/lib/Connector/Sabre/File.php",
"line": 202,
"function": "writeStream",
"class": "OC\\Files\\Storage\\Wrapper\\Wrapper",
"type": "->",
"args": [
"files/tmp/eicarcom2.zip.ocTransferId1714334355.part",
null
]
},
{
"file": "/var/www/html/apps/dav/lib/Connector/Sabre/Directory.php",
"line": 154,
"function": "put",
"class": "OCA\\DAV\\Connector\\Sabre\\File",
"type": "->",
"args": [
null
]
},
{
"file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 1104,
"function": "createFile",
"class": "OCA\\DAV\\Connector\\Sabre\\Directory",
"type": "->",
"args": [
"eicarcom2.zip",
null
]
},
{
"file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/CorePlugin.php",
"line": 527,
"function": "createFile",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": [
"tmp/eicarcom2.zip",
null,
null
]
},
{
"file": "/var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php",
"line": 89,
"function": "httpPut",
"class": "Sabre\\DAV\\CorePlugin",
"type": "->",
"args": [
{
"__class__": "Sabre\\HTTP\\Request"
},
{
"__class__": "Sabre\\HTTP\\Response"
}
]
},
{
"file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 474,
"function": "emit",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": [
"method:PUT",
[
{
"__class__": "Sabre\\HTTP\\Request"
},
{
"__class__": "Sabre\\HTTP\\Response"
}
]
]
},
{
"file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 251,
"function": "invokeMethod",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": [
{
"__class__": "Sabre\\HTTP\\Request"
},
{
"__class__": "Sabre\\HTTP\\Response"
}
]
},
{
"file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 319,
"function": "start",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": []
},
{
"file": "/var/www/html/apps/dav/appinfo/v1/webdav.php",
"line": 82,
"function": "exec",
"class": "Sabre\\DAV\\Server",
"type": "->",
"args": []
},
{
"file": "/var/www/html/remote.php",
"line": 167,
"args": [
"/var/www/html/apps/dav/appinfo/v1/webdav.php"
],
"function": "require_once"
}
],
"File": "/var/www/html/custom_apps/files_antivirus/lib/AvirWrapper.php",
"Line": 154
},
"CustomMessage": "--"
},
"userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0",
"version": "19.0.2.2"
}
]
I see a lot of false-positive detections of this signature, e.g. on PNG, JPEG and PDF files.
I tried to add a rule so that a match on this signature is no longer treated as an infection, using the following pattern against the scanner response:
PUA\.Doc\.Packed\.EncryptedDoc-6563700-0 FOUND
It does not work (the files are still rejected). Can someone give me advice on how the rule has to be written?
Note for anyone applying the same workaround: a rule that marks this match as clean means those files are accepted without any further check, so the pattern should stay anchored to the exact signature name rather than a generic "FOUND" match, and it may be preferable to exclude or disable the PUA signature on the ClamAV side instead of suppressing it in the app.