
Invalid signatures #4

Closed · jtallinger opened this issue Oct 25, 2018 · 4 comments

Comments

@jtallinger

Hi,

(I'm moving the conversation over here, as it is mostly just related to the SigTool process now.)

That last change in SigTool somehow made it worse, I think. Now every file is flagged for something. var_dump() on $VN shows, for example:

array(2) { [0]=> string(25) "� ��Java.Trojan.Boonana-6" [1]=> string(4) "2005" }

With index 1 being just "2005", sure enough it will flag almost any file. I'm sure that is not a correct signature?

Not many faulty signatures now (I have not checked how many are bypassed due to !isset($VN[1])):

Anti-virus: Signature errors during file scan: 2 of 35563
Last error message: preg_match(): Compilation failed: number too big in {} quantifier at offset 78
Last signature: 7265766973696f6e20383630206c747b717569747d69662f417b2f4434303c(?:..){122880,}39303930393039303930393039303930393039304538303030303030303035

@jtallinger (Author)

I guess we should never store a signature without a valid/empty signature hash? Now it seems that may happen.

For the scanning itself, I don't know how risky this change is or whether it is enough to handle faulty signatures (functions.php, row 3141):

private function splitSigParts($sig, $max = -1)
{
    // PREG_SPLIT_NO_EMPTY removed, so an empty hash still occupies $VN[1]
    // instead of the next part shifting down into its place
    return preg_split('~(?<!\?|\<)\:~', $sig, $max);
}

Then $VN[1] will still be returned, but as an empty value, which means $VN[2] will not wrongly be used as the signature hash. That, along with the following change (functions.php, row 2534):

// Filter out faulty signatures
if (!isset($VN[1]) || empty($VN[1])) {
    continue;
}

@jtallinger (Author)

Added some additional logging for missing and empty signatures during scan, which brought up the total of invalid signatures:

Anti-virus: Signature errors during file scan: 83 of 35561
Last error message: Signature hash missing or empty
Last signature: � ��Vbs.Trojan.PowerShell-5705194-0:

~80 empty signatures found
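The two failure modes reported above (a signature with no hash, or an empty one, after the first ':', and a regex body whose {n,} quantifier exceeds what PCRE accepts) can be caught before a signature line ever reaches preg_match(). The checker below is an added example, not code from phpMussel or SigTool. It assumes the line format "<name>:<hex-or-regex body>", splits on the same rule as the splitSigParts() above (a ':' not preceded by '?' or '<', empty parts kept), and applies three assumed rejection rules: no hash, a quantifier above PCRE's documented ceiling of 65535 (Python's re module has no such ceiling, so the check is explicit rather than relying on compile failure), and a plain-hex body shorter than 8 hex digits, which like the "2005" case above would match almost any file. The sample lines are constructed for the example.

```python
import re

# Assumed line format (not taken from the project's documentation): "<name>:<hex-or-regex body>".
# PCRE rejects {n}, {n,} and {n,m} with a number above this with "number too big in {} quantifier".
PCRE_MAX_QUANTIFIER = 65535
# Assumed floor: a plain-hex body of fewer than 8 hex digits (4 bytes), e.g. "2005", is not selective.
MIN_BODY_HEX_DIGITS = 8

# Same split rule as splitSigParts(): a ':' that is not preceded by '?' or '<', so the
# ':' inside "(?:" is left alone. Empty parts are kept, so an empty hash stays at index 1.
_SPLIT = re.compile(r'(?<![?<]):')
_QUANT = re.compile(r'\{(\d+)(?:,(\d*))?\}')


def split_sig_parts(sig, max_parts=0):
    """maxsplit=0 in Python means unlimited, like $max = -1 in preg_split()."""
    return _SPLIT.split(sig, max_parts)


def check_signature(line):
    """Return (ok, reason). Only lines with ok == True should be handed to the matcher."""
    parts = split_sig_parts(line)
    if len(parts) < 2 or parts[1] == '':
        return False, 'Signature hash missing or empty'
    body = parts[1]
    # Reject quantifiers PCRE would refuse to compile (the {122880,} case in the thread).
    for m in _QUANT.finditer(body):
        for number in m.groups():
            if number and int(number) > PCRE_MAX_QUANTIFIER:
                return False, 'number too big in {} quantifier: ' + m.group(0)
    # Reject plain hex bodies too short to be selective (the "2005" case in the thread).
    if re.fullmatch(r'[0-9a-fA-F]*', body) and len(body) < MIN_BODY_HEX_DIGITS:
        return False, 'Signature hash too short to be selective'
    # Anything else must at least compile as a regex.
    try:
        re.compile(body, re.DOTALL)
    except re.error as exc:
        return False, 'Compilation failed: %s' % exc
    return True, 'ok'


def filter_signatures(lines):
    """Split a signature list into usable lines and (line, reason) rejects."""
    good, bad = [], []
    for line in lines:
        ok, reason = check_signature(line)
        if ok:
            good.append(line)
        else:
            bad.append((line, reason))
    return good, bad


# Constructed sample signature lines for the example (not from a real signature file).
SAMPLE_SIGNATURES = [
    "Java.Trojan.Boonana-6:2005",                                    # 2-byte body, matches almost anything
    "Vbs.Trojan.PowerShell-5705194-0:",                              # empty hash
    "Win.Trojan.NoColon",                                            # hash missing entirely
    "Win.Trojan.BigQuant:7265766973696f6e(?:..){122880,}39303930",   # quantifier above PCRE's limit
    "Win.Trojan.Ok:7265766973696f6e(?:..){4,64}39303930",            # usable hex-regex body
    "Win.Trojan.Plain:7265766973696f6e20383630",                     # usable plain hex body
]

if __name__ == '__main__':
    good, bad = filter_signatures(SAMPLE_SIGNATURES)
    print('usable: %d, rejected: %d' % (len(good), len(bad)))
    for line, reason in bad:
        print('  %-60s %s' % (line, reason))
```

Because empty parts are kept by the split, the second sample yields ['Vbs.Trojan.PowerShell-5705194-0', ''] and is rejected on the hash, rather than the element after it being promoted to index 1, which is what the PREG_SPLIT_NO_EMPTY removal above is meant to prevent.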

@Maikuolan (Member)

@jtallinger,

I've made a few minor changes to the SigTool since the time that this issue was first created, since we'd last discussed it. If you get a spare moment, would you be able to test it out again, to let me know whether these invalid signatures still persist in signature files freshly generated by SigTool as of the current latest commit? Cheers. :-)

It appears to be okay now at my end, but I'd be more confident about the problem being actually solved if it could be confirmed by way of a second opinion (after which I could close this off, or, if the invalid signatures still persist, I could try to explore some new avenues of testing and so on).

@Maikuolan added the "Bug Fixed" label and removed the "Attention Required" and "Help Wanted" (extra attention is needed) labels on Mar 13, 2020

@Maikuolan (Member)

Marking as fixed and closing.
